Decrypt my World : CAPICOM

Does SignTool work on Windows 7?

alejacma — Mon, 14 Dec 2009 08:32:00 GMT

Hi all,

The answer to the question of the title is YES, OF COURSE! Why wouldn't it? Well, the reason of this question is the following: you may already know that CAPICOM has been deprecated on Windows 7 (CAPICOM support on Windows 7). It was going to be deprecated when Vista came out, but it didn't (CAPICOM support on Windows Vista). And why wasn't it deprecated on Vista? Because a tool like SignTool depended on CAPICOM.

So if SignTool depends on CAPICOM, will it work on Windows 7? Yes, because Signtool has been updated on Windows 7 and it does not use CAPICOM anymore.

Note: remember that Win7 version of SignTool comes with Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

x64 version of CAPICOM?

alejacma — Mon, 14 Dec 2009 07:37:00 GMT

Hi all,

Now that we are progressively moving to x64 systems, many people ask me if there is an x64 version of CAPICOM available. The answer is no, there is not. And because CAPICOM is already deprecated (CAPICOM support on Windows 7), there won't ever be any. So if you are using a version of x64 Windows older than Windows 7/Server 2008 R2, you will have to use x86 version (which will only work with x86 apps), or move to i.e. .NET and forget about CAPICOM.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

2.1.0.3, a new CAPICOM version?

alejacma — Fri, 04 Dec 2009 13:44:00 GMT

Hi all,

The other day I got surprised when a customer of mine told me that they had seen a new CAPICOM version being installed by Office 2007 SP2: 2.1.0.3. I've been dealing with many CAPICOM issues in the past, and I had no news of such a version. Is it a new version? Can it be used? Can it be redistributed?

To my knowledge, version 2.1.0.2 was the lastest version available. Additionally, it was the only supported version on Vista/Server 2008 (CAPICOM support on Windows Vista, CAPICOM support on Windows Server 2008). Note that this is not the case on Windows 7/2008 R2 (CAPICOM support on Windows 7). CAPICOM has been deprecated, and you should seriously think about migrating to a .NET solution, for example.

Anyway, after some research I was told that the code of 2.1.0.3 is exactly the same as 2.1.0.2, and only the version number is different. Office 2007 had to modify the version number of their copy of CAPICOM to work around some issue on their setup logic in SP2.

So summing up, just forget about that dll that Office uses. Stick to the official version, 2.1.0.2, that is available here: Security Update for CAPICOM (KB931906).

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CAPICOM support on Windows 7

alejacma — Thu, 15 Oct 2009 18:55:00 GMT

Hi all,

CAPICOM has finally been deprecated, and it won't be supported on Windows 7. This link is up to date and proposes alternatives to CAPICOM classes by using .NET classes and CryptoAPI: Alternatives to Using CAPICOM.

The following article may help if you were using CAPICOM in your web site and you are planning on using .NET now: Writing an ActiveX Control in .NET.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to sign EXE files with an Authenticode certificate (part 2)

alejacma — Thu, 11 Dec 2008 12:59:00 GMT

Hi all, welcome back,

The other day a customer of mine was having an issue with SignTool.exe when signing an EXE file. The EXE file was getting corrupted/unusable after signing it.

When troubleshooting this issue, I had the chance to play a bit more with SignTool and check what it does behind the scenes.

Note: I already talked a bit about signing EXEs in post How to sign EXE files with an Authenticode certificate (VB.NET). This new post will add more details and samples.

SignTool.exe uses CAPICOM.SignedCode class and its Sign method to do the signing.

The following VBScript shows how we may use CAPICOM to do the signing programmatically:

Option Explicit

Dim szCertName, szExeToSign
szCertName = "My cert Subject"
szExeToSign = "MyApplication.exe"

Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_AUTHENTICATED_ATTRIBUTE_DOCUMENT_DESCRIPTION = 2

' Get certificate for signing
'
Dim objStore
Set objStore = WScript.CreateObject("CAPICOM.Store")
objStore.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY
Dim objSigningCert
Set objSigningCert = objStore.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, szCertName).Item(1)

' Create a signer for the code
'
Dim objSigner
Set objSigner = WScript.CreateObject("CAPICOM.Signer")
objSigner.Certificate = objSigningCert

' Sign the file
'
Dim objSignedCode
Set objSignedCode = WScript.CreateObject("CAPICOM.SignedCode")
objSignedCode.FileName = szExeToSign
objSignedCode.Sign objSigner
objSignedCode.TimeStamp "http://timestamp.globalsign.com/scripts/timstamp.dll"

WScript.Echo "Done!"

Note that this sample also shows how to time stamp a signature programmatically.

This sample was also reproducing my customer's issue. So I checked what CAPICOM does behind the scenes to further troubleshoot the issue.

CAPICOM.SignedCode.Sign uses CryptUIWizDigitalSign API to do the signing.

The following VB.NET sample uses CryptUIWizDigitalSign through P/Invoke to do the signing programmatically:

<SAMPLE file="Crypto.vb">

Imports System.Runtime.InteropServices
Imports System.Security.Cryptography
Imports System.ComponentModel
Imports System.Windows.Forms

Public Class Crypto

    ' #define CRYPTUI_WIZ_NO_UI     1
    Public Const CRYPTUI_WIZ_NO_UI As Int32 = 1

    ' #define CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE     0x01
    Public Const CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE As Int32 = 1

    ' #define CRYPTUI_WIZ_DIGITAL_SIGN_CERT                    0x01
    Public Const CRYPTUI_WIZ_DIGITAL_SIGN_CERT As Int32 = 1

    ' typedef struct _CRYPTUI_WIZ_DIGITAL_SIGN_INFO {  
    '   DWORD dwSize;  
    '   DWORD dwSubjectChoice;  
    '   union {    
    '       LPCWSTR pwszFileName;    
    '       PCCRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO pSignBlobInfo;  
    '   };  
    '   DWORD dwSigningCertChoice;  
    '   union {    
    '       PCCERT_CONTEXT pSigningCertContext;    
    '       PCCRYPTUI_WIZ_DIGITAL_SIGN_STORE_INFO pSigningCertStore;    
    '       PCCRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO pSigningCertPvkInfo;  
    '   };  
    '   LPCWSTR pwszTimestampURL;  
    '   DWORD dwAdditionalCertChoice;  
    '   PCCRYPTUI_WIZ_DIGITAL_SIGN_EXTENDED_INFO pSignExtInfo;
    ' } CRYPTUI_WIZ_DIGITAL_SIGN_INFO;
    <StructLayout(LayoutKind.Sequential)> _
    Public Structure CRYPTUI_WIZ_DIGITAL_SIGN_INFO
        Public dwSize As Int32
        Public dwSubjectChoice As Int32
        <MarshalAs(UnmanagedType.LPWStr)> Public pwszFileName As String
        Public dwSigningCertChoice As Int32
        Public pSigningCertContext As IntPtr
        Public pwszTimestampURL As String
        Public dwAdditionalCertChoice As Int32
        Public pSignExtInfo As IntPtr
    End Structure

    ' typedef struct _CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT {  
    '      DWORD dwSize;  
    '      DWORD cbBlob;  
    '      BYTE* pbBlob;
    ' } CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT;
    <StructLayout(LayoutKind.Sequential)> _
    Public Structure CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT
        Public dwSize As Int32
        Public cbBlob As Int32
        Public pbBlob As IntPtr
    End Structure

    ' BOOL WINAPI CryptUIWizDigitalSign(
    '      DWORD dwFlags,
    '      HWND hwndParent,
    '      LPCWSTR pwszWizardTitle,
    '      PCCRYPTUI_WIZ_DIGITAL_SIGN_INFO pDigitalSignInfo,
    '      PCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT* ppSignContext
    ' );
    <DllImport("Cryptui.dll", CharSet:=CharSet.Unicode, SetLastError:=True)> _
    Public Shared Function CryptUIWizDigitalSign( _
        ByVal dwFlags As Int32, _
        ByVal hwndParent As IntPtr, _
        ByVal pwszWizardTitle As String, _
        ByRef pDigitalSignInfo As CRYPTUI_WIZ_DIGITAL_SIGN_INFO, _
        ByRef ppSignContext As IntPtr _
    ) As Boolean
    End Function

    ' BOOL WINAPI CryptUIWizFreeDigitalSignContext(
    '   PCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT pSignContext
    ' );
    <DllImport("Cryptui.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function CryptUIWizFreeDigitalSignContext( _
        ByVal pSignContext As IntPtr _
    ) As Boolean
    End Function

End Class

</SAMPLE>

<SAMPLE file="Module1.vb">

Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports SignExe.Crypto
Imports System.Security.Cryptography.X509Certificates
Imports System.IO

Module Module1

    Sub Main()

        ' Parameters
        Dim certPath As String = "MyCert.pfx"
        Dim exePath As String = "MyApplication.exe"
        Dim sigPath As String = "signature.sig"

        ' Variables
        '
        Dim cert As X509Certificate2
        Dim digitalSignInfo As CRYPTUI_WIZ_DIGITAL_SIGN_INFO
        Dim pSignContext As IntPtr
        Dim pSigningCertContext As IntPtr
        Dim signContext As CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT
        Dim fileOut As FileStream
        Dim binWriter As BinaryWriter
        Dim blob() As Byte

        Try
            ' Get certificate context
            '
            cert = New X509Certificate2(certPath, "")
            pSigningCertContext = cert.Handle

            ' Prepare signing info: exe and cert
            '
            digitalSignInfo = New CRYPTUI_WIZ_DIGITAL_SIGN_INFO
            digitalSignInfo.dwSize = Marshal.SizeOf(digitalSignInfo)
            digitalSignInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE
            digitalSignInfo.pwszFileName = exePath
            digitalSignInfo.dwSigningCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_CERT
            digitalSignInfo.pSigningCertContext = pSigningCertContext
            digitalSignInfo.pwszTimestampURL = vbNullString
            digitalSignInfo.dwAdditionalCertChoice = 0
            digitalSignInfo.pSignExtInfo = IntPtr.Zero

            ' Sign exe
            '
            If (Not CryptUIWizDigitalSign( _
                CRYPTUI_WIZ_NO_UI, _
                IntPtr.Zero, _
                vbNullString, _
                digitalSignInfo, _
                pSignContext _
            )) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error(), "CryptUIWizDigitalSign")
            End If

            ' Get the blob with the signature
            '
            signContext = Marshal.PtrToStructure(pSignContext, GetType(CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT))
            blob = New Byte(signContext.cbBlob) {}
            Marshal.Copy(signContext.pbBlob, blob, 0, signContext.cbBlob)

            ' Store the signature in a new file
            '
            fileOut = File.Open(sigPath, FileMode.Create)
            binWriter = New BinaryWriter(fileOut)
            binWriter.Write(blob)
            binWriter.Close()
            fileOut.Close()

            ' Free blob
            '
            If (Not CryptUIWizFreeDigitalSignContext(pSignContext)) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error(), "CryptUIWizFreeDigitalSignContext")
            End If

            ' We are done
            Console.WriteLine("Done!!!")

        Catch ex As Win32Exception
            ' Any expected errors?
            '
            Console.WriteLine(ex.Message + " error#" + ex.NativeErrorCode.ToString)
        Catch ex As Exception
            ' Any unexpected errors?
            '
            Console.WriteLine(ex.Message)
        End Try

        ' We are done
        '
        Console.WriteLine("<< Press any key to continue >>")
        Console.ReadKey()

    End Sub

End Module

</SAMPLE>

This sample was also reproducing the issue. So I checked what CryptUIWizDigitalSign does behind the scenes.

CryptUIWizDigitalSign API uses SignerSignEx API to do the signing.

The following VC++ sample uses SignerSignEx API to do the signing programmatically:

#include "windows.h"
#include "Wincrypt.h"
#include "stdio.h"
#include "conio.h"


// STRUCTS

typedef struct _SIGNER_FILE_INFO {  
	DWORD cbSize;  
	LPCWSTR pwszFileName;  
	HANDLE hFile;
} SIGNER_FILE_INFO,  *PSIGNER_FILE_INFO;

typedef struct _SIGNER_BLOB_INFO {  
	DWORD cbSize;  
	GUID *pGuidSubject;  
	DWORD cbBlob;  
	BYTE *pbBlob;  
	LPCWSTR pwszDisplayName;
} SIGNER_BLOB_INFO,  *PSIGNER_BLOB_INFO;

typedef struct _SIGNER_SUBJECT_INFO {  
	DWORD cbSize;  
	DWORD *pdwIndex;  
	DWORD dwSubjectChoice;  
	union {    
		SIGNER_FILE_INFO *pSignerFileInfo;    
		SIGNER_BLOB_INFO *pSignerBlobInfo;  
	} ;
} SIGNER_SUBJECT_INFO,  *PSIGNER_SUBJECT_INFO;

typedef struct _SIGNER_CERT_STORE_INFO {  
	DWORD cbSize;  
	PCCERT_CONTEXT pSigningCert;  
	DWORD dwCertPolicy;  
	HCERTSTORE hCertStore;
} SIGNER_CERT_STORE_INFO,  *PSIGNER_CERT_STORE_INFO;

typedef struct _SIGNER_SPC_CHAIN_INFO {  
	DWORD cbSize;  
	LPCWSTR pwszSpcFile;  
	DWORD dwCertPolicy;  
	HCERTSTORE hCertStore;
} SIGNER_SPC_CHAIN_INFO,  *PSIGNER_SPC_CHAIN_INFO;

typedef struct _SIGNER_CERT {  
	DWORD cbSize;  
	DWORD dwCertChoice;  
	union {    
		LPCWSTR pwszSpcFile;    
		SIGNER_CERT_STORE_INFO *pCertStoreInfo;    
		SIGNER_SPC_CHAIN_INFO *pSpcChainInfo;  
	} ;  
	HWND hwnd;
} SIGNER_CERT,  *PSIGNER_CERT;

typedef struct _SIGNER_ATTR_AUTHCODE {  
	DWORD cbSize;  
	BOOL fCommercial;  
	BOOL fIndividual;  
	LPCWSTR pwszName;  
	LPCWSTR pwszInfo;
} SIGNER_ATTR_AUTHCODE,  *PSIGNER_ATTR_AUTHCODE;

typedef struct _SIGNER_SIGNATURE_INFO {  
	DWORD cbSize;  
	ALG_ID algidHash;  
	DWORD dwAttrChoice;  
	union {    
		SIGNER_ATTR_AUTHCODE *pAttrAuthcode;  
	} ;  
	PCRYPT_ATTRIBUTES psAuthenticated;  
	PCRYPT_ATTRIBUTES psUnauthenticated;
} SIGNER_SIGNATURE_INFO,  *PSIGNER_SIGNATURE_INFO;

typedef struct _SIGNER_PROVIDER_INFO {  
	DWORD cbSize;  
	LPCWSTR pwszProviderName;  
	DWORD dwProviderType;  
	DWORD dwKeySpec;  
	DWORD dwPvkChoice;  
	union {    
		LPWSTR pwszPvkFileName;    
		LPWSTR pwszKeyContainer;  
	} ;
} SIGNER_PROVIDER_INFO,  *PSIGNER_PROVIDER_INFO;

typedef struct _SIGNER_CONTEXT {  
	DWORD cbSize;  
	DWORD cbBlob;  
	BYTE *pbBlob;
} SIGNER_CONTEXT,  *PSIGNER_CONTEXT;


// EXPORTS 

typedef HRESULT (WINAPI* SignerFreeSignerContextType)(
  __in  SIGNER_CONTEXT *pSignerContext
);

typedef HRESULT (WINAPI *SignerSignExType)(
  __in      DWORD dwFlags,
  __in      SIGNER_SUBJECT_INFO *pSubjectInfo,
  __in      SIGNER_CERT *pSignerCert,
  __in      SIGNER_SIGNATURE_INFO *pSignatureInfo,
  __in_opt  SIGNER_PROVIDER_INFO *pProviderInfo,
  __in_opt  LPCWSTR pwszHttpTimeStamp,
  __in_opt  PCRYPT_ATTRIBUTES psRequest,
  __in_opt  LPVOID pSipData,
  __out     SIGNER_CONTEXT **ppSignerContext
);


// MAIN

void main()
{
	// PARAMETERS

	// File to sign
	LPCWSTR pwszFileName = L"C:\\TEST\\MyApplication.exe";

	// Signing Cert Subject
	LPCWSTR pwszCertSubject = L"My cert Subject";

	// VARIABLES
	HRESULT hResult = S_OK;
	BOOL bResult = TRUE;
	HMODULE hMssign32 = NULL;
	SignerSignExType pfSignerSignEx = NULL;
	SignerFreeSignerContextType pfSignerFreeSignerContext = NULL;
	HANDLE hFile = NULL;
	HCERTSTORE hCertStore = NULL; 
	PCCERT_CONTEXT pCertContext = NULL;
	DWORD dwIndex = 0;
	SIGNER_FILE_INFO signerFileInfo;
	SIGNER_SUBJECT_INFO signerSubjectInfo;
	SIGNER_CERT_STORE_INFO signerCertStoreInfo;
	SIGNER_CERT signerCert;
	SIGNER_SIGNATURE_INFO signerSignatureInfo;
	SIGNER_CONTEXT * pSignerContext = NULL;

	// MAIN

	// Attach a debugger now!
	printf("<< Press any key to continue>>\n");
	_getch();

	// Load library containing SignerSignEx and SignerFreeSignerContext
	printf("LoadLibrary...");
	hMssign32 = LoadLibrary(L"Mssign32.dll");
	if (!hMssign32)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Get SignerSignEx function
	printf("GetProcAddress(SignerSignEx)...");
	pfSignerSignEx = (SignerSignExType) GetProcAddress(hMssign32, "SignerSignEx");
	if (!pfSignerSignEx)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Get SignerFreeSignerContext function
	printf("GetProcAddress(SignerFreeSignerContext)...");
	pfSignerFreeSignerContext = (SignerFreeSignerContextType) GetProcAddress(hMssign32, "SignerFreeSignerContext");
	if (!pfSignerFreeSignerContext)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Open file to sign
	printf("CreateFile...");
	hFile = CreateFile(
		pwszFileName,
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL
	);
	if (!hFile)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Open MY cert store
	printf("CertOpenStore...");
	hCertStore = CertOpenStore(
		CERT_STORE_PROV_SYSTEM, 
		0,
		NULL,
		CERT_SYSTEM_STORE_CURRENT_USER,
		L"MY"
	);                 
	if (!hCertStore)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Find signing cert in MY cert store
	printf("CertFindCertificateInStore...");
	pCertContext = CertFindCertificateInStore(
		hCertStore,
		X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
		0,
		CERT_FIND_SUBJECT_STR,
		(void *)pwszCertSubject,
		NULL
	);
	if (!pCertContext)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Prepare SIGNER_FILE_INFO struct
	signerFileInfo.cbSize = sizeof(SIGNER_FILE_INFO);
	signerFileInfo.pwszFileName = pwszFileName;
	signerFileInfo.hFile = hFile;

	// Prepare SIGNER_SUBJECT_INFO struct
	signerSubjectInfo.cbSize = sizeof(SIGNER_SUBJECT_INFO);
	dwIndex = 0;
	signerSubjectInfo.pdwIndex = &dwIndex;
	signerSubjectInfo.dwSubjectChoice = 1; // SIGNER_SUBJECT_FILE
	signerSubjectInfo.pSignerFileInfo = &signerFileInfo;

	// Prepare SIGNER_CERT_STORE_INFO struct
	signerCertStoreInfo.cbSize = sizeof(SIGNER_CERT_STORE_INFO);
	signerCertStoreInfo.pSigningCert = pCertContext;
	signerCertStoreInfo.dwCertPolicy = 2; // SIGNER_CERT_POLICY_CHAIN
	signerCertStoreInfo.hCertStore = NULL;

	// Prepare SIGNER_CERT struct
	signerCert.cbSize = sizeof(SIGNER_CERT);
	signerCert.dwCertChoice = 2; // SIGNER_CERT_STORE
	signerCert.pCertStoreInfo = &signerCertStoreInfo;
	signerCert.hwnd = NULL;

	// Prepare SIGNER_SIGNATURE_INFO struct
	signerSignatureInfo.cbSize = sizeof(SIGNER_SIGNATURE_INFO);
	signerSignatureInfo.algidHash = CALG_SHA1;
	signerSignatureInfo.dwAttrChoice = 0; // SIGNER_NO_ATTR
	signerSignatureInfo.pAttrAuthcode = NULL;
	signerSignatureInfo.psAuthenticated = NULL;
	signerSignatureInfo.psUnauthenticated = NULL;

	// Sign file with cert
	printf("SignerSignEx...");
	hResult = pfSignerSignEx(
		0,
		&signerSubjectInfo,
		&signerCert,
		&signerSignatureInfo,
		NULL,
		NULL,
		NULL,
		NULL,
		&pSignerContext
	);
	if (S_OK != hResult)
	{
		printf("Error #%d\n", hResult); goto cleanup;
	}
	printf("Done!\n");

	printf("\nSUCCESS!!!\n");

	// Clean up
cleanup:

	if (pSignerContext)
	{
		hResult = pfSignerFreeSignerContext(pSignerContext);
	}

	if (pCertContext)
	{
		bResult = CertFreeCertificateContext(pCertContext);
	}

	if (hCertStore)
	{
		bResult = CertCloseStore(hCertStore, CERT_CLOSE_STORE_CHECK_FLAG);
	}

	if (hFile)
	{
		bResult = CloseHandle(hFile);
	}

	if (hMssign32)
	{
		bResult = FreeLibrary(hMssign32);
	}

	// Exit
	printf("<< Press any key to exit >>\n");
	_getch();
	return;
}

This sample was also reproducing the issue.

Finally we saw that the issue was not in SignTool.exe / CAPICOM.SignCode.Sign / CryptUIWizDigitalSign / SignerSignEx, but in the EXE itself!

I run Visual Studio's Dumpbin.exe with its "/HEADER" parameter to list the problematic EXE's PE header information before and after signing it (the Microsoft Portable Executable and Common Object File Format Specification gives detailed information about PE header information).

Before signing, I could see the following Optional Header Value:

1400 [ C40] RVA [size] of Certificates Directory

After signing, I could see the following value:

1400 [ 1650] RVA [size] of Certificates Directory

Certificates Directory points to the location of the code signing signature in the binary. So an EXE which has not been signed should contain the following values:

0 [ 0] RVA [size] of Certificates Directory

Which was not our case. So SignerSignEx was not corrupting the EXE when signing it. It was already corrupted before that, even if it was successfully running before signing!

Just for testing, I opened the problematic EXE with a binary editor before signing it. I looked for "00 14 00 00 04 0c 00 00" bytes (correspondent to "1400 [ C40] RVA [size] of Certificates Directory" values), changed them to "00 00 00 00 00 00 00 00" and signed the EXE. It worked! Now the EXE is not corrupted and I can see the Digital Signature in Explorer, the certificate I used to sign, launch the EXE and run it as expected.

Manually modifying the PE header is not supported by Microsoft. If you face a similar issue, you should work with the team that developed the EXE and focus on why the EXE got generated with an invalid PE header in the first place.

I looked on the Internet and found that there are some third-party tools which may help us to see and modify the PE header if needed for testing purposes, for example PEInfo 0.9 BETA which I haven't tried so I can't neither recommend nor discourage its use.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to modify an Interop assembly to change the return type of a method (VB.NET)

alejacma — Mon, 04 Aug 2008 09:52:00 GMT

Hi all,

In some situations we may need to reference a COM dll in our Visual Studio project in order to use a specific COM object within our .NET application, and thanks to COM Interop we can do it. When we add a reference to a COM dll in our project, a COM Interop assembly gets generated so we can use COM objects in the dll almost like any other .NET object. And I say almost because i.e. .NET needs to translate COM types to .NET types and it doesn't always do the conversion the way we like or need.

Let's see this with the following real example:

We are writing an Exit Module for our Certification Authority. We are trying to obtain the raw binary data for a certificate issued by our CA. We are calling CCertServerExit.GetCertificateProperty("RawCertificate", PROPTYPE_BINARY) (ICertServerExit::GetCertificateProperty Method) to achieve that. But GetCertificateProperty is returning a String and not an array of bytes, because .NET interop layer is converting a VARIANT of type BSTR (vt = VT_BSTR) to a .NET String. Because of this return type, .NET is trimming the last byte of the binary certificate when the number of bytes is odd. .NET strings cannot represent BSTRs that contain an odd number of bytes.

Fortunately we can modify the Interop assembly and choose a different return type for that method. This modification will allow us to get all the bytes in the certificate. These are the steps to do this:

1) Extract IL from Interop.CertClientLib.dll interop assembly generated by VS IDE when we added CertCli COM reference to our VS project:

ildasm.exe Interop.CertClientLib.dll /out:temp.il

2) Delete Interop.CertClientLib.dll file.

3) Delete CertCli COM reference from our project.

4) Modify temp.il and change the declaration of GetCertificateProperty in base and derived classes to take an IntPtr for the last output parameter instead of a VARIANT *:

instance void 
GetCertificateProperty([in] string  marshal( bstr) strPropertyName,
                       [in] int32 PropertyType,
                       [out] native int pvarPropertyValue) runtime managed internalcall

5) Generate a new Interop.CertClientLib.dll which includes these modifications:

ilasm.exe /DLL temp.il /res:temp.res /out=Interop.CertClientLib.dll

6) Modify our project's references to use this new DLL.

7) Change our .NET code to use the IntPtr calling convention. Manage Variant objects from IntPtr and free the memory after its use. Sample:

<DllImport("Oleaut32.dll", PreserveSig:=False)> _
Private Shared Sub VariantClear(ByVal var As IntPtr)
End Sub

'Exit Module Notify callback
Public Sub Notify(ByVal ExitEvent As Integer, ByVal Context As Integer) Implements CERTEXITLib.ICertExit.Notify

    Trace.WriteLine(">> Notify")

    Dim oCSE As New CERTCLIENTLib.CCertServerExit
    oCSE.SetContext(Context)

    Trace.WriteLine(String.Format("ExitEvent = {0}", ExitEvent))
    If ExitEvent = 1 Then 'Issue

        ' Allocate memory to hold VARIANT
        '
        Dim variantObjectPtr As IntPtr
        variantObjectPtr = Marshal.AllocHGlobal(2048)

        ' Get VARIANT containing certificate bytes
        '
        oCSE.GetCertificateProperty("RawCertificate", DataTypeEnum.Binary, variantObjectPtr)

        ' Read ANSI BSTR information from the VARIANT as we know RawCertificate property 
        ' is ANSI BSTR. Please note that the below code is written based on how the 
        ' VARIANT structure looks like in C/C++
        '
        Dim bstrPtr As IntPtr
        bstrPtr = Marshal.ReadIntPtr(variantObjectPtr, 8)

        Dim bstrLen As Integer
        bstrLen = Marshal.ReadInt32(bstrPtr, -4)

        Dim certBytes(bstrLen - 1) As Byte
        Marshal.Copy(bstrPtr, certBytes, 0, bstrLen)

        Trace.WriteLine(String.Format("Certificate length = {0}", certBytes.Length))

        ' Clear the VARIANT which will free the memory allocated for the VARIANT members
        '
        VariantClear(variantObjectPtr)

        ' Get certificate
        '
        Dim x509 As New X509Certificate(certBytes)

        ' Store the certificate in the certificate store
        '
        Dim store As New StoreClass
        Dim cert As New CertificateClass
        Dim data As String = Convert.ToBase64String(x509.GetRawCertData)

        cert.Import(data)
        store.Open(CAPICOM_STORE_LOCATION.CAPICOM_LOCAL_MACHINE_STORE, _
                    "My", _
                    CAPICOM_STORE_OPEN_MODE.CAPICOM_STORE_OPEN_READ_WRITE)
        store.Add(cert)

        ' Get VARIANT containing Serial Number
        '
        oCSE.GetCertificateProperty("SerialNumber", DataTypeEnum.String, variantObjectPtr)

        ' Construct Variant .NET object from IntPtr
        '
        Dim variantObject As Object
        variantObject = Marshal.GetObjectForNativeVariant(variantObjectPtr)

        ' Get Serial Number
        '
        Dim serialNo As String = variantObject

        Trace.WriteLine(String.Format("Serial Number = {0}", serialNo))

        ' Free memory
        '
        VariantClear(variantObjectPtr)

        ' Get VARIANT containing Distinguished Name
        '
        oCSE.GetCertificateProperty("DistinguishedName", DataTypeEnum.String, variantObjectPtr)

        ' Construct Variant .NET object from IntPtr
        '
        variantObject = Marshal.GetObjectForNativeVariant(variantObjectPtr)

        ' Get Serial Number
        '
        Dim distinguishedName As String = variantObject

        Trace.WriteLine(String.Format("DistinguishedName = {0}", distinguishedName))

        ' Free memory
        '
        VariantClear(variantObjectPtr)

        ' Get VARIANT containing Not Before date
        '
        oCSE.GetCertificateProperty("NotBefore", DataTypeEnum.Date, variantObjectPtr)

        ' Construct Variant .NET object from IntPtr
        '
        variantObject = Marshal.GetObjectForNativeVariant(variantObjectPtr)

        ' Get Not Before date
        '
        Dim validFrom As Date = variantObject

        Trace.WriteLine(String.Format("Not Before = {0}", validFrom.ToString))

        ' Free memory
        '
        VariantClear(variantObjectPtr)

        ' Get VARIANT containing Not After date
        '
        oCSE.GetCertificateProperty("NotAfter", DataTypeEnum.Date, variantObjectPtr)

        ' Construct Variant .NET object from IntPtr
        '
        variantObject = Marshal.GetObjectForNativeVariant(variantObjectPtr)

        ' Get Not After date
        '
        Dim validTo As Date = variantObject

        Trace.WriteLine(String.Format("Not After = {0}", validTo.ToString))

        ' Free memory
        '
        VariantClear(variantObjectPtr)

        ' Free the memory block allocated to hold VARIANT 
        '
        Marshal.FreeHGlobal(variantObjectPtr)

    End If

    Trace.WriteLine("<< Notify")

End Sub

Note: Becareful when translating the sample to C#: "Dim certBytes(bstrLen - 1) As Byte" will translate to "byte[] rawCert = new byte[bstrLen];".

I've also seen this kind of issues when referencing CAPICOM.dll (Interop.CAPICOM.dll interop assembly). These errors may appear when we are i.e. decrypting a string:

System.Runtime.InteropServices.COMException: ASN1 unexpected end of data.
System.Runtime.InteropServices.COMException: ASN1 bad tag value met.

For instance, CAPICOM.Utilities.ByteArrayToBinaryString returns a BSTR that represents the binary data being passed as an input parameter. The interop layer assigns the BSTR to a .NET string which removes the last byte and makes the data even. By using an IntPtr as return type we can access the complete binary data as we've already seen. In this case we'll replace "string marhal(bstr)" to "native int" just before each ByteArrayToBinaryString occurrence in the IL file.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

Credits: Sample code has been provided by my colleague Prabagar Ramadasse. Thank you Prabagar!

How to read certificate extensions with CAPICOM (C#)

alejacma — Mon, 19 May 2008 18:14:00 GMT

Hi all, welcome back,

I recently had a customer who needed to retrieve extensions from certificates the easy way in .NET 1.1, and they wanted to use CAPICOM for that. In .NET 2.0 and later we may use X509Certificate2 to achieve the same results (I strongly recommend this approach), but in .NET 1.1 we only have X509Certificate class which is much more limited.

Note that the same ideas shown in the same below may be taken into account when using CAPICOM from i.e. VBScript.

The following sample shows how to use CAPICOM from a C# app to read a couple of extensions from a test cert (remember to add CAPICOM as a reference to the project first):

using CAPICOM;

...

// Load the cert
Certificate CAPICOMCertClass = new CertificateClass();
CAPICOMCertClass.Load("C:\\test.cer", null, CAPICOM_KEY_STORAGE_FLAG.CAPICOM_KEY_STORAGE_DEFAULT, CAPICOM_KEY_LOCATION.CAPICOM_CURRENT_USER_KEY);

// Find the extensions we are interested in
foreach (Extension CertExtension in CAPICOMCertClass.Extensions())
{

  // Does the extension have a Friendly Name? Yes? Use it!
  if (CertExtension.OID.FriendlyName == "Subject Alternative Name")
  {
    String stringSubjectAltName = CertExtension.EncodedData.Format(true);
    MessageBox.Show(stringSubjectAltName);
  }

  // The extension has no Friendly Name, but we can use its OID instead
  if (CertExtension.OID.Value.ToString() == "1.3.6.1.4.1.5734.1.33")
  {
    // For demostration purposes of Utilities class, let's assume the value of the OID is an hex string which represents the chars of a string but we need the string itself
    
    // This property is in Hexadecimal
    String stringOIDHex = CertExtension.EncodedData.Format(true).Replace(" ", "");

    // We convert it to binary
    Utilities utils = new UtilitiesClass();
    String stringOIDBinary = utils.HexToBinary(stringOIDHex);
    byte[] OIDBinary = (byte[])utils.BinaryStringToByteArray(stringOIDBinary);

    // We convert it to string
    String stringOID = System.Text.Encoding.ASCII.GetString(OIDBinary);
    MessageBox.Show(stringOID);
  }
}

References to the classes I've used: Certificate, Extensions, Extension, OID, Utilities.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

Certificate has private key but we get "the keyset does not exist" error

alejacma — Fri, 18 Apr 2008 11:00:00 GMT

Hi all, welcome back,

The other day we were using CAPICOM in a client script run in Internet Explorer. We were trying to sign some string with the private key of a certificate we previously installed in the client machine, but we kept getting the error "the keyset does not exist", like if the private key didn't exist. But the certificate had been installed from a PFX file, it appeared in the Personal store and we could see the message "You have a private key that corresponds to this certificate" when double-clicking on the cert. What was going on?

The issue was happening in Windows XP SP2. As we saw in Key Containers: Basics, the keysets (key containers) for the user should be in her profile here C:\Documents and Settings\<user_name>\Application Data\Microsoft\Crypto\RSA\<user_SID>. But we realized this folder was empty, even after re-installing the cert. Weird. When we install a new cert (and no smart cards are involved), a file containing the keys associated with it gets created in there...

Additionally, if we imported the PFX into a smart card, everything worked just fine.

Well, we finally realized what was happening:

When importing a PFX with Windows Certificate Import Wizard we can click "Browse" to select a cert store and "Place all certificates in the following store". We can then check "Show physical stores". In our particular scenario, we had two physical stores under "Personal" store: "3rd Party Smart card SW" first and "Registry" second. "3rd Party Smart card SW" was an store for smart cards related to some third-party smart card CSP.

It turned out that if we chose "Automatically select the certificate store based on the type of certificate" in the wizard instead of browsing for a store, the cert was going to "3rd Party Smart card SW" physical store automatically and the key file wasn't being created in the user's profile. For this reason CAPICOM was failing, as it couldn't find that file.

So we solved the issue by re-installing the cert and manually browsing for "Registry" physical store in "Personal" store. This way the keyset file got created in Microsoft\Crypto\RSA\<userSID> folder, CAPICOM was able to get the private key and everything worked just fine.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CAPICOM Security Alerts are not localized

alejacma — Mon, 24 Mar 2008 14:48:00 GMT

Hi all, welcome back,

When we use CAPICOM, we may get some messages like the following:

Security Alert: This Web site needs to decrypt data using your private key.

Security Alert: This Web site needs to create a digital signature using your private key.

Security Alert: This Web site needs to add digital certificates to this computer.

Security Alert: This Web site needs access to digital certificates on this computer.

Security Alert: This Web site needs to delete digital certificates from this computer.

Some people would like to have them localized to i.e. Spanish, or at least be able to turn them off. Unfortunately there are no localized versions of CAPICOM.dll and those messages can't be turned off.

Additionally, there are no plans to create such localized versions in the future. CAPICOM support is very limited already (will it be available in next version of Windows? Who knows...), and it's pretty much dedicated to fix security bugs if ever found.

As always, my recommendation is to use .NET and System.Security.Cryptography classes whenever possible.

If you need to use .NET assemblies from client side scripting (main use of CAPICOM for many people), for instance, here you can find a sample to create an ActiveX from an assembly, so System.Security.Cryptography classes can be used in Internet Explorer: Writing an ActiveX Control in .NET.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CAPICOM support on Windows Server 2008

alejacma — Thu, 06 Mar 2008 09:52:00 GMT

Hi all, welcome back,

If you remember all the confusion there was regarding CAPICOM support on Vista, now everything seems much clearer on Windows Server 2008. Our documentation team has done its homework, as we can see in CAPICOM Reference:

"CAPICOM is available for use in the following operating systems: Windows Server 2008, Windows Vista, Windows XP, and Windows 2000. It may be altered or unavailable in subsequent versions. Instead, use the .NET Framework to implement security features."

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

CAPICOM support on Windows Vista

alejacma — Fri, 19 Oct 2007 10:47:00 GMT

I know there has been a lot of confusion about this, because some articles on the web (i.e. MSDN) say CAPICOM is not supported on Vista, while others say it is.

I have good news for you people, especially for those who want to do cryptographic operations from scripting: CAPICOM is officially supported on Vista, but only on its version 2.1.0.2.

This version can be downloaded from here:

Platform SDK Redistributable: CAPICOM
http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

(Note: at the time of this writing, this article DOES NOT say that CAPICOM is supported on Vista).

This new version of CAPICOM was released, among other reasons, because of a security update on CAPICOM:

Security Update for CAPICOM (KB931906)
http://www.microsoft.com/downloads/details.aspx?FamilyId=CA930018-4A66-4DA6-A6C5-206DF13AF316&displaylang=en

(Note: this article DOES say that CAPICOM is supported on Vista)

If we try to use version 2.1.0.1 on Vista, for instance, a small .NET sample which uses CAPICOM like the following:
"
StoreClass store = new StoreClass();
store.Open(CAPICOM_STORE_LOCATION.CAPICOM_SMART_CARD_USER_STORE, null, CAPICOM_STORE_OPEN_MODE.CAPICOM_STORE_OPEN_READ_WRITE);
"
Will return the following exception:
"
System.Runtime.InteropServices.COMException (0x80880900): Exception from HRESULT: 0x80880900
"
Which means:
"
# for hex 0x80880900 / decimal -2138568448
CAPICOM_E_NOT_SUPPORTED capicom.h
"

Anyway, my recommendation is to use .NET Framework classes instead of CAPICOM whenever possible.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)