
Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...


Strangest X509Certificate ever seen ?

The source code at the end of this post does an Authenticode® self-check. That is, it checks whether it has, itself, been signed with an X.509 certificate. This is done using the (rather crudely documented) X509Certificate.CreateFromSignedFile.

If the assembly is signed you would expect a valid X509Certificate as the output, wouldn't you? Well, you get it. And if the assembly has been modified, so that the code signature doesn't verify, you would expect an exception, right? Got it again. But if the assembly wasn't signed, what would you expect?

  1. null
  2. DivideByZeroException
  3. X509Certificate

If you expected a null, then you'll be (at least) disappointed and probably quite surprised the first time you run your program. If you expected a DivideByZeroException then you should stop reading my blog right now and go to sleep - do not try again unless you have slept for a minimum of 8 straight hours. If you (really) expected an X509Certificate then tell me, without looking at the source code, what it should contain?

Actually it doesn't contain much, and the best way to detect it is to call GetHashCode () and check whether it returns 0. As I said, I'm unsure whether this is a feature or a bug - but it certainly complicates unit testing (and not only for Mono ;-).

Here's the promised code for doing an Authenticode® self-check on an assembly. This works on both Mono (post 0.28, which means CVS right now) and the Microsoft framework.

using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

public class MainClass {

	public static void Main (string[] args)
	{
		// the running assembly is the file whose signature we check
		Assembly self = Assembly.GetEntryAssembly ();
		try {
			X509Certificate x509 = X509Certificate.CreateFromSignedFile (self.Location);
			// an unsigned file yields an (almost) empty certificate whose
			// hash code is 0, rather than null or an exception
			if (x509.GetHashCode () != 0)
				Console.WriteLine (x509.ToString (true));
			else
				Console.WriteLine ("Assembly isn't signed by a software publisher certificate");
		}
		catch (COMException ce) {
			// signature present but it does not verify, e.g. a modified file or
			// using a test certificate without trusting the test root ?
			Console.WriteLine (ce.Message);
		}
	}
}

Hmmm... a little explanation may not hurt everyone, so:

> makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer
Succeeded
 
> cert2spc.exe yourcert.cer yourspc.spc
Succeeded
 
> signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t http://timestamp.verisign.com/scripts/timstamp.dll selfcheck.exe
Succeeded
 
> chktrust.exe selfcheck.exe
Succeeded
 
> selfcheck.exe
CERTIFICATE:
Format: X509
Name: CN=your name
Issuing CA: CN=Root Agency
Key Algorithm: 1.2.840.113549.1.1.1
Serial Number: 88488DD7C38FED4E907DB55418353D04
Key Alogrithm Parameters: 0500
Public Key: 30818902818100BB16FBE837D1B326BA547936A4CE3068FC63AE5D9F885
12339A372CC564F77E5ECA1087F27B9523A23E9D7F0B8B11FA63BB03A8890CC2CB21E75F0215F267
F56FC4A96174BC17C7585835E312BBE320F22C26970EA1A282898C52BE090B511AFDF88C14437BB5
E0402257C3CFA34BCA324C8660A1A4F0BAB479403C8FFD5E99B0203010001

Notes:

  1. Under Windows and the MS runtime you have to add trust to the test root for this demonstration to work; otherwise the self-check will fail with the message: The certification path terminates with the test root which is not trusted with the current policy settings.
  2. You must add mono before each command when using the Mono:: runtime.
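As an added example (not the post's code), here is the same check generalised to any file path, with the three outcomes the post describes turned into an explicit, fail-closed result so a caller cannot mistake the hollow certificate for a real signer. The SignatureStatus enum, the AuthenticodeCheck class and the CryptographicException branch are my own assumptions; the GetHashCode () == 0 heuristic is the post's.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// hypothetical names, not part of the framework
public enum SignatureStatus { Signed, Unsigned, Invalid }

public static class AuthenticodeCheck {

	// Returns the signature status of 'path' and, when Signed, the signer certificate.
	public static SignatureStatus Check (string path, out X509Certificate signer)
	{
		signer = null;
		if (!File.Exists (path))
			throw new FileNotFoundException ("file to check not found", path);
		try {
			X509Certificate x509 = X509Certificate.CreateFromSignedFile (path);
			// the post's heuristic: an unsigned file does not give null but a hollow
			// certificate whose GetHashCode () is 0 (Mono post 0.28 and MS 1.x)
			if (x509 == null || x509.GetHashCode () == 0)
				return SignatureStatus.Unsigned;
			signer = x509;
			return SignatureStatus.Signed;
		}
		catch (COMException) {
			// signature present but not verifiable: modified file or untrusted test root
			return SignatureStatus.Invalid;
		}
		catch (CryptographicException) {
			// assumption: other runtimes may throw here instead of returning the hollow
			// certificate; fail closed rather than guess that the file is merely unsigned
			return SignatureStatus.Invalid;
		}
	}

	public static void Main (string[] args)
	{
		// default to a self-check, like the post's program
		string path = args.Length > 0 ? args[0] : Assembly.GetEntryAssembly ().Location;
		X509Certificate cert;
		SignatureStatus status = Check (path, out cert);
		Console.WriteLine ("{0}: {1}", path, status);
		if (cert != null)
			Console.WriteLine ("  signed by {0}, issued by {1}", cert.GetName (), cert.GetIssuerName ());
	}
}
```

Only a Signed result with a non-null signer should be treated as evidence that the file carries a valid Authenticode® signature; the other two outcomes should be handled identically by anything that gates on the check.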

Actually the title is a little misleading - it is strange, but surely not the strangest X.509 certificate you can find. Warning: this is a funny read whether or not you care about X.509 certificates (in the latter case just read the citations).


10/12/2003 20:28:02

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.