CmsWrapperBlob: Add fall back to manual chain validation #25

Open
wants to merge 1 commit into
base: master

qmfrederik
Collaborator

On Windows, building a custom certificate chain with Apple certificates fails; so revert back to manually building the chain. Also add additional validation to make sure the certificate used is actually a code signing certificate.

@qmfrederik
Collaborator Author

qmfrederik commented Nov 27, 2022

The certificate chain validation fails on Windows, even when using the custom trust store. If I recall correctly, this was related to the certificates using the Authority Key Identifier and how Windows checks the AKI when building a trust store. This PR works around that by manually building the certificate chain on Windows.

Regarding the checks which are implemented to make sure a certificate is a valid code signing certificate:

The Certification Practice Statement for the Apple Worldwide Developer Relations Certification Authority can be found at https://www.apple.com/certificateauthority/. This implementation is based on version 1.23, which is available at https://images.apple.com/certificateauthority/pdf/Apple_WWDR_CPS_v1.23.pdf. The details are listed in section 4.11, Certificate Profile, and section 4.11.1, iOS Development and Submission Certificates.
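
One way to express an "is this actually a code signing certificate" check in .NET, added here as an illustration; it is not the code from this pull request. The specific checks (extended key usage `1.3.6.1.5.5.7.3.3`, key usage, basic constraints) and the names `CodeSigningCheck` and `MakeSample` are assumptions, and the sample certificates are constructed in memory.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CodeSigningCheck
{
    // id-kp-codeSigning, defined in RFC 5280.
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    public static bool IsCodeSigningCertificate(X509Certificate2 cert)
    {
        // A CA certificate must never be accepted as the signing leaf.
        var bc = cert.Extensions.OfType<X509BasicConstraintsExtension>().FirstOrDefault();
        if (bc is { CertificateAuthority: true }) return false;

        // If key usage is present, it has to allow digital signatures.
        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku != null && !ku.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)) return false;

        // The EKU must be present and list code signing; a missing EKU is rejected
        // (assumption: fail closed rather than treat "no EKU" as "any usage").
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        return eku != null && eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == CodeSigningEku);
    }

    // Constructed sample: a self-signed certificate carrying the given EKU OID.
    static X509Certificate2 MakeSample(string name, string ekuOid)
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest($"CN={name}", key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(
            new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(ekuOid) }, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        using var signing = MakeSample("Constructed Code Signing", CodeSigningEku);
        using var tls = MakeSample("Constructed TLS Server", "1.3.6.1.5.5.7.3.1");
        Console.WriteLine($"code signing EKU: {IsCodeSigningCertificate(signing)}");
        Console.WriteLine($"serverAuth EKU only: {IsCodeSigningCertificate(tls)}");
    }
}
```

This covers only the usage check on the leaf; chain building, signature verification and validity dates are separate steps.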

qmfrederik force-pushed the fixes/manual-cert-chain branch from 55dd906 to 9be5638 on November 28, 2022 08:32
@filipnavara
Owner

> On Windows, building a custom certificate chain with Apple certificates fails

Can you be more specific about the case where it fails? I used it on Windows to re-sign a couple of packages and it worked for me, so at the very least I would like to know the specific use case where it fails (certs, Windows version, etc.). There are certainly some intermediate/chain certificates that are missing. For example, rcodesign ships 21 certificates (https://github.com/indygreg/apple-platform-rs/tree/main/apple-codesign/src/apple-certs) in their implementation. I never needed the other certs for my use cases, but perhaps newer/older Apple certs depend on them.

I am fine with adding some additional verification of the certificates, but I am not completely convinced about the approach. There's the "designated requirement" property which specifies how to validate the certificate. Ideally the check should be tied to it. There's already AppleCertificateExtensions.IsAppleDeveloperCertificate with a TODO for additional validation, and the designated requirements are parsed into a tree structure (https://github.com/filipnavara/CodeSign/blob/master/Melanzana.CodeSign/Requirements/RequirementSet.cs#L52).
