
Authenticode signing with keys on smart cards


Al_spectrum

Jan 23, 2009, 10:39:01 AM
Hello,

not exactly a security issue...

We Authenticode-sign our drivers and other binaries and the
signing system is currently set up in a "manual" way. That is,
the signing key is in a dedicated, stand-alone and securely
stored laptop, and every time we have to sign a binary, someone
with access to the signing laptop has to copy the binary manually
to the laptop, sign it, and copy it back. This has become a problem,
as the manual signing step complicates, and sometimes delays,
the software release process.
So, we want to automate the signing and are now planning to keep
our signing keys on smart cards.
As this seems non-trivial, to my surprise, I'm looking for advice.

In particular, I'd appreciate any info or pointers concerning:
- is SignTool still the right utility for Authenticode signing with smart
cards?
- smart card types supported by SignTool (or any other MS signing tool
supporting smart cards)
- examples of SignTool command line for signing with smart cards
- any known problems and limitations in the smart card support by
the MS signing tools (platforms, versions, etc.).

Thank you.

Joe Kaplan

Jan 23, 2009, 10:47:26 AM
I use smart cards for this exact purpose and it works fine. The actual
usage is totally transparent. Your signtool command line stays the same.
Essentially, if the smart card is inserted, then the cert+priv key is
"available" to the machine. Someone will need to type in the PIN when
prompted, but you won't see any other major changes.

I like the Gemalto .NET smart cards for this purpose. Note that part of the
transparency I see may be because their cards work with default CSPs. I'm
not sure if you'll have slightly different experiences with other vendors.

I got a starter kit from them which included a set of 25 and have been able
to use their web-based smart card management site to copy cert+priv key onto
their cards importing from P12 format to do the provisioning work.

To make this really really secure, you need to actually change the admin pin
of the cards from the default of 0000 or else the cards are fairly hackable
if stolen. I haven't quite made it over this hurdle yet as I'm uncertain
what card management toolset you need to accomplish that.

Hope that helps!

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Al_spectrum" <Al_sp...@discussions.microsoft.com> wrote in message
news:650971A5-DFC4-4F16...@microsoft.com...

Al_spectrum

Jan 27, 2009, 8:21:01 AM
Joe,

thanks for responding; I would appreciate it if you could find time for
a few further comments.

> I use smart cards for this exact purpose and it works fine. The actual
> usage is totally transparent. Your signtool command line stays the same.

I don't think it's possible in our case. When we sign now, we simply
use "/ac" to specify the Authenticode certificate as a file. When signing
with a key on a smart card, one probably has to use "/csp" and "/kc"
to specify the signing key? Or, do you use "/a"?
Could you show me the SignTool command line that you use when
signing with smart cards?
(Of course, replacing your actual paths and names with placeholders.)

> Essentially, if the smart card is inserted, then the cert+priv key it is
> "available" to the machine. Someone will need to type in the PIN when
> prompted, but you won't see any other major changes.

Can't one use "/p" to specify the PIN? The need to always specify the
PIN manually would seriously hurt the idea of signing automation.


> I like the Gemalto .NET smart cards for this purpose. Note that part of the
> transparency I see may be because their cards work with default CSPs.

Do you mean your private key and certificate are on a smart card, but
you don't have to specify them for SignTool?

> I got a starter kit from them which included a set of 25 and have been able
> to use their web-based smart card management site to copy cert+priv key onto
> their cards importing from P12 format to do the provisioning work.

You copied the private keys through their smart card management site?
I perhaps misunderstand you, or this doesn't sound right from the
security point of view...

Thanks and regards.

Joe Kaplan

Jan 27, 2009, 1:05:41 PM
My signtool command line looks just like this (from inside a batch file):

    signtool.exe sign /n MyCertSubjectName /t http://timestamp.verisign.com/scripts/timstamp.dll /v %1

Here, you can see that I'm only specifying the certificate subject name.
That certificate is actually on the smart card (with the private key), but
since Gemalto's cards work with the built in CSPs, you don't have to specify
anything special to have it find the cert. It just works basically.

I specify a timestamp service to ensure that we use that consistently, but
everything else is default. I have the intermediate CA cert for the code
signing cert installed in the local machine intermediate store, so that gets
included in the signed data by default as a result. Again, you don't need
to specify this. You could have that in a separate file, but it isn't
really needed.

I don't know if you can use /p to specify the PIN. I doubt it, but you
could try. One thing to consider is that by doing this, you are undermining
some of the aspects of smart card's security because if the PIN is recorded
somewhere in plain text, stealing the smart card effectively steals the
private key. You aren't as "two factor" as you were when someone had to
"know" the PIN and enter it on demand. As such, you might want to
reconsider whether you really want smart cards or not for your application.

In reference to the Gemalto cards and their website, I just mean that they
have a web-based tool that allows you to perform operations on a smart card
such as setting the PIN and importing a certificate from a P12 file onto the
card. You'll need some mechanism to handle these things. The web-based
tool is easy to deal with. This all works via an ActiveX control that you
install separately.

I hope that helps

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"Al_spectrum" <Alspe...@discussions.microsoft.com> wrote in message
news:3C9CAB2A-2398-444D...@microsoft.com...
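The following PowerShell script is an added example, not code from the thread or from Joe's batch file. It wraps the signtool usage Joe describes (certificate on a smart card, found through the default CSP, nothing special on the command line) with two checks a release pipeline should make: that exactly one valid certificate for the expected subject is visible before signing, and that the resulting signature verifies against the default Authenticode policy. It deliberately does not pass /p: the PIN stays with the person at the prompt, which is the second factor the thread discusses. Assumptions: signtool.exe is on PATH, the smart card's certificate appears in CurrentUser\My once the card is inserted, and the subject name and timestamp URL are placeholders you replace with your own. The /fd, /tr and /td options require a signtool newer than the 2009-era one in the thread; Joe's /t form works on older versions.

```powershell
# Added example (not from the thread): sign a binary with a smart-card-held
# code-signing key and verify the result. Assumes signtool.exe is on PATH and
# the card's certificate is visible in CurrentUser\My via the default CSP.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [string]$Subject      = 'MyCertSubjectName',                # placeholder, as in the thread
    [string]$TimestampUrl = 'http://timestamp.example.invalid/tsa'  # placeholder TSA URL
)

$ErrorActionPreference = 'Stop'

# 1. Confirm exactly one unexpired certificate with a usable private key matches.
#    Zero matches usually means the card is not inserted or the CSP is not
#    registered; more than one means /n would be ambiguous (e.g. old + renewed cert).
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$Subject*" -and
                   $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) })
if ($certs.Count -ne 1) {
    throw "Expected one valid certificate for '$Subject', found $($certs.Count). Is the smart card inserted?"
}
$cert = $certs[0]

# 2. Sign by thumbprint (/sha1) instead of subject name so a second certificate
#    with the same subject cannot be picked up silently. No /p: the CSP prompts
#    for the PIN, keeping the card's two-factor property intact.
& signtool.exe sign /sha1 $cert.Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify with the default Authenticode policy so a missing intermediate
#    certificate or broken chain is caught now rather than at driver install time.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

Write-Host "Signed and verified $File with $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

Run it as `.\Sign-WithSmartCard.ps1 -File .\driver.sys` (script name is an assumption). If the certificate count check fails before the PIN prompt ever appears, the problem is card visibility through the CSP, which is the "it just works" part of Joe's setup that depends on the card vendor.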
