Skip to content

CmsWrapperBlob: Add fall back to manual chain validation#25

Open
qmfrederik wants to merge 1 commit intofilipnavara:masterfrom
qmfrederik:fixes/manual-cert-chain
Open

CmsWrapperBlob: Add fall back to manual chain validation#25
qmfrederik wants to merge 1 commit intofilipnavara:masterfrom
qmfrederik:fixes/manual-cert-chain

Conversation

@qmfrederik
Copy link
Collaborator

@qmfrederik qmfrederik commented Nov 27, 2022

On Windows, building a custom certificate chain with Apple certificates fails; so revert back to manually building the chain. Also add additional validation to make sure the certificate used is actually a code signing certificate.

@qmfrederik
Copy link
Collaborator Author

qmfrederik commented Nov 27, 2022
edited
Loading

The certificate chain validation fails on Windows, even when using the custom trust store. If I recall correctly, this was related to the certificates using the Authority Key Identifier and how Windows checks the AKI when building a trust store. This PR works around that by manually building the certificate chain on Windows.

Regarding the checks which are implemented to make sure a certificate is a valid code signing certificate:

The Certification Practice Statement for the Apple Worldwide Developer Relations Certification Authority can be found at https://www.apple.com/certificateauthority/. This implementation is based on version 1.23, which is available at https://images.apple.com/certificateauthority/pdf/Apple_WWDR_CPS_v1.23.pdf. The details are listed in section 4.11, Certificate Profile, and section 4.11.1, iOS Development and Submission Certificates.

@qmfrederik
CmsWrapperBlob: Add fall back to manual chain validation
9be5638 
On Windows, building a custom certificate chain with Apple certificates fails; so revert back to manually building the chain.  Also add additional validation to make sure the certificate used is actually a code signing certificate.
@qmfrederik qmfrederik force-pushed the fixes/manual-cert-chain branch from 55dd906 to 9be5638 Compare November 28, 2022 08:32
@filipnavara
Copy link
Owner

filipnavara commented Dec 3, 2022

On Windows, building a custom certificate chain with Apple certificates fails

Can you be more specific about the case where it fails? I used it on Windows to resign a couple of packages and it worked for me, so at very least I would like to know the specific use case where it fails (certs, Windows version, etc.). There are certainly some intermediate/chain certificates that are missing. For example, rcodesign ships 21 certificates (https://github.com/indygreg/apple-platform-rs/tree/main/apple-codesign/src/apple-certs) in their implementation. I never needed the other certs for my use cases, but perhaps newer/older Apple certs depend on them.

I am fine with adding some additional verification of the certificates, but I am not completely convinced about the approach. There's the "designated requirement" property which specifies how to validate the certificate. Ideally the check should be tied to it. There's already AppleCertificateExtensions.IsAppleDeveloperCertificate with a TODO for additional validation, and the designated requirements are parsed into a tree structure (https://github.com/filipnavara/CodeSign/blob/master/Melanzana.CodeSign/Requirements/RequirementSet.cs#L52).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@qmfrederik @filipnavara