EldoS | Feel safer!


timestamp problem in authenticode

#10543
Posted: 07/08/2009 04:43:24
by Gerald So (Basic support level)
Joined: 05/07/2009
Posts: 7

Hi, I tested the sample 'AuthenticodeDemo' within the 'SBB 7.1.156' and found a problem with timestamp verifying. If a file's TSP was signed by 'http://timestamp.verisign.com/scripts/timstamp.dll', all worked well. If signed by 'http://timestamp.globalsign.com/scripts/timstamp.dll' or 'http://www.trustcenter.de/codesigning/timestamp' or 'http://timestamp.comodoca.com/authenticode', the timestamp would not be displayed when verifying.
The same thing happened with a TSP signed by myself with the code below:
Code
procedure TFormMain.ElAuthenticodeSignerTimestampNeeded(Sender: TObject;
  const Request: ByteArray; var Reply: ByteArray; var Succeeded: Boolean);
var
  res : integer;
  OutStream, InStream : TMemoryStream;
  PFXStream : TFileStream;
  PFXName : string;
begin
  Succeeded := false;
  OutStream := TMemoryStream.Create;
  InStream := TMemoryStream.Create;
  try
    if editTSPURL.Text = '' then
    begin
      // No TSA URL given: countersign the request locally with the test PFX
      PFXName := ExtractFilePath(GetModuleName(0)) + 'tsa1024.pfx';
      if FileExists(PFXName) then
      begin
        PFXStream := TFileStream.Create(PFXName, fmOpenRead);
        try
          if TSPCertStore.LoadFromStreamPFX(PFXStream, '') = 0 then
          begin
            // Feed the DER request to the local TSP server component
            InStream.WriteBuffer(Request[0], Length(Request));
            InStream.Position := 0;
            if TSPSvr.LoadRequestFromStream(InStream) = 0 then
            begin
              TSPSvr.TSPInfo.Time := UTCNow;
              Succeeded := TSPSvr.SaveReplyToStream(psGranted, 0, OutStream);
            end;
          end;
        finally
          PFXStream.Free;  // released even if loading or signing raises
        end;
      end;
    end else
    begin
      // Post the request to the external TSA; the reply body lands in OutStream
      HTTPSClient.OutputStream := OutStream;
      res := HTTPSClient.Post(editTSPURL.Text, Request);
      Succeeded := res = 200;
    end;
    if Succeeded then
    begin
      // Hand the raw reply back to the signer
      OutStream.Position := 0;
      SetLength(Reply, OutStream.Size);
      OutStream.ReadBuffer(Reply[0], OutStream.Size);
    end;
  finally
    OutStream.Free;
    InStream.Free;
  end;
end;


#10544
Posted: 07/08/2009 04:52:42
by Gerald So (Basic support level)
Joined: 05/07/2009
Posts: 7

In addition, all the signed files pass the MS 'signtool.exe verify' command, even if 'AuthenticodeDemo' does not display their timestamp.
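Added example, not code from the posts above or from the SecureBlackbox sample: a small Python script that builds the base64 request body which a legacy Authenticode timestamp server (the timstamp.dll-style URLs mentioned in the first post) expects, round-trips it, and decodes a reply far enough to report whether its outer ContentInfo is a PKCS#7 SignedData. It assumes the request and reply layout from Microsoft's Authenticode timestamp documentation and uses constructed sample bytes in place of a real signature and real TSA output. It is a format check for looking at what the TimestampNeeded callback sends and receives when a verifier fails to show the timestamp, not a replacement for full signature validation.

```python
"""Build and inspect legacy (pre-RFC 3161) Authenticode timestamp messages."""
import base64

# Object identifiers used by the legacy Authenticode timestamp protocol.
OID_SPC_TIME_STAMP_REQUEST = "1.3.6.1.4.1.311.3.2.1"  # countersignatureType in the request
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"               # ContentInfo.contentType wrapping the signature
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"        # expected outer type of the TSA reply


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element); raises on truncation."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_timestamp_request(signature: bytes) -> bytes:
    """Base64 body POSTed to a legacy Authenticode TSA.

    TimeStampRequest ::= SEQUENCE { countersignatureType OID, content ContentInfo }
    ContentInfo      ::= SEQUENCE { contentType OID (data), [0] EXPLICIT OCTET STRING }
    The OCTET STRING carries the signature value to be countersigned.
    """
    content_info = _tlv(0x30, _encode_oid(OID_PKCS7_DATA) + _tlv(0xA0, _tlv(0x04, signature)))
    request = _tlv(0x30, _encode_oid(OID_SPC_TIME_STAMP_REQUEST) + content_info)
    return base64.b64encode(request)


def parse_timestamp_request(b64: bytes) -> dict:
    """Decode a request back into its OIDs and signature (round-trip check)."""
    der = base64.b64decode(b64)
    _, outer, _ = _read_tlv(der)
    tag, oid_body, pos = _read_tlv(outer)
    if tag != 0x06:
        raise ValueError("request does not start with an OID")
    _, content_info, _ = _read_tlv(outer, pos)
    _, ctype_body, pos2 = _read_tlv(content_info)
    _, explicit, _ = _read_tlv(content_info, pos2)
    _, sig, _ = _read_tlv(explicit)
    return {"countersignatureType": _decode_oid(oid_body),
            "contentType": _decode_oid(ctype_body),
            "signature": sig}


def reply_content_type(b64: bytes) -> str:
    """Outer ContentInfo.contentType of a TSA reply; a usable Authenticode
    timestamp reply is a PKCS#7 SignedData (1.2.840.113549.1.7.2)."""
    der = base64.b64decode(b64)
    tag, outer, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("reply is not a DER SEQUENCE")
    tag, oid_body, _ = _read_tlv(outer)
    if tag != 0x06:
        raise ValueError("reply SEQUENCE does not start with an OID")
    return _decode_oid(oid_body)


# Constructed sample data (not a real signature, not real TSA output; the
# "good" reply is only a SignedData shell with a version field).
SAMPLE_SIGNATURE = bytes(range(32))
SAMPLE_GOOD_REPLY = base64.b64encode(
    _tlv(0x30, _encode_oid(OID_PKCS7_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x01")))))
SAMPLE_BAD_REPLY = base64.b64encode(
    _tlv(0x30, _encode_oid(OID_PKCS7_DATA) + _tlv(0xA0, _tlv(0x04, b"x"))))
```

To use it against a real exchange, base64-decode the bytes passed as Request and Reply in the callback and feed them to parse_timestamp_request and reply_content_type; a reply whose outer type is not SignedData, or that fails to parse as DER at all, is the first thing to compare between the TSA that works and the ones that do not.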

