verify wsusscn2.cab failed #118

Closed
mirostauder opened this issue Sep 15, 2021 · 2 comments

mirostauder commented Sep 15, 2021

Trying to verify the Microsoft MBSA cab file
http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab
Getting a failed result.

gentoo # osslsigncode -v
osslsigncode 2.2.0, using:
	OpenSSL 1.1.1l  24 Aug 2021 (Library: OpenSSL 1.1.1l  24 Aug 2021)
	libcurl/7.78.0 OpenSSL/1.1.1l zlib/1.2.11 brotli/1.0.9 libssh2/1.9.0_DEV nghttp2/1.43.0

Please send bug-reports to Michal.Trojnara@stunnel.org

gentoo # osslsigncode verify -in wsusscn2.cab 
Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA256
Current message digest    : F6761010C997DBA6FC036FF118399E25E0CB279F741C1CAA9444BCD6902B860B
Calculated message digest : F6761010C997DBA6FC036FF118399E25E0CB279F741C1CAA9444BCD6902B860B

Signer's certificate:
	Signer #0:
		Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
		Serial : 33000001DF6BF02E92A74AB4D00000000001DF
		Certificate expiration date:
			notBefore : Dec 15 21:31:45 2020 GMT
			notAfter : Dec  2 21:31:45 2021 GMT

Number of certificates: 2
	Signer #0:
		Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
		Serial : 33000001DF6BF02E92A74AB4D00000000001DF
		Certificate expiration date:
			notBefore : Dec 15 21:31:45 2020 GMT
			notAfter : Dec  2 21:31:45 2021 GMT
	------------------
	Signer #1:
		Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
		Serial : 610E90D2000000000003
		Certificate expiration date:
			notBefore : Jul  8 20:59:09 2011 GMT
			notAfter : Jul  8 21:09:09 2026 GMT

Authenticated attributes:
	Message digest algorithm: SHA256
	Message digest: 83317FC77E67B19114D1D2ABA94FC876AFE3D99E8597A7880F3BDF3BE8C09CF2
	Signing time: N/A
	Microsoft Individual Code Signing purpose
	URL description: http://www.microsoft.com
	Text description: Microsoft

The signature is timestamped: Sep 14 05:03:59 2021 GMT
Hash Algorithm: sha256
Timestamp Verified by:
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
		Serial : 3300000151C350E7596CAAC6A7000000000151

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
CRL distribution point: http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

CMS_verify error
140414913832768:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate
Timestamp Server Signature verification: failed

PKCS7_verify error
140414913832768:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:284:Verify error:unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 1
Failed

This is on Gentoo, but I tried v2.1 on Debian with a similar result.
Any idea what's going on?
Am I doing it wrong?

@olszomal
Collaborator

Try using the -CAfile and -TSA-CAfile options, which specify where to find the needed CA or TSA certificates in PEM format.
The indicated files:
CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
don't contain the appropriate CA certificates.
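
The reply above can be checked against the verify output itself: the signature carries the signer and intermediate certificates, but the issuer of the last one is not embedded and has to be present in the file given to -CAfile. The following is an added example, not part of this thread or of osslsigncode; the function names are assumptions and the sample is trimmed from the output quoted in the issue.

```python
# Constructed sample: trimmed from the `osslsigncode verify` output quoted in this issue.
SAMPLE = """\
Number of certificates: 2
    Signer #0:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
    ------------------
    Signer #1:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011

Authenticated attributes:
    Message digest algorithm: SHA256

Timestamp Verified by:
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
"""

def embedded_chain(report):
    """Return (subject, issuer) pairs listed under 'Number of certificates'."""
    certs, in_block, subject = [], False, None
    for line in report.splitlines():
        if line.startswith("Number of certificates:"):
            in_block = True
        elif in_block and line and not line[0].isspace():
            break  # the next unindented heading ends the block
        elif in_block:
            key, _, value = line.strip().partition(":")
            if key.strip() == "Subject":
                subject = value.strip()
            elif key.strip() == "Issuer" and subject:
                certs.append((subject, value.strip()))
                subject = None
    return certs

def issuers_not_embedded(certs):
    """Issuers with no matching embedded subject; the verifier needs them from -CAfile.
    An embedded self-signed root never appears here, yet it still has to be trusted."""
    subjects = {s for s, _ in certs}
    return sorted({i for _, i in certs if i not in subjects})

def tsa_issuer(report):
    """Issuer of the timestamp signer; the -TSA-CAfile bundle must chain up from it."""
    lines = iter(report.splitlines())
    for line in lines:
        if line.startswith("Timestamp Verified by:"):
            for nxt in lines:
                key, _, value = nxt.strip().partition(":")
                if key.strip() == "Issuer":
                    return value.strip()
    return None

def common_name(dn):
    return dn.rsplit("/CN=", 1)[-1]
```

For the output in this issue, the only issuer not embedded is the one with CN "Microsoft Root Certificate Authority 2011", and the timestamp signer was issued by "Microsoft Time-Stamp PCA 2010".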

mtrojnar closed this as completed Mar 6, 2022

jgstew commented Aug 9, 2022

What are the right options for -CAfile and -TSA-CAfile, and where do I find the default set of certs to use for verification for Windows?

When I do verification on Ubuntu, it seems to just work, so it must have them. When I try verification on Windows, it doesn't work.
