things & stuff » Cryptography

The Demise of CAPICOM

Jeff Fitzsimons — Thu, 16 Oct 2008 06:43:01 +0000

CAPICOM, a COM-based wrapper for the CryptoAPI library, is deprecated and on its way out. However, Microsoft has no time line for phasing it out, nor have they provided sufficient documentation of alternatives.

Many CAPICOM pages contain a confusing, bright-red header along the lines of:

[The SignedCode object is available for use in the operating systems listed in the Requirements section. Instead, use Platform Invocation Services (PInvoke) to call the Win32 API SignerSignEx, SignerTimeStampEx, and WinVerifyTrust functions to sign content with an Authenticode digital signature. For information about PInvoke, see Platform Invoke Tutorial. The .NET and CryptoAPI via P/Invoke: Part 1 and .NET and CryptoAPI via P/Invoke: Part 2 subsections of Extending .NET Cryptography with CAPICOM and P/Invoke may also be helpful.]

Note that this alarming paragraph seems to begin by simply telling you that this API is supported on the operating systems listed later. It does not state that the API will not be available on later OSes, but why place this here otherwise? The next sentence, beginning with, “Instead, …” seems to be contrasting with something, yet makes absolutely no sense in this context.

Finally, this paragraph instructs us to investigate SignerSignEx, and SignerTimeStampEx, which are supplied by the mssign32.dll, have no header file, and absolutely no example code. This is what I find most irksome, they document each and every function and structure, yet each page says, “there is no header file, so copy and paste the declaration given here.” Well, why not simply provide an mssign.h file on blogs.msdn, or similar? And why, oh why, is there not a single line of sample code?

Follow-up

I have provided a basic header file for mssign32.dll, here.

GnuPG Plugin for vim Under Cygwin

Jeff Fitzsimons — Sat, 04 Oct 2008 18:50:57 +0000

GnuPG, GNU Privacy Guard, is a free system for encrypting files, emails, etc. The GnuPG plugin for vim provides automatic encryption and decryption of files within vim. If you attempt to edit a GnuPG-encrypted file with vim, it will prompt you for the password, and re-encrypt the file when you’re done editing.

Download the gnupg plugin for vim from here and copy it into your user directory directory under .vim/plugin. From the Cygwin bash prompt:

mkdir ~/.vim/plugin
copy gnupg.vim ~/.vim/plugin

Run vim, then use the :scriptnames command and verify that gnupg.vim appears in the list of sourced scripts:

  1: /cygdrive/c/Users/username/.vim/plugin/gnupg.vim

Using Certificates and Signtool

Jeff Fitzsimons — Fri, 12 Sep 2008 21:24:12 +0000

Obtain a Software Publisher Certificate

Your Certificate Authority will supply one of the following:

a Personal Information Exchange (.pfx) file
a Software Publisher Certificate (.spc), and a Private Key (.pvk) file
a CER-encoded X.509 Certificate (.cer), and a Private Key (.pvk) file

For the second and third case, these file must be converted to a Personal Information Exchange (.pfx) file.

Convert SPC or CER to Personal Information Exchange (.pfx)

Syntax for .spc conversion:

pvk2pfx -pvk filename.pvk -pi password -spc filename.spc -pfx output.pfx

The syntax is identical for .cer conversion:

pvk2pfx -pvk filename.pvk -pi password -spc filename.cer -pfx
output.pfx

Sign the Executable

Signtool.exe can be used to sign executables (.exe) and Dynamic Link Libraries (.DLL).

Basic Signature

signtool.exe sign /v /f filename.pvk /p password executable

Signature With Timestamp

signtool.exe sign /v /f filename.pvk /p password /t url executable

Where url is the URL of your Certificate Authorities timestamp server (e.g. http://timestamp.verisign.com/scripts/timestamp.dll for VeriSign)

Signature Verification

signtool verify /pa executable

/pa indicates that the “Default Authenticode” verification policy is used. Omitting the switch will cause the verification to fail, which does not necessarily mean that a given file isn’t Authenticode signed.

Resources

Windows Driver Kit: Device Installation, Software Publisher Certificate (MSDN)
PKCS12 is the successor to PFX.

mssign32.dll

Jeff Fitzsimons — Fri, 12 Sep 2008 02:48:19 +0000

With CAPICOM deprecated, MSDN suggests using the mssign32.dll functions. There are two fundamental problems with this:

No example code whatsoever is provided.
No header file is provided.

Well, at least I can do something about #2. Here is a minimal version of a header file for mssign32.dll. It includes direct function declarations, as well as function pointer typedefs.

The function pointers can be used with LoadLibrary/GetProcAddress to dynamically call the functions, as in:

SignerSignPtr pSignerSign =
    (SignerSignPtr)GetProcAddress(hModule, "SignerSign");

SSH Key Generation and Conversion With OpenSSH

Jeff Fitzsimons — Wed, 21 May 2008 23:40:13 +0000

Key Generation

Generate a DSA key:

ssh-keygen -t dsa

This will generate an RFC 4716-formatted key file similar to the following:

An accompanying, OpenSSH-formatted public key file should also be generated under the same file name with a .pub suffix. It should appear similar to the following:

ssh-dss AAAAB3NzaC1kc3MAAACBAOKN+mbJcFmmerwSESFLF4nPt83EiVZgPq3t
u+INkwBGHyYsKvZu6DYnUr5GXiqgtAnvNEaXK3BDaStMKa9VqE6PL2b9Bbn3fqsL
JVLX09F0kwQQxI28tBoy2kpucenTPxez9fUKQObFOE6W9FWOI5t13RT14QsuijlU
dq5Uea5/AAAAFQDu45eG8YFV3l9PViXMjlwFGrjVxwAAAIAXbQRJeBO9tt3EMQJr
a19OL+PX/56Y1X/7O5FqrrGaz8rSmJmEyWQrcEP0+AeFd+pm5FP9n1vyNredHfgf
YovdQicI1XqRKrqH4wMwsmc1AbjAAMtjDenlPPP+FTC1+qln/17sWkF2B+ihLbvg
aA8pMbwEVGK50jO0+krga56JygAAAIEAy8hllDrFzQUqFG0kMe8r3dOFDjMQHf6I
TttmAiScwEPg+a5D++Sqbj42vkKSNgaYHc+Z8QPgerPehIkBde6wx0ukq0a8IXy8
F86IasXz3wzotPeJsdKimynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir/qReguMH
fqDGCI4kSFY= user@hostname

Export Public Key in RFC 4716 Format

Given a private key, export its public key:

ssh-keygen -e -f private_key

This will generate a RFC 4716 output similar to the following:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by user@hostname"
AAAAB3NzaC1kc3MAAACBAOKN+mbJcFmmerwSESFLF4nPt83EiVZgPq3tu+INkwBGHyYsKv
Zu6DYnUr5GXiqgtAnvNEaXK3BDaStMKa9VqE6PL2b9Bbn3fqsLJVLX09F0kwQQxI28tBoy
2kpucenTPxez9fUKQObFOE6W9FWOI5t13RT14QsuijlUdq5Uea5/AAAAFQDu45eG8YFV3l
9PViXMjlwFGrjVxwAAAIAXbQRJeBO9tt3EMQJra19OL+PX/56Y1X/7O5FqrrGaz8rSmJmE
yWQrcEP0+AeFd+pm5FP9n1vyNredHfgfYovdQicI1XqRKrqH4wMwsmc1AbjAAMtjDenlPP
P+FTC1+qln/17sWkF2B+ihLbvgaA8pMbwEVGK50jO0+krga56JygAAAIEAy8hllDrFzQUq
FG0kMe8r3dOFDjMQHf6ITttmAiScwEPg+a5D++Sqbj42vkKSNgaYHc+Z8QPgerPehIkBde
6wx0ukq0a8IXy8F86IasXz3wzotPeJsdKimynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir
/qReguMHfqDGCI4kSFY=
---- END SSH2 PUBLIC KEY ----

Convert Public RFC 4716 to Public OpenSSH Format

Convert the exported public key from RFC 4716 format to OpenSSH format (for use in an authorized_keys file, for example):

ssh-keygen -i -f public_key

This will generate OpenSSH-formatted output similar to the following:

ssh-dss AAAAB3NzaC1kc3MAAACBAOKN+mbJcFmmerwSESFLF4nPt83EiVZgPq3t
u+INkwBGHyYsKvZu6DYnUr5GXiqgtAnvNEaXK3BDaStMKa9VqE6PL2b9Bbn3fqsL
JVLX09F0kwQQxI28tBoy2kpucenTPxez9fUKQObFOE6W9FWOI5t13RT14QsuijlU
dq5Uea5/AAAAFQDu45eG8YFV3l9PViXMjlwFGrjVxwAAAIAXbQRJeBO9tt3EMQJr
a19OL+PX/56Y1X/7O5FqrrGaz8rSmJmEyWQrcEP0+AeFd+pm5FP9n1vyNredHfgf
YovdQicI1XqRKrqH4wMwsmc1AbjAAMtjDenlPPP+FTC1+qln/17sWkF2B+ihLbvg
aA8pMbwEVGK50jO0+krga56JygAAAIEAy8hllDrFzQUqFG0kMe8r3dOFDjMQHf6I
TttmAiScwEPg+a5D++Sqbj42vkKSNgaYHc+Z8QPgerPehIkBde6wx0ukq0a8IXy8
F86IasXz3wzotPeJsdKimynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir/qReguMH
fqDGCI4kSFY=