InCommon/Comodo Code Signing Certificates - Requestor


InCommon/Comodo Code Signing Certificates - requestor
Jim Dutton
11/07/2013, 12/13/2013, 11/24/2015

The process for “creating” a Code Signing Certificate (C-S-C) is radically different from that of creating an SSL Certificate. Using the inCommon/Comodo process, via their Certificate Manager (CM) application, there are basically three stages:

- RAO verifies/assigns Organization and/or Department with Code Signing Certificate capability (not included)
- RAO “authorizes” an individual, using only their name and e-mail address via CM, to be allowed to “join” an invitation from Comodo to authorize themselves and, if approved, to receive and download the private key, public key, and C-S-C; the individual's e-mail “domain” must match the Organization/Department “domain” above! (not included)
- authorized individual receives the “invitation e-mail”, goes through 2nd stage authorization, receives another e-mail to import the C-S-C into their web browser, then exports the C-S-C for use by Java/Jar signing process(es) (see Stage 3 below)

Using this process, there is NO CSR required as with SSL Certificates. There is also no private key created on the “user side”. All of the C-S-C component creation occurs on the “Comodo side”. This also differs from some application instructions with regard to a C-S-C, where they have one go through the CSR creation, submission, certificate/public key reception and export for Java/Jar signing processes.

It is possible to create a Java certificate manager “data/key store” solely with the Comodo delivered PKCS12 bundle (C-S-C and Comodo intermediary CA certificates), thereby importing all components, including the private key.

Note: there is NO inCommon/Comodo documentation that covers all of these stages (nor even mentions them), and any related Comodo documentation is out of date or limited to a single, specific, Windows application for performing Java/JAR signing, which does not apply to traditional (Java) “keytool” or Oracle's “jarsigner” signing applications.

Note: for any given Organization/Department – ALL inCommon/Comodo C-S-Cs may have the SAME X.509 Subject DN! For example,

Subject: /C=US/postalCode=62901/ST=Illinois/L=Carbondale/street=Wham B15/street=625 Wham Drive/O=Southern Illinois University/OU=SIUC Information Technology/CN=Southern Illinois University

Note the Common Name (CN) and Organizational Unit (OU) values. Also note that NONE of these fields are selectable or alterable by the RAO, as the CSR is created wholly by and within Comodo! There is, however, a “Subject Alternative Name” field in the certificate with the requestor's e-mail address, but that hardly identifies a particular host/desktop/computer.

Stage 3 – Requestor finishes authorization and imports C-S-C

1. After Comodo has reviewed the C-S-C CM authorization (so far, 1 to 2 business days) they send out the “Invitation” e-mail to the requestor
2. Requestor chooses which web browser client to use (default or otherwise) and opens up the “validate your email address” URL

3. Requestor performs “User Registration”
   1. Internet Explorer
      Take defaults unless otherwise directed. “User Protected” adds a user generated password to the C-S-C and is optional, but will be required every time the C-S-C is used. If selected, additional process windows will appear.
   2. Firefox
4. E-mail validation accepted

5. Requestor receives C-S-C import e-mail
   NOTE: the “install the certificate” URL WILL import the C-S-C bundle INTO the default web browser. If this is not desired, then choose the specific web browser to use and paste the above URL into that web browser (and activate it)
6. Import of C-S-C bundle
   1. Internet Explorer

   2. Firefox
7. Verify C-S-C in web browser certificate database

8. Backup/export the C-S-C bundle
   1. In the browser Certificate Manager window, select the C-S-C, and then click on the “Backup” button (not the “Backup All” button which will export ALL certificates listed, highlighted or not)
   2. An export password will be required
   3. Export/backup completion

The “backup file” (PKCS12 format, “.p12” extension) will now contain the entire C-S-C bundle, which can then be imported into whatever Java certificate manager tool will be used for doing the actual Java/JAR signing.

Verifying contents and validity of “.p12” C-S-C bundle

This requires the “openssl” command to be available somewhere (Unix, Linux).

First – let's verify the contents:

- There should be one certificate, the “C-S-C”, with “SIUC” and/or “Southern Illinois University” in it
- There should be multiple Comodo interim/intermediate CA certificates
- There should be one Private Key
- For each of the certificates, there should be “issuer” and “subject” text lines

To display the basic contents:

- Use: openssl pkcs12 -info -in <full path to “.p12” file>
- You may/will be prompted for the export/backup password/passphrase
- The results will look something like the listing that follows
  - note the “subject” and “issuer” lines, which are associated with the certificate data block that follows them
- The Private Key “Enter PEM pass phrase” prompt will accept anything of 4 or more characters
  - the value doesn't matter since the content is not being saved

openssl pkcs12 -info -in codesigningbackup.p12
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    friendlyName: Southern Illinois University's Internet2 ID
    localKeyID: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE wDgQITB/4unj9UycCAggA.-----END ENCRYPTED PRIVATE KEY----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
    friendlyName: InCommon Code Signing CA - The USERTRUST Network
subject=/C=US/O=Internet2/OU=InCommon/CN=InCommon Code Signing CA
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
-----BEGIN zF tGnDANBgkqhkiG9w0BAQUFADCB.-----END CERTIFICATE----
Certificate bag
Bag Attributes
    friendlyName: UTN-USERFirst-Object - AddTrust AB
subject=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN GJCanSzANBgkqhkiG9w0BAQUFADBv.-----END CERTIFICATE----
Certificate bag
Bag Attributes
    friendlyName: AddTrust External Root
subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN BAQUFADBvMQswCQYDVQQGEwJTRTEU.-----END CERTIFICATE----
Certificate bag
Bag Attributes
    friendlyName: Southern Illinois University's Internet2 ID
    localKeyID: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
subject=/C=US/postalCode=62901/ST=Illinois/L=Carbondale/street=Wham B15/street=625 Wham Drive/O=Southern Illinois University/OU=SIUC Information Technology/CN=Southern Illinois University
issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Code Signing CA
-----BEGIN F5ljCuXgwDQYJKoZIhvcNAQEFBQAw.-----END CERTIFICATE-----
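The content checklist above can be applied mechanically to a saved copy of the `openssl pkcs12 -info` listing. The following is an added example, not part of the original document: the sample text and all names in it are constructed, the signing certificate is assumed to be the one whose localKeyID matches the private key's, and the check that the signer's issuer appears among the bundled CA certificates goes one step beyond the checklist.

```python
import re

# Constructed sample shaped like `openssl pkcs12 -info` output (PEM bodies omitted).
SAMPLE = """\
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
    localKeyID: 01 02 03 04
Certificate bag
subject=/C=US/O=Example CA/CN=Example Code Signing CA
issuer=/C=US/O=Example CA/CN=Example Root
Certificate bag
subject=/C=US/O=Example CA/CN=Example Root
issuer=/C=US/O=Example CA/CN=Example Root
Certificate bag
    localKeyID: 01 02 03 04
subject=/C=US/O=Example University/CN=Example University
issuer=/C=US/O=Example CA/CN=Example Code Signing CA
"""

def _field(chunk, name):
    m = re.search(rf"(?m)^\s*{name}\s*[=:]\s*(.+)$", chunk)
    return m.group(1).strip() if m else None

def parse_bags(text):
    # Each bag starts at a key-bag or certificate-bag line of the listing.
    starts = ("Shrouded Keybag", "Key bag", "Certificate bag")
    chunks = re.split(r"(?m)^(?=Shrouded Keybag|Key bag|Certificate bag)", text)
    return [{"cert": c.startswith("Certificate bag"), "key_id": _field(c, "localKeyID"),
             "subject": _field(c, "subject"), "issuer": _field(c, "issuer")}
            for c in chunks if c.startswith(starts)]

def check_bundle(text):
    bags = parse_bags(text)
    keys, certs = [b for b in bags if not b["cert"]], [b for b in bags if b["cert"]]
    # The signing certificate is the one whose localKeyID matches the private key's.
    leafs = [c for c in certs if keys and c["key_id"] and c["key_id"] == keys[0]["key_id"]]
    cas = [c for c in certs if c not in leafs]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if len(leafs) != 1:
        problems.append(f"expected 1 certificate bound to the key, found {len(leafs)}")
    if len(cas) < 2:
        problems.append(f"expected multiple CA certificates, found {len(cas)}")
    if any(not (c["subject"] and c["issuer"]) for c in certs):
        problems.append("a certificate bag lacks a subject or issuer line")
    if any(l["issuer"] not in {c["subject"] for c in cas} for l in leafs):
        problems.append("no CA certificate in the bundle matches the signer's issuer")
    return problems
```

An empty list from check_bundle means the listing has one key, one certificate bound to it, and a CA set that includes the signer's issuer.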

Now let's display the important parts of the Comodo signed certificate, which should also show “your” e-mail address, which implies that only “you” will be allowed/authorized to use this certificate.

- Create a new file with just the signed certificate in it
  openssl pkcs12 -out <new filename> -in <path to “.p12” file> -nokeys -clcerts
- Now display the text portion of the signed certificate
  openssl x509 -noout -text -in <new filename>
- The output should look something like the following (note the Subject Alternative Name):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial x:xx
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Code Signing CA
        Validity
            Not Before: Dec 10 00:00:00 XXXX GMT
            Not After : Dec 10 23:59:59 XXXX GMT
        Subject: C=US/2.5.4.17=62901, ST=Illinois, L=Carbondale/2.5.4.9=Wham B15/2.5.4.9=625 Wham Drive, O=Southern Illinois University, OU=SIUC Information Technology, CN=Southern Illinois University
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 .
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key XX:XX:XX:XX:XX:XX:XX:XX:XX
            X509v3 Subject Key XX:XX:XX:XX:XX:XX:XX
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                Code Signing
            Netscape Cert Type:
                Object Signing
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.5923.1.4.3.2.1
                CPS: https://www.incommon.org/cert/repository/cps code signing.pdf
            X509v3 CRL Distribution ningCA.crl
            Authority Information Access:
                CA Issuers - .crt
                OCSP - URI:http://ocsp.incommon.org
            X509v3 Subject Alternative Name:
                email:YOUR@MAIL.ADDRESS
    Signature Algorithm: :XX:XX:XX:XX:XX:XX:XX:XX:.
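Because every C-S-C for a department may carry the same Subject DN, the fields worth checking in the `openssl x509 -noout -text` output are the usage extensions, the validity end date and the e-mail address in the Subject Alternative Name. The following is an added example, not part of the original document: the sample text, the e-mail address and the dates are constructed, and the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample shaped like `openssl x509 -noout -text` output; values are placeholders.
SAMPLE = """\
        Validity
            Not Before: Dec 10 00:00:00 2015 GMT
            Not After : Dec 10 23:59:59 2018 GMT
        Subject: C=US, O=Example University, CN=Example University
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Alternative Name:
                email:requestor@example.edu
"""

def ext_value(text, name):
    # The value of an X509v3 extension is printed on the line after its header.
    m = re.search(rf"(?m)^\s*X509v3 {re.escape(name)}:.*\n\s*(.+)$", text)
    return m.group(1).strip() if m else ""

def summarize(text):
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    return {
        "subject": re.search(r"(?m)^\s*Subject:\s*(.+)$", text).group(1).strip(),
        "not_after": datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z"),
        "key_usage": ext_value(text, "Key Usage"),
        "eku": ext_value(text, "Extended Key Usage"),
        "is_ca": "CA:TRUE" in ext_value(text, "Basic Constraints"),
        "emails": re.findall(r"email:([^\s,]+)", ext_value(text, "Subject Alternative Name")),
    }

def signing_problems(text, requestor_email, now):
    cert, problems = summarize(text), []
    if "Code Signing" not in cert["eku"]:
        problems.append("Extended Key Usage lacks Code Signing")
    if "Digital Signature" not in cert["key_usage"]:
        problems.append("Key Usage lacks Digital Signature")
    if cert["is_ca"]:
        problems.append("certificate is a CA certificate, not an end-entity one")
    if now > cert["not_after"]:
        problems.append("certificate has expired")
    if requestor_email.lower() not in [e.lower() for e in cert["emails"]]:
        problems.append("Subject Alternative Name lacks the requestor's e-mail address")
    return problems
```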

Appendix B – Result of deleting C-S-C from web browser

First, it should be noted that you only get to download the C-S-C bundle ONCE. This becomes apparent on a second attempt and the following error message

Second, if you have NOT “backed up” (exported) the C-S-C bundle and you delete the C-S-C certificate from the browser, then you are “out of luck” and will have to request another C-S-C. This is also true if the browser certificate database (“certX.db” for Mozilla browsers) is deleted, damaged, or the host/desktop used in the C-S-C processing is deleted or damaged.

It is unclear as to what the “Please ensure . the same computer that you requested it from” message really means. Did Comodo secretly store something (cookie, or something else) during the process that it then looks for later when importing the C-S-C bundle? We have not been able to find any permanent cookie related to Comodo, inCommon, or Addtrust (one of their CA names). Does the Comodo application/process for the requestor authentication acquire host/browser/desktop information from the HTTP connection, with that data later used in some fashion to verify “same computer”? Or does Comodo somehow track the live usage of signed Java entities and then compare that with something that they keep to see if there is a difference?
