Sebastien Pouliot 45aa840540 2004-08-10 Sebastien Pouliot <[email protected]> 21 years ago
..
certview 688896e493 2004-03-21 Sebastien Pouliot <[email protected]> 22 years ago
.cvsignore 00b4f4be2e Ignore *.mdb everywhere. 21 years ago
AssemblyInfo.cs 8c75888d9d 2004-08-06 Sebastien Pouliot <[email protected]> 21 years ago
ChangeLog 45aa840540 2004-08-10 Sebastien Pouliot <[email protected]> 21 years ago
MakeCert.cs 35589b7189 2003-07-30 Sebastien Pouliot <[email protected]> 22 years ago
Makefile 8ac07d29d4 (PROGRAM_INSTALL_DIR): New define. 21 years ago
README bf6957c121 2004-02-26 Sebastien Pouliot <[email protected]> 22 years ago
StrongNameManager.cs a9e8ff0947 2004-06-09 Sebastien Pouliot <[email protected]> 21 years ago
cert2spc.cs f00550e867 2004-04-22 Sebastien Pouliot <[email protected]> 22 years ago
certmgr.cs 45aa840540 2004-08-10 Sebastien Pouliot <[email protected]> 21 years ago
chktrust.cs 11b945ce2e 2003-09-01 Sebastien Pouliot <[email protected]> 22 years ago
secutil.cs 8d979f1d63 2003-03-06 Sebastien Pouliot <[email protected]> 23 years ago
setreg.cs bf6957c121 2004-02-26 Sebastien Pouliot <[email protected]> 22 years ago
signcode.cs f00550e867 2004-04-22 Sebastien Pouliot <[email protected]> 22 years ago
sn.cs 3666796d50 2004-08-02 Sebastien Pouliot <[email protected]> 21 years ago

README

Mono's Security Tools - README
Last updated: February 24, 2004 (post mono 0.30)

* General notes

- This directory contains clones of the .NET security tools;
- All tools are 100% managed code with no dependency on the Mono runtime;
- As much as possible, the same command line arguments as the original are used;
- Documentation (man) is available for most tools;
- All tools, except secutil.exe, require the Mono.Security.dll assembly;
- Authenticode(r) support is MINIMAL - there are still many missing
validations.


* Known bugs

- If signcode.exe is executed more than once on an assembly, the signature
becomes invalid (but the assembly can still be executed).


* Authenticode tutorial

1. Getting a test certificate

The tool makecert.exe can create test certificates. The test certificates are
only trusted by Mono's security tools (i.e. the resulting signature won't be
valid on Windows [1]). For "real" certificates you must deal with (and pay) a
trusted commercial CA (or you can have your own CA inside your enterprise).

The command:
mono makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer

will create both a PVK file (containing your private key) and a CER file
(containing the X.509 certificate). This step will take some time because the
tool must generate your own key pair (in this case a 1024-bit RSA key pair).

example:
mono makecert.exe -n "CN=Sebastien Pouliot" -sv spouliot.pvk spouliot.cer


2. Getting an SPC file

The certificate file (.cer) must be converted into an SPC (software publisher
certificate) file before signing any assembly (or executable file).

The command:
mono cert2spc.exe yourcert.cer yourspc.spc

will create your SPC file from your X.509 certificate file.

example:
mono cert2spc.exe spouliot.cer spouliot.spc


3. Signing an assembly

You need both your PVK (private key) and SPC files to sign an assembly (or
any PE file). You may also include a countersignature in your assembly using
a timestamp server (so the signature can still be verified after your
certificate has expired).

The command:
mono signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t http://timestamp.verisign.com/scripts/timstamp.dll yourassembly.exe

will sign the specified PE file using your private key and embed your
certificate and a timestamp. Note: there is no "e" in timstamp.dll!

example:
mono signcode.exe -v spouliot.pvk -spc spouliot.spc -t http://timestamp.verisign.com/scripts/timstamp.dll small.exe


4. Checking an assembly

Anyone can now validate the assembly signature using the chktrust tool.

The command:
mono chktrust.exe yourassembly.exe

will verify the integrity of the specified PE file. Any change to the file
will invalidate its signature.

example:
mono chktrust.exe small.exe
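
Because of the known bug listed above (running signcode.exe twice on the same
file invalidates the signature), a build script can check whether a PE file
already carries a certificate table before step 3. The Python check below is an
added example, not part of Mono's tools; its function names and the sample
header are made up for illustration, and it assumes only the standard PE header
layout.

```python
import struct
import sys

CERT_TABLE_INDEX = 4  # data-directory slot of the Authenticode certificate table


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", pe, 0x3C)  # e_lfanew
        if pe[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24  # optional header follows signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
        if count <= CERT_TABLE_INDEX:
            return None
        offset, size = struct.unpack_from("<II", pe, dirs + 8 * CERT_TABLE_INDEX)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return (offset, size) if offset and size else None


def build_sample_pe(cert_offset=0, cert_size=0) -> bytes:
    """Constructed minimal PE32 header (sample data, not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CERT_TABLE_INDEX, cert_offset, cert_size)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)


if __name__ == "__main__":
    # Exit non-zero if any file is already signed, so a build script can skip signcode.
    already_signed = False
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            table = certificate_table(handle.read())
        print(f"{path}: {'already signed' if table else 'unsigned'}")
        already_signed |= table is not None
    sys.exit(1 if already_signed else 0)
```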



[1] FOR TEST PURPOSES ONLY ON WINDOWS

As stated, you can "activate" Mono's test certificate on Windows by doing the
following steps.

a. Generate Mono's root certificate
mono makecert.exe -r mono.cer
b. Double-click on the mono.cer file
c. Click on the "Install certificate..." button
d. Read everything, then, if you still want to, answer YES to add the test
certificate to your TRUSTED root certificates.

Be warned that by doing so YOU ARE TRUSTING THIS TEST CERTIFICATE on your
system. This is bad for several reasons, foremost that EVERYONE has access to
its private key! Please remove the test certificate AS SOON as you have
finished testing with it.

--------------------
[email protected]