Opened 23 months ago

Last modified 22 months ago

#798 accepted Bug / Defect

certificate for tap-windows driver is outdated

Reported by: hkocam Owned by: Samuli Seppänen
Priority: major Milestone:
Component: tap-windows Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Silent install on windows 10 fails/hangs as there is always the confirmation-dialog for the device-driver.
Output from Powershell:

PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN\tap-windows-9.21.2.exe"


    Verzeichnis: C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN


SignerCertificate                         Status                                                         Path
-----------------                         ------                                                         ----
5E66E0CA2367757E800E65B770629026E131A7DC  Valid                                                          tap-windows-9.21.2.exe


PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN\tap-windows-9.21.2.exe"|fl


SignerCertificate      : [Subject]
                           CN="OpenVPN Technologies, Inc.", O="OpenVPN Technologies, Inc.", L=Pleasanton, S=California, C=US

                         [Issuer]
                           CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

                         [Serial Number]
                           04D54DC0A2016B263EEEB255D321056E

                         [Not Before]
                           13.08.2013 02:00:00

                         [Not After]
                           02.09.2016 14:00:00

                         [Thumbprint]
                           5E66E0CA2367757E800E65B770629026E131A7DC

TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signatur wurde überprüft.
Path                   : C:\Program Files (x86)\LANDesk\LDClient\sdmcache\swd\OpenVPN\tap-windows-9.21.2.exe
SignatureType          : Authenticode
IsOSBinary             : False



PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver\tap0901.cat"


    Verzeichnis: C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver


SignerCertificate                         Status                                                         Path
-----------------                         ------                                                         ----
5E66E0CA2367757E800E65B770629026E131A7DC  Valid                                                          tap0901.cat


PS C:\Users\Hakan.Kocaman> Get-AuthenticodeSignature "C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver\tap0901.cat"|fl


SignerCertificate      : [Subject]
                           CN="OpenVPN Technologies, Inc.", O="OpenVPN Technologies, Inc.", L=Pleasanton, S=California, C=US

                         [Issuer]
                           CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

                         [Serial Number]
                           04D54DC0A2016B263EEEB255D321056E

                         [Not Before]
                           13.08.2013 02:00:00

                         [Not After]
                           02.09.2016 14:00:00

                         [Thumbprint]
                           5E66E0CA2367757E800E65B770629026E131A7DC

TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signatur wurde überprüft.
Path                   : C:\Users\Hakan.Kocaman\Downloads\tap-windows-9.21.2\driver\tap0901.cat
SignatureType          : Authenticode
IsOSBinary             : False


Status for the certificate is valid, but it was only valid till 2016-09-02.
Kind regards
hkocam

Attachments (2)

computer_certificates_trusted_issuer.png (53.6 KB) - added by hkocam 23 months ago.
certificate store trusted issuers
windows_sec_trust_issuer_prompt.png (100.7 KB) - added by hkocam 23 months ago.


Change History (15)

comment:1 Changed 23 months ago by Samuli Seppänen

The driver signature has been time-stamped, so it is valid. I think that you would get the same prompt even if "Not after" would be in the future. The only way to get rid of the prompt would be to inject our publisher certificate into the Windows certificate store before running the tap-windows6 installer. That is what we do in OpenVPN Connect afaik.

Changed 23 months ago by hkocam

certificate store trusted issuers

comment:2 in reply to:  1 Changed 23 months ago by hkocam

Hi,

sorry for the delay

Replying to samuli:

The only way to get rid of the prompt would be to inject our publisher certificate into the Windows certificate store before running the tap-windows6 installer.

That's what I'm doing here too, see attachment 1.
When I monitor the process with Process Explorer, the process only sits there more or less idle.
We are running the installation using the system account, maybe this
This is the stack trace I get while it sits there:

ntoskrnl.exe!KeSynchronizeExecution+0x3f26
ntoskrnl.exe!KeWaitForMultipleObjects+0x109c
ntoskrnl.exe!KeWaitForMultipleObjects+0xb3f
ntoskrnl.exe!KeWaitForSingleObject+0x377
ntoskrnl.exe!KeQuerySystemTimePrecise+0xd04
ntoskrnl.exe!MmUnlockPages+0x138a
ntoskrnl.exe!KeWaitForMultipleObjects+0x1283
ntoskrnl.exe!KeWaitForMultipleObjects+0xb3f
ntoskrnl.exe!KeWaitForMultipleObjects+0x4fe
win32kfull.sys!xxxUpdateInputHangInfo+0x5a3
win32kfull.sys!xxxUpdateInputHangInfo+0x1b8
win32kfull.sys!CheckWinstaAttributeAccess+0x10b8
win32kfull.sys!NtUserWaitMessage+0x22
ntoskrnl.exe!setjmpex+0x3b03
wow64cpu.dll!TurboDispatchJumpAddressEnd+0x540
wow64cpu.dll!TurboDispatchJumpAddressEnd+0x503
wow64.dll!Wow64KiUserCallbackDispatcher+0x4151
wow64.dll!Wow64LdrpInitialize+0x120
ntdll.dll!EtwEventProviderEnabled+0x1cb1
ntdll.dll!memset+0x1c3f4
ntdll.dll!LdrInitializeThunk+0xe

This is the output of sigcheck https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx:

c:\users\hakan.kocaman\downloads\tap-windows-9.21.2\driver\tap0901.cat:
	Verified:	Signed
	File date:	13:00 21.04.2016
	Signing date:	10:07 21.04.2016
	Catalog:	c:\users\hakan.kocaman\downloads\tap-windows-9.21.2\driver\tap0901.cat
	Signers:
	   OpenVPN Technologies
		Cert Status:	This certificate or one of the certificates in the certificate chain is not time valid.
		Valid Usage:	Code Signing
		Cert Issuer:	DigiCert Assured ID Code Signing CA-1
		Serial Number:	04 D5 4D C0 A2 01 6B 26 3E EE B2 55 D3 21 05 6E
		Thumbprint:	5E66E0CA2367757E800E65B770629026E131A7DC
		Algorithm:	sha1RSA
		Valid from:	01:00 13.08.2013
		Valid to:	13:00 02.09.2016
	   DigiCert Assured ID Code Signing CA-1
		Cert Status:	Valid
		Valid Usage:	Code Signing
		Cert Issuer:	DigiCert Assured ID Root CA
		Serial Number:	0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
		Thumbprint:	409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
		Algorithm:	sha1RSA
		Valid from:	13:00 11.02.2011
		Valid to:	13:00 10.02.2026
	   DigiCert
		Cert Status:	Valid
		Valid Usage:	Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
		Cert Issuer:	DigiCert Assured ID Root CA
		Serial Number:	0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
		Thumbprint:	0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
		Algorithm:	sha1RSA
		Valid from:	01:00 10.11.2006
		Valid to:	01:00 10.11.2031
	Counter Signers:
	   DigiCert Timestamp Responder
		Cert Status:	Valid
		Valid Usage:	Timestamp Signing
		Cert Issuer:	DigiCert Assured ID CA-1
		Serial Number:	03 01 9A 02 3A FF 58 B1 6B D6 D5 EA E6 17 F0 66
		Thumbprint:	614D271D9102E30169822487FDE5DE00A352B01D
		Algorithm:	sha1RSA
		Valid from:	01:00 22.10.2014
		Valid to:	01:00 22.10.2024
	   DigiCert Assured ID CA-1
		Cert Status:	Valid
		Valid Usage:	Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
		Cert Issuer:	DigiCert Assured ID Root CA
		Serial Number:	06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B
		Thumbprint:	19A09B5A36F4DD99727DF783C17A51231A56C117
		Algorithm:	sha1RSA
		Valid from:	01:00 10.11.2006
		Valid to:	01:00 10.11.2021
	   DigiCert
		Cert Status:	Valid
		Valid Usage:	Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
		Cert Issuer:	DigiCert Assured ID Root CA
		Serial Number:	0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
		Thumbprint:	0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
		Algorithm:	sha1RSA
		Valid from:	01:00 10.11.2006
		Valid to:	01:00 10.11.2031
	Company:	n/a
	Description:	n/a
	Product:	n/a
	Prod version:	n/a
	File version:	n/a
	MachineType:	n/a

i'm still puzzled, why only the first signature is checked, while the second would be time-valid.

many thanks for your time and patience

hakan kocaman

comment:3 Changed 23 months ago by Samuli Seppänen

I think the sigcheck tool checks each signature in series without looking at the whole chain. So, when it sees an expired certificate (=ours), it will complain about the signature not being time-valid.

@hkocam: how do you inject the certificate to the certificate store? I've never tried doing that from within an NSI installer.

comment:4 in reply to:  3 Changed 23 months ago by hkocam

Replying to samuli:

I think the sigcheck tool checks each signature in series without looking at the whole chain. So, when it sees an expired certificate (=ours), it will complain about the signature not being time-valid.

@hkocam: how do you inject the certificate to the certificate store? I've never tried doing that from within an NSI installer.

Hi,

we use a simple batch file and certutil:

call certutil -addstore "TrustedPublisher" "%programfiles(x86)%\LANDesk\LDClient\sdmcache\SWD\OpenVPN\DigiCert_SHA2_Timestamp_Responder.cer"

comment:5 Changed 23 months ago by Samuli Seppänen

@hkocam: opened a GitHub issue about certificate injection.

comment:6 in reply to:  5 Changed 23 months ago by hkocam

Replying to samuli:

@hkocam: opened a GitHub issue about certificate injection.

Many thanks, but to clarify:
even if the cert is in the cert store, I get the prompt to trust the driver issuer (see newest attachment)

Changed 23 months ago by hkocam

comment:7 Changed 23 months ago by Samuli Seppänen

@hkocam: have you tried putting the certificate into other stores besides "Trusted publishers"?

comment:8 in reply to:  7 Changed 23 months ago by hkocam

Replying to samuli:

@hkocam: have you tried putting the certificate into other stores besides "Trusted publishers"?

i also tried "intermediate ca" and "trusted devices" with no luck

comment:9 Changed 23 months ago by Samuli Seppänen

Owner: set to Samuli Seppänen
Status: new → accepted

I will do some testing to see if I can reproduce the problem, and to see what effect certificate injection has.

comment:10 in reply to:  9 Changed 23 months ago by hkocam

Replying to samuli:

I will do some testing to see if I can reproduce the problem, and to see what effect certificate injection has.

thanks, I really appreciate this.

The build instructions look complicated enough that I think I would mess it up anyway.
But if you are in the position to build the driver anew, maybe you could build only with the SHA2 cert?

i would love to test this build then in our rollout-process.

kind regards
hkocam

comment:11 Changed 23 months ago by Samuli Seppänen

We have both SHA1 and SHA2 signatures in the driver because Windows Vista, and possibly old Windows 7, can't understand SHA2 signatures at all. Recent Windows updates have, I believe, already dropped support for SHA1 signatures. So we need both for the release installers.

Now that I think of it, the problem might be that SHA1 and SHA2 signatures require separate publisher certificates, and if either is missing, Windows pops up a warning dialog. Once you've installed the driver manually, do you have one or two new publisher certificates in the certificate store?

comment:12 in reply to:  11 ; Changed 23 months ago by hkocam

Replying to samuli:

We have both SHA1 and SHA2 signatures in the driver because Windows Vista, and possibly old Windows 7, can't understand SHA2 signatures at all. Recent Windows updates have, I believe, already dropped support for SHA1 signatures. So we need both for the release installers.

i know that you as a project have to cater for legacy systems.

Now that I think of it, the problem might be that SHA1 and SHA2 signatures require separate publisher certificates, and if either is missing, Windows pops up a warning dialog. Once you've installed the driver manually, do you have one or two new publisher certificates in the certificate store?

i got only one openvpn-cert in trusted publishers, with
thumbprint : 5e 66 e0 ca 23 67 75 7e 80 0e 65 b7 70 62 90 26 e1 31 a7 dc

i also do have 3 root cert from digicert in thirdparty-root-ca:

 DigiCert Assured ID Root CA : 05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43
 DigiCert Global Root CA : a8 98 5d 3a 65 e5 e5 c4 b2 d7 d6 6d 40 c6 dd 2f b1 9c 54 36
 DigiCert High Assurance EV Root CA : 5f b7 ee 06 33 e2 59 db ad 0c 4c 9a e6 d3 8f 1a 61 c7 dc 25

comment:13 in reply to:  12 Changed 22 months ago by hkocam

Replying to hkocam:
Hi,

i got only one openvpn-cert in trusted publishers, with
thumbprint : 5e 66 e0 ca 23 67 75 7e 80 0e 65 b7 70 62 90 26 e1 31 a7 dc

I got time again to investigate this and I'm really embarrassed:
the cert I used does not belong to the driver (tap-windows-9.21.2), after I compared the two.
I made a fresh export from the driver and imported this cert before the install,
and everything worked as expected.

sorry for the noise
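The root cause in this ticket was an injected TrustedPublisher certificate that did not match the certificate the driver catalog was actually signed with. The script below is an added example, not code from the ticket or from the tap-windows project: it reads the signer certificate straight out of the signed file, reports whether that certificate is expired and whether the signature carries a timestamp, checks whether the signer's thumbprint is already in the local machine's TrustedPublisher store, and, if not, exports and imports that exact certificate (the certutil step from comment:4, done from the file itself so it cannot be the wrong one). The file path is a placeholder; the function names are this example's own.

```powershell
# Added example (not from the ticket or the tap-windows project).
# Inspect the Authenticode signer of a driver package and make sure the
# certificate placed in TrustedPublisher is the one the package is signed with.
# The default path is a placeholder; pass -Path to point at your own copy.
param(
    [string]$Path = 'C:\path\to\tap-windows-9.21.2\driver\tap0901.cat'
)

function Get-SignerReport {
    param([Parameter(Mandatory)][string]$FilePath)

    # Get-AuthenticodeSignature reports the primary signature only. A file that
    # carries both a SHA1 and a SHA2 signature needs `signtool verify /all /v`
    # to show the second one, which is why a dual-signed file looks like it has
    # a single (expired) signer here.
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate

    $inStore = $false
    if ($cert) {
        $inStore = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    }

    [pscustomobject]@{
        Path               = $FilePath
        Status             = $sig.Status
        Signer             = if ($cert) { $cert.Subject }   else { $null }
        Thumbprint         = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter           = if ($cert) { $cert.NotAfter }   else { $null }
        # An expired signer is acceptable when the signature carries a trusted
        # timestamp proving it was made while the certificate was still valid.
        SignerExpired      = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        TimeStamped        = [bool]$sig.TimeStamperCertificate
        InTrustedPublisher = $inStore
    }
}

function Import-SignerToTrustedPublisher {
    param([Parameter(Mandatory)][string]$FilePath)

    # Export the signer certificate from the signed file itself, so the
    # certificate that lands in the store is by construction the right one.
    $cert = (Get-AuthenticodeSignature -FilePath $FilePath).SignerCertificate
    if (-not $cert) { throw "No signer certificate found in $FilePath" }

    $tmp = Join-Path $env:TEMP ("signer-{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $tmp -Type CERT | Out-Null
    # Writing to the LocalMachine store requires an elevated shell.
    Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    Remove-Item $tmp
    return $cert.Thumbprint
}

$report = Get-SignerReport -FilePath $Path
$report | Format-List

if ($report.Status -eq 'Valid' -and -not $report.InTrustedPublisher) {
    Write-Host "Signer $($report.Thumbprint) is not in TrustedPublisher; importing it."
    Import-SignerToTrustedPublisher -FilePath $Path | Out-Null
}
```

Run it from an elevated PowerShell before the silent install. Comparing the thumbprint reported for the file against the thumbprints already in `Cert:\LocalMachine\TrustedPublisher` is the check that would have caught the mismatch described in this comment straight away.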
