
How do you deploy your own Authenticode Timestamping Service?

I would like to timestamp my DLL file with my own Authenticode Timestamping Service. Is this possible? How could I achieve this?

You need to write a custom HTTP Timestamp server. It should follow RFC 3161 Time-Stamp Protocol (TSP) rules.

When you sign your DLL for Authenticode with a tool such as Signtool.exe from the Windows SDK, you can specify the URL of the timestamp server (with the /t switch. See also /tr and /td). You would then point to your server.

See here on SO for a related question: Trusted Timestamps - understanding the format (rfc3161)

and also: Alternative timestamping services for Authenticode

You can develop your own timestamping service. You can write a TSP (RFC 3161) server, but Authenticode doesn't use RFC 3161 but PKCS#7/PKCS#9 formats as described in the MSDN article (which you can implement as well). Our SecureBlackbox components include a timestamping server component which supports both formats. Update: recent updates to Authenticode use standard RFC 3161 timestamps.

But the problem is to get the certificate which you will use to sign timestamps. This certificate must be issued by one of the CAs and, as I understand, there exist severe requirements regarding management and infrastructure aspects of running a timestamp server. In particular you need to have secure timestamping hardware. I didn't dig deep into this question, but these aspects are much more complicated than writing a piece of code.

Still, if you run your own PKI infrastructure (have your own trusted root certificates and CA certificates), then the problem of having a trusted timestamping certificate is solved automatically - you can generate your own certificate.

You can set up your own Time-stamping Authority (TSA) supporting Authenticode time-stamps (and/or RFC#3161) using SignServer.

See https://www.signserver.org for the download and the installation instructions. In summary the important steps are:

  1. Make sure you have the pre-requisites:

    • Java
    • An application server (i.e. WildFly)
    • Apache Ant for deploying
  2. Download the 4.0 release from https://signserver.org or https://sourceforge.net/projects/signserver/files/signserver/4.0/ .

  3. Configure application server

    • For HTTPS (optional)
    • To make web services work
    • Patch with the latest security fixes
  4. Configure SignServer deployment

    • Set database.name=nodb and database.nodb.location=/an/empty/folder/as/db in conf/signserver_deploy.properties
  5. Deploy SignServer

    • export APPSRV_HOME=/opt/wildfly-9/
    • bin/ant deploy
    • Start application server /opt/wildfly-9/bin/standalone.sh
  6. Check that server started

    • bin/signserver getstatus brief all
  7. Set up a crypto token

    • bin/signserver setproperties doc/sample-configs/keystore-crypto-configuration.properties
    • bin/signserver reload 1
    • bin/signserver getstatus brief all
  8. Set up a sample time-stamp signer

    • bin/signserver setproperties doc/sample-configs/qs_timestamp_configuration.properties
    • bin/signserver reload 2
    • bin/signserver getstatus brief all
  9. Test the time-stamp signer

Assuming you are wanting this for testing, if you are happy to use signtool.exe with the /tr switch, you don't have to look at the RFC, because openssl implements enough of this for you. Simply write an HTTP POST handler in your favourite language, pass the posted data into "openssl ts -reply" verbatim, and send back the openssl TS response data. This is good enough to fool "signtool.exe verify /pa", even if it isn't strictly following the RFC.

EDIT: It seems the open-source Java Signserver project gives you a server handling MSauthenticode (/t) and rfc3161 (/tr) timestamping out of the box. Configuration of Signserver involved too many dependencies for me, so I instead hacked its unit test for MSAuthenticode timestamping, bolted a small HTTP server onto the test case, and with little work - my Java skills are mediocre at best - have a running Authenticode timestamp server for development use, and have verified that the timestamps thus created are not subject to this issue. I cannot release the source code, however following this tip should get you something working pretty quickly.
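The POST-handler-plus-"openssl ts -reply" approach from the answer above, written out as an added example (not code from the thread or from any of its authors); it assumes a hypothetical OpenSSL config at `/etc/tsa/openssl-tsa.cnf` with a `[tsa]` section, and that the TSA certificate chains to a root your signing clients trust.

```python
import subprocess
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumed path: an OpenSSL config with a [tsa] section naming the TSA signing
# certificate, key, serial file and default policy OID (see `man openssl-ts`).
TSA_CONF = "/etc/tsa/openssl-tsa.cnf"
QUERY_CT = "application/timestamp-query"  # RFC 3161 request media type
REPLY_CT = "application/timestamp-reply"  # RFC 3161 response media type

def openssl_ts_reply(query: bytes, conf: str = TSA_CONF, run=subprocess.run) -> bytes:
    """Pass a DER TimeStampReq to `openssl ts -reply`, return the DER TimeStampResp.
    `run` is injectable so the wrapper can be exercised without a real TSA setup."""
    with tempfile.NamedTemporaryFile(suffix=".tsq") as q:
        q.write(query)
        q.flush()
        argv = ["openssl", "ts", "-reply", "-config", conf, "-queryfile", q.name]
        proc = run(argv, capture_output=True, check=True)
    return proc.stdout

def check_request(content_type: str, length: int, max_len: int = 8192) -> Optional[str]:
    """Error to refuse the request with, or None; a TimeStampReq is a few hundred bytes."""
    if content_type.split(";")[0].strip().lower() != QUERY_CT:
        return "expected Content-Type " + QUERY_CT
    if length <= 0 or length > max_len:
        return "bad Content-Length"
    return None

class TSAHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        err = check_request(self.headers.get("Content-Type", ""), length)
        if err:
            self.send_error(400, err)
            return
        try:
            reply = openssl_ts_reply(self.rfile.read(length))
        except subprocess.CalledProcessError as e:
            # openssl rejected the query (bad DER, unknown policy, ...): log, don't leak
            self.log_error("openssl ts -reply failed: %s", e.stderr.decode(errors="replace"))
            self.send_error(500, "time-stamp generation failed")
            return
        self.send_response(200)
        self.send_header("Content-Type", REPLY_CT)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":  # then: signtool sign /tr http://127.0.0.1:8318/ /td sha256 ...
    HTTPServer(("127.0.0.1", 8318), TSAHandler).serve_forever()
```

The handler only gates on media type and body size; parsing and validating the TimeStampReq itself is left to `openssl ts`, which also decides the policy OID and hash algorithms it will answer for.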

https://PKIaaS.io offers an RFC 3161 and Microsoft Authenticode compliant timestamp server. After you create a certificate authority on the site, it will show a timestamp URL in the list of "CA Service URLs" that timestamp requests can be sent to for signing.
