How do you deploy your own Authenticode Timestamping Service? - c#

I would like to timestamp my DLL file with my own Authenticode Timestamping Service. Is this possible? How could I achieve this?

You can develop your own timestamping service. You can write TSP (RFC 3161) server but Authenticode doesn't use RFC 3161 but PKCS#7/PKCS#9 formats as described in MSDN article (which you can implement as well). Our SecureBlackbox components include timestamping server component which supports both formats. Update: recent updates to Authenticode use standard RFC 3161 timestamps.
But the problem is to get the certificate which you will use to sign timestamps. This certificate must be issued by one of the CAs and as I understand, there exist severe requirements regarding management and infrastructure aspects of running a timestamp server. In particular you need to have a secure timestamping hardware. I didn't dig deep into this question, but these aspects are much more complicated then writing a piece of code.
Still if you run your own PKI infrastructure (have your own trusted root certificates and CA certificates), then the problem of having a trusted timestamping certificate is solved automatically - you can generate your own certificate.

You need to write a custom HTTP Timestamp server. It should follow RFC 3161 Time-Stamp Protocol (TSP) rules.
When you sign your DLL for authenticode with a tool such as Signtool.exe from the Windows SDK, you can specify the url of the timestamp server (with the /t swich. See also /tr and /td). You would then point to your server.
See here on SO for a related question: Trusted Timestamps - understanding the format (rfc3161)
and also: Alternative timestamping services for Authenticode

You can set up your own Time-stamping Authority (TSA) supporting Authenticode time-stamps (and/or RFC#3161) using SignServer.
See https://www.signserver.org for the download and the installation instructions. In summary the important steps are:
Make sure you have the pre-requisites:
Java
An application server (i.e. WildFly)
Apache Ant for deploying
Download the 4.0 release from https://signserver.org or https://sourceforge.net/projects/signserver/files/signserver/4.0/ .
Configure application server
For HTTPS (optional)
To make web services work
Patch with the latest security fixes
Configure SignServer deployment
Set database.name=nodb and database.nodb.location=/an/empty/folder/as/db in conf/signserver_deploy.properties
Deploy SignServer
export APPSRV_HOME=/opt/wildfly-9/
bin/ant deploy
Start application server /opt/wildfly-9/bin/standalone.sh
Check that server started
bin/signserver getstatus brief all
Setup a crypto token
bin/signserver setproperties doc/sample-configs/keystore-crypto-configuration.properties
bin/signserver reload 1
bin/signserver getstatus brief all
Setup a sample time-stamp signer
bin/signserver setproperties doc/sample-configs/qs_timestamp_configuration.properties
bin/signserver reload 2
bin/signserver getstatus brief all
Test the time-stamp signer
bin/signclient timestamp http://localhost:8080/signserver/process?workerName=TimeStampSigner

Assuming you are wanting this for testing, if you are happy to use signtool.exe with the /tr switch, you don't have to look at the RFC, because openssl implements enough of this for you. Simply write an HTTP POST handler in your favourite language, pass the posted data into "openssl ts -reply" verbatim, send back the openssl TS response data. This is good enough to fool "signtool.exe verify /pa", even if it isn't strictly following the RFC.
EDIT: It seems the open-source Java Signserver project gives you a server handling MSauthenticode (/t) and rfc3161 (/tr) timestamping out of the box. Configuration of Signserver involved too many dependencies for me, so I instead hacked its unit test for MSAuthenticode timestamping, bolted on a small HTTP server to the test case, and with little work - my Java skills are mediocre at best - have a running authenticode timestamp server for development use, and have verified that the timestamps thus created are not subject this issue. I cannot release the source code, however following this tip should get you something working pretty quickly.

https://PKIaaS.io offers an RFC 3161 and Microsoft Authenticode compliant timestamp server. After you create a certificate authority on the site, it will show a timestamp URL in the list of "CA Service URLs" that timestamp requests can be sent to for signing.

Related

Update Exchange Server Certificate in C#

My goal is to update the Certificate for Exchange Servers from within a C# app, just like the Enable-ExchangeCertificate PS Cmdlet does.
I've already written an updater for IIS, which uses Microsoft.Web.Administration to access and manipulate IIS Sites and Bindings. I've searched through Google and VS Libraries for Exchange API tools, but without any luck. I can only find References to EWS (Exchange Web Services), which can't update the Server Certificate AFAIK.
Is there any API that can be used? How does Enable-ExchangeCertificate provide the functionality? I'm also thinking about just using the PS Cmdlet if all else fails, but I'd like to have a standalone app to rely on. No remote server management needed, localhost-only is fine.
tl;dr How to update a local Exchange Server Certificate in C#?
EDIT I'll look further into the EWS API (https://github.com/OfficeDev/ews-managed-api/blob/master/README.md), it looks like it might do the job. It provides Assemblies to access EWS data, but I haven't found any API Calls exclusively for Certificate Management.
There are multiple parts in MS Exchange which aren´t covered by an API. Mostly this is due to security reasons or as it´s quite complex and therefore no API needed (e.g. Exchange Schema update).
The normal Microsoft way included only two steps:
Make a Backup of the current configuration & SSL cert (Optional)
Import the certificate
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path
c:\certificates\YOUR_CERTIFICATE.cer -Encoding byte -ReadCount 0))
But some use MMC and that's working as well (so you might check for an API for MMC for this part).
Enable it
Enable-ExchangeCertificate -Thumbprint
1234ae0567a72fccb75b1d0198628675333d010e -Services POP,IMAP,SMTP,IIS
I would assume that there is no such API as its not really needed to have one. Normally an SSL certificate is valid for 3 years. So you need to run the command above 1x every 3 years and a 3rd party access to this part wouldn´t make any sense as it wouldn´t be often used and therefore Microsoft haven´t build one.
To give you more infos here. The SSL certificate information for Microsoft is saved in two locations. One in the local Regestry and one in Microsoft Active Directory (see here: uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data). Dealing with changes to the ActiveDirectory without the way Microsoft supports might be VERY risky and would mean that Microsoft do not offer any support if that caused a problem. So I would use the powershell approach Enable-ExchangeCertificate in your app.
P.S. I would never ever run an unknown plugin on my Exchange server which do replace an SSL certificate which I can do via a simple powershell command. The plugin could cause a lot of other issues and can contain a lot of stuff which isn´t so "nice". So before you wast your time into that project think if there is really an audience for it.

Push Notification using C# Push Sharp library is not working on production server

After certificate is generated, I've only exported the private key (without the certificate) in Keychain access, exported as .p12 and used the file, and it was not worked. I've exported only certificate and exported as .p12 and used the file, and it was also not worked.
The exception is:
You have selected the Production server, yet your Certificate does not appear to be the Production certificate! Please check to ensure you have the correct certificate!
If i use the same .p12 with MoonAPNS library it is working fine, but not with PUSHSHarp library. am using push sharp only for silent notifications.
Apple introduced a new unified Push Notification certificate that is valid for both Sandbox and Production servers. This new certificate has a bit different of a Subject Name (it used to contain either Apple Production IOS Push Services or Apple Development IOS Push Services and now it contains Apple Push Services).
PushSharp 2.x does not know about this new format and still expects the old Subject Names to verify against, so it thinks your certificate is invalid.
PushSharp 3.x (currently pre-release available on NuGet) is recommended and does properly validate the new type of certificate. I'd recommend updating to a 3.x version (of course there are some breaking API changes involved in that).
If you are still insistent on using PushSharp 2.x, you can override the certificate validation by setting the disableCertificateCheck parameter to true in the ApplePushChannelSettings class constructor.

How to prevent application being marked as suspicious

I have a .NET application written in C# using Visual Studio 2012. I'm promoting the application through my own website and have it available for download. When downloading it in Chrome I get a message stating that my application is "not commonly downloaded and could be dangerous". Additionally, when I download my own application and execute it Avast sees it as suspicious and wants to run it in the sandbox.
Is there anyway I can prevent this from happening (without purchasing a certificate for signing)? I don't want potential users to run into this issue.
Edit: I am not doing anything malicious or using any hooks in my application. The application is just a small simple tool as you can see here.
Either you code-sign the App or you wait until a few thousands of people download your App, install it, not report it as garbage and then you get good-will grant from providers.
Even if your application is signed with a certificate issued by one of the CA's participating in Microsoft's Trusted Root Certificate Authority program, it could still face some issues unless you use an EV Authenticode code signing certificate and/or continue to renew the same certificate in perpetuity. See "IE9 SmartScreen Warning, Despite Following All Recommendations" for an example. In short, you're paying for reputation as a software publisher.

Component or Source for Running an FTP Server via C# (with SSL)

I'm surprised by the lack of products out there for running your own FTP server in managed code. I'm looking for either a product or thorough source code for building an FTP server in C# that supports SSL. I need complete control over the directory/file handling, not just serving files from a local directory.
Clever Internet .NET Suite looks to be exactly what I'm looking for. However, when I tried it out I got errors connecting to the FtpServerSSL sample from FileZilla when SSL was enabled. It worked perfectly without SSL, so I wrote to their support, but I haven't heard a response from them yet.
Never done it myself, but you could try one of these:
http://www.c-sharpcorner.com/UploadFile/psingh/FTPServerinCSharp11162005015958AM/FTPServerinCSharp.aspx
http://www.codeguru.com/csharp/csharp/cs_network/sockets/article.php/c7409/
You secure the port using httpcfg or netsh in windows, not in the app.
We plan to release FTP / FTPS server components within a month as part of our SecureBlackbox product. The components are currently being internally tested. As SecureBlackbox is a security suite, SSL part will work there :).

Approaches to manage files on remote *NIX sever from Windows client applications

My Windows client application (written in C#) works with the remote MySQL database deployed on *NIX server.
I'm going to add the ability to store files on the server. I was never fond of storing files in DB, so the files will be stored in the file system. The application will need to upload, download, and delete files from server.
Any approach I can think of requires additional service to be deployed on server.
So far my favorite is SFTP*, but there are other solutions which are IMO inferior:
Web Service - are there any? haven't done any research in this direction.
FTP server - brings at least all the problems connected with protocol itself
WebDAV - interesting option, considering there is Apache module and .NET libraries
Some ad-hoc script (clearly the worst solution)
*I intend to use SharpSSH library, and public key authentication to access special account on the server which will be restricted to SSH operations only
Edit: corrected some terms confusion, thanks to #vartec
SCP has rather limited functionality. SFTP and FISH give you a lot more then plain SCP. (note, that SFTP should not be confused with FTPS)
Example of SFTP C# implementation.
Advantage over other options — no extra configuration at server side required.
I would use vsftpd on the *NIX server side: it's small and easy to configure, and I haven't had any problems with it since I initially set it up about 6 months ago so it's also reliable. I just use regular FTP, but you can do SSL with vsftpd if you're concerned about security.
On the client side there is this free, open source, FTP Client Library for C# made by Dan at C-SharpCorner.com. It works, and it's easy to extend its functionality to do more things. For example, I added a function for changing file permissions on the remote server.
putty and winscp are all you need.

Categories