Angus Robertson

My pre and post command jobs do other stuff as well as signing, copy files to various directories.

Beware the signtool /a command only works when there is just one certificate available...

Angus

Quote

sort out is to program InnoSetup to also sign all executables inside the package,

I have batch command files that handle all the signing, and then sign the final setup file, using InnoSetup pre and post compile steps.  Better to use CMD extension for Windows 11, BAT is deprecated. 

[PostCompile]
Name: "signsetup.bat"

[PreCompile]
Name: "compress.bat"

Angus

Not used the signcode /sha1 argument before, it is more common to use :

/a /s MY /n "Common name"   (this all replaces /f in my earlier example)

where /a automatically looks for a signing certificate, /s is the Windows store (MY is the name for Personal), and the Common Name is usually your company name, but whatever is shown on the General certificate dialog tab for 'Issued to', or CN= under Subject on the Details tab. 

Angus

Quote

Does anyone know if it is possible to convert the USB token to an ISO and then mount it on a build server ?

No, because the HSM in the token has a program that takes data from the application, signs it with the private key in the HSM and returns a digest to the application as part of the signing process.  The whole point is the private key is not available outside the HSM so can not be copied.  

The HSM/token can be used remotely only if the data to be signed is passed to the PC/server with the HSM, and the digest returned to the originating PC.  

Angus

Quote

In the context of code signing, where do you get a pfx these days?

You did not qualify your comment about PFX files only being useful for self signed certificates by mentioning code signing.  Not sure how useful self code signing would be. 

But you are correct, new code signing is all dongles, although my own Comodo PFX files still work fine with signtool:

signtool sign /p "xx" /f "c:\certificates\magenta-systems-certkey.pfx" /d "Copyright (c) 1998-2023 The OpenSSL Project" /as /fd sha256 /tr http://timestamp.sectigo.com /td sha256 "c:\svn-repos\signed-openssl\openssl-3.2.0-win32\libcrypto-3.dll"

That command only needs a minor change to make it useful a dongle certificate, assuming the drivers for the dongle are installed.

Angus

Quote

pfx files are a thing of the past

I would dispute that statement, PFX or PKCS#12 are Microsoft's preferred format since they contain certificate, private key and intermediate certificates, so one file per host. 

Sure you can create PEM/CER bundles with a private key, but more than one certificate can confuse servers. 

But Apache does not support PFX, you have to use PEM, that is the main reason PFX is not often seen.

Angus

Quote

So I finally got a DigiCert certificate. The hardware USB token is in the PC.

Is this a Code Signing certificate?  If so, you can not export the private key from the token, so no reason to export the certificate either.  

If not, why did Digicert supply it on a token?

Angus

1 hour ago, Kas Ob. said:

ability to create CSR or what i miss the most, the ability to create CSR from a certificate

PemTool has both, two buttons, Create Request from Props and Create Request from Cert, the former uses properties from another tab, lots of them.

PemTool takes a while to understand, it is a development tool to test all the ICS certificate functions, and does not have a friendly GUI.   It only writes files, no database like XCA. 

There is a second sample OverbyteIcsX509CertsTst that orders Let's Encrypt certificates and includes an 'Own CA' allowing you to sign your own local certificates with a private CA.

Angus

ICS has a lot of tools for certificate manipulation, reading and writing different formats, so can convert between them, and can read and write to the Windows Store. 

The OverbyteIcsPemTool sample does all this, it has more features than the XCA tool.  A compiled version can be downloaded if you don't want to build it.  

Angus

OpenSSL has released new minor version 3.2.0, which has a lot of new features.  It is compatible with the current versions of ICS, but has only been tested briefly with clients, it needs at least a week of testing with servers before I'm comfortable adding the DLLs to ICS as the defaults.

The major change in 3.2.0 is support for client side QUIC protocol. QUIC is based on UDP rather than TCP and allows multiple streams in parallel, typically for downloading web pages with hundreds of elements, QUIC combined with HTTP/2 becomes HTTP/3.  There is a DLL solution that has been used to add HTTP/2 to Indy but not native Delphi implementation I'm aware of, it's a lot of work. So no possibility of ICS having HTTP/3 soon.

Other changes in 3.2.0 include:
Certificate compression in TLS, including support for zlib, zstd and Brotli
Deterministic ECDSA.
Support for Ed25519ctx, Ed25519ph and Ed448ph.
AES-GCM-SIV.
Argon2 and supporting thread pool functionality.
Hybrid Public Key Encryption (HPKE).
The ability to use raw public keys in TLS.
Support for Brainpool curves in TLS 1.3.
SM4-XTS.
Support for using the Windows system certificate store as a source of trusted root certificates.

Some of the above cipher and hash changes may be used by TLS connections without change to ICS, if negotiated with the other end, but certificate related changes will need updates to ICS.

Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

In addition to the three DLL files, the zip includes a compiled RES resource file that contains the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately.

ICS V9.1 and later optionally support loading the resource file, currently in SVN and the overnight zip.

Angus

ICS V9.0 added a function IpHlpGetDnsServers  in unit OverbyteIcsIpHlpApi.pas that sets a TStringList with the local PC DNS server IPs.

The DnsQuey unit also has a list of public DNS servers, Cloudfare, Google, etc, that TDnsQuey can loop through.  Ditto for DoH.

Angus

The main problem with the PUT handler in the application server was a complete lack of content upload handling, it was just ignored, now fixed, will be in SVN today.

Angus

Look at where that code came from in the X509Certs unit, it loops through a few different public DNS servers until one gives the expected result. 

Angus

Beware DNS caches are not very clever with new TXT records, I found it may take a couple of requests before a newly added TXT records was found, should not matter for email since that rarely changes.

Angus

DNS TXT records are undefined, the content varies according to the application.

The ICS unit for ordering wildcard SSL certificates simply checks the entire TXT record against the value given:

                FDnsQuery.QueryAnySync(Item.CPage, DnsQueryTXT) ;
                if FDnsQuery.TXTRecordCount > 0 then begin
                    for I := 0 to FDnsQuery.TXTRecordCount - 1 do begin
                        if (FDnsQuery.TXTRecord = Item.CDNSValue) then begin
                            LogEvent('Successfully tested DNS challenge for: ' + Item.CPage + ', Data=' + Item.CDNSValue);
                            Result := True;
                            Exit;
                        end;
                    end;

For email SPF records, you might search the record for v=spf1 and look at the rest afterwards.

Angus

I will test PUT finally works this week, but not for a couple of days. 

Angus

TDnsQuery in V9.0 added TXTRecordCount and TXTRecord[n] methods, since there are often multiple TXT records.   Also sync mode to make it easier to use.  

Look at the latest OverbyteIcsNsLookup sample.

Angus

Thanks, that will explain why a PUT test upload failed recently, it was still on my list to test, fix will be in SVN this week.

Angus

The second option to avoid distributing OpenSSL DLLs was added last week, embedding the DLLs in the application and extracting them when the application is first run to a common directory, this was discussed in the last OpenSSL update message. Other related changes will happen this week. 

I always saw the major downside of SChannel that Microsoft is slow to add new features, and they are only added to new Windows versions, even TLS/1.2 took several years to be added to Windows 8/Server 2012 and did not support EC certificates properly.  So exactly the same update policy as OpenSSL, except you have to upgrade the entire OS instead of a couple of DLLs.

Angus

The fix was in SVN weeks ago.  If you work with ICS from SVN, you need to keep it up to date and accept things may get broken, and you may need to wait a few days for bug fixes, 

I try to make sure SVN always has a buildable version, but it does not always work, currently SVN is waiting for two Posix fixes from the last update, but I've changed dozens of units since then which need a lot of testing.

Angus

Quote

probably you could make it in some pluggable manner to easily integrate another TLS engines?

That would be a massive amount of work, OpenSSL functions are buried in a lot of ICS functions at low level. 

I looked at your SChannel implementation for ICS when you initially wrote it.

At the time the USP was no DLLs, but there are now two separate solutions that avoid distributing separate OpenSSL DLLs, so what do you now see as the benefit of SChannel? 

Angus

The output folders should be created when the DCU are built.  If not the batch lines you copied earlier create both folders.  

It is not necessary to distribute lots of empty folders, except for ancient versions that did not create them. 

Angus

Looking at the D2010 package, there is typo, you need to correct the post-build command to change a win64 to win32, since D2010 does not have Win64 so the directory will not exist,

Sorry, these package changes are done manually, and I have to edit hundreds of files by hand.

Angus

Don't worry about the compile errors with Android, I've just installed Android support for Delphi 12 and get a load of errors when building ICS 9.1 for Android (and a couple of Linux) which I will fix or suppress in the near future. 

For ICS V10, just comment out the offending functions like IcsIsValidAnsiCodePage which uses ICON and IcsGetFreeDiskSpace, which are fine for Posix not seemingly not Android, doubt any of this stuff is needed to get basic sockets working on Android.

And avoid changes like using generics that are unnecessary to make ICS work on Android.

Angus

Those build command in the package copy DFM forms from the source directory to compiled Lib, but you can do it manually if it fails and remove the build lines from the package.

Angus