Using Fortanix Data Security Manager with Microsoft CNG Provider and SignTool

Last Updated: June 09, 2023 10:26

FORTANIX DATA SECURITY MANAGER WITH CNG PROVIDER AND SIGNTOOL, GUIDE.pdf
(1 MB)

Introduction

Fortanix Data Security Manager (DSM) has a state-of-the-art code-signing solution that offers the following capabilities:

FIPS 140-2 level 3 assurance for private key protection.
Supports all types of asymmetric keys, signing, and hashing algorithms used for code signing. It also supports signing just the hash.
Code signing in large enterprises often requires verification of metadata associated with the data being signed as well as access control around the use of keys. These checks can easily be performed in a secure environment using plugins in Fortanix DSM.
Code signing keys are very sensitive, and their use should be tightly controlled. Fortanix DSM provides elaborate quorum-based policies to be configured for these keys which require approval from M of N administrators before the signing operation is performed. These approvals can be obtained in an asynchronous and distributed fashion.
Strict role-based access control, quorum-based approval workflows, automation, and audit logs for all code signing operations.
Support of 100% REST APIs, KMIP, PKCS11, JCE, Microsoft CAPI, and CNG for easy integration with your existing DevOps tooling.
Code signing is future-proof in Fortanix DSM. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.
Figure 1: Code Signing Solution

Microsoft’s SignTool is a prominent tool used in a Microsoft environment to sign and verify the authenticity of code developed for the Microsoft platforms. Fortanix KMS CNG Provider makes it easy to securely store sensitive objects/keys required during the sign and verify processes, a native feature provided by Fortanix DSM for enterprise-level code-signing capabilities.

Preparing the Build Server/Code-Signing Workstation

The Server/Workstation that will be running the SignTool must have the following installed:

Fortanix KMS CNG Provider:
- Link: https://support.fortanix.com/hc/en-us/articles/360018084132-CNG-EKM
- After installing, validate that the provider has been correctly registered. Since the CNG provider is not configured yet, you will see an error.
```
certutil - csplist
```
  Figure 2: Validation
SignTool:
- SignTool is now part of Windows SDK and is required.
- Link: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/
NOTE

When you install the SignTool, both 32-bit and 64-bit versions are installed. The Fortanix CNG library only supports the 64-bit version.

For more information, refer to https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool.

Fortanix Data Security Manager Configuration

Fortanix DSM will require appropriate groups and apps to be pre-created before Microsoft CNG and SignTool code-signing integration may begin.

Create an appropriate group that will be managing the security objects within the account:
Figure 3: Create Group
Create a new App in Fortanix DSM that will provide an API Key that will be used to authenticate when communicating using CNG provider (take note of the API Key):

Figure 4: Create App and Copy API Key
On the Build Server/Code-Signing Workstation, Fortanix KMS CNG Provider requires configuration variables. Fortanix DSM supports certificate-based authentication or API key-based authentication for a CNG client. For more information on the authentication steps, refer to the Developer's Guide: Client-Microsoft CNG Key Storage Provider
Confirm Fortanix KMS CNG Provider can communicate properly with Fortanix DSM:
```
certutil -csp "Fortanix KMS CNG Provider" -key
```
Figure 5: Confirm the Communication

Generate or Import the Private Key and Certificate

Securing the Private Keys and Certificates are the most critical tasks to ensure codes cannot be maliciously signed by offending parties. Fortanix supports two main methods in generating/importing and securing the appropriate Security Objects:

Generate the Private Key using Fortanix DSM UI, create a Certificate Sign Request from SignTool, and then import the Certificate into Fortanix DSM after it is signed by a trusted Certificate Authority.
Generate a Self-Signed Certificate by automatically creating the Private Key in Fortanix DSM through PowerShell. Then import the Certificate securely into Fortanix DSM.

Method 1 - Generate Private Key on Fortanix Data Security Manager / Generate CSR Using Certreq.exe

This method will generate the Private Key and Certificate sign request from Fortanix DSM and certreq.exe. Upon receiving a signed certificate from the trusted Certificate Authority, the certificate can then be imported into Fortanix DSM.

Create a new security object that will be the Private Key and assign it to the appropriate group (in this example, we will call the security object - wincryptoapp):
Figure 6: Create New Security Object
Generate the Certificate Sign Request using the private key using the SignTool:
1. Create a new file called inf in a temporary directory.
2. Replace the following content into the file:
  1. KeyContainer: Name of the security object created previously/Private Key.
  2. ProviderName: Based on the provider name when installing the Fortanix CNG Provider.
```
[NewRequest]
Subject = "CN=wincryptoapp, OU=fyoo,O=Fortanix,C=AU"
KeyContainer = "wincryptoapp"
;Uncomment the following line if using the machine key storage
;MachineKeySet = true
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true
```
    Figure 7: Generate Key Using PowerShell
3. Type the following command to generate the Certificate Sign Request:
```
certreq.exe -new request.inf request.csr
```
4. This command will now generate a request.csr Certificate Sign Request file and should be sent to the trusted Certificate Authority to receive a signed Certificate.
After the signed Certificate is received, you can import the certificate into Fortanix DSM.

Figure 8: Import Signed Certificate
Keep a copy of the certificate on the server where the SignTool will be run from (the certificate can be exported from Fortanix DSM at any time).

Method 2 - Generate Self-Signed Certificate Locally Using PowerShell and Fortanix Data Security Manager

Launch PowerShell and create a new key as well as a self-signed certificate.

$cert = New-SelfSignedCertificate -Subject "NewIIS2" -type codesigningcert -provider "Fortanix KMS CNG Provider" -certstorelocation Cert:\LocalMachine\My

Cd Cert:\LocalMachine\My

Cert:\LocalMachine\My> Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint – autosize

certutil -store -user My

Figure 9: Create New Key

The Private Key should have been created within Fortanix DSM.

Figure 10: Key Created

Export the certificate and key into a file.

Export-Certificate -Cert (Get-Item Cert:\CurrentUser\My\<thumbprint-of-cert>) -FilePath C:\Test.cert

certutil.exe -encode C:\Test.cert C:\Test.pem

Figure 11: Export Certificate and Key

Import the certificate into Fortanix DSM:

Figure 12: Import the Certificate and Key

Code-Signing Integration (Directly from Workstation)

Verify no other signatures are present on the file that will be signed:

Figure 13: Verify Signature
Open a command prompt. Locate the file SignTool that is appropriate for your code (for example: x64, x86, and so on).

Figure 14: Locate SignTool
Verify that the key you wish to use to sign the code is available in the remote CNG provider:
```
certutil -csp "Fortanix KMS CNG Provider" -key
```
Figure 15: Verify the Key
The following command will sign the code specified in the SignTool and require the following parameters at a minimum to successfully run the SignTool:
- CSP: The CNG provider you wish to use for the sign operation.
- KC: Key Container (also known as an alias) that will be used for the sign operation.
- File: Certificate generated from the Private Key stored in Fortanix DSM.
- Code to sign.
```
signtool.exe sign /csp "Fortanix KMS CNG Provider" /kc "wincryptoapp" /fd sha256 /f c:\temp\wincryptoapp.cer c:\temp\lala.ps1
```
  Figure 16: Sign the Code
  If using a certificate already stored in the certstore, you may also omit the CSP and KC parameters.
```
signtool.exe sign /sha1 <thumbprint-of-cert> C:\temp\lala.ps1 /fd sha256
```
  Figure 17: Omit the CSP and KC
  NOTE
  Microsoft signtool has a known issue that causes the exit status to be non-zero even when the signing operation succeeds. To work around this issue, please set the following environment variable before running signtool.
  set FORTANIX_SIGNTOOL_BUG_WORKAROUND=true
After the file has been signed, Fortanix DSM will log an event within the audit log to signify the private key was used to sign the code:

Figure 18: Event Log

Figure 19: Signature Details

Verify Signed Code

The signed Code can also be verified using SignTool.

If a self-signed certificate is used, then it must be installed on the Server / Workstation you wish to verify from as it will not have a trusted root CA chain in the certificate. The use of a self-signed certificate should only be used in a test environment. The procedure to test is as follows:

If you do not have the certificate readily available, download the certificate from Fortanix DSM.
Right-click the downloaded/existing certificate file and install the Certificate. Ensure it is imported into the Trusted Root Certification Authority (in this example certificate fyoo was used):
Figure 20: Self-signed Certificate
The following command will verify the code using SignTool and require the following parameters at a minimum to successfully run the SignTool:
```
signtool verify /pa c:\temp\lala.ps1
```
Figure 21: Verify the Code and Run SignTool

Frequently Asked Questions

How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?

You can view all of the supported methods, algorithms, and modes with Fortanix DSM using the CNG provider by running a csptest:
```
certutil -csp "Fortanix KMS CNG Provider" -csptest
```
Figure 22: Validate Supported Algorithms