CMSSigner signedData content support Microsoft Authenticode?

[MorganReid]

The CMS signer can sign arbitrary data and produces a CMS (RFC 3852) SignedData structure in binary format.
The following is the configuration of the worker.

I get the cms.sign, and use the following command to parse the signature file
openssl pkcs7 -inform der -in cms.sig -print
The analysis results are as follows (only the relevant part of the question is intercepted)

Now I want the signedData content of CMSSigner to be the mode defined by Microsoft Authenticode, how should I do it? I've tried configuring CONTENTOID 1.3.6.1.4.1.311.2.1.4 for the worker, but it not ok.

[netmackan]

The CMSSigner likely does not have all the required configuration options to fulfill what is needed for Authenticode.

To sign various file formats like MSI, PE, PS1 etc., using Authenticode there is the MSAuthCode signers but those are currently only in Enterprise Edition.

Sure you can set the CONTENTOID in the CMSSigner but there are likely also other things needed like certain Authenticode specific signed attributes.

Let's say the CMSSigner would have everything needed for Authenticode, for what and how do you plan to use it? I mean it would only create the signature and if you for instance would sign an EXE file you would need something to calculate what should be signed and format the content and then in the end include that signature into the binary, no?
Can you give some more information here on how you use the signer and also how you determine the signature is "not ok". Is that by comparing with some spec or by running some verification.

Cheers,
Markus

[MorganReid]

Thank you very much for your reply.
At first I used the following commands to sign and verify

sbsign --key local.key --cert local.pem --detached --output sbsign.sig vmlinuz-5.10.73-secure
sbverify --cert local.pem --detached sbsign.sig vmlinuz-5.10.73-secure

Now because the signServer (based on the community version of the container) has been built and connected to the HSM. So I plan to use signServer to sign, but do not change the verification method (still use sbverify).

Then, sbverify verification failed, I analyzed and compared the signature results of sbsign and signserver, and found some differences.(The signature of signserver is on the left, and the signature of sbsign is on the right). The signature result of sbsign should be Windows Authenticode Portable Executable Signature Format. The signserver should use RFC 3852.

Now I have two questions. The first is that I set DETACHEDSIGNATURE to false. Why does encapContentInfo.eContent display private key in the signature result of signserver? Second, is there any way to convert the signature result of signserver into the form of sbsign?
Looking forward to hearing from you again.

[netmackan]

Can you also share how you call SignServer and what you send in?
I..e. if you use SignClient, include the command line or if you use the upload forms what do you fill in?

[MorganReid]

Thank you very much for your reply, below is the flow of my call.

file is an ordinary file, converted into a byte array
   @RequestParam MultipartFile file
         byte[] bytesUnsigned = file.getBytes();

Create a signserver with SigningAndValidationWS
    @Bean
    public ISigningAndValidation signingAndValidationWS() {
        String signServerHost = System.getProperty("signServerHost");
        int signServerPort = Integer.getInteger("signServerPort");
        return new SigningAndValidationWS(signServerHost, signServerPort, true);
    }

Call sign(), specify the signer as CMSSigner, and pass in the byte array corresponding to the file
    @Autowired
    private ISigningAndValidation signServer;
        GenericSignResponse signResp = signServer.sign(“CMSSigner”, bytesUnsigned);
        String signature = HexFormat.of().formatHex(signResp.getProcessedData());

Convert the returned result into a binary file, and then execute the above parsing command 
openssl pkcs7 -inform der -in cms.sig -print

I didn't do any rest, CMSSignerDevKey is RSA2048.

[netmackan]

The code looks alright at a first glance at least.
But what do you provide as input?
From the ASN.1 dump, on the right we can see that the encapsulated content of the CMS signature is a Microsoft structure SpcPeImageDataObject () but on the left it looks like as if a PEM file was provided as input.

The CMSSigner would encapsulate exactly what you provide as input. But for an Authenticode signature the content should be this special structure. The MSAuthCodeCMSSigner implements Authenticode signing and creates this structure but is currently only available in Enterprise so with the normal CMSSigner you would need to take care of constructing the structure first.