signtool fails to sign a binary with a key from a AWS CloudHSM

6
votes

We are going to use AWS CloudHSM service to keep all code signing certificates secure and perform code signing on our build server. Our build server is Windows Server 2010, so I installed AWS CloudHSM client there. I activated cluster and all commandline utils work as expected: I am able to login, add keys, find keys etc. We would like to continue to use signtool to sign our binaries, so I thought that we can use key storage providers (KSPs) for AWS CloudHSM, that are installed along with other tools.

The Cavium KSP and CNG providers were installed successfully and are visible in the windows crypto provider's list. I defined environment variables as said here ( https://docs.aws.amazon.com/cloudhsm/latest/userguide/ksp-library-prereq.html ).

I added certificate via certutil to the HSM storage: 

Certutil -CSP "Cavium Key Storage Provider" -user -importPFX  "certificate.pfx"
SDK Version: 2.03
Enter PFX password:
Certificate "myCertificate" added to store.

CertUtil: -importPFX command completed successfully.

Certificate has been added sucessfully and it appears when I execute findKey command from key_mgmt_util.exe console.

After that I tried to sign a binary with the certificate as it is said in https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/hlk-signing-with-an-hsm:

signtool_64 sign /n myCertificate "test.exe"

or

signtool sign /sha1 4F555EF9FAB8E86A2F84ACF325362A29FB64AF66 "test.exe"

but I got an error I cannot resolve

    SDK Version: 2.03
    Done Adding Additional Store
    SignTool Error: An error occurred while attempting to load the signing
    certificate from: C:\temp\test.exe

I also tried to specify key storage provider and key container

signtool sign /csp "Cavium Key Storage Provider" /k CARoot-877f51a1-90ee-4c10-8feb-02925caab4fb test.exe

that returned to me 

SignTool Error: An unexpected internal error has occurred.
Error information: "Could not associate private key with certificate." (-2147024
891/0x80070005)

and 

signtool sign /f certificate.pem /csp "Cavium Key Storage Provider"
/k CARoot-877f51a1-90ee-4c10-8feb-02925caab4fb test.exe

with other error message

SignTool Error: The specified private key does not match the public key of the selected certificate.

It seems to me that something is wrong with the certificate from the storage, but I have no idea how to fix this. test.exe exists on the disk and can be signed with signtool using certificate from another provider or when specifiyng pfx file.

What am I doing wrong? Is Amazon CloudHSM client compatible with signtool or how else can I sign binary on Windows using Amazon CloudHSM as a key storage?

3
amazon-web-servicescertificatecode-signinghsmsigntool
Hi @toohtik, did you make any progress on this? I too would like to use a Cloud HSM provider to sign binaries but I have not seen any reports that it actually works.DaveJ
Hi @DaveJ take a look my answer lower, thxtoohtik
Thank you @toohtik for taking the time to update. Could you please post further updates if there any too. Thanks again, very much appreciated.DaveJ

3 Answers

3
votes

I just wrote the article Signing executables with Microsoft SignTool.exe using AWS CloudHSM-backed certificates that covers this scenario.

To summarize:

  • You need to ensure that you have the latest binaries for CloudHSM.

  • Check that when the certificate is created (if you self sign) that the relevant Key Container within Windows is created.

  • Run certutil -repairstore if needed.
  • When using the SignTool, check that you specify the certificate HASH


If you need further help, reach out to AWS Support as always or look in the AWS forums.

2
votes

I wrote to AWS supported and they responded back with:

"This issue seems to be caused by trying to store the certificate on the HSM, and referencing the certificate with SignTool. Although the certutil command shows "CertUtil: -importPFX command completed successfully.", CloudHSM doesn't currently support certificate storage. This feature will be added however, and when it's released will be added to the version history page.

You should be able to use SignTool by referencing the certificate locally (.crt/.cer), and using the private key of the certificate stored on the HSM:

c:> signtool sign /f certname.cer /csp "Cavium Key Storage Provider" /k kontainer_name test.exe

But this approach doesn't work on my end either. So I am still waiting for their assistance

0
votes

Have you tried

setx /m n3fips_partition <my hsm id>
setx n3fips_password=CU-username:CU-password

signtool sign /f /csp "Cavium Key Storage Provider" /k <container name> test.exe

I don't know what the container name should be. Usually there's a tool to map between the HSM partition and a container.

cloudhsm v2 docs on this topic can be found her https://docs.aws.amazon.com/cloudhsm/latest/userguide/ksp-library-prereq.html

https://docs.microsoft.com/en-us/windows/desktop/seccrypto/signtool

Searching through the registry for Cavium I found

Cavium CNG Provider and Cavium Key Storage Provider . maybe you need the cng which maps to ksp?

Also, The doc for the project is on github and the doc writers appear to be contributors https://github.com/awsdocs/aws-cloudhsm-user-guide/blob/master/doc_source/ksp-library-install.md

Did you run the csp ksp registration tool?