Didier Stevens

Monday 14 July 2008

A New Version of WhoAmI? and Another Little Puzzle

Filed under: My Software,Update — Didier Stevens @ 0:57

I’ve updated my WhoAmI? Firefox add-on for version 3.

You can download it here or get it from the Mozilla site. It has remained in the Sandbox since my first post, but now I’ve nominated it to leave the Sandbox. If you use it, please post a review on the Mozilla page to help it on its way out of the Sandbox (or keep it there if it’s too buggy).

And now for the little puzzle: what is special about this other version of my WhoAmI? add-on?

So don’t get confused by these 2 versions:

  • The real version of WhoAmI? is here
  • Download this other version only if you’re interested in a little puzzle

19 Comments »

  1. So far the only thing that I see different about the files so far is that the puzzle contains 3 extra files in a META-INF folder:

    DidierStevensCodeSigning.rsa
    DidierStevensCodeSigning.sf
    manifest.mf

    Meaning that it is signed (https://DidierStevens.com). That can’t be it though… can it?

    All other files appear to be the same from checking their hashes and running diff. So if there is something else hiding it must be in one of the above files, I believe. (However, I haven’t found anything of interest yet and am now going to sleep.)

    Comment by jamie — Monday 14 July 2008 @ 6:39

  2. Yes, it is signed. And what is the consequence of this code signing?

    Comment by Didier Stevens — Monday 14 July 2008 @ 7:04

  3. The implication that this is a “trustworthy” application?

    Comment by jamie — Monday 14 July 2008 @ 15:18

  4. Actually, I wanted to ask “what is the technical consequence of this code signing”?

    Did you install the signed XPI?

    Comment by Didier Stevens — Monday 14 July 2008 @ 15:49

  5. I installed the signed XPI and Firefox wouldn’t verify the signature.

    http://people.rit.edu/jrk9055/notverified.bmp

    I’m trying to dig up certutil now so I can figure out why your signed files fail (opening the .rsa sig file in wordpad doesn’t tell me whom your CA is — at least I can’t tell as of yet)

    Comment by Jason Koppe — Monday 14 July 2008 @ 18:46

  6. So, I got certutil installed. I don’t notice any information in the file about a trusted third party CA that issued you the certificate; I’m pretty sure that’s why Firefox won’t verify it… Here is the dump output for the certificate file… Since

    PKCS7 Message:

    No PKCS7 Message Content

    PKCS7 Message Authenticated Attributes:
    3 attributes:

    Attribute[0]: 1.2.840.113549.1.9.3 (Content Type)
    Value[0][0]:
    Unknown Attribute type
    0000 06 09 2a 86 48 86 f7 0d 01 07 01 ..*.H……

    Attribute[1]: 1.2.840.113549.1.9.5 (Signing Time)
    Value[1][0]:
    Unknown Attribute type
    0000 17 0d 30 38 30 37 31 33 31 39 35 31 32 39 5a ..080713195129Z

    Attribute[2]: 1.2.840.113549.1.9.4 (Message Digest)
    Value[2][0]:
    Unknown Attribute type
    0000 04 14 1e fe e7 33 bd 9a be e8 cb a2 90 57 a2 aa …..3…….W..
    0010 60 76 93 74 66 b8 `v.tf.

    No PKCS7 Message Signing Certificate
    PKCS7 Message Certificates:
    ================ Begin Nesting Level 1 ================
    X509 Certificate:
    Version: 3
    Serial Number: 02
    Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00 ..
    Issuer:
    E=didier stevens Google mail
    CN=Didier Stevens (https://DidierStevens.com)
    O=https://DidierStevens.com
    L=Brussels
    S=Brussels
    C=BE

    NotBefore: 7/13/2008 3:43 PM
    NotAfter: 7/13/2010 3:43 PM

    Subject:
    E=didier stevens Google mail
    OU=Didier Stevens Code Signing (https://DidierStevens.com)
    O=https://DidierStevens.com
    L=Brussels
    S=Brussels
    C=BE

    Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00 ..
    Public Key: UnusedBits = 0
    Certificate Extensions: 1
    2.5.29.37: Flags = 1(Critical), Length = c
    Enhanced Key Usage
    Code Signing(1.3.6.1.5.5.7.3.3)

    Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00 ..
    Signature: UnusedBits=0
    Non-root Certificate
    Cert Hash(md5): ef 18 fa ca c4 75 20 e8 62 fb 9a 8b 13 7c c7 7c
    Cert Hash(sha1): ce 7b 0f 23 c4 ca dc b1 14 5b 1c 1e e9 53 07 64 c4 f7 b3 1f
    ---------------- End Nesting Level 1 ----------------
    No PKCS7 Message CRLs

    Comment by Jason Koppe — Monday 14 July 2008 @ 18:55

  7. Excellent work Jason!

    While updating my Firefox add-on yesterday, I got interested in digital signatures for add-ons, but wasn’t too impressed by the terse Firefox interface.

    The error you get means that your copy of Firefox doesn’t trust the root CA that issued the code signing certificate I used. And that’s normal, because it’s a self-signed root CA that I created. More details in an upcoming blogpost, but if you’re interested, my root CA cert is here: http://didierstevens.com/files/data/ca.crt

    Comment by Didier Stevens — Monday 14 July 2008 @ 19:30
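An added example, not part of the original post or comments: a Python sketch that audits a signed XPI the way the thread does by hand, listing the META-INF signature files and checking every archive member against the SHA1 digests in the manifest. It assumes JAR-style manifest sections (`Name:` / `SHA1-Digest:`); the sample archive, its file names and `Sample.rsa` are constructed placeholders.

```python
import base64, hashlib, io, zipfile

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> base64 SHA1 digest from JAR-style manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo line wrapping
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def audit_xpi(data):
    """Report whether a signature block exists and compare members to the manifest."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        manifest = next((n for n in meta if n.upper().endswith("/MANIFEST.MF")), None)
        expected = parse_manifest(z.read(manifest).decode()) if manifest else {}
        files = {}
        for n in names:
            if n in meta:
                continue
            if n not in expected:
                files[n] = "unsigned"   # present in the zip, absent from the manifest
            else:
                files[n] = "ok" if b64sha1(z.read(n)) == expected[n] else "modified"
        for n in expected:
            files.setdefault(n, "missing")  # listed in the manifest, absent from the zip
    has_block = any(n.upper().endswith((".RSA", ".DSA")) for n in meta)
    return {"has_signature_block": has_block, "files": files}

def build_sample(tamper=False):
    """Constructed sample archive (not the real WhoAmI? XPI)."""
    files = {"install.rdf": b"<RDF/>", "chrome/whoami.js": b"var x = 1;"}
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        "Name: %s\nSHA1-Digest: %s\n\n" % (n, b64sha1(c)) for n, c in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.mf", manifest)
        z.writestr("META-INF/Sample.rsa", b"placeholder, not a real PKCS#7 blob")
        for n, c in files.items():
            z.writestr(n, c + (b" // changed" if tamper and n.endswith(".js") else b""))
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_xpi(build_sample()))
    print(audit_xpi(build_sample(tamper=True)))
```

Matching digests show only that the files agree with the manifest; whether the signature is accepted still depends on the certificate in the `.rsa` file chaining to a root the browser trusts, which is the step that fails in this thread.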

  8. Actually I didn’t try to install it until now. I received the same error… I had just examined the certificate with a hex editor and got some of the information that Jason has dumped.

    Comment by jamie — Monday 14 July 2008 @ 19:31

  9. BTW, I had tried to go this route to install it, but that didn’t work either.

    Comment by jamie — Monday 14 July 2008 @ 19:38

  10. That’s what I mean with the terse UI. When something goes wrong, you’ll get “Signing could not be verified” plus a number, which I assumed is the error code, but I’ve yet to find a comprehensive error code list.

    Comment by Didier Stevens — Monday 14 July 2008 @ 19:47

  11. Ahh… OK, I thought there was more to the puzzle…

    Comment by jamie — Monday 14 July 2008 @ 23:55

  12. Hmm… I instructed FF3 to trust your CA; now the plugin installs. However, it says that my current user is default (and it should say Jason).

    Running: FF3, Vista x64 Business

    Comment by Jason Koppe — Monday 14 July 2008 @ 23:59

  13. I trusted your cert as a CA in FF3 — this allowed the XPI to install. However, it doesn’t list the proper username in the statusbar. It just says default (should say Jason).

    I’m running FF3 and Vista x64

    Comment by Jason Koppe — Tuesday 15 July 2008 @ 0:11

  14. WhoAmI? displays the name of your profile (actually, the name of the folder of your profile), not the OS username.
    If you’re not using the Profile Manager, FF creates a profile called default. Here are the details: http://kb.mozillazine.org/Profile_Manager

    Comment by Didier Stevens — Tuesday 15 July 2008 @ 10:32

  15. @jamie: would you prefer something more difficult?

    Comment by Didier Stevens — Tuesday 15 July 2008 @ 12:40

  16. Maybe :-)

    Comment by jamie — Tuesday 15 July 2008 @ 14:16

  17. Ah, thanks :) I only have use for two add-ons: Zotero & LibX. For what do you use the profile manager? Do you have many profiles that have different sets of addons/configurations/bookmarks? If so, what are these profile roles?

    Comment by Jason Koppe — Tuesday 15 July 2008 @ 15:13

  18. I use different profiles for a couple of reasons:
    1) testing and development
    I’ve a couple of profiles to develop add-ons, and I usually create a new profile when I want to test a new add-on I discovered.

    2) security & privacy
    I also run several instances of FF at the same time, one exclusive for my Google account, one for my WordPress account, a couple of others for important sites, and then one for browsing. This is a tactic to protect me against XSS and other web browser attacks.

    3) alter egos
    A couple of profiles with different Google accounts

    The profile manager also allows you to choose the directory for your profile. One use for this is to put your profile on an (encrypted) USB stick that you take with you wherever you go.

    Comment by Didier Stevens — Tuesday 15 July 2008 @ 19:02

  19. Thanks :)

    Comment by Jason Koppe — Sunday 20 July 2008 @ 5:53

