5

For an Authenticode signed file to be verifiable by Windows after the original signing certificate has expired (typically 1-3 years after issue), the file also needs to have a cryptographically signed timestamp that Windows can verify.

There are a number of Authenticode timestamping services that will sign your binary for you for free (if they're online and working at the time).

It is not sufficient for the certificate associated with the timestamp signature to just chain back to one of the trusted root CAs in the Windows certificate store, or else your own Authenticode key could be used to sign the timestamp, making the whole exercise pointless (you could make a signature using an expired cert, then forge a timestamp from the past).

Is there an X.509 timestamping attribute that Windows checks in the cert before accepting the signature? If so, how can you get such a certificate?

Or is there a separate Authenticode timestamp trust hierarchy?

Michael

1 Answer

7

A certificate for a Time Stamp Authority is accepted as such only if it contains an Extended Key Usage extension which itself advertises the specific id-kp-timeStamping object identifier (aka 1.3.6.1.5.5.7.3.8). Though Authenticode time stamps do not follow the RFC 3161 format, the rules on the TSA certificate are still the same (see section 2.3).

There is some information on Authenticode time stamps there. Like standard (RFC 3161) time stamps, they rely on PKCS#7 (aka "CMS") but the exact format of the data element that is signed by the TSA differs.

This blog post advertises some sort of "your own TSA" product (which I have not tried in any way) that supports Authenticode; this would indirectly mean that making your own TSA certificate and having it accepted by Windows as valid for Authenticode time stamps is feasible.

Any CA may issue a certificate with the "TSA" object identifier in it (there is no conceptual difficulty in it), but most established CAs will not, mostly for lack of demand. Note that running a TSA properly implies maintaining an accurate enough clock, resilient to external attempts at changing its notion of time (beware of NTP!), and that's not easy. It is actually very hard to do if you try to achieve sub-second accuracy (e.g. you have to process leap seconds, you cannot just ignore them).

Tom Leek
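Added example, not from the question or the answer: a small Python check of the rule the answer describes, applied to the DER Extensions block of a certificate. It hand-parses the extensions, locates id-ce-extKeyUsage, and accepts the certificate as a TSA only if that extension is present, marked critical, and lists id-kp-timeStamping as its sole KeyPurposeId, which is what RFC 3161 section 2.3 requires; the three sample Extensions blocks and all function names are constructed for this example.

```python
ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"  # id-kp-timeStamping
ID_CE_EXTKEYUSAGE = "2.5.29.37"           # id-ce-extKeyUsage

def parse_tlv(data, pos=0):  # DER element at pos -> (tag, contents, position after it)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def decode_oid(body):  # OBJECT IDENTIFIER contents -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def eku_purposes(extensions_der):  # -> (critical, [KeyPurposeId OIDs]) or None if no EKU
    _, exts, _ = parse_tlv(extensions_der)
    pos = 0
    while pos < len(exts):
        _, ext, pos = parse_tlv(exts, pos)
        _, oid_body, p = parse_tlv(ext)
        tag, body, p = parse_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"  # optional BOOLEAN, DEFAULT FALSE
        if tag == 0x01:
            tag, body, p = parse_tlv(ext, p)
        if decode_oid(oid_body) == ID_CE_EXTKEYUSAGE:
            _, seq, _ = parse_tlv(body)  # OCTET STRING holds SEQUENCE OF KeyPurposeId
            oids, q = [], 0
            while q < len(seq):
                _, ob, q = parse_tlv(seq, q)
                oids.append(decode_oid(ob))
            return critical, oids
    return None

def is_tsa_extensions(extensions_der):
    # RFC 3161 section 2.3: EKU present, marked critical, id-kp-timeStamping the only purpose
    eku = eku_purposes(extensions_der)
    return eku is not None and eku[0] and eku[1] == [ID_KP_TIMESTAMPING]

# Constructed sample Extensions blocks (hand-encoded DER, each holding one EKU extension)
TSA_EXTS = bytes.fromhex("30183016" "0603551d25" "0101ff" "040c300a" "06082b06010505070308")
CODESIGN_EXTS = bytes.fromhex("30153013" "0603551d25" "040c300a" "06082b06010505070303")
MIXED_EXTS = bytes.fromhex("30223020" "0603551d25" "0101ff" "04163014"
                           "06082b06010505070303" "06082b06010505070308")
```

A real certificate carries other extensions before the EKU; the loop in `eku_purposes` skips them, but this only inspects the Extensions block and says nothing about whether Windows itself enforces the criticality rule.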