How to get the TBS (To be signed) value of a signed file in PowerShell?

Question

Looking for a way to get the TBS of a file that has digital signature in PowerShell 7.3+

Tried a few things like:

add-type -AssemblyName system.security.cryptography.X509Certificates

$cert = new-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList <file path>

$RawdDta = $cert.RawData

But not sure what the next steps are.

Let me clarify

This is the TBS value

I want to get them in PowerShell. The image is the XML output of running commands from the built-in ConfigCI module.

Get-AuthenticodeSignature doesn't show that value.

The TBS value shown in the screenshot belongs to this certificate which is not installed in the local cert store

Update:

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations

For well-known roots, the TBS hashes for the certificates are baked into the code for Windows Defender Application Control. For example, they don’t need to be listed as TBS hashes in the policy file.

This is saying the TBS value is hash.

Answer 1

Apparently the systems I used for extracting the tbsCertificate and/or hashing it let me down. The algorithm for this value is the hash of the tbsCertificate using whatever algorithm the CA used to sign the certificate. So it's the hash value that the CA computes when signing (and that a verifier computes when verifying the chain). This program demonstrates it:

using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace TbsHasher
{
    internal static class TbsHasher
    {
        private static void Main(string[] args)
        {
            using (X509Certificate2 cert = new X509Certificate2(args[0]))
            {
                AsnReader reader = new AsnReader(cert.RawData, AsnEncodingRules.DER);
                AsnReader certificate = reader.ReadSequence();
                ReadOnlyMemory<byte> tbsCertificate = certificate.ReadEncodedValue();
                AsnReader signatureAlgorithm = certificate.ReadSequence();
                string algorithmOid = signatureAlgorithm.ReadObjectIdentifier();

                Span<byte> hash = stackalloc byte[512 >> 3];
                int written = Hash(tbsCertificate.Span, algorithmOid, hash);

                Console.WriteLine(Convert.ToHexString(hash.Slice(0, written)));
            }
        }

        private static int Hash(
            ReadOnlySpan<byte> source,
            string algorithmOid,
            Span<byte> destination)
        {
            const string DsaWithSha1 = "1.2.840.10040.4.3";
            const string DsaWithSha256 = "2.16.840.1.101.3.4.3.2";
            const string DsaWithSha384 = "2.16.840.1.101.3.4.3.3";
            const string DsaWithSha512 = "2.16.840.1.101.3.4.3.4";
            const string ECDsaWithSha1 = "1.2.840.10045.4.1";
            const string ECDsaWithSha256 = "1.2.840.10045.4.3.2";
            const string ECDsaWithSha384 = "1.2.840.10045.4.3.3";
            const string ECDsaWithSha512 = "1.2.840.10045.4.3.4";
            const string RsaPkcs1Md5 = "1.2.840.113549.1.1.4";
            const string RsaPkcs1Sha1 = "1.2.840.113549.1.1.5";
            const string RsaPkcs1Sha256 = "1.2.840.113549.1.1.11";
            const string RsaPkcs1Sha384 = "1.2.840.113549.1.1.12";
            const string RsaPkcs1Sha512 = "1.2.840.113549.1.1.13";

            switch (algorithmOid)
            {
                case RsaPkcs1Md5:
                    return MD5.HashData(source, destination);
                case DsaWithSha1:
                case ECDsaWithSha1:
                case RsaPkcs1Sha1:
                    return SHA1.HashData(source, destination);
                case DsaWithSha256:
                case ECDsaWithSha256:
                case RsaPkcs1Sha256:
                    return SHA256.HashData(source, destination);
                case DsaWithSha384:
                case ECDsaWithSha384:
                case RsaPkcs1Sha384:
                    return SHA384.HashData(source, destination);
                case DsaWithSha512:
                case ECDsaWithSha512:
                case RsaPkcs1Sha512:
                    return SHA512.HashData(source, destination);
            }

            throw new ArgumentOutOfRangeException($"No handler for algorithm {algorithmOid}");
        }
    }
}

When run on the PCA 2010 certificate (as downloaded from crt.sh cert 12729283), it outputs your expected 121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195

This is not a thing that is built into .NET, and it probably isn't a PowerShell intrinsic cmdlet/function for it, either. The System.Formats.Asn1 package used here should be callable from PowerShell, but you'll have to translate the C# to PS, of course.

Answer 2

With bartonjs's help I could convert his C# code into PowerShell, build on that to achieve the desired result.

Here is the code

$FilePath = "C:\Users\HotCakeX\Downloads\AppLocker-ManagedInstaller.msi"

# Get the certificate chain from the signed file
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($FilePath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert)

# Get the intermediate certificate from the chain
$intermediate = $chain.ChainElements[1].Certificate

# Load the System.Security.Cryptography.X509Certificates assembly
Add-Type -AssemblyName System.Security.Cryptography.X509Certificates

# Load the System.Formats.Asn1 assembly
Add-Type -AssemblyName System.Formats.Asn1

# Create a new certificate object from the intermediate certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $intermediate

# Get the raw data of the certificate
$rawData = $cert.RawData

# Create an ASN.1 reader to parse the certificate
$asnReader = New-Object System.Formats.Asn1.AsnReader -ArgumentList $rawData, ([System.Formats.Asn1.AsnEncodingRules]::DER)

# Read the certificate sequence
$certificate = $asnReader.ReadSequence()

# Read the TBS (To be signed) value of the certificate
$tbsCertificate = $certificate.ReadEncodedValue()

# Read the signature algorithm sequence
$signatureAlgorithm = $certificate.ReadSequence()

# Read the algorithm OID of the signature
$algorithmOid = $signatureAlgorithm.ReadObjectIdentifier()

# Define a hash function based on the algorithm OID
switch ($algorithmOid) {
    "1.2.840.113549.1.1.4" { $hashFunction = [System.Security.Cryptography.MD5]::Create() }
    "1.2.840.10040.4.3" { $hashFunction = [System.Security.Cryptography.SHA1]::Create() }
    "2.16.840.1.101.3.4.3.2" { $hashFunction = [System.Security.Cryptography.SHA256]::Create() }
    "2.16.840.1.101.3.4.3.3" { $hashFunction = [System.Security.Cryptography.SHA384]::Create() }
    "2.16.840.1.101.3.4.3.4" { $hashFunction = [System.Security.Cryptography.SHA512]::Create() }
    "1.2.840.10045.4.1" { $hashFunction = [System.Security.Cryptography.SHA1]::Create() }
    "1.2.840.10045.4.3.2" { $hashFunction = [System.Security.Cryptography.SHA256]::Create() }
    "1.2.840.10045.4.3.3" { $hashFunction = [System.Security.Cryptography.SHA384]::Create() }
    "1.2.840.10045.4.3.4" { $hashFunction = [System.Security.Cryptography.SHA512]::Create() }
    "1.2.840.113549.1.1.5" { $hashFunction = [System.Security.Cryptography.SHA1]::Create() }
    "1.2.840.113549.1.1.11" { $hashFunction = [System.Security.Cryptography.SHA256]::Create() }
    "1.2.840.113549.1.1.12" { $hashFunction = [System.Security.Cryptography.SHA384]::Create() }    
    "1.2.840.113549.1.1.13" { $hashFunction = [System.Security.Cryptography.SHA512]::Create() }
    default { throw "No handler for algorithm $algorithmOid" }
}

# Compute the hash of the TBS value using the hash function
$hash = $hashFunction.ComputeHash($tbsCertificate.ToArray())


# Convert the hash to a hex string and print it
$hexString = [System.BitConverter]::ToString($hash) -replace "-", ""
Write-Host $hexString

The $FilePath variable should point to a signed file and the output is the TBS of the intermediate certificate of the file. Yes, that TBS value in Code Integrity xml files belongs to only Intermediate certificates, neither leaf nor root certificates. Although leaf certificate's name is mentioned in the xml file since I'm using FilePublisher scan level.