archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/admin/pchealth/helpctr/rc/bdychannel/testsign/faq.txt

195 lines
7.1 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. General Introduction to Code Signing
  3. -----------------
  4. Document Overview
  5. -----------------
  6. This guide presents general information about how to use the tools provided
  7. with IE30 to generate and use cryptographic certificates with IE30. It does
  8. not attempt to provide an in-depth discussion of public key cryptography,
  9. X.509 certificates, or certification policy. See the recommended reading
  10. list for suggested books and documents that will help you understand those
  11. and other background issues.
  13. Following this introduction, this guide is divided into the following
  14. sections:
  16. - Terminology
  18. Describes the terms used in this document that may be new to you.
  20. - Procedural Overview
  22. This section gives a brief description of each step of the signing
  23. procedure and an example of how it would be used by walking through a
  24. sample session from start to finish.
  26. - Required Files List
  28. - Recommended Reading
  30. Terminology
  31. -----------
  32. X.509 Certificate - A cryptographic certificate that associates an entity's
  33. name with its public key.
  35. PKCS 7 "SIGNED DATA" - A widely used convention for containing the data used
  36. to sign an image or a document, typically including the certificate of the
  37. signer and a statement about the image made by the signer.
  39. WIN_CERTIFICATE - A new Win32 defined data structure that contains either a
  40. PKCS 7 signed data object or an X.509 Certificate.
  42. Certification Authority (CA) - An entity that is making a statement
  43. (represented by an X.509 Certificate) about the authenticity of some
  44. other certificate.
  46. SPC - Software Publishing Certificate. A statement that the recipient is an
  47. approved software vendor, represented as an X.509 certificate.
  49. PE Image - Portable Executable Image, the standard Win32 executable
  50. format.
  52. Trust provider - A part of the operating system that verifies whether or not
  53. a given image is trusted based on the certificates it contains.
  55. Procedural Overview
  56. -------------------
  57. We will now walk through an example of how to sign an image. Assume we are
  58. going to sign an image named image.exe.
  60. This procedure is meant to illustrate the steps involved in signing an image
  61. file. Since creating a verifiable certificate assumes the existance of a
  62. fairly complex CA infrastructure, it is not possible to provide all of the
  63. pieces necessary for a fully trustworthy signature at this time. In
  64. particular, there does not exist a "top-level" certifying authority, which
  65. would ultimately vouch for the integrity of the entire certificate chain.
  66. Since such a top-level authority is a necessary part of the signing and
  67. verification operations, the toolkit provided will create a pseudo top-level
  68. entity when necessary. This will be called the root authority or root key.
  70. The present tools therefore allow any user of this development release to
  71. authorize themselves as a "Software Publisher" for test purposes and to
  72. sign their code, allowing for extensive testing of the tools and code
  73. used but not actually providing a secure infrastructure. In future releases,
  74. the tools will require software publishers to obtain certificates from
  75. companies whose function is to verify the identity of the publishers,
  76. providing end-users with a high level of assurance about the authenticity
  77. and origin of code that they recieve.
  79. This sample root key will be used to generate an SPC (Software Publishing
  80. Certificate), which is used to actually sign image files.
  82. [
  83. note: before proceeding, verify that the underlying crypto-api is
  84. functioning by running:
  85. c:>init * (will generate keys)
  86. c:>api * (will spew out SUCCESS messages until killed)
  87. ]
  89. 1) The first step is to run the MakeCert utility. MakeCert will perform the
  90. following tasks:
  92. - Create the end-user's public/private keypair suitable for digital
  93. signatures, and associate the keypair with a friendly name.
  95. - Associate the new keypair with an X.500 Distinguished Name, and
  97. - Create an X.509 certificate signed by the root key that binds your name to
  98. the public part of the newly created keypair.
  100. A typical invocation of MakeCert is as follows:
  102. c:\>makecert -u:MyKey -n:CN=MySoftwareCompany Cert.cer
  104. Cert.crt now contains an X.509 certificate that binds your newly created key
  105. with your name. This certificate is itself signed by the example root key
  106. described above.
  108. A public key/private key pair will be generated and assigned the name
  109. specified in the "-u" switch, or if such a key already exists, it will
  110. be re-used.
  112. Note that the name must be of the form "CN=[name-string]", as required by
  113. the ITU x.509 standard.
  115. 2) The next step is to wrap the X.509 certificate created in step 1 into a
  116. PKCS 7 signed-data object. PKCS 7 objects are commonly used as "carriers" for
  117. X.509 certificates, because it is possible to put several X.509 certificates
  118. in a single PKCS 7 object.
  120. In addition to the users's certificate, the root certificate will also be
  121. inserted into the PKCS 7 object. This will allow passing around the entire
  122. certificate chain in a single container.
  124. Do this with the Cert2SPC utility, as follows:
  126. c:\>Cert2SPC Root.cer Cert.cer Cert.spc
  128. Cert.spc now contains the Software Publishing Certificate in the correct
  129. format.
  131. 3) The next step is to use the certificate just created to sign an actual
  132. image file. Do this with the SignCode tool. It takes as input the Cert.spc
  133. file created in step 2, the name of the key pair created in step 1, and the
  134. name of the image file to sign.
  136. SignCode will perform the following tasks:
  138. - Create a cryptographic digest of the passed image file.
  140. - Sign the digest with the passed private key information.
  142. - Extract the X.509 certificates from the passed Cert.spc file.
  144. - Create a new PKCS 7 signed-data object containing the serial number of the
  145. passed X.509 certificate and the signed digest information.
  147. - Embed the PKCS 7 object into the passed image file.
  149. c:\>SignCode -prog image.exe -spc cert.spc -pvk MyKey
  151. If SignCode is successful, image.exe will have a PKCS7 certificate embedded in
  152. it. Verify this by running PeSigMgr.exe on the image:
  154. c:\>PeSigMgr -l image.exe
  156. Certificate 0 Revision 256 Type PKCS7
  158. 4) Now, check the validity of the image. Do this with the ChkTrust utility.
  160. c:\>ChkTrust image.exe
  162. ChkTrust performs the following tasks:
  164. - Extract the PKCS 7 signed data object from the image.
  166. - Extract the X.509 certificates from the PKCS 7 object.
  168. - Compute a new cryptographic checksum of the image file and compare it with
  169. the signed checksum in the PKCS 7 object.
  171. - If the image checks out, validate that the signer's X.509 certificate
  172. points back to the root certificate, and that the root key used was correct.
  174. If all this succeeds, the system has verified that the image has not been
  175. tampered with, and that whoever published this piece of software was
  176. authorized to do so by the root authority.
  178. List of Required Files
  179. ----------------------
  180. WINTRUST.DLL
  181. DIGSIG.DLL
  182. OSSAPI.DLL
  183. OSSMEM.DLL
  184. SOEDBER.DLL
  185. MSVCRT20.DLL
  186. MSVCRT40.DLL
  187. MAKECERT.EXE
  188. CERT2SPC.EXE
  189. SIGNCODE.EXE
  190. PESIGMGR.EXE
  191. CHKTRUST.EXE
  192. ROOT.CER
  193. ROOT.PVK