Changes between Version 3 and Version 4 of libwdi/signed_driver_walkthrough


Timestamp:
02/08/11 15:02:51 (2 years ago)
Author:
pbatard
Comment:

--

  • libwdi/signed_driver_walkthrough

    v3 v4  
    1212 1. The [http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff latest WDK] 
    1313 
    14 For the purpose of this exercise, I will be using the OpenOCD libusb-win32_ft2232_driver files as well as driver signing credentials obtained from GlobalSign [TODO: detail the files obtained], and the development environment with be WDK 7.0.0. 
     14For the purpose of this exercise, I will be using libusb-win32_ft2232_driver files from the latest [http://www.freddiechopin.info/index.php/en/download/category/10-openocd-dev OpenOCD-dev 0.5.0] as well as driver signing credentials obtained from GlobalSign [TODO: detail the files obtained]. The development toolchain will be WDK 7.0.0. 
    1515 
    1616== Obtaining a driver signing certificate == 
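Review bot: the "[TODO: detail the files obtained]" placeholder is carried over unchanged onto new line 14, so the reader still does not know which credential files the walkthrough starts from. The signing section added later in this revision depends on a .pfx file and its private key password, so name those files here or drop the TODO. The word "latest" next to a link pinned to "OpenOCD-dev 0.5.0" will also go stale; since the later steps use libusb-win32_ft2232_driver-101028.zip by name, state the exact build the walkthrough was written against instead.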
     
    1818To be able to digitally sign a Windows driver, you need a Microsoft Authenticode code signing credential. A credential consists of a public key, embedded in a public certificate, containing your trusted third party verified information, as well as the matching private key, which is used to encrypt to be decrypted using the public key. 
    1919 
    20 Most of the driver signing credentials I am aware of seem to originate either from [http://www.verisign.com/ VeriSign] or [http://www.globalsign.com/ GlobalSign]. This does not mean that they are the only Certification Authorities providing these services, but they are the two that appear to be most commonly used. 
     20Most of the driver signing credentials I am aware of seem to originate either from [http://www.verisign.com/ VeriSign] or [http://www.globalsign.com/ GlobalSign]. Other Certification Authorities providing these services [http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx also exist], but Verisign and GlobalSign are the two that appear to be most commonly used. 
    2121 
    2222An important point to be aware of is that that driver signing certificates can only be delivered to registered companies, which the Certification Authority will check, therefore individual users, who don't have their own registered company, cannot usually purchase driver signing certificate. Of course, you can check with the Certification Authority to find out what their delivery requirements are. 
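Review bot: new line 20 spells the CA two ways in one sentence, "VeriSign" in the link text and "Verisign" in the added clause; pick one spelling and use it in the '''Verisign''' heading below as well. The link text "also exist" gives no hint that the target is Microsoft's cross-certificate list, so something like "are listed by Microsoft" would read better. While this paragraph is being touched, the unchanged sentence on line 18 ("the matching private key, which is used to encrypt to be decrypted using the public key") is incomplete and should say that the private key creates the signature and the public key in the certificate verifies it. Line 22 also has a doubled "that that".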
     
    2424'''Verisign''' 
    2525* 1st year driver signing credentials [https://winqual.microsoft.com/help/why_is_a_digital_certificate_required_for_winqual_membership.htm can be obtained for $99] 
    26 * A lot more expensive than [http://www.globalsign.com/code-signing/ GlobalSign] outside of the 1st year promo: $499/year 
     26* A lot more expensive than GlobalSign outside of the 1st year promo: $499/year 
    2727 
    2828'''Globalsign''' 
    29 * More expensive the first year, but cheaper in the long run: $229/year 
    30 * More friendly to non-US based customers 
     29* More expensive the first year, but cheaper in the long run: [http://www.globalsign.com/code-signing/ $229/year] 
     30* More friendly to non-US based customers (based in Belgium) 
    3131 
    3232From the date of registration, delivery of your certificate can take from a few days, to a few weeks. 
    3333 
    3434== Signing the driver binaries == 
     35 
     36After downloading either one of the openocd[-x64]-0.5.0-dev windows binaries, one can find the libusb-win32_ft2232_driver-101028.zip archive in the drivers/ directory. 
     37After further extracting that archive, you will find that it contains an inf file, along with the amd64/ and x86/ containing the the actual driver binaries. If you look at the binaries' properties, on the Digital Signatures tab, you will find that they have already been signed by the libusb-win32 developers (so that they can be installed on Windows outside of test mode). This is not a problem as the signature we are going to create is going to replace any existing one. If you were to recompile the [https://sourceforge.net/projects/libusb-win32/files/libusb-win32-releases/ libusb-win32] drivers from source, you would of course have no signature. And of course, since there is no signed .cat, the inf is also not signed. 
     38 
     39'''Timestamping''' 
     40 
     41While using a trusted time source for signature creation or validation is something you should always consider when using PKI, the reason you want to use timestamping from a trusted timestamping authority when signing your drivers is because it ensures that they can still be used in Windows after the code signing certificate expires. If you don't use timestamping when signing your driver files, then you will have to provide all your users with updated drivers if your original certificate expired. For instance, if you purchased a one year certificate and didn't timestamp, your drivers will cease functioning after one year. 
     42 
     43Windows Authenticode Certifications Authorities usually provide a timestamping service (usually a dll) that you can reference when signing. Currently these URLs are: 
     44* http://timestamp.verisign.com/scripts/timstamp.dll (Verisign) 
     45* http://timestamp.globalsign.com/scripts/timstamp.dll (GlobalSign) 
     46 
     47'''Additional Certificate''' 
     48 
     49While the Windows certificate store has both the GlobalSign and Verisign root CA certificates as Trusted Root Certification Authorities, these CA certificates are not the ones used for driver code signing. Instead Microsoft have their own "Microsoft Code Verification Root" certificate (which, curiously, will not appear at the top of the certification chain for signed code certificates), which they used to sign the root certificate used by the Certification Authorities they entrusted to provide Authenticode credentials to customers. Microsoft calls that a cross certificate. 
     50 
     51By default however, Windows platforms only have the Microsoft Code Verification Root certificate installed, not the the ones from subsidiaries, therefore, to be able to validate the trust chain, the CA's Authenticode root certificate must also be provided. 
     52 
     53In short, this means that you will also need to download the root Authenticode certificate from, GlobalSign, Verisign or your other third party authority, so that it can be embedded in the signature. Currently, these certificates can be obtained from: 
     54* http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx#EWAAC (Verisign) 
     55* http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx#EMG (GlobalSign) 
     56For the record, all the certificates above seem set to expire on 2016.05.23. What happens to Windows signed driver users past that date is something that probably warrants some testing... [TODO] 
     57 
     58Hint: For some weird reasons, Microsoft thought it was a good idea to provide these certificates in the form of an executable. If you want to extract certificate without running the exe, just open it in [http://www.7-zip.org/ 7-Zip], then open the _winzip_ file you'll find there, and you'll get to the MSCV-GlobalSign.cer or MSCV-VSClass3.cer certificates. 
     59 
     60'''Signing process''' 
     61 
     62With your driver signing .pfx file, the corresponding private key password, the MSVC-#### certificate above and the timestamp URL, you are now good to sign your driver files. 
     63It is probably a good idea to place the CA certificate along with your pfx in an easily accessible directory. In the example below, we will use the akeo.pfx driver signing credentials, obtained from GlobalSign, as well as MSCV-GlobalSign.cer from the D:codesign directory. The timestamping authority will also be the one from GlobalSign. 
     64Preferably you want to sign all the driver files, including the DLLs, but technically, only the .sys should be required. 
     65 
     66To sign the file, open one of the WDK dos prompts (eg. Windows XP x86 Free Build Environment), then navigate to the directory containing the driver files you want to sign (eg "libusb-win32_ft2232_driver-101028amd64libusb0.sys" and issue the following: 
     67 
     68{{{ 
     69D:libusb-win32_ft2232_driver-101028amd64>signtool sign /v /ac D:codesignMSCV-GlobalSign.cer /f D:codesignakeo.pfx /p "<YOUR_PASSWORD>" /t http://timestamp.globalsign.com/scripts/timstamp.dll libusb0.sys 
     70The following certificate was selected: 
     71    Issued to: Akeo Consulting 
     72    Issued by: GlobalSign ObjectSign CA 
     73    Expires:   Sun Jun 26 10:05:35 2011 
     74    SHA1 hash: 0BF5319EE093F9234D8504527D63CFAFEADEECF8 
     75 
     76Cross certificate chain (using machine store): 
     77    Issued to: Microsoft Code Verification Root 
     78    Issued by: Microsoft Code Verification Root 
     79    Expires:   Sat Nov 01 13:54:03 2025 
     80    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 
     81 
     82        Issued to: GlobalSign Root CA 
     83        Issued by: Microsoft Code Verification Root 
     84        Expires:   Mon May 23 17:10:51 2016 
     85        SHA1 hash: 3EEB2750A199F5E7B6A8952430BE5062FE04E9E5 
     86 
     87            Issued to: GlobalSign Primary Object Publishing CA 
     88            Issued by: GlobalSign Root CA 
     89            Expires:   Fri Jan 27 12:00:00 2017 
     90            SHA1 hash: 1AAF4DF10D36215E09E4EEFD70E340C2E4DECF38 
     91 
     92                Issued to: GlobalSign ObjectSign CA 
     93                Issued by: GlobalSign Primary Object Publishing CA 
     94                Expires:   Fri Jan 27 11:00:00 2017 
     95                SHA1 hash: B859853EF366AC9335763C340A87BD208113055F 
     96 
     97                    Issued to: Akeo Consulting 
     98                    Issued by: GlobalSign ObjectSign CA 
     99                    Expires:   Sun Jun 26 10:05:35 2011 
     100                    SHA1 hash: 0BF5319EE093F9234D8504527D63CFAFEADEECF8 
     101 
     102Done Adding Additional Store 
     103Successfully signed and timestamped: libusb0.sys 
     104 
     105Number of files successfully Signed: 1 
     106Number of warnings: 0 
     107Number of errors: 0 
     108}}} 
     109 
     110'''checking the signed driver files''' 
     111 
     112Optional, but probably a good idea, as you will get the timestamping info as well.  
     113{{{ 
     114D:libusb-win32_ft2232_driver-101028amd64>signtool verify /kp /v libusb0.sys 
     115 
     116Verifying: libusb0.sys 
     117Hash of file (sha1): B4C09901487067EB10454F6CFFCFA3C64988EE86 
     118 
     119Signing Certificate Chain: 
     120    Issued to: GlobalSign Root CA 
     121    Issued by: GlobalSign Root CA 
     122    Expires:   Fri Jan 28 12:00:00 2028 
     123    SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C 
     124 
     125        Issued to: GlobalSign Primary Object Publishing CA 
     126        Issued by: GlobalSign Root CA 
     127        Expires:   Fri Jan 27 12:00:00 2017 
     128        SHA1 hash: 1AAF4DF10D36215E09E4EEFD70E340C2E4DECF38 
     129 
     130            Issued to: GlobalSign ObjectSign CA 
     131            Issued by: GlobalSign Primary Object Publishing CA 
     132            Expires:   Fri Jan 27 11:00:00 2017 
     133            SHA1 hash: B859853EF366AC9335763C340A87BD208113055F 
     134 
     135                Issued to: Akeo Consulting 
     136                Issued by: GlobalSign ObjectSign CA 
     137                Expires:   Sun Jun 26 10:05:35 2011 
     138                SHA1 hash: 0BF5319EE093F9234D8504527D63CFAFEADEECF8 
     139 
     140The signature is timestamped: Tue Feb 08 13:54:32 2011 
     141Timestamp Verified by: 
     142    Issued to: GlobalSign Root CA 
     143    Issued by: GlobalSign Root CA 
     144    Expires:   Fri Jan 28 12:00:00 2028 
     145    SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C 
     146 
     147        Issued to: GlobalSign Timestamping CA 
     148        Issued by: GlobalSign Root CA 
     149        Expires:   Fri Jan 28 12:00:00 2028 
     150        SHA1 hash: 958D23902D5448314F2F811034356A58255CDC9B 
     151 
     152            Issued to: GlobalSign Time Stamping Authority 
     153            Issued by: GlobalSign Timestamping CA 
     154            Expires:   Tue Dec 22 09:32:56 2020 
     155            SHA1 hash: AEDF7DF76BBA2410D67DBAF18F5BA15B417E496C 
     156 
     157Cross Certificate Chain: 
     158    Issued to: Microsoft Code Verification Root 
     159    Issued by: Microsoft Code Verification Root 
     160    Expires:   Sat Nov 01 13:54:03 2025 
     161    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 
     162 
     163        Issued to: GlobalSign Root CA 
     164        Issued by: Microsoft Code Verification Root 
     165        Expires:   Mon May 23 17:10:51 2016 
     166        SHA1 hash: 3EEB2750A199F5E7B6A8952430BE5062FE04E9E5 
     167 
     168            Issued to: GlobalSign Primary Object Publishing CA 
     169            Issued by: GlobalSign Root CA 
     170            Expires:   Fri Jan 27 12:00:00 2017 
     171            SHA1 hash: 1AAF4DF10D36215E09E4EEFD70E340C2E4DECF38 
     172 
     173                Issued to: GlobalSign ObjectSign CA 
     174                Issued by: GlobalSign Primary Object Publishing CA 
     175                Expires:   Fri Jan 27 11:00:00 2017 
     176                SHA1 hash: B859853EF366AC9335763C340A87BD208113055F 
     177 
     178                    Issued to: Akeo Consulting 
     179                    Issued by: GlobalSign ObjectSign CA 
     180                    Expires:   Sun Jun 26 10:05:35 2011 
     181                    SHA1 hash: 0BF5319EE093F9234D8504527D63CFAFEADEECF8 
     182 
     183Successfully verified: libusb0.sys 
     184 
     185Number of files successfully Verified: 1 
     186Number of warnings: 0 
     187Number of errors: 0 
     188}}} 
    35189 
    36190== Creating a signed cat file ==
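Review bot: the signing example on new line 69 passes the .pfx password on the command line with /p "<YOUR_PASSWORD>", which leaves it in the console history and visible in the process command line for as long as signtool runs. Add a sentence saying so and show the alternative of importing the credential into a certificate store and selecting it with /n or /sha1 (with /s for the store name) instead of /f and /p. The paths in this hunk render without separators ("D:codesignMSCV-GlobalSign.cer", "D:codesignakeo.pfx", "libusb-win32_ft2232_driver-101028amd64libusb0.sys"), which looks like backslashes lost to wiki escaping, so check the rendered page and escape them where needed. Line 62 says "MSVC-####" while the files are named MSCV-GlobalSign.cer and MSCV-VSClass3.cer, the parenthesis opened on line 66 before "eg" is never closed, and the heading on line 110 is lower case where the other bold headings are capitalised. The TODO on line 56 about the 2016.05.23 expiry of the cross certificates should say what the reader is expected to do in the meantime, since the verify output on line 165 shows that same date in the chain.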