Windows Server 2003 (NT 5.2.3790.0) build guide
Win2K3 test certificates utility
This utility generates a replacement test-certificate hierarchy (test root, test PCA, VBL03CA and a driver-signing certificate) with very long validity periods (the root is issued for 73000 days, roughly 200 years). It produces the patched source files, in which the hard-coded hashes of the original Microsoft test certificates are replaced by the hashes of the newly generated ones, together with the certificate files; both are to be copied into the srv03rtm
directory. Note that the generated root is MD5-signed and its private key is deleted as soon as the chain has been built, so the resulting testroot.cer is a trust anchor for this private build only — never import it into the trusted root store of a machine outside the build/test VM.
This patch should be used with the source set that includes the files from win2003_prepatched_v10a.zip.
Also, this utility is written in bash and is meant to be run on *nix systems. Sorry, I wasn’t interested in making it Windows-compatible, which may be somewhat ironic. You can try Git Bash instead, which may work for you; the script relies on openssl, perl, GNU sed (-i), xxd and sha1sum, so make sure those are available.
As there is uncertainty regarding public file hosts, I’ll include all scripts and necessary files on this page.
Usage
- Copy the original (with “v10a prepatched” applied) source files to the certutil/source directory, replacing every / in the path with - (the script reverses this mapping when it copies the files back into the output tree):
Source file | Copy to |
---|---|
srv03rtm/base/ntsetup/syssetup/crypto.c | certutil/source/base-ntsetup-syssetup-crypto.c |
srv03rtm/base/win32/fusion/sxs/strongname.cpp | certutil/source/base-win32-fusion-sxs-strongname.cpp |
srv03rtm/ds/security/cryptoapi/mincrypt/lib/vercert.cpp | certutil/source/ds-security-cryptoapi-mincrypt-lib-vercert.cpp |
srv03rtm/ds/security/cryptoapi/pki/certstor/policy.cpp | certutil/source/ds-security-cryptoapi-pki-certstor-policy.cpp |
srv03rtm/ds/win32/ntcrypto/mincrypt/vercert.cpp | certutil/source/ds-win32-ntcrypto-mincrypt-vercert.cpp |
srv03rtm/shell/shell32/defview.cpp | certutil/source/shell-shell32-defview.cpp |
srv03rtm/tools/checktestpca.cmd | certutil/source/tools-checktestpca.cmd |
srv03rtm/tools/checktestroot.cmd | certutil/source/tools-checktestroot.cmd |
srv03rtm/tools/postbuildscripts/crypto.cmd | certutil/source/tools-postbuildscripts-crypto.cmd |
srv03rtm/windows/core/ntuser/kernel/server.c | certutil/source/windows-core-ntuser-kernel-server.c |
- Run generate.sh from the certutil directory (it recreates certutil/srv03rtm.certs from scratch on every run and prints a full command trace, since it runs with set -x).
- Copy the contents of certutil/srv03rtm.certs to srv03rtm.
Certutil source files
certutil/generate.sh
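#!/bin/bash
# generate.sh -- build a throw-away test certificate hierarchy for a private
# Windows Server 2003 build and patch the hard-coded test-root hashes in the
# source tree to match it.  Run from the certutil directory: it reads
# ./config (OpenSSL configs) and ./source (pre-patched sources) and writes
# ./srv03rtm.certs, which is recreated from scratch on every run.
#
# -x           trace every command (the author's choice; nothing secret is
#              printed, the only password used is the empty PFX password)
# -e           abort on the first failing command
# -u           abort on an unset variable instead of expanding it to ""
# -o pipefail  a failing openssl inside one of the hash pipelines below must
#              fail the run instead of yielding an empty fingerprint that
#              would then be patched into the sources
set -xeuo pipefail
initdir="$(pwd)"
configdir="$initdir/config"             # one OpenSSL req/ca config per certificate
sourcedir="$initdir/source"             # pre-patched sources; '-' in the name stands for '/'
installdir="$initdir/srv03rtm.certs"    # output tree, to be copied over srv03rtm/
# ${installdir:?} refuses to run rm -rf on an empty path should the variable
# ever fail to be set.
rm -rf -- "${installdir:?}"
mkdir -p -- "$installdir"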
# isubdir SUBPATH
#   Ensure "$installdir/SUBPATH" exists (creating parents as needed) and
#   print its absolute path, so callers can write "$(isubdir 'tools')/file".
#   Returns mkdir's status if the directory cannot be created.
isubdir() {
  local target="${installdir}/${1}"
  if [[ ! -d "$target" ]]; then
    mkdir -p -- "$target" || return $?
  fi
  printf '%s\n' "$target"
}
# Output locations of the four artefacts the build consumes.  isubdir creates
# tools/ as a side effect, so the subshell below can write straight into it.
printf -v testrootcert '%s/testroot.cer' "$(isubdir 'tools')"   # DER, self-signed test root
printf -v testpcacert  '%s/testpca.cer'  "$(isubdir 'tools')"   # DER, issued by testroot
printf -v vbl03cacert  '%s/vbl03ca.cer'  "$(isubdir 'tools')"   # DER, issued by testpca
printf -v drivercert   '%s/driver.pfx'   "$(isubdir 'tools')"   # PKCS#12 leaf key + certs, empty password
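# Build the test hierarchy in a scratch directory inside the output tree and
# keep only what the build consumes:
#   testroot  self-signed, rsa:1536, MD5, 73000 days (~200 y)   -> tools/testroot.cer
#                                              (+ a copy under mergedcomponents/setupinfs)
#    testpca  issued by testroot (testroot.conf [ca]), rsa:1536 -> tools/testpca.cer
#     vbl03ca issued by testpca  (testpca.conf [ca]),  rsa:2048 -> tools/vbl03ca.cer
#      driver issued by vbl03ca  (vbl03ca.conf [ca]),  rsa:1024 -> tools/driver.pfx
# Each "openssl ca" call needs its database files (db.certs/, db.index,
# db.serial) to exist, which is why they are created by hand before the CA's
# own certificate is requested.
#
# The scratch directory -- and with it the three CA private keys, the CSRs
# and the CA databases -- is deleted at the end, so nothing further can be
# issued under this root; driver.pfx is the only signing credential that
# survives.
#
# Security notes for anyone reusing this:
#   * Every signature in the chain is MD5-based (-md5 for the root,
#     default_md = md5 in the ca configs).  That is tolerable only because
#     the hierarchy exists to satisfy the hard-coded test-root checks of a
#     private build; never import testroot.cer into a real trusted-root store.
#   * -nodes plus "-password pass:" leave the driver key unencrypted inside
#     driver.pfx behind an empty password (certsha1 relies on that when it
#     reads the file back), so treat the whole output tree as build-VM-only.
# The work runs in a subshell so the cd does not leak into the rest of the
# script.
(
  certdir="$(isubdir '_gencerts')"
  cd "$certdir"

  # --- testroot: self-signed via "req -x509", so testroot.conf's [req]
  #     x509_extensions apply.  Its [ca] section is used right after, hence
  #     the database files are set up first.
  mkdir 'testroot.db.certs'
  touch 'testroot.db.index'
  echo '4831793303313605' > 'testroot.db.serial'
  openssl req -x509 -md5 -newkey rsa:1536 -nodes -days 73000 \
    -config "$configdir/testroot.conf" \
    -keyout 'testroot.key' \
    -out 'testroot.pem'
  openssl x509 -outform der -in 'testroot.pem' -out "$testrootcert"

  # --- testpca: CSR from testpca.conf, signed by testroot.
  mkdir 'testpca.db.certs'
  touch 'testpca.db.index'
  echo '3921298631018096' > 'testpca.db.serial'
  openssl req -new -newkey rsa:1536 -nodes \
    -config "$configdir/testpca.conf" \
    -keyout 'testpca.key' \
    -out 'testpca.csr'
  openssl ca -batch \
    -config "$configdir/testroot.conf" \
    -in 'testpca.csr' \
    -out 'testpca.pem'
  openssl x509 -outform der -in 'testpca.pem' -out "$testpcacert"

  # --- vbl03ca: CSR from vbl03ca.conf, signed by testpca.
  mkdir 'vbl03ca.db.certs'
  touch 'vbl03ca.db.index'
  echo '2208785574689461' > 'vbl03ca.db.serial'
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$configdir/vbl03ca.conf" \
    -keyout 'vbl03ca.key' \
    -out 'vbl03ca.csr'
  openssl ca -batch \
    -config "$configdir/testpca.conf" \
    -in 'vbl03ca.csr' \
    -out 'vbl03ca.pem'
  openssl x509 -outform der -in 'vbl03ca.pem' -out "$vbl03cacert"

  # --- driver: leaf code-signing certificate from driver.conf, signed by
  #     vbl03ca.
  openssl req -new -newkey rsa:1024 -nodes \
    -config "$configdir/driver.conf" \
    -keyout 'driver.key' \
    -out 'driver.csr'
  openssl ca -batch \
    -config "$configdir/vbl03ca.conf" \
    -in 'driver.csr' \
    -out 'driver.pem'
  # openssl pkcs12 honours only the LAST -certfile on its command line.  The
  # original passed "-certfile testroot.pem -certfile vbl03ca.pem", so the
  # root was silently dropped (and testpca was never included at all).  Give
  # it a single file holding the complete issuing chain instead.
  cat 'vbl03ca.pem' 'testpca.pem' 'testroot.pem' > 'chain.pem'
  openssl pkcs12 -export -nodes -password pass: \
    -in 'driver.pem' \
    -inkey 'driver.key' \
    -certfile 'chain.pem' \
    -out "$drivercert"

  # Setup carries its own copy of the root certificate.
  cp -- "$testrootcert" "$(isubdir 'mergedcomponents/setupinfs')/testroot.cer"

  # Step out before deleting the scratch directory; ${certdir:?} guards the
  # rm -rf against an empty variable.
  cd "$installdir"
  rm -rf -- "${certdir:?}"
)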
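# Copy the pre-patched sources into the output tree.  Files in ./source are
# named with '-' standing in for '/' (see the table on the page), e.g.
# base-ntsetup-syssetup-crypto.c -> base/ntsetup/syssetup/crypto.c.  A real
# '-' in a path component therefore cannot be represented by this scheme.
: "${sourcedir:?sourcedir is not set}"
for f in "$sourcedir"/*; do
  # With an empty ./source the glob stays literal; a run that patches nothing
  # would silently produce an unusable tree, so fail loudly instead.
  if [[ ! -e "$f" ]]; then
    printf 'generate.sh: no source files found in %s\n' "$sourcedir" >&2
    exit 1
  fi
  name="${f##*/}"
  relpath="${name//-//}"   # every '-' -> '/'
  cp -- "$f" "$(isubdir "${relpath%/*}")/${relpath##*/}"
done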
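# certsha1 FILE
#   Print the SHA-1 thumbprint of a certificate as 20 upper-case hex bytes
#   separated by single spaces, the spelling the Windows sources hard-code.
#   FILE must end in .cer (DER certificate) or .pfx (PKCS#12 protected by an
#   EMPTY password -- matching the "-password pass:" driver.pfx is built
#   with).  For a .pfx the first certificate openssl prints is hashed, which
#   for driver.pfx as built here is expected to be the leaf certificate.
#   Returns 1 for any other extension, if openssl fails, or if the output
#   does not look like a fingerprint line.
certsha1() {
  local fp
  case "${1##*.}" in
    cer)
      fp="$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1)" || return 1
      ;;
    pfx)
      # -nodes also prints the private key; it goes no further than the pipe.
      fp="$(openssl pkcs12 -in "$1" -nodes -passin pass: \
            | openssl x509 -noout -fingerprint -sha1)" || return 1
      ;;
    *)
      return 1
      ;;
  esac
  # openssl prints "SHA1 Fingerprint=AB:CD:..."; refuse anything without the
  # '=' rather than passing a whole unexpected line on to the patch step.
  [[ "$fp" == *=* ]] || return 1
  fp="${fp##*=}"
  printf '%s\n' "${fp//:/ }"
}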
# join4 BYTE...
#   Print the arguments concatenated in groups of four with one space between
#   groups ("A4 CA EC FC 5E ..." -> "A4CAECFC 5E..."), the layout the
#   checktest*.cmd scripts use for thumbprints.  A trailing partial group is
#   emitted as-is.
join4() {
  local grouped='' n=0 item
  for item in "$@"; do
    if (( n > 0 && n % 4 == 0 )); then
      grouped+=' '
    fi
    grouped+="$item"
    n=$(( n + 1 ))
  done
  printf '%s\n' "$grouped"
}
# joinba BYTE...
#   Render hex bytes as a C byte-array initializer: "8E FF" -> "0x8E, 0xFF".
joinba() {
  local list
  printf -v list '0x%s, ' "$@"   # the format is reused once per argument
  printf '%s\n' "${list%, }"
}
# certpk FILE
#   Print the DER-encoded SubjectPublicKeyInfo of the DER certificate FILE as
#   lower-case hex bytes separated by single spaces -- the bytes that go into
#   rgbTestRoot0_PubKeyInfo[] in vercert.cpp and that pksha1 hashes.
certpk() {
  openssl x509 -inform der -in "$1" -noout -pubkey \
    | sed '/^-----/d' \
    | base64 -d \
    | xxd -p -c 1 \
    | paste -sd ' ' -
}
# pksha1 HEX...
#   SHA-1 over the bytes given as hex.  The arguments are concatenated with
#   no separator (whitespace inside them is ignored by xxd), so certpk's
#   single space-separated string is fine.  Output: 20 lower-case hex bytes
#   separated by spaces, which joinba turns into the byte table patched into
#   policy.cpp.
pksha1() {
  local digest spaced='' i
  digest="$(printf '%s' "$@" | xxd -p -r | sha1sum)"
  digest="${digest%% *}"   # drop sha1sum's " -" file-name suffix
  for (( i = 0; i < ${#digest}; i += 2 )); do
    spaced+="${spaced:+ }${digest:i:2}"
  done
  printf '%s\n' "$spaced"
}
# Hashes of the freshly generated material, in the spellings the patch step
# below substitutes into the sources.  The five are independent of each other.
testrootpk="$(certpk "$testrootcert")"        # DER SPKI of the root as hex bytes
testrootpksha1="$(pksha1 "$testrootpk")"      # SHA-1 over those SPKI bytes
testrootsha1="$(certsha1 "$testrootcert")"    # thumbprint of the root cert
testpcasha1="$(certsha1 "$testpcacert")"      # thumbprint of the test PCA cert
driversha1="$(certsha1 "$drivercert")"        # thumbprint of the leaf cert inside driver.pfx
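# Patch the hard-coded hashes of Microsoft's original test root / test PCA /
# driver certificate out of the sources and put ours in.  Every pattern is
# anchored on the first and last bytes of the original value and relies on a
# greedy .* (or [\s\S]* in perl slurp mode) in between, so it assumes the
# value occurs once per file.  The substitutions consist only of hex digits,
# "0x", commas and spaces, so nothing needs escaping for sed or perl.
#
# Two command-line defects of the original listing are fixed here:
#   * a stray "\" continuation after the crypto.c and checktestpca.cmd lines
#     spliced the next perl/sed command onto the previous sed's argument
#     list, so that sed was handed "perl -0777 ..." as options and files;
#   * perl was given a second "-i" after a file name, where perl has already
#     stopped parsing switches and treats it as a file to edit (at best a
#     "Can't open -i" warning).  "-i" is now given once, before the files.

# joinba/join4 take one argument per byte; read -a does the word-splitting
# the original did by leaving the expansion unquoted.
read -ra rootpkbytes <<< "$testrootpksha1"
read -ra rootspkibytes <<< "$testrootpk"
read -ra rootbytes <<< "$testrootsha1"
read -ra pcabytes <<< "$testpcasha1"
roothex="${testrootsha1// /}"     # thumbprint as one 40-digit string
driverhex="${driversha1// /}"

# policy.cpp: SHA-1 of the root's SubjectPublicKeyInfo, as a byte table that
# spans several lines in the source (hence -0777).
perl -0777 -pi -e "s/0x8E, 0xFF, [\s\S]*, 0xDC, 0x53/$(joinba "${rootpkbytes[@]}")/" \
  "$installdir/ds/security/cryptoapi/pki/certstor/policy.cpp"

# strongname.cpp, crypto.c: root thumbprint as a single-line byte table.
sed -i -e "s/0xA4, 0xCA, .*, 0xC7, 0xAB/$(joinba "${rootbytes[@]}")/" \
  "$installdir/base/win32/fusion/sxs/strongname.cpp" \
  "$installdir/base/ntsetup/syssetup/crypto.c"

# vercert.cpp (both copies): replace the body of rgbTestRoot0_PubKeyInfo[]
# with the root's SPKI bytes, CRLF-terminated to match the Windows sources.
perl -0777 -pi -e "s/(?<=BYTE rgbTestRoot0_PubKeyInfo\[\]= \{)[^}]*/\r\n$(joinba "${rootspkibytes[@]}")\r\n/" \
  "$installdir/ds/security/cryptoapi/mincrypt/lib/vercert.cpp" \
  "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp"

# Root thumbprint spelled as one unbroken hex string.
sed -i -e "s/A4CAECFC.*07B0C7AB/$roothex/" \
  "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp" \
  "$installdir/shell/shell32/defview.cpp" \
  "$installdir/windows/core/ntuser/kernel/server.c"

# Build-tool scripts: thumbprints in groups of four bytes.
sed -i -e "s/52871BBC.*06D7A08D/$(join4 "${pcabytes[@]}")/" \
  "$installdir/tools/checktestpca.cmd"
sed -i -e "s/A4CAECFC.*07B0C7AB/$(join4 "${rootbytes[@]}")/" \
  "$installdir/tools/checktestroot.cmd"

# postbuild crypto.cmd: thumbprint of the leaf certificate in driver.pfx.
sed -i -e "s/5B8962DC.*2706CDBC/$driverhex/" \
  "$installdir/tools/postbuildscripts/crypto.cmd"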
certutil/config/driver.conf
# driver.conf -- OpenSSL "req" configuration for the leaf code-signing
# certificate.  generate.sh uses it only to build driver.csr
# (openssl req -new -newkey rsa:1024 -config driver.conf); the CSR is then
# signed by vbl03ca through the [ca] section of vbl03ca.conf, whose
# copy_extensions = copy carries the extensions requested here into the
# issued certificate.  There is deliberately no [ca] section: this key never
# issues anything.
oid_section = xca_oids
# Named OIDs (the xca_ prefixes suggest the configs were exported from the
# xca tool); none of these names is referenced anywhere in this file.  The
# last two merely map an OID to itself.
[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
1.3.6.1.4.1.311.21.7 = 1.3.6.1.4.1.311.21.7
1.3.6.1.4.1.311.21.10 = 1.3.6.1.4.1.311.21.10
[ req ]
# Key size and key file are both overridden on the generate.sh command line
# (-newkey rsa:1024 -keyout driver.key).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
# x509_extensions only matters for "req -x509" (self-signing), which
# generate.sh does not do with this file; req_extensions is what ends up in
# the CSR and, via copy_extensions, in the certificate.
x509_extensions = xca_extensions
req_extensions = xca_extensions
# Looks like PrintableString|UTF8String (0x2 | 0x2000) -- confirm against
# OpenSSL's asn1.h before relying on it.
string_mask = MASK:0x2002
utf8 = yes
# Take the DN from [xca_dn] verbatim, no interactive prompting.
prompt = no
[ xca_dn ]
0.C=US
1.ST=WA
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2002 Microsoft Corp.
5.CN=Microsoft Windows Source Kit Test
[ xca_extensions ]
subjectKeyIdentifier=hash
# Leaf only: digitalSignature, no keyCertSign, no basicConstraints.
keyUsage=digitalSignature
# codeSigning plus the Microsoft OID 1.3.6.1.4.1.311.10.3.6 (presumably the
# Windows system-component verification EKU the patched checks expect --
# verify against the vercert.cpp you are patching).  Not marked critical.
extendedKeyUsage=codeSigning, 1.3.6.1.4.1.311.10.3.6
certutil/config/testpca.conf
# testpca.conf -- OpenSSL configuration for "Microsoft Test PCA", the first
# intermediate.  generate.sh uses it twice:
#   * [req] to build testpca.csr (signed by testroot via testroot.conf [ca]);
#   * [ca]  to sign vbl03ca.csr -- so default_days / default_md below apply
#           to the vbl03ca certificate, not to the PCA's own certificate.
oid_section = xca_oids
# Named OIDs (xca-style); none of these names is referenced in this file.
[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
[ req ]
# Overridden on the generate.sh command line (-newkey rsa:1536 -keyout
# testpca.key).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
# Only "req -x509" would use x509_extensions; generate.sh builds a CSR here,
# so req_extensions is what matters -- it is copied verbatim into the
# certificate by the signing CA (copy_extensions = copy in testroot.conf).
x509_extensions = xca_extensions
req_extensions = xca_extensions
# Looks like PrintableString|UTF8String (0x2 | 0x2000) -- confirm against
# OpenSSL's asn1.h before relying on it.
string_mask = MASK:0x2002
utf8 = yes
prompt = no
[ xca_dn ]
0.C=US
1.ST=Washington
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2000 Microsoft Corp.
5.CN=Microsoft Test PCA
[ xca_extensions ]
# CA:TRUE without a pathlen; keyCertSign is what lets this key issue vbl03ca.
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=nonRepudiation, keyCertSign, cRLSign
# Policy OID 1.3.6.1.4.1.311.10.3.7 plus the user notice below.  The notice
# text is certificate data (presumably mirroring the original Microsoft
# certificate), not commentary -- leave it as it is.
certificatePolicies=ia5org,@certpol0_sect
[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol0_sect_notice0_sect
[certpol0_sect_notice0_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.
[ ca ]
default_ca = testpca
[ testpca ]
# All paths are relative to the current directory: generate.sh cds into its
# scratch _gencerts directory and creates the db.certs/, db.index and
# db.serial files itself before the first "openssl ca" call.
dir = .
certs = $dir
new_certs_dir = $dir/testpca.db.certs
database = $dir/testpca.db.index
serial = $dir/testpca.db.serial
# Legacy setting; recent OpenSSL releases ignore RANDFILE as far as I know.
RANDFILE = $dir/testpca.db.rand
certificate = $dir/testpca.pem
private_key = $dir/testpca.key
# ~100 years of validity for the vbl03ca certificate this CA issues.
default_days = 36500
# generate.sh never produces a CRL, so this is currently unused.
default_crl_days = 30
# md5WithRSAEncryption on every certificate this CA signs.  MD5 collisions
# are practical; this is tolerable only because the hierarchy is private to
# a build VM and must never be trusted anywhere else.
default_md = md5
preserve = no
# Every DN component optional: the subject from the CSR is accepted as-is.
policy = generic_policy
# No x509_extensions here, so the issued certificate gets exactly the
# extensions copied from the CSR -- including basicConstraints CA:TRUE and
# keyCertSign.  That is how vbl03ca becomes a CA; in a real CA this setting
# would let any requester mint a sub-CA, so do not reuse these configs for
# anything but this generator.
copy_extensions = copy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
certutil/config/testroot.conf
# testroot.conf -- OpenSSL configuration for "Microsoft Test Root Authority",
# the self-signed trust anchor whose hashes get patched into the sources.
# generate.sh uses it twice:
#   * [req] with "req -x509 -md5 -days 73000" to create the root itself, so
#           x509_extensions (not req_extensions) apply;
#   * [ca]  to sign testpca.csr -- default_days / default_md below therefore
#           govern the testpca certificate.
# The root's private key is deleted by generate.sh once the chain is built.
oid_section = xca_oids
# Named OIDs (xca-style); none of these names is referenced in this file.
[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
[ req ]
# Overridden on the generate.sh command line (-newkey rsa:1536 -keyout
# testroot.key); no default_md here, the MD5 signature comes from -md5.
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
# Looks like PrintableString|UTF8String (0x2 | 0x2000) -- confirm against
# OpenSSL's asn1.h before relying on it.
string_mask = MASK:0x2002
utf8 = yes
prompt = no
# Note the unusual component order (OU, CN, OU): it is kept as-is since the
# subject DN is part of what the build's test-root checks see.
[ xca_dn ]
0.OU=Copyright (c) 1999 Microsoft Corp.
1.CN=Microsoft Test Root Authority
2.OU=Microsoft Corporation
[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
# Self-signed, so this points at the root's own key id ("keyid" without
# ":always" is omitted if it cannot be derived).
authorityKeyIdentifier=keyid
# Policy OID 1.3.6.1.4.1.311.10.3.5 plus the user notice below; the text is
# certificate data, not commentary -- leave it as it is.
certificatePolicies=ia5org,@certpol0_sect
[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.5
userNotice.0=@certpol0_sect_notice0_sect
[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.
[ ca ]
default_ca = testroot
[ testroot ]
# All paths are relative to the current directory: generate.sh cds into its
# scratch _gencerts directory and creates the db.certs/, db.index and
# db.serial files itself before calling "openssl ca".
dir = .
certs = $dir
new_certs_dir = $dir/testroot.db.certs
database = $dir/testroot.db.index
serial = $dir/testroot.db.serial
# Legacy setting; recent OpenSSL releases ignore RANDFILE as far as I know.
RANDFILE = $dir/testroot.db.rand
certificate = $dir/testroot.pem
private_key = $dir/testroot.key
# ~200 years of validity for the testpca certificate this root issues (the
# root itself gets the same 73000 days from generate.sh's -days).
default_days = 73000
# generate.sh never produces a CRL, so this is currently unused.
default_crl_days = 30
# md5WithRSAEncryption on the testpca certificate.  MD5 collisions are
# practical; tolerable only because this hierarchy is private to a build VM
# and must never be trusted anywhere else.
default_md = md5
preserve = no
# Every DN component optional: the subject from the CSR is accepted as-is.
policy = generic_policy
# No x509_extensions here, so the testpca certificate gets exactly the
# extensions copied from its CSR (basicConstraints CA:TRUE, keyCertSign,
# ...).  Copying CA:TRUE from a request is a footgun in any real CA; it is
# acceptable here only because this generator is the sole requester.
copy_extensions = copy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
certutil/config/vbl03ca.conf
# vbl03ca.conf -- OpenSSL configuration for "Microsoft Windows VBL03CA", the
# second intermediate and the issuer of the driver-signing certificate.
# generate.sh uses it twice:
#   * [req] to build vbl03ca.csr (signed by testpca via testpca.conf [ca]);
#   * [ca]  to sign driver.csr -- default_days / default_md below therefore
#           govern the driver (leaf) certificate.
oid_section = xca_oids
# Named OIDs (xca-style); none of these names is referenced in this file.
[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
[ req ]
# Overridden on the generate.sh command line (-newkey rsa:2048 -keyout
# vbl03ca.key).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
# generate.sh builds a CSR with this file, so req_extensions is what ends up
# in the certificate (copied verbatim by testpca's copy_extensions = copy);
# x509_extensions would only matter for "req -x509".
x509_extensions = xca_extensions
req_extensions = xca_extensions
# Looks like PrintableString|UTF8String (0x2 | 0x2000) -- confirm against
# OpenSSL's asn1.h before relying on it.
string_mask = MASK:0x2002
utf8 = yes
prompt = no
# Bare CN, unlike the other two CAs.
[ xca_dn ]
0.CN=Microsoft Windows VBL03CA
[ xca_extensions ]
# CA:TRUE without a pathlen; keyCertSign is what lets this key issue the
# driver certificate.
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=digitalSignature, keyCertSign, cRLSign
# Policy OID 1.3.6.1.4.1.311.10.3.6 (the same OID driver.conf requests as an
# EKU) plus the user notice below.  The notice is certificate data, not
# commentary; its missing spaces ("only,and", "thiscertificate") are left
# untouched because the string is part of what gets encoded.
certificatePolicies=ia5org,@certpol0_sect
[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.6
userNotice.0=@certpol0_sect_notice0_sect
[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only,and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with thiscertificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.
[ ca ]
default_ca = vbl03ca
[ vbl03ca ]
# All paths are relative to the current directory: generate.sh cds into its
# scratch _gencerts directory and creates the db.certs/, db.index and
# db.serial files itself before calling "openssl ca".
dir = .
certs = $dir
new_certs_dir = $dir/vbl03ca.db.certs
database = $dir/vbl03ca.db.index
serial = $dir/vbl03ca.db.serial
# Legacy setting; recent OpenSSL releases ignore RANDFILE as far as I know.
RANDFILE = $dir/vbl03ca.db.rand
certificate = $dir/vbl03ca.pem
private_key = $dir/vbl03ca.key
# ~50 years of validity for the driver certificate this CA issues.
default_days = 18250
# generate.sh never produces a CRL, so this is currently unused.
default_crl_days = 30
# md5WithRSAEncryption on the driver certificate.  MD5 collisions are
# practical; tolerable only because this hierarchy is private to a build VM
# and must never be trusted anywhere else.
default_md = md5
preserve = no
# Every DN component optional: the subject from the CSR is accepted as-is.
policy = generic_policy
# No x509_extensions here, so the driver certificate gets exactly the
# extensions copied from driver.conf's CSR (digitalSignature, codeSigning +
# 1.3.6.1.4.1.311.10.3.6).  Copying extensions from a request unchecked is a
# footgun in any real CA; acceptable here only because this generator is the
# sole requester.
copy_extensions = copy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional