Windows Server 2003 (NT 5.2.3790.0) build guide

#!/bin/bash
set -xe

initdir="$(pwd)"
configdir="$initdir/config"
sourcedir="$initdir/source"

installdir="$initdir/srv03rtm.certs"
rm -rf "$installdir"
mkdir -p "$installdir"

isubdir() {
  local path="$installdir/$1"
  [ -d "$path" ] || mkdir -p "$path" || return $?
  echo "$path"
}

testrootcert="$(isubdir 'tools')/testroot.cer"
testpcacert="$(isubdir 'tools')/testpca.cer"
vbl03cacert="$(isubdir 'tools')/vbl03ca.cer"
drivercert="$(isubdir 'tools')/driver.pfx"

(certdir="$(isubdir '_gencerts')"
cd "$certdir"

mkdir 'testroot.db.certs'
touch 'testroot.db.index'
echo '4831793303313605' > 'testroot.db.serial'
openssl req -x509 -md5 -newkey rsa:1536 -nodes -days 73000 \
-config "$configdir/testroot.conf" \
-keyout 'testroot.key' \
-out 'testroot.pem'
openssl x509 -outform der \
-in 'testroot.pem' \
-out "$testrootcert"

mkdir 'testpca.db.certs'
touch 'testpca.db.index'
echo '3921298631018096' > 'testpca.db.serial'
openssl req -new -newkey rsa:1536 -nodes \
-config "$configdir/testpca.conf" \
-keyout 'testpca.key' \
-out 'testpca.csr'
openssl ca -batch \
-config "$configdir/testroot.conf" \
-in 'testpca.csr' \
-out 'testpca.pem'
openssl x509 -outform der \
-in 'testpca.pem' \
-out "$testpcacert"

mkdir 'vbl03ca.db.certs'
touch 'vbl03ca.db.index'
echo '2208785574689461' > 'vbl03ca.db.serial'
openssl req -new -newkey rsa:2048 -nodes \
-config "$configdir/vbl03ca.conf" \
-keyout 'vbl03ca.key' \
-out 'vbl03ca.csr'
openssl ca -batch \
-config "$configdir/testpca.conf" \
-in 'vbl03ca.csr' \
-out 'vbl03ca.pem'
openssl x509 -outform der \
-in 'vbl03ca.pem' \
-out "$vbl03cacert"

openssl req -new -newkey rsa:1024 -nodes \
-config "$configdir/driver.conf" \
-keyout 'driver.key' \
-out 'driver.csr'
openssl ca -batch \
-config "$configdir/vbl03ca.conf" \
-in 'driver.csr' \
-out 'driver.pem'
openssl pkcs12 -export -nodes -password pass: \
-in 'driver.pem' \
-inkey 'driver.key' \
-certfile 'testroot.pem' \
-certfile 'vbl03ca.pem' \
-out "$drivercert"

cp "$testrootcert" \
"$(isubdir 'mergedcomponents/setupinfs')/testroot.cer"
cd "$installdir"
rm -rf "$certdir")

for f in "$initdir/source/"*; do 
  path="$(sed 's,-,/,g' <<< ${f##*/})"
  cp "$f" "$(isubdir "${path%/*}")/${path##*/}"
done

certsha1() {
  local sha1
  if [ "${1##*.}" = 'cer' ]; then
    sha1="$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1)"
  elif [ "${1##*.}" = 'pfx' ]; then
    sha1="$(openssl pkcs12 -in "$1" -nodes -passin pass: |
    openssl x509 -noout -fingerprint -sha1)"
  else
    return 1
  fi
  [ "$?" = 0 ] || return 1
  sed 's/:/ /g' <<< "${sha1##*=}"
}

join4() {
  local hash="$(printf '%s%s%s%s ' "$@")"
  echo "${hash:0: -1}"
}

joinba() {
  local array="$(printf '0x%s, ' "$@")"
  echo "${array:0: -2}"
}

certpk() {
  openssl x509 -inform der -in "$1" -noout -pubkey |
  grep -Fv -- ----- | base64 -d | xxd -p -c 1 | xargs
}

pksha1() {
  local hash="$(printf '%s' "$@" | xxd -p -r | sha1sum)"
  hash="$(sed 's/../& /g' <<< "${hash%% *}")"
  echo "${hash:0: -1}"
}

testrootsha1="$(certsha1 "$testrootcert")"
testpcasha1="$(certsha1 "$testpcacert")"
driversha1="$(certsha1 "$drivercert")"
testrootpk="$(certpk "$testrootcert")"
testrootpksha1="$(pksha1 "$testrootpk")"

perl -0777 -pe "s/0x8E, 0xFF, [\s\S]*, 0xDC, 0x53/$(joinba $testrootpksha1)/" \
-i "$installdir/ds/security/cryptoapi/pki/certstor/policy.cpp"

sed -e "s/0xA4, 0xCA, .*, 0xC7, 0xAB/$(joinba $testrootsha1)/" \
-i "$installdir/base/win32/fusion/sxs/strongname.cpp" \
-i "$installdir/base/ntsetup/syssetup/crypto.c" \

perl -0777 -pe "s/(?<=BYTE rgbTestRoot0_PubKeyInfo\[\]= \{)[^}]*/\
\r\n$(joinba $testrootpk)\r\n/" \
-i "$installdir/ds/security/cryptoapi/mincrypt/lib/vercert.cpp" \
-i "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp"

sed -e "s/A4CAECFC.*07B0C7AB/$(printf '%s' $testrootsha1)/" \
-i "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp" \
-i "$installdir/shell/shell32/defview.cpp" \
-i "$installdir/windows/core/ntuser/kernel/server.c"

sed -e "s/52871BBC.*06D7A08D/$(join4 $testpcasha1)/" \
-i "$installdir/tools/checktestpca.cmd" \

sed -e "s/A4CAECFC.*07B0C7AB/$(join4 $testrootsha1)/" \
-i "$installdir/tools/checktestroot.cmd"

sed -e "s/5B8962DC.*2706CDBC/$(printf '%s' $driversha1)/" \
-i "$installdir/tools/postbuildscripts/crypto.cmd"

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
1.3.6.1.4.1.311.21.7 = 1.3.6.1.4.1.311.21.7
1.3.6.1.4.1.311.21.10 = 1.3.6.1.4.1.311.21.10

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.C=US
1.ST=WA
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2002 Microsoft Corp.
5.CN=Microsoft Windows Source Kit Test

[ xca_extensions ]
subjectKeyIdentifier=hash
keyUsage=digitalSignature
extendedKeyUsage=codeSigning, 1.3.6.1.4.1.311.10.3.6

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.C=US
1.ST=Washington
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2000 Microsoft Corp.
5.CN=Microsoft Test PCA

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=nonRepudiation, keyCertSign, cRLSign
certificatePolicies=ia5org,@certpol0_sect

[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol0_sect_notice0_sect

[certpol0_sect_notice0_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = testpca

[ testpca ]
dir = .
certs = $dir
new_certs_dir = $dir/testpca.db.certs
database = $dir/testpca.db.index
serial = $dir/testpca.db.serial
RANDFILE = $dir/testpca.db.rand
certificate = $dir/testpca.pem
private_key = $dir/testpca.key
default_days = 36500
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
copy_extensions = copy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.OU=Copyright (c) 1999 Microsoft Corp.
1.CN=Microsoft Test Root Authority
2.OU=Microsoft Corporation

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
certificatePolicies=ia5org,@certpol0_sect

[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.5
userNotice.0=@certpol0_sect_notice0_sect

[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = testroot

[ testroot ]
dir = .
certs = $dir
new_certs_dir = $dir/testroot.db.certs
database = $dir/testroot.db.index
serial = $dir/testroot.db.serial
RANDFILE = $dir/testroot.db.rand
certificate = $dir/testroot.pem
private_key = $dir/testroot.key
default_days = 73000
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
copy_extensions = copy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.CN=Microsoft Windows VBL03CA

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=digitalSignature, keyCertSign, cRLSign
certificatePolicies=ia5org,@certpol0_sect

[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.6
userNotice.0=@certpol0_sect_notice0_sect

[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only,and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with thiscertificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = vbl03ca

[ vbl03ca ]
dir = .
certs = $dir
new_certs_dir = $dir/vbl03ca.db.certs
database = $dir/vbl03ca.db.index
serial = $dir/vbl03ca.db.serial
RANDFILE = $dir/vbl03ca.db.rand
certificate = $dir/vbl03ca.pem
private_key = $dir/vbl03ca.key
default_days = 18250
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
copy_extensions = copy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional