下载地址 :编译WindowsXPSP1/Windows2003Server数字证书创建工具资源-CSDN文库
需要安装MSYS2环境,在MSYS2中安装openssl和vim
然后运行generate.sh即可
This utility is used to generate test certificates with a very long validity period. It generates the patched source files along with the certificate files, which should be copied to the srv03rtm directory.
This patch should be used with the source set which includes the files from win2003_prepatched_v10a.zip
!
Also, this utility was written in bash and should be used on *nix systems. Sorry, I wasn't interested in writing a utility compatible with Windows, which may be kinda ironic. Anyway, you can try Git Bash instead, which may work for you.
As there is uncertainty regarding public file hosts, I'll include all scripts and necessary files on this page.
Copy the following source files into the `certutil/source` directory, replacing `/` in the path with `-`:
Source file | Copy to |
---|---|
srv03rtm/base/ntsetup/syssetup/crypto.c | certutil/source/base-ntsetup-syssetup-crypto.c |
srv03rtm/base/win32/fusion/sxs/strongname.cpp | certutil/source/base-win32-fusion-sxs-strongname.cpp |
srv03rtm/ds/security/cryptoapi/mincrypt/lib/vercert.cpp | certutil/source/ds-security-cryptoapi-mincrypt-lib-vercert.cpp |
srv03rtm/ds/security/cryptoapi/pki/certstor/policy.cpp | certutil/source/ds-security-cryptoapi-pki-certstor-policy.cpp |
srv03rtm/ds/win32/ntcrypto/mincrypt/vercert.cpp | certutil/source/ds-win32-ntcrypto-mincrypt-vercert.cpp |
srv03rtm/shell/shell32/defview.cpp | certutil/source/shell-shell32-defview.cpp |
srv03rtm/tools/checktestpca.cmd | certutil/source/tools-checktestpca.cmd |
srv03rtm/tools/checktestroot.cmd | certutil/source/tools-checktestroot.cmd |
srv03rtm/tools/postbuildscripts/crypto.cmd | certutil/source/tools-postbuildscripts-crypto.cmd |
srv03rtm/windows/core/ntuser/kernel/server.c | certutil/source/windows-core-ntuser-kernel-server.c |
Run `generate.sh` from the `certutil` directory, then copy the contents of `certutil/srv03rtm.certs` into `srv03rtm`.
certutil/generate.sh
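#!/bin/bash
#
# generate.sh — build a self-contained TEST PKI for a Windows Server 2003
# source tree and patch the hard-coded trust anchors in that tree.
#
# Chain produced (each level signs the next):
#   testroot (self-signed, MD5, rsa:1536, 73000 days)
#     -> testpca (rsa:1536)
#        -> vbl03ca (rsa:2048)
#           -> driver (rsa:1024 code-signing leaf, exported as driver.pfx)
#
# Inputs, relative to the directory the script is run from:
#   config/*.conf  OpenSSL req/ca configuration for each CA level
#   source/*       patched source files; a '-' in the file name stands for
#                  a '/' in the destination path
#                  (base-ntsetup-syssetup-crypto.c -> base/ntsetup/syssetup/crypto.c)
# Output:
#   srv03rtm.certs/  tree to copy over srv03rtm: DER certificates and
#                    driver.pfx under tools/, plus the patched sources with
#                    the old fingerprints / public-key bytes replaced by
#                    those of the freshly generated certificates.
#
# Security notes:
#   * MD5 signatures and sub-2048-bit keys are deliberate, to match what the
#     2003-era sources and build tools expect. The output is a test PKI.
#   * driver.pfx is exported with an EMPTY password and an unencrypted
#     private key (-nodes). Anyone holding the output tree can sign code
#     that a build patched with it trusts, so the tree is sensitive.
#   * All CA private keys (testroot.key, testpca.key, vbl03ca.key) exist
#     only in the _gencerts scratch directory, which is deleted at the end;
#     nothing further can be issued from this root after the run.
#
# Requirements: bash 4.2+, GNU sed (separate-argument -i), perl, openssl,
# xxd (ships with vim), sha1sum, base64.
set -xe
set -o pipefail

initdir="$(pwd)"
configdir="$initdir/config"
sourcedir="$initdir/source"
installdir="$initdir/srv03rtm.certs"

# Start from an empty output tree on every run.
rm -rf -- "${installdir:?}"
mkdir -p -- "$installdir"

#######################################
# Ensure a sub-directory of the output tree exists and print its path.
# Arguments: $1 - path relative to $installdir
# Outputs:   absolute directory path on stdout
# Returns:   mkdir's status if the directory cannot be created
#######################################
isubdir() {
  local dir="$installdir/$1"
  [ -d "$dir" ] || mkdir -p -- "$dir" || return $?
  printf '%s\n' "$dir"
}

testrootcert="$(isubdir 'tools')/testroot.cer"
testpcacert="$(isubdir 'tools')/testpca.cer"
vbl03cacert="$(isubdir 'tools')/vbl03ca.cer"
drivercert="$(isubdir 'tools')/driver.pfx"

# Key and certificate generation runs in a subshell so the cd does not
# leak, and the scratch directory holding every private key is removed
# on the way out.
(
  certdir="$(isubdir '_gencerts')"
  cd "$certdir"

  # --- testroot: self-signed root ------------------------------------------
  # The fixed serial numbers presumably reproduce the serials of the
  # certificates the sources were originally built against — confirm.
  mkdir 'testroot.db.certs'
  touch 'testroot.db.index'
  echo '4831793303313605' > 'testroot.db.serial'
  openssl req -x509 -md5 -newkey rsa:1536 -nodes -days 73000 \
    -config "$configdir/testroot.conf" \
    -keyout 'testroot.key' -out 'testroot.pem'
  openssl x509 -outform der -in 'testroot.pem' -out "$testrootcert"

  # --- testpca: issued by testroot -----------------------------------------
  mkdir 'testpca.db.certs'
  touch 'testpca.db.index'
  echo '3921298631018096' > 'testpca.db.serial'
  openssl req -new -newkey rsa:1536 -nodes \
    -config "$configdir/testpca.conf" \
    -keyout 'testpca.key' -out 'testpca.csr'
  openssl ca -batch -config "$configdir/testroot.conf" \
    -in 'testpca.csr' -out 'testpca.pem'
  openssl x509 -outform der -in 'testpca.pem' -out "$testpcacert"

  # --- vbl03ca: issued by testpca ------------------------------------------
  mkdir 'vbl03ca.db.certs'
  touch 'vbl03ca.db.index'
  echo '2208785574689461' > 'vbl03ca.db.serial'
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$configdir/vbl03ca.conf" \
    -keyout 'vbl03ca.key' -out 'vbl03ca.csr'
  openssl ca -batch -config "$configdir/testpca.conf" \
    -in 'vbl03ca.csr' -out 'vbl03ca.pem'
  openssl x509 -outform der -in 'vbl03ca.pem' -out "$vbl03cacert"

  # --- driver: code-signing leaf issued by vbl03ca -------------------------
  openssl req -new -newkey rsa:1024 -nodes \
    -config "$configdir/driver.conf" \
    -keyout 'driver.key' -out 'driver.csr'
  openssl ca -batch -config "$configdir/vbl03ca.conf" \
    -in 'driver.csr' -out 'driver.pem'
  # openssl pkcs12 honours only the LAST -certfile option, so passing it
  # twice silently drops a certificate. The chain is concatenated into one
  # file instead; testpca.pem is included so the PFX carries every
  # intermediate between the leaf and the root.
  cat 'testroot.pem' 'testpca.pem' 'vbl03ca.pem' > 'chain.pem'
  openssl pkcs12 -export -nodes -password pass: \
    -in 'driver.pem' -inkey 'driver.key' -certfile 'chain.pem' \
    -out "$drivercert"

  # setupinfs gets its own copy of the root certificate.
  cp -- "$testrootcert" "$(isubdir 'mergedcomponents/setupinfs')/testroot.cer"

  # Leave the scratch directory before deleting it, private keys included.
  cd "$installdir"
  rm -rf -- "${certdir:?}"
)

# Copy the patched sources into place: a '-' in the file name stands for a
# '/' in the destination path.
for f in "$sourcedir"/*; do
  path="$(sed 's,-,/,g' <<< "${f##*/}")"
  cp -- "$f" "$(isubdir "${path%/*}")/${path##*/}"
done

#######################################
# SHA-1 fingerprint of a certificate as space-separated hex bytes
# ("AB CD EF ...").
# Arguments: $1 - .cer (DER) or .pfx (PKCS#12, empty password) file
# Returns:   1 on an unknown extension or openssl failure
#######################################
certsha1() {
  local fp
  case "${1##*.}" in
    cer)
      fp="$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1)" || return 1
      ;;
    pfx)
      # openssl x509 reads the first certificate in the PKCS#12 dump;
      # assumed to be the leaf — confirm if the PFX layout changes.
      fp="$(openssl pkcs12 -in "$1" -nodes -passin pass: \
            | openssl x509 -noout -fingerprint -sha1)" || return 1
      ;;
    *)
      return 1
      ;;
  esac
  # "SHA1 Fingerprint=AB:CD:..." -> "AB CD ..."
  sed 's/:/ /g' <<< "${fp##*=}"
}

#######################################
# Group hex bytes four at a time: "A4 CA EC FC 07 B0 C7 AB" -> "A4CAECFC 07B0C7AB".
# Arguments: hex bytes, one per argument
#######################################
join4() {
  local joined
  joined="$(printf '%s%s%s%s ' "$@")"
  printf '%s\n' "${joined:0: -1}"   # drop the trailing separator
}

#######################################
# Render hex bytes as a C byte-array initializer: "A4 CA" -> "0xA4, 0xCA".
# Arguments: hex bytes, one per argument
#######################################
joinba() {
  local joined
  joined="$(printf '0x%s, ' "$@")"
  printf '%s\n' "${joined:0: -2}"   # drop the trailing ", "
}

#######################################
# DER-encoded SubjectPublicKeyInfo of a certificate as space-separated
# hex bytes.
# Arguments: $1 - .cer (DER) file
#######################################
certpk() {
  openssl x509 -inform der -in "$1" -noout -pubkey \
    | grep -Fv -- '-----' \
    | base64 -d \
    | xxd -p -c 1 \
    | xargs
}

#######################################
# SHA-1 of a byte sequence given as hex, as space-separated hex bytes.
# Arguments: hex bytes (whitespace between them is ignored by xxd -r)
#######################################
pksha1() {
  local digest
  digest="$(printf '%s' "$@" | xxd -p -r | sha1sum)"
  digest="${digest%% *}"                       # strip sha1sum's " -" column
  digest="$(sed 's/../& /g' <<< "$digest")"    # "abcd..." -> "ab cd ... "
  printf '%s\n' "${digest:0: -1}"
}

testrootsha1="$(certsha1 "$testrootcert")"
testpcasha1="$(certsha1 "$testpcacert")"
driversha1="$(certsha1 "$drivercert")"
testrootpk="$(certpk "$testrootcert")"
testrootpksha1="$(pksha1 "$testrootpk")"

# The byte patterns matched below are the values present in the original
# sources. Unquoted $…sha1 / $…pk expansions are intentionally word-split
# so the join helpers receive one argument per byte.
# perl stops option parsing at the first file name, so every switch comes
# first and all target files follow.

# SHA-1 of the test root's public key, as a C byte array.
perl -0777 -pi -e "s/0x8E, 0xFF, [\s\S]*, 0xDC, 0x53/$(joinba $testrootpksha1)/" \
  "$installdir/ds/security/cryptoapi/pki/certstor/policy.cpp"

# SHA-1 fingerprint of the test root certificate, as a C byte array.
sed -i -e "s/0xA4, 0xCA, .*, 0xC7, 0xAB/$(joinba $testrootsha1)/" \
  "$installdir/base/win32/fusion/sxs/strongname.cpp" \
  "$installdir/base/ntsetup/syssetup/crypto.c"

# Full SubjectPublicKeyInfo of the test root; the literal \r\n around the
# replacement presumably matches CRLF line endings in the sources.
perl -0777 -pi -e "s/(?<=BYTE rgbTestRoot0_PubKeyInfo\[\]= \{)[^}]*/\r\n$(joinba $testrootpk)\r\n/" \
  "$installdir/ds/security/cryptoapi/mincrypt/lib/vercert.cpp" \
  "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp"

# Root fingerprint as one unbroken hex string.
sed -i -e "s/A4CAECFC.*07B0C7AB/${testrootsha1// /}/" \
  "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp" \
  "$installdir/shell/shell32/defview.cpp" \
  "$installdir/windows/core/ntuser/kernel/server.c"

# The .cmd checkers write fingerprints in 4-byte groups.
sed -i -e "s/52871BBC.*06D7A08D/$(join4 $testpcasha1)/" \
  "$installdir/tools/checktestpca.cmd"
sed -i -e "s/A4CAECFC.*07B0C7AB/$(join4 $testrootsha1)/" \
  "$installdir/tools/checktestroot.cmd"

# Driver (leaf) fingerprint as one unbroken hex string.
sed -i -e "s/5B8962DC.*2706CDBC/${driversha1// /}/" \
  "$installdir/tools/postbuildscripts/crypto.cmd"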
certutil/config/driver.conf
# OpenSSL request configuration for the "driver" code-signing leaf.
# generate.sh uses it as: openssl req -new -newkey rsa:1024 -config driver.conf ...
# and the CSR is then signed by vbl03ca. The xca_* section names suggest the
# file was exported from the xca GUI.
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
1.3.6.1.4.1.311.21.7 = 1.3.6.1.4.1.311.21.7
1.3.6.1.4.1.311.21.10 = 1.3.6.1.4.1.311.21.10

[ req ]
# default_bits is overridden on the command line (-newkey rsa:1024 in generate.sh).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
# The same extensions go into the CSR; the issuing CA copies them into the
# certificate (copy_extensions = copy in vbl03ca.conf).
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
# Non-interactive: the subject is taken verbatim from [ xca_dn ].
prompt = no

[ xca_dn ]
0.C=US
1.ST=WA
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2002 Microsoft Corp.
5.CN=Microsoft Windows Source Kit Test

[ xca_extensions ]
subjectKeyIdentifier=hash
keyUsage=digitalSignature
# codeSigning plus the Microsoft "Windows System Component Verification"
# EKU (1.3.6.1.4.1.311.10.3.6, szOID_NT5_CRYPTO).
extendedKeyUsage=codeSigning, 1.3.6.1.4.1.311.10.3.6
certutil/config/testpca.conf
# OpenSSL configuration for "Microsoft Test PCA", the intermediate directly
# below the test root. generate.sh uses it twice:
#   openssl req -new -newkey rsa:1536 -config testpca.conf ...  (the PCA's own CSR)
#   openssl ca -batch -config testpca.conf ...                   (to sign vbl03ca.csr)
# The xca_* section names suggest the file was exported from the xca GUI.
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
# default_bits is overridden on the command line (-newkey rsa:1536 in generate.sh).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
# CA extensions are requested in the CSR; testroot.conf copies them into
# the issued certificate (copy_extensions = copy).
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
# Non-interactive: the subject is taken verbatim from [ xca_dn ].
prompt = no

[ xca_dn ]
0.C=US
1.ST=Washington
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2000 Microsoft Corp.
5.CN=Microsoft Test PCA

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=nonRepudiation, keyCertSign, cRLSign
# Policy 1.3.6.1.4.1.311.10.3.7 is Microsoft's OEM WHQL policy OID
# (szOID_OEM_WHQL_CRYPTO); the user notice below is the original disclaimer.
certificatePolicies=ia5org,@certpol0_sect

[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol0_sect_notice0_sect

[certpol0_sect_notice0_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = testpca

[ testpca ]
# All paths are relative to the directory openssl ca runs in (the _gencerts
# scratch directory created by generate.sh, deleted after the run).
dir = .
certs = $dir
new_certs_dir = $dir/testpca.db.certs
database = $dir/testpca.db.index
serial = $dir/testpca.db.serial
RANDFILE = $dir/testpca.db.rand
certificate = $dir/testpca.pem
private_key = $dir/testpca.key
# ~100 years of validity for certificates issued by this CA.
default_days = 36500
default_crl_days = 30
# MD5 signatures, period-accurate for 2003-era verifiers; test PKI only.
default_md = md5
preserve = no
policy = generic_policy
# Every extension requested in the CSR is copied verbatim into the
# certificate, including CA:TRUE. Acceptable here only because the CSRs
# are produced by the same script; a real CA would not do this.
copy_extensions = copy

[ generic_policy ]
# Every DN component optional: any subject name is accepted.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
certutil/config/testroot.conf
# OpenSSL configuration for "Microsoft Test Root Authority", the self-signed
# root of the test chain. generate.sh uses it twice:
#   openssl req -x509 -md5 -newkey rsa:1536 -days 73000 -config testroot.conf ...
#   openssl ca -batch -config testroot.conf ...   (to sign testpca.csr)
# The xca_* section names suggest the file was exported from the xca GUI.
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
# default_bits is overridden on the command line (-newkey rsa:1536 in generate.sh).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
# Self-signed via req -x509, so these extensions land directly in the root.
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
# Non-interactive: the subject is taken verbatim from [ xca_dn ].
prompt = no

[ xca_dn ]
0.OU=Copyright (c) 1999 Microsoft Corp.
1.CN=Microsoft Test Root Authority
2.OU=Microsoft Corporation

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# Policy 1.3.6.1.4.1.311.10.3.5 is Microsoft's WHQL policy OID
# (szOID_WHQL_CRYPTO); the user notice below is the original disclaimer.
certificatePolicies=ia5org,@certpol0_sect

[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.5
userNotice.0=@certpol0_sect_notice0_sect

[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = testroot

[ testroot ]
# All paths are relative to the directory openssl ca runs in (the _gencerts
# scratch directory created by generate.sh, deleted after the run).
dir = .
certs = $dir
new_certs_dir = $dir/testroot.db.certs
database = $dir/testroot.db.index
serial = $dir/testroot.db.serial
RANDFILE = $dir/testroot.db.rand
certificate = $dir/testroot.pem
private_key = $dir/testroot.key
# ~200 years of validity for certificates issued by this CA.
default_days = 73000
default_crl_days = 30
# MD5 signatures, period-accurate for 2003-era verifiers; test PKI only.
default_md = md5
preserve = no
policy = generic_policy
# Every extension requested in the CSR is copied verbatim into the
# certificate, including CA:TRUE. Acceptable here only because the CSRs
# are produced by the same script; a real CA would not do this.
copy_extensions = copy

[ generic_policy ]
# Every DN component optional: any subject name is accepted.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
certutil/config/vbl03ca.conf
# OpenSSL configuration for "Microsoft Windows VBL03CA", the intermediate
# that issues the driver code-signing leaf. generate.sh uses it twice:
#   openssl req -new -newkey rsa:2048 -config vbl03ca.conf ...  (the CA's own CSR)
#   openssl ca -batch -config vbl03ca.conf ...                   (to sign driver.csr)
# The xca_* section names suggest the file was exported from the xca GUI.
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
# default_bits is overridden on the command line (-newkey rsa:2048 in generate.sh).
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
# CA extensions are requested in the CSR; testpca.conf copies them into
# the issued certificate (copy_extensions = copy).
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
# Non-interactive: the subject is taken verbatim from [ xca_dn ].
prompt = no

[ xca_dn ]
0.CN=Microsoft Windows VBL03CA

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=digitalSignature, keyCertSign, cRLSign
# Policy 1.3.6.1.4.1.311.10.3.6 is Microsoft's "Windows System Component
# Verification" OID (szOID_NT5_CRYPTO), the same OID the driver leaf carries
# as an EKU. The user notice below is the original disclaimer, reproduced as-is.
certificatePolicies=ia5org,@certpol0_sect

[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.6
userNotice.0=@certpol0_sect_notice0_sect

[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only,and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with thiscertificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = vbl03ca

[ vbl03ca ]
# All paths are relative to the directory openssl ca runs in (the _gencerts
# scratch directory created by generate.sh, deleted after the run).
dir = .
certs = $dir
new_certs_dir = $dir/vbl03ca.db.certs
database = $dir/vbl03ca.db.index
serial = $dir/vbl03ca.db.serial
RANDFILE = $dir/vbl03ca.db.rand
certificate = $dir/vbl03ca.pem
private_key = $dir/vbl03ca.key
# ~50 years of validity for certificates issued by this CA (the driver leaf).
default_days = 18250
default_crl_days = 30
# MD5 signatures, period-accurate for 2003-era verifiers; test PKI only.
default_md = md5
preserve = no
policy = generic_policy
# Every extension requested in the CSR is copied verbatim into the
# certificate. Acceptable here only because the CSRs are produced by the
# same script; a real CA would not do this.
copy_extensions = copy

[ generic_policy ]
# Every DN component optional: any subject name is accepted.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional