编译 Windows XPSP1/Windows 2003 Server 数字证书创建工具

我已经制作完成的工具

下载地址 :编译WindowsXPSP1/Windows2003Server数字证书创建工具资源-CSDN文库

需要安装Wsys2环境,在Wsys2中安装openssl和vim

然后运行generate.sh即可

Introduction

This utility generates test certificates that are valid for a very long period of time. It produces the patched source files along with the certificate files, which should be copied to the srv03rtm directory.

This patch should be used with the source set which includes the files from win2003_prepatched_v10a.zip!

Also, this utility is written in bash and should be run on *nix systems. Sorry, I wasn't interested in writing the utility compatible with Windows, which may be kinda ironic. Anyway, you can try to use Git Bash instead, which may work for you.

As there is uncertainty regarding public file hosts, I'll include all scripts and necessary files on this page.

Usage

  1. Copy the original (with "v10a prepatched" applied) source files to the certutil/source directory, replacing / with -:
Source file Copy to
srv03rtm/base/ntsetup/syssetup/crypto.c certutil/source/base-ntsetup-syssetup-crypto.c
srv03rtm/base/win32/fusion/sxs/strongname.cpp certutil/source/base-win32-fusion-sxs-strongname.cpp
srv03rtm/ds/security/cryptoapi/mincrypt/lib/vercert.cpp certutil/source/ds-security-cryptoapi-mincrypt-lib-vercert.cpp
srv03rtm/ds/security/cryptoapi/pki/certstor/policy.cpp certutil/source/ds-security-cryptoapi-pki-certstor-policy.cpp
srv03rtm/ds/win32/ntcrypto/mincrypt/vercert.cpp certutil/source/ds-win32-ntcrypto-mincrypt-vercert.cpp
srv03rtm/shell/shell32/defview.cpp certutil/source/shell-shell32-defview.cpp
srv03rtm/tools/checktestpca.cmd certutil/source/tools-checktestpca.cmd
srv03rtm/tools/checktestroot.cmd certutil/source/tools-checktestroot.cmd
srv03rtm/tools/postbuildscripts/crypto.cmd certutil/source/tools-postbuildscripts-crypto.cmd
srv03rtm/windows/core/ntuser/kernel/server.c certutil/source/windows-core-ntuser-kernel-server.c
  2. Run generate.sh from the certutil directory.
  3. Copy the contents of certutil/srv03rtm.certs to srv03rtm.

Certutil source files

certutil/generate.sh
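#!/bin/bash
# Generates the test certificate chain (test root -> test PCA -> VBL03CA ->
# driver-signing certificate) and patches the thumbprints / public key that
# the copied srv03rtm source files embed. Run from the certutil directory.
# External tools used below: openssl, perl, sed, base64, sha1sum, xxd (vim).
set -xe

initdir="$(pwd)"
configdir="$initdir/config"   # openssl req/ca configs: testroot/testpca/vbl03ca/driver.conf
sourcedir="$initdir/source"   # flat copies of the source files to patch

# Output tree, rebuilt from scratch on every run. ":?" makes the script abort
# instead of expanding to "rm -rf /" should the variable ever be empty.
installdir="$initdir/srv03rtm.certs"
rm -rf -- "${installdir:?}"
mkdir -p -- "$installdir"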

# Ensure a subdirectory of $installdir exists and print its absolute path.
# Globals:   installdir (read)
# Arguments: $1 - path relative to $installdir
# Outputs:   the absolute path on stdout
# Returns:   0 on success, mkdir's status if the directory cannot be created
isubdir() {
  local target="$installdir/$1"
  if [[ ! -d "$target" ]]; then
    mkdir -p "$target" || return $?
  fi
  printf '%s\n' "$target"
}

# Output locations of the public certificates and the driver-signing bundle;
# all of them land in srv03rtm.certs/tools (created here if missing).
toolsdir="$(isubdir 'tools')"
testrootcert="$toolsdir/testroot.cer"
testpcacert="$toolsdir/testpca.cer"
vbl03cacert="$toolsdir/vbl03ca.cer"
drivercert="$toolsdir/driver.pfx"

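# Build the chain in a scratch directory under $installdir, inside a subshell
# so the cd does not leak into the rest of the script. The scratch directory,
# including every CA private key, is deleted at the end: only driver.pfx
# leaves this block with a private key in it.
(
  certdir="$(isubdir '_gencerts')"
  cd "$certdir"

  # Test root: self-signed, MD5-signed (the ca configs also set default_md = md5),
  # valid for 73000 days. The *.db.* files are the "openssl ca" state that the
  # [testroot] section of testroot.conf points at.
  mkdir 'testroot.db.certs'
  touch 'testroot.db.index'
  echo '4831793303313605' > 'testroot.db.serial'
  openssl req -x509 -md5 -newkey rsa:1536 -nodes -days 73000 \
    -config "$configdir/testroot.conf" -keyout 'testroot.key' -out 'testroot.pem'
  openssl x509 -outform der -in 'testroot.pem' -out "$testrootcert"

  # Test PCA, issued by the test root.
  mkdir 'testpca.db.certs'
  touch 'testpca.db.index'
  echo '3921298631018096' > 'testpca.db.serial'
  openssl req -new -newkey rsa:1536 -nodes \
    -config "$configdir/testpca.conf" -keyout 'testpca.key' -out 'testpca.csr'
  openssl ca -batch -config "$configdir/testroot.conf" -in 'testpca.csr' -out 'testpca.pem'
  openssl x509 -outform der -in 'testpca.pem' -out "$testpcacert"

  # VBL03CA, issued by the test PCA.
  mkdir 'vbl03ca.db.certs'
  touch 'vbl03ca.db.index'
  echo '2208785574689461' > 'vbl03ca.db.serial'
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$configdir/vbl03ca.conf" -keyout 'vbl03ca.key' -out 'vbl03ca.csr'
  openssl ca -batch -config "$configdir/testpca.conf" -in 'vbl03ca.csr' -out 'vbl03ca.pem'
  openssl x509 -outform der -in 'vbl03ca.pem' -out "$vbl03cacert"

  # Driver-signing certificate, issued by VBL03CA and exported as PKCS#12 with
  # an unencrypted key and an empty password (certsha1 reads it back the same
  # way). NOTE(review): only testroot.pem and vbl03ca.pem are bundled, not
  # testpca.pem — confirm the consumer does not need the full chain.
  openssl req -new -newkey rsa:1024 -nodes \
    -config "$configdir/driver.conf" -keyout 'driver.key' -out 'driver.csr'
  openssl ca -batch -config "$configdir/vbl03ca.conf" -in 'driver.csr' -out 'driver.pem'
  openssl pkcs12 -export -nodes -password pass: -in 'driver.pem' -inkey 'driver.key' \
    -certfile 'testroot.pem' -certfile 'vbl03ca.pem' -out "$drivercert"

  # Second copy of the root certificate for the setup INFs.
  cp -- "$testrootcert" "$(isubdir 'mergedcomponents/setupinfs')/testroot.cer"
  cd "$installdir"
  rm -rf -- "${certdir:?}"
)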

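# Install each patched source file: the flat name "a-b-c.ext" in $sourcedir
# maps back to the tree path a/b/c.ext under $installdir (every "-" becomes
# "/", so component names themselves must not contain hyphens).
for f in "$sourcedir"/*; do
  name="${f##*/}"
  relpath="${name//-//}"
  cp -- "$f" "$(isubdir "${relpath%/*}")/${relpath##*/}"
done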

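# Print the SHA-1 fingerprint of a certificate as space-separated hex bytes.
# Arguments: $1 - a DER certificate (.cer) or a PKCS#12 bundle (.pfx) with an
#                 empty password, as written by the export above
# Outputs:   "AA BB CC ..." on stdout
# Returns:   0 on success, 1 for any other extension or when openssl fails
certsha1() {
  local fingerprint
  case "${1##*.}" in
    cer)
      fingerprint="$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1)" || return 1
      ;;
    pfx)
      # pkcs12 -nodes dumps key and certificate(s); x509 reads only the first certificate.
      fingerprint="$(openssl pkcs12 -in "$1" -nodes -passin pass: |
        openssl x509 -noout -fingerprint -sha1)" || return 1
      ;;
    *)
      return 1
      ;;
  esac
  # openssl prints "SHA1 Fingerprint=AA:BB:..."; keep the hex, separate with spaces.
  local hex="${fingerprint##*=}"
  printf '%s\n' "${hex//:/ }"
}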

# Join hex bytes into 8-hex-digit words: "A B C D E F G H" -> "ABCD EFGH".
# Arguments: $@ - one hex byte per argument
# Outputs:   the grouped string on stdout (no trailing space)
join4() {
  local words
  # printf reuses the format for every group of four arguments.
  printf -v words '%s%s%s%s ' "$@"
  printf '%s\n' "${words%?}"
}

# Render hex bytes as a C byte-array initializer: "A4 CA" -> "0xA4, 0xCA".
# Arguments: $@ - one hex byte per argument
# Outputs:   the initializer list on stdout (no trailing separator)
joinba() {
  local list
  printf -v list '0x%s, ' "$@"
  printf '%s\n' "${list%, }"
}

# Print the DER SubjectPublicKeyInfo of a DER certificate as space-separated
# lowercase hex bytes on one line (xxd ships with vim, hence that prerequisite).
# Arguments: $1 - DER certificate file
# Outputs:   "30 81 9f ..." on stdout
certpk() {
  # -pubkey writes the key as PEM: drop the BEGIN/END lines, decode the
  # base64 body, then emit one byte per word and let xargs join the words.
  openssl x509 -inform der -in "$1" -noout -pubkey \
    | grep -Fv -- '-----' \
    | base64 -d \
    | xxd -p -c 1 \
    | xargs
}

# SHA-1 of a hex byte string, returned as space-separated lowercase hex bytes.
# Arguments: $@ - hex digits (whitespace is ignored by xxd -r -p); several
#                 arguments are concatenated
# Outputs:   "a9 99 3e ..." on stdout
pksha1() {
  local digest="$(printf '%s' "$@" | xxd -p -r | sha1sum)"
  digest="${digest%% *}"   # sha1sum prints "<hex>  -"; keep the hex
  local spaced='' i
  for (( i = 0; i < ${#digest}; i += 2 )); do
    spaced+="${digest:i:2} "
  done
  printf '%s\n' "${spaced% }"
}

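# Thumbprints / public key of the freshly generated certificates, each as
# space-separated hex bytes (see certsha1 / certpk / pksha1).
testrootsha1="$(certsha1 "$testrootcert")"
testpcasha1="$(certsha1 "$testpcacert")"
driversha1="$(certsha1 "$drivercert")"
testrootpk="$(certpk "$testrootcert")"
testrootpksha1="$(pksha1 "$testrootpk")"

# The hex strings are deliberately left unquoted below so that joinba/join4
# receive one byte per argument. sed and perl exit 0 even when a pattern does
# not match, so an unpatched file is not reported here; diff the output tree
# against the original sources to confirm every substitution took effect.

# Hash of the test root public key in the certificate-store policy.
# shellcheck disable=SC2086
perl -0777 -pe "s/0x8E, 0xFF, [\s\S]*, 0xDC, 0x53/$(joinba $testrootpksha1)/" \
  -i "$installdir/ds/security/cryptoapi/pki/certstor/policy.cpp"

# Test root thumbprint as a C byte array.
# shellcheck disable=SC2086
sed -e "s/0xA4, 0xCA, .*, 0xC7, 0xAB/$(joinba $testrootsha1)/" \
  -i "$installdir/base/win32/fusion/sxs/strongname.cpp" \
     "$installdir/base/ntsetup/syssetup/crypto.c"

# Test root public key (DER SubjectPublicKeyInfo) as a C byte array; the
# sources use CRLF line endings, hence the \r\n around the inserted bytes.
# shellcheck disable=SC2086
perl -0777 -pe "s/(?<=BYTE rgbTestRoot0_PubKeyInfo\[\]= \{)[^}]*/\r\n$(joinba $testrootpk)\r\n/" \
  -i "$installdir/ds/security/cryptoapi/mincrypt/lib/vercert.cpp" \
     "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp"

# Test root thumbprint as one contiguous hex string.
sed -e "s/A4CAECFC.*07B0C7AB/${testrootsha1// /}/" \
  -i "$installdir/ds/win32/ntcrypto/mincrypt/vercert.cpp" \
     "$installdir/shell/shell32/defview.cpp" \
     "$installdir/windows/core/ntuser/kernel/server.c"

# Thumbprints grouped into 8-hex-digit words for the checktest*.cmd scripts.
# shellcheck disable=SC2086
sed -e "s/52871BBC.*06D7A08D/$(join4 $testpcasha1)/" -i "$installdir/tools/checktestpca.cmd"
# shellcheck disable=SC2086
sed -e "s/A4CAECFC.*07B0C7AB/$(join4 $testrootsha1)/" -i "$installdir/tools/checktestroot.cmd"

# Driver certificate thumbprint for the post-build signing script.
sed -e "s/5B8962DC.*2706CDBC/${driversha1// /}/" -i "$installdir/tools/postbuildscripts/crypto.cmd"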
certutil/config/driver.conf
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
1.3.6.1.4.1.311.21.7 = 1.3.6.1.4.1.311.21.7
1.3.6.1.4.1.311.21.10 = 1.3.6.1.4.1.311.21.10

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.C=US
1.ST=WA
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2002 Microsoft Corp.
5.CN=Microsoft Windows Source Kit Test

[ xca_extensions ]
subjectKeyIdentifier=hash
keyUsage=digitalSignature
extendedKeyUsage=codeSigning, 1.3.6.1.4.1.311.10.3.6
certutil/config/testpca.conf
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.C=US
1.ST=Washington
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2000 Microsoft Corp.
5.CN=Microsoft Test PCA

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=nonRepudiation, keyCertSign, cRLSign
certificatePolicies=ia5org,@certpol0_sect

[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol0_sect_notice0_sect

[certpol0_sect_notice0_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = testpca

[ testpca ]
dir = .
certs = $dir
new_certs_dir = $dir/testpca.db.certs
database = $dir/testpca.db.index
serial = $dir/testpca.db.serial
RANDFILE = $dir/testpca.db.rand
certificate = $dir/testpca.pem
private_key = $dir/testpca.key
default_days = 36500
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
copy_extensions = copy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
certutil/config/testroot.conf
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.OU=Copyright (c) 1999 Microsoft Corp.
1.CN=Microsoft Test Root Authority
2.OU=Microsoft Corporation

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
certificatePolicies=ia5org,@certpol0_sect

[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.5
userNotice.0=@certpol0_sect_notice0_sect

[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = testroot

[ testroot ]
dir = .
certs = $dir
new_certs_dir = $dir/testroot.db.certs
database = $dir/testroot.db.index
serial = $dir/testroot.db.serial
RANDFILE = $dir/testroot.db.rand
certificate = $dir/testroot.pem
private_key = $dir/testroot.key
default_days = 73000
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
copy_extensions = copy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
certutil/config/vbl03ca.conf

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.CN=Microsoft Windows VBL03CA

[ xca_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
keyUsage=digitalSignature, keyCertSign, cRLSign
certificatePolicies=ia5org,@certpol0_sect

[ certpol0_sect ]
policyIdentifier=1.3.6.1.4.1.311.10.3.6
userNotice.0=@certpol0_sect_notice0_sect

[ certpol0_sect_notice0_sect ]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ ca ]
default_ca = vbl03ca

[ vbl03ca ]
dir = .
certs = $dir
new_certs_dir = $dir/vbl03ca.db.certs
database = $dir/vbl03ca.db.index
serial = $dir/vbl03ca.db.serial
RANDFILE = $dir/vbl03ca.db.rand
certificate = $dir/vbl03ca.pem
private_key = $dir/vbl03ca.key
default_days = 18250
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
copy_extensions = copy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
