[Original] The latest nt5src driver.pfx (testroot) certificate, valid until 2122

2022-9-26 22:12
Preface

Today I want to share how to produce the nt5src driver.pfx (testroot) certificate.

The "openssl.txt" in the October 2020 nt5src build guide has problems.

I. Environment preparation

1. Operating system

For the build environment I recommend Linux or macOS (Windows is not recommended, because setting up an OpenSSL environment there is a hassle).

I tested on both CentOS 7.6 and macOS 11 myself; both ship with OpenSSL, so there is nothing to set up, and the openssl commands are compatible between the two.

2. Configuration files

Once the operating system is chosen, first prepare the four configuration files "testroot.conf", "testpca.conf", "vbl03ca.conf" and "driver.conf". The versions below are modified from the conf files in the "win2003_prepatched_v10a" guide package. The changes are as follows:


2.1 testroot.conf

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn0
x509_extensions = xca_extensions0
req_extensions = xca_extensions0
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ ca ]
default_ca = testroot

[ xca_dn0 ]
0.OU=Copyright (c) 1999 Microsoft Corp.
1.CN=Microsoft Test Root Authority
2.OU=Microsoft Corporation

[ xca_extensions0 ]
certificatePolicies=ia5org,@certpol0_sect
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.5
userNotice.0=@certpol0_sect_notice0_sect

[certpol0_sect_notice0_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ testroot ]
dir = testroot
certs = $dir
new_certs_dir = $dir/testroot.db.certs
database = $dir/testroot.db.index
serial = $dir/testroot.db.serial
RANDFILE = $dir/testroot.db.rand
certificate = $dir/testroot.pem
private_key = $dir/testroot.key
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy0

[ generic_policy0 ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ sub_ca_ext ]
certificatePolicies=ia5org,@certpol1_sect
keyUsage=nonRepudiation, keyCertSign, cRLSign
authorityKeyIdentifier=keyid:always
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol1_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol1_sect_notice1_sect

[certpol1_sect_notice1_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

Note: the italic/underlined parts are the ones that were modified. Also, "sub_ca_ext" is the extension section used when issuing the subordinate certificate: "testpca" is the certificate one level below "testroot", so when the two are linked it has to be declared here. The remaining configuration files follow the same pattern.


2.2 testpca.conf

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn1
x509_extensions = xca_extensions1
req_extensions = xca_extensions1
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ ca ]
default_ca = testpca

[ xca_dn1 ]
0.C=US
1.ST=Washington
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2000 Microsoft Corp.
5.CN=Microsoft Test PCA

[ xca_extensions1 ]
certificatePolicies=ia5org,@certpol1_sect
keyUsage=nonRepudiation, keyCertSign, cRLSign
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol1_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol1_sect_notice1_sect

[certpol1_sect_notice1_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ testpca ]
dir = testpca
certs = $dir
new_certs_dir = $dir/testpca.db.certs
database = $dir/testpca.db.index
serial = $dir/testpca.db.serial
RANDFILE = $dir/testpca.db.rand
certificate = $dir/testpca.pem
private_key = $dir/testpca.key
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy1

[ generic_policy1 ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[sub_ca_ext]
certificatePolicies=ia5org,@certpol2_sect
keyUsage=digitalSignature, keyCertSign, cRLSign
authorityKeyIdentifier=keyid:always
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol2_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.6
userNotice.0=@certpol2_sect_notice2_sect

[certpol2_sect_notice2_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only,and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with thiscertificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.


2.3 vbl03ca.conf

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn2
x509_extensions = xca_extensions2
req_extensions = xca_extensions2
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ ca ]
default_ca = vbl03ca

[ xca_dn2 ]
0.CN=Microsoft Windows VBL03CA

[ xca_extensions2 ]
certificatePolicies=ia5org,@certpol2_sect
keyUsage=digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol2_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.6
userNotice.0=@certpol2_sect_notice2_sect

[certpol2_sect_notice2_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.  This certificate and drivers signed with this certificate are intended for use in test environments only,and are not intended for use in any other context.  Vendors who distribute this certificate or drivers signed with thiscertificate outside a test environment may be in violation of their driver signing agreement.  Vendors who have their drivers signed with this certificate do so at their own risk.  In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ vbl03ca ]
dir = vbl03ca
certs = $dir
new_certs_dir = $dir/vbl03ca.db.certs
database = $dir/vbl03ca.db.index
serial = $dir/vbl03ca.db.serial
RANDFILE = $dir/vbl03ca.db.rand
certificate = $dir/vbl03ca.pem
private_key = $dir/vbl03ca.key
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy2

[ generic_policy2 ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[sub_ca_ext]
extendedKeyUsage=codeSigning, 1.3.6.1.4.1.311.10.3.6
keyUsage=digitalSignature
authorityKeyIdentifier=keyid:always
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE


2.4 driver.conf

oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
1.3.6.1.4.1.311.21.7 = 1.3.6.1.4.1.311.21.7
1.3.6.1.4.1.311.21.10 = 1.3.6.1.4.1.311.21.10

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn3
x509_extensions = xca_extensions3
req_extensions = xca_extensions3
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ ca ]
default_ca = wskt

[ xca_dn3 ]
0.C=US
1.ST=WA
2.L=Redmond
3.O=Microsoft Corporation
4.OU=Copyright (c) 2002 Microsoft Corp.
5.CN=Microsoft Windows Source Kit Test

[ xca_extensions3 ]
extendedKeyUsage=codeSigning, 1.3.6.1.4.1.311.10.3.6
keyUsage=digitalSignature
subjectKeyIdentifier=hash

[ wskt ]
dir = driver
certs = $dir
new_certs_dir = $dir/driver.db.certs
database = $dir/driver.db.index
serial = $dir/driver.db.serial
RANDFILE = $dir/driver.db.rand
certificate = $dir/driver.pem
private_key = $dir/driver.key
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy3

[ generic_policy3 ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional


II. Generating the certificates

With the configuration files ready, put the conf files in one directory and run the following openssl (and operating-system) commands:

mkdir testroot
mkdir testroot/testroot.db.certs
touch testroot/testroot.db.index
echo "4831793303313605" > testroot/testroot.db.serial
openssl req -x509 -md5 -newkey rsa:1536 -nodes -keyout testroot/testroot.key -out testroot/testroot.pem -days 36500 -config testroot.conf
openssl x509 -outform der -in testroot/testroot.pem -out testroot.cer

mkdir testpca
mkdir testpca/testpca.db.certs
touch testpca/testpca.db.index
echo "3921298631018096" > testpca/testpca.db.serial
openssl req -new -newkey rsa:1536 -nodes -keyout testpca/testpca.key -out testpca/testpca.csr -config testpca.conf
openssl ca -config testroot.conf -extensions sub_ca_ext -out testpca/testpca.pem -infiles testpca/testpca.csr
openssl x509 -outform der -in testpca/testpca.pem -out testpca.cer

mkdir vbl03ca
mkdir vbl03ca/vbl03ca.db.certs
touch vbl03ca/vbl03ca.db.index
echo "2208785574689461" > vbl03ca/vbl03ca.db.serial
openssl req -new -newkey rsa:2048 -nodes -keyout vbl03ca/vbl03ca.key -out vbl03ca/vbl03ca.csr -config vbl03ca.conf
openssl ca -config testpca.conf -extensions sub_ca_ext -out vbl03ca/vbl03ca.pem -infiles vbl03ca/vbl03ca.csr
openssl x509 -outform der -in vbl03ca/vbl03ca.pem -out vbl03ca.cer

mkdir driver
mkdir driver/driver.db.certs
touch driver/driver.db.index
echo "4455785574989478" > driver/driver.db.serial
openssl req -new -newkey rsa:1024 -nodes -keyout driver/driver.key -out driver/driver.csr -config driver.conf
openssl ca -config vbl03ca.conf -extensions sub_ca_ext -out driver/driver.pem -infiles driver/driver.csr
openssl x509 -outform der -in driver/driver.pem -out driver.cer

cat testroot/testroot.pem testpca/testpca.pem vbl03ca/vbl03ca.pem > bundle.pem
openssl pkcs12 -export -in driver/driver.pem -inkey driver/driver.key -out driver.pfx -certfile bundle.pem -nodes

Note: the italic/underlined parts are the ones that were modified.


III. Updating the certificates

1. Importing the certificates

Before importing the new "driver.pfx" certificate, remove the original certificates first. Run "certmgr.msc" from the Windows "Run" dialog and locate the corresponding certificates; there are four in total. "testroot" is under "Trusted Root Certification Authorities"; "testpca" and "vbl03ca" are under "Intermediate Certification Authorities"; "driver" (full name "Microsoft Windows Source Kit Test") is under "Personal".

After removing them, copy the newly generated certificate files "testroot.cer", "testpca.cer", "vbl03ca.cer", "driver.cer" and "driver.pfx" over the ones in "D:\srv03rtm\tools" (by default the source tree is installed on drive D), and copy "testroot.cer" over the one in "D:\srv03rtm\mergedcomponents\setupinfs".

Once copied, simply double-click "D:\srv03rtm\tools\driver.pfx" and click through the wizard to import the certificate.



2. Modifying the razzle environment

A few files of the "razzle" environment need to be modified. Find the three files "D:\srv03rtm\tools\checktestroot.cmd", "D:\srv03rtm\tools\checktestpca.cmd" and "D:\srv03rtm\tools\postbuildscripts\crypto.cmd" and replace the SHA1 values of the old certificates in them with the SHA1 values of the new certificates.

For example, in "checktestroot.cmd", replace the original "A4CAECFC 40A44BB7 3E3BBF69 477BC68D 07B0C7AB" with the new certificate's "62D160A1 C5257E36 7B2E471E A6A36AA7 9F9735C9" (this value has to be computed from the certificate you generated yourself, using a SHA1 tool).

Three certificates' SHA1 values are involved here: "checktestroot.cmd" holds the SHA1 of "testroot.cer", which in the 2020 version is "A4CAECFC40A44BB73E3BBF69477BC68D07B0C7AB"; "checktestpca.cmd" holds the SHA1 of "testpca.cer", which in the 2020 version is "52871BBC6CAAEF1FEB45D478DDC7517C06D7A08D"; "crypto.cmd" holds the SHA1 of "driver.cer", which in the 2020 version is "5B8962DC21A68507196A158F8F687F232706CDBC".

If you really have no tool to compute a SHA1 value, you can read it directly from the certificate's details view, at the position shown in the figure below.
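To check the chain produced by the commands in section II and to obtain the SHA1 values that this step asks for, here is an added POSIX shell script of my own; it is not part of the original post or of the nt5src kit. It assumes the directory layout and file names the commands above create (testroot/, testpca/, vbl03ca/, driver/, the four .cer files and bundle.pem) and an OpenSSL of 1.1.0 or later (for -auth_level):

```shell
#!/bin/sh
# Added example (not from the original post). Run it from the directory that
# holds the four *.conf files, after the commands in section II have produced
# testroot/, testpca/, vbl03ca/, driver/, the four *.cer files and bundle.pem.
set -eu

# Normalise an OpenSSL fingerprint line ("SHA1 Fingerprint=A4:CA:..." on
# OpenSSL 1.x, "sha1 Fingerprint=..." on 3.x) or a bare 40-hex-digit string
# into the "A4CAECFC 40A44BB7 3E3BBF69 477BC68D 07B0C7AB" layout that
# checktestroot.cmd, checktestpca.cmd and crypto.cmd compare against.
fmt_thumbprint() {
    printf '%s\n' "$1" \
      | sed -e 's/^.*=//' -e 's/://g' \
      | tr 'a-f' 'A-F' \
      | sed -e 's/\([0-9A-F]\{8\}\)/\1 /g' -e 's/ *$//'
}

# SHA-1 thumbprint of a DER (.cer) certificate in the grouped layout above.
der_thumbprint() {
    fmt_thumbprint "$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1)"
}

# Walk driver.pem up through the untrusted intermediates to testroot.pem.
# The chain is MD5-signed to match the original kit, and OpenSSL >= 1.1.0
# rejects MD5 certificate signatures at its default security level, so the
# check is run at -auth_level 0. A non-zero exit here means the hierarchy
# described in the conf files (testroot -> testpca -> vbl03ca -> driver)
# was not actually produced.
verify_chain() {
    openssl verify -auth_level 0 \
        -CAfile testroot/testroot.pem \
        -untrusted bundle.pem \
        driver/driver.pem
}

# Confirm that the leaf carries the code-signing EKU, the
# 1.3.6.1.4.1.311.10.3.6 OID and the digitalSignature key usage that
# vbl03ca.conf's sub_ca_ext section requests.
show_driver_usage() {
    openssl x509 -in driver/driver.pem -noout -text \
      | grep -A1 -E 'Extended Key Usage|X509v3 Key Usage'
}

main() {
    verify_chain
    for f in testroot.cer testpca.cer vbl03ca.cer driver.cer; do
        printf '%-12s %s\n' "$f" "$(der_thumbprint "$f")"
    done
    show_driver_usage
}

# Only run the full check when the generated files are present.
if [ -f bundle.pem ]; then
    main
fi
```

The thumbprint lines it prints can be pasted straight into checktestroot.cmd and the other two scripts, which store the value in groups of eight hex digits. Having to pass -auth_level 0 is the practical reminder that an MD5-signed chain is accepted by nothing modern, and that a trust store containing this testroot belongs only on a disposable build machine.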

Note that after these changes you should, in theory, be able to run "razzle" and build the code directly, but here I ran into what looks like a Windows bug: after doing this, "razzle" decides that the password of your newly made certificate is wrong, although the certificate actually has no password. The workaround is described below.

3. Updating Windows

At this point razzle thinks the password of your new certificate is wrong (if I set a password when making the certificate there is no problem, but I am not sure whether that causes trouble for later code execution). What is known so far is that when razzle calls "signtool.exe" to validate the certificate, it calls a local COM service, and that COM service seems to have a bug. I saw the same problem on both XP and Win7. In the CSDN article I had not yet figured out which file it was, so I crudely told everyone to install Visual Studio (2003 or later), which updates this COM service. Later I found that it is enough to register (regsvr32) the file "capicom.dll" (a COM service) on the build machine. The "capicom.dll" of the original build environment is version "2.0.0.1"; the one I took from VS2005 is "2.1.0.1". After installing it, entering razzle no longer gives any error.


4. Verifying the certificates

After the steps above, set the system time back to the real date and enter the "razzle" environment again; there should be no error messages, which means the certificate update succeeded, as shown in the figure below.

IV. Building the setup program

At this point you should be able to compile the source code without trouble (with the clock set to the real date).

There is still some optional source-code work: some certificate-related verification code in the source has the certificate SHA1 values hard-coded and should be changed to the new ones. You can choose not to modify it; apart from the Windows setup program not running, it has no other effect. The files involved are listed below; I will not list the specific changes.

base/ntsetup/syssetup/crypto.c
base/win32/fusion/sxs/strongname.cpp
shell/shell32/defview.cpp
security/cryptoapi/mincrypt/lib/vercert.cpp
windows/core/ntuser/kernel/server.c
ds/win32/ntcrypto/mincrypt/vercert.cpp
ds/security/cryptoapi/pki/certstor/policy.cpp


Summary

With the new certificates you no longer need to set the machine's clock back to 2020! But I still do not know how to get rid of these annoying certificates altogether.

PS: The Windows 2003 source code leaked a long time ago, and I only paid attention to it this year (shame on me). Strangely, after the end of 2020 nobody discussed it any more, either abroad or in China. Is there really nothing left worth discussing? Anyone interested, please leave a comment or e-mail me at "2098310613@qq.com".

I also published this article on CSDN, at:

http://t.csdn.cn/OHmMH

I hope this does not count as a repost ^_^



Latest replies (4)

zhanglKX 2022-10-14 17:05
What is the purpose of this?
zhanglKX 2022-10-14 17:06
可w?
Ox小伍 2023-5-20 14:04
On WinXP, even after replacing capicom.dll, the pfx certificate with an empty password still cannot be imported.
梦中蝶舞 2024-2-3 16:31
Ox小伍: On WinXP, even after replacing capicom.dll, the pfx certificate with an empty password still cannot be imported.
Modify this part of razzle:
@rem Set the SignTool_Sign variable appropriately.
if "%_ArgOffline%" == "true" (
   @rem Offline: Use the driver.pfx file for test signing (only available in OEM source kit)
   @SET SIGNTOOL_SIGN=/f "%RazzleToolPath%\driver.pfx" /d "Microsoft Windows TEST" /du "http://ntbld"

   SET SIGNTOOL_SIGN=/a /uw /r "Microsoft Test Root Authority" /d "Microsoft Windows TEST" /du "http://ntbld"
) else (
   @rem Online: Use autoenrolled signing cert in cert store (only available to internal Microsoft users)
   SET SIGNTOOL_SIGN=/a /uw /r "Microsoft Test Root Authority" /d "Microsoft Windows TEST" /du "http://ntbld"
)
Comment out this block and just sign with the certificate in the system store:
SET SIGNTOOL_SIGN=/a /uw /r "Microsoft Test Root Authority" /d "Microsoft Windows TEST" /du "http://ntbld"