
Windows 7 Certificate Requirements for Kernel Code

Chris_Read Member Posts: 16

Having renewed an EV code signing certificate, the new certificate no longer works for Windows 7 kernel driver signing. The new certificate has been accepted for Windows 10 attestation signing. The old certificate, from the same supplier, worked for both Windows 7 and the Windows 10 attestation signing portal.

The only relevant change appears to be in the distinguished name, which lacks a stateOrProvinceName attribute in the new certificate, as well as the less important postalCode and street attributes. The old, working certificate contained the name of the UK county in the stateOrProvinceName attribute.

Is the distinguished name stateOrProvinceName (ST/SP/S) attribute required for Windows 7 kernel driver signing?

Best regards

Chris Read

Comments

  • Tim_Roberts Member Posts: 13,102

    The kernel doesn't examine your certificate at all, except perhaps for the expiration date. It just looks for the Microsoft Code Verification Root at the end of your cross-signing chain.

    Is it possible that your new EV cert needs a different cross certificate? If you do "signtool verify -v -kp" on your package, do you actually see the Microsoft Code Verification Root?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Martin_Burnicki Member Posts: 25
    edited September 25

    In addition to what Tim Roberts said:

    You should run the signtool as mentioned on a computer that has no additional certificates installed.

    Some time ago I had a problem that a kernel driver was not loaded on customer machines, but on my development machine everything was fine, and the signtool command reported that the signature was good and valid.

    The problem was that a cross certificate had not been used for signing, and thus was missing in the chain of certificates attached to the kernel driver.

    However, the missing cert was available in the cert store of my Windows machine, so signtool found it there and said that everything was OK, even though it actually was not.

  • Tim_Roberts Member Posts: 13,102

    This is a good point. The criterion is not "does signtool verify pass?"; the criterion needs to be very specific: "does signtool verify -kp -v show the Microsoft Code Verification Root at the root of a chain?"

    Here is a valid signed file that will not be accepted as a kernel driver:

    C:\tmp>signtool verify -v -kp Sample.sys

    Verifying: Sample.sys
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): B114D2810B90FB5C7984C890016B41C7A2AE081F

    Signing Certificate Chain:
        Issued to: DigiCert High Assurance EV Root CA
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Nov 09 17:00:00 2031
        SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 05:00:00 2027
            SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

                Issued to: Providenza & Boekelheide, Inc.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Fri Sep 01 05:00:00 2017
                SHA1 hash: D44E6DD817081ECC8F5F34EADF2FFF0ABA865E84

    The signature is timestamped: Wed Sep 02 12:14:49 2015
    Timestamp Verified by:
        Issued to: DigiCert Assured ID Root CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Nov 09 17:00:00 2031
        SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

            Issued to: DigiCert Assured ID CA-1
            Issued by: DigiCert Assured ID Root CA
            Expires:   Tue Nov 09 17:00:00 2021
            SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

                Issued to: DigiCert Timestamp Responder
                Issued by: DigiCert Assured ID CA-1
                Expires:   Mon Oct 21 17:00:00 2024
                SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

    SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1


    Here is a driver signed and cross-signed:

    C:\Dev\Sample\driver>signtool verify -kp -v Release64\Sample.sys
    
    Verifying: Release64\Sample.sys
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): F98B41B8ED05D7BD830DB8B56E19C8B112E77F19
    
    Signing Certificate Chain:
        Issued to: DigiCert High Assurance EV Root CA
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Nov 09 17:00:00 2031
        SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
    
            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 05:00:00 2027
            SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3
    
                Issued to: Providenza & Boekelheide, Inc.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Fri Sep 20 05:00:00 2019
                SHA1 hash: BA6F8BBD05D3B8F1FA982A52E17854789F9B0786
    
    The signature is timestamped: Thu May 31 11:11:14 2018
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 16:59:59 2020
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
    
            Issued to: Symantec Time Stamping Services CA - G2
            Issued by: Thawte Timestamping CA
            Expires:   Wed Dec 30 16:59:59 2020
            SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
    
                Issued to: Symantec Time Stamping Services Signer - G4
                Issued by: Symantec Time Stamping Services CA - G2
                Expires:   Tue Dec 29 16:59:59 2020
                SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
    
    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 06:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    
            Issued to: DigiCert High Assurance EV Root CA
            Issued by: Microsoft Code Verification Root
            Expires:   Thu Apr 15 12:55:33 2021
            SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143
    
                Issued to: DigiCert EV Code Signing CA (SHA2)
                Issued by: DigiCert High Assurance EV Root CA
                Expires:   Sun Apr 18 05:00:00 2027
                SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3
    
                    Issued to: Providenza & Boekelheide, Inc.
                    Issued by: DigiCert EV Code Signing CA (SHA2)
                    Expires:   Fri Sep 20 05:00:00 2019
                    SHA1 hash: BA6F8BBD05D3B8F1FA982A52E17854789F9B0786
    
    File has page hashes.
    
    
    Successfully verified: Release64\Sample.sys
    
    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0
    

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
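
The check Tim describes (look for the Microsoft Code Verification Root at the root of the Cross Certificate Chain, not merely for "Successfully verified") can be scripted against the text signtool prints. The following is an added example written for this page; it is not code from the thread, from OSR, or from signtool. It assumes the line layout shown in Tim's two transcripts above (section headers ending in a colon, one cert per indented block of "Issued to / Issued by / Expires / SHA1 hash" lines); the function and class names are the example's own, and the two sample strings are condensed from Tim's transcripts (intermediate CA and timestamp sections dropped). Following Martin's note, it can only judge what signtool printed, so the output it is fed must come from a machine that does not have the cross-certificate sitting in its own certificate store.

```python
"""Apply the thread's kernel-signing check to ``signtool verify -kp -v`` output.
Added example for this page, not code from the thread, OSR or signtool."""
import re
from dataclasses import dataclass, field

MS_CODE_VERIFICATION_ROOT = "Microsoft Code Verification Root"
SECTIONS = ("Signing Certificate Chain", "Timestamp Verified by",
            "Cross Certificate Chain")
FIELD_RE = re.compile(r"(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)")


@dataclass
class Cert:
    depth: int            # indent width: the least indented cert is the root
    issued_to: str = ""
    issued_by: str = ""
    sha1: str = ""


@dataclass
class VerifyReport:
    chains: dict[str, list[Cert]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)


def parse_signtool_verify(text: str) -> VerifyReport:
    """Collect each chain section as a list of certs plus any SignTool errors."""
    report, section, cert = VerifyReport(), None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue                      # blank lines only separate certs
        if stripped.startswith("SignTool Error:"):
            report.errors.append(stripped.split(":", 1)[1].strip())
            section = None
            continue
        if stripped.rstrip(":") in SECTIONS:
            section = stripped.rstrip(":")
            report.chains[section] = []
            continue
        if section is None:
            continue
        match = FIELD_RE.match(stripped)
        if match is None:                 # e.g. "File has page hashes."
            section = None
            continue
        key, value = match.groups()
        if key == "Issued to":
            cert = Cert(depth=len(raw) - len(raw.lstrip()), issued_to=value)
            report.chains[section].append(cert)
        elif key == "Issued by" and cert is not None:
            cert.issued_by = value
        elif key == "SHA1 hash" and cert is not None:
            cert.sha1 = value
    return report


def chain_ends(chain: list[Cert]):
    """(root, leaf) of a printed chain, or (None, None) if it is absent."""
    if not chain:
        return None, None
    return min(chain, key=lambda c: c.depth), max(chain, key=lambda c: c.depth)


def acceptable_for_win7_kernel(report: VerifyReport) -> bool:
    """Tim's criterion: no SignTool error, a Cross Certificate Chain rooted at
    the self-issued Microsoft Code Verification Root, and that chain ending
    at the same certificate that actually signed the file."""
    if report.errors:
        return False
    root, leaf = chain_ends(report.chains.get("Cross Certificate Chain", []))
    if root is None or (root.issued_to, root.issued_by) != (
            MS_CODE_VERIFICATION_ROOT, MS_CODE_VERIFICATION_ROOT):
        return False
    _, signer = chain_ends(report.chains.get("Signing Certificate Chain", []))
    return signer is not None and signer.sha1 == leaf.sha1


# Condensed from Tim's first transcript (signed, not cross-signed).
SIGNED_ONLY = """\
Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
            Issued to: Providenza & Boekelheide, Inc.
            Issued by: DigiCert EV Code Signing CA (SHA2)
            SHA1 hash: D44E6DD817081ECC8F5F34EADF2FFF0ABA865E84
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
"""

# Condensed from Tim's second transcript (signed and cross-signed).
CROSS_SIGNED = """\
Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
            Issued to: Providenza & Boekelheide, Inc.
            Issued by: DigiCert EV Code Signing CA (SHA2)
            SHA1 hash: BA6F8BBD05D3B8F1FA982A52E17854789F9B0786
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143
                Issued to: Providenza & Boekelheide, Inc.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                SHA1 hash: BA6F8BBD05D3B8F1FA982A52E17854789F9B0786
File has page hashes.
"""

if __name__ == "__main__":
    for name, text in (("signed only", SIGNED_ONLY), ("cross-signed", CROSS_SIGNED)):
        print(name, "->", acceptable_for_win7_kernel(parse_signtool_verify(text)))
```

Feeding it real output is a matter of `parse_signtool_verify(subprocess.run([...], capture_output=True, text=True).stdout)`; the leaf-hash comparison between the two chains is there so that a cross chain printed for some other certificate in the store cannot make an unrelated signature look acceptable.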

  • Chris_Read Member Posts: 16

    You are correct. The new DigiCert EV certificate does not chain back to Microsoft Code Verification Root. Hopefully, DigiCert will still sign an EV certificate which does....

    The ST attribute was a red herring.

    Many thanks for all the help.

    Chris Read

  • Tim_Roberts Member Posts: 13,102

    Well, the key is that you need to find a new cross certificate. Here's Microsoft's list:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
    but you may be able to find it on DigiCert's web site as well.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
