
Non-timestamped cross-signed driver still loads, even when I set the date of my machine to 2099?!

henrik_meida Member Posts: 40

I always thought that the point of the timestamp is to make sure the driver still loads after its expiration date..

But I noticed that even when I set the date of my computer to something like 2099 (to make sure every certificate in the certificate chain is expired as well), it still loads successfully? How is this possible? I am testing it with the latest Windows 10 x64 build (19042); it's Microsoft Windows 10 Enterprise.

How.. how is this possible?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    If you timestamp your signature, then the certs need to be valid as of the time of the timestamp.

    If you do not timestamp your signature, your certs need to be valid as of the time you do the install.

    I think it's the install, not the driver load/activation, that matters here.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meida Member Posts: 40

    @Peter_Viscarola_(OSR) said:
    If you timestamp your signature, then the certs need to be valid as of the time of the timestamp.

    If you do not timestamp your signature, your certs need to be valid as of the time you do the install.

    I think it's the install, not the driver load/activation, that matters here.

    Peter

    This is really mind-boggling, so if you have a driver that you can easily load and there is no need to install it, then the timestamp really doesn't matter at all?!

    Honestly this doesn't make any sense, so you can basically load a driver that has an expired cert, and is not timestamped, on the latest Windows 10 x64 version without any issue?! If this is the case, then why would anyone even renew their cert anymore if they can load their drivers without the need of installation?

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    Yeah... you're right. That doesn't sound correct, and we know that self-installed unsigned drivers (such as non-PnP drivers that are not INF installed) can't be loaded.

    There ARE two separate checks: an install check and a load check. And they don't check the same things. I know that for sure.

    Mr @Tim_Roberts is the one who usually identifies the differences between these checks in our discussions here, IIRC.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meida Member Posts: 40

    @Peter_Viscarola_(OSR) said:
    Yeah... you're right. That doesn't sound correct, and we know that self-installed unsigned drivers (such as non-PnP drivers that are not INF installed) can't be loaded.

    There ARE two separate checks: an install check and a load check. And they don't check the same things. I know that for sure.

    Mr @Tim_Roberts is the one who usually identifies the differences between these checks in our discussions here, IIRC.

    Peter

    At first I thought maybe restrictions regarding timestamps are only applied to boot drivers.. but nope, I registered the driver as a boot driver with OSRLoader, set the time to 2099 (and obviously sync is disabled), restarted it multiple times; every boot it gets loaded without any issue.. this absolutely makes no sense...

    And I have to emphasize again that the digital signature is not timestamped, and obviously not only the certificate itself, but every certificate in the chain is expired at this point (since it's 2099..)

    Also get this: the certificate is SHA-1! I thought that Microsoft no longer supports SHA-1... what the hell is going on?

  • Dejan_Maksimovic Member - All Emails Posts: 430

    You sure TestSigning is not on?

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    (and the debugger isn't connected?)

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 13,907

    The KMCS loader doesn't care about your certificate at all. If you have the "Microsoft Code Verification Root" in your chain, then it will work. Forever. It is a magic spell.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
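The replies above ask three things that are easy to settle on the box itself: is the signature timestamped, is a "Microsoft Code Verification Root" cross-certificate embedded in the driver, and is the machine in a state (testsigning, kernel debug, Secure Boot off) that would change what the loader accepts. The script below is an added diagnostic, not code from the thread or from OSR; it takes a driver path as an assumed input and reports those facts, plus the signer certificate's validity window against the current clock.

```powershell
<#
  Added diagnostic script; not from the original thread or from OSR.
  Prints, for one signed kernel driver (.sys):
    - Authenticode status, signer subject, validity window, whether the signer
      cert is already expired at the machine's current clock
    - whether a timestamp counter-signature is present
    - every certificate embedded in the PE's signature blob, and whether one of
      them is a cross-certificate issued by "Microsoft Code Verification Root"
    - testsigning / kernel debug flags from the BCD and the Secure Boot state
  $DriverPath is an assumption you supply. Run elevated: bcdedit and
  Confirm-SecureBootUEFI both need it.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$DriverPath      # e.g. C:\drivers\mydrv.sys (hypothetical path)
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver not found: $DriverPath"
}

# --- 1. Signature status, signer validity, timestamp ------------------------
$sig    = Get-AuthenticodeSignature -FilePath $DriverPath
$signer = $sig.SignerCertificate

"Signature status   : {0} ({1})" -f $sig.Status, $sig.StatusMessage
if ($null -eq $signer) {
    "Signer             : none (file is not Authenticode-signed)"
    return
}
"Signer subject     : {0}" -f $signer.Subject
"Signer validity    : {0:u} .. {1:u}" -f $signer.NotBefore, $signer.NotAfter
"Signer expired now : {0}" -f ($signer.NotAfter -lt (Get-Date))
# SignatureAlgorithm is what the CA used to sign the *certificate* (the thing
# meant by "the certificate is SHA-1"), not the digest used over the file.
"Cert sig algorithm : {0}" -f $signer.SignatureAlgorithm.FriendlyName

if ($sig.TimeStamperCertificate) {
    "Timestamped        : yes, TSA = {0}" -f $sig.TimeStamperCertificate.Subject
} else {
    "Timestamped        : NO timestamp counter-signature present"
}

# --- 2. Every certificate embedded in the PE's Authenticode blob -------------
# Importing a signed PE into an X509Certificate2Collection extracts the
# certificates carried inside the signature, including any cross-certificate.
$embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import($DriverPath)
"Embedded certs     : {0}" -f $embedded.Count
foreach ($c in $embedded) {
    "   {0}`n      issued by {1}`n      valid {2:u} .. {3:u}" -f $c.Subject, $c.Issuer, $c.NotBefore, $c.NotAfter
}

# A cross-signed driver normally carries the cross-cert (Issuer = MSCV root)
# rather than the root itself, so match on either field.
$mscv = $embedded | Where-Object {
    $_.Issuer  -like '*Microsoft Code Verification Root*' -or
    $_.Subject -like '*Microsoft Code Verification Root*'
}
if ($mscv) {
    "MSCV cross-cert    : present - {0}" -f ($mscv | Select-Object -First 1).Subject
} else {
    "MSCV cross-cert    : not found among the embedded certificates"
}

# --- 3. Machine state that changes what the kernel loader will accept --------
$bcd = & bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    "BCD                : could not read ({0}); run elevated" -f ($bcd -join ' ')
} else {
    "testsigning        : {0}" -f [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes' -Quiet)
    "kernel debug       : {0}" -f [bool]($bcd | Select-String -Pattern '^debug\s+Yes' -Quiet)
}
try {
    "Secure Boot        : {0}" -f (Confirm-SecureBootUEFI)
} catch {
    "Secure Boot        : unavailable ({0})" -f $_.Exception.Message
}
```

Save it as a .ps1 and run it from an elevated PowerShell with the path to the .sys under test; the testsigning and kernel-debug lines answer Dejan's and Peter's questions directly, and the "Timestamped" and "MSCV cross-cert" lines show whether the driver matches the situation Tim describes.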

  • henrik_meida Member Posts: 40

    @Dejan_Maksimovic said:
    You sure TestSigning is not on?

    @Peter_Viscarola_(OSR) said:
    (and the debugger isn't connected?)

    Yes, I am 100% sure that test signing is not on and there is no debugging going on.
    I mean, are the results that I am getting abnormal? Can you check the same things with a certificate that you have to see if you get the same results?

  • henrik_meida Member Posts: 40

    @Tim_Roberts said:
    The KMCS loader doesn't care about your certificate at all. If you have the "Microsoft Code Verification Root" in your chain, then it will work. Forever. It is a magic spell.

    But.. that does not make any sense?! So if I have a driver that doesn't need installation, I can literally register it as a boot driver without even timestamping it, and I can use it forever even after my certificate expires?!! Why would I ever renew my cert again then? Or register in WHQL?

    Is this valid for both OV and EV certs?

  • Tim_Roberts Member - All Emails Posts: 13,907

    But...that does not make any sense?

    Why not? Despite appearances, Microsoft is really not in the business of making things harder.

    why would I ever renew my cert again

    Because if you don't, you can't sign new packages. signtool DOES validate the whole chain.

    or register in WHQL?

    Because the whole cross-signing thing does not work at all on Windows 10 if Secure Boot is on, which happens to be true for most of the Windows world.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • henrik_meida Member Posts: 40

    @Tim_Roberts said:
    Because if you don't, you can't sign new packages. signtool DOES validate the whole chain.

    But I thought that was the point of using a timestamp.. to prove that you actually did sign it at that time; without it anyone can just change the date of the system when they are signing, so signtool would be fine with it too..

    Because the whole cross-signing thing does not work at all on Windows 10 if Secure Boot is on, which happens to be true for most of the Windows world.

    But if I remember correctly, that's only true for OV certificates; if you have an EV certificate you can cross-sign and load it with Secure Boot on in Windows 10?

  • CaptainFlint Member Posts: 44

    @henrik_meida said:
    But if I remember correctly, that's only true for OV certificates; if you have an EV certificate you can cross-sign and load it with Secure Boot on in Windows 10?

    No. EV is connected to Win10 driver signing in such a way that you need an EV certificate as a requirement for sending drivers to Microsoft in order to get an Attestation or WHQL signature. But if you use EV for usual cross-signing, it's no different from when you use an OV for the same purpose.

  • Mark_Roddy Member - All Emails Posts: 4,426

    Right: you 'EV sign' a cab file, not your drivers. MSFT takes your cab file and signs the contents with their cert. You get the signed artifacts back and you now have MSFT signatures on your drivers. Attestation signing takes a few minutes and requires no awful WHQL testing. Its only drawbacks are: really difficult to automate, ?doesn't work for pre-W10 platforms?.

  • Tim_Roberts Member - All Emails Posts: 13,907

    The EV cert is only required to get and maintain a hardware dashboard account. When you submit, you can use any cert that you have registered with your account.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Mark_Roddy Member - All Emails Posts: 4,426

    Sure, but at this point why would anyone buy two certs? The other OV cert is now basically useless.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    why would anyone buy two certs?

    Convenience. Frequently done in large organizations, in fact. The EV cert is a royal PITA because it has to be tied to a single, given hardware token (or hardware key store). It can be "rather difficult" to share this with your dev, test, and cert/release teams (and/or your contractors) worldwide.

    So, some semi-corporate type registers the dashboard account with the EV, and then registers an OV cert that can be sent around to all and sundry for use in submissions.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mark_Roddy Member - All Emails Posts: 4,426

    Ah good point.
