authorToni Uhlig <matzeton@googlemail.com>2021-04-18 01:53:43 +0200
committerToni Uhlig <matzeton@googlemail.com>2021-04-18 01:53:43 +0200
commit12e01b2d5cad4338af9be63e02374d2fb6484999 (patch)
tree6a8a088b094abbd1356047963f0e7d45d6355c0a
parent59d9936eb2dafd32c34cae76e50a579a9e46361a (diff)
Added EV code signing CA/Cert generator.
* print infinite debug messages on a pure virtual function call Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--EASTL-compat/kcrt.cpp7
-rw-r--r--Makefile11
-rw-r--r--README.md2
-rwxr-xr-xcreate_codesign_ca.sh99
4 files changed, 118 insertions, 1 deletions
diff --git a/EASTL-compat/kcrt.cpp b/EASTL-compat/kcrt.cpp
index 7a8fc52..885dadb 100644
--- a/EASTL-compat/kcrt.cpp
+++ b/EASTL-compat/kcrt.cpp
@@ -152,6 +152,13 @@ void * operator new[](size_t size, size_t, size_t, const char *, int, unsigned,
extern "C" void __cxa_pure_virtual(void)
{
+ // definitly not perfect, but we get at least a notification
+ while (1)
+ {
+ DbgPrint("Pure virtual function call..\n");
+ LARGE_INTEGER li = { .QuadPart = -10000000 };
+ KeDelayExecutionThread(KernelMode, TRUE, &li);
+ }
}
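Review bot: The `KeDelayExecutionThread` wait added to `__cxa_pure_virtual` is only permitted at low IRQL; if a pure virtual call happens at DISPATCH_LEVEL or above, the wait itself triggers an unrelated IRQL bugcheck before the `DbgPrint` loop has a chance to be noticed. Since a pure virtual call in kernel code means an object is being used through a stale or corrupted vtable, consider printing the message once and then stopping deliberately (`KeBugCheckEx` with a driver-specific code) instead of parking the calling thread forever while it may still hold locks, or at minimum guard the delay with a `KeGetCurrentIrql()` check and fall back to a plain spin with the message. The comment above the loop should read `// definitely not perfect, but we get at least a notification`, and a short comment that `-10000000` is a relative interval of one second in 100 ns units would help the next reader.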
// stolen from musl: https://elixir.bootlin.com/musl/v1.1.9/source/src/math/ceilf.c
diff --git a/Makefile b/Makefile
index ce51c44..5f20b8a 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,7 @@ LOCAL_MINGW64_BUILD_SCRIPT := ./mingw-w64-build/mingw-w64-build
LOCAL_MINGW64_BUILD_DIR := ./x86_64-w64-mingw32
LOCAL_MINGW64_CC := $(LOCAL_MINGW64_BUILD_DIR)/bin/x86_64-w64-mingw32-gcc
LOCAL_MINGW64_DDK_INCLUDE_DIR := $(LOCAL_MINGW64_BUILD_DIR)/x86_64-w64-mingw32/include/ddk
+SIGNTOOL_PREFIX := codesign
INSTALL = install
CMAKE = cmake
@@ -41,6 +42,10 @@ all: deps-print-local-notice check-vars $(1_TARGET) $(2_TARGET) $(3_TARGET)
install: all
$(INSTALL) -d '$(DESTDIR)/'
+ test -r "$(SIGNTOOL_PREFIX)-ca-cert.pem" && \
+ $(INSTALL) "$(SIGNTOOL_PREFIX)-ca-cert.pem" $(DESTDIR)
+ test -r "$(SIGNTOOL_PREFIX)-code.p12" && \
+ $(INSTALL) "$(SIGNTOOL_PREFIX)-code.p12" $(DESTDIR)
$(INSTALL) -s --strip-program=$(dir $(CC))/x86_64-w64-mingw32-strip $(1_TARGET) $(DESTDIR)
$(INSTALL) $(1_DRIVER_NAME).bat $(DESTDIR)
$(INSTALL) -s --strip-program=$(dir $(CC))/x86_64-w64-mingw32-strip $(2_TARGET) $(DESTDIR)
@@ -116,9 +121,15 @@ $(EASTL_STATIC_LIB): .deps-built
-DCMAKE_CXX_FLAGS='-ffunction-sections -fdata-sections $(CXXFLAGS) $(EASTL_CXXFLAGS)' && \
$(MAKE) VERBOSE=1
+$(SIGNTOOL_PREFIX)-code.p12:
+ ./create_codesign_ca.sh $(SIGNTOOL_PREFIX)
+
+$(SIGNTOOL_PREFIX): $(SIGNTOOL_PREFIX)-code.p12
+
distclean: clean
rm -f .deps-built
rm -rf $(LOCAL_MINGW64_BUILD_DIR)
+ rm -f codesign*
clean:
rm -f $(1_OBJECTS) $(1_TARGET)
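Review bot: The two new `test -r … && $(INSTALL) …` lines in the `install` recipe abort the target when the certificate or the `.p12` is absent, because a failing `test -r` leaves the recipe line's exit status at 1 and make stops, while the shape of the check suggests the files are meant to be optional; the inverted form `! test -r "$(SIGNTOOL_PREFIX)-ca-cert.pem" || $(INSTALL) -m 0644 "$(SIGNTOOL_PREFIX)-ca-cert.pem" '$(DESTDIR)'` and `! test -r "$(SIGNTOOL_PREFIX)-code.p12" || $(INSTALL) -m 0600 "$(SIGNTOOL_PREFIX)-code.p12" '$(DESTDIR)'` installs when present and still fails on a real install error. The explicit `-m 0600` matters because the `.p12` carries the code-signing private key and `install` otherwise creates it with its default mode (0755). In the `distclean` hunk, `rm -f codesign*` hard-codes the default prefix; `rm -f $(SIGNTOOL_PREFIX)-*` follows a user override of `SIGNTOOL_PREFIX` and cannot match unrelated files that merely start with `codesign`. The `install` and `clean` recipes continue outside the hunks shown.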
diff --git a/README.md b/README.md
index 020024c..0cfecfe 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ make deps
## Thanks!
- [Zeranoe](https://github.com/Zeranoe/mingw-w64-build) for the Mingw64 build script
-- [sidhye](https://github.com/sidhye/dxx) for some copy paste ready CRT code ;)
+- [sidyhe](https://github.com/sidyhe/dxx) for some copy paste ready CRT code ;)
and last but not least:
diff --git a/create_codesign_ca.sh b/create_codesign_ca.sh
new file mode 100755
index 0000000..42f4608
--- /dev/null
+++ b/create_codesign_ca.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env sh
+
+set -e
+set -x
+
+COPT='-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve'
+MYDIR="$(dirname "${0}")"
+
+readonly BASE="${1:-ddk}"
+readonly REVI=1
+readonly PRFX="${BASE}-"
+readonly ROOT="${PRFX}ca"
+readonly CODE="${PRFX}code"
+
+cd "${MYDIR}"
+
+# PKCS #8 private key, encrypted, PEM format.
+# shellcheck disable=SC2086
+openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${ROOT}-private.pem" 2>/dev/null
+openssl ec -in "${ROOT}-private.pem" -passin "pass:onlytemporary" -out "${ROOT}-private-nopass.pem" #2>/dev/null
+mv "${ROOT}-private-nopass.pem" "${ROOT}-private.pem"
+openssl asn1parse -i -in "${ROOT}-private.pem"
+
+# -cert.pem is certificate (public key + subject + signature)
+openssl req -batch -verbose -new -sha256 -x509 -days 1826 -key "${ROOT}-private.pem" -out "${ROOT}-cert.pem" -config - << EOF
+[req]
+encrypt_key = yes
+prompt = no
+utf8 = yes
+string_mask = utf8only
+distinguished_name = dn
+x509_extensions = v3_ca
+
+[v3_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+
+[dn]
+CN = ${BASE} Root CA ${REVI}
+EOF
+openssl x509 -in "${ROOT}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${ROOT}-cert.pem.x509.txt"
+openssl asn1parse -i -in "${ROOT}-cert.pem" > "${ROOT}-cert.pem.asn1.txt"
+
+# subordinate #1: code signing
+cat << EOF > "${CODE}-csr.config"
+[req]
+encrypt_key = yes
+prompt = no
+utf8 = yes
+string_mask = utf8only
+distinguished_name = dn
+req_extensions = v3_req
+
+[v3_req]
+subjectKeyIdentifier = hash
+keyUsage = critical, digitalSignature
+# msCodeInd = Microsoft Individual Code Signing
+# msCodeCom = Microsoft Commercial Code Signing
+extendedKeyUsage = critical, codeSigning, msCodeInd
+
+[dn]
+CN = ${base} Code Signing Authority
+EOF
+
+# PKCS #8 private key, encrypted, PEM format.
+# shellcheck disable=SC2086
+openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${CODE}-private.pem" 2>/dev/null
+openssl ec -in "${CODE}-private.pem" -passin "pass:onlytemporary" -out "${CODE}-private-nopass.pem" 2>/dev/null
+mv "${CODE}-private-nopass.pem" "${CODE}-private.pem"
+openssl asn1parse -i -in "${CODE}-private.pem"
+
+openssl pkey -in "${CODE}-private.pem" -pubout > "${CODE}-public.pem"
+# Play some with the public key
+openssl pkey -pubin -in "${CODE}-public.pem" -text -noout > "${CODE}-public.pem.txt"
+openssl asn1parse -i -in "${CODE}-public.pem" > "${CODE}-public.pem.asn1.txt"
+
+# -csr.pem is certificate signing request
+openssl req -batch -verbose -new -sha256 -key "${CODE}-private.pem" -out "${CODE}-csr.pem" -config "${CODE}-csr.config"
+openssl req -batch -verbose -in "${CODE}-csr.pem" -text -noout -nameopt utf8 > "${CODE}-csr.pem.txt"
+openssl asn1parse -i -in "${CODE}-csr.pem" > "${CODE}-csr.pem.asn1.txt"
+
+# -cert.pem is certificate (public key + subject + signature)
+openssl x509 -req -sha256 -days 1095 \
+ -extfile "${CODE}-csr.config" -extensions v3_req \
+ -in "${CODE}-csr.pem" \
+ -CA "${ROOT}-cert.pem" -CAkey "${ROOT}-private.pem" -CAcreateserial -out "${CODE}-cert.pem"
+openssl x509 -in "${CODE}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${CODE}-cert.pem.x509.txt"
+openssl asn1parse -i -in "${CODE}-cert.pem" > "${CODE}-cert.pem.asn1.txt"
+
+# PKCS #12 .p12 is private key and certificate(-chain), encrypted
+openssl pkcs12 -export \
+ -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256 \
+ -inkey "${CODE}-private.pem" \
+ -in "${CODE}-cert.pem" \
+ -chain -CAfile "${ROOT}-cert.pem" \
+ -out "${CODE}.p12"
+openssl pkcs12 -in "${CODE}.p12" -info -nodes -nokeys -out "${CODE}.p12.txt"
+openssl asn1parse -i -inform DER -in "${CODE}.p12"
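Review bot: `CN = ${base} Code Signing Authority` in the heredoc written to `${CODE}-csr.config` references `base` in lower case, which is never set, so the subordinate certificate's CN comes out as ` Code Signing Authority` without the prefix; it should be `CN = ${BASE} Code Signing Authority`, and `set -eu` in place of `set -e` would have turned this typo into a hard error. Both private keys are intentionally rewritten without a passphrase (`mv "${ROOT}-private-nopass.pem" "${ROOT}-private.pem"` and the same for `${CODE}`), so the CA key ends up in plaintext next to the certificates with whatever the caller's umask permits; adding `umask 077` before the first `openssl genpkey` keeps the key files owner-readable only. `openssl pkcs12 -export` and the following `openssl pkcs12 -in "${CODE}.p12" -info …` are given no `-passout`/`-passin`, so they appear to prompt interactively for the export and import passwords, which blocks when the script is driven from the `$(SIGNTOOL_PREFIX)-code.p12` make rule. The `openssl ec` call for `${ROOT}` has its `2>/dev/null` commented out while the identical call for `${CODE}` redirects stderr; either drop the comment or make both consistent.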