From: Pete B. <pb...@gm...> - 2011-03-18 15:03:55
On 2011.03.17 11:37, Xiaofan Chen wrote:
> On Thu, Mar 17, 2011 at 6:59 PM, Graeme Gill<gr...@ar...> wrote:
>> I'm intrigued by the possibility of self signing though, if
>> it's possible to create an install process for the private certificate
>> that the user can run.
>
> Self-signing should work. You may want to take a look at
> libwdi and Pete should be able to help you better in this aspect.

I actually had a look at it. You can of course not escape the need for an Authenticode certificate for the .sys, but it is indeed possible to self sign the cat to avoid the prompt. Here's how you can do it, from a WinDDK prompt:

  makecert -r -pe -n "CN=SELF SIGNED DRIVER TEST AUTHORITY" -sr localmachine -a sha1 -cy authority -sky signature -sv selfroot.pvk selfroot.cer

(you'll be prompted for password twice)

  makecert -pe -n "CN=SELF SIGNED DRIVER TEST" -a sha1 -sky signature -eku 1.3.6.1.5.5.7.3.3 -ic selfroot.cer -iv selfroot.pvk -sv selfsign.pvk selfsign.cer

(again prompted)

  pvk2pfx -pvk selfsign.pvk -spc selfsign.cer -pfx selfsign.pfx

Then from an elevated prompt, one can install the certificates in the system store with:

  CertMgr /add selfroot.cer /s /r localMachine root
  CertMgr /add selfsign.cer /s /r localMachine trustedpublisher

Finally, to create the signed .cat, in the directory where you have the .inf:

  inf2cat /v /driver:. /os:XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64
  signtool sign /v /ac selfsign.cer /f selfsign.pfx *.cat

Once you have done all the above, you can get promptless driver installation. I suppose doing it with a single self signed cert, that is installed in both root and trustedpublisher, will work as well, but I haven't tried it.

Now, of course, automating all of the above when you are generating infs on the fly, as is the case with libwdi, might be a bit more challenging. Adding an openssl dependency to create the .cer/.pfx should be no big deal, and the adding of the certificate to a store is also something I already have in libwdi.
I suspect there's probably an MS API that can be used to sign the .cat in lieu of signtool. But what I don't know yet is if there exists a redistributable .cat generation tool.

Then there's the problem of ensuring that, for security reasons, whatever gets installed as trusted on the user machine has a private key that was generated on that machine and nowhere else. Unless you're in a corporate environment, spreading a private key with an application is a massive NO_NO. This means, if you don't want to end up adding self generated certs for every driver install, you will also need to sort reuse of existing key/certs from the end user machine.

I'll see what I can do to provide promptless installation for the generic infs that are autogenerated in libwdi (well, almost promptless, as I think the end users should at least be asked once if they agree to store an autogenerated self cert in root & trusted publishers), but this will require some effort... If you have a static inf however, it shouldn't be that difficult.

Regards,

/Pete
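Pete mentions that the .cer/.pfx side of the procedure could be produced with an openssl dependency, and that whatever ends up trusted on the user's machine must have a key generated on that machine and reused on later installs. The script below is an added example illustrating both points; it is not libwdi's code or Pete's. It redoes the three makecert/pvk2pfx steps from the message with openssl (1.1.1 or later on PATH is assumed), keeping the message's file names (selfroot.*, selfsign.*); root.ext and leaf.ext are helper files invented here, and the target directory is a parameter. The CertMgr, inf2cat and signtool steps that follow are unchanged from the message.

```shell
#!/bin/sh
# Added example, not libwdi's or Pete's code: the three makecert/pvk2pfx steps
# from the message redone with openssl (1.1.1 or later assumed on PATH). File
# names follow the message (selfroot.*, selfsign.*); root.ext and leaf.ext are
# helper files invented here. CertMgr / inf2cat / signtool stay as posted.
set -eu

ROOT_CN="SELF SIGNED DRIVER TEST AUTHORITY"
LEAF_CN="SELF SIGNED DRIVER TEST"

# Create, or reuse, a self-signed root and a code-signing leaf under directory $1.
# Private keys are generated on this machine and never leave it; an existing
# pair is reused so repeated driver installs do not keep adding new roots.
make_certs() {
    dir="$1"
    mkdir -p "$dir"
    umask 077   # key files readable by this user only (the .cer files too)

    if [ ! -f "$dir/selfroot.key" ]; then
        # Step 1 (makecert -r -cy authority): the self-signed root authority
        openssl genrsa -out "$dir/selfroot.key" 2048 2>/dev/null
        openssl req -new -key "$dir/selfroot.key" -subj "/CN=$ROOT_CN" \
            -out "$dir/selfroot.csr"
        printf '%s\n' "basicConstraints=critical,CA:TRUE" \
            "keyUsage=critical,keyCertSign,cRLSign" > "$dir/root.ext"
        openssl x509 -req -in "$dir/selfroot.csr" -signkey "$dir/selfroot.key" \
            -days 3650 -extfile "$dir/root.ext" -out "$dir/selfroot.cer" 2>/dev/null
    fi

    if [ ! -f "$dir/selfsign.key" ]; then
        # Step 2 (makecert -eku 1.3.6.1.5.5.7.3.3 -ic/-iv): the signing cert issued
        # by that root; "codeSigning" is OpenSSL's name for OID 1.3.6.1.5.5.7.3.3
        openssl genrsa -out "$dir/selfsign.key" 2048 2>/dev/null
        openssl req -new -key "$dir/selfsign.key" -subj "/CN=$LEAF_CN" \
            -out "$dir/selfsign.csr"
        printf '%s\n' "basicConstraints=critical,CA:FALSE" \
            "keyUsage=critical,digitalSignature" \
            "extendedKeyUsage=codeSigning" > "$dir/leaf.ext"
        openssl x509 -req -in "$dir/selfsign.csr" -CA "$dir/selfroot.cer" \
            -CAkey "$dir/selfroot.key" -CAcreateserial -days 3650 \
            -extfile "$dir/leaf.ext" -out "$dir/selfsign.cer" 2>/dev/null
        # Step 3 (pvk2pfx): key + leaf + issuer in one .pfx for "signtool sign /f";
        # exported here with an empty password
        openssl pkcs12 -export -inkey "$dir/selfsign.key" -in "$dir/selfsign.cer" \
            -certfile "$dir/selfroot.cer" -passout pass: -out "$dir/selfsign.pfx"
    fi
}

# SHA-256 fingerprint of the root: unchanged across runs when the key is reused.
root_fingerprint() {
    openssl x509 -in "$1/selfroot.cer" -noout -fingerprint -sha256 | cut -d= -f2
}

# The leaf must chain to the local root and carry the code-signing EKU; this is
# the pair that the Root / TrustedPublisher store entries later vouch for.
leaf_is_valid_codesigner() {
    openssl verify -CAfile "$1/selfroot.cer" "$1/selfsign.cer" >/dev/null 2>&1 &&
        openssl x509 -in "$1/selfsign.cer" -noout -text | grep -q "Code Signing"
}

# Only the .pfx carries the private key; the .cer files handed to CertMgr do not.
pfx_has_private_key() {
    openssl pkcs12 -in "$1/selfsign.pfx" -passin pass: -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"
}

if [ "$#" -gt 0 ]; then
    make_certs "$1"
    leaf_is_valid_codesigner "$1" && echo "root sha256 fingerprint: $(root_fingerprint "$1")"
    echo "next: CertMgr /add $1/selfroot.cer /s /r localMachine root, then inf2cat + signtool"
fi
```

Run it as `sh selfsign.sh <dir>`; running it a second time against the same directory leaves the root fingerprint unchanged, which is the "reuse existing key/certs" behaviour Pete asks for, and the private keys never appear in anything you would redistribute. Whether to ask the user once before the root and publisher certificates are added to the stores is a separate installer decision, as the message says.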