Codesigning A Driver - 64-bit

I have a program and installer that installs a driver on the users system for the program to use. However, it doesn't work on 64 bit systems.
As I understand it, I need to sign the driver to allow it to be installed. I have a code signing certificate.
How do I sign the driver with it?

You need to do cross-signing http://msdn.microsoft.com/en-us/library/windows/hardware/gg487315.aspx
It's the same as signing. Don't let people tell you it has to be Verisign or whatever. It doesn't. But it does have to be a cert on Microsoft's list (see the link).

Related

Can I self-sign my non-production kernel driver to run on my particular system?

I know that Windows kernel drivers have to be signed with an EV certificate to run on a 64-bit version of Windows 10. I also know that I can disable driver signing on my test system by running this command:
Bcdedit.exe -set TESTSIGNING ON
My goal is to write a non-production driver for my own system. It will not be installed anywhere else. I don't want to disable driver signing for the entire system, I just want to enable my particular driver to run on this particular system.
I am basically trying to see if I can create a self-signed certificate, add it to the root store and sign my driver with it. (Again, in a non-production environment.)
Can I do this? And if so, then how?

Allow only signed applets to be installed on a JavaCard managed by GlobalPlatform 2.2.1

I'd like to provision a JavaCard so that it only allows the installation of applets that are signed by a certain key. I am not sure whether this signature is part of the cap file format. I can already install a cap file from an Android device via code taken from GlobalPlatformPro. The GlobalPlatformPro README (https://github.com/martinpaljak/GlobalPlatformPro/blob/master/README.md) mentions application signing. But I am not sure this is the way to accomplish what I need to do. I am not even sure this is possible at all.
How do I need to prepare a card to only allow installation of signed cap files?
How do I create such a cap file?
I can already lock a card with a certain key, and then this key is needed to install any cap file. But this would mean that I need to distribute the key with the cap files, so it can be installed. That is not an option as it would compromise the key.
You should read the Global Platform Specification, all information is given there.
Points to look out for that should match your requirements:
Mandated DAP Verification
Delegated Management Tokens
You will still probably need to check that your Java Card supports the given feature(at least Tokens are optional for card manufacturers) and you will need a terminal software that supports this feature(which might be difficult, as it is not very commonly used).

ECDSA signing and verification in windows and linux

This is continuation of my previous post (Understanding BCryptSignHash output signature).
Let me clearly state my problem:
I need to sign a data in windows application level.
I need to verify the same in linux application level and windows driver (that i have wrote).
I tried following:
Using CryptoAPI, i was able to sign in windows application level and verify in the windows driver. In linux, i tried to use simpleECDSA (http://jonasfj.dk/blog/2007/12/simpleecdsa-a-simple-implementation-of-ecdsa-in-c/) to verify the signature (generated using cryptoAPI). I was able to convert the binary key blobs from cryptoAPI in simpleECDSA but could not interpret the signature.
Using Crypto++ library, i was able to sign in windows application level and verify in linux application level but could not use the same to verify in windows driver.
Kindly let me know if there is a library available or a way that i could use the same public/private key and signature across windows application/driver and linux.
Am new to cryptography hence forgive my naiveness.
Thanks,
F

Digitally signing an executable, trusting its requests on the server

I'm building a cross-platform app that will communicate with the server. Security is very important.
Is there a scheme that will allow me to "trust" that the executable is genuine and hasn't been tampered with and that the requests are indeed coming from my signed executable and not an impersonator? Seems like the traditional man-in-the-middle attack. How can I prevent it?
I understand that I can sign an executable with a trusted CA under Windows. This ensures that the executable hasn't been tampered with on the user's machine. However, a targeted virus can still replace the executable (as opposed to modifying it) with an impersonator and Windows won't complain.
Can, then, my genuine executable sign the requests it is making to the server and can I validate these requests on the server? The naive solution is to embed a "private certificate" in the signed executable. However, I suspect that it's possible to extract this private certificate even from a signed executable.
Finally, are there executable signing mechanisms in OSX and Linux?
For code signing on Mac there are some reference in StackOverflow here and here. I've seen different things for Linux like signelf, bsign (used by digsig), elfsign.
As mentioned by Nickolay O., code signing will not do anything against decompilation. Code signing doesn't prevent man-in-the-middle and it's not a solution to demonstrate to a server that the client hasn't been tampered with.
Signing executables has meaning only for OS - to let it know, that executable is a good one.
If somebody can decompile your application, than you cannot be sure in any way that request was sent by the valid executable.

DDK/WDM developing problem ... driver won't load on x64 windows platform

I am a beginner at DDK/WDM driver developing field.
I have a task which involves porting a virtual device driver from x86 to x64 (intel).
I got the source code, I modified it a bit and compiled it succesfuly with DDK (build environments). But when I tried to load it on a ia64 Windows7 machine it didn't want to load.
Then I tried some simple examples of device drivers from
--http://www.codeproject.com/KB/system/driverdev.aspx (I put '--' to be able to post the hyperlink) and from other links but still the same problem.
I hear on a forum that some libraries that you use to link are not compatible with the new machines and suggested to link to another similar libraries...but still didn't worked.
When I build I use "-cefw" command line parameters as suggested.
I do not have an *.inf file asociated but I'm copying it in system32/drivers and I'm using WinObj to see if next restart it's loaded into the memory.
I also tried this program ( http://www.codeproject.com/KB/system/tdriver.aspx ) to load the driver into the memory but still didn't worked for me.
Please please help me...I'm stuck on this and my deadline already passed.
I feel I'driving nuts in here trying to discover what am I doing wrong.
So, to summarize everything:
You need to build for the corect architecture (x64 for Intel/AMD CPUs).
You MUST sign your driver. You must do this even in test mode with a self signed certificate. There is no alternative.
You MUST use an .inf file to install. If the driver is non-pnp then you don't need an .inf file, but it is very unlikely that the driver is non-pnp. In that case you need to manually create the associated service for the driver in the service control manager with sc.exe or programmatically with the SCM API. If the driver isw pnp (most likely) you must install it via an .inf file (with devcon.exe or other way). Also, installing it is not the same as loading it. For that, the appropriate hardware must be present or you must enumerate it in software (with devcon.exe for exemple).
I did not wrote a driver, but on the basis on what I hear from colleagues: Are your driver digitaly signed? If not, look for information on loading unsigned drivers on 64bit systems.
Two things:
You mention both x64 (also called x86-64, AMD64, or EMT64) and IA64 (Itanium). You understand they are two completely different architectures, right? Do you have an Itanium System? If not, you should not be compiling anything using the IA-64 build environment. It won't run on a standard PC (32 or 64).
Under 64-bit, the driver must digitally signed for production use. You will need to get an Authenticode certificate from Verisign or similar. For testing purposes, you can bypass the signature check by pressing F8 at boot time. You can also sign with a test certificate.
http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

Resources