sweep079.htm

数字签名---Delphi Activex

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD><TITLE>Authenticode</TITLE>
<STYLE>
#tctop {color: red}
#cpslug {color: red; text-decoration: none}
</STYLE>
</HEAD>
<BODY TOPMARGIN=10 BGPROPERTIES="FIXED" BGCOLOR="#FFFFFF" LINK="#000000" VLINK="#000000" ALINK="#000000">
<FONT FACE="ARIAL,HELVETICA" SIZE="2">
<TABLE BORDER=0 ALIGN=RIGHT><TR><TD VALIGN=TOP>
<A HREF="sweep078.htm" TARGET="TEXT"><IMG SRC="u_prev_3.gif" WIDTH="30" HEIGHT="30"  BORDER=0 ALT="Previous"></A>
</TD>
<TD VALIGN=TOP><A HREF="sweep080.htm" TARGET="TEXT"><IMG SRC="u_next_3.gif" WIDTH="30" HEIGHT="30"  BORDER=0 ALT="Next"></A>
</TD></TABLE>
<H2><A NAME="codesign_0001090104000000">Authenticode</A></H2>
<BR CLEAR=ALL>
<P>Authenticode consists of programs to digitally sign files and programs to check that the files were, indeed, successfully signed. 
<P>The programs are:
<UL><LI>MakeCert, which creates a test X.509 certificate.
<LI>Cert2SPC, which creates a test SPC.
<LI>SignCode, which uses the SPC to sign a file.
<LI>PeSigMgr, which checks to see that the file was signed.
<LI>ChkTrust, which checks the validity of the file.
</UL>
<P>These programs are discussed in more detail below.
<P>Note that before using the test X.509 certificate, you will want to
add some keys to your registry. Type
<P>regedit wvtston.reg
<P>(located in the directory that you installed the signing tools) before attempting to use the test certificate.
<P>
<H3><A NAME="codesign_0001090104010000">MakeCert</A></H3>
<P>Use the MakeCert program to generate a test X.509 certificate. The program does the following:
<OL><LI>It creates a public/private key pair for digital signatures and associates it with a name that you choose.
<LI>It associates the key pair with a publisher's name that you choose.
<LI>It creates an X.509 certificate, signed by the root key or one you specifiy, that binds your name to the public part of the key pair. If you do not specify a root key, MakeCert generates one for you.
</OL>
<P>The syntax for invoking MakeCert is:
<P>MAKECERT [<I>options</I>] <I>outputfile</I> 
<P>where the options are:
<UL><LI><B>-u:</B><I>subjectKey</I> which is the location of the publisher's key pair name. If a key pair does not exist, one is created.
<LI><B>-k:</B><I>subjectKeyFile</I> which is the location of the publisher's .pvk file.
<LI><B>-n:</B><I>name</I> which is the name for the publisher's certificate. This name must conform to the X.500 standard. The easiest way to do this is to use the form "CN=<I>MyName</I>."
<LI><B>-d:</B><I>displayname</I> which is the display name of the publisher in the SPC UI.
<LI><B>-s:</B><I>issuerKeyFile</I> which is the location of the issuer's key. The default is the root key.
<LI><B>-i:</B><I>issuerCertFile</I> which is the location of the issuer's certificate.
<LI><B>-b:</B><I>logoFile</I> which is the file name of the SPC agency logo (for example, a .bmp file).
<LI><B>-l:</B><I>policyLink</I> which is a link to SPC agency policy information (for example, a URL).
<LI><B>-U:</B><I>subjectCertFile</I> is the certificate file name with the existing subject public key to be used.
<LI><B>-#:</B><I>serialNumber</I> which is the serial number of the certificate. The maximum value is 2^31. The default is a value generated by the program that is guaranteed to be unique.
<LI><B>-I</B> which means the certificate will be used by individual software publishers.
<LI><B>-C</B> which means the certificate will be used by commercial software publishers.
<LI><B>-C:</B><I>f</I> which means the certificate will be used by commercial software publishers who have met the minimum financial criteria.
<LI><B>-S:</B><I>session</I> which is the session name for an enrollment session.
<LI><B>-P:</B><I>purpose</I> which is the purpose for which the certificate is being generated. This parameter can either be CodeSigning (this is the default) or ClientAuth.
<LI><B>-x:</B><I>providerName</I> which is the CryptoAPI provider to use. (See the CryptoAPI documentation for more details.)
<LI><B>-y:</B><I>nProviderType</I> which is the CryptoAPI provider type to use. (See the CryptoAPI documentation for more details.)
<LI><B>-K:</B><I>keyspec</I> which is the key specification. This parameter can either be S for a signature key (this is the default) or E for a key-exchange key.
<LI><B>-B:</B><I>dateStart</I> which is the date when the certificate first becomes valid. The default is when the certificate is created.
<LI><B>-D:</B><I>nMonths</I> which is the duration of the validity period.
<LI><B>-E:</B><I>dateEnd</I> which is the date when the validity period ends. The default is the year 2039.
<LI><B>-h:</B><I>numChildren</I> which is the maximum height of the tree below this certificate.
<LI><B>-t:</B><I>types</I> which is the certificate type. This parameter can be E for end-entity, C for certificate authority, or both.
<LI><B>-g</B> which creates a glue certificate.
<LI><B>-r</B> which creates a self-signed certificate.
<LI><B>-m</B> which means to use the MD5 hash algorithm. This is the default.
<LI><B>-a</B> which means to use the SHA1 hash algorithm. 
<LI><B>-?</B> which displays all the options.
</UL>
<P>Here is an example:
<PRE><FONT FACE="Courier" SIZE="2">&gt;MakeCert -u:MyKey -n:CN=MySoftwareCompany Cert.cer</FONT></PRE>
<P>This generates a certificate file called Cert.cer. The public part of the key pair called KeyName is bound to the publisher, MySoftwareCompany.
<P>This utility program should not be used once the software publisher obtains a valid X.509 software publisher certificate from the appropriate CA.
<H3><A NAME="codesign_0001090104020000">Cert2SPC</A></H3>
<P>After you have generated a certificate, you must create an SPC with the Cert2SPC program. This program wraps the X.509 certificate and the root certificate into a PKCS#7 signed-data object. PKCS#7 objects are commonly used to carry certificates because it is possible to put several of them into a single object. Again, this program is for test purposes only. A valid SPC is obtained from a CA.
<P>The syntax for Cert2SPC is:
<P><B>Cert2SPC</B> <I>cert1</I><B>.cer</B> <I>cert2</I><B>.cer</B>. . .<I>certN</I><B>.cer</B> <I>output</I><B>.spc</B>
<P>where:
<UL><LI><I>cert1</I>. . .<I>certN</I> are the names of the X.509 certificates.
<LI><I>output</I> is the name of the SPC. This is a PKCS#7object containing the X.509 certificate and the root certificate.
</UL>
<P>Here is an example:
<PRE><FONT FACE="Courier" SIZE="2">&gt;Cert2Spc root.cer cert.cer cert.spc</FONT></PRE>
<P>This combines Cert.cer and Root.cer to make an SPC called Cert.spc.
<H3><A NAME="codesign_0001090104030000">SignCode</A></H3>
<P>The final step is to use the SPC to actually sign a file. This is done with the SignCode program. This program will:
<OL><LI>Create a cryptographic digest of the file.
<LI>Sign the digest with your private key.
<LI>Extract the X.509 certificates from the SPC.
<LI>Create a new PKCS#7 signed-data object that contains the serial numbers of the certificates and the signed digest information.
<LI>Embed the object into the file.
</OL>
<P>If you have a valid SPC, then you can use this program to actually sign your code. The SignCode program has a wizard to help you do this. To sign code using the wizard, simply type "SignCode" without any options. If you want to sign your code manually, the syntax is:

<P>SignCode [<B>-prog</B> <I>filename</I> <B>-spc </B><I>credentials</I> <B>-pvk </B><I>privateKeyFile </I>] [<I>options</I>]

<P>where:
<UL><LI><B>-prog </B><I>filename</I> is the name of the file to sign.
<LI><B>-spc</B> <I>credentials</I> is the file that contains the credentials. This is usually an .spc file.
<LI><B>-pvk </B><I>privateKeyFile</I> is the file containing the private key of the publisher. This is usually a .pvk file.
</UL>
<P>and where the <I>options</I> are:
<UL><LI><B>-name </B><I>opusName</I> which is a name for your program.
<LI><B>-info </B><I>opusInfo</I> which is a location, such as an URL, for obtaining information about your program.
<LI><B>-gui </B>which invokes the wizard.
<LI><B>-nocerts </B>which means you do not want any X.509 certificates embedded in the PKCS#7 signed-data object. In this case, the relevant certificates must already be stored on the client computer.
<LI><B>-provider </B><I>providerName</I> which is the CryptoAPI provider to use. (See the CryptoAPI documentation for more details.)
<LI><B>-providerType</B> <I>providerType</I> which is the CryptoAPI provider type to use. (See the CryptoAPI documentation for more details.)
<LI><B>-commerical </B>which means the code being signed was created by a commercial software publisher.
<LI><B>-individual</B> which means the code being signed was created by an individual software publisher.
<LI><B>-sha </B>which means you want to use the SHA hashing algorithm.
<LI><B>-md5</B> which means you want to use the MD5 hashing algorithm. This is the default hashing algorithm.
<LI><B>-?</B> Which displays all the options.
</UL>
<P>Here is an example of how to sign a file:
<PRE><FONT FACE="Courier" SIZE="2">&gt;SignCode -prog MyProgram.exe -spc Cert.spc -pvk MyKey</FONT></PRE>
<P>This embeds a PKCS#7 object, Cert.spc, into the digest of file, MyProgram. The digest is signed with the private key of the MyKey key pair.
<P>Once this is done (assuming you have a valid certificate), the file can be distributed to your customers.
<H3><A NAME="codesign_0001090104040000">PeSigMgr</A></H3>
<P>The PeSigMgr program checks to see if SignCode was successful. This means the file should have a PKCS#7 object embedded in it. Here is the syntax:
<P>PESIGMGR [<I>options</I>] <I>signedfile</I>
<P>where the <I>options</I>are:
<UL><LI> <B>-l </B>which lists the certificates in an image.
<LI><B>-a:</B>&lt;-<I>filename</I> -&gt; which adds a certificate file to an image.
<LI> <B>-r:</B>&lt;-<I>index</I> -&gt; which removes certificate &lt;-<I>index</I> -&gt; from an image.
<LI> <B>-s:</B>&lt;-<I>filename</I> -&gt; which is used with <B>-r</B> to save the removed certificate.
<LI><B>-t:</B>&lt;-<I>CertType</I> -&gt; which is used with <B>-a</B> to specify the type of certificate, where CertType may be X509 or PKCS7. (The default is PKCS7.)
<LI> <B>-?</B> which displays all the options.
</UL>
<P> and where <I>signedfile</I> is the name of the signed file you want to check.
<P>Here is an example:
<PRE><FONT FACE="Courier" SIZE="2">&gt;PeSigMgr -l MyProgram.exe</FONT></PRE>
<P>A sample response is:
<PRE><FONT FACE="Courier" SIZE="2">&gt;Certificate 0 Revision 256 Type PKCS#7</FONT></PRE>
<P>This means a certificate was embedded in the file.
<H3><A NAME="codesign_0001090104050000">ChkTrust</A></H3>
<P>The ChkTrust program checks the validity of the file by:
<OL><LI>Extracting the PKCS#7 signed-data object.
<LI>Extracting the X.509 certificates from the PKCS#7 signed-data object.
<LI>Computing a new hash of the file and comparing it with the signed hash in the PKCS#7 object.
</OL>
<P>If the hashes agree, ChkTrust then verifies that the signer's X.509 certificate points back to the root certificate and that the correct root key was used.
<P>If all these steps are successful, the file has not been tampered with, and the vendor was authorized to publish the file by the root authority.
<P>Here is the syntax:
<P>CHKTRUST [<I>type</I>] <I>signedfile</I>
<P>where <I>type</I> is one of the following:
<UL><LI> <B>-c</B> which is a cabinet file.
<LI> <B>-i</B> which is a PE image file. 
<LI> <B>-j</B> which is a Java class file.
</UL>
<P>Here is an example:
<PRE><FONT FACE="Courier" SIZE="2">ChkTrust MyProgram.exe</FONT></PRE>
<P>A successful response is:
<PRE><FONT FACE="Courier" SIZE="2">Result: 0</FONT></PRE>
<TABLE BORDER=0 ALIGN=RIGHT><TR><TD VALIGN=TOP>
<A HREF="sweep078.htm" TARGET="TEXT"><IMG SRC="u_prev_3.gif" WIDTH="30" HEIGHT="30"  BORDER=0 ALT="Previous"></A>
</TD>
<TD VALIGN=TOP><A HREF="sweep080.htm" TARGET="TEXT"><IMG SRC="u_next_3.gif" WIDTH="30" HEIGHT="30"  BORDER=0 ALT="Next"></A>
</TD></TABLE>
<P><P><FONT FACE="MS SANS SERIF" SIZE="1" COLOR="BLACK">
<A ID=cpslug HREF="copyrite.htm" TARGET=TEXT>&#169; 1996 Microsoft Corporation</A>
</FONT>
<BR CLEAR=ALL>
</FONT><P>
</BODY></HTML>