Microsoft KB Archive/159893

= Readme.txt for the ActiveX SDK (InetSDK\Bin) =

Article ID: 159893

Article Last Modified on 8/18/2005

-

APPLIES TO


 * Microsoft ActiveX SDK

-



This article was previously published under Q159893



SUMMARY
The following article contains the complete contents of the Readme.txt file distributed with the ActiveX SDK for Internet Explorer 3.01. (This is the Readme.txt installed on the \Inetsdk\Bin subdirectory.)



MORE INFORMATION
NOPROXY.REG   Quick setup for INet SDK without a CERN proxy

PROXY.REG     Quick setup for INet SDK with a CERN proxy called "proxy"

MkTypLib.Exe  Unsupported build provided for this SDK. The official release will use MIDL.

STMTOOL.EXE   Now called ODS_TOOL.exe, Tool for creating .STM files for use in the  tag.

DIANTZ.EXE    Now called Diamond.exe, included in CABDevKt.exe.

SHOW SCRIPT ERRORS.REG Registry settings to enable reporting of script errors in Internet Explorer. By default, the browser displays a dialog when it encounters an error parsing or running a script on a page. The dialog contains a checkbox (on by default) for disabling the reporting of additional errors on the same page.

Signing code for download

=
============

Introduction

Document Overview - This guide presents general information about how to use the tools provided with IE30 to generate and use cryptographic certificates with IE30. It does not attempt to provide an in-depth discussion of public key cryptography, X.509 certificates, or certification policy. See the recommended reading list for suggested books and documents that will help you understand those and other background issues.

Following this introduction, this guide is divided into the following sections:

- Terminology

Describes the terms used in this document that may be new to you.

- Procedural Overview

This section gives a brief description of each step of the signing procedure and an example of how it would be used by walking through a sample session from start to finish.

- Required Files List

- Recommended Reading

Terminology --- X.509 Certificate - A cryptographic certificate that associates an entity's name with its public key.

PKCS 7 "SIGNED DATA" - A widely used convention for containing the data used to sign an image or a document, typically including the certificate of the signer and a statement about the image made by the signer.

WIN_CERTIFICATE - A new Win32 defined data structure that contains either a PKCS 7 signed data object or an X.509 Certificate.

Certification Authority (CA) - An entity that is making a statement (represented by an X.509 Certificate) about the authenticity of some other certificate.

SPC - Software Publishing Certificate. A statement that the recipient is an approved software vendor, represented as an X.509 certificate.

PE Image - Portable Executable Image, the standard Win32 executable format.

Trust provider - A part of the operating system that verifies whether or not a given image is trusted based on the certificates it contains.

Procedural Overview --- We will now walk through an example of how to sign an image. Assume we are going to sign an image named Image.exe.

This procedure is meant to illustrate the steps involved in signing an image file. Since creating a verifiable certificate assumes the existence of a fairly complex CA infrastructure, it is not possible to provide all of the pieces necessary for a fully trustworthy signature at this time. In particular, there does not exist a "top-level" certifying authority, which would ultimately vouch for the integrity of the entire certificate chain. Since such a top-level authority is a necessary part of the signing and verification operations, the toolkit provided will create a pseudo top- level entity when necessary. This will be called the root authority or root key.

The present tools therefore allow any user of this development release to authorize themselves as a "Software Publisher" for test purposes and to sign their code, allowing for extensive testing of the tools and code used but not actually providing a secure infrastructure. In future releases, the tools will require software publishers to obtain certificates from companies whose function is to verify the identity of the publishers, providing end-users with a high level of assurance about the authenticity and origin of code that they receive.

This sample root key will be used to generate an SPC (Software Publishing Certificate), which is used to actually sign image files.

1) The first step is to run the MakeCert utility. MakeCert will perform the following tasks:

- Create the end-user's public/private keypair suitable for digital signatures, and associate the keypair with a friendly name.

- Associate the new keypair with an X.500 Distinguished Name, and

- Create an X.509 certificate signed by the root key that binds your name to the public part of the newly created keypair.

A typical invocation of MakeCert is as follows:

c:\>makecert -u:MyKey -n:CN=MySoftwareCompany Cert.cer

Cert.crt now contains an X.509 certificate that binds your newly created key with your name. This certificate is itself signed by the example root key described above.

A public key/private key pair will be generated and assigned the name specified in the "-u" switch, or if such a key already exists, it will be re-used.

Note that the name must be of the form "CN=[name-string]", as required by the ITU x.509 standard.

2) The next step is to wrap the X.509 certificate created in step 1 into a PKCS 7 signed-data object. PKCS 7 objects are commonly used as "carriers" for X.509 certificates, because it is possible to put several X.509 certificates in a single PKCS 7 object.

In addition to the users's certificate, the root certificate will also be inserted into the PKCS 7 object. This will allow passing around the entire certificate chain in a single container.

Do this with the Cert2SPC utility, as follows:

c:\>Cert2SPC Root.cer Cert.cer Cert.spc

Cert.spc now contains the Software Publishing Certificate in the correct format.

3) The next step is to use the certificate just created to sign an actual image file. Do this with the SignCode tool. It takes as input the Cert.spc file created in step 2, the name of the key pair created in step 1, and the name of the image file to sign.

SignCode will perform the following tasks:

- Create a cryptographic digest of the passed image file.

- Sign the digest with the passed private key information.

- Extract the X.509 certificates from the passed Cert.spc file.

- Create a new PKCS 7 signed-data object containing the serial number of the passed X.509 certificate and the signed digest information.

- Embed the PKCS 7 object into the passed image file.

c:\>SignCode -prog image.exe -spc cert.spc -pvk MyKey

If SignCode is successful, image.exe will have a PKCS7 certificate embedded in it. Verify this by running PeSigMgr.exe on the image:

c:\>PeSigMgr -l image.exe

Certificate  0 Revision 256 Type    PKCS7

4) Now, check the validity of the image. Do this with the ChkTrust utility.

c:\>ChkTrust image.exe

ChkTrust performs the following tasks:

- Extract the PKCS 7 signed data object from the image.

- Extract the X.509 certificates from the PKCS 7 object.

- Compute a new cryptographic checksum of the image file and compare it with the signed checksum in the PKCS 7 object.

- If the image checks out, validate that the signer's X.509 certificate points back to the root certificate, and that the root key used was correct.

If all this succeeds, the system has verified that the image has not been tampered with, and that whoever published this piece of software was authorized to do so by the root authority.

List of Required Files -- WINTRUST.DLL  (In System/System32 directory) DIGSIG.DLL    (In System/System32 directory) MAKECERT.EXE CERT2SPC.EXE SIGNCODE.EXE PESIGMGR.EXE CHKTRUST.EXE ROOT.CER ROOT.PVK

Additional query words: kbdsi

Keywords: KB159893

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.