Reputation: 1056
So in Windows you can go to the digital signature tab to check the file's certificate, but how can I check whether the certificate is an EV certificate or not? Does it show it somewhere in the details of the certificate?
Clearer question: let's say you have a signed driver in Windows; how can you check whether it has an EV certificate or not?
Upvotes: 2
Views: 1278
Reputation: 4184
EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement. As with root certificate authorities in general, browsers may not recognize all issuers.
EV HTTPS certificates contain a subject with X.509 OIDs for jurisdictionOfIncorporationCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3),[11] jurisdictionOfIncorporationStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2) (optional),[12] jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1) (optional),[13] businessCategory (OID: 2.5.4.15) and serialNumber (OID: 2.5.4.5), with the serialNumber pointing to the ID at the relevant secretary of state (US) or government business registrar (outside US), as well as a CA-specific policy identifier so that EV-aware software, such as a web browser, can recognize them. This identifier is what defines an EV certificate and is the difference from an OV certificate.
Source: Wikipedia
There is no way to identify the EV certificate technically. The browser vendors maintain lists of Policy OIDs. Here is Google Chrome's list: https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc
As an example:
    // AddTrust External CA Root
    // https://addtrustexternalcaroot-ev.comodoca.com
    {
        {{0x68, 0x7f, 0xa4, 0x51, 0x38, 0x22, 0x78, 0xff, 0xf0, 0xc8, 0xb1,
          0x1f, 0x8d, 0x43, 0xd5, 0x76, 0x67, 0x1c, 0x6e, 0xb2, 0xbc, 0xea,
          0xb4, 0x13, 0xfb, 0x83, 0xd9, 0x65, 0xd0, 0x6d, 0x2f, 0xf2}},
        {
            "1.3.6.1.4.1.6449.1.2.1.5.1",
            // This is the Network Solutions EV OID. However, this root
            // cross-certifies NetSol and so we need it here too.
            "1.3.6.1.4.1.782.1.2.1.8.1",
        },
    },
You will find the OID "1.3.6.1.4.1.6449.1.2.1.5.1" or "1.3.6.1.4.1.782.1.2.1.8.1" in every EV certificate issued by "AddTrust External CA Root". This is how they are identified.
Upvotes: 1
Reputation: 56
EV certificates depend on the intermediate certificate.
Windows loads the driver if its signature is cross-signed with the "Microsoft Code Verification Root".
Use signtool verify /v /kp Filename.sys
and check the "Cross Certificate Chain" part; you should see "Microsoft Code Verification Root".
Upvotes: 1