windows - 如何检查Windows驱动程序是否有EV证书？

Question

所以在Windows中你可以进入数字签名选项卡来检查文件的证书，但是我如何检查证书是否是EV证书？它是否在证书的详细信息中显示了它？

更明确的问题:假设您在 Windows 中有一个签名驱动程序，如何检查它是否具有 EV 证书？

Answer 1

EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement. As with root certificate authorities in general, browsers may not recognize all issuers. EV HTTPS certificates contain a subject with X.509 OIDs for jurisdictionOfIncorporationCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3),[11] jurisdictionOfIncorporationStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2) (optional),[12]jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1) (optional),[13] businessCategory (OID: 2.5.4.15) and serialNumber (OID: 2.5.4.5), with the serialNumber pointing to the ID at the relevant secretary of state (US) or government business registrar (outside US), as well as a CA-specific policy identifier so that EV-aware software, such as a web browser, can recognize them. This identifier is what defines EV certificate and is the difference with OV certificate.

来源:Wikipedia

技术上无法识别EV证书。 浏览器供应商维护策略 OID 列表。这是 Google Chrome 的一个:https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc

举个例子:

    // AddTrust External CA Root
    // https://addtrustexternalcaroot-ev.comodoca.com
    {
        {{0x68, 0x7f, 0xa4, 0x51, 0x38, 0x22, 0x78, 0xff, 0xf0, 0xc8, 0xb1,
          0x1f, 0x8d, 0x43, 0xd5, 0x76, 0x67, 0x1c, 0x6e, 0xb2, 0xbc, 0xea,
          0xb4, 0x13, 0xfb, 0x83, 0xd9, 0x65, 0xd0, 0x6d, 0x2f, 0xf2}},
        {
            "1.3.6.1.4.1.6449.1.2.1.5.1",
            // This is the Network Solutions EV OID. However, this root
            // cross-certifies NetSol and so we need it here too.
            "1.3.6.1.4.1.782.1.2.1.8.1",
        },
    },

您将在“AddTrust external CA Root”颁发的每个 EV 证书中找到 OID“1.3.6.1.4.1.6449.1.2.1.5.1”或“1.3.6.1.4.1.782.1.2.1.8.1”。这就是它们的识别方式。