; crypto.txt ; ; This data file shows all files that require CSP signing or are involved with ; the high encryption pack. It is used by the following scripts to drive processing. ; 1) public\tools\crypto.cmd (TS cert stuffing, CSP-signing, encrypted installers) ; 2) bldrules\ispu.cmd (encryption pack generation) ; 3) encryption pack propagation script ; 4) miscellaneous verification scripts ; ; Need Test sign ; Path rela- Needs Needs on EP Modify on these ; tive to Encrypted Local- to be to be Add TS Prod releas for platforms ;File %binaries% Installer izable? MACd? Signd? Cert? Type share? Intl? where 5=yes ;[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] ;----------- ---------- ------------ ------- ------ ------ ------ ---- ------ ------ --------- ; 128-bit binaries dssenh.dll . instdss5.dll no yes yes no wks no no i386:ia64:amd64 ipsec.sys . instips5.dll no no no no wks no can - lsasrv.dll . instlsa5.dll yes no no no wks no yes - ndiswan.sys . instndi5.dll no no no no wks no can - rsaenh.dll . instrsa5.dll yes yes yes no wks yes no i386:ia64:amd64 ; 40/56-bit binaries gpkcsp.dll . - no no yes no wks no no i386:ia64:amd64 sccbase.dll . - no no yes no wks no no i386:ia64:amd64 sccsccp.dll . - no no yes no wks no no i386:ia64:amd64 slbcsp.dll . - no no yes no wks no no i386:ia64:amd64 ; additional high encryption pack files encpack.sed encpack - yes no no no - no yes - encpack.inf encpack - yes no no no wks no yes - enceula.txt noexport - yes no no no wks yes yes - encread.txt noexport - yes no no no wks yes yes - ; generated high encryption pack self extracting exe encpack.exe noexport - no no no no wks yes yes - ; Add TS certificate to Terminal Services Binaries termdd.sys . - no no no yes srv no can - tdasync.sys . - no no no yes srv no can - tdipx.sys . - no no no yes srv no can - tdnetb.sys . - no no no yes srv no can - tdpipe.sys . - no no no yes srv no can - tdspx.sys . - no no no yes srv no can - tdtcp.sys . - no no no yes srv no can - tsddd.dll . - no no no yes srv no can - rdpdd.dll . - no no no yes srv no can - rdpwd.sys . - no no no yes srv no can - rdpwsx.dll . - no no no yes srv no can - ; ; Column Key ; ; [1] Files involved with crypto signing and/or the high encryption pack encpack.exe creation. ; [2] Path to file after binplacing it, relative to %binaries%. ; [3] Encrypted installers contain an encrypted version of their associated 128-bit binary as ; a resource; they ship in all languages of the product, but will only install their ; 128-bit binary if the trigger file rsaenhs.dll exists on the machine. The trigger ; file gets installed upon running encpack.exe. There is a one-to-one correspondence ; between 128-bit files and encrypted installers. ; [4] Attribute of 128-bit file, not the encrypted installer; version-stamp only ==> no ; [5] Crypto MACed (an internal cryptographic checksum requred by FIPS). maccsp is run on image. ; [6] Crypto signed (not to be confused with PRS/catalog signing). Yes implies the following: ; ==> Cryptographic signature added to the image by one of the following methods: ; a) test signature via US build process public\tools\crypto.cmd (from enigma server) ; b) real signature via crypto team for final build (from the bbn box in the vault) ; ==> This files is either a CSP (cryptographic service provider) or security package ; ==> International languages need to release these files binary-identical to what US releases ; Change column [11]'s fields to turn on/off test signing on a per-platform basis. Any ; file requiring a signature, no matter how it gets signed, needs to have the value 'yes' ; in this column. ; [7] Terminal services certificate added to image. Verify with idw\tscrtvfy.exe. ; [8] Applicable product types. ; srv ==> bla, sbs, srv, ent, dtc; installed via tsocenc.inf; they're for terminal services ; wks ==> wks, per, bla, sbs, srv, ent, dtc; installed via encinst.inf ; - ==> not applicable to any product, perhaps used to generate sfx ; [9] Files that need to be on the encryption pack release share. ; yes ==> needed for media or test installs ; the media creation script is orville\razzle -p setup\bom\encpack.bat ; no ==> won't hurt to be present, may be useful for testing purposes ;[10] Derived info from other columns to clarify what's needed for international languages. ; Don't have scripts use this column; use the other columns directly instead. ; no <== the file gets crypto signed ; can <== the file does not get crypto signed or localized so intl langs have no restrictions ; yes <== the file does not get crypto signed AND the file gets localized or is ; necessarily rebuilt for intl ;[11] This column only applies to files that require signing ([6]==yes). ; Valid values: any combination of the following: { i386,amd64,ia64 } ; Test sign binaries on the specified platforms via signcsp.exe and enigma. Otherwise, ; these files need to be checked in already vault-signed with real signatures for RTM. ; Platforms need to be colon-delimited with no spaces. ; Note that when checking in vault-signed files, the idea is that nothing modifies them ; afterward. ; a) avoid rebasing by adding to public\tools\never.reb ; b) let the perf team know to avoid re-optimizing ; c) crypto.cmd already marks the file not-to-be-rebound ; d) these files should not be localized, independent of test or real signing.