build for windows with cac drivers, adobe and certificates

resources/certificates/certificates.psm1

+#requires -version 3
+#https://github.com/nsacyber/Windows-Secure-Host-Baseline/tree/master/Certificates
+Set-StrictMode -Version 3
+
+Function Get-Certificates() {
+    <#
+    .SYNOPSIS
+    Gets certificates.
+
+    .DESCRIPTION
+    Gets certificates for a specific certificate store location and certificate store name.
+
+    .PARAMETER StoreLocation
+    The certificate store location.
+
+    .PARAMETER StoreName
+    The certificate store name.
+
+    .EXAMPLE
+    Get-Certificates -StoreLocation 'CurrentUser'
+
+    .EXAMPLE
+    Get-Certificates -StoreLocation 'LocalMachine'
+
+    .EXAMPLE
+    Get-Certificates -StoreLocation 'CurrentUser' -StoreName 'My'
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Scope='Function')]
+    [CmdletBinding()]
+    [OutputType([System.Security.Cryptography.X509Certificates.X509Certificate2[]])]
+    Param(
+        [Parameter(Mandatory=$true, HelpMessage='The certificate store location')]
+        [ValidateNotNullOrEmpty()]
+        [ValidateSet('CurrentUser','LocalMachine',IgnoreCase=$true)]
+        [string]$StoreLocation,
+
+        [Parameter(Mandatory=$false, HelpMessage='The certificate store name')]
+        [ValidateNotNullOrEmpty()]
+        [ValidateSet('ACRS','ADDRESSBOOK','AuthRoot','CA','ClientAuthIssuer','Disallowed','DPNGRA','EFS','FlightRoot','FVE','FVE_NKP','My','REQUEST','Root','SmartCardRoot','Trust','TrustedDevices','TrustedPeople','TrustedPublisher','UserDS','Windows Live ID Token Issuer',IgnoreCase=$true)]
+        [string]$StoreName
+    )
+
+     if ($null -eq $StoreName) {
+         $certificates = [System.Security.Cryptography.X509Certificates.X509Certificate2[]]@(Get-ChildItem -Path cert:\ -Recurse | Where-Object {$_.PSParentPath -like "*$StoreLocation*" -and $_.PSIsContainer -eq $false})
+     } else {
+         $certificates = [System.Security.Cryptography.X509Certificates.X509Certificate2[]]@(Get-ChildItem -Path cert:\ -Recurse | Where-Object {$_.PSParentPath -like "*$StoreLocation*" -and $_.PSParentPath -like "*$StoreName"})
+     }
+
+     return ,$certificates
+}
+
+Function Get-CertificateStoreNames() {
+    <#
+    .SYNOPSIS
+    Gets certificate store names.
+
+    .DESCRIPTION
+    Gets the certificate store names for a specific certificate store location.
+
+    .PARAMETER StoreLocation
+    The certificate store location.
+
+    .EXAMPLE
+    Get-CertificateStoreNames -StoreLocation 'CurrentUser'
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Scope='Function')]
+    [CmdletBinding()]
+    [OutputType([string[]])]
+    Param(
+        [Parameter(Mandatory=$true, HelpMessage='The certificate store location')]
+        [ValidateNotNullOrEmpty()]
+        [ValidateSet('CurrentUser','LocalMachine',IgnoreCase=$true)]
+        [string]$StoreLocation
+    )
+
+    $storeNames = [string[]]@((Get-ChildItem -Path cert:\ | Where-Object {$_.Location -ieq $StoreLocation}).StoreNames.Keys)
+
+    return ,$storeNames
+}
+
+Function Get-CertificateStoreDisplayName() {
+    <#
+    .SYNOPSIS
+    Gets the certificate store display name based on the programmatic name.
+
+    .DESCRIPTION
+    Gets the certificate store display name, as shown in certmgr.msc, based on the programmatic name.
+
+    .PARAMETER StoreName
+    The certificate store name.
+
+    .EXAMPLE
+    Get-CertificateStoreDisplayName -StoreName 'My'
+    #>
+    [CmdletBinding()]
+    [OutputType([string])]
+    Param(
+        [Parameter(Mandatory=$true, HelpMessage='The certificate store name')]
+        [ValidateNotNullOrEmpty()]
+        [ValidateSet('ACRS','ADDRESSBOOK','AuthRoot','CA','ClientAuthIssuer','Disallowed','DPNGRA','EFS','FlightRoot','FVE','FVE_NKP','My','REQUEST','Root','SmartCardRoot','Trust','TrustedDevices','TrustedPeople','TrustedPublisher','UserDS','Windows Live ID Token Issuer',IgnoreCase=$true)]
+        [string]$StoreName
+    )
+
+    $displayName = 'Unknown'
+
+    switch ($StoreName.ToLower()) {
+        'acrs' { $displayName = 'Automatic Certificate Request Settings' ; break }
+        'addressbook' { $displayName = 'Other People' ; break }
+        'authroot' { $displayName = 'Third-Party Root Certification Authorities' ; break }
+        'ca' { $displayName = 'Intermediate Certification Authorities' ; break }
+        'clientauthissuer' { $displayName = 'Client Authentication Issuers' ; break }
+        'disallowed' { $displayName = 'Untrusted Certificates' ; break }
+        'dpngra = ' { $displayName = 'Data Protection' ; break }
+        'efs' { $displayName = 'Encrypting File System' ; break }
+        'flightroot' { $displayName = 'Preview Build Roots' ; break }
+        'fve' { $displayName = 'BitLocker Drive Encryption' ; break }
+        'fve_nkp' { $displayName = 'BitLocker Drive Encryption Network Unlock Certificate' ; break }
+        'my' { $displayName = 'Personal' ; break }
+        'request' { $displayName = 'Certificate Enrollment Requests' ; break }
+        'root' { $displayName = 'Trusted Root Certification Authorities' ; break }
+        'smartcardroot' { $displayName = 'Smart Card Trusted Roots' ; break }
+        'trust' { $displayName = 'Enterprise Trust' ; break }
+        'trusteddevices' { $displayName = 'Trusted Devices' ; break }
+        'trustedpeople' { $displayName = 'Trusted People' ; break }
+        'trustedpublisher' { $displayName = 'Trusted Publishers' ; break }
+        'userds' { $displayName = 'Active Directory User Object' ; break }
+        'windows live id token issuer' { $displayName = 'Windows Live ID Token Issuer' ; break }
+        default {}
+
+        # other certmgr.msc Display Names seen in screenshots on the Internet (don't know store name yet):
+        # MSIEHistoryJournal
+        # Remote Desktop
+        # SMS
+    }
+
+    return $displayName
+}

resources/certificates/dod/README.txt

+####################################
+
+Certificates_PKCS7_v5.3_DoD
+
+####################################
+
+File Information:
+
+The structure of the file names for files that contain certificates in this bundle follow this pattern:
+
+Certificates_PKCS7_[bundle version]_[group]_[subgroup information].[encoding].[file type]
+
+where:
+    'bundle version' is a PKE version identification number of the form Major.Minor.Release.
+    'group' is a DoD PKI certificate grouping which is either DoD, ECA, JITC, SIPR, or WCF.
+    'subgroup information' is additional details about which Root CA the file contains (with the Root's subordinates).
+    'encoding' is the encoding scheme used in the file and is either der or pem.
+    'file type' is the file extension which best fits the contents of the file.
+
+There is a special which support the verification of this bundle. The file contains a CMS object which contains a
+payload of file checksums included in this bundle and has been digitally signed by the DoD PKE code signing credential.
+The struct of its file name follow this pattern:
+
+Certificates_PKCS7_[bundle version]_[group].sha256
+
+where:
+    'bundle version' is a PKE version identification number of the form Major.Minor.Release.
+    'group' is a DoD PKI certificate grouping which is either DoD, ECA, JITC, SIPR, or WCF.
+
+Verification:
+
+
+To verify this PKCS#7 package please perform the following steps:
+
+
+1)  Verify Thumbprint on the first DoD_PKE_CA_chain.pem certificate using the following command:
+openssl x509 -in DoD_PKE_CA_chain.pem -subject -issuer -fingerprint -noout
+
+
+Verify the following output:
+subject= /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
+issuer= /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
+SHA1 Fingerprint=D7:3C:A9:11:02:A2:20:4A:36:45:9E:D3:22:13:B4:67:D7:CE:97:FB
+
+Confirm output and verify the DoD Root CA 3 SHA1 Fingerprint by calling the DoD PKI at (844) 347-2457 or DSN 850-0032.
+
+
+2) Open DoD_PKE_CA_chain.pem in a text editor and confirm only two CERTIFICATE objects are present.
+
+
+3) Verify the S/MIME signature on Certificates_PKCS7_v5.3_DoD.sha256 using the following command:
+On Mac OSX:
+$ openssl smime -verify -in Certificates_PKCS7_v5.3_DoD.sha256 -inform DER -CAfile DoD_PKE_CA_chain.pem | shasum -a 256 -c
+
+On Linux:
+$ openssl smime -verify -in Certificates_PKCS7_v5.3_DoD.sha256 -inform DER -CAfile DoD_PKE_CA_chain.pem | dos2unix | sha256sum -c
+
+Verify the following output:
+Verification successful
+
+####################################
+
+Usage:
+
+
+Openssl - To export CA certificates to a concatenated PEM file for use as an openssl CAfile (named e.g. DoD_CAs.pem), use the following command:
+openssl pkcs7 -in Certificates_PKCS7_v5.3_DoD.pem.p7b -print_certs -out DoD_CAs.pem
+
+For more detailed instructions find our Getting Started with Firefox on Linux guide on our IASE PKI-PKE site. End Users > Web Browsers > Mozilla Firefox

resources/configs/101803-cac.ini

+[DEFAULT]
+# The location of the WIM file from the mounted Windows ISO.
+wim_file_path=artifacts\windows10-1803.wim
+# This is the complete name of the Windows version that will be generated.
+# In order to find the possible options, use the Get-WimFileImagesInfo command
+# and look for the Name property.
+image_name=Windows 10 Enterprise
+# The destination of the generated image.
+image_path=artifacts\win101803.raw
+# Select between VHD, VHDX, QCOW2, VMDK or RAW formats.
+virtual_disk_format=RAW
+# This parameter allows to choose between MAAS, KVM, VMware and Hyper-V specific images.
+# For HYPER-V, cloudbase-init will be installed and the generated image should be in vhd or vhdx format.
+# For MAAS, in addition to cloudbase-init, the curtin tools are installed
+# and the generated image should be in raw.tgz format.
+# For KVM, in addition to cloudbase-init, the VirtIO drivers are installed
+# and the generated image should be in qcow2 format.
+image_type=KVM
+# This parameter can be set to either BIOS or UEFI.
+disk_layout=BIOS
+# The product key for the selected OS.
+product_key=""
+# A comma separated array of extra features that will be enabled on the resulting image.
+# These features need to be present in the ISO file.
+extra_features=""
+# It will force the image generation when RunSysprep is False or the selected SwitchName
+# is not an external one. Use this parameter with caution because it can easily generate
+# unstable images.
+force=False
+# If set to true, MAAS Windows curtin hooks will be copied to the image root directory.
+install_maas_hooks=False
+# Select between tar, gz, zip formats or any combination between these.
+compression_format=""
+# If this parameter is set, after the image is generated,
+# a password protected zip archive with the image will be created.
+zip_password=""
+# It will stop the image generation after the updates are installed and cleaned.
+gold_image=False
+# This is the full path of the already generated golden image.
+# It should be a valid VHDX path.
+gold_image_path=""
+# This is a full path to the VMware-tools.exe version that you want to install.
+vmware_tools_path=""
+# This is the full path of a folder with custom resources which will be used by
+# the custom scripts.
+# The resources found at this path will be copied recursively to the image
+# UnattendResources\CustomResources folder.
+custom_resources_path=""
+# This is the full path of the folder which can contain a set of PS scripts,
+# that will be copied and executed during the online generation part on the VM.
+# The PowerShell scripts, if existent, will be started by Logon.ps1 script,
+# at different moments during image generation.
+# The purpose of these scripts is to offer to the user a fully
+# customizable way of defining additional logic for tweaking the final image.
+# The scripts files can have the following names: RunBeforeWindowsUpdates.ps1,
+# RunAfterWindowsUpdates.ps1, RunBeforeCloudbaseInitInstall.ps1, RunAfterCloudbaseInitInstall.ps1,
+# RunBeforeSysprep.ps1, RunAfterSysprep.ps1.
+# The script names contain the information on when the script will be executed.
+# One can define only some of the hook scripts and it is not mandatory to define all of them.
+# If a script does not exist, it will not be executed.
+custom_scripts_path="resources\scripts\windows10"
+# If set to true the Administrator account will be enabled on the client
+# versions of Windows, which have the Administrator account disabled by default
+enable_administrator_account=False
+# If set, it will replace the Cloudbase Solutions wallpaper to the one specified.
+# The wallpaper needs to be a valid .jpg/.jpeg image.
+wallpaper_path=""
+# If set, it will replace the Cloudbase Solutions wallpaper to a solid color.
+# Currently, the only allowed solid color is '0 0 0' (black).
+# If both wallpaper_path and wallpaper_solid_color are set,
+# the script will throw an error.
+wallpaper_solid_color="0 0 0"
+# If set to true and the target image format is QCOW2, the image conversion will
+# use qemu-img built-in compression. The compressed qcow2 image will be smaller, but the conversion
+# will take longer time.
+compress_qcow2=False
+[vm]
+# This will be the Administrator user's, so that AutoLogin can be performed on the instance,
+# in order to install the required products,
+# updates and perform the generation tasks like sysprep.
+administrator_password=Pa$$w0rd
+# Used to specify the virtual switch the VM will be using.
+# If it is specified but it is not external or if the switch does not exist,
+# you will get an error message.
+external_switch=external
+# The number of CPU cores assigned to the VM used to generate the image.
+cpu_count=4
+# RAM (in bytes) assigned to the VM used to generate the image.
+ram_size=8192000000
+# Disk space (in bytes) assigned to the VM used to generate the image.
+disk_size=32768000000
+[drivers]
+# The path to the ISO file containing the VirtIO drivers.
+virtio_iso_path="resources\iso\virtio.iso"
+# The location where the VirtIO drivers are found.
+# For example, the location of a mounted VirtIO ISO. VirtIO versions supported >=0.1.6.x
+virtio_base_path=""
+# The location where additional drivers that are needed for the image are located.
+drivers_path="resources\drivers"
+[updates]
+# If set to true, the latest updates will be downloaded and installed.
+install_updates=True
+# If set to true, will run DISM with /resetbase option. This will reduce the size of
+# WinSXS folder, but after that Windows updates cannot be uninstalled.
+purge_updates=True
+[sysprep]
+# Used to clean the OS on the VM, and to prepare it for a first-time use.
+run_sysprep=True
+# The path to the Unattend XML template file used for sysprep.
+unattend_xml_path=UnattendTemplate.xml
+# DisableSwap option will disable the swap when the image is generated and will add a setting
+# in the Unattend.xml file which will enable swap at boot time during specialize step.
+# This is required, as by default, the amount of swap space on Windows machine is directly
+# proportional to the RAM size and if the image has in the initial stage low disk space,
+# the first boot will fail due to not enough disk space. The swap is set to the default
+# automatic setting right after the resize of the partitions is performed by cloudbase-init.
+disable_swap=True
+# In case the hardware on which the image is generated will also be the hardware on
+# which the image will be deployed this can be set to true, otherwise the spawned
+# instance is prone to BSOD.
+persist_drivers_install=False
+[cloudbase_init]
+# This is a switch that allows the selection of Cloudbase-Init branches. If set to true, the
+# beta branch will be used:
+# https://cloudbase.it/downloads/CloudbaseInitSetup_<arch>.msi, where arch can be x86 or x64
+# otherwise the stable branch will be used:
+# https://cloudbase.it/downloads/CloudbaseInitSetup_Stable_<arch>.msi, where arch can be x86 or x64
+beta_release=False
+# Serial log port for Cloudbase-Init.
+# If set to null, the first serial port (if any) from the generation VM will be used
+serial_logging_port=COM1
+# If set, the Cloudbase-Init msi at this path will be used.
+# The path needs to be a locally accesible file path.
+msi_path=""

windows101803-cac.ps1

+## Windows 10 1803 Build Script
+
+If (-NOT ([Security.Principal.WindowsPrincipal]`
+   [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
+{
+    Write-Warning "This script requires administrative privileges to run.  Please elevate and try again."
+    Break
+}
+
+$ProgressPreference = 'SilentlyContinue'
+Write-Output "Downloading Windows 10 1803 WIM..."
+Invoke-WebRequest -Uri https://vtaimagebootstrap.blob.core.usgovcloudapi.net/wim-files/windows10-1803.wim `
+                  -OutFile artifacts/windows10-1803.wim
+$ProgressPreference = 'Continue'
+Write-Output "Finished Downloading Windows 10 1803 WIM"
+
+pushd windows-openstack-imaging-tools
+
+## Temporary workaround for https://github.com/cloudbase/windows-openstack-imaging-tools/issues/219
+(Get-Content WinImageBuilder.psm1).replace('($windowsImageConfig.cpu_count -gt [int](Get-TotalLogicalProcessors))', `
+                                           '([int]$windowsImageConfig.cpu_count -gt [int](Get-TotalLogicalProcessors))') `
+										   | Set-Content WinImageBuilder.psm1
+
+Import-Module .\WinImageBuilder.psm1
+Import-Module .\Config.psm1
+Import-Module .\UnattendResources\ini.psm1
+
+## installroot for dod certs or load certs from certificates.psm1 - http://iasecontent.disa.mil/pki-pke/InstallRoot_5.2x64.msi
+## Start-Process msiexec.exe -Wait -ArgumentList '/I C:\installers\InstallRoot_5.2x64.msi /quiet'
+
+popd
+
+New-WindowsOnlineImage -ConfigFilePath resources/configs/101803-cac.ini
+
+Remove-Module WinImageBuilder
+Remove-Module Config
+Remove-Module ini
+
+windows-openstack-imaging-tools\bin\qemu-img convert artifacts\win101803.qcow2 -f raw artifacts\win101803-cac.raw