CryptoPkg: BaseCryptLib: Add unit tests (Host and Shell based)

This adds a new INF for BaseCryptLib suitable for
host based environments. It adds a host based unit test for
BaseCryptLib that can also be built as a shell based Unit Test.

In addition, this also adds a UnitTestHostCrtWrapper.c file, which provides
some of the functionality not provided by the default host based unit test
system that OpenSSL expects. This is used by UnitTestHostBaseCryptLib, a
version of the BaseCryptLib meant specifically for host based unit testing.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Matthew Carlson <matthewfcarlson@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
This commit is contained in:
Matthew Carlson
2020-10-09 06:37:46 +08:00
committed by mergify[bot]
parent 30f0ec8d80
commit 694bfd6ff5
33 changed files with 5569 additions and 0 deletions

@@ -0,0 +1,92 @@
--------------------------------------------------------------------------------
File: ChainCreationInstructions.txt
Description: This folder contains INI files that are required to generate
the following test cert chains. Certs will be copied onto the
file system AND MY store when they are generated by certreq.exe.
Note that typically certreq.exe operates on INF files, but in this folder
we use INI files so that our build system does not complain about INF's being
in the tree, but not in the CryptoPkg.dsc file.
To create your own certificates and signatures for testing, this file demonstrates
how the test certificate chains and signatures were created.
To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in
your path). You can then use your favorite BinaryToHex converter to convert
the binary into a byte array that you can include in unit tests.
Copyright (C) Microsoft Corporation. All Rights Reserved.
--------------------------------------------------------------------------------
Cert Chain:
------------------------------------------
| | // Root of trust. ECDSA P521 curve
| TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
------------------------------------------
^
|
------------------------------------------
| | // Issues subordinate CAs. ECC P384 curve.
| TestEKUParsingPolicyCA | // SHA 256 Key Usage:
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
------------------------------------------
^
|
------------------------------------------
| | // Issues end-entity (leaf) signers. ECC P256 curve.
| TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
| | // Enhanced Key Usage:
------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
^
|
--------------------------------------
/ / // Leaf signer, ECC P256 curve.
/ TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
/ / // Enhanced Key usages:
-------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
// 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
---------------------------------------------------------------------------------
--- files required ---
TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live.
TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints.
TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs.
TestEKUParsingLeafSigner.ini - End-Entity leaf signer.
TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified.
TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints.
--- Commands to execute ---
certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
---------------------------------------------------------------------------------
Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below.
Note: You should see a little key on the top left of each cert icon, which means you have the private key
for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks,
export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible.
If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has
an Export-PfxCertificate command.
Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot
TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA
TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA
TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner
TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner
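
Review bot: The Passwords list at the end has no entry for TestEKUParsingLeafSignerPid1.pfx, although TestEKUParsingLeafSignerPid1.ini is in the "files required" list and its certificate is generated by the last certreq.exe command. Its description there ("Test with naming files ini, to get around build complaints") also does not say what the certificate is; the other entries suggest something like "End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.1". "PCKS#12" in the export step should read "PKCS#12". Since the header states the certs land in the MY store and the export step takes the private keys out under passwords published here, consider adding a closing step telling the developer to remove the test certificates and keys from the machine store once the PFX files are exported.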

@@ -0,0 +1,11 @@
@ECHO OFF
REM
REM Use this file to create test certificates.
REM
call certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
call certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
call certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
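
Review bot: None of the certreq.exe calls checks its exit code, so when the root or an intermediate step fails the script carries on and every later line still looks up its issuer by name with -cert "...". Consider adding a check such as "if errorlevel 1 exit /b 1" after each call so a broken chain stops at the step that failed. The "call" prefix is only needed for batch files and can be dropped for an .exe.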

@@ -0,0 +1,76 @@
@ECHO OFF
REM This script will use various certificates to sign blobs for testing purposes.
REM
REM
REM Our EKU test certificate chain:
REM ------------------------------------------
REM | | // Root of trust. ECDSA P521 curve
REM | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
REM ------------------------------------------
REM ^
REM |
REM ------------------------------------------
REM | | // Issues subordinate CAs. ECC P384 curve.
REM | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
REM ------------------------------------------
REM ^
REM |
REM ------------------------------------------
REM | | // Issues end-entity (leaf) signers. ECC P256 curve.
REM | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM | | // Enhanced Key Usage:
REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
REM ^
REM |
REM --------------------------------------
REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM / / // Enhanced Key usages:
REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
REM
REM
REM
REM Dev Note: SignTool.exe must be in your path when running this script.
del *.p7b
ECHO -------------------------------------------------------------------
ECHO Press any key 4 times to append time to the test blobs to sign.
time >> TestSignWithOneEKUInLeafSigner.bin
time >> TestSignWithTwoEKUsInLeafSignerPid1.bin
time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin
time >> TestSignWithNoEKUsInLeafSigner.bin
REM
REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,
REM and add the Policy CA in the signature.
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin
REM
REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin
REM
REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin
REM
REM Create a signature with a leaf that does not have any EKUs in the signture.
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin
REM
REM Rename *.p7 to *.p7b
REM
rename *.p7 *.p7b
ECHO ---------------------------------------------------------------------------
ECHO Now you can use your favorite "Binary To Hex" converter to convert the
ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h
ECHO ---------------------------------------------------------------------------
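
Review bot: The four "time >> ...bin" lines use the interactive form of the time command, which is why the script has to ask for four key presses, and it writes the prompt text rather than just a timestamp into the blobs. A non-interactive form such as "echo %DATE% %TIME% >> TestSignWithOneEKUInLeafSigner.bin" would let the script run unattended. Separately, "del *.p7b" and "rename *.p7 *.p7b" act on every matching file in the current directory, so naming the four expected outputs explicitly would be safer, and "signture" in the last REM block should read "signature". The chain diagram in the header describes both leaf signers as ECC P256, which does not match the KeyLength = 2048 used in the Pid1 and Pid12345 request files.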

@@ -0,0 +1,45 @@
[Version]
Signature="$Windows NT$
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 2.5.29.19 == Basic Constraints for CA
[Strings]
szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.76.9.21.1
[NewRequest]
Subject = "CN=TestEKUParsingIssuingCA"
Exportable = true
KeyLength = 256
HashAlgorithm = sha256
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 20
ValidityPeriod = Years
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = "ECDSA_P256"
[Extensions]
%szOID_BASIC_CONSTRAINTS2% = "{text}"
_continue_ = "ca=True"
Critical=%szOID_BASIC_CONSTRAINTS2%
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This extension is so the this CA is only allowed to
; issue end-entity certs.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[BasicConstraintsExtension]
PathLength=0
;
; Surface Firmware Signing EKU
;
[Extensions]
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.76.9.21.1"
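
Review bot: This file declares [Extensions] twice, once for %szOID_BASIC_CONSTRAINTS2% and again at the end for 2.5.29.37, and it sets the same two extensions through [BasicConstraintsExtension] and [EnhancedKeyUsageExtension] as well. Please merge the two [Extensions] sections and keep a single source for each extension, so it is clear which value (for example PathLength=0 versus "ca=True") ends up in the certificate. KeyUsage here is CERT_KEY_CERT_SIGN_KEY_USAGE, while the chain diagram in ChainCreationInstructions.txt lists CERT_DIGITAL_SIGNATURE_KEY_USAGE for TestEKUParsingIssuingCA; one of the two should be corrected. "so the this CA" in the comment has a stray word.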

@@ -0,0 +1,25 @@
[Version]
Signature="$Windows NT$
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.76.9.21.1
[NewRequest]
Subject = "CN=TestEKUParsingLeafSigner"
Exportable = true
KeyLength = 256
HashAlgorithm = sha256
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 20
ValidityPeriod = Years
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = "ECDSA_P256"
;
; Surface test firwmare signing EKU
;
[Extensions]
_continue_ = "1.3.6.1.4.1.311.76.9.21.1"
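
Review bot: The closing [Extensions] section contains only a _continue_ line, with no 2.5.29.37 = "{text}" entry before it for the line to continue, unlike the Pid1 and Pid12345 request files. Either add the 2.5.29.37 = "{text}" line or drop the section, since [EnhancedKeyUsageExtension] already carries the same OID. "firwmare" in the comment should read "firmware".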

@@ -0,0 +1,24 @@
[Version]
Signature="$Windows NT$
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.76.9.21.1
OID = 1.3.6.1.4.1.311.76.9.21.1.1
[NewRequest]
Subject = "CN=TestEKUParsingLeafSignerPid1"
Exportable = true
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = AT_SIGNATURE
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 5
ValidityPeriod = Years
[Extensions]
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.76.9.21.1,"
_continue_ = "1.3.6.1.4.1.311.76.9.21.1.1"
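
Review bot: KeyUsage on this end-entity request includes CERT_KEY_CERT_SIGN_KEY_USAGE and CERT_CRL_SIGN_KEY_USAGE, and the request sets KeyLength = 2048 with KeySpec = AT_SIGNATURE and no KeyAlgorithm or ProviderName, whereas the documented chain describes leaf signers as ECC P256 with CERT_DIGITAL_SIGNATURE_KEY_USAGE only. Please either align this file with TestEKUParsingLeafSigner.ini (KeyAlgorithm = "ECDSA_P256", KeyLength = 256, digital signature only) or update the diagram so the test vectors match what is documented.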

@@ -0,0 +1,27 @@
[Version]
Signature="$Windows NT$
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.76.9.21.1
OID = 1.3.6.1.4.1.311.76.9.21.1.12345
[NewRequest]
Subject = "CN=TestEKUParsingLeafSignerPid12345"
Exportable = true
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = AT_SIGNATURE
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 5
ValidityPeriod = Years
[Extensions]
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.76.9.21.1,"
_continue_ = "1.3.6.1.4.1.311.76.9.21.1.12345"
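
Review bot: ValidityPeriodUnits = 5 gives this leaf a much shorter lifetime than the 20 years used for TestEKUParsingLeafSigner and the CAs. The signatures made with it are meant to be embedded as byte arrays in the unit tests, so if any verification path under test checks certificate validity, these vectors will start failing once the five years pass. Consider using 20 years here and in TestEKUParsingLeafSignerPid1.ini. The key usage and key algorithm comments on the Pid1 request apply to this file too.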

@@ -0,0 +1,16 @@
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=TestEKUParsingNoEKUsInSigner"
Exportable = true
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = AT_SIGNATURE
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 20
ValidityPeriod = Years
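
Review bot: As the negative case for EKU checking, this request differs from TestEKUParsingLeafSigner.ini in more than the missing EKU: it uses KeyLength = 2048 with KeySpec = AT_SIGNATURE instead of KeyAlgorithm = "ECDSA_P256", and KeyUsage adds CERT_KEY_CERT_SIGN_KEY_USAGE and CERT_CRL_SIGN_KEY_USAGE. Keeping everything except the EKU identical to the positive-case leaf would make it clear that a test result on this certificate is due to the absent EKU and nothing else.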

@@ -0,0 +1,28 @@
[Version]
Signature="$Windows NT$
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 2.5.29.19 == Basic Constraints for CA
[Strings]
szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
[NewRequest]
Subject = "CN=TestEKUParsingPolicyCA"
Exportable = true
KeyLength = 384
HashAlgorithm = sha256
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 20
ValidityPeriod = Years
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = "ECDSA_P384"
[Extensions]
%szOID_BASIC_CONSTRAINTS2% = "{text}"
_continue_ = "ca=True"
Critical=%szOID_BASIC_CONSTRAINTS2%
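
Review bot: ChainCreationInstructions.txt describes this policy CA as one that "will issue subordinate CA's with EKU constraints", but the request has no EKU extension and no path length limit; the only extension is basic constraints with "ca=True". Either add the intended constraint here or reword the description so readers do not assume the policy CA restricts what its subordinates can sign for.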

@@ -0,0 +1,28 @@
[Version]
Signature="$Windows NT$
[Strings]
szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
[NewRequest]
Subject = "CN=TestEKUParsingRoot"
Exportable = true
KeyLength = 521
HashAlgorithm = sha256
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 30
ValidityPeriod = Years
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = ECDSA_P521
[Extensions]
%szOID_BASIC_CONSTRAINTS2% = "{text}"
_continue_ = "ca=True"
Critical=%szOID_BASIC_CONSTRAINTS2%
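
Review bot: The [Version] line reads Signature="$Windows NT$ with no closing quote, and the same unterminated string appears in every request file in this commit; it should be Signature="$Windows NT$". KeyAlgorithm = ECDSA_P521 is also unquoted here while the other files quote the value, so quoting it would keep the set consistent. Since Exportable = true and MachineKeySet = True put an exportable root key in the machine store, a one-line comment stating that this root is for test vectors only would help anyone reusing the file.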