BaseTools/Pkcs7Sign: Update the test certificates & Readme.md

The old TestRoot certificate used for Pkcs7Sign is not compliant with
the Root CA certificate requirements, with incorrect basic constraints and
key usage settings.
When OpenSSL in CryptoPkg was updated from 1.0.2xx to the latest
1.1.0xx, the CA certificate checking was enforced for more extension
validations, which will raise a verification failure when still
using the old sample certificates.

This patch re-generated one set of test certificates used in
Pkcs7Sign demo, and updated the corresponding Readme.md to describe
how to set the options in openssl configuration file.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Long Qin
2017-04-11 15:36:54 +08:00
parent c5719579ce
commit f536d7c3ed
8 changed files with 286 additions and 230 deletions


@@ -21,10 +21,44 @@ You may need the following steps for initialization:
rd ./demoCA /S/Q
mkdir ./demoCA
echo "" > ./demoCA/index.txt
echo.>./demoCA/index.txt
echo 01 > ./demoCA/serial
mkdir ./demoCA/newcerts
OpenSSL will apply the options from the specified sections in openssl.cnf when creating certificates or certificate signing requests. Make sure your configuration in openssl.cnf is correct and rational for certificate constraints.
The following sample sections were used when generating test certificates in this readme.
...
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical Root CA.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
...
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
...
[ usr_cert ]
# Extensions for user end certificates.
basicConstraints = CA:FALSE
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
...
* Generate the certificate chain:
NOTE: User MUST set a UNIQUE "Common Name" on the different certificate
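Review bot: The new `[ v3_intermediate_ca ]` section is byte-for-byte the same as `[ v3_ca ]` apart from whitespace, so the intermediate is not actually constrained any differently from the root. For an intermediate that is only meant to issue end-entity certificates, the usual setting is `basicConstraints = critical, CA:true, pathlen:0`, which stops TestSub from being used to mint further CA certificates; adding `pathlen:0` here would make the two sections meaningfully different and match the "typical intermediate CA" comment. Separately, the `echo.>./demoCA/index.txt` replacement is the right fix (the old `echo "" >` wrote literal quote characters into the `openssl ca` database), but it is a Windows cmd idiom; since the surrounding `rd /S/Q` and `mkdir` lines already assume cmd, a one-line note that these steps are for a Windows shell would save POSIX users from copying `echo.` verbatim.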
@@ -37,7 +71,7 @@ Generate a root key:
Generate a self-signed root certificate:
openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
openssl req -extensions v3_ca -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem
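Review bot: Passing `-extensions v3_ca` on the `openssl req -x509` line duplicates the `x509_extensions = v3_ca` setting shown in the `[ req ]` section of the same readme; that is harmless, but the text should say which one wins so readers editing openssl.cnf are not surprised. Since the whole point of the patch is that OpenSSL 1.1.0 now rejects a root without proper `basicConstraints`/`keyUsage`, it would also help to add a verification step after this command, e.g. `openssl x509 -in TestRoot.crt -noout -text`, and tell the reader to confirm that `CA:TRUE` and the `Certificate Sign, CRL Sign` key usage appear in the output before continuing.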
@@ -50,7 +84,7 @@ Generate the intermediate key:
Generate the intermediate certificate:
openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
openssl ca -extensions v3_intermediate_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem
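Review bot: The `-days 3650` on the unchanged `openssl req -new -days 3650 -key TestSub.key -out TestSub.csr` line has no effect, because `-days` only applies when `-x509` is given; the validity is actually set by the `-days 3650` on the `openssl ca` line below it. Dropping it from the CSR command would avoid suggesting that a CSR carries a lifetime. Also, `openssl ca -extensions v3_intermediate_ca ...` depends on the `[ ca ]`/`[ CA_default ]` section of openssl.cnf (database, serial, policy), which the readme's sample sections elide with `...`; a sentence saying that the stock `CA_default` with `dir = ./demoCA` is assumed would tie this command back to the `demoCA` initialization steps above.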
@@ -63,7 +97,7 @@ Generate User key:
Generate User certificate:
openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`
openssl ca -extensions usr_cert -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key
openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem
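Review bot: Good catch removing the stray trailing backtick from the old `openssl ca ... -keyfile TestSub.key\`` line, which would have broken copy-and-paste. With `-extensions usr_cert` the leaf now carries `nsCertType = client, email` and `extendedKeyUsage = clientAuth, emailProtection`, neither of which is a signing-specific purpose; if the Pkcs7 verifier ever enforces extended key usage, this certificate will fail for the same class of reason the old root did. The readme should state whether the demo verifier checks EKU and, if it does, which value the leaf is expected to carry, so the sample config is not silently relying on the check being absent.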