BaseTools/Pkcs7Sign: Update the test certificates & Readme.md

The old TestRoot certificate used for Pkcs7Sign is not compliant to Root CA certificate requirement with incorrect basic constraints and key usage setting. When OpenSSL in CryptoPkg was updated from 1.0.2xx to the latest 1.1.0xx, the CA certificate checking was enforced for more extension validations, which will raise the verification failure when stilling using the old sample certificates. This patch re-generated one set of test certificates used in Pkcs7Sign demo, and updated the corresponding Readme.md to describe how to set the options in openssl configuration file. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-04-11 15:36:54 +08:00
parent c5719579ce
commit f536d7c3ed
8 changed files with 286 additions and 230 deletions
--- a/BaseTools/Source/Python/Pkcs7Sign/TestSub.pem
+++ b/BaseTools/Source/Python/Pkcs7Sign/TestSub.pem
@ -1,57 +1,59 @@
-Bag Attributes
-    localKeyID: 01 00 00 00 
-    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
-    friendlyName: PvkTmp:11e8b08d-46fb-45a2-90c4-d458be4a1276
-Key Attributes
-    X509v3 Key Usage: 80 
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfNn3oUo5iCBXg
-x1AUxgHG/h23/WyThgYj2NAToG3S51i0MGamyjGP8GbBphRc0ORpIhQE8Va+NPjW
-cdoh4sXLOroW3Es26sR+cxdRwNF0/YxK/+JboYDmdUecgcwqipIv795bVQjRLCyT
-/+LjLXs/B3XM/jc4jHa7gs+AmwH2DXz9VTsIHmXrm/KGZ64VQzFbJYJl+KvFAmlm
-LcL+t099lyiJYL+3LY2ajonzkAidVQylIfsmhAlcnGee6MYfPxLQRe4pIIlhyXAK
-ZixBnAlZvifo3JRwTKXRHzkj6Vp5KhDsi/31Y54iLJQHiet/FlymIHrtkFpC47xi
-ndF6jNpfAgMBAAECggEAD4owC9xS+A/gosnmxRWhLXJhet3fb8llvAX4zpGau+Uc
-wVRKu1OCNucOAISx+W/iJhN6GhQRlWByO+wXkGB5UcwaRwpFb8dxBQPoGMYAgQdm
-XsOkV7E8dZdTirEYjmZsElsP5vY2dW7MWGhiFYO7mHv6ltbmk5G83Qci3biYyRKB
-4Qb+q/1yl9tdqRvMnLshgSNSa2onGiJ8k9NniSnfnKCc4S0pliy2Z5HOPQCi2QAk
-eVWORHz5jL8lzlVCflOL7VZiS13YORMDIj0S9LyMhXO4bAtsgWfldqOupNgNW0qI
-FwzrNvIXhQxeUiqylzfKNCzuBA11CFBnPt/+agv10QKBgQDH82PHMC3GH8Teq0lw
-J5G+zYQol1ikRU7O116cAcV04P8HAiAmZ2lrP4DSJWD3y3sOjnnK54KmXkHVcNJI
-IDjb8d/BZjuYqdylfKhoKNgAdI1WcNKOz7KOK6Le8/ZK1uh1ZHMA6M+L9mTtQjhW
-DyoMvEGsQmNHnYF5n3zPQWUMFQKBgQDL17jZMLOORK2U+Iqu0cTVttGUjg/agP+r
-D4RWwA6BKI0vW3fFOka9MsjBpRZkZdXucq1TusDl8/J30FD/Cjp/gt9RwCQAvk44
-Zp6HU3TFEsBdXU+3XeJqTtyJqFuPkRQWrd0UeudSiEJammAlzyF7pPZioF1mucOA
-nCcDecLFowKBgBv1gKI9rmjh0FmCggZYwhx4CF7UquRtfJOXsfcGmGG7hG2qcmxs
-UWVZv92itGhx34ctjQI+VRqGW5ZI7F6BgvHeZHdaoEK8ncnWIIZQD8QgiBLqO8cU
-a9dNarzaSDo2ytJ/dUVPSJY9oec7Nz1xaWPWfyhjMBa3g39KOd2RO1vxAoGBAMRD
-Q9r6JSeJwId6diy0FAyhJVEfJux+36tYGVddO5nn7Wf3bW4cGhf4WYr45IJt+njH
-OVMwsKG3K3FoxVOKCaDT5SjVEtUUZkOvqlspY3iMAWLjgOlQH7uzimuQCfhE+06K
-wB4D581zHFAX6xL8R4TA4+k59jP+D9o4fue9yGZ5AoGAMn+TsY1IZFSY1fw6TTHq
-sp9PiYQQqTMjRkzE7GRXbb1rdE6WoLkSk4Dz4u/B9E7YVzTZggYhPisChu6wZPtK
-IiXBGu8h3GygUGI/WdNRKHW5nst9IZWrtVJ06c87jWqOktbgBnrbqXUG1rgRZr+i
-n3sJLF+GGwzdp/gCxLMH66M=
-----END PRIVATE KEY-----
-Bag Attributes
-    localKeyID: 01 00 00 00 
-subject=/CN=TestSub
-issuer=/CN=TestRoot
-----BEGIN CERTIFICATE-----
-MIIDADCCAeygAwIBAgIQs4xkpm0/PYFLyLk1Nd0c0zAJBgUrDgMCHQUAMBMxETAP
-BgNVBAMTCFRlc3RSb290MB4XDTE2MDgwNDE1MDIwOVoXDTM5MTIzMTIzNTk1OVow
-EjEQMA4GA1UEAxMHVGVzdFN1YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAJ82fehSjmIIFeDHUBTGAcb+Hbf9bJOGBiPY0BOgbdLnWLQwZqbKMY/wZsGm
-FFzQ5GkiFATxVr40+NZx2iHixcs6uhbcSzbqxH5zF1HA0XT9jEr/4luhgOZ1R5yB
-zCqKki/v3ltVCNEsLJP/4uMtez8Hdcz+NziMdruCz4CbAfYNfP1VOwgeZeub8oZn
-rhVDMVslgmX4q8UCaWYtwv63T32XKIlgv7ctjZqOifOQCJ1VDKUh+yaECVycZ57o
-xh8/EtBF7ikgiWHJcApmLEGcCVm+J+jclHBMpdEfOSPpWnkqEOyL/fVjniIslAeJ
-638WXKYgeu2QWkLjvGKd0XqM2l8CAwEAAaNZMFcwDwYDVR0TAQH/BAUwAwEB/zBE
-BgNVHQEEPTA7gBDOtXrP5SHHa/PsktS/ZSo1oRUwEzERMA8GA1UEAxMIVGVzdFJv
-b3SCEDQwJ38FPZWFQ6Ck9Qya58owCQYFKw4DAh0FAAOCAQEAFT8uXdMSHCmatVNg
-LMKsyVA/jJgXGncHmAy59Vjo2+KCIooEuY3NaK527LxB1yi9+UyMe2+Ia4KWcEGY
-+mb+PDTDrlsYtjIU3aRzDpyXUrkYV/D6vZaw+zsgAquQkCi+WwEYZ4uCSUznlcyt
-U3p2Rd/+tvQqq5UerPfRBIs6JTUerwRGUQurTNpzqCGClo3zi58yuOEbNIrOzW1D
-MtQFKUtKkMx4rg6NT9kq/ICXt8k3UIsXh52NTYchkLlsnCgaoKzW2DFqSMFL3KC0
-NmQtmKaPo3mBIYJT0WDofYzas2TQO8cBiQHGrSqXNFAfI5eUo3qLtsRE+7Z9F2Mw
-HgNmsA==
-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4098 (0x1002)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = CN, ST = SH, L = SH, O = TianoCore, OU = EDKII, CN = TestRoot, emailAddress = edkii@tianocore.org
+        Validity
+            Not Before: Apr 10 08:33:45 2017 GMT
+            Not After : Apr 10 08:33:45 2018 GMT
+        Subject: C = CN, ST = SH, O = TianoCore, OU = EDKII, CN = TestSub, emailAddress = edkii@tianocore.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c5:3a:af:16:34:9a:14:61:74:8c:39:1a:04:1f:
+                    7b:95:d3:40:b7:ea:26:a7:7b:8d:76:d3:86:1b:7c:
+                    07:17:d2:56:72:36:13:b4:6c:75:b7:bf:d1:35:d1:
+                    31:d5:9a:07:c1:62:4e:aa:3d:bd:d8:40:8b:48:9a:
+                    c5:46:c4:c3:10:2c:d4:82:d9:6d:f4:c3:de:85:fa:
+                    34:1d:d1:74:7a:5f:16:34:59:2b:2b:03:61:46:62:
+                    d7:88:62:59:4d:d8:55:00:52:54:e1:15:5e:a9:ec:
+                    d6:e8:51:fd:ef:8e:68:5f:d2:40:d2:61:ef:2c:1d:
+                    5b:a7:6e:14:4c:12:bc:60:81:8e:66:c9:84:51:c2:
+                    89:51:fc:e5:7f:86:9a:78:a4:c1:f7:0f:a9:a5:97:
+                    60:dd:6f:c8:a0:fd:ea:07:2f:01:36:0a:e8:bd:0e:
+                    dc:48:2e:85:22:7b:bb:db:68:78:eb:cd:6a:54:07:
+                    f7:81:a5:52:8f:f3:5c:09:1e:76:a3:d1:91:8f:ee:
+                    86:2c:85:49:99:96:4f:5f:5b:0d:08:ae:d8:20:e8:
+                    e3:67:70:c6:ec:0e:0e:bd:bf:3c:f6:db:e4:45:d5:
+                    7a:bb:9f:d1:3b:18:89:fc:63:ac:c2:30:b8:fa:bb:
+                    8a:24:63:4e:79:58:78:72:ab:27:36:3d:bb:4f:47:
+                    d6:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                D6:9D:66:D6:49:7C:FA:20:8D:5D:75:69:2A:41:0A:7A:03:5A:A5:EB
+            X509v3 Authority Key Identifier: 
+                keyid:16:AA:D6:8E:1B:2D:43:F3:2D:B0:24:AD:36:65:3F:B2:FA:B1:2C:ED
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         83:3c:ae:b2:fc:99:3d:33:b3:da:ca:26:83:8c:a9:ae:f8:bb:
+         ad:05:37:97:a5:f8:0d:2b:4e:3e:e5:b7:12:68:f8:64:d4:bd:
+         ff:65:7d:57:98:61:cd:47:10:a5:6a:bd:66:89:74:ce:5e:28:
+         29:39:67:c9:1f:54:ec:78:76:b1:dd:04:91:63:b6:8c:2f:86:
+         59:1f:c4:2b:a1:4a:8c:a8:5b:f6:8a:92:f0:83:bb:92:92:5c:
+         b1:1c:18:95:3d:d6:be:6d:79:9d:4f:7b:92:1f:68:f5:1f:cd:
+         f4:37:2d:1e:e3:f6:eb:f2:8a:a4:8d:a1:c5:db:0c:3a:59:01:
+         dc:be:a9:c1:0b:04:ba:e8:02:a9:85:cd:d7:48:0d:f6:60:30:
+         2b:05:ba:e0:c7:d8:9f:23:14:37:04:0a:a7:bc:b6:c8:25:31:
+         e4:9a:41:a5:83:c2:ee:89:d3:fa:a5:7c:ae:a6:14:22:a4:5f:
+         73:03:f2:7b:3c:51:f7:76:2a:0a:cf:ee:71:35:1c:bc:ff:3f:
+         9b:d5:b1:33:e0:b6:fc:2a:c8:ab:84:89:cd:fa:1c:ee:12:8c:
+         07:ba:93:46:50:b3:3f:73:05:be:67:58:60:90:05:2c:d3:b6:
+         19:7c:a4:f0:6e:ee:d4:f2:0e:f5:02:79:5f:2c:28:83:1e:83:
+         c6:92:ba:7c