sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2f8b51d6af6fd2eda2516030f1713dac171e0896
system76-edk2/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt
Matthew Carlson 694bfd6ff5 CryptoPkg: BaseCryptLib: Add unit tests (Host and Shell based) 
This adds a new INF for BaseCryptLib suitable for
host based environments. It adds a host based unit test for
BaseCryptLib that can also be built as a shell based Unit Test.

In addition, this also adds a UnitTestHostCrtWrapper.c file, which provides
some of the functionality not provided by the default host based unit test
system that OpenSSL expects. This is used by UnitTestHostBaseCryptLib, a
version of the BaseCryptLib meant specifically for host based unit testing.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Matthew Carlson <matthewfcarlson@gmail.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2020-10-18 00:49:58 +00:00

93 lines
5.6 KiB
Plaintext
Raw Blame History

--------------------------------------------------------------------------------
File: ChainCreationInstructions.txt
Description: This folder contains INI files that are required to generate
the following test cert chains. Certs will be copied onto the
file system AND MY store when they are generated by certreq.exe.
Note that typically certreq.exe operates on INF files, but in this folder
we use INI files so that our build system does not complain about INF's being
in the tree, but not in the CryptoPkg.dsc file.
To create your own certificates and signatures for testing, this file demonstrates
how the test certificate chains and signatures were created.
To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in
your path). You can then use your favorite BinaryToHex converter to convert
the binary into a byte array that you can include in unit tests.
Copyright (C) Microsoft Corporation. All Rights Reserved.
--------------------------------------------------------------------------------
Cert Chain:
------------------------------------------
| | // Root of trust. ECDSA P521 curve
| TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
------------------------------------------
^
|
------------------------------------------
| | // Issues subordinate CAs. ECC P384 curve.
| TestEKUParsingPolicyCA | // SHA 256 Key Usage:
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
------------------------------------------
^
|
------------------------------------------
| | // Issues end-entity (leaf) signers. ECC P256 curve.
| TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
| | // Enhanced Key Usage:
------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
^
|
--------------------------------------
/ / // Leaf signer, ECC P256 curve.
/ TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
/ / // Enhanced Key usages:
-------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
// 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
---------------------------------------------------------------------------------
--- files required ---
TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live.
TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints.
TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs.
TestEKUParsingLeafSigner.ini - End-Entity leaf signer.
TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified.
TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints.
--- Commands to execute ---
certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
---------------------------------------------------------------------------------
Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below.
Note: You should see a little key on the top left of each cert icon, which means you have the private key
for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks,
export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible.
If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has
an Export-PfxCertificate command.
Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot
TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA
TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA
TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner
TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner
Reference in New Issue View Git Blame Copy Permalink