diff options
Diffstat (limited to 'CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt')
| -rw-r--r-- | CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt new file mode 100644 index 0000000000..98dbc464f2 --- /dev/null +++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt @@ -0,0 +1,92 @@ +--------------------------------------------------------------------------------
+File: ChainCreationInstructions.txt
+
+Description: This folder contains INI files that are required to generate
+ the following test cert chains. Certs will be copied onto the
+ file system AND MY store when they are generated by certreq.exe.
+
+Note that typically certreq.exe operates on INF files, but in this folder
+we use INI files so that our build system does not complain about INF's being
+in the tree, but not in the CryptoPkg.dsc file.
+
+To create your own certificates and signatures for testing, this file demonstrates
+how the test certificate chains and signatures were created.
+
+To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in
+your path). You can then use your favorite BinaryToHex converter to convert
+the binary into a byte array that you can include in unit tests.
+
+Copyright (C) Microsoft Corporation. All Rights Reserved.
+--------------------------------------------------------------------------------
+Cert Chain:
+
+ ------------------------------------------
+ | | // Root of trust. ECDSA P521 curve
+ | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+ ------------------------------------------
+ ^
+ |
+ ------------------------------------------
+ | | // Issues subordinate CAs. ECC P384 curve.
+ | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
+ | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+ ------------------------------------------
+ ^
+ |
+ ------------------------------------------
+ | | // Issues end-entity (leaf) signers. ECC P256 curve.
+ | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ | | // Enhanced Key Usage:
+ ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+ ^
+ |
+ --------------------------------------
+ / / // Leaf signer, ECC P256 curve.
+ / TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ / / // Enhanced Key usages:
+ -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+ // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
+
+
+
+
+---------------------------------------------------------------------------------
+
+
+--- files required ---
+
+TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live.
+TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints.
+TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs.
+TestEKUParsingLeafSigner.ini - End-Entity leaf signer.
+TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
+TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified.
+TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints.
+--- Commands to execute ---
+
+certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
+certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
+certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
+
+---------------------------------------------------------------------------------
+
+Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below.
+Note: You should see a little key on the top left of each cert icon, which means you have the private key
+ for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks,
+ export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible.
+
+ If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has
+ an Export-PfxCertificate command.
+
+Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot
+ TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA
+ TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA
+ TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner
+ TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
+ TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner
+
|