Diffstat (limited to 'CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts')
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt92
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd11
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd76
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini45
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini25
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini24
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini27
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini16
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini28
-rw-r--r--CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini28
10 files changed, 372 insertions, 0 deletions
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt
new file mode 100644
index 0000000000..98dbc464f2
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt
@@ -0,0 +1,92 @@
+--------------------------------------------------------------------------------
+File: ChainCreationInstructions.txt
+
+Description: This folder contains INI files that are required to generate
+ the following test cert chains. Certs will be copied onto the
+ file system AND MY store when they are generated by certreq.exe.
+
+Note that typically certreq.exe operates on INF files, but in this folder
+we use INI files so that our build system does not complain about INF's being
+in the tree, but not in the CryptoPkg.dsc file.
+
+To create your own certificates and signatures for testing, this file demonstrates
+how the test certificate chains and signatures were created.
+
+To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in
+your path). You can then use your favorite BinaryToHex converter to convert
+the binary into a byte array that you can include in unit tests.
+
+Copyright (C) Microsoft Corporation. All Rights Reserved.
+--------------------------------------------------------------------------------
+Cert Chain:
+
+ ------------------------------------------
+ | | // Root of trust. ECDSA P521 curve
+ | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+ ------------------------------------------
+ ^
+ |
+ ------------------------------------------
+ | | // Issues subordinate CAs. ECC P384 curve.
+ | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
+ | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+ ------------------------------------------
+ ^
+ |
+ ------------------------------------------
+ | | // Issues end-entity (leaf) signers. ECC P256 curve.
+ | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ | | // Enhanced Key Usage:
+ ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+ ^
+ |
+ --------------------------------------
+ / / // Leaf signer, ECC P256 curve.
+ / TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ / / // Enhanced Key usages:
+ -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+ // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
+
+
+
+
+---------------------------------------------------------------------------------
+
+
+--- files required ---
+
+TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live.
+TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints.
+TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs.
+TestEKUParsingLeafSigner.ini - End-Entity leaf signer.
+TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
+TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified.
+TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints.
+--- Commands to execute ---
+
+certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
+certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
+certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
+
+---------------------------------------------------------------------------------
+
+Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below.
+Note: You should see a little key on the top left of each cert icon, which means you have the private key
+ for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks,
+ export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible.
+
+ If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has
+ an Export-PfxCertificate command.
+
+Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot
+ TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA
+ TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA
+ TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner
+ TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
+ TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner
+
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd
new file mode 100644
index 0000000000..6d68afdab7
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd
@@ -0,0 +1,11 @@
+@ECHO OFF
+REM
+REM Use this file to create test certificates.
+REM
+call certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
+call certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
+call certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
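Review bot: Every `call certreq.exe` line ignores the exit status, so if the root or an intermediate fails to generate, the later commands still run against a missing issuer and produce a misleading partial chain. Adding `if errorlevel 1 exit /b 1` after each call would make that visible. The `-cert "TestEKUParsingRoot"` form selects the issuer by name from the MY store, so a second run of this script without cleaning the store presumably leaves several candidates with the same name; a header comment stating that the store must be cleared first (and that the INI files set `MachineKeySet = True`, so the script is expected to run with machine-store write access) would save the next person a confusing failure — worth confirming certreq's actual behavior on a duplicate match.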
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd
new file mode 100644
index 0000000000..ce03e33a71
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd
@@ -0,0 +1,76 @@
+@ECHO OFF
+REM This script will use various certificates to sign blobs for testing purposes.
+REM
+REM
+REM Our EKU test certificate chain:
+REM ------------------------------------------
+REM | | // Root of trust. ECDSA P521 curve
+REM | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+REM ------------------------------------------
+REM ^
+REM |
+REM ------------------------------------------
+REM | | // Issues subordinate CAs. ECC P384 curve.
+REM | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
+REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+REM ------------------------------------------
+REM ^
+REM |
+REM ------------------------------------------
+REM | | // Issues end-entity (leaf) signers. ECC P256 curve.
+REM | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM | | // Enhanced Key Usage:
+REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+REM ^
+REM |
+REM --------------------------------------
+REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
+REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM / / // Enhanced Key usages:
+REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
+REM
+REM
+REM
+REM Dev Note: SignTool.exe must be in your path when running this script.
+
+del *.p7b
+ECHO -------------------------------------------------------------------
+ECHO Press any key 4 times to append time to the test blobs to sign.
+time >> TestSignWithOneEKUInLeafSigner.bin
+time >> TestSignWithTwoEKUsInLeafSignerPid1.bin
+time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin
+time >> TestSignWithNoEKUsInLeafSigner.bin
+
+
+REM
+REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,
+REM and add the Policy CA in the signature.
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin
+
+REM
+REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin
+
+REM
+REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin
+
+
+REM
+REM Create a signature with a leaf that does not have any EKUs in the signture.
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin
+
+REM
+REM Rename *.p7 to *.p7b
+REM
+rename *.p7 *.p7b
+ECHO ---------------------------------------------------------------------------
+ECHO Now you can use your favorite "Binary To Hex" converter to convert the
+ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h
+ECHO ---------------------------------------------------------------------------
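Review bot: The four `call signtool.exe sign` commands run unconditionally and `rename *.p7 *.p7b` follows regardless of their exit status, so a failed signature silently yields a missing `.p7b` while the `del *.p7b` at the top has already removed the previous good one. Add `if errorlevel 1 exit /b 1` after each signtool call, or at least guard the rename. Note also that only the first signature passes `/ac TestEKUParsingPolicyCA.cer`; if the other three are meant to carry the intermediate as well (the header diagram describes one shared chain), repeat the `/ac` option, otherwise a comment such as `REM The remaining signatures omit /ac on purpose; the unit tests supply the intermediates separately` would prevent someone "fixing" it.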
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini
new file mode 100644
index 0000000000..8576783473
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini
@@ -0,0 +1,45 @@
+[Version]
+Signature="$Windows NT$
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; 2.5.29.19 == Basic Constraints for CA
+[Strings]
+szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+
+[NewRequest]
+Subject = "CN=TestEKUParsingIssuingCA"
+Exportable = true
+KeyLength = 256
+HashAlgorithm = sha256
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = "ECDSA_P256"
+
+
+[Extensions]
+%szOID_BASIC_CONSTRAINTS2% = "{text}"
+ _continue_ = "ca=True"
+
+Critical=%szOID_BASIC_CONSTRAINTS2%
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; This extension is so the this CA is only allowed to
+; issue end-entity certs.
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[BasicConstraintsExtension]
+PathLength=0
+
+;
+; Surface Firmware Signing EKU
+;
+[Extensions]
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1"
+
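Review bot: The `[Extensions]` header appears twice in this file (once for Basic Constraints, once for EKU `2.5.29.37`), and the same EKU is also declared under `[EnhancedKeyUsageExtension]`; how certreq merges a repeated section is not obvious from the file, so fold both into one `[Extensions]` block and keep a single EKU declaration to get a deterministic extension set. `KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"` also disagrees with ChainCreationInstructions.txt, which documents this CA with CERT_DIGITAL_SIGNATURE_KEY_USAGE; correct one or the other so the fixture matches its description. Because Windows chain building generally treats a CA's EKU as a constraint on its subordinates, the product-specific EKUs (`1.3.6.1.4.1.311.76.9.21.1.N`) used by the leaf signers are notably absent here; if that is deliberate (only the leaf's EKUs are inspected by the code under test), a comment saying so would be valuable.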
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini
new file mode 100644
index 0000000000..f501537343
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini
@@ -0,0 +1,25 @@
+[Version]
+Signature="$Windows NT$
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+
+[NewRequest]
+Subject = "CN=TestEKUParsingLeafSigner"
+Exportable = true
+KeyLength = 256
+HashAlgorithm = sha256
+KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = "ECDSA_P256"
+
+;
+; Surface test firwmare signing EKU
+;
+[Extensions]
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1"
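Review bot: The trailing `[Extensions]` block contains only `_continue_ = "1.3.6.1.4.1.311.76.9.21.1"` with no preceding `2.5.29.37 = "{text}"` line for it to continue (compare TestEKUParsingLeafSignerPid1.ini), so this entry is either ignored or misparsed by certreq. Since `[EnhancedKeyUsageExtension]` already declares the same EKU, the simplest fix is to delete the dangling block rather than complete it. The comment above it also misspells firmware as `firwmare`.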
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini
new file mode 100644
index 0000000000..35aa78c493
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini
@@ -0,0 +1,24 @@
+[Version]
+Signature="$Windows NT$
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+OID = 1.3.6.1.4.1.311.76.9.21.1.1
+
+[NewRequest]
+Subject = "CN=TestEKUParsingLeafSignerPid1"
+Exportable = true
+KeyLength = 2048
+HashAlgorithm = sha256
+KeySpec = AT_SIGNATURE
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 5
+ValidityPeriod = Years
+
+[Extensions]
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1,"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1.1"
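Review bot: `KeyLength = 2048` with no `KeyAlgorithm` or `ProviderName` means this leaf is not the ECC P-256 signer the chain diagram describes; presumably certreq falls back to an RSA key here, which should either be documented in a comment or aligned with TestEKUParsingLeafSigner.ini via `ProviderName = "Microsoft Software Key Storage Provider"`, `KeyAlgorithm = "ECDSA_P256"` and `KeyLength = 256`. The key usage `CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE` grants an end-entity signer keyCertSign and cRLSign, contradicting the documented CERT_DIGITAL_SIGNATURE_KEY_USAGE for leaves; restrict it to `CERT_DIGITAL_SIGNATURE_KEY_USAGE` unless the over-broad usage is itself the case under test, in which case say so in a comment. The EKU pair is also declared twice (`[EnhancedKeyUsageExtension]` and `[Extensions]`); one declaration is enough.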
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini
new file mode 100644
index 0000000000..67c5741f4d
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini
@@ -0,0 +1,27 @@
+[Version]
+Signature="$Windows NT$
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+OID = 1.3.6.1.4.1.311.76.9.21.1.12345
+
+[NewRequest]
+Subject = "CN=TestEKUParsingLeafSignerPid12345"
+Exportable = true
+KeyLength = 2048
+HashAlgorithm = sha256
+KeySpec = AT_SIGNATURE
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 5
+ValidityPeriod = Years
+
+[Extensions]
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1,"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1.12345"
+
+
+
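Review bot: This leaf declares `KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"`, giving a signing end-entity keyCertSign and cRLSign that the chain diagram does not list and that a firmware verifier has no reason to accept; unless that is the intended negative case, reduce it to `CERT_DIGITAL_SIGNATURE_KEY_USAGE`. Likewise `KeyLength = 2048` without `KeyAlgorithm`/`ProviderName` does not produce the documented ECC P-256 key (it presumably yields RSA); either add the ECDSA_P256 settings used by TestEKUParsingLeafSigner.ini or note the deviation in a comment so the hex fixtures in the unit tests are understood to be RSA signatures. Declaring the EKUs in both `[EnhancedKeyUsageExtension]` and `[Extensions]` is redundant; keep one.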
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini
new file mode 100644
index 0000000000..60743b02a9
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini
@@ -0,0 +1,16 @@
+[Version]
+Signature="$Windows NT$
+
+
+[NewRequest]
+Subject = "CN=TestEKUParsingNoEKUsInSigner"
+Exportable = true
+KeyLength = 2048
+HashAlgorithm = sha256
+KeySpec = AT_SIGNATURE
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
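Review bot: The absence of any EKU section is the whole point of this fixture, but nothing in the file says so; a leading comment such as `; Deliberately no [EnhancedKeyUsageExtension] — negative test for signers without EKUs` would stop a later edit from "completing" it. As with the other RSA-style leaves, `KeyLength = 2048` with no `KeyAlgorithm`/`ProviderName` diverges from the ECC P-256 leaf described in the chain diagram, and `KeyUsage` grants keyCertSign and cRLSign to an end-entity; both deserve either alignment with TestEKUParsingLeafSigner.ini or an explicit comment.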
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini
new file mode 100644
index 0000000000..2ccda66596
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini
@@ -0,0 +1,28 @@
+[Version]
+Signature="$Windows NT$
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; 2.5.29.19 == Basic Constraints for CA
+[Strings]
+szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
+
+[NewRequest]
+Subject = "CN=TestEKUParsingPolicyCA"
+Exportable = true
+KeyLength = 384
+HashAlgorithm = sha256
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = "ECDSA_P384"
+
+
+[Extensions]
+%szOID_BASIC_CONSTRAINTS2% = "{text}"
+ _continue_ = "ca=True"
+
+Critical=%szOID_BASIC_CONSTRAINTS2%
+
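Review bot: This policy CA carries no path-length constraint even though ChainCreationInstructions.txt says it exists only to issue subordinate CAs; add a `[BasicConstraintsExtension]` section with `PathLength=1` (mirroring the issuing CA's `PathLength=0`) so the fixture actually encodes that the hierarchy ends one CA level below it. `KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"` also omits the CERT_CRL_SIGN_KEY_USAGE the chain diagram lists for this CA; correct whichever side is wrong. Whether a separate `[BasicConstraintsExtension]` section coexists cleanly with the `2.5.29.19` entry under `[Extensions]` is something to confirm against certreq.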
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini
new file mode 100644
index 0000000000..d8cd7d1f82
--- /dev/null
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini
@@ -0,0 +1,28 @@
+[Version]
+Signature="$Windows NT$
+
+[Strings]
+szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
+
+[NewRequest]
+Subject = "CN=TestEKUParsingRoot"
+Exportable = true
+KeyLength = 521
+HashAlgorithm = sha256
+KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 30
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = ECDSA_P521
+
+
+
+
+[Extensions]
+%szOID_BASIC_CONSTRAINTS2% = "{text}"
+ _continue_ = "ca=True"
+
+Critical=%szOID_BASIC_CONSTRAINTS2%
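Review bot: `Signature="$Windows NT$` is missing its closing quote, as in every INI in this directory; certreq evidently tolerated it when the fixtures were produced, but `Signature="$Windows NT$"` is the documented form and avoids depending on lenient parsing. The root also adds CERT_DIGITAL_SIGNATURE_KEY_USAGE to the keyCertSign/cRLSign pair, which a root that only signs certificates and CRLs does not need; the chain diagram documents it, so if it is intentional a one-line comment saying why would keep a reader from trimming it. No `PathLength` is set, which is acceptable for a root, but a comment noting that the depth constraint is delegated to the issuing CA would make the design explicit.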