Commit 694bfd6f (MC)

```bat
@ECHO OFF
REM This script will use various certificates to sign blobs for testing purposes.
REM
REM
REM Our EKU test certificate chain:
REM ------------------------------------------
REM |                                        |  // Root of trust. ECDSA P521 curve
REM |           TestEKUParsingRoot           |  // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM |                                        |  // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
REM ------------------------------------------
REM                     ^
REM                     |
REM ------------------------------------------
REM |                                        |  // Issues subordinate CAs. ECC P384 curve.
REM |         TestEKUParsingPolicyCA         |  // SHA 256 Key Usage:
REM |                                        |  // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
REM ------------------------------------------
REM                     ^
REM                     |
REM ------------------------------------------
REM |                                        |  // Issues end-entity (leaf) signers. ECC P256 curve.
REM |        TestEKUParsingIssuingCA         |  // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM |                                        |  // Enhanced Key Usage:
REM ------------------------------------------  // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
REM                     ^
REM                     |
REM --------------------------------------
REM /  TestEKUParsingLeafSigner &&       /      // Leaf signer, ECC P256 curve.
REM /  TestEKUParsingLeafSignerPid12345  /      // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM /                                    /      // Enhanced Key usages:
REM --------------------------------------      // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
REM                                             // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
REM
REM
REM
REM Dev Note: SignTool.exe must be in your path when running this script.

del *.p7b
ECHO -------------------------------------------------------------------
ECHO Press any key 4 times to append time to the test blobs to sign.
time >> TestSignWithOneEKUInLeafSigner.bin
time >> TestSignWithTwoEKUsInLeafSignerPid1.bin
time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin
time >> TestSignWithNoEKUsInLeafSigner.bin


REM
REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,
REM and add the Policy CA in the signature.
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin

REM
REM Create a signature with two EKUs in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin

REM
REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin


REM
REM Create a signature with a leaf that does not have any EKUs in the signature.
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin

REM
REM Rename *.p7 to *.p7b
REM
rename *.p7 *.p7b
ECHO ---------------------------------------------------------------------------
ECHO Now you can use your favorite "Binary To Hex" converter to convert the
ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h
ECHO ---------------------------------------------------------------------------
```
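The four blobs the script signs differ only in which Extended Key Usage OIDs the leaf certificate carries (one EKU, two EKUs with product ID 1, two EKUs with product ID 12345, none), so the consumer of these signatures has to parse the leaf's EKU extension and match each required OID exactly. The following is an added example, not code from the script or the project it belongs to: it DER-encodes and parses an `ExtKeyUsageSyntax` value (RFC 5280, section 4.2.1.12) for the OIDs named in the script, and applies a required-EKU check in the spirit of those four test cases. The EKU values are constructed here from the OIDs in the script; the check function `ekus_satisfied` and its `require_all` flag are this example's own, not the project's API.

```python
"""DER-encode and parse an X.509 Extended Key Usage value, then check a leaf's
EKUs against a required set. Added example; OIDs come from the script above,
the encoded extension values are constructed for the demonstration."""

# OIDs from the test chain described in the script.
SURFACE_FIRMWARE_SIGNING = "1.3.6.1.4.1.311.76.9.21.1"


def product_id_oid(pid: int) -> str:
    """Per-product EKU: 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID."""
    return f"{SURFACE_FIRMWARE_SIGNING}.{pid}"


def _der_len(n: int) -> bytes:
    """DER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])           # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return b"\x06" + _der_len(len(body)) + bytes(body)


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_len(buf: bytes, i: int):
    """Read a DER length at buf[i]; returns (length, index after length)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4 or i + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i:i + n], "big"), i + n


def decode_oid_body(body: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER back into dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val or not arcs:
        raise ValueError("truncated OID arc")  # last octet still had the continuation bit
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der: bytes):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs, rejecting
    trailing data, truncation and non-OID elements."""
    if not der or der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    length, i = _read_len(der, 1)
    if i + length != len(der):
        raise ValueError("trailing or truncated data in EKU SEQUENCE")
    oids = []
    while i < len(der):
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        l, j = _read_len(der, i + 1)
        if j + l > len(der):
            raise ValueError("OID runs past end of EKU")
        oids.append(decode_oid_body(der[j:j + l]))
        i = j + l
    return oids


def ekus_satisfied(leaf_ekus, required, require_all: bool = True) -> bool:
    """Exact-match check: an OID prefix (e.g. the base signing EKU) never
    satisfies a longer product-specific OID, and vice versa."""
    present = set(leaf_ekus)
    hits = [r in present for r in required]
    return all(hits) if require_all else any(hits)


if __name__ == "__main__":
    for name, ekus in [("OneEKU", [SURFACE_FIRMWARE_SIGNING]),
                       ("Pid1", [SURFACE_FIRMWARE_SIGNING, product_id_oid(1)]),
                       ("Pid12345", [SURFACE_FIRMWARE_SIGNING, product_id_oid(12345)]),
                       ("NoEKUs", [])]:
        parsed = parse_eku(encode_eku(ekus))
        print(name, parsed, ekus_satisfied(parsed, [SURFACE_FIRMWARE_SIGNING, product_id_oid(12345)]))
```

The encoder is only there to build realistic input offline; in a real verifier the EKU value comes from the signer certificate inside the PKCS#7 blob, and the parser's strictness about lengths and trailing bytes is what keeps a malformed extension from being read as a permissive one.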