[mirror_edk2.git] / CryptoPkg / Test / UnitTest / Library / BaseCryptLib / TestEKUCerts / SignFirmwareWithEKUs.cmd

@ECHO OFF\r
REM   This script will use various certificates to sign blobs for testing purposes.\r
REM\r
REM\r
REM   Our EKU test certificate chain:\r
REM   ------------------------------------------\r
REM   |                                          | // Root of trust. ECDSA P521 curve\r
REM   |          TestEKUParsingRoot              | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
REM   |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE\r
REM    ------------------------------------------\r
REM                      ^\r
REM                      |\r
REM    ------------------------------------------\r
REM   |                                          | // Issues subordinate CAs. ECC P384 curve.\r
REM   |       TestEKUParsingPolicyCA             | // SHA 256 Key Usage:\r
REM   |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE\r
REM    ------------------------------------------\r
REM                      ^\r
REM                      |\r
REM    ------------------------------------------\r
REM   |                                          | // Issues end-entity (leaf) signers. ECC P256 curve.\r
REM   |        TestEKUParsingIssuingCA           | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
REM   |                                          | // Enhanced Key Usage:\r
REM    ------------------------------------------  // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
REM                      ^\r
REM                      |\r
REM       --------------------------------------\r
REM      /     TestEKUParsingLeafSigner &&     /   // Leaf signer,  ECC P256 curve.\r
REM     /    TestEKUParsingLeafSignerPid12345 /    // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
REM    /                                     /     // Enhanced Key usages:\r
REM    --------------------------------------      // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
REM                                                // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.\r
REM\r
REM\r
REM\r
REM  Dev Note:  SignTool.exe must be in your path when running this script.\r
\r
del *.p7b\r
ECHO -------------------------------------------------------------------\r
ECHO Press any key 4 times to append time to the test blobs to sign.\r
time >> TestSignWithOneEKUInLeafSigner.bin\r
time >> TestSignWithTwoEKUsInLeafSignerPid1.bin\r
time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin\r
time >> TestSignWithNoEKUsInLeafSigner.bin\r
\r
\r
REM\r
REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,\r
REM and add the Policy CA in the signature.\r
REM\r
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer                           /p7 .  /u 1.3.6.1.4.1.311.76.9.21.1    /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin\r
\r
REM\r
REM Create a signature with two EKU's in the leaf signer.  (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)\r
REM\r
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer                           /p7 .  /u 1.3.6.1.4.1.311.76.9.21.1.1  /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin\r
\r
REM\r
REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)\r
REM\r
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer                           /p7 .  /u 1.3.6.1.4.1.311.76.9.21.1.12345   /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin\r
\r
\r
REM\r
REM Create a signature with a leaf that does not have any EKUs in the signture.\r
REM\r
call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 .  /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin\r
\r
REM\r
REM Rename *.p7 to *.p7b\r
REM\r
rename *.p7 *.p7b\r
ECHO ---------------------------------------------------------------------------\r
ECHO Now you can use your favorite "Binary To Hex" converter to convert the\r
ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h\r
ECHO ---------------------------------------------------------------------------\r
Commit	Line	Data
694bfd6f MC	1	@ECHO OFF\r
	2	REM This script will use various certificates to sign blobs for testing purposes.\r
	3	REM\r
	4	REM\r
	5	REM Our EKU test certificate chain:\r
	6	REM ------------------------------------------\r
	7	REM \| \| // Root of trust. ECDSA P521 curve\r
	8	REM \| TestEKUParsingRoot \| // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
	9	REM \| \| // CERT_KEY_CERT_SIGN_KEY_USAGE \| CERT_CRL_SIGN_KEY_USAGE\r
	10	REM ------------------------------------------\r
	11	REM ^\r
	12	REM \|\r
	13	REM ------------------------------------------\r
	14	REM \| \| // Issues subordinate CAs. ECC P384 curve.\r
	15	REM \| TestEKUParsingPolicyCA \| // SHA 256 Key Usage:\r
	16	REM \| \| // CERT_KEY_CERT_SIGN_KEY_USAGE \| CERT_CRL_SIGN_KEY_USAGE\r
	17	REM ------------------------------------------\r
	18	REM ^\r
	19	REM \|\r
	20	REM ------------------------------------------\r
	21	REM \| \| // Issues end-entity (leaf) signers. ECC P256 curve.\r
	22	REM \| TestEKUParsingIssuingCA \| // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
	23	REM \| \| // Enhanced Key Usage:\r
	24	REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
	25	REM ^\r
	26	REM \|\r
	27	REM --------------------------------------\r
	28	REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.\r
	29	REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
	30	REM / / // Enhanced Key usages:\r
	31	REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
	32	REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.\r
	33	REM\r
	34	REM\r
	35	REM\r
	36	REM Dev Note: SignTool.exe must be in your path when running this script.\r
	37	\r
	38	del *.p7b\r
	39	ECHO -------------------------------------------------------------------\r
	40	ECHO Press any key 4 times to append time to the test blobs to sign.\r
	41	time >> TestSignWithOneEKUInLeafSigner.bin\r
	42	time >> TestSignWithTwoEKUsInLeafSignerPid1.bin\r
	43	time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin\r
	44	time >> TestSignWithNoEKUsInLeafSigner.bin\r
	45	\r
	46	\r
	47	REM\r
	48	REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,\r
	49	REM and add the Policy CA in the signature.\r
	50	REM\r
	51	call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin\r
	52	\r
	53	REM\r
	54	REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)\r
	55	REM\r
	56	call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin\r
	57	\r
	58	REM\r
	59	REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)\r
	60	REM\r
	61	call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin\r
	62	\r
	63	\r
	64	REM\r
65	REM Create a signature with a leaf that does not have any EKUs in the signture.\r
66	REM\r
67	call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin\r
68	\r
69	REM\r
70	REM Rename .p7 to .p7b\r
71	REM\r
72	rename .p7 .p7b\r
73	ECHO ---------------------------------------------------------------------------\r
74	ECHO Now you can use your favorite "Binary To Hex" converter to convert the\r
75	ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h\r
76	ECHO ---------------------------------------------------------------------------\r