CryptoPkg: BaseCryptLib: Add unit tests (Host and Shell based)
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd
new file mode 100644 (file)
index 0000000..ce03e33
--- /dev/null
@@ -0,0 +1,76 @@
+@ECHO OFF\r
+REM   This script will use various certificates to sign blobs for testing purposes.\r
+REM\r
+REM\r
+REM   Our EKU test certificate chain:\r
+REM   ------------------------------------------\r
+REM   |                                          | // Root of trust. ECDSA P521 curve\r
+REM   |          TestEKUParsingRoot              | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
+REM   |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE\r
+REM    ------------------------------------------\r
+REM                      ^\r
+REM                      |\r
+REM    ------------------------------------------\r
+REM   |                                          | // Issues subordinate CAs. ECC P384 curve.\r
+REM   |       TestEKUParsingPolicyCA             | // SHA 256 Key Usage:\r
+REM   |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE\r
+REM    ------------------------------------------\r
+REM                      ^\r
+REM                      |\r
+REM    ------------------------------------------\r
+REM   |                                          | // Issues end-entity (leaf) signers. ECC P256 curve.\r
+REM   |        TestEKUParsingIssuingCA           | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
+REM   |                                          | // Enhanced Key Usage:\r
+REM    ------------------------------------------  // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
+REM                      ^\r
+REM                      |\r
+REM       --------------------------------------\r
+REM      /     TestEKUParsingLeafSigner &&     /   // Leaf signer,  ECC P256 curve.\r
+REM     /    TestEKUParsingLeafSignerPid12345 /    // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
+REM    /                                     /     // Enhanced Key usages:\r
+REM    --------------------------------------      // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
+REM                                                // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.\r
+REM\r
+REM\r
+REM\r
+REM  Dev Note:  SignTool.exe must be in your path when running this script.\r
+\r
+del *.p7b\r
+ECHO -------------------------------------------------------------------\r
+ECHO Press any key 4 times to append time to the test blobs to sign.\r
+time >> TestSignWithOneEKUInLeafSigner.bin\r
+time >> TestSignWithTwoEKUsInLeafSignerPid1.bin\r
+time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin\r
+time >> TestSignWithNoEKUsInLeafSigner.bin\r
+\r
+\r
+REM\r
+REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,\r
+REM and add the Policy CA in the signature.\r
+REM\r
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer                           /p7 .  /u 1.3.6.1.4.1.311.76.9.21.1    /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin\r
+\r
+REM\r
+REM Create a signature with two EKU's in the leaf signer.  (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)\r
+REM\r
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer                           /p7 .  /u 1.3.6.1.4.1.311.76.9.21.1.1  /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin\r
+\r
+REM\r
+REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)\r
+REM\r
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer                           /p7 .  /u 1.3.6.1.4.1.311.76.9.21.1.12345   /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin\r
+\r
+\r
+REM\r
+REM Create a signature with a leaf that does not have any EKUs in the signture.\r
+REM\r
+call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 .  /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin\r
+\r
+REM\r
+REM Rename *.p7 to *.p7b\r
+REM\r
+rename *.p7 *.p7b\r
+ECHO ---------------------------------------------------------------------------\r
+ECHO Now you can use your favorite "Binary To Hex" converter to convert the\r
+ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h\r
+ECHO ---------------------------------------------------------------------------\r
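Review bot: None of the four `call signtool.exe sign ...` lines checks the tool's exit status, so a failed signing (missing private key, SignTool not on PATH, wrong EKU on the selected cert) is silently skipped and the script still runs `rename *.p7 *.p7b` and prints the success banner; because the `.p7` outputs are then mixed with whatever the earlier `del *.p7b` left behind, a test fixture regenerated this way can end up with a stale or missing signature for one of the four blobs without anyone noticing. Append `|| exit /b 1` to each `call signtool.exe ...` line (or follow each with `if errorlevel 1 exit /b 1`) so the script stops at the first failed signature. The unguarded `del *.p7b` at the top also removes every `.p7b` in the current directory, not just the four this script produces; a comment such as `REM Deletes ALL *.p7b in the CWD - run only from TestEKUCerts` would at least make that explicit. The comment on the last signing step has a typo, `signture` should read `signature`.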