# keep the tool as simple as possible, it has the following limitations:\r
# * Do not support vendor code bytes in a capsule.\r
#\r
-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>\r
+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>\r
# SPDX-License-Identifier: BSD-2-Clause-Patent\r
#\r
\r
# Globals for help information\r
#\r
__prog__ = 'GenerateCapsule'\r
-__version__ = '0.9'\r
-__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'\r
+__version__ = '0.10'\r
+__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights reserved.'\r
__description__ = 'Generate a capsule.\n'\r
\r
-def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):\r
+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False):\r
#\r
# Create a temporary directory\r
#\r
Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))\r
Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '\r
Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)\r
- Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)\r
+ if PfxFile is not None:\r
+ Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)\r
+ if SubjectName is not None:\r
+ Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName)\r
Command = Command + TempFileName\r
if Verbose:\r
print (Command)\r
shutil.rmtree (TempDirectoryName)\r
return Signature\r
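Review bot: The subject name is appended unquoted on line 30 (`/n {SubjectName} `), so a subject name containing spaces, which certificate subject names routinely do, would be split into several signtool arguments, while the tool path on line 23 is quoted. Suggest `Command = Command + '/n "{SubjectName}" '.format (SubjectName = SubjectName)` and quoting the `/f` value on line 28 the same way. The value comes from the JSON config or the command line and is spliced into a single command string; how that string is executed is not visible here, so whether shell metacharacters in it matter depends on that call, and passing the arguments as a list would avoid both problems. The body of SignPayloadSignTool continues outside this hunk.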
\r
-def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = False):\r
+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False):\r
print ('signtool verify is not supported.')\r
raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')\r
\r
HardwareInstance = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0)\r
MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)\r
SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)\r
OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
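Review bot: `SignToolSubjectName` on line 45 is converted with `Open = True`, the same setting used for the certificate file entries, but the value is a subject name rather than a path; if `Open` makes ConvertJsonValue open the value as a file (as it presumably does for `SignToolPfxFile`, which is later `close()`d and replaced by its `.name` on lines 122–124), a subject name would fail to open or be carried around as a file object. Line 59 has the same call. Suggest `SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None)` — confirm against ConvertJsonValue, which is outside this hunk.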
HardwareInstance,\r
UpdateImageIndex,\r
SignToolPfxFile,\r
+ SignToolSubjectName,\r
OpenSslSignerPrivateCertFile,\r
OpenSslOtherPublicCertFile,\r
OpenSslTrustedPublicCertFile,\r
UpdateImageIndex = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1)\r
MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)\r
SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)\r
OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)\r
HardwareInstance,\r
UpdateImageIndex,\r
SignToolPfxFile,\r
+ SignToolSubjectName,\r
OpenSslSignerPrivateCertFile,\r
OpenSslOtherPublicCertFile,\r
OpenSslTrustedPublicCertFile,\r
"HardwareInstance": str(PayloadDescriptor.HardwareInstance),\r
"UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex),\r
"SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile),\r
+ "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName),\r
"OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile),\r
"OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile),\r
"OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile),\r
for PayloadField in PayloadSection:\r
if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:\r
del PayloadField ['SignToolPfxFile']\r
+ if PayloadJsonDescriptorList[Index].SignToolSubjectName is None:\r
+ del PayloadField ['SignToolSubjectName']\r
if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:\r
del PayloadField ['OpenSslSignerPrivateCertFile']\r
if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:\r
if args.SignToolPfxFile:\r
print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j')\r
sys.exit (1)\r
+ if args.SignToolSubjectName:\r
+ print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j')\r
+ sys.exit (1)\r
if args.OpenSslSignerPrivateCertFile:\r
print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j')\r
sys.exit (1)\r
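Review bot: The error message on line 89 names the option `--SubjectName`, but the argument is registered as `--subject-name` (line 173), so the text a user sees will not match the flag they passed. Suggest `print ('GenerateCapsule: error: Argument --subject-name conflicts with Argument -j')`, matching the form of the neighbouring messages on lines 86 and 92.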
HardwareInstance = 0,\r
UpdateImageIndex = 1,\r
SignToolPfxFile = None,\r
+ SignToolSubjectName = None,\r
OpenSslSignerPrivateCertFile = None,\r
OpenSslOtherPublicCertFile = None,\r
OpenSslTrustedPublicCertFile = None,\r
self.HardwareInstance = HardwareInstance\r
self.UpdateImageIndex = UpdateImageIndex\r
self.SignToolPfxFile = SignToolPfxFile\r
+ self.SignToolSubjectName = SignToolSubjectName\r
self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile\r
self.OpenSslOtherPublicCertFile = OpenSslOtherPublicCertFile\r
self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile\r
self.SigningToolPath = SigningToolPath\r
self.DepexExp = DepexExp\r
\r
- self.UseSignTool = self.SignToolPfxFile is not None\r
+ self.UseSignTool = (self.SignToolPfxFile is not None or\r
+ self.SignToolSubjectName is not None)\r
self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not None and\r
self.OpenSslOtherPublicCertFile is not None and\r
self.OpenSslTrustedPublicCertFile is not None)\r
raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x0..0xff')\r
\r
if self.UseSignTool:\r
- self.SignToolPfxFile.close()\r
- self.SignToolPfxFile = self.SignToolPfxFile.name\r
+ if self.SignToolPfxFile is not None:\r
+ self.SignToolPfxFile.close()\r
+ self.SignToolPfxFile = self.SignToolPfxFile.name\r
if self.UseOpenSsl:\r
self.OpenSslSignerPrivateCertFile.close()\r
self.OpenSslOtherPublicCertFile.close()\r
args.HardwareInstance,\r
args.UpdateImageIndex,\r
args.SignToolPfxFile,\r
+ args.SignToolSubjectName,\r
args.OpenSslSignerPrivateCertFile,\r
args.OpenSslOtherPublicCertFile,\r
args.OpenSslTrustedPublicCertFile,\r
Result + struct.pack ('<Q', SinglePayloadDescriptor.MonotonicCount),\r
SinglePayloadDescriptor.SigningToolPath,\r
SinglePayloadDescriptor.SignToolPfxFile,\r
+ SinglePayloadDescriptor.SignToolSubjectName,\r
Verbose = args.Verbose\r
)\r
else:\r
args.HardwareInstance,\r
args.UpdateImageIndex,\r
args.SignToolPfxFile,\r
+ args.SignSubjectName,\r
args.OpenSslSignerPrivateCertFile,\r
args.OpenSslOtherPublicCertFile,\r
args.OpenSslTrustedPublicCertFile,\r
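Review bot: Line 145 reads `args.SignSubjectName`, but the argparse dest is `SignToolSubjectName` (line 173) and the parallel list on line 131 uses `args.SignToolSubjectName`, so this branch would raise AttributeError at runtime. Change it to `args.SignToolSubjectName,`. The enclosing block starts and ends outside this hunk, so I cannot tell which command path the `else:` on line 141 belongs to.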
HardwareInstance,\r
UpdateImageIndex,\r
PayloadDescriptorList[Index].SignToolPfxFile,\r
+ PayloadDescriptorList[Index].SignToolSubjectName,\r
PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,\r
PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,\r
PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,\r
HardwareInstance,\r
UpdateImageIndex,\r
PayloadDescriptorList[Index].SignToolPfxFile,\r
+ PayloadDescriptorList[Index].SignToolSubjectName,\r
PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,\r
PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,\r
PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,\r
FmpAuthHeader.CertData,\r
SinglePayloadDescriptor.SigningToolPath,\r
SinglePayloadDescriptor.SignToolPfxFile,\r
+ SinglePayloadDescriptor.SignToolSubjectName,\r
Verbose = args.Verbose\r
)\r
else:\r
\r
parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),\r
help="signtool PFX certificate filename.")\r
+ parser.add_argument ("--subject-name", dest='SignToolSubjectName',\r
+ help="signtool certificate subject name.")\r
\r
parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),\r
help="OpenSSL signer private certificate filename.")\r