diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-11 08:17:27 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-11 08:17:27 +0000 |
commit | f215e02bf85f68d3a6106c2a1f4f7f063f819064 (patch) | |
tree | 6bb5b92c046312c4e95ac2620b10ddf482d3fa8b /src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts | |
parent | Initial commit. (diff) | |
download | virtualbox-f215e02bf85f68d3a6106c2a1f4f7f063f819064.tar.xz virtualbox-f215e02bf85f68d3a6106c2a1f4f7f063f819064.zip |
Adding upstream version 7.0.14-dfsg.upstream/7.0.14-dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts')
10 files changed, 372 insertions, 0 deletions
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt new file mode 100644 index 00000000..10bff431 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt @@ -0,0 +1,92 @@ +-------------------------------------------------------------------------------- +File: ChainCreationInstructions.txt + +Description: This folder contains INI files that are required to generate + the following test cert chains. Certs will be copied onto the + file system AND MY store when they are generated by certreq.exe. + +Note that typically certreq.exe operates on INF files, but in this folder +we use INI files so that our build system does not complain about INF's being +in the tree, but not in the CryptoPkg.dsc file. + +To create your own certificates and signatures for testing, this file demonstrates +how the test certificate chains and signatures were created. + +To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in +your path). You can then use your favorite BinaryToHex converter to convert +the binary into a byte array that you can include in unit tests. + +Copyright (C) Microsoft Corporation. All Rights Reserved. +-------------------------------------------------------------------------------- +Cert Chain: + + ------------------------------------------ + | | // Root of trust. ECDSA P521 curve + | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE + ------------------------------------------ + ^ + | + ------------------------------------------ + | | // Issues subordinate CAs. ECC P384 curve. + | TestEKUParsingPolicyCA | // SHA 256 Key Usage: + | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE + ------------------------------------------ + ^ + | + ------------------------------------------ + | | // Issues end-entity (leaf) signers. ECC P256 curve. + | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + | | // Enhanced Key Usage: + ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) + ^ + | + -------------------------------------- + / / // Leaf signer, ECC P256 curve. + / TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE + / / // Enhanced Key usages: + -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) + // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID. + + + + +--------------------------------------------------------------------------------- + + +--- files required --- + +TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live. +TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints. +TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs. +TestEKUParsingLeafSigner.ini - End-Entity leaf signer. +TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345. +TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified. +TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints. +--- Commands to execute --- + +certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer +certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer +certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer +certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer + +--------------------------------------------------------------------------------- + +Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below. +Note: You should see a little key on the top left of each cert icon, which means you have the private key + for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks, + export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible. + + If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has + an Export-PfxCertificate command. + +Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot + TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA + TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA + TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner + TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345 + TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd new file mode 100644 index 00000000..6d68afda --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd @@ -0,0 +1,11 @@ +@ECHO OFF
+REM
+REM Use this file to create test certificates.
+REM
+call certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
+call certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
+call certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd new file mode 100644 index 00000000..ce03e33a --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd @@ -0,0 +1,76 @@ +@ECHO OFF
+REM This script will use various certificates to sign blobs for testing purposes.
+REM
+REM
+REM Our EKU test certificate chain:
+REM ------------------------------------------
+REM | | // Root of trust. ECDSA P521 curve
+REM | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+REM ------------------------------------------
+REM ^
+REM |
+REM ------------------------------------------
+REM | | // Issues subordinate CAs. ECC P384 curve.
+REM | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
+REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+REM ------------------------------------------
+REM ^
+REM |
+REM ------------------------------------------
+REM | | // Issues end-entity (leaf) signers. ECC P256 curve.
+REM | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM | | // Enhanced Key Usage:
+REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+REM ^
+REM |
+REM --------------------------------------
+REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
+REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM / / // Enhanced Key usages:
+REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
+REM
+REM
+REM
+REM Dev Note: SignTool.exe must be in your path when running this script.
+
+del *.p7b
+ECHO -------------------------------------------------------------------
+ECHO Press any key 4 times to append time to the test blobs to sign.
+time >> TestSignWithOneEKUInLeafSigner.bin
+time >> TestSignWithTwoEKUsInLeafSignerPid1.bin
+time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin
+time >> TestSignWithNoEKUsInLeafSigner.bin
+
+
+REM
+REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,
+REM and add the Policy CA in the signature.
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin
+
+REM
+REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin
+
+REM
+REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin
+
+
+REM
+REM Create a signature with a leaf that does not have any EKUs in the signture.
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin
+
+REM
+REM Rename *.p7 to *.p7b
+REM
+rename *.p7 *.p7b
+ECHO ---------------------------------------------------------------------------
+ECHO Now you can use your favorite "Binary To Hex" converter to convert the
+ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h
+ECHO ---------------------------------------------------------------------------
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini new file mode 100644 index 00000000..b8683039 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini @@ -0,0 +1,45 @@ +[Version] +Signature="$Windows NT$ +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; 2.5.29.19 == Basic Constraints for CA +[Strings] +szOID_BASIC_CONSTRAINTS2 = "2.5.29.19" + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 + +[NewRequest] +Subject = "CN=TestEKUParsingIssuingCA" +Exportable = true +KeyLength = 256 +HashAlgorithm = sha256 +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = "ECDSA_P256" + + +[Extensions] +%szOID_BASIC_CONSTRAINTS2% = "{text}" + _continue_ = "ca=True" + +Critical=%szOID_BASIC_CONSTRAINTS2% + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; This extension is so the this CA is only allowed to +; issue end-entity certs. +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[BasicConstraintsExtension] +PathLength=0 + +; +; Surface Firmware Signing EKU +; +[Extensions] + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.76.9.21.1" + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini new file mode 100644 index 00000000..20135ba9 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini @@ -0,0 +1,25 @@ +[Version] +Signature="$Windows NT$ + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 + +[NewRequest] +Subject = "CN=TestEKUParsingLeafSigner" +Exportable = true +KeyLength = 256 +HashAlgorithm = sha256 +KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = "ECDSA_P256" + +; +; Surface test firwmare signing EKU +; +[Extensions] + _continue_ = "1.3.6.1.4.1.311.76.9.21.1" diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini new file mode 100644 index 00000000..1f9957ce --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini @@ -0,0 +1,24 @@ +[Version] +Signature="$Windows NT$ + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 +OID = 1.3.6.1.4.1.311.76.9.21.1.1 + +[NewRequest] +Subject = "CN=TestEKUParsingLeafSignerPid1" +Exportable = true +KeyLength = 2048 +HashAlgorithm = sha256 +KeySpec = AT_SIGNATURE +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 5 +ValidityPeriod = Years + +[Extensions] + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.76.9.21.1," + _continue_ = "1.3.6.1.4.1.311.76.9.21.1.1" diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini new file mode 100644 index 00000000..7f17d8e1 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini @@ -0,0 +1,27 @@ +[Version] +Signature="$Windows NT$ + +[EnhancedKeyUsageExtension] +OID = 1.3.6.1.4.1.311.76.9.21.1 +OID = 1.3.6.1.4.1.311.76.9.21.1.12345 + +[NewRequest] +Subject = "CN=TestEKUParsingLeafSignerPid12345" +Exportable = true +KeyLength = 2048 +HashAlgorithm = sha256 +KeySpec = AT_SIGNATURE +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 5 +ValidityPeriod = Years + +[Extensions] + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.76.9.21.1," + _continue_ = "1.3.6.1.4.1.311.76.9.21.1.12345" + + + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini new file mode 100644 index 00000000..266360d2 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini @@ -0,0 +1,16 @@ +[Version] +Signature="$Windows NT$ + + +[NewRequest] +Subject = "CN=TestEKUParsingNoEKUsInSigner" +Exportable = true +KeyLength = 2048 +HashAlgorithm = sha256 +KeySpec = AT_SIGNATURE +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini new file mode 100644 index 00000000..1b0dcefb --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini @@ -0,0 +1,28 @@ +[Version] +Signature="$Windows NT$ +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; 2.5.29.19 == Basic Constraints for CA +[Strings] +szOID_BASIC_CONSTRAINTS2 = "2.5.29.19" + +[NewRequest] +Subject = "CN=TestEKUParsingPolicyCA" +Exportable = true +KeyLength = 384 +HashAlgorithm = sha256 +KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 20 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = "ECDSA_P384" + + +[Extensions] +%szOID_BASIC_CONSTRAINTS2% = "{text}" + _continue_ = "ca=True" + +Critical=%szOID_BASIC_CONSTRAINTS2% + diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini new file mode 100644 index 00000000..124e1e39 --- /dev/null +++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini @@ -0,0 +1,28 @@ +[Version] +Signature="$Windows NT$ + +[Strings] +szOID_BASIC_CONSTRAINTS2 = "2.5.29.19" + +[NewRequest] +Subject = "CN=TestEKUParsingRoot" +Exportable = true +KeyLength = 521 +HashAlgorithm = sha256 +KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE" +KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG" +MachineKeySet = True +RequestType = cert +ValidityPeriodUnits = 30 +ValidityPeriod = Years +ProviderName = "Microsoft Software Key Storage Provider" +KeyAlgorithm = ECDSA_P521 + + + + +[Extensions] +%szOID_BASIC_CONSTRAINTS2% = "{text}" + _continue_ = "ca=True" + +Critical=%szOID_BASIC_CONSTRAINTS2% |