From f215e02bf85f68d3a6106c2a1f4f7f063f819064 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 11 Apr 2024 10:17:27 +0200 Subject: Adding upstream version 7.0.14-dfsg. 
Signed-off-by: Daniel Baumann --- .../TestEKUCerts/ChainCreationInstructions.txt | 92 ++++++++++++++++++++++ .../BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd | 11 +++ .../TestEKUCerts/SignFirmwareWithEKUs.cmd | 76 ++++++++++++++++++ .../TestEKUCerts/TestEKUParsingIssuingCA.ini | 45 +++++++++++ .../TestEKUCerts/TestEKUParsingLeafSigner.ini | 25 ++++++ .../TestEKUCerts/TestEKUParsingLeafSignerPid1.ini | 24 ++++++ .../TestEKUParsingLeafSignerPid12345.ini | 27 +++++++ .../TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini | 16 ++++ .../TestEKUCerts/TestEKUParsingPolicyCA.ini | 28 +++++++ .../TestEKUCerts/TestEKUParsingRoot.ini | 28 +++++++ 10 files changed, 372 insertions(+) create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini create mode 100644 src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini create mode 100644 
src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini (limited to 'src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts')
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt
new file mode 100644
index 00000000..10bff431
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt
@@ -0,0 +1,92 @@
+--------------------------------------------------------------------------------
+File: ChainCreationInstructions.txt
+
+Description: This folder contains INI files that are required to generate
+ the following test cert chains. Certs will be copied onto the
+ file system AND MY store when they are generated by certreq.exe.
+
+Note that typically certreq.exe operates on INF files, but in this folder
+we use INI files so that our build system does not complain about INF's being
+in the tree, but not in the CryptoPkg.dsc file.
+
+To create your own certificates and signatures for testing, this file demonstrates
+how the test certificate chains and signatures were created.
+
+To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in
+your path). You can then use your favorite BinaryToHex converter to convert
+the binary into a byte array that you can include in unit tests.
+
+Copyright (C) Microsoft Corporation. All Rights Reserved.
+--------------------------------------------------------------------------------
+Cert Chain:
+
+ ------------------------------------------
+ | | // Root of trust. ECDSA P521 curve
+ | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+ ------------------------------------------
+ ^
+ |
+ ------------------------------------------
+ | | // Issues subordinate CAs. ECC P384 curve.
+ | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
+ | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+ ------------------------------------------
+ ^
+ |
+ ------------------------------------------
+ | | // Issues end-entity (leaf) signers. ECC P256 curve.
+ | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ | | // Enhanced Key Usage:
+ ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+ ^
+ |
+ --------------------------------------
+ / / // Leaf signer, ECC P256 curve.
+ / TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+ / / // Enhanced Key usages:
+ -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+ // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
+
+
+
+
+---------------------------------------------------------------------------------
+
+
+--- files required ---
+
+TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live.
+TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints.
+TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs.
+TestEKUParsingLeafSigner.ini - End-Entity leaf signer.
+TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
+TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified.
+TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints.
+--- Commands to execute ---
+
+certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
+certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
+certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
+certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
+
+---------------------------------------------------------------------------------
+
+Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below.
+Note: You should see a little key on the top left of each cert icon, which means you have the private key
+ for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks,
+ export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible.
+
+ If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has
+ an Export-PfxCertificate command.
+
+Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot
+ TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA
+ TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA
+ TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner
+ TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
+ TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner
+
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd
new file mode 100644
index 00000000..6d68afda
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/CreateTestCerts.cmd
@@ -0,0 +1,11 @@
+@ECHO OFF
+REM
+REM Use this file to create test certificates.
+REM
+call certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
+call certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
+call certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
+call certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd
new file mode 100644
index 00000000..ce03e33a
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/SignFirmwareWithEKUs.cmd
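Review bot: None of the seven `call certreq.exe` lines in CreateTestCerts.cmd checks the exit code, so a failed step does not stop the chain build. Each later call selects its issuer by name (`-cert "TestEKUParsingRoot"` and so on); if an earlier call fails, a certificate of the same name left in the store by a previous run could presumably be picked up instead, and the resulting chain would no longer match the INI files. Adding `if errorlevel 1 exit /b 1` after each call keeps a partial run from silently producing test certificates.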
@@ -0,0 +1,76 @@
+@ECHO OFF
+REM This script will use various certificates to sign blobs for testing purposes.
+REM
+REM
+REM Our EKU test certificate chain:
+REM ------------------------------------------
+REM | | // Root of trust. ECDSA P521 curve
+REM | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+REM ------------------------------------------
+REM ^
+REM |
+REM ------------------------------------------
+REM | | // Issues subordinate CAs. ECC P384 curve.
+REM | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
+REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
+REM ------------------------------------------
+REM ^
+REM |
+REM ------------------------------------------
+REM | | // Issues end-entity (leaf) signers. ECC P256 curve.
+REM | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM | | // Enhanced Key Usage:
+REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+REM ^
+REM |
+REM --------------------------------------
+REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
+REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
+REM / / // Enhanced Key usages:
+REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
+REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
+REM
+REM
+REM
+REM Dev Note: SignTool.exe must be in your path when running this script.
+
+del *.p7b
+ECHO -------------------------------------------------------------------
+ECHO Press any key 4 times to append time to the test blobs to sign.
+time >> TestSignWithOneEKUInLeafSigner.bin
+time >> TestSignWithTwoEKUsInLeafSignerPid1.bin
+time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin
+time >> TestSignWithNoEKUsInLeafSigner.bin
+
+
+REM
+REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,
+REM and add the Policy CA in the signature.
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin
+
+REM
+REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin
+
+REM
+REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin
+
+
+REM
+REM Create a signature with a leaf that does not have any EKUs in the signture.
+REM
+call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin
+
+REM
+REM Rename *.p7 to *.p7b
+REM
+rename *.p7 *.p7b
+ECHO ---------------------------------------------------------------------------
+ECHO Now you can use your favorite "Binary To Hex" converter to convert the
+ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h
+ECHO ---------------------------------------------------------------------------
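Review bot: SignFirmwareWithEKUs.cmd deletes and renames by wildcard in whatever directory it is started from (`del *.p7b`, `rename *.p7 *.p7b`) and never checks the result of the four `call signtool.exe` lines. A failed signing therefore still reaches the closing ECHO lines that tell the reader to copy the P7B files into AllTestSignatures.h, and `del *.p7b` does not clear a `*.p7` left over from an earlier run. I would add `pushd "%~dp0"` after `@ECHO OFF`, `del *.p7` next to the existing delete, and `if errorlevel 1 exit /b 1` after each signtool call.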
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini
new file mode 100644
index 00000000..b8683039
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingIssuingCA.ini
@@ -0,0 +1,45 @@
+[Version]
+Signature="$Windows NT$
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; 2.5.29.19 == Basic Constraints for CA
+[Strings]
+szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+
+[NewRequest]
+Subject = "CN=TestEKUParsingIssuingCA"
+Exportable = true
+KeyLength = 256
+HashAlgorithm = sha256
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = "ECDSA_P256"
+
+
+[Extensions]
+%szOID_BASIC_CONSTRAINTS2% = "{text}"
+ _continue_ = "ca=True"
+
+Critical=%szOID_BASIC_CONSTRAINTS2%
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; This extension is so the this CA is only allowed to
+; issue end-entity certs.
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[BasicConstraintsExtension]
+PathLength=0
+
+;
+; Surface Firmware Signing EKU
+;
+[Extensions]
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1"
+
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini
new file mode 100644
index 00000000..20135ba9
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSigner.ini
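Review bot: In TestEKUParsingIssuingCA.ini the path-length limit that the comment block promises ("only allowed to issue end-entity certs") sits in a separate `[BasicConstraintsExtension]` section, while the basic-constraints extension actually written under `[Extensions]` carries only `ca=True`. It is not evident from this file that certreq applies `PathLength=0` from that section to a request file, so the issued CA may carry no path-length constraint at all. As far as I know certreq's `{text}` form accepts both values in one extension, `_continue_ = "ca=True&pathlength=0"`, which would make the intent explicit. The file also declares `[Extensions]` twice; the EKU entry could move into the first one.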
@@ -0,0 +1,25 @@
+[Version]
+Signature="$Windows NT$
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+
+[NewRequest]
+Subject = "CN=TestEKUParsingLeafSigner"
+Exportable = true
+KeyLength = 256
+HashAlgorithm = sha256
+KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = "ECDSA_P256"
+
+;
+; Surface test firwmare signing EKU
+;
+[Extensions]
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1"
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini
new file mode 100644
index 00000000..1f9957ce
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid1.ini
@@ -0,0 +1,24 @@
+[Version]
+Signature="$Windows NT$
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+OID = 1.3.6.1.4.1.311.76.9.21.1.1
+
+[NewRequest]
+Subject = "CN=TestEKUParsingLeafSignerPid1"
+Exportable = true
+KeyLength = 2048
+HashAlgorithm = sha256
+KeySpec = AT_SIGNATURE
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 5
+ValidityPeriod = Years
+
+[Extensions]
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1,"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1.1"
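Review bot: In TestEKUParsingLeafSigner.ini the final `[Extensions]` section holds only `_continue_ = "1.3.6.1.4.1.311.76.9.21.1"`, with no `2.5.29.37 = "{text}"` line before it for the continuation to attach to. The sibling files (IssuingCA, LeafSignerPid1, LeafSignerPid12345) all have that line, so this looks like a dropped line; the EKU in the issued certificate then presumably comes only from `[EnhancedKeyUsageExtension]`. Either restore `2.5.29.37 = "{text}"` above the `_continue_` line or remove the section, so the file states a single source for the EKU.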
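Review bot: TestEKUParsingLeafSignerPid1.ini requests `CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE` for a leaf signer and sets `KeyLength = 2048` with `KeySpec = AT_SIGNATURE` and no `KeyAlgorithm`, whereas the chain diagrams in this commit describe the leaf as ECC P256 with digital-signature usage only. TestEKUParsingLeafSignerPid12345.ini and TestEKUParsingNoEKUsInSigner.ini carry the same lines. An end-entity signing certificate does not need certificate-signing or CRL-signing usage; `KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"` with `KeyAlgorithm = "ECDSA_P256"` and `KeyLength = 256`, as in TestEKUParsingLeafSigner.ini, would match the documented chain. If the broader settings are deliberate test input, a `;` comment saying so would help the next reader.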
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini
new file mode 100644
index 00000000..7f17d8e1
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingLeafSignerPid12345.ini
@@ -0,0 +1,27 @@
+[Version]
+Signature="$Windows NT$
+
+[EnhancedKeyUsageExtension]
+OID = 1.3.6.1.4.1.311.76.9.21.1
+OID = 1.3.6.1.4.1.311.76.9.21.1.12345
+
+[NewRequest]
+Subject = "CN=TestEKUParsingLeafSignerPid12345"
+Exportable = true
+KeyLength = 2048
+HashAlgorithm = sha256
+KeySpec = AT_SIGNATURE
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 5
+ValidityPeriod = Years
+
+[Extensions]
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1,"
+ _continue_ = "1.3.6.1.4.1.311.76.9.21.1.12345"
+
+
+
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini
new file mode 100644
index 00000000..266360d2
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingNoEKUsInSigner.ini
@@ -0,0 +1,16 @@
+[Version]
+Signature="$Windows NT$
+
+
+[NewRequest]
+Subject = "CN=TestEKUParsingNoEKUsInSigner"
+Exportable = true
+KeyLength = 2048
+HashAlgorithm = sha256
+KeySpec = AT_SIGNATURE
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini
new file mode 100644
index 00000000..1b0dcefb
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingPolicyCA.ini
@@ -0,0 +1,28 @@
+[Version]
+Signature="$Windows NT$
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; 2.5.29.19 == Basic Constraints for CA
+[Strings]
+szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
+
+[NewRequest]
+Subject = "CN=TestEKUParsingPolicyCA"
+Exportable = true
+KeyLength = 384
+HashAlgorithm = sha256
+KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 20
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = "ECDSA_P384"
+
+
+[Extensions]
+%szOID_BASIC_CONSTRAINTS2% = "{text}"
+ _continue_ = "ca=True"
+
+Critical=%szOID_BASIC_CONSTRAINTS2%
+
diff --git a/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini
new file mode 100644
index 00000000..124e1e39
--- /dev/null
+++ b/src/VBox/Devices/EFI/Firmware/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/TestEKUParsingRoot.ini
@@ -0,0 +1,28 @@
+[Version]
+Signature="$Windows NT$
+
+[Strings]
+szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"
+
+[NewRequest]
+Subject = "CN=TestEKUParsingRoot"
+Exportable = true
+KeyLength = 521
+HashAlgorithm = sha256
+KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
+KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
+MachineKeySet = True
+RequestType = cert
+ValidityPeriodUnits = 30
+ValidityPeriod = Years
+ProviderName = "Microsoft Software Key Storage Provider"
+KeyAlgorithm = ECDSA_P521
+
+
+
+
+[Extensions]
+%szOID_BASIC_CONSTRAINTS2% = "{text}"
+ _continue_ = "ca=True"
+
+Critical=%szOID_BASIC_CONSTRAINTS2%
-- cgit v1.2.3
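Review bot: The root request in TestEKUParsingRoot.ini combines `Exportable = true`, `MachineKeySet = True` and a 30-year validity, so anyone who runs CreateTestCerts.cmd is left with a long-lived CA key in the local machine store that can be exported. Nothing in the file marks the key as test-only. I would add a comment above `[NewRequest]`, for example `; Test-only root: delete the certificate and its private key from the machine store once the test vectors are generated`.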