blob: ce03e33a716982647d09ac69069a6a18a68ddbd3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
@ECHO OFF
REM This script will use various certificates to sign blobs for testing purposes.
REM
REM
REM Our EKU test certificate chain:
REM ------------------------------------------
REM | | // Root of trust. ECDSA P521 curve
REM | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
REM ------------------------------------------
REM ^
REM |
REM ------------------------------------------
REM | | // Issues subordinate CAs. ECC P384 curve.
REM | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
REM | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
REM ------------------------------------------
REM ^
REM |
REM ------------------------------------------
REM | | // Issues end-entity (leaf) signers. ECC P256 curve.
REM | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM | | // Enhanced Key Usage:
REM ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
REM ^
REM |
REM --------------------------------------
REM / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
REM / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
REM / / // Enhanced Key usages:
REM -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
REM // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
REM
REM
REM
REM Dev Note: SignTool.exe must be in your path when running this script.
del *.p7b
ECHO -------------------------------------------------------------------
ECHO Press any key 4 times to append time to the test blobs to sign.
time >> TestSignWithOneEKUInLeafSigner.bin
time >> TestSignWithTwoEKUsInLeafSignerPid1.bin
time >> TestSignWithTwoEKUsInLeafSignerPid12345.bin
time >> TestSignWithNoEKUsInLeafSigner.bin
REM
REM Create a signature with TestEKUParsingLeafSigner.cer which has one EKU in it,
REM and add the Policy CA in the signature.
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSigner.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1 /ac TestEKUParsingPolicyCA.cer /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithOneEKUInLeafSigner.bin
REM
REM Create a signature with two EKU's in the leaf signer. (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.1)
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid1.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.1 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid1.bin
REM
REM Create a signature with two EKUs in the leaf (1.3.6.1.4.1.311.76.9.21.1, and 1.3.6.1.4.1.311.76.9.21.1.12345)
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingLeafSignerPid12345.cer /p7 . /u 1.3.6.1.4.1.311.76.9.21.1.12345 /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithTwoEKUsInLeafSignerPid12345.bin
REM
REM Create a signature with a leaf that does not have any EKUs in the signture.
REM
call signtool.exe sign /fd sha256 /f TestEKUParsingNoEKUsInSigner.cer /p7 . /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /v /debug TestSignWithNoEKUsInLeafSigner.bin
REM
REM Rename *.p7 to *.p7b
REM
rename *.p7 *.p7b
ECHO ---------------------------------------------------------------------------
ECHO Now you can use your favorite "Binary To Hex" converter to convert the
ECHO signatures (P7B files) to byte arrays and add them to AllTestSignatures.h
ECHO ---------------------------------------------------------------------------
|
