public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
@ 2022-07-08 11:41 Lin, Jason1
  2022-07-09 14:17 ` Bob Feng
  2022-07-25  4:26 ` 回复: [edk2-devel] " gaoliming
  0 siblings, 2 replies; 4+ messages in thread
From: Lin, Jason1 @ 2022-07-08 11:41 UTC (permalink / raw)
  To: devel
  Cc: Jason1 Lin, Bob Feng, Liming Gao, Yuwei Chen, Michael D Kinney,
	Dakota Chiang

From: Jason1 Lin <jason1.lin@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928

Windows-based system using signtool.exe to sign the capsule.
Add the support to using "--subject-name" argument to assign
the subject name used to sign the capsule file.
This argument would pass to signtool.exe as a part of input
argument with "/n" flag.

NOTE: If using signtool.exe to sign capsule at least need to
      choose one of "--pfx-file" and "--subject-name"
      argument to input the value.

Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Dakota Chiang <dakota.chiang@intel.com>
---
 BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++----
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
index b8039db878..35435946c6 100644
--- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
+++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
@@ -10,7 +10,7 @@
 # keep the tool as simple as possible, it has the following limitations:
 #   * Do not support vendor code bytes in a capsule.
 #
-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 
@@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader  import FmpPayloadHeaderClass
 # Globals for help information
 #
 __prog__        = 'GenerateCapsule'
-__version__     = '0.9'
-__copyright__   = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'
+__version__     = '0.10'
+__copyright__   = 'Copyright (c) 2022, Intel Corporation. All rights reserved.'
 __description__ = 'Generate a capsule.\n'
 
-def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False):
     #
     # Create a temporary directory
     #
@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
     Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))
     Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '
     Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)
-    Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
+    if PfxFile is not None:
+        Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
+    if SubjectName is not None:
+        Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName)
     Command = Command + TempFileName
     if Verbose:
         print (Command)
@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
     shutil.rmtree (TempDirectoryName)
     return Signature
 
-def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = False):
+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False):
     print ('signtool verify is not supported.')
     raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')
 
@@ -249,6 +252,7 @@ if __name__ == '__main__':
             HardwareInstance             = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0)
             MonotonicCount               = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)
             SignToolPfxFile              = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)
+            SignToolSubjectName          = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)
             OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
             OpenSslOtherPublicCertFile   = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
             OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
@@ -264,6 +268,7 @@ if __name__ == '__main__':
                                             HardwareInstance,
                                             UpdateImageIndex,
                                             SignToolPfxFile,
+                                            SignToolSubjectName,
                                             OpenSslSignerPrivateCertFile,
                                             OpenSslOtherPublicCertFile,
                                             OpenSslTrustedPublicCertFile,
@@ -303,6 +308,7 @@ if __name__ == '__main__':
             UpdateImageIndex             = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1)
             MonotonicCount               = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)
             SignToolPfxFile              = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)
+            SignToolSubjectName          = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)
             OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
             OpenSslOtherPublicCertFile   = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
             OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
@@ -329,6 +335,7 @@ if __name__ == '__main__':
                                             HardwareInstance,
                                             UpdateImageIndex,
                                             SignToolPfxFile,
+                                            SignToolSubjectName,
                                             OpenSslSignerPrivateCertFile,
                                             OpenSslOtherPublicCertFile,
                                             OpenSslTrustedPublicCertFile,
@@ -348,6 +355,7 @@ if __name__ == '__main__':
                                   "HardwareInstance": str(PayloadDescriptor.HardwareInstance),
                                   "UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex),
                                   "SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile),
+                                  "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName),
                                   "OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
                                   "OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile),
                                   "OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
@@ -363,6 +371,8 @@ if __name__ == '__main__':
         for PayloadField in PayloadSection:
             if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
                 del PayloadField ['SignToolPfxFile']
+            if PayloadJsonDescriptorList[Index].SignToolSubjectName is None:
+                del PayloadField ['SignToolSubjectName']
             if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
                 del PayloadField ['OpenSslSignerPrivateCertFile']
             if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
@@ -402,6 +412,9 @@ if __name__ == '__main__':
         if args.SignToolPfxFile:
             print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j')
             sys.exit (1)
+        if args.SignToolSubjectName:
+            print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j')
+            sys.exit (1)
         if args.OpenSslSignerPrivateCertFile:
             print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j')
             sys.exit (1)
@@ -425,6 +438,7 @@ if __name__ == '__main__':
                      HardwareInstance             = 0,
                      UpdateImageIndex             = 1,
                      SignToolPfxFile              = None,
+                     SignToolSubjectName          = None,
                      OpenSslSignerPrivateCertFile = None,
                      OpenSslOtherPublicCertFile   = None,
                      OpenSslTrustedPublicCertFile = None,
@@ -439,13 +453,15 @@ if __name__ == '__main__':
             self.HardwareInstance             = HardwareInstance
             self.UpdateImageIndex             = UpdateImageIndex
             self.SignToolPfxFile              = SignToolPfxFile
+            self.SignToolSubjectName          = SignToolSubjectName
             self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile
             self.OpenSslOtherPublicCertFile   = OpenSslOtherPublicCertFile
             self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile
             self.SigningToolPath              = SigningToolPath
             self.DepexExp                     = DepexExp
 
-            self.UseSignTool = self.SignToolPfxFile is not None
+            self.UseSignTool = (self.SignToolPfxFile is not None or
+                                self.SignToolSubjectName is not None)
             self.UseOpenSsl  = (self.OpenSslSignerPrivateCertFile is not None and
                                 self.OpenSslOtherPublicCertFile is not None and
                                 self.OpenSslTrustedPublicCertFile is not None)
@@ -504,8 +520,9 @@ if __name__ == '__main__':
                         raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x0..0xff')
 
             if self.UseSignTool:
-                self.SignToolPfxFile.close()
-                self.SignToolPfxFile = self.SignToolPfxFile.name
+                if self.SignToolPfxFile is not None:
+                    self.SignToolPfxFile.close()
+                    self.SignToolPfxFile = self.SignToolPfxFile.name
             if self.UseOpenSsl:
                 self.OpenSslSignerPrivateCertFile.close()
                 self.OpenSslOtherPublicCertFile.close()
@@ -548,6 +565,7 @@ if __name__ == '__main__':
                                             args.HardwareInstance,
                                             args.UpdateImageIndex,
                                             args.SignToolPfxFile,
+                                            args.SignToolSubjectName,
                                             args.OpenSslSignerPrivateCertFile,
                                             args.OpenSslOtherPublicCertFile,
                                             args.OpenSslTrustedPublicCertFile,
@@ -590,6 +608,7 @@ if __name__ == '__main__':
                             Result + struct.pack ('<Q', SinglePayloadDescriptor.MonotonicCount),
                             SinglePayloadDescriptor.SigningToolPath,
                             SinglePayloadDescriptor.SignToolPfxFile,
+                            SinglePayloadDescriptor.SignToolSubjectName,
                             Verbose = args.Verbose
                         )
                     else:
@@ -671,6 +690,7 @@ if __name__ == '__main__':
                                             args.HardwareInstance,
                                             args.UpdateImageIndex,
                                             args.SignToolPfxFile,
+                                            args.SignSubjectName,
                                             args.OpenSslSignerPrivateCertFile,
                                             args.OpenSslOtherPublicCertFile,
                                             args.OpenSslTrustedPublicCertFile,
@@ -715,6 +735,7 @@ if __name__ == '__main__':
                                                                 HardwareInstance,
                                                                 UpdateImageIndex,
                                                                 PayloadDescriptorList[Index].SignToolPfxFile,
+                                                                PayloadDescriptorList[Index].SignToolSubjectName,
                                                                 PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
                                                                 PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
                                                                 PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
@@ -753,6 +774,7 @@ if __name__ == '__main__':
                                                             HardwareInstance,
                                                             UpdateImageIndex,
                                                             PayloadDescriptorList[Index].SignToolPfxFile,
+                                                            PayloadDescriptorList[Index].SignToolSubjectName,
                                                             PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
                                                             PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
                                                             PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
@@ -785,6 +807,7 @@ if __name__ == '__main__':
                                            FmpAuthHeader.CertData,
                                            SinglePayloadDescriptor.SigningToolPath,
                                            SinglePayloadDescriptor.SignToolPfxFile,
+                                           SinglePayloadDescriptor.SignToolSubjectName,
                                            Verbose = args.Verbose
                                            )
                           else:
@@ -968,6 +991,8 @@ if __name__ == '__main__':
 
     parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),
                          help="signtool PFX certificate filename.")
+    parser.add_argument ("--subject-name", dest='SignToolSubjectName',
+                         help="signtool certificate subject name.")
 
     parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
                          help="OpenSSL signer private certificate filename.")
-- 
2.37.0.windows.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
  2022-07-08 11:41 [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file Lin, Jason1
@ 2022-07-09 14:17 ` Bob Feng
  2022-07-25  4:26 ` 回复: [edk2-devel] " gaoliming
  1 sibling, 0 replies; 4+ messages in thread
From: Bob Feng @ 2022-07-09 14:17 UTC (permalink / raw)
  To: Lin, Jason1, devel@edk2.groups.io
  Cc: Gao, Liming, Chen, Christine, Kinney, Michael D, Chiang, Dakota

Reviewed-by: Bob Feng <bob.c.feng@intel.com>

-----Original Message-----
From: Lin, Jason1 <jason1.lin@intel.com> 
Sent: Friday, July 8, 2022 7:42 PM
To: devel@edk2.groups.io
Cc: Lin, Jason1 <jason1.lin@intel.com>; Feng, Bob C <bob.c.feng@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Chen, Christine <yuwei.chen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Chiang, Dakota <dakota.chiang@intel.com>
Subject: [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file

From: Jason1 Lin <jason1.lin@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928

Windows-based system using signtool.exe to sign the capsule.
Add the support to using "--subject-name" argument to assign the subject name used to sign the capsule file.
This argument would pass to signtool.exe as a part of input argument with "/n" flag.

NOTE: If using signtool.exe to sign capsule at least need to
      choose one of "--pfx-file" and "--subject-name"
      argument to input the value.

Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Dakota Chiang <dakota.chiang@intel.com>
---
 BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++----
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
index b8039db878..35435946c6 100644
--- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
+++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
@@ -10,7 +10,7 @@
 # keep the tool as simple as possible, it has the following limitations: #   * Do not support vendor code bytes in a capsule. #-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader  import FmpPayloadHeaderClass
 # Globals for help information # __prog__        = 'GenerateCapsule'-__version__     = '0.9'-__copyright__   = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'+__version__     = '0.10'+__copyright__   = 'Copyright (c) 2022, Intel Corporation. All rights reserved.' __description__ = 'Generate a capsule.\n' -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False):     #     # Create a temporary directory     #@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
     Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))     Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '     Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)-    Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)+    if PfxFile is not None:+        Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)+    if SubjectName is not None:+        Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName)     Command = Command + TempFileName     if Verbose:         print (Command)@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
     shutil.rmtree (TempDirectoryName)     return Signature -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = False):+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False):     print ('signtool verify is not supported.')     raise ValueError ('GenerateCapsule: error: signtool verify is not supported.') @@ -249,6 +252,7 @@ if __name__ == '__main__':
             HardwareInstance             = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0)             MonotonicCount               = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)             SignToolPfxFile              = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)+            SignToolSubjectName          = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)             OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)             OpenSslOtherPublicCertFile   = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)             OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)@@ -264,6 +268,7 @@ if __name__ == '__main__':
                                             HardwareInstance,                                             UpdateImageIndex,                                             SignToolPfxFile,+                                            SignToolSubjectName,                                             OpenSslSignerPrivateCertFile,                                             OpenSslOtherPublicCertFile,                                             OpenSslTrustedPublicCertFile,@@ -303,6 +308,7 @@ if __name__ == '__main__':
             UpdateImageIndex             = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1)             MonotonicCount               = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)             SignToolPfxFile              = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)+            SignToolSubjectName          = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)             OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)             OpenSslOtherPublicCertFile   = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)             OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)@@ -329,6 +335,7 @@ if __name__ == '__main__':
                                             HardwareInstance,                                             UpdateImageIndex,                                             SignToolPfxFile,+                                            SignToolSubjectName,                                             OpenSslSignerPrivateCertFile,                                             OpenSslOtherPublicCertFile,                                             OpenSslTrustedPublicCertFile,@@ -348,6 +355,7 @@ if __name__ == '__main__':
                                   "HardwareInstance": str(PayloadDescriptor.HardwareInstance),                                   "UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex),                                   "SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile),+                                  "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName),                                   "OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile),                                   "OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile),                                   "OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile),@@ -363,6 +371,8 @@ if __name__ == '__main__':
         for PayloadField in PayloadSection:             if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:                 del PayloadField ['SignToolPfxFile']+            if PayloadJsonDescriptorList[Index].SignToolSubjectName is None:+                del PayloadField ['SignToolSubjectName']             if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:                 del PayloadField ['OpenSslSignerPrivateCertFile']             if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:@@ -402,6 +412,9 @@ if __name__ == '__main__':
         if args.SignToolPfxFile:             print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j')             sys.exit (1)+        if args.SignToolSubjectName:+            print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j')+            sys.exit (1)         if args.OpenSslSignerPrivateCertFile:             print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j')             sys.exit (1)@@ -425,6 +438,7 @@ if __name__ == '__main__':
                      HardwareInstance             = 0,                      UpdateImageIndex             = 1,                      SignToolPfxFile              = None,+                     SignToolSubjectName          = None,                      OpenSslSignerPrivateCertFile = None,                      OpenSslOtherPublicCertFile   = None,                      OpenSslTrustedPublicCertFile = None,@@ -439,13 +453,15 @@ if __name__ == '__main__':
             self.HardwareInstance             = HardwareInstance             self.UpdateImageIndex             = UpdateImageIndex             self.SignToolPfxFile              = SignToolPfxFile+            self.SignToolSubjectName          = SignToolSubjectName             self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile             self.OpenSslOtherPublicCertFile   = OpenSslOtherPublicCertFile             self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile             self.SigningToolPath              = SigningToolPath             self.DepexExp                     = DepexExp -            self.UseSignTool = self.SignToolPfxFile is not None+            self.UseSignTool = (self.SignToolPfxFile is not None or+                                self.SignToolSubjectName is not None)             self.UseOpenSsl  = (self.OpenSslSignerPrivateCertFile is not None and                                 self.OpenSslOtherPublicCertFile is not None and                                 self.OpenSslTrustedPublicCertFile is not None)@@ -504,8 +520,9 @@ if __name__ == '__main__':
                         raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x0..0xff')              if self.UseSignTool:-                self.SignToolPfxFile.close()-                self.SignToolPfxFile = self.SignToolPfxFile.name+                if self.SignToolPfxFile is not None:+                    self.SignToolPfxFile.close()+                    self.SignToolPfxFile = self.SignToolPfxFile.name             if self.UseOpenSsl:                 self.OpenSslSignerPrivateCertFile.close()                 self.OpenSslOtherPublicCertFile.close()@@ -548,6 +565,7 @@ if __name__ == '__main__':
                                             args.HardwareInstance,                                             args.UpdateImageIndex,                                             args.SignToolPfxFile,+                                            args.SignToolSubjectName,                                             args.OpenSslSignerPrivateCertFile,                                             args.OpenSslOtherPublicCertFile,                                             args.OpenSslTrustedPublicCertFile,@@ -590,6 +608,7 @@ if __name__ == '__main__':
                             Result + struct.pack ('<Q', SinglePayloadDescriptor.MonotonicCount),                             SinglePayloadDescriptor.SigningToolPath,                             SinglePayloadDescriptor.SignToolPfxFile,+                            SinglePayloadDescriptor.SignToolSubjectName,                             Verbose = args.Verbose                         )                     else:@@ -671,6 +690,7 @@ if __name__ == '__main__':
                                             args.HardwareInstance,                                             args.UpdateImageIndex,                                             args.SignToolPfxFile,+                                            args.SignSubjectName,                                             args.OpenSslSignerPrivateCertFile,                                             args.OpenSslOtherPublicCertFile,                                             args.OpenSslTrustedPublicCertFile,@@ -715,6 +735,7 @@ if __name__ == '__main__':
                                                                 HardwareInstance,                                                                 UpdateImageIndex,                                                                 PayloadDescriptorList[Index].SignToolPfxFile,+                                                                PayloadDescriptorList[Index].SignToolSubjectName,                                                                 PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,                                                                 PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,                                                                 PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,@@ -753,6 +774,7 @@ if __name__ == '__main__':
                                                             HardwareInstance,                                                             UpdateImageIndex,                                                             PayloadDescriptorList[Index].SignToolPfxFile,+                                                            PayloadDescriptorList[Index].SignToolSubjectName,                                                             PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,                                                             PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,                                                             PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,@@ -785,6 +807,7 @@ if __name__ == '__main__':
                                            FmpAuthHeader.CertData,                                            SinglePayloadDescriptor.SigningToolPath,                                            SinglePayloadDescriptor.SignToolPfxFile,+                                           SinglePayloadDescriptor.SignToolSubjectName,                                            Verbose = args.Verbose                                            )                           else:@@ -968,6 +991,8 @@ if __name__ == '__main__':
      parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),                          help="signtool PFX certificate filename.")+    parser.add_argument ("--subject-name", dest='SignToolSubjectName',+                         help="signtool certificate subject name.")      parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),                          help="OpenSSL signer private certificate filename.")-- 
2.37.0.windows.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* 回复: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
  2022-07-08 11:41 [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file Lin, Jason1
  2022-07-09 14:17 ` Bob Feng
@ 2022-07-25  4:26 ` gaoliming
  2022-07-25 15:10   ` Bob Feng
  1 sibling, 1 reply; 4+ messages in thread
From: gaoliming @ 2022-07-25  4:26 UTC (permalink / raw)
  To: devel, jason1.lin
  Cc: 'Bob Feng', 'Yuwei Chen',
	'Michael D Kinney', 'Dakota Chiang'

Jason:
  Thanks for you to add the detail usage model in BZ 3928. I have no other
comments. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

Thanks
Liming
> -----邮件原件-----
> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Lin, Jason1
> 发送时间: 2022年7月8日 19:42
> 收件人: devel@edk2.groups.io
> 抄送: Jason1 Lin <jason1.lin@intel.com>; Bob Feng <bob.c.feng@intel.com>;
> Liming Gao <gaoliming@byosoft.com.cn>; Yuwei Chen
> <yuwei.chen@intel.com>; Michael D Kinney <michael.d.kinney@intel.com>;
> Dakota Chiang <dakota.chiang@intel.com>
> 主题: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool
to
> input subject name to sign capsule file
> 
> From: Jason1 Lin <jason1.lin@intel.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
> 
> Windows-based system using signtool.exe to sign the capsule.
> Add the support to using "--subject-name" argument to assign
> the subject name used to sign the capsule file.
> This argument would pass to signtool.exe as a part of input
> argument with "/n" flag.
> 
> NOTE: If using signtool.exe to sign capsule at least need to
>       choose one of "--pfx-file" and "--subject-name"
>       argument to input the value.
> 
> Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Dakota Chiang <dakota.chiang@intel.com>
> ---
>  BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43
> ++++++++++++++++----
>  1 file changed, 34 insertions(+), 9 deletions(-)
> 
> diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> index b8039db878..35435946c6 100644
> --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> @@ -10,7 +10,7 @@
>  # keep the tool as simple as possible, it has the following limitations:
> 
>  #   * Do not support vendor code bytes in a capsule.
> 
>  #
> 
> -# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
> 
> +# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>
> 
>  # SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  #
> 
> 
> 
> @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader
> import FmpPayloadHeaderClass
>  # Globals for help information
> 
>  #
> 
>  __prog__        = 'GenerateCapsule'
> 
> -__version__     = '0.9'
> 
> -__copyright__   = 'Copyright (c) 2018, Intel Corporation. All rights
reserved.'
> 
> +__version__     = '0.10'
> 
> +__copyright__   = 'Copyright (c) 2022, Intel Corporation. All rights
> reserved.'
> 
>  __description__ = 'Generate a capsule.\n'
> 
> 
> 
> -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
> 
> +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose
=
> False):
> 
>      #
> 
>      # Create a temporary directory
> 
>      #
> 
> @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile,
> Verbose = False):
>      Command = Command + '"{Path}" '.format (Path = os.path.join
(ToolPath,
> 'signtool.exe'))
> 
>      Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData
> /p7co 1.2.840.113549.1.7.2 '
> 
>      Command = Command + '/p7 {TempDir} '.format (TempDir =
> TempDirectoryName)
> 
> -    Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
> 
> +    if PfxFile is not None:
> 
> +        Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
> 
> +    if SubjectName is not None:
> 
> +        Command = Command + '/n {SubjectName} '.format
> (SubjectName = SubjectName)
> 
>      Command = Command + TempFileName
> 
>      if Verbose:
> 
>          print (Command)
> 
> @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile,
> Verbose = False):
>      shutil.rmtree (TempDirectoryName)
> 
>      return Signature
> 
> 
> 
> -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose
=
> False):
> 
> +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
SubjectName,
> Verbose = False):
> 
>      print ('signtool verify is not supported.')
> 
>      raise ValueError ('GenerateCapsule: error: signtool verify is not
> supported.')
> 
> 
> 
> @@ -249,6 +252,7 @@ if __name__ == '__main__':
>              HardwareInstance             = ConvertJsonValue
> (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False,
> Default = 0)
> 
>              MonotonicCount               = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
> 
>              SignToolPfxFile              = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None,
Open
> = True)
> 
> +            SignToolSubjectName          = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
> 
>              OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
>              OpenSslOtherPublicCertFile   = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
> 
>              OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
> @@ -264,6 +268,7 @@ if __name__ == '__main__':
>                                              HardwareInstance,
> 
>                                              UpdateImageIndex,
> 
>                                              SignToolPfxFile,
> 
> +
> SignToolSubjectName,
> 
> 
> OpenSslSignerPrivateCertFile,
> 
> 
> OpenSslOtherPublicCertFile,
> 
> 
> OpenSslTrustedPublicCertFile,
> 
> @@ -303,6 +308,7 @@ if __name__ == '__main__':
>              UpdateImageIndex             = ConvertJsonValue
> (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False,
> Default = 1)
> 
>              MonotonicCount               = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
> 
>              SignToolPfxFile              = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None,
Open
> = True)
> 
> +            SignToolSubjectName          = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
> 
>              OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
>              OpenSslOtherPublicCertFile   = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
> 
>              OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
> @@ -329,6 +335,7 @@ if __name__ == '__main__':
>                                              HardwareInstance,
> 
>                                              UpdateImageIndex,
> 
>                                              SignToolPfxFile,
> 
> +
> SignToolSubjectName,
> 
> 
> OpenSslSignerPrivateCertFile,
> 
> 
> OpenSslOtherPublicCertFile,
> 
> 
> OpenSslTrustedPublicCertFile,
> 
> @@ -348,6 +355,7 @@ if __name__ == '__main__':
>                                    "HardwareInstance":
> str(PayloadDescriptor.HardwareInstance),
> 
>                                    "UpdateImageIndex":
> str(PayloadDescriptor.UpdateImageIndex),
> 
>                                    "SignToolPfxFile":
> str(PayloadDescriptor.SignToolPfxFile),
> 
> +                                  "SignToolSubjectName":
> str(PayloadDescriptor.SignToolSubjectName),
> 
>                                    "OpenSslSignerPrivateCertFile":
> str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
> 
>                                    "OpenSslOtherPublicCertFile":
> str(PayloadDescriptor.OpenSslOtherPublicCertFile),
> 
>                                    "OpenSslTrustedPublicCertFile":
> str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
> 
> @@ -363,6 +371,8 @@ if __name__ == '__main__':
>          for PayloadField in PayloadSection:
> 
>              if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
> 
>                  del PayloadField ['SignToolPfxFile']
> 
> +            if PayloadJsonDescriptorList[Index].SignToolSubjectName is
> None:
> 
> +                del PayloadField ['SignToolSubjectName']
> 
>              if
> PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
> 
>                  del PayloadField ['OpenSslSignerPrivateCertFile']
> 
>              if
> PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
> 
> @@ -402,6 +412,9 @@ if __name__ == '__main__':
>          if args.SignToolPfxFile:
> 
>              print ('GenerateCapsule: error: Argument --pfx-file conflicts
> with Argument -j')
> 
>              sys.exit (1)
> 
> +        if args.SignToolSubjectName:
> 
> +            print ('GenerateCapsule: error: Argument --SubjectName
> conflicts with Argument -j')
> 
> +            sys.exit (1)
> 
>          if args.OpenSslSignerPrivateCertFile:
> 
>              print ('GenerateCapsule: error: Argument
> --signer-private-cert conflicts with Argument -j')
> 
>              sys.exit (1)
> 
> @@ -425,6 +438,7 @@ if __name__ == '__main__':
>                       HardwareInstance             = 0,
> 
>                       UpdateImageIndex             = 1,
> 
>                       SignToolPfxFile              = None,
> 
> +                     SignToolSubjectName          = None,
> 
>                       OpenSslSignerPrivateCertFile = None,
> 
>                       OpenSslOtherPublicCertFile   = None,
> 
>                       OpenSslTrustedPublicCertFile = None,
> 
> @@ -439,13 +453,15 @@ if __name__ == '__main__':
>              self.HardwareInstance             = HardwareInstance
> 
>              self.UpdateImageIndex             = UpdateImageIndex
> 
>              self.SignToolPfxFile              = SignToolPfxFile
> 
> +            self.SignToolSubjectName          = SignToolSubjectName
> 
>              self.OpenSslSignerPrivateCertFile =
> OpenSslSignerPrivateCertFile
> 
>              self.OpenSslOtherPublicCertFile   =
> OpenSslOtherPublicCertFile
> 
>              self.OpenSslTrustedPublicCertFile =
> OpenSslTrustedPublicCertFile
> 
>              self.SigningToolPath              = SigningToolPath
> 
>              self.DepexExp                     = DepexExp
> 
> 
> 
> -            self.UseSignTool = self.SignToolPfxFile is not None
> 
> +            self.UseSignTool = (self.SignToolPfxFile is not None or
> 
> +                                self.SignToolSubjectName is not
> None)
> 
>              self.UseOpenSsl  = (self.OpenSslSignerPrivateCertFile is not
> None and
> 
>                                  self.OpenSslOtherPublicCertFile is
> not None and
> 
>                                  self.OpenSslTrustedPublicCertFile is
> not None)
> 
> @@ -504,8 +520,9 @@ if __name__ == '__main__':
>                          raise argparse.ArgumentTypeError
> ('--update-image-index must be an integer in range 0x0..0xff')
> 
> 
> 
>              if self.UseSignTool:
> 
> -                self.SignToolPfxFile.close()
> 
> -                self.SignToolPfxFile = self.SignToolPfxFile.name
> 
> +                if self.SignToolPfxFile is not None:
> 
> +                    self.SignToolPfxFile.close()
> 
> +                    self.SignToolPfxFile = self.SignToolPfxFile.name
> 
>              if self.UseOpenSsl:
> 
>                  self.OpenSslSignerPrivateCertFile.close()
> 
>                  self.OpenSslOtherPublicCertFile.close()
> 
> @@ -548,6 +565,7 @@ if __name__ == '__main__':
> 
> args.HardwareInstance,
> 
> 
> args.UpdateImageIndex,
> 
>                                              args.SignToolPfxFile,
> 
> +
> args.SignToolSubjectName,
> 
> 
> args.OpenSslSignerPrivateCertFile,
> 
> 
> args.OpenSslOtherPublicCertFile,
> 
> 
> args.OpenSslTrustedPublicCertFile,
> 
> @@ -590,6 +608,7 @@ if __name__ == '__main__':
>                              Result + struct.pack ('<Q',
> SinglePayloadDescriptor.MonotonicCount),
> 
>                              SinglePayloadDescriptor.SigningToolPath,
> 
>                              SinglePayloadDescriptor.SignToolPfxFile,
> 
> +
> SinglePayloadDescriptor.SignToolSubjectName,
> 
>                              Verbose = args.Verbose
> 
>                          )
> 
>                      else:
> 
> @@ -671,6 +690,7 @@ if __name__ == '__main__':
> 
> args.HardwareInstance,
> 
> 
> args.UpdateImageIndex,
> 
>                                              args.SignToolPfxFile,
> 
> +
> args.SignSubjectName,
> 
> 
> args.OpenSslSignerPrivateCertFile,
> 
> 
> args.OpenSslOtherPublicCertFile,
> 
> 
> args.OpenSslTrustedPublicCertFile,
> 
> @@ -715,6 +735,7 @@ if __name__ == '__main__':
> 
> HardwareInstance,
> 
> 
> UpdateImageIndex,
> 
> 
> PayloadDescriptorList[Index].SignToolPfxFile,
> 
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
> 
> 
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
> 
> @@ -753,6 +774,7 @@ if __name__ == '__main__':
> 
> HardwareInstance,
> 
> 
> UpdateImageIndex,
> 
> 
> PayloadDescriptorList[Index].SignToolPfxFile,
> 
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
> 
> 
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
> 
> @@ -785,6 +807,7 @@ if __name__ == '__main__':
> 
> FmpAuthHeader.CertData,
> 
> 
> SinglePayloadDescriptor.SigningToolPath,
> 
> 
> SinglePayloadDescriptor.SignToolPfxFile,
> 
> +
> SinglePayloadDescriptor.SignToolSubjectName,
> 
>                                             Verbose =
> args.Verbose
> 
>                                             )
> 
>                            else:
> 
> @@ -968,6 +991,8 @@ if __name__ == '__main__':
> 
> 
>      parser.add_argument ("--pfx-file", dest='SignToolPfxFile',
> type=argparse.FileType('rb'),
> 
>                           help="signtool PFX certificate filename.")
> 
> +    parser.add_argument ("--subject-name", dest='SignToolSubjectName',
> 
> +                         help="signtool certificate subject name.")
> 
> 
> 
>      parser.add_argument ("--signer-private-cert",
> dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
> 
>                           help="OpenSSL signer private certificate
> filename.")
> 
> --
> 2.37.0.windows.1
> 
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#91180): https://edk2.groups.io/g/devel/message/91180
> Mute This Topic: https://groups.io/mt/92249403/4905953
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> [gaoliming@byosoft.com.cn]
> -=-=-=-=-=-=
> 




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
  2022-07-25  4:26 ` 回复: [edk2-devel] " gaoliming
@ 2022-07-25 15:10   ` Bob Feng
  0 siblings, 0 replies; 4+ messages in thread
From: Bob Feng @ 2022-07-25 15:10 UTC (permalink / raw)
  To: Gao, Liming, devel@edk2.groups.io, Lin, Jason1
  Cc: Chen, Christine, Kinney, Michael D, Chiang, Dakota

Created the PR for merge. https://github.com/tianocore/edk2/pull/3137

-----Original Message-----
From: gaoliming <gaoliming@byosoft.com.cn> 
Sent: Monday, July 25, 2022 12:27 PM
To: devel@edk2.groups.io; Lin, Jason1 <jason1.lin@intel.com>
Cc: Feng, Bob C <bob.c.feng@intel.com>; Chen, Christine <yuwei.chen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Chiang, Dakota <dakota.chiang@intel.com>
Subject: 回复: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file

Jason:
  Thanks for you to add the detail usage model in BZ 3928. I have no other comments. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

Thanks
Liming
> -----邮件原件-----
> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Lin, Jason1
> 发送时间: 2022年7月8日 19:42
> 收件人: devel@edk2.groups.io
> 抄送: Jason1 Lin <jason1.lin@intel.com>; Bob Feng 
> <bob.c.feng@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Yuwei 
> Chen <yuwei.chen@intel.com>; Michael D Kinney 
> <michael.d.kinney@intel.com>; Dakota Chiang <dakota.chiang@intel.com>
> 主题: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for 
> signtool
to
> input subject name to sign capsule file
> 
> From: Jason1 Lin <jason1.lin@intel.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
> 
> Windows-based system using signtool.exe to sign the capsule.
> Add the support to using "--subject-name" argument to assign the 
> subject name used to sign the capsule file.
> This argument would pass to signtool.exe as a part of input argument 
> with "/n" flag.
> 
> NOTE: If using signtool.exe to sign capsule at least need to
>       choose one of "--pfx-file" and "--subject-name"
>       argument to input the value.
> 
> Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Dakota Chiang <dakota.chiang@intel.com>
> ---
>  BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43
> ++++++++++++++++----
>  1 file changed, 34 insertions(+), 9 deletions(-)
> 
> diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> index b8039db878..35435946c6 100644
> --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> @@ -10,7 +10,7 @@
>  # keep the tool as simple as possible, it has the following limitations:
> 
>  #   * Do not support vendor code bytes in a capsule.
> 
>  #
> 
> -# Copyright (c) 2018 - 2019, Intel Corporation. All rights 
> reserved.<BR>
> 
> +# Copyright (c) 2018 - 2022, Intel Corporation. All rights 
> +reserved.<BR>
> 
>  # SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  #
> 
> 
> 
> @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader
> import FmpPayloadHeaderClass
>  # Globals for help information
> 
>  #
> 
>  __prog__        = 'GenerateCapsule'
> 
> -__version__     = '0.9'
> 
> -__copyright__   = 'Copyright (c) 2018, Intel Corporation. All rights
reserved.'
> 
> +__version__     = '0.10'
> 
> +__copyright__   = 'Copyright (c) 2022, Intel Corporation. All rights
> reserved.'
> 
>  __description__ = 'Generate a capsule.\n'
> 
> 
> 
> -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
> 
> +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, 
> +Verbose
=
> False):
> 
>      #
> 
>      # Create a temporary directory
> 
>      #
> 
> @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, 
> PfxFile, Verbose = False):
>      Command = Command + '"{Path}" '.format (Path = os.path.join
(ToolPath,
> 'signtool.exe'))
> 
>      Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData 
> /p7co 1.2.840.113549.1.7.2 '
> 
>      Command = Command + '/p7 {TempDir} '.format (TempDir =
> TempDirectoryName)
> 
> -    Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
> 
> +    if PfxFile is not None:
> 
> +        Command = Command + '/f {PfxFile} '.format (PfxFile = 
> + PfxFile)
> 
> +    if SubjectName is not None:
> 
> +        Command = Command + '/n {SubjectName} '.format
> (SubjectName = SubjectName)
> 
>      Command = Command + TempFileName
> 
>      if Verbose:
> 
>          print (Command)
> 
> @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, 
> PfxFile, Verbose = False):
>      shutil.rmtree (TempDirectoryName)
> 
>      return Signature
> 
> 
> 
> -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, 
> Verbose
=
> False):
> 
> +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
SubjectName,
> Verbose = False):
> 
>      print ('signtool verify is not supported.')
> 
>      raise ValueError ('GenerateCapsule: error: signtool verify is not
> supported.')
> 
> 
> 
> @@ -249,6 +252,7 @@ if __name__ == '__main__':
>              HardwareInstance             = ConvertJsonValue
> (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = 
> False, Default = 0)
> 
>              MonotonicCount               = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
> 
>              SignToolPfxFile              = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default = 
> None,
Open
> = True)
> 
> +            SignToolSubjectName          = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
> 
>              OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
>              OpenSslOtherPublicCertFile   = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
> 
>              OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
> @@ -264,6 +268,7 @@ if __name__ == '__main__':
>                                              HardwareInstance,
> 
>                                              UpdateImageIndex,
> 
>                                              SignToolPfxFile,
> 
> +
> SignToolSubjectName,
> 
> 
> OpenSslSignerPrivateCertFile,
> 
> 
> OpenSslOtherPublicCertFile,
> 
> 
> OpenSslTrustedPublicCertFile,
> 
> @@ -303,6 +308,7 @@ if __name__ == '__main__':
>              UpdateImageIndex             = ConvertJsonValue
> (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = 
> False, Default = 1)
> 
>              MonotonicCount               = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
> 
>              SignToolPfxFile              = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default = 
> None,
Open
> = True)
> 
> +            SignToolSubjectName          = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
> 
>              OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
>              OpenSslOtherPublicCertFile   = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
> 
>              OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
> 
> @@ -329,6 +335,7 @@ if __name__ == '__main__':
>                                              HardwareInstance,
> 
>                                              UpdateImageIndex,
> 
>                                              SignToolPfxFile,
> 
> +
> SignToolSubjectName,
> 
> 
> OpenSslSignerPrivateCertFile,
> 
> 
> OpenSslOtherPublicCertFile,
> 
> 
> OpenSslTrustedPublicCertFile,
> 
> @@ -348,6 +355,7 @@ if __name__ == '__main__':
>                                    "HardwareInstance":
> str(PayloadDescriptor.HardwareInstance),
> 
>                                    "UpdateImageIndex":
> str(PayloadDescriptor.UpdateImageIndex),
> 
>                                    "SignToolPfxFile":
> str(PayloadDescriptor.SignToolPfxFile),
> 
> +                                  "SignToolSubjectName":
> str(PayloadDescriptor.SignToolSubjectName),
> 
>                                    "OpenSslSignerPrivateCertFile":
> str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
> 
>                                    "OpenSslOtherPublicCertFile":
> str(PayloadDescriptor.OpenSslOtherPublicCertFile),
> 
>                                    "OpenSslTrustedPublicCertFile":
> str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
> 
> @@ -363,6 +371,8 @@ if __name__ == '__main__':
>          for PayloadField in PayloadSection:
> 
>              if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
> 
>                  del PayloadField ['SignToolPfxFile']
> 
> +            if PayloadJsonDescriptorList[Index].SignToolSubjectName 
> + is
> None:
> 
> +                del PayloadField ['SignToolSubjectName']
> 
>              if
> PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
> 
>                  del PayloadField ['OpenSslSignerPrivateCertFile']
> 
>              if
> PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
> 
> @@ -402,6 +412,9 @@ if __name__ == '__main__':
>          if args.SignToolPfxFile:
> 
>              print ('GenerateCapsule: error: Argument --pfx-file 
> conflicts with Argument -j')
> 
>              sys.exit (1)
> 
> +        if args.SignToolSubjectName:
> 
> +            print ('GenerateCapsule: error: Argument --SubjectName
> conflicts with Argument -j')
> 
> +            sys.exit (1)
> 
>          if args.OpenSslSignerPrivateCertFile:
> 
>              print ('GenerateCapsule: error: Argument 
> --signer-private-cert conflicts with Argument -j')
> 
>              sys.exit (1)
> 
> @@ -425,6 +438,7 @@ if __name__ == '__main__':
>                       HardwareInstance             = 0,
> 
>                       UpdateImageIndex             = 1,
> 
>                       SignToolPfxFile              = None,
> 
> +                     SignToolSubjectName          = None,
> 
>                       OpenSslSignerPrivateCertFile = None,
> 
>                       OpenSslOtherPublicCertFile   = None,
> 
>                       OpenSslTrustedPublicCertFile = None,
> 
> @@ -439,13 +453,15 @@ if __name__ == '__main__':
>              self.HardwareInstance             = HardwareInstance
> 
>              self.UpdateImageIndex             = UpdateImageIndex
> 
>              self.SignToolPfxFile              = SignToolPfxFile
> 
> +            self.SignToolSubjectName          = SignToolSubjectName
> 
>              self.OpenSslSignerPrivateCertFile = 
> OpenSslSignerPrivateCertFile
> 
>              self.OpenSslOtherPublicCertFile   =
> OpenSslOtherPublicCertFile
> 
>              self.OpenSslTrustedPublicCertFile = 
> OpenSslTrustedPublicCertFile
> 
>              self.SigningToolPath              = SigningToolPath
> 
>              self.DepexExp                     = DepexExp
> 
> 
> 
> -            self.UseSignTool = self.SignToolPfxFile is not None
> 
> +            self.UseSignTool = (self.SignToolPfxFile is not None or
> 
> +                                self.SignToolSubjectName is not
> None)
> 
>              self.UseOpenSsl  = (self.OpenSslSignerPrivateCertFile is 
> not None and
> 
>                                  self.OpenSslOtherPublicCertFile is 
> not None and
> 
>                                  self.OpenSslTrustedPublicCertFile is 
> not None)
> 
> @@ -504,8 +520,9 @@ if __name__ == '__main__':
>                          raise argparse.ArgumentTypeError 
> ('--update-image-index must be an integer in range 0x0..0xff')
> 
> 
> 
>              if self.UseSignTool:
> 
> -                self.SignToolPfxFile.close()
> 
> -                self.SignToolPfxFile = self.SignToolPfxFile.name
> 
> +                if self.SignToolPfxFile is not None:
> 
> +                    self.SignToolPfxFile.close()
> 
> +                    self.SignToolPfxFile = self.SignToolPfxFile.name
> 
>              if self.UseOpenSsl:
> 
>                  self.OpenSslSignerPrivateCertFile.close()
> 
>                  self.OpenSslOtherPublicCertFile.close()
> 
> @@ -548,6 +565,7 @@ if __name__ == '__main__':
> 
> args.HardwareInstance,
> 
> 
> args.UpdateImageIndex,
> 
>                                              args.SignToolPfxFile,
> 
> +
> args.SignToolSubjectName,
> 
> 
> args.OpenSslSignerPrivateCertFile,
> 
> 
> args.OpenSslOtherPublicCertFile,
> 
> 
> args.OpenSslTrustedPublicCertFile,
> 
> @@ -590,6 +608,7 @@ if __name__ == '__main__':
>                              Result + struct.pack ('<Q', 
> SinglePayloadDescriptor.MonotonicCount),
> 
>                              SinglePayloadDescriptor.SigningToolPath,
> 
>                              SinglePayloadDescriptor.SignToolPfxFile,
> 
> +
> SinglePayloadDescriptor.SignToolSubjectName,
> 
>                              Verbose = args.Verbose
> 
>                          )
> 
>                      else:
> 
> @@ -671,6 +690,7 @@ if __name__ == '__main__':
> 
> args.HardwareInstance,
> 
> 
> args.UpdateImageIndex,
> 
>                                              args.SignToolPfxFile,
> 
> +
> args.SignSubjectName,
> 
> 
> args.OpenSslSignerPrivateCertFile,
> 
> 
> args.OpenSslOtherPublicCertFile,
> 
> 
> args.OpenSslTrustedPublicCertFile,
> 
> @@ -715,6 +735,7 @@ if __name__ == '__main__':
> 
> HardwareInstance,
> 
> 
> UpdateImageIndex,
> 
> 
> PayloadDescriptorList[Index].SignToolPfxFile,
> 
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
> 
> 
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
> 
> @@ -753,6 +774,7 @@ if __name__ == '__main__':
> 
> HardwareInstance,
> 
> 
> UpdateImageIndex,
> 
> 
> PayloadDescriptorList[Index].SignToolPfxFile,
> 
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
> 
> 
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
> 
> 
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
> 
> @@ -785,6 +807,7 @@ if __name__ == '__main__':
> 
> FmpAuthHeader.CertData,
> 
> 
> SinglePayloadDescriptor.SigningToolPath,
> 
> 
> SinglePayloadDescriptor.SignToolPfxFile,
> 
> +
> SinglePayloadDescriptor.SignToolSubjectName,
> 
>                                             Verbose = args.Verbose
> 
>                                             )
> 
>                            else:
> 
> @@ -968,6 +991,8 @@ if __name__ == '__main__':
> 
> 
>      parser.add_argument ("--pfx-file", dest='SignToolPfxFile', 
> type=argparse.FileType('rb'),
> 
>                           help="signtool PFX certificate filename.")
> 
> +    parser.add_argument ("--subject-name", 
> + dest='SignToolSubjectName',
> 
> +                         help="signtool certificate subject name.")
> 
> 
> 
>      parser.add_argument ("--signer-private-cert", 
> dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
> 
>                           help="OpenSSL signer private certificate
> filename.")
> 
> --
> 2.37.0.windows.1
> 
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#91180): 
> https://edk2.groups.io/g/devel/message/91180
> Mute This Topic: https://groups.io/mt/92249403/4905953
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> [gaoliming@byosoft.com.cn]
> -=-=-=-=-=-=
> 




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-07-25 15:11 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-08 11:41 [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file Lin, Jason1
2022-07-09 14:17 ` Bob Feng
2022-07-25  4:26 ` 回复: [edk2-devel] " gaoliming
2022-07-25 15:10   ` Bob Feng

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox