From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jiewen.yao@intel.com>
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20])
 (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 79C0681CE0
 for <edk2-devel@lists.01.org>; Tue,  1 Nov 2016 04:59:29 -0700 (PDT)
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
 by orsmga101.jf.intel.com with ESMTP; 01 Nov 2016 04:59:21 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,579,1473145200"; d="scan'208";a="780806033"
Received: from sliu17-mobl1.ccr.corp.intel.com (HELO
 jyao1-MOBL.ccr.corp.intel.com) ([10.254.210.237])
 by FMSMGA003.fm.intel.com with ESMTP; 01 Nov 2016 04:59:19 -0700
From: Jiewen Yao <jiewen.yao@intel.com>
To: edk2-devel@lists.01.org
Cc: Yonghong Zhu <yonghong.zhu@intel.com>, Liming Gao <liming.gao@intel.com>,
 Michael D Kinney <michael.d.kinney@intel.com>,
 Qin Long <qin.long@intel.com>
Date: Tue,  1 Nov 2016 19:59:11 +0800
Message-Id: <1478001551-6692-1-git-send-email-jiewen.yao@intel.com>
X-Mailer: git-send-email 2.7.4.windows.1
MIME-Version: 1.0
Subject: [PATCH] BaseTools/Pkcs7: Add readme.md
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2016 11:59:29 -0000
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add readme.md to describe the PKCS7 certificate generation.

Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 BaseTools/Source/Python/Pkcs7Sign/Readme.md | 84 ++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
new file mode 100644
index 0000000..39bd342
--- /dev/null
+++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
@@ -0,0 +1,84 @@
+# Step by step to generate PKCS7 certificate chain
+
+This readme provides some samples to generate PKCS7 certificate chain step by step.
+
+## How to generate PKCS7 certificate chain via OPENSSL
+* Set OPENSSL environment.
+
+NOTE: Below steps are required for Windows. Linux may already have the OPENSSL environment correctly.
+ 
+    set OPENSSL_HOME=c:\home\openssl\openssl-[version]
+    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
+
+When a user uses OpenSSL (req or ca command) to generate the certificates, OpenSSL will use the openssl.cnf file as the configuration data (can use “-config path/to/openssl.cnf” to describe the specific config file).
+
+The user need check the openssl.cnf file, to find your CA path setting, e.g. check if the path exists in [ CA_default ] section.
+
+    [ CA_default ]
+        dir = ./demoCA              # Where everything is kept
+
+You may need the following steps for initialization:
+
+    rd ./demoCA /S/Q
+    mkdir ./demoCA
+    echo "" > ./demoCA/index.txt
+    echo 01 > ./demoCA/serial
+    mkdir ./demoCA/newcerts
+
+* Generate the certificate chain:
+
+NOTE: User MUST set a UNIQUE "Common Name" on the different certificate
+
+1) Test Root CA certificate:
+
+Generate key:
+
+    openssl genrsa -aes256 -out TestRoot.key 2048
+
+Generate certificate:
+
+    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
+    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
+    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem
+
+2) Test Sub certificate:
+
+Generate key:
+
+    openssl genrsa -aes256 -out TestSub.key 2048
+
+Generate certificate:
+
+    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
+    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
+    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
+    openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem
+
+3) Test user certificate:
+
+Generate key:
+
+    openssl genrsa -aes256 -out TestCert.key 2048
+
+Generate certificate:
+
+    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
+    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`
+    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
+    openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem
+
+Convert Key and Certificate for signing (password is removed here via "-nodes")
+
+    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt
+    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
+
+* Verify
+
+1) Sign:
+
+    openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
+
+2) Verify:
+
+    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin
+
-- 
2.7.4.windows.1