Re: [PATCH] BaseTools/Pkcs7: Add readme.md

["Yao, Jiewen" <jiewen.yao@intel.com>]

Agree. Thanks!

From: Long, Qin
Sent: Thursday, November 3, 2016 11:19 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; edk2-devel@lists.01.org
Cc: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming <liming.gao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [PATCH] BaseTools/Pkcs7: Add readme.md

Hi, Jiewen,

Please update the "PKCS7 certificate chain" to "X.509 certificate chain".  The P7 certificate chain may be used as some different scope (e.g. .p7b for cert chain encapsulation.

For example:
"Step by step to generate PKCS7 certificate chain"  --> "Step by step to generate sample X.509 certificate chain and sign data with PKCS7 structure".
"How to generate PKCS7 certificate chain via OPENSSL" --> "How to generate X.509 certificate chain via OPENSSL"

The other steps looks good to me.

Reviewed-by: Qin Long <qin.long@intel.com<mailto:qin.long@intel.com>>


Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Thursday, November 03, 2016 10:59 AM
> To: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Zhu, Yonghong; Gao, Liming; Kinney, Michael D; Long, Qin
> Subject: [PATCH] BaseTools/Pkcs7: Add readme.md
>
> Add readme.md to describe the PKCS7 certificate generation.
>
> Cc: Yonghong Zhu <yonghong.zhu@intel.com<mailto:yonghong.zhu@intel.com>>
> Cc: Liming Gao <liming.gao@intel.com<mailto:liming.gao@intel.com>>
> Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> Cc: Qin Long <qin.long@intel.com<mailto:qin.long@intel.com>>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> ---
>  BaseTools/Source/Python/Pkcs7Sign/Readme.md | 84
> ++++++++++++++++++++
>  1 file changed, 84 insertions(+)
>
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> new file mode 100644
> index 0000000..be5e63b
> --- /dev/null
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> @@ -0,0 +1,84 @@
> +# Step by step to generate PKCS7 certificate chain

> +
> +This readme provides some samples to generate PKCS7 certificate chain
> step by step.
> +
> +## How to generate PKCS7 certificate chain via OPENSSL
> +* Set OPENSSL environment.
> +
> +NOTE: Below steps are required for Windows. Linux may already have the
> OPENSSL environment correctly.
> +
> +    set OPENSSL_HOME=c:\home\openssl\openssl-[version]
> +    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
> +
> +When a user uses OpenSSL (req or ca command) to generate the
> certificates, OpenSSL will use the openssl.cnf file as the configuration data
> (can use “-config path/to/openssl.cnf” to describe the specific config file).
> +
> +The user need check the openssl.cnf file, to find your CA path setting, e.g.
> check if the path exists in [ CA_default ] section.
> +
> +    [ CA_default ]
> +        dir = ./demoCA              # Where everything is kept
> +
> +You may need the following steps for initialization:
> +
> +    rd ./demoCA /S/Q
> +    mkdir ./demoCA
> +    echo "" > ./demoCA/index.txt
> +    echo 01 > ./demoCA/serial
> +    mkdir ./demoCA/newcerts
> +
> +* Generate the certificate chain:
> +
> +NOTE: User MUST set a UNIQUE "Common Name" on the different
> certificate
> +
> +1) Test Root CA certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestRoot.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
> +    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
> +    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out
> TestRoot.pub.pem
> +
> +2) Test Sub certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestSub.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
> +    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -
> cert TestRoot.crt -keyfile TestRoot.key
> +    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
> +    openssl x509 -inform DER -in TestSub.cer -outform PEM -out
> TestSub.pub.pem
> +
> +3) Test user certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestCert.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
> +    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -
> keyfile TestSub.key`
> +    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
> +    openssl x509 -inform DER -in TestCert.cer -outform PEM -out
> TestCert.pub.pem
> +
> +Convert Key and Certificate for signing (password is removed here via "-
> nodes")
> +
> +    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in
> TestCert.crt
> +    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
> +
> +* Verify
> +
> +1) Sign:
> +
> +    openssl smime -sign -binary -signer TestCert.pem -outform DER -md
> sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
> +
> +2) Verify:
> +
> +    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile
> TestRoot.pub.pem -out test.org.bin
> +
> --
> 2.7.4.windows.1