public inbox for devel@edk2.groups.io
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Long, Qin" <qin.long@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Zhu, Yonghong" <yonghong.zhu@intel.com>,
	"Gao, Liming" <liming.gao@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>
Subject: Re: [PATCH] BaseTools/Pkcs7: Add readme.md
Date: Thu, 3 Nov 2016 03:56:36 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386BD3CD@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <BF2CCE9263284D428840004653A28B6E51553F46@SHSMSX103.ccr.corp.intel.com>

Agree. Thanks!

From: Long, Qin
Sent: Thursday, November 3, 2016 11:19 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; edk2-devel@lists.01.org
Cc: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming <liming.gao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [PATCH] BaseTools/Pkcs7: Add readme.md

Hi, Jiewen,

Please update the "PKCS7 certificate chain" to "X.509 certificate chain". The P7 certificate chain may be used in some different scope (e.g. .p7b for cert chain encapsulation).

For example:
"Step by step to generate PKCS7 certificate chain"  --> "Step by step to generate sample X.509 certificate chain and sign data with PKCS7 structure".
"How to generate PKCS7 certificate chain via OPENSSL" --> "How to generate X.509 certificate chain via OPENSSL"

The other steps look good to me.

Reviewed-by: Qin Long <qin.long@intel.com>


Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Thursday, November 03, 2016 10:59 AM
> To: edk2-devel@lists.01.org
> Cc: Zhu, Yonghong; Gao, Liming; Kinney, Michael D; Long, Qin
> Subject: [PATCH] BaseTools/Pkcs7: Add readme.md
>
> Add readme.md to describe the PKCS7 certificate generation.
>
> Cc: Yonghong Zhu <yonghong.zhu@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  BaseTools/Source/Python/Pkcs7Sign/Readme.md | 84
> ++++++++++++++++++++
>  1 file changed, 84 insertions(+)
>
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> new file mode 100644
> index 0000000..be5e63b
> --- /dev/null
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> @@ -0,0 +1,84 @@
> +# Step by step to generate PKCS7 certificate chain

> +
> +This readme provides some samples to generate PKCS7 certificate chain
> step by step.
> +
> +## How to generate PKCS7 certificate chain via OPENSSL
> +* Set OPENSSL environment.
> +
> +NOTE: Below steps are required for Windows. Linux may already have the
> OPENSSL environment correctly.
> +
> +    set OPENSSL_HOME=c:\home\openssl\openssl-[version]
> +    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
> +
> +When a user uses OpenSSL (req or ca command) to generate the
> certificates, OpenSSL will use the openssl.cnf file as the configuration data
> (can use “-config path/to/openssl.cnf” to describe the specific config file).
> +
> +The user need check the openssl.cnf file, to find your CA path setting, e.g.
> check if the path exists in [ CA_default ] section.
> +
> +    [ CA_default ]
> +        dir = ./demoCA              # Where everything is kept
> +
> +You may need the following steps for initialization:
> +
> +    rd ./demoCA /S/Q
> +    mkdir ./demoCA
> +    echo "" > ./demoCA/index.txt
> +    echo 01 > ./demoCA/serial
> +    mkdir ./demoCA/newcerts
> +
> +* Generate the certificate chain:
> +
> +NOTE: User MUST set a UNIQUE "Common Name" on the different
> certificate
> +
> +1) Test Root CA certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestRoot.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
> +    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
> +    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out
> TestRoot.pub.pem
> +
> +2) Test Sub certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestSub.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
> +    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -
> cert TestRoot.crt -keyfile TestRoot.key
> +    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
> +    openssl x509 -inform DER -in TestSub.cer -outform PEM -out
> TestSub.pub.pem
> +
> +3) Test user certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestCert.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
> +    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -
> keyfile TestSub.key`
> +    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
> +    openssl x509 -inform DER -in TestCert.cer -outform PEM -out
> TestCert.pub.pem
> +
> +Convert Key and Certificate for signing (password is removed here via "-
> nodes")
> +
> +    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in
> TestCert.crt
> +    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
> +
> +* Verify
> +
> +1) Sign:
> +
> +    openssl smime -sign -binary -signer TestCert.pem -outform DER -md
> sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
> +
> +2) Verify:
> +
> +    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile
> TestRoot.pub.pem -out test.org.bin
> +
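Review bot: the title and the first section heading (`# Step by step to generate PKCS7 certificate chain`, `## How to generate PKCS7 certificate chain via OPENSSL`) call the result a "PKCS7 certificate chain", but every step up to the Verify section produces X.509 certificates (root, sub CA, user), and PKCS7 only appears at the end as the container that `openssl smime -sign` writes and `openssl smime -verify` reads; rename both to "X.509 certificate chain" and describe the signing step separately as signing data with a PKCS7 structure. Three smaller points in the same hunk: the user-certificate `openssl ca` line ends in a stray backtick after `-keyfile TestSub.key`, which will be pasted into a shell along with the command; in the initialization block, `echo "" > ./demoCA/index.txt` on the Windows cmd shell these steps target writes the two quote characters into the file instead of leaving it empty (`type nul > ./demoCA/index.txt` produces the empty index that `openssl ca` expects); and the `pkcs12 -nodes` conversion leaves the signing private key unencrypted inside TestCert.pem, so the text should say that this file must be protected and removed once test.bin.p7 has been produced. Wording: "Linux may already have the OPENSSL environment correctly" reads better as "On Linux the OpenSSL environment is usually already set up correctly".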
> --
> 2.7.4.windows.1

Thread overview:
2016-11-03  2:59 [PATCH] BaseTools/Pkcs7: Add readme.md Jiewen Yao
2016-11-03  3:19 ` Long, Qin
2016-11-03  3:56   ` Yao, Jiewen [this message]
2016-11-01 11:59 Jiewen Yao
