public inbox for devel@edk2.groups.io
From: "Long, Qin" <qin.long@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Zhu, Yonghong" <yonghong.zhu@intel.com>,
	"Gao, Liming" <liming.gao@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>
Subject: Re: [PATCH] BaseTools/Pkcs7: Add readme.md
Date: Thu, 3 Nov 2016 03:19:01 +0000
Message-ID: <BF2CCE9263284D428840004653A28B6E51553F46@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <1478141969-15912-1-git-send-email-jiewen.yao@intel.com>

Hi, Jiewen,

Please update the "PKCS7 certificate chain" to "X.509 certificate chain". The P7 certificate chain may be used in some different scope (e.g. .p7b for cert chain encapsulation).

For example:
"Step by step to generate PKCS7 certificate chain"  --> "Step by step to generate sample X.509 certificate chain and sign data with PKCS7 structure". 
"How to generate PKCS7 certificate chain via OPENSSL" --> "How to generate X.509 certificate chain via OPENSSL"

The other steps look good to me.

Reviewed-by: Qin Long <qin.long@intel.com>


Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Thursday, November 03, 2016 10:59 AM
> To: edk2-devel@lists.01.org
> Cc: Zhu, Yonghong; Gao, Liming; Kinney, Michael D; Long, Qin
> Subject: [PATCH] BaseTools/Pkcs7: Add readme.md
> 
> Add readme.md to describe the PKCS7 certificate generation.
> 
> Cc: Yonghong Zhu <yonghong.zhu@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  BaseTools/Source/Python/Pkcs7Sign/Readme.md | 84
> ++++++++++++++++++++
>  1 file changed, 84 insertions(+)
> 
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> new file mode 100644
> index 0000000..be5e63b
> --- /dev/null
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> @@ -0,0 +1,84 @@
> +# Step by step to generate PKCS7 certificate chain
> +
> +This readme provides some samples to generate PKCS7 certificate chain
> step by step.
> +
> +## How to generate PKCS7 certificate chain via OPENSSL
> +* Set OPENSSL environment.
> +
> +NOTE: Below steps are required for Windows. Linux may already have the
> OPENSSL environment correctly.
> +
> +    set OPENSSL_HOME=c:\home\openssl\openssl-[version]
> +    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
> +
> +When a user uses OpenSSL (req or ca command) to generate the
> certificates, OpenSSL will use the openssl.cnf file as the configuration data
> (can use “-config path/to/openssl.cnf” to describe the specific config file).
> +
> +The user need check the openssl.cnf file, to find your CA path setting, e.g.
> check if the path exists in [ CA_default ] section.
> +
> +    [ CA_default ]
> +        dir = ./demoCA              # Where everything is kept
> +
> +You may need the following steps for initialization:
> +
> +    rd ./demoCA /S/Q
> +    mkdir ./demoCA
> +    echo "" > ./demoCA/index.txt
> +    echo 01 > ./demoCA/serial
> +    mkdir ./demoCA/newcerts
> +
> +* Generate the certificate chain:
> +
> +NOTE: User MUST set a UNIQUE "Common Name" on the different
> certificate
> +
> +1) Test Root CA certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestRoot.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
> +    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
> +    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out
> TestRoot.pub.pem
> +
> +2) Test Sub certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestSub.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
> +    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -
> cert TestRoot.crt -keyfile TestRoot.key
> +    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
> +    openssl x509 -inform DER -in TestSub.cer -outform PEM -out
> TestSub.pub.pem
> +
> +3) Test user certificate:
> +
> +Generate key:
> +
> +    openssl genrsa -aes256 -out TestCert.key 2048
> +
> +Generate certificate:
> +
> +    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
> +    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -
> keyfile TestSub.key`
> +    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
> +    openssl x509 -inform DER -in TestCert.cer -outform PEM -out
> TestCert.pub.pem
> +
> +Convert Key and Certificate for signing (password is removed here via "-
> nodes")
> +
> +    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in
> TestCert.crt
> +    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
> +
> +* Verify
> +
> +1) Sign:
> +
> +    openssl smime -sign -binary -signer TestCert.pem -outform DER -md
> sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
> +
> +2) Verify:
> +
> +    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile
> TestRoot.pub.pem -out test.org.bin
> +
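Review bot: the headings "# Step by step to generate PKCS7 certificate chain" and "## How to generate PKCS7 certificate chain via OPENSSL" misname what the steps build; the `openssl req` / `openssl ca` commands produce an X.509 chain (TestRoot -> TestSub -> TestCert), and PKCS7 only appears at the end as the container written by `openssl smime -sign -binary -signer TestCert.pem -outform DER`, so the headings should say "X.509 certificate chain" and "sign data with PKCS7 structure". Three smaller points in the same hunk: the user-certificate line `openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key\`` carries a stray trailing backtick that a reader will paste into the command; on cmd.exe, `echo "" > ./demoCA/index.txt` writes a line containing two literal quote characters rather than the empty index file `openssl ca` expects, so `type nul > ./demoCA/index.txt` is the safer initialization; and the "Convert Key and Certificate for signing" step should state that `openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem` leaves the signing private key unencrypted in TestCert.pem (the `-aes256` passphrase on TestCert.key no longer protects it), so the readme should tell the user to delete or otherwise protect that file once signing is done.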
> --
> 2.7.4.windows.1


Thread overview: 4+ messages
2016-11-03  2:59 [PATCH] BaseTools/Pkcs7: Add readme.md Jiewen Yao
2016-11-03  3:19 ` Long, Qin [this message]
2016-11-03  3:56   ` Yao, Jiewen
  -- strict thread matches above, loose matches on Subject: below --
2016-11-01 11:59 Jiewen Yao
