From: "Long, Qin" <qin.long@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Zhu, Yonghong" <yonghong.zhu@intel.com>,
"Gao, Liming" <liming.gao@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Subject: Re: [PATCH] BaseTools/Pkcs7: Add readme.md
Date: Thu, 3 Nov 2016 03:19:01 +0000 [thread overview]
Message-ID: <BF2CCE9263284D428840004653A28B6E51553F46@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <1478141969-15912-1-git-send-email-jiewen.yao@intel.com>
Hi, Jiewen,
Please update the "PKCS7 certificate chain" to "X.509 certificate chain". The P7 certificate chain may be used as some different scope (e.g. .p7b for cert chain encapsulation.
For example:
"Step by step to generate PKCS7 certificate chain" --> "Step by step to generate sample X.509 certificate chain and sign data with PKCS7 structure".
"How to generate PKCS7 certificate chain via OPENSSL" --> "How to generate X.509 certificate chain via OPENSSL"
The other steps looks good to me.
Reviewed-by: Qin Long <qin.long@intel.com>
Best Regards & Thanks,
LONG, Qin
> -----Original Message-----
> From: Yao, Jiewen
> Sent: Thursday, November 03, 2016 10:59 AM
> To: edk2-devel@lists.01.org
> Cc: Zhu, Yonghong; Gao, Liming; Kinney, Michael D; Long, Qin
> Subject: [PATCH] BaseTools/Pkcs7: Add readme.md
>
> Add readme.md to describe the PKCS7 certificate generation.
>
> Cc: Yonghong Zhu <yonghong.zhu@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
> BaseTools/Source/Python/Pkcs7Sign/Readme.md | 84
> ++++++++++++++++++++
> 1 file changed, 84 insertions(+)
>
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> new file mode 100644
> index 0000000..be5e63b
> --- /dev/null
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
> @@ -0,0 +1,84 @@
> +# Step by step to generate PKCS7 certificate chain
> +
> +This readme provides some samples to generate PKCS7 certificate chain
> step by step.
> +
> +## How to generate PKCS7 certificate chain via OPENSSL
> +* Set OPENSSL environment.
> +
> +NOTE: Below steps are required for Windows. Linux may already have the
> OPENSSL environment correctly.
> +
> + set OPENSSL_HOME=c:\home\openssl\openssl-[version]
> + set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
> +
> +When a user uses OpenSSL (req or ca command) to generate the
> certificates, OpenSSL will use the openssl.cnf file as the configuration data
> (can use “-config path/to/openssl.cnf” to describe the specific config file).
> +
> +The user need check the openssl.cnf file, to find your CA path setting, e.g.
> check if the path exists in [ CA_default ] section.
> +
> + [ CA_default ]
> + dir = ./demoCA # Where everything is kept
> +
> +You may need the following steps for initialization:
> +
> + rd ./demoCA /S/Q
> + mkdir ./demoCA
> + echo "" > ./demoCA/index.txt
> + echo 01 > ./demoCA/serial
> + mkdir ./demoCA/newcerts
> +
> +* Generate the certificate chain:
> +
> +NOTE: User MUST set a UNIQUE "Common Name" on the different
> certificate
> +
> +1) Test Root CA certificate:
> +
> +Generate key:
> +
> + openssl genrsa -aes256 -out TestRoot.key 2048
> +
> +Generate certificate:
> +
> + openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
> + openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
> + openssl x509 -inform DER -in TestRoot.cer -outform PEM -out
> TestRoot.pub.pem
> +
> +2) Test Sub certificate:
> +
> +Generate key:
> +
> + openssl genrsa -aes256 -out TestSub.key 2048
> +
> +Generate certificate:
> +
> + openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
> + openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -
> cert TestRoot.crt -keyfile TestRoot.key
> + openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
> + openssl x509 -inform DER -in TestSub.cer -outform PEM -out
> TestSub.pub.pem
> +
> +3) Test user certificate:
> +
> +Generate key:
> +
> + openssl genrsa -aes256 -out TestCert.key 2048
> +
> +Generate certificate:
> +
> + openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
> + openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -
> keyfile TestSub.key`
> + openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
> + openssl x509 -inform DER -in TestCert.cer -outform PEM -out
> TestCert.pub.pem
> +
> +Convert Key and Certificate for signing (password is removed here via "-
> nodes")
> +
> + openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in
> TestCert.crt
> + openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
> +
> +* Verify
> +
> +1) Sign:
> +
> + openssl smime -sign -binary -signer TestCert.pem -outform DER -md
> sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
> +
> +2) Verify:
> +
> + openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile
> TestRoot.pub.pem -out test.org.bin
> +
> --
> 2.7.4.windows.1
next prev parent reply other threads:[~2016-11-03 3:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-03 2:59 [PATCH] BaseTools/Pkcs7: Add readme.md Jiewen Yao
2016-11-03 3:19 ` Long, Qin [this message]
2016-11-03 3:56 ` Yao, Jiewen
-- strict thread matches above, loose matches on Subject: below --
2016-11-01 11:59 Jiewen Yao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BF2CCE9263284D428840004653A28B6E51553F46@SHSMSX103.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox