authorAKASHI Takahiro <takahiro.akashi@linaro.org>2020-07-21 19:35:24 +0900
committerHeinrich Schuchardt <xypron.glpk@gmx.de>2020-08-13 22:37:36 +0200
commite1174c566a61c863db1b782935269acba00e9281 (patch)
tree06ebf0bb5f2ba3f85562bd67761aa6f5ef145ddd /test/py/tests/test_efi_secboot/openssl.cnf
parent57be8cdce35189ea063ebadb9338ef510289116f (diff)
test/py: efi_secboot: add test for intermediate certificates
In this test case, an image may have a signature that carries additional intermediate certificates. The chain of trust is followed, and every certificate in the middle of the chain must be verified before the image is loaded. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'test/py/tests/test_efi_secboot/openssl.cnf')
-rw-r--r--test/py/tests/test_efi_secboot/openssl.cnf48
1 files changed, 48 insertions, 0 deletions
diff --git a/test/py/tests/test_efi_secboot/openssl.cnf b/test/py/tests/test_efi_secboot/openssl.cnf
new file mode 100644
index 0000000000..f684f1df7e
--- /dev/null
+++ b/test/py/tests/test_efi_secboot/openssl.cnf
@@ -0,0 +1,48 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+new_certs_dir = .
+database = ./index.txt
+serial = ./serial
+default_md = sha256
+policy = policy_min
+
+[ req ]
+distinguished_name = def_distinguished_name
+
+[def_distinguished_name]
+
+# Extensions
+# -addext " ... = ..."
+#
+[ v3_ca ]
+ # Extensions for a typical Root CA.
+ basicConstraints = critical,CA:TRUE
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+
+[ v3_int_ca ]
+ # Extensions for a typical intermediate CA.
+ basicConstraints = critical, CA:TRUE
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+
+[ usr_cert ]
+ # Extensions for user end certificates.
+ basicConstraints = CA:FALSE
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+
+[ policy_min ]
+ countryName = optional
+ stateOrProvinceName = optional
+ localityName = optional
+ organizationName = optional
+ organizationalUnitName = optional
+ commonName = supplied
+ emailAddress = optional
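Review bot: The end-entity profile in `[ usr_cert ]` gives the image-signing leaf `extendedKeyUsage = clientAuth, emailProtection` and a `keyEncipherment` key usage, which describe a TLS-client or S/MIME certificate rather than the code-signing certificate the commit message says this chain is verifying before an image is loaded. Whether U-Boot's PKCS#7 path checks EKU is not visible from this file, so the test probably passes either way, but a stricter verifier would reject this leaf and the profile currently misdocuments the key's purpose. I would change the two lines to `keyUsage = critical, digitalSignature` and `extendedKeyUsage = codeSigning`, or at minimum put `# Profile for the image-signing (end-entity) certificate` above the section so the intent is explicit. Separately, `[ v3_int_ca ]` is byte-identical to `[ v3_ca ]`; if exactly one intermediate sits between root and leaf in the test, `basicConstraints = critical, CA:TRUE, pathlen:0` on the intermediate would make it a genuinely constrained CA and exercise path-length enforcement, which a copy of the root profile does not.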