[PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file


Lin, Jason1
 

From: Jason1 Lin <jason1.lin@...>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3928

Windows-based systems use signtool.exe to sign the capsule.
Add support for a "--subject-name" argument that assigns
the subject name used to sign the capsule file.
This argument is passed to signtool.exe as the value of
the "/n" flag.

NOTE: If using signtool.exe to sign capsule at least need to
choose one of "--pfx-file" and "--subject-name"
argument to input the value.

Signed-off-by: Jason1 Lin <jason1.lin@...>
Cc: Bob Feng <bob.c.feng@...>
Cc: Liming Gao <gaoliming@...>
Cc: Yuwei Chen <yuwei.chen@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Dakota Chiang <dakota.chiang@...>
---
BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++--=
--
1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools=
/Source/Python/Capsule/GenerateCapsule.py
index b8039db878..35435946c6 100644
--- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
+++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
@@ -10,7 +10,7 @@
# keep the tool as simple as possible, it has the following limitations:=0D
# * Do not support vendor code bytes in a capsule.=0D
#=0D
-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
=0D
@@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader import FmpPa=
yloadHeaderClass
# Globals for help information=0D
#=0D
__prog__ =3D 'GenerateCapsule'=0D
-__version__ =3D '0.9'=0D
-__copyright__ =3D 'Copyright (c) 2018, Intel Corporation. All rights res=
erved.'=0D
+__version__ =3D '0.10'=0D
+__copyright__ =3D 'Copyright (c) 2022, Intel Corporation. All rights res=
erved.'=0D
__description__ =3D 'Generate a capsule.\n'=0D
=0D
-def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose =3D False):=0D
+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose =
=3D False):=0D
#=0D
# Create a temporary directory=0D
#=0D
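Review bot: The new `SubjectName` parameter is inserted positionally ahead of `Verbose`, so any caller that passed Verbose as the fourth positional argument now binds it to SubjectName without error; the call sites in this patch use the keyword form, but giving the parameter a default, `def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName = None, Verbose = False):`, keeps older callers working. The function body continues outside the hunk.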
@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Ver=
bose =3D False):
Command =3D Command + '"{Path}" '.format (Path =3D os.path.join (ToolP=
ath, 'signtool.exe'))=0D
Command =3D Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co =
1.2.840.113549.1.7.2 '=0D
Command =3D Command + '/p7 {TempDir} '.format (TempDir =3D TempDirecto=
ryName)=0D
- Command =3D Command + '/f {PfxFile} '.format (PfxFile =3D PfxFile)=0D
+ if PfxFile is not None:=0D
+ Command =3D Command + '/f {PfxFile} '.format (PfxFile =3D PfxFile)=
=0D
+ if SubjectName is not None:=0D
+ Command =3D Command + '/n {SubjectName} '.format (SubjectName =3D =
SubjectName)=0D
Command =3D Command + TempFileName=0D
if Verbose:=0D
print (Command)=0D
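Review bot: The subject name is concatenated into the signtool command line unquoted, `'/n {SubjectName} '`, so a subject name containing spaces (common for certificate CNs) is split into several arguments when the command string is executed; quote it the same way the tool path is quoted two lines above, `Command = Command + '/n "{SubjectName}" '.format (SubjectName = SubjectName)`. The pre-existing `/f {PfxFile}` has the same weakness for paths with spaces and could be quoted in the same commit. A comment on the `/n` line should also record that signtool treats the `/n` value as a substring match against the subject name, so a short value can select a different certificate from the store than the one intended and the full subject name should be supplied where possible. The rest of SignPayloadSignTool, including the process invocation, is outside this hunk.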
@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Ve=
rbose =3D False):
shutil.rmtree (TempDirectoryName)=0D
return Signature=0D
=0D
-def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose =
=3D False):=0D
+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectNa=
me, Verbose =3D False):=0D
print ('signtool verify is not supported.')=0D
raise ValueError ('GenerateCapsule: error: signtool verify is not supp=
orted.')=0D
=0D
@@ -249,6 +252,7 @@ if __name__ =3D=3D '__main__':
HardwareInstance =3D ConvertJsonValue (Config, 'Ha=
rdwareInstance', ValidateUnsignedInteger, Required =3D False, Default =3D 0=
)=0D
MonotonicCount =3D ConvertJsonValue (Config, 'Mo=
notonicCount', ValidateUnsignedInteger, Required =3D False, Default =3D 0)=
=0D
SignToolPfxFile =3D ConvertJsonValue (Config, 'Si=
gnToolPfxFile', os.path.expandvars, Required =3D False, Default =3D None, O=
pen =3D True)=0D
+ SignToolSubjectName =3D ConvertJsonValue (Config, 'Si=
gnToolSubjectName', os.path.expandvars, Required =3D False, Default =3D Non=
e, Open =3D True)=0D
OpenSslSignerPrivateCertFile =3D ConvertJsonValue (Config, 'Op=
enSslSignerPrivateCertFile', os.path.expandvars, Required =3D False, Defaul=
t =3D None, Open =3D True)=0D
OpenSslOtherPublicCertFile =3D ConvertJsonValue (Config, 'Op=
enSslOtherPublicCertFile', os.path.expandvars, Required =3D False, Default =
=3D None, Open =3D True)=0D
OpenSslTrustedPublicCertFile =3D ConvertJsonValue (Config, 'Op=
enSslTrustedPublicCertFile', os.path.expandvars, Required =3D False, Defaul=
t =3D None, Open =3D True)=0D
@@ -264,6 +268,7 @@ if __name__ =3D=3D '__main__':
HardwareInstance,=0D
UpdateImageIndex,=0D
SignToolPfxFile,=0D
+ SignToolSubjectName,=0D
OpenSslSignerPrivateCertFile,=
=0D
OpenSslOtherPublicCertFile,=0D
OpenSslTrustedPublicCertFile,=
=0D
@@ -303,6 +308,7 @@ if __name__ =3D=3D '__main__':
UpdateImageIndex =3D ConvertJsonValue (Config, 'Up=
dateImageIndex', ValidateUnsignedInteger, Required =3D False, Default =3D 1=
)=0D
MonotonicCount =3D ConvertJsonValue (Config, 'Mo=
notonicCount', ValidateUnsignedInteger, Required =3D False, Default =3D 0)=
=0D
SignToolPfxFile =3D ConvertJsonValue (Config, 'Si=
gnToolPfxFile', os.path.expandvars, Required =3D False, Default =3D None, O=
pen =3D True)=0D
+ SignToolSubjectName =3D ConvertJsonValue (Config, 'Si=
gnToolSubjectName', os.path.expandvars, Required =3D False, Default =3D Non=
e, Open =3D True)=0D
OpenSslSignerPrivateCertFile =3D ConvertJsonValue (Config, 'Op=
enSslSignerPrivateCertFile', os.path.expandvars, Required =3D False, Defaul=
t =3D None, Open =3D True)=0D
OpenSslOtherPublicCertFile =3D ConvertJsonValue (Config, 'Op=
enSslOtherPublicCertFile', os.path.expandvars, Required =3D False, Default =
=3D None, Open =3D True)=0D
OpenSslTrustedPublicCertFile =3D ConvertJsonValue (Config, 'Op=
enSslTrustedPublicCertFile', os.path.expandvars, Required =3D False, Defaul=
t =3D None, Open =3D True)=0D
@@ -329,6 +335,7 @@ if __name__ =3D=3D '__main__':
HardwareInstance,=0D
UpdateImageIndex,=0D
SignToolPfxFile,=0D
+ SignToolSubjectName,=0D
OpenSslSignerPrivateCertFile,=
=0D
OpenSslOtherPublicCertFile,=0D
OpenSslTrustedPublicCertFile,=
=0D
@@ -348,6 +355,7 @@ if __name__ =3D=3D '__main__':
"HardwareInstance": str(PayloadDescripto=
r.HardwareInstance),=0D
"UpdateImageIndex": str(PayloadDescripto=
r.UpdateImageIndex),=0D
"SignToolPfxFile": str(PayloadDescriptor=
.SignToolPfxFile),=0D
+ "SignToolSubjectName": str(PayloadDescri=
ptor.SignToolSubjectName),=0D
"OpenSslSignerPrivateCertFile": str(Payl=
oadDescriptor.OpenSslSignerPrivateCertFile),=0D
"OpenSslOtherPublicCertFile": str(Payloa=
dDescriptor.OpenSslOtherPublicCertFile),=0D
"OpenSslTrustedPublicCertFile": str(Payl=
oadDescriptor.OpenSslTrustedPublicCertFile),=0D
@@ -363,6 +371,8 @@ if __name__ =3D=3D '__main__':
for PayloadField in PayloadSection:=0D
if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:=0D
del PayloadField ['SignToolPfxFile']=0D
+ if PayloadJsonDescriptorList[Index].SignToolSubjectName is Non=
e:=0D
+ del PayloadField ['SignToolSubjectName']=0D
if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFi=
le is None:=0D
del PayloadField ['OpenSslSignerPrivateCertFile']=0D
if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile=
is None:=0D
@@ -402,6 +412,9 @@ if __name__ =3D=3D '__main__':
if args.SignToolPfxFile:=0D
print ('GenerateCapsule: error: Argument --pfx-file conflicts =
with Argument -j')=0D
sys.exit (1)=0D
+ if args.SignToolSubjectName:=0D
+ print ('GenerateCapsule: error: Argument --SubjectName conflic=
ts with Argument -j')=0D
+ sys.exit (1)=0D
if args.OpenSslSignerPrivateCertFile:=0D
print ('GenerateCapsule: error: Argument --signer-private-cert=
conflicts with Argument -j')=0D
sys.exit (1)=0D
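Review bot: The new conflict message names the option as `--SubjectName`, but the option registered later in this patch is `--subject-name`, so the user is pointed at a flag that does not exist; change it to `print ('GenerateCapsule: error: Argument --subject-name conflicts with Argument -j')` to match the `--pfx-file` message above it. The enclosing `if` that guards these checks starts before the hunk.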
@@ -425,6 +438,7 @@ if __name__ =3D=3D '__main__':
HardwareInstance =3D 0,=0D
UpdateImageIndex =3D 1,=0D
SignToolPfxFile =3D None,=0D
+ SignToolSubjectName =3D None,=0D
OpenSslSignerPrivateCertFile =3D None,=0D
OpenSslOtherPublicCertFile =3D None,=0D
OpenSslTrustedPublicCertFile =3D None,=0D
@@ -439,13 +453,15 @@ if __name__ =3D=3D '__main__':
self.HardwareInstance =3D HardwareInstance=0D
self.UpdateImageIndex =3D UpdateImageIndex=0D
self.SignToolPfxFile =3D SignToolPfxFile=0D
+ self.SignToolSubjectName =3D SignToolSubjectName=0D
self.OpenSslSignerPrivateCertFile =3D OpenSslSignerPrivateCert=
File=0D
self.OpenSslOtherPublicCertFile =3D OpenSslOtherPublicCertFi=
le=0D
self.OpenSslTrustedPublicCertFile =3D OpenSslTrustedPublicCert=
File=0D
self.SigningToolPath =3D SigningToolPath=0D
self.DepexExp =3D DepexExp=0D
=0D
- self.UseSignTool =3D self.SignToolPfxFile is not None=0D
+ self.UseSignTool =3D (self.SignToolPfxFile is not None or=0D
+ self.SignToolSubjectName is not None)=0D
self.UseOpenSsl =3D (self.OpenSslSignerPrivateCertFile is not=
None and=0D
self.OpenSslOtherPublicCertFile is not Non=
e and=0D
self.OpenSslTrustedPublicCertFile is not N=
one)=0D
@@ -504,8 +520,9 @@ if __name__ =3D=3D '__main__':
raise argparse.ArgumentTypeError ('--update-image-=
index must be an integer in range 0x0..0xff')=0D
=0D
if self.UseSignTool:=0D
- self.SignToolPfxFile.close()=0D
- self.SignToolPfxFile =3D self.SignToolPfxFile.name=0D
+ if self.SignToolPfxFile is not None:=0D
+ self.SignToolPfxFile.close()=0D
+ self.SignToolPfxFile =3D self.SignToolPfxFile.name=0D
if self.UseOpenSsl:=0D
self.OpenSslSignerPrivateCertFile.close()=0D
self.OpenSslOtherPublicCertFile.close()=0D
@@ -548,6 +565,7 @@ if __name__ =3D=3D '__main__':
args.HardwareInstance,=0D
args.UpdateImageIndex,=0D
args.SignToolPfxFile,=0D
+ args.SignToolSubjectName,=0D
args.OpenSslSignerPrivateCertF=
ile,=0D
args.OpenSslOtherPublicCertFil=
e,=0D
args.OpenSslTrustedPublicCertF=
ile,=0D
@@ -590,6 +608,7 @@ if __name__ =3D=3D '__main__':
Result + struct.pack ('<Q', SinglePayloadDescr=
iptor.MonotonicCount),=0D
SinglePayloadDescriptor.SigningToolPath,=0D
SinglePayloadDescriptor.SignToolPfxFile,=0D
+ SinglePayloadDescriptor.SignToolSubjectName,=0D
Verbose =3D args.Verbose=0D
)=0D
else:=0D
@@ -671,6 +690,7 @@ if __name__ =3D=3D '__main__':
args.HardwareInstance,=0D
args.UpdateImageIndex,=0D
args.SignToolPfxFile,=0D
+ args.SignSubjectName,=0D
args.OpenSslSignerPrivateCertF=
ile,=0D
args.OpenSslOtherPublicCertFil=
e,=0D
args.OpenSslTrustedPublicCertF=
ile,=0D
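Review bot: `args.SignSubjectName` on the added line does not match the argparse destination `SignToolSubjectName` declared by the new `--subject-name` option, nor the attribute used by the parallel call in the hunk at @@ -548,6 +565,7 @@, so this code path raises AttributeError as soon as it is reached. It should read `args.SignToolSubjectName,`. The surrounding constructor call starts and ends outside the hunk.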
@@ -715,6 +735,7 @@ if __name__ =3D=3D '__main__':
HardwareIn=
stance,=0D
UpdateImag=
eIndex,=0D
PayloadDes=
criptorList[Index].SignToolPfxFile,=0D
+ PayloadDes=
criptorList[Index].SignToolSubjectName,=0D
PayloadDes=
criptorList[Index].OpenSslSignerPrivateCertFile,=0D
PayloadDes=
criptorList[Index].OpenSslOtherPublicCertFile,=0D
PayloadDes=
criptorList[Index].OpenSslTrustedPublicCertFile,=0D
@@ -753,6 +774,7 @@ if __name__ =3D=3D '__main__':
HardwareInstan=
ce,=0D
UpdateImageInd=
ex,=0D
PayloadDescrip=
torList[Index].SignToolPfxFile,=0D
+ PayloadDescrip=
torList[Index].SignToolSubjectName,=0D
PayloadDescrip=
torList[Index].OpenSslSignerPrivateCertFile,=0D
PayloadDescrip=
torList[Index].OpenSslOtherPublicCertFile,=0D
PayloadDescrip=
torList[Index].OpenSslTrustedPublicCertFile,=0D
@@ -785,6 +807,7 @@ if __name__ =3D=3D '__main__':
FmpAuthHeader.CertData,=0D
SinglePayloadDescriptor.Signing=
ToolPath,=0D
SinglePayloadDescriptor.SignToo=
lPfxFile,=0D
+ SinglePayloadDescriptor.SignToo=
lSubjectName,=0D
Verbose =3D args.Verbose=0D
)=0D
else:=0D
@@ -968,6 +991,8 @@ if __name__ =3D=3D '__main__':
=0D
parser.add_argument ("--pfx-file", dest=3D'SignToolPfxFile', type=3Dar=
gparse.FileType('rb'),=0D
help=3D"signtool PFX certificate filename.")=0D
+ parser.add_argument ("--subject-name", dest=3D'SignToolSubjectName',=0D
+ help=3D"signtool certificate subject name.")=0D
=0D
parser.add_argument ("--signer-private-cert", dest=3D'OpenSslSignerPri=
vateCertFile', type=3Dargparse.FileType('rb'),=0D
help=3D"OpenSSL signer private certificate filena=
me.")=0D
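Review bot: The help text for `--subject-name` does not say that it is an alternative to `--pfx-file` and that signtool needs at least one of the two, which the commit message states but nothing visible in the parser enforces. Suggest `help="signtool certificate subject name (passed to signtool as /n); use this or --pfx-file to select the signing certificate."`, and consider a post-parse check that reports an error when a signing tool path is given without either option.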
--=20
2.37.0.windows.1
