def test_should_be_able_to_fetch_a_builtin_signer_module(self): py_signer = signing_helper.get_signer(signing_helper.PYOPENSSL_SIGNER) self.assertTrue(hasattr(py_signer, 'sign')) signtoolsigner = signing_helper.get_signer( signing_helper.SIGNTOOL_SIGNER) self.assertTrue(hasattr(signtoolsigner, 'sign'))
def createSignedPolicy(filename: str, signer_type: str, pkcs12_test: bool = False) -> None: manf = bytes.decode(open('Manufacturer.bin', 'rb').read(), encoding='utf_16_le') prod = bytes.decode(open('Product.bin', 'rb').read(), encoding='utf_16_le') sn = bytes.decode(open('SerialNumber.bin', 'rb').read(), encoding='utf_16_le') oem1 = bytes.decode(open('OEM_01.bin', 'rb').read(), encoding='utf_16_le') oem2 = bytes.decode(open('OEM_02.bin', 'rb').read(), encoding='utf_16_le') nonceInt = struct.unpack('<Q', open('TargetNonce.bin', 'rb').read())[0] devicePolicy = 3 policy_ba = CreatePolicyFromParameters(manf, prod, sn, nonceInt, oem1, oem2, devicePolicy) signer_options = { 'key_file_format': 'pkcs12', 'key_file': os.path.abspath( os.path.join(os.path.dirname(os.path.abspath(__file__)), PFX)), 'oid': OID } if signer_type == 'signtool': signer = signing_helper.get_signer(signing_helper.SIGNTOOL_SIGNER) signature_options = { 'type': 'pkcs7', 'type_options': {'embedded'}, 'encoding': 'DER', 'hash_alg': 'sha256' } elif signer_type == 'openssl': signer = signing_helper.get_signer(signing_helper.PYOPENSSL_SIGNER) signature_options = { 'type': 'bare', 'encoding': 'binary', 'hash_alg': 'sha256' } else: raise Exception if pkcs12_test is True: signature_options['sign_alg'] = 'pkcs12' print('\nSigning ' + filename) signed = signer.sign(policy_ba, signature_options, signer_options) print('Signing complete.\n') print(signed) open(filename + '.bin', 'wb').write(policy_ba) open(filename + '.bin.p7', 'wb').write(signed)
def main(): args = get_cli_options() final_options = update_options(load_options_file(args.options_file), args.capsule_options, args.signer_options) # Verify minimum capsule options. required_capsule_options = ('fw_name', 'fw_version', 'lsv_version', 'fw_version_string', 'provider_name', 'fw_description', 'esrt_guid') missing_capsule_options = tuple(option for option in required_capsule_options if option not in final_options['capsule']) if len(missing_capsule_options) > 0: logging.error("Missing required capsule options: " + ", ".join(missing_capsule_options) + "!") logging.error( "Options MUST be provided in either the options file or on the command line." ) sys.exit(1) # Next, we're gonna need a signer. if args.builtin_signer is not None: signer = signing_helper.get_signer(args.builtin_signer) elif args.module_signer is not None: signer = signing_helper.get_signer(signing_helper.PYPATH_MODULE_SIGNER, args.module_signer) elif args.local_signer is not None: signer = signing_helper.get_signer(signing_helper.LOCAL_MODULE_SIGNER, args.local_signer) # Now, build the capsule. uefi_capsule_header = capsule_helper.build_capsule( args.capsule_payload.read(), final_options['capsule'], signer, final_options['signer']) # Save the capsule. capsule_helper.save_capsule(uefi_capsule_header, final_options['capsule'], args.output_dir) # Build the INF file. capsule_helper.create_inf_file(final_options['capsule'], args.output_dir) # Build the CAT file. capsule_helper.create_cat_file(final_options['capsule'], args.output_dir) # If requested, save the final options for provenance. if args.save_final_options: final_options_file = os.path.join(args.output_dir, 'Final_Capsule_Options.yaml') with open(final_options_file, 'w') as options_file: yaml.dump(final_options, options_file, indent=2)
def test_should_be_able_to_fetch_a_user_provided_signer_module(self): test_script_path = os.path.dirname(os.path.abspath(__file__)) # TEST NOTE: This is a little hacky and will break if relative paths are changed. module_root_path = os.path.dirname(os.path.dirname(test_script_path)) py_signer_path = os.path.join(module_root_path, 'capsule', 'pyopenssl_signer.py') self.assertTrue(os.path.isfile(py_signer_path)) py_signer = signing_helper.get_signer( signing_helper.LOCAL_MODULE_SIGNER, py_signer_path) self.assertTrue(hasattr(py_signer, 'sign'))
def test_should_be_able_to_pass_a_signing_module(self): py_signer = signing_helper.get_signer( signing_helper.PYPATH_MODULE_SIGNER, 'edk2toolext.capsule.pyopenssl_signer') self.assertTrue(hasattr(py_signer, 'sign'))