KeyCompatibility
SecureBoot in Ubuntu (key compatibility)
Canonical has access to the Microsoft signing PKCS#7 file (PCA 2010) (cdboot.pkcs). For maximum compatibility with firmware implementing the UEFI 2.3.1 specification, Canonical should use the same format for its keys, namely PKCS#7 files, RSA2048 keys, SHA256 signatures and the CA and signing certificates/keys should also be setup similarly to Microsoft's.
Analysis
To view the PKCS#7 file from Microsoft (cdboot.pkcs), convert to x509 PEM format:
$ openssl pkcs7 -print_certs -inform DER -in ./cdboot.pkcs -out cdboot.pem
At this point 'cdboot.pem' has both the signing and the CA certificates in it. While a command like gcr-viewer can handle this fine, you'll want to split those out into different files to use with openssl x509. Eg (assumes the singing certificate is manually split out into cdboot_signing.pem and cdboot_ca.pem):
$ openssl x509 -in ./cdboot_signing.pem -serial -noout
serial=6108B9A4000000000010
$ openssl x509 -in ./cdboot_signing.pem -sha1 -fingerprint -noout
SHA1 Fingerprint=CC:90:08:D2:D4:E8:0E:B9:24:E3:AD:29:CB:08:60:0F:58:57:0C:DC
$ openssl x509 -in ./cdboot_signing.pem -subject -noout
subject= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:b9:a4:00:00:00:00:00:10
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows PCA 2010
Validity
Not Before: Mar 14 21:45:50 2011 GMT
Not After : Jun 14 21:55:50 2012 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:3c:0e:f7:c7:47:61:0d:d7:43:1e:1e:24:fe:
a5:65:eb:82:39:a8:e0:65:a3:bd:07:a0:63:39:b3:
8f:14:82:27:5e:62:3a:1f:b4:66:43:8c:66:40:31:
28:88:09:c6:f9:13:4e:a8:e3:23:19:eb:d5:fc:3a:
64:a0:98:80:14:86:fa:ae:6b:7b:38:b2:0b:6d:65:
60:c4:ac:71:69:89:ef:06:56:66:ae:df:44:85:0b:
f0:03:8e:f4:30:59:f1:76:a5:ae:93:44:85:59:2c:
64:a7:bf:db:0d:c3:b7:92:1a:99:fc:1b:f5:d9:11:
a4:44:53:ad:4a:20:85:11:e2:56:ef:c4:bf:9e:05:
15:16:a6:96:59:c5:df:01:81:76:70:c5:c2:81:eb:
24:aa:d2:40:1a:ce:60:81:8a:89:17:5b:6f:e8:b5:
ec:a1:1c:4b:6e:e8:24:9b:e0:1b:c1:22:c3:dd:7f:
81:0a:a0:00:11:0b:d0:37:df:6f:b7:47:a5:e0:73:
4b:8c:eb:b7:38:cc:bb:68:3d:ce:20:5f:65:ec:a8:
a1:3e:77:84:06:55:1a:e5:ff:0d:36:03:24:c4:17:
ec:13:b3:74:c4:e8:55:7b:09:68:6a:06:da:8f:94:
49:39:d9:e3:39:f3:d2:6c:04:24:24:77:e2:0a:00:
16:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.311.10.3.6
X509v3 Subject Key Identifier:
BA:80:E8:9B:57:CC:A9:F7:2C:9E:37:75:83:C1:4C:F4:0F:3F:8F:B4
X509v3 Authority Key Identifier:
keyid:D1:4F:A9:8A:07:08:CE:F4:24:18:98:E5:00:FF:F3:D6:79:1D:37:BC
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicWinPCA_2010-07-06.crt
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:MOPR
Signature Algorithm: sha256WithRSAEncryption
34:35:6e:51:66:54:f4:63:3a:6d:8a:53:24:3b:c1:26:14:84:
2f:84:b8:49:e7:fd:b5:15:4e:54:2d:41:06:5c:8b:8b:cb:07:
a9:1c:4f:48:f1:ef:ce:73:72:32:09:5b:58:6c:9f:18:a9:0a:
36:be:e8:e5:e8:f0:ad:c8:be:0b:7f:97:ea:d6:bb:b8:5f:df:
61:fc:1e:e5:35:9f:5a:b8:7a:29:eb:fe:39:4e:26:28:d4:0a:
0f:04:27:d7:26:f4:47:22:ea:c5:35:cf:92:bc:d2:b0:24:9e:
d8:84:e8:9a:01:c7:07:cb:ed:c0:91:d3:e1:45:d9:0d:72:d4:
86:d1:4f:82:20:4f:44:dd:42:52:a9:6f:7b:04:c4:e4:16:e9:
26:5d:4f:4f:ae:16:74:20:98:ae:6c:17:f9:78:16:00:0e:29:
32:6a:1d:90:10:d0:64:3f:14:2e:e5:51:69:3d:7b:f9:3b:d3:
67:7c:90:63:27:12:70:2c:af:8c:0b:98:73:16:73:95:35:3f:
df:44:17:23:e3:98:ed:d3:83:d1:2e:0a:5f:86:08:fd:67:73:
3d:2f:6f:7c:5f:7f:93:eb:45:a7:57:ab:89:91:29:4a:2c:28:
b5:46:5b:96:dd:b2:54:a9:f9:fc:25:b5:63:04:d1:bf:de:6c:
06:42:c2:47and cdboot_ca.pem:
$ openssl x509 -in ./cdboot_ca.pem -serial -noout
serial=610C6A19000000000004
$ openssl x509 -in ./cdboot_ca.pem -sha1 -fingerprint -noout
SHA1 Fingerprint=C0:13:86:A9:07:49:64:04:F2:76:C3:C1:85:3A:BF:4A:52:74:AF:88
$ openssl x509 -in ./cdboot_ca.pem -subject -noout
subject= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows PCA 2010
openssl x509 -in ./cdboot_ca.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0c:6a:19:00:00:00:00:00:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Jul 6 20:40:23 2010 GMT
Not After : Jul 6 20:50:23 2025 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows PCA 2010
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:79:bb:3a:b1:f0:0f:84:b8:ad:64:2a:75:16:
73:d0:bb:07:f6:3e:0d:9d:14:e4:b1:9f:c1:c8:94:
b0:38:7c:1f:d0:33:55:f5:ba:23:66:f5:2e:28:48:
53:c7:16:83:ba:f5:51:ac:7e:ac:e0:26:7f:0f:74:
fc:59:95:dc:c9:c6:a2:f7:52:70:5a:2c:1d:94:ab:
19:bf:af:95:7d:af:66:a1:6f:9b:62:6e:6d:4b:bc:
2f:35:6c:de:a4:6a:63:5a:5f:fb:f3:0d:4d:61:cc:
0a:7e:31:eb:6c:0a:d0:4d:97:0f:fd:7f:38:46:e6:
8a:c7:73:69:76:55:69:96:4c:e4:d8:f0:34:eb:ba:
b1:1f:ce:29:7e:c4:4f:9d:13:15:ab:13:1b:72:58:
62:56:6c:8a:81:a3:64:77:98:46:65:29:9d:83:14:
a5:4c:08:a0:83:d7:23:1f:f3:5f:df:6f:2c:cf:da:
16:d8:0e:72:04:28:d8:6b:3e:f8:13:b1:7c:a2:17:
79:4f:7e:dc:3a:e4:9d:70:27:6b:bf:db:fc:1e:c7:
07:d8:c0:be:0b:93:1e:28:e0:73:6d:d2:54:e9:28:
4c:bf:6b:5d:9f:ff:5d:33:12:37:95:25:61:34:6a:
42:cb:7c:9d:3a:bb:88:59:e1:a3:42:6d:3a:50:5b:
48:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
D1:4F:A9:8A:07:08:CE:F4:24:18:98:E5:00:FF:F3:D6:79:1D:37:BC
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.311.46.3
CPS: http://www.microsoft.com/PKI/docs/CPS/default.htm
User Notice:
Explicit Text:
Signature Algorithm: sha256WithRSAEncryption
2e:41:a6:86:b5:06:6f:f0:80:85:fa:3b:ca:17:e9:c9:fa:e4:
39:c2:94:70:c3:64:94:c3:d8:56:a6:90:8e:fe:e4:9a:f4:6d:
f5:6f:8e:53:8d:5a:a8:f3:ae:db:46:6c:be:7f:1d:54:56:1b:
3c:1d:71:c4:51:15:54:7e:bf:ee:a5:95:42:33:fd:0d:90:24:
24:e3:f9:dc:96:ca:fc:b8:ac:bf:f4:c2:39:56:b8:bb:ed:73:
b3:17:dd:7e:86:50:23:8b:56:24:ca:bb:a6:1d:9a:87:2f:27:
85:e7:a1:b6:0a:9c:0d:1b:8c:f3:00:62:41:ba:48:74:87:82:
fd:50:c9:f4:87:29:c3:03:aa:2b:df:1a:29:79:e8:12:24:9a:
86:ed:d0:2e:d3:40:81:f5:07:5f:33:06:54:5d:40:b5:f7:b1:
62:fd:4d:48:f7:6e:41:47:52:1c:bb:1b:c2:57:3a:a8:99:56:
93:d4:c6:de:26:a8:60:75:86:bb:ec:62:a6:f0:1d:04:45:df:
3e:a7:84:d1:5b:44:23:63:25:36:77:6f:ae:5b:dc:22:d5:14:
23:6a:41:7f:d0:42:a6:db:ef:25:7b:04:e3:d2:96:37:62:06:
af:f8:1b:0f:8e:b3:39:9a:bb:89:f5:35:06:e5:a4:5b:c3:8c:
9e:37:5f:53:d1:a3:37:fd:a4:4f:e8:1b:0e:6b:76:e4:b8:8f:
b0:c2:ea:fd:75:f7:2c:41:b7:9c:a3:e1:1e:05:fe:97:92:cb:
7f:59:03:6d:a8:4e:8d:4e:80:17:d4:d5:72:f6:56:e4:48:9f:
a3:23:ba:06:a0:c0:8e:d1:88:4f:93:20:f2:70:5f:d8:6b:72:
a3:20:49:fc:77:0c:5d:c5:c7:e1:02:0f:38:42:10:0e:db:02:
ae:9a:37:1d:50:80:29:1e:a4:a7:d9:c6:9a:25:55:fd:40:ca:
ad:64:10:e8:31:f9:12:54:79:1a:f2:0e:d8:d6:ab:1e:33:fe:
02:e7:26:6d:61:49:8f:f1:25:c2:8b:74:99:df:f9:93:1a:90:
1c:ee:dd:94:33:0e:42:50:db:7f:50:f8:9f:62:82:ec:a6:82:
16:7c:66:bc:ec:99:b0:c1:58:5d:a8:b0:9a:61:14:91:d1:99:
2f:49:e4:3e:81:99:d6:e6:ef:ca:e3:fd:3e:ee:ec:09:86:03:
07:0d:1b:0d:7c:eb:f4:5a:c9:95:cf:87:12:0a:5d:ec:c5:02:
92:cd:05:99:72:ca:7d:f1:2a:10:18:38:e4:31:a3:28:b4:e6:
4c:c5:52:a3:9c:6a:c7:7d:c0:71:09:04:0d:70:de:02:3f:87:
ee:56:a1:ec:eb:b5:4c:85NOTE: this is the CA that Microsoft explicitly said should *not* be included in KEK and db (see System.Fundamentals.Firmware.UEFISecureBoot, point 2 on page 113-114 of the Windows 8 logo requirements).
The 'Subject Alternative Name' is optional and not required (it is also not listed in the Windows 8 logo requirements or the UEFI 2.3.1 specification).
'Authority Information Access' gives information relating to the CA (not required by Windows 8 logo requirements or the UEFI 2.3.1 specification).
The certificate revocation list (CRL) can be used to point people to a list of our revoked certificates (not required by Windows 8 logo requirements or the UEFI 2.3.1 specification). Since UEFI firmware will presumably not be making calls over the internet to fetch the CRL, this can be considered optional. If needed, we could also provide a public URL for our CRL for each certificate by using (see 'man x509v3_config'):
crlDistributionPoints=URI:http://www.canonical.com/.../example.crl
1.3.6.1.4.1.311.21.1 is the Microsoft CertSrv Infrastructurer (szOID_CERTSRV_CA_VERSION, see http://support.microsoft.com/kb/287547). This seems Microsoft-specific and is not related to anything in the UEFI 2.3.1 specification.
1.3.6.1.4.1.311.20.2 is the Microsoft Enrollment Infrastructure (szOID_ENROLL_CERTTYPE_EXTENSION, see http://support.microsoft.com/kb/287547). This seems Microsoft-specific and is not relat ed to anything in the UEFI 2.3.1 specification.
Certificate Policies can be used to point people to Canonical's certificate policies. If desired, could use something like this to the '[ v3_ca ]' section (see 'man x509v3_config'):
certificatePolicies=ia5org,@polsect [polsect] # Specify an actual Canonical oid here. Commenting this out results in 'Policy: # itu-t' which refers to http://www.itu.int/net/ITU-T/info/Default.aspx #policyIdentifier = 1.3.5.8 CPS.1=http://www.canonical.com/.../cps.html userNotice.1=@notice [notice] explicitText=
Microsoft Chain of Trust
Microsoft's trust chain (for cdboot.pem) is as follows:
- CN=Microsoft Windows (sha1: CC 90 08 D2 D4 E8 0E B9 24 E3 AD 29 CB 08 60 0F 58 57 0C DC) is issued/signed by:
- CN=Microsoft Windows PCA 2010 (sha1: C0 13 86 A9 07 49 64 04 F2 76 C3 C1 85 3A BF 4A 52 74 AF 88) is issued/signed by:
- CN=Microsoft Root Certificate Authority 2010 (sha1: 3B 1E FD 3A 66 EA 28 B1 66 97 39 47 03 A7 2C A3 40 A0 5B D5, obtained from the URI given in the CA Issuers of the CN=Microsoft Windows PCA 2010 certificate) is self-signed (the root of trust)
It is believed that the intermediary CA will be in KEK and db based on the Windows 8 logo requirements (see discussion in canonical-uefi@lists.canonical.com)
Master certificate
The Microsoft signing PKCS#7 file we had access to (PCA 2010) also had the following in their master key:
- 1.3.6.1.4.1.311.21.1 (see above)
- 1.3.6.1.4.1.311.20.2 (see above)
- X509v3 CRL Distribution Points (see above)
Full Name: URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Certificate Policies (see above). Microsoft's CPS entry is actually a dead link, but might point to http://www.microsoft.com/pki/rms/cps/:
Policy: 1.3.6.1.4.1.311.46.3 CPS: http://www.microsoft.com/PKI/docs/CPS/default.htm User Notice: Explicit Text:
While optional, it might be desirable to provide a public URL to our master certificate (ie, the issuer of this certificate, which since it is self-signed, is the pem file for this certificate. NOTE: may want to use DER encoding to match Microsoft) by using (see 'man x509v3_config'):
authorityInfoAccess = caIssuers;URI:http://www.canonical.com/.../master-public.pem
Signing certificate
The Microsoft signing PKCS#7 file we had access to (PCA 2010) also had the following in their signing key:
X509v3 Subject Alternative Name: DNS:MOPR
- X509v3 CRL Distribution Points
Full Name: URI:http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl
Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/certs/MicWinPCA_2010-07-06.crt
And did not have the following:
- Netscape Comment: OpenSSL Generated Certificate
While optional, it might be desirable to provide a public URL to our master certificate (ie, the issuer of this certificate. NOTE: may want to use DER encoding to match Microsoft) by using (see 'man x509v3_config'):
authorityInfoAccess = caIssuers;URI:http://www.canonical.com/.../master-public.pem
UEFI/SecureBoot/KeyManagement/KeyCompatibility (last edited 2017-12-04 22:14:50 by cyphermox)