test/py: efi_secboot: add test for intermediate certificates
In this test case, an image may have a signature with additional
intermediate certificates. A chain of trust will be followed and all
the certificates in the middle of chain must be verified before loading.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
diff --git a/test/py/tests/test_efi_secboot/openssl.cnf b/test/py/tests/test_efi_secboot/openssl.cnf
new file mode 100644
index 0000000..f684f1d
--- /dev/null
+++ b/test/py/tests/test_efi_secboot/openssl.cnf
@@ -0,0 +1,48 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+new_certs_dir = .
+database = ./index.txt
+serial = ./serial
+default_md = sha256
+policy = policy_min
+
+[ req ]
+distinguished_name = def_distinguished_name
+
+[def_distinguished_name]
+
+# Extensions
+# -addext " ... = ..."
+#
+[ v3_ca ]
+ # Extensions for a typical Root CA.
+ basicConstraints = critical,CA:TRUE
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+
+[ v3_int_ca ]
+ # Extensions for a typical intermediate CA.
+ basicConstraints = critical, CA:TRUE
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+
+[ usr_cert ]
+ # Extensions for user end certificates.
+ basicConstraints = CA:FALSE
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+
+[ policy_min ]
+ countryName = optional
+ stateOrProvinceName = optional
+ localityName = optional
+ organizationName = optional
+ organizationalUnitName = optional
+ commonName = supplied
+ emailAddress = optional