Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence-cst: add support for cst v3.3.1 

This version supports encryption for devices with Advanced High Assurance Boot
(AHAB) capabilities. This commit also updates and simplifies Digi custom
patches.

https://jira.digi.com/browse/DEL-7175

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra 2020-07-21 17:31:30 +02:00
parent 91fcbffe99
commit 68720f869b
9 changed files with 315 additions and 648 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
View File

@ -5,7 +5,7 @@ i.MX processors that integrate the HAB library in the internal boot ROM."
HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL"
LICENSE = "CLOSED"
DEPENDS = "openssl"
DEPENDS = "openssl byacc flex"
SRC_URI = " \
${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'file://cst-${PV}.tgz', '', d)} \
@ -15,7 +15,6 @@ SRC_URI = " \
file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
file://0005-ahab_pki_tree.sh-automate-script.patch \
file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
file://Makefile \
"
# Usually local files (with file:// protocol) are not checked for
@ -29,20 +28,18 @@ python() {
d.setVar('PREMIRRORS', "file://cst.* %s \\n %s" % (source_mirror_url, premirrors))
}
S = "${WORKDIR}/release"
do_configure() {
cp -f ${WORKDIR}/Makefile .
}
S = "${WORKDIR}/cst-${PV}/"
do_compile() {
oe_runmake clean && oe_runmake
cd ${S}/code/cst
oe_runmake OSTYPE=linux64 clean
oe_runmake OSTYPE=linux64 rel_bin
}
do_install() {
install -d ${D}${bindir}
install -m 0755 linux64/cst ${D}${bindir}/cst
install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name cst) ${D}${bindir}/cst
install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name srktool) ${D}${bindir}/srktool
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then

22
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch
View File

@ -12,18 +12,18 @@ https://jira.digi.com/browse/DUB-608
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
code/back_end/src/adapt_layer_openssl.c | 1 +
code/cst/code/back_end/src/adapt_layer_openssl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/code/back_end/src/adapt_layer_openssl.c b/code/back_end/src/adapt_layer_openssl.c
index 8513046269ea..ce6e370f2c6a 100644
--- a/code/back_end/src/adapt_layer_openssl.c
+++ b/code/back_end/src/adapt_layer_openssl.c
@@ -945,6 +945,7 @@ int32_t gen_auth_encrypted_data(const char* in_file,
}
diff --git a/code/cst/code/back_end/src/adapt_layer_openssl.c b/code/cst/code/back_end/src/adapt_layer_openssl.c
index 38b8bf5..f389e23 100755
--- a/code/cst/code/back_end/src/adapt_layer_openssl.c
+++ b/code/cst/code/back_end/src/adapt_layer_openssl.c
@@ -1146,6 +1146,7 @@ int32_t gen_auth_encrypted_data(const char* in_file,
printf("\n");
#endif
+ reuse_dek = 1;
if (reuse_dek) {
fh = fopen(key_file, "rb");
if (fh == NULL) {
if (0 == key_init_done) {
+ reuse_dek = 1;
if (reuse_dek) {
fh = fopen(key_file, "rb");
if (fh == NULL) {

614
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch
View File

@ -1,521 +1,223 @@
From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
Date: Mon, 18 Jul 2016 13:21:11 +0200
From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 14:37:03 +0200
Subject: [PATCH] hab4_pki_tree.sh: automate script
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This commit introduce a new command line argument to specify the
CSF path folder and prepare it to automate the build process.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
keys/hab4_pki_tree.sh | 347 ++++++++++++++++----------------------------------
1 file changed, 107 insertions(+), 240 deletions(-)
keys/hab4_pki_tree.sh | 78 ++++++++++++++++++++++++++++---------------
1 file changed, 51 insertions(+), 27 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 7dd67f68c8df..b2c6b71b604e 100755
index 944cc66..39ed3bf 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -42,84 +42,40 @@
#
#-----------------------------------------------------------------------------
-printf "\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-printf " This script is a part of the Code signing tools for Freescale's\n"
-printf " High Assurance Boot. It generates a basic PKI tree. The PKI\n"
-printf " tree consists of one or more Super Root Keys (SRK), with each\n"
-printf " SRK having two subordinate keys: \n"
-printf " + a Command Sequence File (CSF) key \n"
-printf " + Image key. \n"
-printf " Additional keys can be added to the PKI tree but a separate \n"
-printf " script is available for this. This this script assumes openssl\n"
-printf " is installed on your system and is included in your search \n"
-printf " path. Finally, the private keys generated are password \n"
-printf " protectedwith the password provided by the file key_pass.txt.\n"
-printf " The format of the file is the password repeated twice:\n"
-printf " my_password\n"
-printf " my_password\n"
-printf " All private keys in the PKI tree are in PKCS #8 format will be\n"
-printf " protected by the same password.\n\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-
-stty erase 
-
-printf "Do you want to use an existing CA key (y/n)?: \b"
-read existing_ca
-if [ $existing_ca = "y" ]
-then
- printf "Enter CA key name: \b"
- read ca_key
- printf "Enter CA certificate name: \b"
- read ca_cert
@@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
stty erase 
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+CSF_PATH="${1}"
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ exit 1
fi
-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b"
-read use_ecc
-if [ $use_ecc = "y" ]
-then
- printf "Enter length for elliptic curve to be used for PKI tree:\n"
- printf "Possible values p256, p384, p521: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- p256)
- cn="prime256v1" ;;
- p384)
- cn="secp384r1" ;;
- p521)
- cn="secp521r1" ;;
- *)
- echo Invalid key length. Supported key lengths: 256, 384, 521
- exit 1 ;;
- esac
-else
- printf "Enter key length in bits for PKI tree: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- 1024) ;;
- 2048) ;;
- 3072) ;;
- 4096) ;;
- *)
- echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096
- exit 1 ;;
- esac
-fi
+cd "${CSF_PATH}"
+
if [ $# -gt 0 ]; then
interactive="n"
else
@@ -80,7 +82,7 @@ usage()
echo "$0"
echo
echo "Command Line Mode:"
- echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -duration <years> -num-srk <1-4> -srk-ca <y/n>"
+ echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -duration <years> -num-srk <1-4> -srk-ca <y/n>"
echo "Options:"
echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521"
echo " : -use-ecc = n then Supported key lengths: 1024, 2048, 3072, 4096"
@@ -89,10 +91,18 @@ usage()
echo
}
-max_param=16
-min_param=12
+max_param=18
+min_param=1
num_param=1
+# Default values
+existing_ca="n"
+use_ecc="n"
+kl=4096
+duration=10
+num_srk=4
+srk_ca="y"
+
if [ $interactive = "n" ]
then
# Validate command line parameters
@@ -111,6 +121,11 @@ then
while [ $num_param -le $max_param ] && [ "$1" != "" ]
do
case $1 in
+ -csf-path)
+ shift
+ CSF_PATH=$1
+ shift
+ ;;
-existing-ca)
shift
existing_ca=$1
@@ -164,9 +179,8 @@ then
shift
;;
*)
- echo "ERROR: Invalid parameter: $1"
- usage
- exit 1
+ CSF_PATH=$1
+ shift
;;
esac
num_param=$(( num_param + 2 ))
@@ -242,6 +256,16 @@ then
read duration
fi
+# CSF folder structure
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ usage
+ exit 1
+fi
+cd "${CSF_PATH}"
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+cd keys
+existing_ca="n"
+kl="4096"
-printf "Enter PKI tree duration (years): \b"
-read duration
+# Confirm that a valid key length has been entered
+case $kl in
+ 1024) ;;
+ 2048) ;;
+ 3072) ;;
+ 4096) ;;
+ *)
+ echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096
+ exit 1 ;;
+esac
+
+duration="10"
# Compute validity period
val_period=$((duration*365))
-printf "How many Super Root Keys should be generated? \b"
-read num_srk
+num_srk="4"
# Check that 0 < num_srk <= 4 (Max. number of SRKs)
if [ $num_srk -lt 1 ] || [ $num_srk -gt 4 ]
@@ -128,10 +84,7 @@ then
exit 1
@@ -275,9 +299,9 @@ then
script_name=$0
fi
-# Check if SRKs should be generated as CA certs or user certs
-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b"
-read srk_ca
-
+srk_ca="y"
# Check that the file "serial" is present, if not create it:
if [ ! -f serial ]
script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
+keys_dir=${CSF_PATH}/keys/
+crts_dir=${CSF_PATH}/crts/
+ca_dir=${CSF_PATH}/ca/
if [ ! -d "${keys_dir}" ]
then
@@ -154,6 +107,9 @@ echo "unique_subject = no" > index.txt.attr
if [ $existing_ca = "n" ]
then
+ ca_key=./CA1_sha256_${kl}_65537_v3_ca_key
+ ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt
+
# Generate CA key and certificate
# -------------------------------
echo
@@ -161,31 +117,12 @@ then
echo + Generating CA key and certificate +
echo +++++++++++++++++++++++++++++++++++++
echo
-
- if [ $use_ecc = 'n' ]
- then
- ca_key=./CA1_sha256_${kl}_65537_v3_ca_key
- ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt
- ca_subj_req=/CN=CA1_sha256_${kl}_65537_v3_ca/
- ca_key_type=rsa:${kl}
- else
-
- # Generate Elliptic Curve parameters:
- eck='ec-'$cn'.pem'
- openssl ecparam -out $eck -name $cn
-
- ca_key=./CA1_sha256_${cn}_v3_ca_key
- ca_cert=../crts/CA1_sha256_${cn}_v3_ca_crt
- ca_subj_req=/CN=CA1_sha256_${cn}_v3_ca/
- ca_key_type=ec:${eck}
- fi
-
- openssl req -newkey ${ca_key_type} -passout file:./key_pass.txt \
- -subj ${ca_subj_req} \
- -x509 -extensions v3_ca \
- -keyout temp_ca.pem \
- -out ${ca_cert}.pem \
@@ -291,11 +315,11 @@ then
exit 1
fi
-if [ ! -d "${ca_dir}" ]
-then
- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
- exit 1
-fi
+# if [ ! -d "${ca_dir}" ]
+# then
+# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
+# exit 1
+# fi
# Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ]
@@ -365,7 +389,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ openssl req -newkey rsa:${kl} -passout file:./key_pass.txt \
+ -subj /CN=CA1_sha256_${kl}_65537_v3_ca/ \
+ -x509 -extensions v3_ca \
+ -keyout temp_ca.pem \
+ -out ${ca_cert}.pem \
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -202,7 +139,7 @@ then
@@ -382,7 +406,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -219,64 +156,48 @@ then
echo + Generating SRK key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- # Generate SRK key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_srk.pem ${kl}
-
- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_usr/
- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt
- srk_key=./SRK${i}_sha256_${kl}_65537_v3_usr_key
- else
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey
- # Generate SRK key
- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_srk.pem
-
- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_usr/
- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_usr_crt
- srk_key=./SRK${i}_sha256_${cn}_v3_usr_key
- fi
+
+ # Generate SRK key
+ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
+ -out ./temp_srk.pem ${kl}
# Generate SRK certificate signing request
openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${srk_subj_req} \
+ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_usr/ \
-key ./temp_srk.pem \
-out ./temp_srk_req.pem
# Generate SRK certificate (this is a CA cert)
- openssl ca -batch -passin file:./key_pass.txt \
- -md sha256 -outdir ./ \
- -in ./temp_srk_req.pem \
- -cert ${ca_cert}.pem \
+ openssl ca -batch -passin file:./key_pass.txt \
+ -md sha256 -outdir ./ \
+ -in ./temp_srk_req.pem \
+ -cert ${ca_cert}.pem \
@@ -432,10 +456,10 @@ then
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_usr.cnf \
- -out ${srk_crt}.pem \
- -days ${val_period} \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
-out ${srk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \
+ -days ${val_period} \
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${srk_crt}.pem \
- -out ${srk_crt}.der
+ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.der
# Generate SRK key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt \
-passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.der
+ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.der
openssl pkcs8 -passin file:./key_pass.txt \
-passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.pem
+ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.pem
@@ -456,7 +480,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -293,98 +214,60 @@ do
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- # Generate SRK key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_srk.pem ${kl}
-
- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_ca/
- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt
- srk_key=./SRK${i}_sha256_${kl}_65537_v3_ca_key
- else
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey
- # Generate SRK key
- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_srk.pem
-
- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_ca/
- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_ca_crt
- srk_key=./SRK${i}_sha256_${cn}_v3_ca_key
- fi
+ # Generate SRK key
+ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
+ -out ./temp_srk.pem ${kl}
+
# Generate SRK certificate signing request
- openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${srk_subj_req} \
- -key ./temp_srk.pem \
- -out ./temp_srk_req.pem
+ openssl req -new -batch -passin file:./key_pass.txt \
+ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_ca/ \
+ -key ./temp_srk.pem \
+ -out ./temp_srk_req.pem
# Generate SRK certificate (this is a CA cert)
- openssl ca -batch -passin file:./key_pass.txt \
- -md sha256 -outdir ./ \
- -in ./temp_srk_req.pem \
- -cert ${ca_cert}.pem \
- -keyfile ${ca_key}.pem \
@@ -505,10 +529,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_ca.cnf \
- -out ${srk_crt}.pem \
- -days ${val_period} \
+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
-out ${srk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ openssl ca -batch -passin file:./key_pass.txt \
+ -md sha256 -outdir ./ \
+ -in ./temp_srk_req.pem \
+ -cert ${ca_cert}.pem \
+ -keyfile ${ca_key}.pem \
+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -days ${val_period} \
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${srk_crt}.pem \
- -out ${srk_crt}.der
+ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.der
# Generate SRK key in PKCS #8 format - both PEM and DER
- openssl pkcs8 -passin file:./key_pass.txt \
- -passout file:./key_pass.txt \
+ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.der
+ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.der
- openssl pkcs8 -passin file:./key_pass.txt \
- -passout file:./key_pass.txt \
+ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.pem
+ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem
# Cleanup
\rm ./temp_srk.pem ./temp_srk_req.pem
+
echo
echo ++++++++++++++++++++++++++++++++++++++++
echo + Generating CSF key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- srk_crt_i=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem
- srk_key_i=./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem
- # Generate key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_csf.pem ${kl}
-
- csf_subj_req=/CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/
- csf_crt=../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt
- csf_key=./CSF${i}_1_sha256_${kl}_65537_v3_usr_key
- else
- srk_crt_i=../crts/SRK${i}_sha256_${cn}_v3_ca_crt.pem
- srk_key_i=./SRK${i}_sha256_${cn}_v3_ca_key.pem
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_csf.pem -name ${cn} -genkey
- # Generate key
- openssl ec -in ./temp_csf.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_csf.pem
-
- csf_subj_req=/CN=CSF${i}_1_sha256_${cn}_v3_usr/
- csf_crt=../crts/CSF${i}_1_sha256_${cn}_v3_usr_crt
- csf_key=./CSF${i}_1_sha256_${cn}_v3_usr_key
- fi
+ # Generate key
+ openssl genrsa -des3 -passout file:./key_pass.txt \
+ -f4 -out ./temp_csf.pem ${kl}
# Generate CSF certificate signing request
openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${csf_subj_req} \
+ -subj /CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ \
-key ./temp_csf.pem \
-out ./temp_csf_req.pem
@@ -392,31 +275,31 @@ do
openssl ca -batch -md sha256 -outdir ./ \
-passin file:./key_pass.txt \
@@ -574,10 +598,10 @@ do
-in ./temp_csf_req.pem \
- -cert ${srk_crt_i} \
- -keyfile ${srk_key_i} \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
- -out ${csf_crt}.pem \
+ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
+ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
-out ${csf_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert CSF Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${csf_crt}.pem \
- -out ${csf_crt}.der
+ -in ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
+ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.der
# Generate CSF key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_csf.pem \
- -out ${csf_key}.der
+ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.der
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_csf.pem \
- -out ${csf_key}.pem
+ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.pem
@@ -596,7 +620,7 @@ do
-out ${csf_key}.pem
# Cleanup
- \rm ./temp_csf.pem ./temp_csf_req.pem
+ rm ./temp_csf.pem ./temp_csf_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -424,61 +307,45 @@ do
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- # Generate key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_img.pem ${kl}
-
- img_subj_req=/CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/
- img_crt=../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt
- img_key=./IMG${i}_1_sha256_${kl}_65537_v3_usr_key
- else
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_img.pem -name ${cn} -genkey
- # Generate key
- openssl ec -in ./temp_img.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_img.pem
-
- img_subj_req=/CN=IMG${i}_1_sha256_${cn}_v3_usr/
- img_crt=../crts/IMG${i}_1_sha256_${cn}_v3_usr_crt
- img_key=./IMG${i}_1_sha256_${cn}_v3_usr_key
- fi
+ # Generate key
+ openssl genrsa -des3 -passout file:./key_pass.txt \
+ -f4 -out ./temp_img.pem ${kl}
# Generate IMG certificate signing request
openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${img_subj_req} \
+ -subj /CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ \
-key ./temp_img.pem \
-out ./temp_img_req.pem
openssl ca -batch -md sha256 -outdir ./ \
-passin file:./key_pass.txt \
@@ -636,10 +660,10 @@ do
-in ./temp_img_req.pem \
- -cert ${srk_crt_i} \
- -keyfile ${srk_key_i} \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
- -out ${img_crt}.pem \
+ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
+ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
-out ${img_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert IMG Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${img_crt}.pem \
- -out ${img_crt}.der
+ -in ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
+ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.der
# Generate IMG key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_img.pem \
- -out ${img_key}.der
+ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.der
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_img.pem \
- -out ${img_key}.pem
+ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.pem
@@ -658,7 +682,7 @@ do
-out ${img_key}.pem
# Cleanup
- \rm ./temp_img.pem ./temp_img_req.pem
+ rm ./temp_img.pem ./temp_img_req.pem
+
i=$((i+1))
done

12
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch
View File

@ -6,14 +6,14 @@ This is needed in order to avoid indefinitely blocking.
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
code/back_end/src/openssl_helper.c | 2 +-
code/cst/code/common/src/openssl_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/back_end/src/openssl_helper.c b/code/back_end/src/openssl_helper.c
index 3c9c779092c5..f0cd4e06f0dd 100644
--- a/code/back_end/src/openssl_helper.c
+++ b/code/back_end/src/openssl_helper.c
@@ -486,7 +486,7 @@ void print_version(void)
diff --git a/code/cst/code/common/src/openssl_helper.c b/code/cst/code/common/src/openssl_helper.c
index 871cf55..b62c8a8 100755
--- a/code/cst/code/common/src/openssl_helper.c
+++ b/code/cst/code/common/src/openssl_helper.c
@@ -414,7 +414,7 @@ void print_version(void)
---------------------------*/
uint32_t seed_prng(uint32_t bytes)
{

4
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
View File

@ -9,10 +9,10 @@ Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index b2c6b71b604e..93347521cea1 100755
index 39ed3bf..ac6fb29 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -95,9 +95,10 @@ fi
@@ -342,9 +342,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then

267
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch
View File

@ -1,166 +1,157 @@
From: Mike Engel <Mike.Engel@digi.com>
Date: Fri, 24 Jan 2020 17:31:50 +0100
From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 15:10:21 +0200
Subject: [PATCH] ahab_pki_tree.sh: automate script
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
This commit introduce a new command line argument to specify the
CSF path folder and prepare it to automate the build process.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
keys/ahab_pki_tree.sh | 116 ++++++++++++++++++-------------------------------------
1 file changed, 38 insertions(+), 78 deletions(-)
keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++--------------
1 file changed, 47 insertions(+), 23 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 988c27e..00dd143 100755
index f5ab36c..2c16533 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -47,74 +47,36 @@
#
#-----------------------------------------------------------------------------
-printf "\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-printf " This script is a part of the Code signing tools for NXP's\n"
-printf " Advanced High Assurance Boot. It generates a basic PKI tree. The\n"
-printf " PKI tree consists of one or more Super Root Keys (SRK), with each\n"
-printf " SRK having one subordinate keys: \n"
-printf " + a Signing key (SGK) \n"
-printf " Additional keys can be added to the PKI tree but a separate \n"
-printf " script is available for this. This this script assumes openssl\n"
-printf " is installed on your system and is included in your search \n"
-printf " path. Finally, the private keys generated are password \n"
-printf " protectedwith the password provided by the file key_pass.txt.\n"
-printf " The format of the file is the password repeated twice:\n"
-printf " my_password\n"
-printf " my_password\n"
-printf " All private keys in the PKI tree are in PKCS #8 format will be\n"
-printf " protected by the same password.\n\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-
-stty erase 
-
-printf "Do you want to use an existing CA key (y/n)?: \b"
-read existing_ca
-if [ $existing_ca = "y" ]
-then
- printf "Enter CA key name: \b"
- read ca_key
- printf "Enter CA certificate name: \b"
- read ca_cert
@@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
stty erase 
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+CSF_PATH="${1}"
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ exit 1
fi
-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b"
-read use_ecc
-if [ $use_ecc = "y" ]
-then
- printf "Enter length for elliptic curve to be used for PKI tree:\n"
- printf "Possible values p256, p384, p521: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- p256)
- cn="prime256v1" ;;
- p384)
- cn="secp384r1" ;;
- p521)
- cn="secp521r1" ;;
- *)
- echo Invalid key length. Supported key lengths: 256, 384, 521
- exit 1 ;;
- esac
-else
- printf "Enter key length in bits for PKI tree: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- 2048) ;;
- 3072) ;;
- 4096) ;;
- *)
- echo Invalid key length. Supported key lengths: 2048, 3072, 4096
- exit 1 ;;
- esac
-fi
+cd "${CSF_PATH}"
+
if [ $# -gt 0 ]; then
interactive="n"
else
@@ -78,7 +80,7 @@ usage()
echo "$0"
echo
echo "Command Line Mode:"
- echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
+ echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
echo "Options:"
echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521"
echo " : -use-ecc = n then Supported key lengths: 2048, 3072, 4096"
@@ -88,10 +90,18 @@ usage()
echo
}
-max_param=16
-min_param=12
+max_param=18
+min_param=1
num_param=1
+# Default values
+existing_ca="n"
+use_ecc="y"
+kl=p521
+da=sha512
+duration=10
+srk_ca="y"
+
if [ $interactive = "n" ]
then
# Validate command line parameters
@@ -110,6 +120,11 @@ then
while [ $num_param -le $max_param ] && [ "$1" != "" ]
do
case $1 in
+ -csf-path)
+ shift
+ CSF_PATH=$1
+ shift
+ ;;
-existing-ca)
shift
existing_ca=$1
@@ -163,9 +178,8 @@ then
shift
;;
*)
- echo "ERROR: Invalid parameter: $1"
- usage
- exit 1
+ CSF_PATH=$1
+ shift
;;
esac
num_param=$(( num_param + 2 ))
@@ -255,6 +269,16 @@ then
read duration
fi
+# CSF folder structure
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ usage
+ exit 1
+fi
+cd "${CSF_PATH}"
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+
+cd keys
+
+use_ecc="y"
+existing_ca="n"
+kl="p521"
+cn="secp521r1"
+
+# Confirm that a valid key length has been entered
+case $kl in
+ p256);;
+ p384);;
+ p521);;
+ *)
+ echo Invalid key length. Supported key lengths: 256, 384, 521
+ exit 1 ;;
+esac
-printf "Enter the digest algorithm to use: \b"
-read da
+da="sha512"
# Confirm that a valid digest algorithm has been entered
case $da in
@@ -126,8 +88,7 @@ case $da in
exit 1 ;;
esac
-printf "Enter PKI tree duration (years): \b"
-read duration
+duration="10"
# Compute validity period
val_period=$((duration*365))
@@ -144,8 +105,7 @@ then
@@ -286,9 +310,9 @@ then
script_name=$0
fi
# Check if SRKs should be generated as CA certs or user certs
-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b"
-read srk_ca
+srk_ca="y"
# Check that the file "serial" is present, if not create it:
if [ ! -f serial ]
@@ -201,7 +161,7 @@ then
script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
+keys_dir=${CSF_PATH}/keys/
+crts_dir=${CSF_PATH}/crts/
+ca_dir=${CSF_PATH}/ca/
if [ ! -d "${keys_dir}" ]
then
@@ -302,11 +326,11 @@ then
exit 1
fi
-if [ ! -d "${ca_dir}" ]
-then
- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
- exit 1
-fi
+# if [ ! -d "${ca_dir}" ]
+# then
+# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
+# exit 1
+# fi
# Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ]
@@ -377,7 +401,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -218,7 +178,7 @@ then
@@ -394,7 +418,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -292,7 +252,7 @@ then
@@ -468,7 +492,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -341,10 +301,10 @@ do
@@ -517,10 +541,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
@ -170,19 +161,19 @@ index 988c27e..00dd143 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -365,7 +325,7 @@ do
@@ -541,7 +565,7 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -410,10 +370,10 @@ do
@@ -586,10 +610,10 @@ do
-in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
@ -192,15 +183,15 @@ index 988c27e..00dd143 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -432,7 +392,7 @@ do
@@ -608,7 +632,7 @@ do
-out ${sgk_key}.pem
# Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
i=$((i+1))
done

4
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
View File

@ -9,10 +9,10 @@ Signed-off-by: Mike Engel <Mike.Engel@digi.com>
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 00dd143..8b81143 100755
index 2c16533..b85b00d 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -117,9 +117,10 @@ fi
@@ -353,9 +353,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then

23
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/Makefile
View File

@ -1,23 +0,0 @@
TARGET = linux64/cst
LIBS = -lfrontend -lcrypto
CFLAGS += -g -Wall
.PHONY: default all clean
default: $(TARGET)
all: default
OBJECTS = code/back_end/src/*.c
HEADERS = code/back_end/hdr
LIBS_PATH = linux64/lib
%.o: %.c
$(CC) $(CFLAGS) -c $< -o $@
.PRECIOUS: $(TARGET) $(OBJECTS)
$(TARGET): $(OBJECTS)
$(CC) $(OBJECTS) $(CFLAGS) $(LDFLAGS) -L $(LIBS_PATH) $(LIBS) -I $(HEADERS) -o $@
clean:
-rm -f *.o $(TARGET)

0
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.1.0.bb → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
View File