Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence-cst: hab4_pki_tree-sh: automate script 

This allows to automatically create a secure PKI tree without user
interaction.

https://jira.digi.com/browse/DUB-618

Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This commit is contained in:
Diaz de Grenu, Jose 2016-07-12 17:58:24 +02:00
parent 8ac7da51ef
commit ceb9ca1537
2 changed files with 523 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

521
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0002-hab4_pki_tree.sh-automate-script.patch Normal file
View File

@ -0,0 +1,521 @@
From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
Date: Mon, 18 Jul 2016 13:21:11 +0200
Subject: [PATCH] hab4_pki_tree.sh: automate script
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
keys/hab4_pki_tree.sh | 347 ++++++++++++++++----------------------------------
1 file changed, 107 insertions(+), 240 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 7dd67f68c8df..b2c6b71b604e 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -42,84 +42,40 @@
#
#-----------------------------------------------------------------------------
-printf "\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-printf " This script is a part of the Code signing tools for Freescale's\n"
-printf " High Assurance Boot. It generates a basic PKI tree. The PKI\n"
-printf " tree consists of one or more Super Root Keys (SRK), with each\n"
-printf " SRK having two subordinate keys: \n"
-printf " + a Command Sequence File (CSF) key \n"
-printf " + Image key. \n"
-printf " Additional keys can be added to the PKI tree but a separate \n"
-printf " script is available for this. This this script assumes openssl\n"
-printf " is installed on your system and is included in your search \n"
-printf " path. Finally, the private keys generated are password \n"
-printf " protectedwith the password provided by the file key_pass.txt.\n"
-printf " The format of the file is the password repeated twice:\n"
-printf " my_password\n"
-printf " my_password\n"
-printf " All private keys in the PKI tree are in PKCS #8 format will be\n"
-printf " protected by the same password.\n\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-
-stty erase 
-
-printf "Do you want to use an existing CA key (y/n)?: \b"
-read existing_ca
-if [ $existing_ca = "y" ]
-then
- printf "Enter CA key name: \b"
- read ca_key
- printf "Enter CA certificate name: \b"
- read ca_cert
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+CSF_PATH="${1}"
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ exit 1
fi
-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b"
-read use_ecc
-if [ $use_ecc = "y" ]
-then
- printf "Enter length for elliptic curve to be used for PKI tree:\n"
- printf "Possible values p192, p256, p521: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- p192)
- cn="secp112r1" ;;
- p256)
- cn="prime256v1" ;;
- p521)
- cn="secp521r1" ;;
- *)
- echo Invalid key length. Supported key lengths: 192, 256, 521
- exit 1 ;;
- esac
-else
- printf "Enter key length in bits for PKI tree: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- 1024) ;;
- 2048) ;;
- 3072) ;;
- 4096) ;;
- *)
- echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096
- exit 1 ;;
- esac
-fi
+cd "${CSF_PATH}"
+
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+cd keys
+existing_ca="n"
+kl="4096"
-printf "Enter PKI tree duration (years): \b"
-read duration
+# Confirm that a valid key length has been entered
+case $kl in
+ 1024) ;;
+ 2048) ;;
+ 3072) ;;
+ 4096) ;;
+ *)
+ echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096
+ exit 1 ;;
+esac
+
+duration="10"
# Compute validity period
val_period=$((duration*365))
-printf "How many Super Root Keys should be generated? \b"
-read num_srk
+num_srk="4"
# Check that 0 < num_srk <= 4 (Max. number of SRKs)
if [ $num_srk -lt 1 ] || [ $num_srk -gt 4 ]
@@ -128,10 +84,7 @@ then
exit 1
fi
-# Check if SRKs should be generated as CA certs or user certs
-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b"
-read srk_ca
-
+srk_ca="y"
# Check that the file "serial" is present, if not create it:
if [ ! -f serial ]
then
@@ -154,6 +107,9 @@ echo "unique_subject = no" > index.txt.attr
if [ $existing_ca = "n" ]
then
+ ca_key=./CA1_sha256_${kl}_65537_v3_ca_key
+ ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt
+
# Generate CA key and certificate
# -------------------------------
echo
@@ -161,31 +117,12 @@ then
echo + Generating CA key and certificate +
echo +++++++++++++++++++++++++++++++++++++
echo
-
- if [ $use_ecc = 'n' ]
- then
- ca_key=./CA1_sha256_${kl}_65537_v3_ca_key
- ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt
- ca_subj_req=/CN=CA1_sha256_${kl}_65537_v3_ca/
- ca_key_type=rsa:${kl}
- else
-
- # Generate Elliptic Curve parameters:
- eck='ec-'$cn'.pem'
- openssl ecparam -out $eck -name $cn
-
- ca_key=./CA1_sha256_${cn}_v3_ca_key
- ca_cert=../crts/CA1_sha256_${cn}_v3_ca_crt
- ca_subj_req=/CN=CA1_sha256_${cn}_v3_ca/
- ca_key_type=ec:${eck}
- fi
-
- openssl req -newkey ${ca_key_type} -passout file:./key_pass.txt \
- -subj ${ca_subj_req} \
- -x509 -extensions v3_ca \
- -keyout temp_ca.pem \
- -out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ openssl req -newkey rsa:${kl} -passout file:./key_pass.txt \
+ -subj /CN=CA1_sha256_${kl}_65537_v3_ca/ \
+ -x509 -extensions v3_ca \
+ -keyout temp_ca.pem \
+ -out ${ca_cert}.pem \
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -202,7 +139,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -219,64 +156,48 @@ then
echo + Generating SRK key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- # Generate SRK key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_srk.pem ${kl}
-
- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_usr/
- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt
- srk_key=./SRK${i}_sha256_${kl}_65537_v3_usr_key
- else
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey
- # Generate SRK key
- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_srk.pem
-
- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_usr/
- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_usr_crt
- srk_key=./SRK${i}_sha256_${cn}_v3_usr_key
- fi
+
+ # Generate SRK key
+ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
+ -out ./temp_srk.pem ${kl}
# Generate SRK certificate signing request
openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${srk_subj_req} \
+ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_usr/ \
-key ./temp_srk.pem \
-out ./temp_srk_req.pem
# Generate SRK certificate (this is a CA cert)
- openssl ca -batch -passin file:./key_pass.txt \
- -md sha256 -outdir ./ \
- -in ./temp_srk_req.pem \
- -cert ${ca_cert}.pem \
+ openssl ca -batch -passin file:./key_pass.txt \
+ -md sha256 -outdir ./ \
+ -in ./temp_srk_req.pem \
+ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_usr.cnf \
- -out ${srk_crt}.pem \
- -days ${val_period} \
- -config ../ca/openssl.cnf
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \
+ -days ${val_period} \
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${srk_crt}.pem \
- -out ${srk_crt}.der
+ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.der
# Generate SRK key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt \
-passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.der
+ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.der
openssl pkcs8 -passin file:./key_pass.txt \
-passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.pem
+ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -293,98 +214,60 @@ do
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- # Generate SRK key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_srk.pem ${kl}
-
- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_ca/
- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt
- srk_key=./SRK${i}_sha256_${kl}_65537_v3_ca_key
- else
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey
- # Generate SRK key
- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_srk.pem
-
- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_ca/
- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_ca_crt
- srk_key=./SRK${i}_sha256_${cn}_v3_ca_key
- fi
+ # Generate SRK key
+ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
+ -out ./temp_srk.pem ${kl}
+
# Generate SRK certificate signing request
- openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${srk_subj_req} \
- -key ./temp_srk.pem \
- -out ./temp_srk_req.pem
+ openssl req -new -batch -passin file:./key_pass.txt \
+ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_ca/ \
+ -key ./temp_srk.pem \
+ -out ./temp_srk_req.pem
# Generate SRK certificate (this is a CA cert)
- openssl ca -batch -passin file:./key_pass.txt \
- -md sha256 -outdir ./ \
- -in ./temp_srk_req.pem \
- -cert ${ca_cert}.pem \
- -keyfile ${ca_key}.pem \
- -extfile ../ca/v3_ca.cnf \
- -out ${srk_crt}.pem \
- -days ${val_period} \
- -config ../ca/openssl.cnf
+ openssl ca -batch -passin file:./key_pass.txt \
+ -md sha256 -outdir ./ \
+ -in ./temp_srk_req.pem \
+ -cert ${ca_cert}.pem \
+ -keyfile ${ca_key}.pem \
+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -days ${val_period} \
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${srk_crt}.pem \
- -out ${srk_crt}.der
+ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.der
# Generate SRK key in PKCS #8 format - both PEM and DER
- openssl pkcs8 -passin file:./key_pass.txt \
- -passout file:./key_pass.txt \
+ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.der
+ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.der
- openssl pkcs8 -passin file:./key_pass.txt \
- -passout file:./key_pass.txt \
+ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_srk.pem \
- -out ${srk_key}.pem
+ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem
# Cleanup
\rm ./temp_srk.pem ./temp_srk_req.pem
+
echo
echo ++++++++++++++++++++++++++++++++++++++++
echo + Generating CSF key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- srk_crt_i=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem
- srk_key_i=./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem
- # Generate key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_csf.pem ${kl}
-
- csf_subj_req=/CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/
- csf_crt=../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt
- csf_key=./CSF${i}_1_sha256_${kl}_65537_v3_usr_key
- else
- srk_crt_i=../crts/SRK${i}_sha256_${cn}_v3_ca_crt.pem
- srk_key_i=./SRK${i}_sha256_${cn}_v3_ca_key.pem
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_csf.pem -name ${cn} -genkey
- # Generate key
- openssl ec -in ./temp_csf.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_csf.pem
-
- csf_subj_req=/CN=CSF${i}_1_sha256_${cn}_v3_usr/
- csf_crt=../crts/CSF${i}_1_sha256_${cn}_v3_usr_crt
- csf_key=./CSF${i}_1_sha256_${cn}_v3_usr_key
- fi
+ # Generate key
+ openssl genrsa -des3 -passout file:./key_pass.txt \
+ -f4 -out ./temp_csf.pem ${kl}
# Generate CSF certificate signing request
openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${csf_subj_req} \
+ -subj /CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ \
-key ./temp_csf.pem \
-out ./temp_csf_req.pem
@@ -392,31 +275,31 @@ do
openssl ca -batch -md sha256 -outdir ./ \
-passin file:./key_pass.txt \
-in ./temp_csf_req.pem \
- -cert ${srk_crt_i} \
- -keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
- -out ${csf_crt}.pem \
+ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
+ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert CSF Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${csf_crt}.pem \
- -out ${csf_crt}.der
+ -in ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
+ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.der
# Generate CSF key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_csf.pem \
- -out ${csf_key}.der
+ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.der
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_csf.pem \
- -out ${csf_key}.pem
+ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.pem
# Cleanup
- \rm ./temp_csf.pem ./temp_csf_req.pem
+ rm ./temp_csf.pem ./temp_csf_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -424,61 +307,45 @@ do
echo ++++++++++++++++++++++++++++++++++++++++
echo
- if [ $use_ecc = 'n' ]
- then
- # Generate key
- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \
- -out ./temp_img.pem ${kl}
-
- img_subj_req=/CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/
- img_crt=../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt
- img_key=./IMG${i}_1_sha256_${kl}_65537_v3_usr_key
- else
- # Generate Elliptic Curve parameters:
- openssl ecparam -out ./temp_img.pem -name ${cn} -genkey
- # Generate key
- openssl ec -in ./temp_img.pem -des3 -passout file:./key_pass.txt \
- -out ./temp_img.pem
-
- img_subj_req=/CN=IMG${i}_1_sha256_${cn}_v3_usr/
- img_crt=../crts/IMG${i}_1_sha256_${cn}_v3_usr_crt
- img_key=./IMG${i}_1_sha256_${cn}_v3_usr_key
- fi
+ # Generate key
+ openssl genrsa -des3 -passout file:./key_pass.txt \
+ -f4 -out ./temp_img.pem ${kl}
# Generate IMG certificate signing request
openssl req -new -batch -passin file:./key_pass.txt \
- -subj ${img_subj_req} \
+ -subj /CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ \
-key ./temp_img.pem \
-out ./temp_img_req.pem
openssl ca -batch -md sha256 -outdir ./ \
-passin file:./key_pass.txt \
-in ./temp_img_req.pem \
- -cert ${srk_crt_i} \
- -keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
- -out ${img_crt}.pem \
+ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \
+ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
+ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert IMG Certificate to DER format
openssl x509 -inform PEM -outform DER \
- -in ${img_crt}.pem \
- -out ${img_crt}.der
+ -in ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \
+ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.der
# Generate IMG key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform DER -v2 des3 \
-in temp_img.pem \
- -out ${img_key}.der
+ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.der
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-topk8 -inform PEM -outform PEM -v2 des3 \
-in temp_img.pem \
- -out ${img_key}.pem
+ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.pem
# Cleanup
- \rm ./temp_img.pem ./temp_img_req.pem
+ rm ./temp_img.pem ./temp_img_req.pem
+
i=$((i+1))
done

2
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_2.3.2.bb
View File

@ -10,6 +10,7 @@ S= "${WORKDIR}/cst-${PV}"
SRC_URI = " \
${@base_conditional('TRUSTFENCE_SIGN', '1', 'file://cst-${PV}.tar.gz', '', d)} \
file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
file://0002-hab4_pki_tree.sh-automate-script.patch \
file://Makefile \
"
@ -25,6 +26,7 @@ do_install () {
install -d ${D}${bindir}
install -m 0755 linux64/cst ${D}${bindir}/cst
install -m 0755 linux64/srktool ${D}${bindir}/srktool
install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf
install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf