Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence-cst: merge paches, no functional change 

Merge the patches for the PKI tree generation scripts, to ease
maintenance (still keeping two separate patches for HAB4/AHAB).

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2023-09-18 13:42:20 +02:00
parent 441164c575
commit d7692af7a4
8 changed files with 127 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
View File

@ -15,13 +15,10 @@ SRC_URI = " \
${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \
https://www.openssl.org/source/openssl-${OPENSSL1_VERSION}.tar.gz;name=openssl \
file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
file://0002-hab4_pki_tree.sh-automate-script.patch \
file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
file://0005-ahab_pki_tree.sh-automate-script.patch \
file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
file://0007-rules.mk-weaken-specific-function-err_msg.patch \
file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \
file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \
file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \
file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \
file://0005-rules.mk-weaken-specific-function-err_msg.patch \
"
SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"

0
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch
View File

100
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch
View File

@ -1,23 +1,31 @@
From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 14:37:03 +0200
Subject: [PATCH] hab4_pki_tree.sh: automate script
Subject: [PATCH] hab4_pki_tree.sh: adapt script for DEY
This commit introduce a new command line argument to specify the
CSF path folder and prepare it to automate the build process.
* support non interactive execution: introduce a new command line
argument to specify the CSF path folder and prepare it to automate the
build process.
* use a random password for the default PKI generation
* extract public keys from certificates: the public key needs to be
available on the rootfs so that signed SWU packages can be authenticated.
Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
Co-Authored-By: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
keys/hab4_pki_tree.sh | 78 ++++++++++++++++++++++++++++---------------
1 file changed, 51 insertions(+), 27 deletions(-)
keys/hab4_pki_tree.sh | 88 ++++++++++++++++++++++++++++---------------
1 file changed, 58 insertions(+), 30 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 944cc66..39ed3bf 100755
index 944cc66..e76f22f 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
stty erase 
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+
if [ $# -gt 0 ]; then
@ -35,13 +43,13 @@ index 944cc66..39ed3bf 100755
@@ -89,10 +91,18 @@ usage()
echo
}
-max_param=16
-min_param=12
+max_param=18
+min_param=1
num_param=1
+# Default values
+existing_ca="n"
+use_ecc="n"
@ -80,7 +88,7 @@ index 944cc66..39ed3bf 100755
@@ -242,6 +256,16 @@ then
read duration
fi
+# CSF folder structure
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
@ -93,7 +101,7 @@ index 944cc66..39ed3bf 100755
+
# Compute validity period
val_period=$((duration*365))
@@ -275,9 +299,9 @@ then
script_name=$0
fi
@ -104,13 +112,13 @@ index 944cc66..39ed3bf 100755
+keys_dir=${CSF_PATH}/keys/
+crts_dir=${CSF_PATH}/crts/
+ca_dir=${CSF_PATH}/ca/
if [ ! -d "${keys_dir}" ]
then
@@ -291,11 +315,11 @@ then
exit 1
fi
-if [ ! -d "${ca_dir}" ]
-then
- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
@ -121,28 +129,42 @@ index 944cc66..39ed3bf 100755
+# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
+# exit 1
+# fi
# Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ]
@@ -365,7 +389,7 @@ then
@@ -318,9 +342,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains
@@ -365,7 +390,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -382,7 +406,7 @@ then
@@ -382,7 +407,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -432,10 +456,10 @@ then
@@ -432,10 +457,10 @@ then
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
@ -152,19 +174,19 @@ index 944cc66..39ed3bf 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -456,7 +480,7 @@ then
@@ -456,7 +481,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -505,10 +529,10 @@ do
@@ -505,10 +530,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
@ -174,10 +196,10 @@ index 944cc66..39ed3bf 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -574,10 +598,10 @@ do
@@ -574,10 +599,10 @@ do
-in ./temp_csf_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
@ -187,19 +209,19 @@ index 944cc66..39ed3bf 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert CSF Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -596,7 +620,7 @@ do
@@ -596,7 +621,7 @@ do
-out ${csf_key}.pem
# Cleanup
- \rm ./temp_csf.pem ./temp_csf_req.pem
+ rm ./temp_csf.pem ./temp_csf_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -636,10 +660,10 @@ do
@@ -636,10 +661,10 @@ do
-in ./temp_img_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
@ -209,15 +231,19 @@ index 944cc66..39ed3bf 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert IMG Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -658,7 +682,7 @@ do
@@ -657,8 +682,11 @@ do
-in temp_img.pem \
-out ${img_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+
# Cleanup
- \rm ./temp_img.pem ./temp_img_req.pem
+ rm ./temp_img.pem ./temp_img_req.pem
i=$((i+1))
done

92
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch
View File

@ -1,23 +1,31 @@
From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 15:10:21 +0200
Subject: [PATCH] ahab_pki_tree.sh: automate script
Subject: [PATCH] ahab_pki_tree.sh: adapt script for DEY
This commit introduce a new command line argument to specify the
CSF path folder and prepare it to automate the build process.
* support non interactive execution: introduce a new command line
argument to specify the CSF path folder and prepare it to automate the
build process.
* use a random password for the default PKI generation
* extract public keys from certificates: the public key needs to be
available on the rootfs so that signed SWU packages can be authenticated.
Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
Co-Authored-By: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++--------------
1 file changed, 47 insertions(+), 23 deletions(-)
keys/ahab_pki_tree.sh | 80 +++++++++++++++++++++++++++++--------------
1 file changed, 54 insertions(+), 26 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index f5ab36c..2c16533 100755
index f5ab36c..13843f9 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
stty erase 
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+
if [ $# -gt 0 ]; then
@ -35,13 +43,13 @@ index f5ab36c..2c16533 100755
@@ -88,10 +90,18 @@ usage()
echo
}
-max_param=16
-min_param=12
+max_param=18
+min_param=1
num_param=1
+# Default values
+existing_ca="n"
+use_ecc="y"
@ -80,7 +88,7 @@ index f5ab36c..2c16533 100755
@@ -255,6 +269,16 @@ then
read duration
fi
+# CSF folder structure
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
@ -93,7 +101,7 @@ index f5ab36c..2c16533 100755
+
# Compute validity period
val_period=$((duration*365))
@@ -286,9 +310,9 @@ then
script_name=$0
fi
@ -104,13 +112,13 @@ index f5ab36c..2c16533 100755
+keys_dir=${CSF_PATH}/keys/
+crts_dir=${CSF_PATH}/crts/
+ca_dir=${CSF_PATH}/ca/
if [ ! -d "${keys_dir}" ]
then
@@ -302,11 +326,11 @@ then
exit 1
fi
-if [ ! -d "${ca_dir}" ]
-then
- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
@ -121,37 +129,51 @@ index f5ab36c..2c16533 100755
+# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
+# exit 1
+# fi
# Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ]
@@ -377,7 +401,7 @@ then
@@ -329,9 +353,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains
@@ -377,7 +402,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -394,7 +418,7 @@ then
@@ -394,7 +419,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -468,7 +492,7 @@ then
@@ -468,7 +493,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -517,10 +541,10 @@ do
@@ -517,10 +542,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
@ -161,19 +183,19 @@ index f5ab36c..2c16533 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -541,7 +565,7 @@ do
@@ -541,7 +566,7 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -586,10 +610,10 @@ do
@@ -586,10 +611,10 @@ do
-in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
@ -183,15 +205,19 @@ index f5ab36c..2c16533 100755
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -608,7 +632,7 @@ do
@@ -607,8 +632,11 @@ do
-in temp_sgk.pem \
-out ${sgk_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+
# Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
i=$((i+1))
done

28
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
View File

@ -1,28 +0,0 @@
From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
Date: Fri, 29 Jul 2016 17:20:28 +0200
Subject: [PATCH] hab4_pki_tree.sh: usa a random password for the default PKI
generation
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
keys/hab4_pki_tree.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 39ed3bf..ac6fb29 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -342,9 +342,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains

3
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-rules.mk-weaken-specific-function-err_msg.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch
View File

@ -1,4 +1,3 @@
From fe51b132c7c07de5a63c3dfc5a16bc9fc7816f7e Mon Sep 17 00:00:00 2001
From: Hector Palacios <hector.palacios@digi.com>
Date: Mon, 30 Jan 2023 10:38:22 +0100
Subject: [PATCH] rules.mk: weaken specific function err_msg()
@ -19,7 +18,7 @@ https://onedigi.atlassian.net/browse/DEL-8033
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk
index 1c0842bd070e..032e18bc5134 100755
index 1c0842b..032e18b 100755
--- a/code/cst/code/build/make/rules.mk
+++ b/code/cst/code/build/make/rules.mk
@@ -27,7 +27,7 @@ LFLAGS := -t

28
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
View File

@ -1,28 +0,0 @@
From: Mike Engel <Mike.Engel@digi.com>
Date: Fri, 24 Jan 2020 17:47:56 +0100
Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI
generation
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
---
keys/ahab_pki_tree.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 2c16533..b85b00d 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -353,9 +353,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains

42
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
View File

@ -1,42 +0,0 @@
From: Hector Palacios <hector.palacios@digi.com>
Date: Thu, 3 Aug 2023 16:25:36 +0200
Subject: [PATCH] pki_tree.sh: extract public keys from certificates
The public key needs to be available on the rootfs so that signed SWU
packages can be authenticated.
Do this on the PKI generation script so that recipes don't need to do it.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
keys/ahab_pki_tree.sh | 3 +++
keys/hab4_pki_tree.sh | 3 +++
2 files changed, 6 insertions(+)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 7f10c5388146..63b5ce58ade7 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -632,6 +632,9 @@ do
-in temp_sgk.pem \
-out ${sgk_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+
# Cleanup
rm ./temp_sgk.pem ./temp_sgk_req.pem
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index ac6fb29b7f91..e76f22f40643 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -682,6 +682,9 @@ do
-in temp_img.pem \
-out ${img_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+
# Cleanup
rm ./temp_img.pem ./temp_img_req.pem