From d7692af7a43b9a03402b832cffccc6dc506792b0 Mon Sep 17 00:00:00 2001 From: Javier Viguera Date: Mon, 18 Sep 2023 13:42:20 +0200 Subject: [PATCH] trustfence-cst: merge patches, no functional change Merge the patches for the PKI tree generation scripts, to ease maintenance (still keeping two separate patches for HAB4/AHAB). Signed-off-by: Javier Viguera --- .../trustfence-cst/trustfence-cst-3.3.1.inc | 11 +- ...lper-use-dev-urandom-as-seed-source.patch} | 0 ...b4_pki_tree.sh-adapt-script-for-DEY.patch} | 100 +++++++++++------- ...ab_pki_tree.sh-adapt-script-for-DEY.patch} | 92 ++++++++++------ ...-usa-a-random-password-for-the-defau.patch | 28 ----- ...mk-weaken-specific-function-err_msg.patch} | 3 +- ...-use-a-random-password-for-the-defau.patch | 28 ----- ...xtract-public-keys-from-certificates.patch | 42 -------- 8 files changed, 127 insertions(+), 177 deletions(-) rename meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/{0003-openssl_helper-use-dev-urandom-as-seed-source.patch => 0002-openssl_helper-use-dev-urandom-as-seed-source.patch} (100%) rename meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/{0002-hab4_pki_tree.sh-automate-script.patch => 0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch} (79%) rename meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/{0005-ahab_pki_tree.sh-automate-script.patch => 0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch} (76%) delete mode 100644 meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch rename meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/{0007-rules.mk-weaken-specific-function-err_msg.patch => 0005-rules.mk-weaken-specific-function-err_msg.patch} (90%) delete mode 100644 meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch delete mode 100644 meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch 
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc index cf5dda093..593a5f127 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc @@ -15,13 +15,10 @@ SRC_URI = " \ ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \ https://www.openssl.org/source/openssl-${OPENSSL1_VERSION}.tar.gz;name=openssl \ file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \ - file://0002-hab4_pki_tree.sh-automate-script.patch \ - file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \ - file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \ - file://0005-ahab_pki_tree.sh-automate-script.patch \ - file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \ - file://0007-rules.mk-weaken-specific-function-err_msg.patch \ - file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \ + file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \ + file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \ + file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \ + file://0005-rules.mk-weaken-specific-function-err_msg.patch \ " SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch similarity index 100% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch 
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch similarity index 79% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch index b28303ae0..408bc1cd7 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch @@ -1,23 +1,31 @@ From: Arturo Buzarra Date: Wed, 22 Jul 2020 14:37:03 +0200 -Subject: [PATCH] hab4_pki_tree.sh: automate script +Subject: [PATCH] hab4_pki_tree.sh: adapt script for DEY -This commit introduce a new command line argument to specify the -CSF path folder and prepare it to automate the build process. +* support non interactive execution: introduce a new command line + argument to specify the CSF path folder and prepare it to automate the + build process. +* use a random password for the default PKI generation + +* extract public keys from certificates: the public key needs to be + available on the rootfs so that signed SWU packages can be authenticated. + +Co-Authored-By: Hector Palacios +Co-Authored-By: Diaz de Grenu, Jose Signed-off-by: Arturo Buzarra --- - keys/hab4_pki_tree.sh | 78 ++++++++++++++++++++++++++++--------------- - 1 file changed, 51 insertions(+), 27 deletions(-) + keys/hab4_pki_tree.sh | 88 ++++++++++++++++++++++++++++--------------- + 1 file changed, 58 insertions(+), 30 deletions(-) diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh -index 944cc66..39ed3bf 100755 +index 944cc66..e76f22f 100755 --- a/keys/hab4_pki_tree.sh +++ b/keys/hab4_pki_tree.sh 
@@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" - + stty erase  - + +SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" + if [ $# -gt 0 ]; then @@ -35,13 +43,13 @@ index 944cc66..39ed3bf 100755 @@ -89,10 +91,18 @@ usage() echo } - + -max_param=16 -min_param=12 +max_param=18 +min_param=1 num_param=1 - + +# Default values +existing_ca="n" +use_ecc="n" @@ -80,7 +88,7 @@ index 944cc66..39ed3bf 100755 @@ -242,6 +256,16 @@ then read duration fi - + +# CSF folder structure +if [ ! -d "${CSF_PATH}" ]; then + echo "Invalid CSF_PATH: ${CSF_PATH}" @@ -93,7 +101,7 @@ index 944cc66..39ed3bf 100755 + # Compute validity period val_period=$((duration*365)) - + @@ -275,9 +299,9 @@ then script_name=$0 fi @@ -104,13 +112,13 @@ index 944cc66..39ed3bf 100755 +keys_dir=${CSF_PATH}/keys/ +crts_dir=${CSF_PATH}/crts/ +ca_dir=${CSF_PATH}/ca/ - + if [ ! -d "${keys_dir}" ] then @@ -291,11 +315,11 @@ then exit 1 fi - + -if [ ! -d "${ca_dir}" ] -then - echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." 
@@ -121,28 +129,42 @@ index 944cc66..39ed3bf 100755 +# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." +# exit 1 +# fi - + # Switch current working directory to keys directory, if needed. if [ "${crt_dir}" != "${keys_dir}" ] -@@ -365,7 +389,7 @@ then +@@ -318,9 +342,10 @@ fi + # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: + if [ ! -f key_pass.txt ] + then +- echo "test" > key_pass.txt +- echo "test" >> key_pass.txt +- echo "A default file 'key_pass.txt' was created with password = test!" ++ password="$(openssl rand -base64 32)" ++ echo "${password}" > key_pass.txt ++ echo "${password}" >> key_pass.txt ++ echo "A file 'key_pass.txt' was created with a random password!" + fi + + # The following is required otherwise OpenSSL complains +@@ -365,7 +390,7 @@ then -x509 -extensions v3_ca \ -keyout temp_ca.pem \ -out ${ca_cert}.pem \ - -days ${val_period} -config ../ca/openssl.cnf + -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -@@ -382,7 +406,7 @@ then +@@ -382,7 +407,7 @@ then openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der - + # Cleanup - \rm temp_ca.pem + rm temp_ca.pem fi - - -@@ -432,10 +456,10 @@ then + + +@@ -432,10 +457,10 @@ then -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ 
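Review bot: The new `password="$(openssl rand -base64 32)"` line in the key_pass.txt block is never checked: if `openssl rand` fails the assignment yields an empty string and, unless the script enables `set -e` somewhere outside this hunk, the two `echo` lines write an empty passphrase that every later `-passin file:./key_pass.txt` / `-passout file:./key_pass.txt` call will silently use. The file is also created under the caller's umask, so the passphrase protecting every private key in the tree is typically left world-readable on disk. Suggested replacement for those three lines: `password="$(openssl rand -base64 32)" || { echo "ERROR: could not generate a random password"; exit 1; }` followed by `(umask 077; printf '%s\n%s\n' "${password}" "${password}" > key_pass.txt)`. The enclosing `if [ ! -f key_pass.txt ]` block is fully inside the hunk, but the script's option handling and any `set -e` are outside it.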
@@ -152,19 +174,19 @@ index 944cc66..39ed3bf 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -456,7 +480,7 @@ then +@@ -456,7 +481,7 @@ then -out ${srk_key}.pem - + # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem i=$((i+1)) done else -@@ -505,10 +529,10 @@ do +@@ -505,10 +530,10 @@ do -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ @@ -174,10 +196,10 @@ index 944cc66..39ed3bf 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -574,10 +598,10 @@ do +@@ -574,10 +599,10 @@ do -in ./temp_csf_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ @@ -187,19 +209,19 @@ index 944cc66..39ed3bf 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert CSF Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -596,7 +620,7 @@ do +@@ -596,7 +621,7 @@ do -out ${csf_key}.pem - + # Cleanup - \rm ./temp_csf.pem ./temp_csf_req.pem + rm ./temp_csf.pem ./temp_csf_req.pem - + echo echo ++++++++++++++++++++++++++++++++++++++++ -@@ -636,10 +660,10 @@ do +@@ -636,10 +661,10 @@ do -in ./temp_img_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ 
@@ -209,15 +231,19 @@ index 944cc66..39ed3bf 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert IMG Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -658,7 +682,7 @@ do +@@ -657,8 +682,11 @@ do + -in temp_img.pem \ -out ${img_key}.pem - + ++ # Extract public key from the certificate ++ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub ++ # Cleanup - \rm ./temp_img.pem ./temp_img_req.pem + rm ./temp_img.pem ./temp_img_req.pem - + i=$((i+1)) done diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch similarity index 76% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch index e5e60aff1..55bcd3d77 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch @@ -1,23 +1,31 @@ 
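Review bot: The added `openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub` writes through the relative `../crts/` path even though this same patch now defines `crts_dir=${CSF_PATH}/crts/` and moves the other paths to `${SCRIPT_BASEDIR}`/`${CSF_PATH}`-based forms; it only works because the script has earlier changed directory into `${keys_dir}`, which is not visible in this hunk. The redirection also creates `key${i}.pub` before `openssl` runs, so a failed extraction leaves an empty file in the directory that, per the patch description, is later shipped to the rootfs for SWU verification, and nothing aborts the run. Suggested line: `openssl x509 -pubkey -noout -in "${img_crt}.pem" > "${crts_dir}/key${i}.pub" || exit 1`. The `do` loop this sits in begins outside the hunk.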
From: Arturo Buzarra Date: Wed, 22 Jul 2020 15:10:21 +0200 -Subject: [PATCH] ahab_pki_tree.sh: automate script +Subject: [PATCH] ahab_pki_tree.sh: adapt script for DEY -This commit introduce a new command line argument to specify the -CSF path folder and prepare it to automate the build process. +* support non interactive execution: introduce a new command line + argument to specify the CSF path folder and prepare it to automate the + build process. +* use a random password for the default PKI generation + +* extract public keys from certificates: the public key needs to be + available on the rootfs so that signed SWU packages can be authenticated. + +Co-Authored-By: Hector Palacios +Co-Authored-By: Mike Engel Signed-off-by: Arturo Buzarra --- - keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++-------------- - 1 file changed, 47 insertions(+), 23 deletions(-) + keys/ahab_pki_tree.sh | 80 +++++++++++++++++++++++++++++-------------- + 1 file changed, 54 insertions(+), 26 deletions(-) diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh -index f5ab36c..2c16533 100755 +index f5ab36c..13843f9 100755 --- a/keys/ahab_pki_tree.sh +++ b/keys/ahab_pki_tree.sh @@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" - + stty erase  - + +SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" + if [ $# -gt 0 ]; then @@ -35,13 +43,13 @@ index f5ab36c..2c16533 100755 @@ -88,10 +90,18 @@ usage() echo } - + -max_param=16 -min_param=12 +max_param=18 +min_param=1 num_param=1 - + +# Default values +existing_ca="n" +use_ecc="y" @@ -80,7 +88,7 @@ index f5ab36c..2c16533 100755 @@ -255,6 +269,16 @@ then read duration fi - + +# CSF folder structure +if [ ! -d "${CSF_PATH}" ]; then + echo "Invalid CSF_PATH: ${CSF_PATH}" @@ -93,7 +101,7 @@ index f5ab36c..2c16533 100755 + # Compute validity period val_period=$((duration*365)) - + @@ -286,9 +310,9 @@ then script_name=$0 fi 
@@ -104,13 +112,13 @@ index f5ab36c..2c16533 100755 +keys_dir=${CSF_PATH}/keys/ +crts_dir=${CSF_PATH}/crts/ +ca_dir=${CSF_PATH}/ca/ - + if [ ! -d "${keys_dir}" ] then @@ -302,11 +326,11 @@ then exit 1 fi - + -if [ ! -d "${ca_dir}" ] -then - echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." 
@@ -121,37 +129,51 @@ index f5ab36c..2c16533 100755 +# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." +# exit 1 +# fi - + # Switch current working directory to keys directory, if needed. if [ "${crt_dir}" != "${keys_dir}" ] -@@ -377,7 +401,7 @@ then +@@ -329,9 +353,10 @@ fi + # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: + if [ ! -f key_pass.txt ] + then +- echo "test" > key_pass.txt +- echo "test" >> key_pass.txt +- echo "A default file 'key_pass.txt' was created with password = test!" ++ password="$(openssl rand -base64 32)" ++ echo "${password}" > key_pass.txt ++ echo "${password}" >> key_pass.txt ++ echo "A file 'key_pass.txt' was created with a random password!" + fi + + # The following is required otherwise OpenSSL complains +@@ -377,7 +402,7 @@ then -x509 -extensions v3_ca \ -keyout temp_ca.pem \ -out ${ca_cert}.pem \ - -days ${val_period} -config ../ca/openssl.cnf + -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -@@ -394,7 +418,7 @@ then +@@ -394,7 +419,7 @@ then openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der - + # Cleanup - \rm temp_ca.pem + rm temp_ca.pem fi - - -@@ -468,7 +492,7 @@ then + + +@@ -468,7 +493,7 @@ then -out ${srk_key}.pem - + # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem i=$((i+1)) done else -@@ -517,10 +541,10 @@ do +@@ -517,10 +542,10 @@ do -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ 
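Review bot: The key_pass.txt written by the new `echo "${password}" > key_pass.txt` lines inherits the process umask, so the passphrase guarding the AHAB CA/SRK/SGK private keys usually ends up mode 0644; wrap the writes as `(umask 077; printf '%s\n%s\n' "${password}" "${password}" > key_pass.txt)` or follow them with `chmod 600 key_pass.txt`. The preceding `password="$(openssl rand -base64 32)"` is likewise unchecked, so a failing `openssl rand` produces an empty passphrase unless `set -e` is enabled somewhere outside this hunk; appending `|| { echo "ERROR: could not generate a random password"; exit 1; }` to that line closes the gap. The `if [ ! -f key_pass.txt ]` block is complete within the hunk.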
@@ -161,19 +183,19 @@ index f5ab36c..2c16533 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -541,7 +565,7 @@ do +@@ -541,7 +566,7 @@ do -out ${srk_key}.pem - + # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem - + echo echo ++++++++++++++++++++++++++++++++++++++++ -@@ -586,10 +610,10 @@ do +@@ -586,10 +611,10 @@ do -in ./temp_sgk_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ @@ -183,15 +205,19 @@ index f5ab36c..2c16533 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert SGK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -608,7 +632,7 @@ do +@@ -607,8 +632,11 @@ do + -in temp_sgk.pem \ -out ${sgk_key}.pem - + ++ # Extract public key from the certificate ++ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub ++ # Cleanup - \rm ./temp_sgk.pem ./temp_sgk_req.pem + rm ./temp_sgk.pem ./temp_sgk_req.pem - + i=$((i+1)) done diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch deleted file mode 100644 index cafd77ef6..000000000 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch +++ /dev/null 
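Review bot: The added `openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub` sits in the SGK loop but exports the SRK certificate's public key, whereas the HAB4 counterpart of this change exports the leaf IMG certificate's key; nothing in the patch says whether that asymmetry is intended (for instance because AHAB images are signed with the SRK directly), so a reader will read it as a copy-paste slip. If it is deliberate, a comment such as `# Export the SRK (not SGK) public key: this is what the rootfs verifies SWU packages against -- confirm` should accompany the line; if not, the SGK certificate just issued by the `openssl ca` call above is the right input (its variable name is not visible in this hunk). Either way the relative `../crts/` path should become `"${crts_dir}/key${i}.pub"` to match the `crts_dir=${CSF_PATH}/crts/` this patch introduces, with `|| exit 1` appended so a failed extraction does not leave an empty key file behind. The surrounding `do` loop starts outside the hunk.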
@@ -1,28 +0,0 @@ -From: "Diaz de Grenu, Jose" -Date: Fri, 29 Jul 2016 17:20:28 +0200 -Subject: [PATCH] hab4_pki_tree.sh: usa a random password for the default PKI - generation - -Signed-off-by: Diaz de Grenu, Jose ---- - keys/hab4_pki_tree.sh | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh -index 39ed3bf..ac6fb29 100755 ---- a/keys/hab4_pki_tree.sh -+++ b/keys/hab4_pki_tree.sh -@@ -342,9 +342,10 @@ fi - # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: - if [ ! -f key_pass.txt ] - then -- echo "test" > key_pass.txt -- echo "test" >> key_pass.txt -- echo "A default file 'key_pass.txt' was created with password = test!" -+ password="$(openssl rand -base64 32)" -+ echo "${password}" > key_pass.txt -+ echo "${password}" >> key_pass.txt -+ echo "A file 'key_pass.txt' was created with a random password!" - fi - - # The following is required otherwise OpenSSL complains diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-rules.mk-weaken-specific-function-err_msg.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch similarity index 90% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-rules.mk-weaken-specific-function-err_msg.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch index 03049e35b..1ba99780d 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-rules.mk-weaken-specific-function-err_msg.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch @@ -1,4 +1,3 @@ -From fe51b132c7c07de5a63c3dfc5a16bc9fc7816f7e Mon Sep 17 00:00:00 2001 From: Hector Palacios Date: Mon, 30 Jan 2023 10:38:22 +0100 Subject: [PATCH] rules.mk: weaken specific function err_msg() 
@@ -19,7 +18,7 @@ https://onedigi.atlassian.net/browse/DEL-8033 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk -index 1c0842bd070e..032e18bc5134 100755 +index 1c0842b..032e18b 100755 --- a/code/cst/code/build/make/rules.mk +++ b/code/cst/code/build/make/rules.mk @@ -27,7 +27,7 @@ LFLAGS := -t diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch deleted file mode 100644 index 1c715b10f..000000000 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Mike Engel -Date: Fri, 24 Jan 2020 17:47:56 +0100 -Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI - generation - -Signed-off-by: Mike Engel ---- - keys/ahab_pki_tree.sh | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh -index 2c16533..b85b00d 100755 ---- a/keys/ahab_pki_tree.sh -+++ b/keys/ahab_pki_tree.sh -@@ -353,9 +353,10 @@ fi - # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: - if [ ! -f key_pass.txt ] - then -- echo "test" > key_pass.txt -- echo "test" >> key_pass.txt -- echo "A default file 'key_pass.txt' was created with password = test!" -+ password="$(openssl rand -base64 32)" -+ echo "${password}" > key_pass.txt -+ echo "${password}" >> key_pass.txt -+ echo "A file 'key_pass.txt' was created with a random password!" - fi - - # The following is required otherwise OpenSSL complains 
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch deleted file mode 100644 index dcaa24120..000000000 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Hector Palacios -Date: Thu, 3 Aug 2023 16:25:36 +0200 -Subject: [PATCH] pki_tree.sh: extract public keys from certificates - -The public key needs to be available on the rootfs so that signed SWU -packages can be authenticated. -Do this on the PKI generation script so that recipes don't need to do it. - -Signed-off-by: Hector Palacios ---- - keys/ahab_pki_tree.sh | 3 +++ - keys/hab4_pki_tree.sh | 3 +++ - 2 files changed, 6 insertions(+) - -diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh -index 7f10c5388146..63b5ce58ade7 100755 ---- a/keys/ahab_pki_tree.sh -+++ b/keys/ahab_pki_tree.sh -@@ -632,6 +632,9 @@ do - -in temp_sgk.pem \ - -out ${sgk_key}.pem - -+ # Extract public key from the certificate -+ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub -+ - # Cleanup - rm ./temp_sgk.pem ./temp_sgk_req.pem - -diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh -index ac6fb29b7f91..e76f22f40643 100755 ---- a/keys/hab4_pki_tree.sh -+++ b/keys/hab4_pki_tree.sh -@@ -682,6 +682,9 @@ do - -in temp_img.pem \ - -out ${img_key}.pem - -+ # Extract public key from the certificate -+ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub -+ - # Cleanup - rm ./temp_img.pem ./temp_img_req.pem -