Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence-cst: merge paches, no functional change 

Merge the patches for the PKI tree generation scripts, to ease
maintenance (still keeping two separate patches for HAB4/AHAB).

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2023-09-18 13:42:20 +02:00
parent 441164c575
commit d7692af7a4
8 changed files with 127 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
View File

@ -15,13 +15,10 @@ SRC_URI = " \
${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \ ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \
https://www.openssl.org/source/openssl-${OPENSSL1_VERSION}.tar.gz;name=openssl \ https://www.openssl.org/source/openssl-${OPENSSL1_VERSION}.tar.gz;name=openssl \
file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \ file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
file://0002-hab4_pki_tree.sh-automate-script.patch \ file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \
file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \
file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \ file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \
file://0005-ahab_pki_tree.sh-automate-script.patch \ file://0005-rules.mk-weaken-specific-function-err_msg.patch \
file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
file://0007-rules.mk-weaken-specific-function-err_msg.patch \
file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \
" "
SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"

0
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch
View File

56
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch
View File

@ -1,17 +1,25 @@
From: Arturo Buzarra <arturo.buzarra@digi.com> From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 14:37:03 +0200 Date: Wed, 22 Jul 2020 14:37:03 +0200
Subject: [PATCH] hab4_pki_tree.sh: automate script Subject: [PATCH] hab4_pki_tree.sh: adapt script for DEY
This commit introduce a new command line argument to specify the * support non interactive execution: introduce a new command line
CSF path folder and prepare it to automate the build process. argument to specify the CSF path folder and prepare it to automate the
build process.
* use a random password for the default PKI generation
* extract public keys from certificates: the public key needs to be
available on the rootfs so that signed SWU packages can be authenticated.
Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
Co-Authored-By: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com> Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
--- ---
keys/hab4_pki_tree.sh | 78 ++++++++++++++++++++++++++++--------------- keys/hab4_pki_tree.sh | 88 ++++++++++++++++++++++++++++---------------
1 file changed, 51 insertions(+), 27 deletions(-) 1 file changed, 58 insertions(+), 30 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 944cc66..39ed3bf 100755 index 944cc66..e76f22f 100755
--- a/keys/hab4_pki_tree.sh --- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh +++ b/keys/hab4_pki_tree.sh
@@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" @@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
@ -124,7 +132,21 @@ index 944cc66..39ed3bf 100755
# Switch current working directory to keys directory, if needed. # Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ] if [ "${crt_dir}" != "${keys_dir}" ]
@@ -365,7 +389,7 @@ then @@ -318,9 +342,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains
@@ -365,7 +390,7 @@ then
-x509 -extensions v3_ca \ -x509 -extensions v3_ca \
-keyout temp_ca.pem \ -keyout temp_ca.pem \
-out ${ca_cert}.pem \ -out ${ca_cert}.pem \
@ -133,7 +155,7 @@ index 944cc66..39ed3bf 100755
# Generate CA key in PKCS #8 format - both PEM and DER # Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -382,7 +406,7 @@ then @@ -382,7 +407,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup # Cleanup
@ -142,7 +164,7 @@ index 944cc66..39ed3bf 100755
fi fi
@@ -432,10 +456,10 @@ then @@ -432,10 +457,10 @@ then
-in ./temp_srk_req.pem \ -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \ -keyfile ${ca_key}.pem \
@ -155,7 +177,7 @@ index 944cc66..39ed3bf 100755
# Convert SRK Certificate to DER format # Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -456,7 +480,7 @@ then @@ -456,7 +481,7 @@ then
-out ${srk_key}.pem -out ${srk_key}.pem
# Cleanup # Cleanup
@ -164,7 +186,7 @@ index 944cc66..39ed3bf 100755
i=$((i+1)) i=$((i+1))
done done
else else
@@ -505,10 +529,10 @@ do @@ -505,10 +530,10 @@ do
-in ./temp_srk_req.pem \ -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \ -keyfile ${ca_key}.pem \
@ -177,7 +199,7 @@ index 944cc66..39ed3bf 100755
# Convert SRK Certificate to DER format # Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -574,10 +598,10 @@ do @@ -574,10 +599,10 @@ do
-in ./temp_csf_req.pem \ -in ./temp_csf_req.pem \
-cert ${srk_crt_i} \ -cert ${srk_crt_i} \
-keyfile ${srk_key_i} \ -keyfile ${srk_key_i} \
@ -190,7 +212,7 @@ index 944cc66..39ed3bf 100755
# Convert CSF Certificate to DER format # Convert CSF Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -596,7 +620,7 @@ do @@ -596,7 +621,7 @@ do
-out ${csf_key}.pem -out ${csf_key}.pem
# Cleanup # Cleanup
@ -199,7 +221,7 @@ index 944cc66..39ed3bf 100755
echo echo
echo ++++++++++++++++++++++++++++++++++++++++ echo ++++++++++++++++++++++++++++++++++++++++
@@ -636,10 +660,10 @@ do @@ -636,10 +661,10 @@ do
-in ./temp_img_req.pem \ -in ./temp_img_req.pem \
-cert ${srk_crt_i} \ -cert ${srk_crt_i} \
-keyfile ${srk_key_i} \ -keyfile ${srk_key_i} \
@ -212,9 +234,13 @@ index 944cc66..39ed3bf 100755
# Convert IMG Certificate to DER format # Convert IMG Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -658,7 +682,7 @@ do @@ -657,8 +682,11 @@ do
-in temp_img.pem \
-out ${img_key}.pem -out ${img_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+
# Cleanup # Cleanup
- \rm ./temp_img.pem ./temp_img_req.pem - \rm ./temp_img.pem ./temp_img_req.pem
+ rm ./temp_img.pem ./temp_img_req.pem + rm ./temp_img.pem ./temp_img_req.pem

52
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch
View File

@ -1,17 +1,25 @@
From: Arturo Buzarra <arturo.buzarra@digi.com> From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 15:10:21 +0200 Date: Wed, 22 Jul 2020 15:10:21 +0200
Subject: [PATCH] ahab_pki_tree.sh: automate script Subject: [PATCH] ahab_pki_tree.sh: adapt script for DEY
This commit introduce a new command line argument to specify the * support non interactive execution: introduce a new command line
CSF path folder and prepare it to automate the build process. argument to specify the CSF path folder and prepare it to automate the
build process.
* use a random password for the default PKI generation
* extract public keys from certificates: the public key needs to be
available on the rootfs so that signed SWU packages can be authenticated.
Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
Co-Authored-By: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com> Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
--- ---
keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++-------------- keys/ahab_pki_tree.sh | 80 +++++++++++++++++++++++++++++--------------
1 file changed, 47 insertions(+), 23 deletions(-) 1 file changed, 54 insertions(+), 26 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index f5ab36c..2c16533 100755 index f5ab36c..13843f9 100755
--- a/keys/ahab_pki_tree.sh --- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh +++ b/keys/ahab_pki_tree.sh
@@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" @@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
@ -124,7 +132,21 @@ index f5ab36c..2c16533 100755
# Switch current working directory to keys directory, if needed. # Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ] if [ "${crt_dir}" != "${keys_dir}" ]
@@ -377,7 +401,7 @@ then @@ -329,9 +353,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains
@@ -377,7 +402,7 @@ then
-x509 -extensions v3_ca \ -x509 -extensions v3_ca \
-keyout temp_ca.pem \ -keyout temp_ca.pem \
-out ${ca_cert}.pem \ -out ${ca_cert}.pem \
@ -133,7 +155,7 @@ index f5ab36c..2c16533 100755
# Generate CA key in PKCS #8 format - both PEM and DER # Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -394,7 +418,7 @@ then @@ -394,7 +419,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup # Cleanup
@ -142,7 +164,7 @@ index f5ab36c..2c16533 100755
fi fi
@@ -468,7 +492,7 @@ then @@ -468,7 +493,7 @@ then
-out ${srk_key}.pem -out ${srk_key}.pem
# Cleanup # Cleanup
@ -151,7 +173,7 @@ index f5ab36c..2c16533 100755
i=$((i+1)) i=$((i+1))
done done
else else
@@ -517,10 +541,10 @@ do @@ -517,10 +542,10 @@ do
-in ./temp_srk_req.pem \ -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \ -keyfile ${ca_key}.pem \
@ -164,7 +186,7 @@ index f5ab36c..2c16533 100755
# Convert SRK Certificate to DER format # Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -541,7 +565,7 @@ do @@ -541,7 +566,7 @@ do
-out ${srk_key}.pem -out ${srk_key}.pem
# Cleanup # Cleanup
@ -173,7 +195,7 @@ index f5ab36c..2c16533 100755
echo echo
echo ++++++++++++++++++++++++++++++++++++++++ echo ++++++++++++++++++++++++++++++++++++++++
@@ -586,10 +610,10 @@ do @@ -586,10 +611,10 @@ do
-in ./temp_sgk_req.pem \ -in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \ -cert ${srk_crt_i} \
-keyfile ${srk_key_i} \ -keyfile ${srk_key_i} \
@ -186,9 +208,13 @@ index f5ab36c..2c16533 100755
# Convert SGK Certificate to DER format # Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -608,7 +632,7 @@ do @@ -607,8 +632,11 @@ do
-in temp_sgk.pem \
-out ${sgk_key}.pem -out ${sgk_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+
# Cleanup # Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem - \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem + rm ./temp_sgk.pem ./temp_sgk_req.pem

28
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
View File

@ -1,28 +0,0 @@
From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
Date: Fri, 29 Jul 2016 17:20:28 +0200
Subject: [PATCH] hab4_pki_tree.sh: usa a random password for the default PKI
generation
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
keys/hab4_pki_tree.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 39ed3bf..ac6fb29 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -342,9 +342,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains

3
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-rules.mk-weaken-specific-function-err_msg.patch → meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch
View File

@ -1,4 +1,3 @@
From fe51b132c7c07de5a63c3dfc5a16bc9fc7816f7e Mon Sep 17 00:00:00 2001
From: Hector Palacios <hector.palacios@digi.com> From: Hector Palacios <hector.palacios@digi.com>
Date: Mon, 30 Jan 2023 10:38:22 +0100 Date: Mon, 30 Jan 2023 10:38:22 +0100
Subject: [PATCH] rules.mk: weaken specific function err_msg() Subject: [PATCH] rules.mk: weaken specific function err_msg()
@ -19,7 +18,7 @@ https://onedigi.atlassian.net/browse/DEL-8033
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk
index 1c0842bd070e..032e18bc5134 100755 index 1c0842b..032e18b 100755
--- a/code/cst/code/build/make/rules.mk --- a/code/cst/code/build/make/rules.mk
+++ b/code/cst/code/build/make/rules.mk +++ b/code/cst/code/build/make/rules.mk
@@ -27,7 +27,7 @@ LFLAGS := -t @@ -27,7 +27,7 @@ LFLAGS := -t

28
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
View File

@ -1,28 +0,0 @@
From: Mike Engel <Mike.Engel@digi.com>
Date: Fri, 24 Jan 2020 17:47:56 +0100
Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI
generation
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
---
keys/ahab_pki_tree.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 2c16533..b85b00d 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -353,9 +353,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains

42
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
View File

@ -1,42 +0,0 @@
From: Hector Palacios <hector.palacios@digi.com>
Date: Thu, 3 Aug 2023 16:25:36 +0200
Subject: [PATCH] pki_tree.sh: extract public keys from certificates
The public key needs to be available on the rootfs so that signed SWU
packages can be authenticated.
Do this on the PKI generation script so that recipes don't need to do it.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
keys/ahab_pki_tree.sh | 3 +++
keys/hab4_pki_tree.sh | 3 +++
2 files changed, 6 insertions(+)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 7f10c5388146..63b5ce58ade7 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -632,6 +632,9 @@ do
-in temp_sgk.pem \
-out ${sgk_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+
# Cleanup
rm ./temp_sgk.pem ./temp_sgk_req.pem
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index ac6fb29b7f91..e76f22f40643 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -682,6 +682,9 @@ do
-in temp_img.pem \
-out ${img_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+
# Cleanup
rm ./temp_img.pem ./temp_img_req.pem