trustfence-cst: merge paches, no functional change

Merge the patches for the PKI tree generation scripts, to ease maintenance (still keeping two separate patches for HAB4/AHAB). Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2023-09-18 13:42:20 +02:00 · 2023-09-18 13:42:20 +02:00 · d7692af7a4
parent 441164c575
commit d7692af7a4
8 changed files with 127 additions and 177 deletions
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
@ -15,13 +15,10 @@ SRC_URI = " \
    ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \
    https://www.openssl.org/source/openssl-${OPENSSL1_VERSION}.tar.gz;name=openssl \
    file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
-    file://0002-hab4_pki_tree.sh-automate-script.patch \
-    file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
-    file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
-    file://0005-ahab_pki_tree.sh-automate-script.patch \
-    file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
-    file://0007-rules.mk-weaken-specific-function-err_msg.patch \
-    file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \
+    file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \
+    file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \
+    file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \
+    file://0005-rules.mk-weaken-specific-function-err_msg.patch \
 "

 SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch
@ -1,17 +1,25 @@
 From: Arturo Buzarra <arturo.buzarra@digi.com>
 Date: Wed, 22 Jul 2020 14:37:03 +0200
-Subject: [PATCH] hab4_pki_tree.sh: automate script
+Subject: [PATCH] hab4_pki_tree.sh: adapt script for DEY

-This commit introduce a new command line argument to specify the
-CSF path folder and prepare it to automate the build process.
+* support non interactive execution: introduce a new command line
+  argument to specify the CSF path folder and prepare it to automate the
+  build process.

+* use a random password for the default PKI generation
+
+* extract public keys from certificates: the public key needs to be
+  available on the rootfs so that signed SWU packages can be authenticated.
+
+Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
+Co-Authored-By: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
 Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
 ---
- keys/hab4_pki_tree.sh | 78 ++++++++++++++++++++++++++++---------------
- 1 file changed, 51 insertions(+), 27 deletions(-)
+ keys/hab4_pki_tree.sh | 88 ++++++++++++++++++++++++++++---------------
+ 1 file changed, 58 insertions(+), 30 deletions(-)

 diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
-index 944cc66..39ed3bf 100755
+index 944cc66..e76f22f 100755
 --- a/keys/hab4_pki_tree.sh
 +++ b/keys/hab4_pki_tree.sh
@@ -66,6 +66,8 @@ printf "    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
@ -124,7 +132,21 @@ index 944cc66..39ed3bf 100755
 
 # Switch current working directory to keys directory, if needed.
 if [ "${crt_dir}" != "${keys_dir}" ]
-@@ -365,7 +389,7 @@ then
+@@ -318,9 +342,10 @@ fi
+ # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
+ if [ ! -f key_pass.txt ]
+ then
+-    echo "test" > key_pass.txt
+-    echo "test" >> key_pass.txt
+-    echo "A default file 'key_pass.txt' was created with password = test!"
+    password="$(openssl rand -base64 32)"
+    echo "${password}" > key_pass.txt
+    echo "${password}" >> key_pass.txt
+    echo "A file 'key_pass.txt' was created with a random password!"
+ fi
+ 
+ # The following is required otherwise OpenSSL complains
+@@ -365,7 +390,7 @@ then
                    -x509 -extensions v3_ca \
                    -keyout temp_ca.pem \
                    -out ${ca_cert}.pem \
@ -133,7 +155,7 @@ index 944cc66..39ed3bf 100755
 
     # Generate CA key in PKCS #8 format - both PEM and DER
     openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-@@ -382,7 +406,7 @@ then
+@@ -382,7 +407,7 @@ then
     openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
 
     # Cleanup
@ -142,7 +164,7 @@ index 944cc66..39ed3bf 100755
 fi
 
 
-@@ -432,10 +456,10 @@ then
+@@ -432,10 +457,10 @@ then
                       -in ./temp_srk_req.pem \
                       -cert ${ca_cert}.pem \
                    -keyfile ${ca_key}.pem \
@ -155,7 +177,7 @@ index 944cc66..39ed3bf 100755
 
         # Convert SRK Certificate to DER format
         openssl x509 -inform PEM -outform DER \
-@@ -456,7 +480,7 @@ then
+@@ -456,7 +481,7 @@ then
                       -out ${srk_key}.pem
 
         # Cleanup
@ -164,7 +186,7 @@ index 944cc66..39ed3bf 100755
         i=$((i+1))
     done
 else
-@@ -505,10 +529,10 @@ do
+@@ -505,10 +530,10 @@ do
                   -in ./temp_srk_req.pem \
                   -cert ${ca_cert}.pem \
                   -keyfile ${ca_key}.pem \
@ -177,7 +199,7 @@ index 944cc66..39ed3bf 100755
 
     # Convert SRK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
-@@ -574,10 +598,10 @@ do
+@@ -574,10 +599,10 @@ do
                -in ./temp_csf_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
@ -190,7 +212,7 @@ index 944cc66..39ed3bf 100755
 
     # Convert CSF Certificate to DER format
     openssl x509 -inform PEM -outform DER \
-@@ -596,7 +620,7 @@ do
+@@ -596,7 +621,7 @@ do
                   -out ${csf_key}.pem
 
     # Cleanup
@ -199,7 +221,7 @@ index 944cc66..39ed3bf 100755
 
     echo
     echo ++++++++++++++++++++++++++++++++++++++++
-@@ -636,10 +660,10 @@ do
+@@ -636,10 +661,10 @@ do
                -in ./temp_img_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
@ -212,9 +234,13 @@ index 944cc66..39ed3bf 100755
 
     # Convert IMG Certificate to DER format
     openssl x509 -inform PEM -outform DER \
-@@ -658,7 +682,7 @@ do
+@@ -657,8 +682,11 @@ do
+                   -in temp_img.pem \
                   -out ${img_key}.pem
 
+    # Extract public key from the certificate
+    openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+
     # Cleanup
 -    \rm ./temp_img.pem ./temp_img_req.pem
 +    rm ./temp_img.pem ./temp_img_req.pem
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch
@ -1,17 +1,25 @@
 From: Arturo Buzarra <arturo.buzarra@digi.com>
 Date: Wed, 22 Jul 2020 15:10:21 +0200
-Subject: [PATCH] ahab_pki_tree.sh: automate script
+Subject: [PATCH] ahab_pki_tree.sh: adapt script for DEY

-This commit introduce a new command line argument to specify the
-CSF path folder and prepare it to automate the build process.
+* support non interactive execution: introduce a new command line
+  argument to specify the CSF path folder and prepare it to automate the
+  build process.

+* use a random password for the default PKI generation
+
+* extract public keys from certificates: the public key needs to be
+  available on the rootfs so that signed SWU packages can be authenticated.
+
+Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
+Co-Authored-By: Mike Engel <Mike.Engel@digi.com>
 Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
 ---
- keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++--------------
- 1 file changed, 47 insertions(+), 23 deletions(-)
+ keys/ahab_pki_tree.sh | 80 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 54 insertions(+), 26 deletions(-)

 diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
-index f5ab36c..2c16533 100755
+index f5ab36c..13843f9 100755
 --- a/keys/ahab_pki_tree.sh
 +++ b/keys/ahab_pki_tree.sh
@@ -64,6 +64,8 @@ printf "    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
@ -124,7 +132,21 @@ index f5ab36c..2c16533 100755
 
 # Switch current working directory to keys directory, if needed.
 if [ "${crt_dir}" != "${keys_dir}" ]
-@@ -377,7 +401,7 @@ then
+@@ -329,9 +353,10 @@ fi
+ # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
+ if [ ! -f key_pass.txt ]
+ then
+-    echo "test" > key_pass.txt
+-    echo "test" >> key_pass.txt
+-    echo "A default file 'key_pass.txt' was created with password = test!"
+    password="$(openssl rand -base64 32)"
+    echo "${password}" > key_pass.txt
+    echo "${password}" >> key_pass.txt
+    echo "A file 'key_pass.txt' was created with a random password!"
+ fi
+ 
+ # The following is required otherwise OpenSSL complains
+@@ -377,7 +402,7 @@ then
                    -x509 -extensions v3_ca \
                    -keyout temp_ca.pem \
                    -out ${ca_cert}.pem \
@ -133,7 +155,7 @@ index f5ab36c..2c16533 100755
 
     # Generate CA key in PKCS #8 format - both PEM and DER
     openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
-@@ -394,7 +418,7 @@ then
+@@ -394,7 +419,7 @@ then
     openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
 
     # Cleanup
@ -142,7 +164,7 @@ index f5ab36c..2c16533 100755
 fi
 
 
-@@ -468,7 +492,7 @@ then
+@@ -468,7 +493,7 @@ then
                       -out ${srk_key}.pem
 
         # Cleanup
@ -151,7 +173,7 @@ index f5ab36c..2c16533 100755
         i=$((i+1))
     done
 else
-@@ -517,10 +541,10 @@ do
+@@ -517,10 +542,10 @@ do
                   -in ./temp_srk_req.pem \
                   -cert ${ca_cert}.pem \
                   -keyfile ${ca_key}.pem \
@ -164,7 +186,7 @@ index f5ab36c..2c16533 100755
 
     # Convert SRK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
-@@ -541,7 +565,7 @@ do
+@@ -541,7 +566,7 @@ do
                   -out ${srk_key}.pem
 
     # Cleanup
@ -173,7 +195,7 @@ index f5ab36c..2c16533 100755
 
     echo
     echo ++++++++++++++++++++++++++++++++++++++++
-@@ -586,10 +610,10 @@ do
+@@ -586,10 +611,10 @@ do
                -in ./temp_sgk_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
@ -186,9 +208,13 @@ index f5ab36c..2c16533 100755
 
     # Convert SGK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
-@@ -608,7 +632,7 @@ do
+@@ -607,8 +632,11 @@ do
+                   -in temp_sgk.pem \
                   -out ${sgk_key}.pem
 
+    # Extract public key from the certificate
+    openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+
     # Cleanup
 -    \rm ./temp_sgk.pem ./temp_sgk_req.pem
 +    rm ./temp_sgk.pem ./temp_sgk_req.pem
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
@ -1,28 +0,0 @@
-From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
-Date: Fri, 29 Jul 2016 17:20:28 +0200
-Subject: [PATCH] hab4_pki_tree.sh: usa a random password for the default PKI
- generation
-
-Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
- keys/hab4_pki_tree.sh | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
-index 39ed3bf..ac6fb29 100755
--- a/keys/hab4_pki_tree.sh
-+++ b/keys/hab4_pki_tree.sh
-@@ -342,9 +342,10 @@ fi
- # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
- if [ ! -f key_pass.txt ]
- then
-    echo "test" > key_pass.txt
-    echo "test" >> key_pass.txt
-    echo "A default file 'key_pass.txt' was created with password = test!"
-+    password="$(openssl rand -base64 32)"
-+    echo "${password}" > key_pass.txt
-+    echo "${password}" >> key_pass.txt
-+    echo "A file 'key_pass.txt' was created with a random password!"
- fi
- 
- # The following is required otherwise OpenSSL complains
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch
@ -1,4 +1,3 @@
-From fe51b132c7c07de5a63c3dfc5a16bc9fc7816f7e Mon Sep 17 00:00:00 2001
 From: Hector Palacios <hector.palacios@digi.com>
 Date: Mon, 30 Jan 2023 10:38:22 +0100
 Subject: [PATCH] rules.mk: weaken specific function err_msg()
@ -19,7 +18,7 @@ https://onedigi.atlassian.net/browse/DEL-8033
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk
-index 1c0842bd070e..032e18bc5134 100755
+index 1c0842b..032e18b 100755
 --- a/code/cst/code/build/make/rules.mk
 +++ b/code/cst/code/build/make/rules.mk
@@ -27,7 +27,7 @@ LFLAGS  := -t
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
@ -1,28 +0,0 @@
-From: Mike Engel <Mike.Engel@digi.com>
-Date: Fri, 24 Jan 2020 17:47:56 +0100
-Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI
- generation
-
-Signed-off-by: Mike Engel <Mike.Engel@digi.com>
---
- keys/ahab_pki_tree.sh | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
-index 2c16533..b85b00d 100755
--- a/keys/ahab_pki_tree.sh
-+++ b/keys/ahab_pki_tree.sh
-@@ -353,9 +353,10 @@ fi
- # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
- if [ ! -f key_pass.txt ]
- then
-    echo "test" > key_pass.txt
-    echo "test" >> key_pass.txt
-    echo "A default file 'key_pass.txt' was created with password = test!"
-+    password="$(openssl rand -base64 32)"
-+    echo "${password}" > key_pass.txt
-+    echo "${password}" >> key_pass.txt
-+    echo "A file 'key_pass.txt' was created with a random password!"
- fi
- 
- # The following is required otherwise OpenSSL complains
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
@ -1,42 +0,0 @@
-From: Hector Palacios <hector.palacios@digi.com>
-Date: Thu, 3 Aug 2023 16:25:36 +0200
-Subject: [PATCH] pki_tree.sh: extract public keys from certificates
-
-The public key needs to be available on the rootfs so that signed SWU
-packages can be authenticated.
-Do this on the PKI generation script so that recipes don't need to do it.
-
-Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
- keys/ahab_pki_tree.sh | 3 +++
- keys/hab4_pki_tree.sh | 3 +++
- 2 files changed, 6 insertions(+)
-
-diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
-index 7f10c5388146..63b5ce58ade7 100755
--- a/keys/ahab_pki_tree.sh
-+++ b/keys/ahab_pki_tree.sh
-@@ -632,6 +632,9 @@ do
-                   -in temp_sgk.pem \
-                   -out ${sgk_key}.pem
- 
-+    # Extract public key from the certificate
-+    openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
-+
-     # Cleanup
-     rm ./temp_sgk.pem ./temp_sgk_req.pem
- 
-diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
-index ac6fb29b7f91..e76f22f40643 100755
--- a/keys/hab4_pki_tree.sh
-+++ b/keys/hab4_pki_tree.sh
-@@ -682,6 +682,9 @@ do
-                   -in temp_img.pem \
-                   -out ${img_key}.pem
- 
-+    # Extract public key from the certificate
-+    openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
-+
-     # Cleanup
-     rm ./temp_img.pem ./temp_img_req.pem
-