From: "Diaz de Grenu, Jose" Date: Mon, 18 Jul 2016 13:21:11 +0200 Subject: [PATCH] hab4_pki_tree.sh: automate script Signed-off-by: Diaz de Grenu, Jose --- keys/hab4_pki_tree.sh | 347 ++++++++++++++++---------------------------------- 1 file changed, 107 insertions(+), 240 deletions(-) diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh index 7dd67f68c8df..b2c6b71b604e 100755 --- a/keys/hab4_pki_tree.sh +++ b/keys/hab4_pki_tree.sh @@ -42,84 +42,40 @@ # #----------------------------------------------------------------------------- -printf "\n" -printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" -printf " This script is a part of the Code signing tools for Freescale's\n" -printf " High Assurance Boot. It generates a basic PKI tree. The PKI\n" -printf " tree consists of one or more Super Root Keys (SRK), with each\n" -printf " SRK having two subordinate keys: \n" -printf " + a Command Sequence File (CSF) key \n" -printf " + Image key. \n" -printf " Additional keys can be added to the PKI tree but a separate \n" -printf " script is available for this. This this script assumes openssl\n" -printf " is installed on your system and is included in your search \n" -printf " path. Finally, the private keys generated are password \n" -printf " protectedwith the password provided by the file key_pass.txt.\n" -printf " The format of the file is the password repeated twice:\n" -printf " my_password\n" -printf " my_password\n" -printf " All private keys in the PKI tree are in PKCS #8 format will be\n" -printf " protected by the same password.\n\n" -printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" - -stty erase  - -printf "Do you want to use an existing CA key (y/n)?: \b" -read existing_ca -if [ $existing_ca = "y" ] -then - printf "Enter CA key name: \b" - read ca_key - printf "Enter CA certificate name: \b" - read ca_cert +SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" +CSF_PATH="${1}" +if [ ! -d "${CSF_PATH}" ]; then + echo "Invalid CSF_PATH: ${CSF_PATH}" + exit 1 fi -printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b" -read use_ecc -if [ $use_ecc = "y" ] -then - printf "Enter length for elliptic curve to be used for PKI tree:\n" - printf "Possible values p192, p256, p521: \b" - read kl - - # Confirm that a valid key length has been entered - case $kl in - p192) - cn="secp112r1" ;; - p256) - cn="prime256v1" ;; - p521) - cn="secp521r1" ;; - *) - echo Invalid key length. Supported key lengths: 192, 256, 521 - exit 1 ;; - esac -else - printf "Enter key length in bits for PKI tree: \b" - read kl - - # Confirm that a valid key length has been entered - case $kl in - 1024) ;; - 2048) ;; - 3072) ;; - 4096) ;; - *) - echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096 - exit 1 ;; - esac -fi +cd "${CSF_PATH}" + +[ -d crts ] || mkdir crts +[ -d keys ] || mkdir keys +cd keys +existing_ca="n" +kl="4096" -printf "Enter PKI tree duration (years): \b" -read duration +# Confirm that a valid key length has been entered +case $kl in + 1024) ;; + 2048) ;; + 3072) ;; + 4096) ;; + *) + echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096 + exit 1 ;; +esac + +duration="10" # Compute validity period val_period=$((duration*365)) -printf "How many Super Root Keys should be generated? \b" -read num_srk +num_srk="4" # Check that 0 < num_srk <= 4 (Max. number of SRKs) if [ $num_srk -lt 1 ] || [ $num_srk -gt 4 ] @@ -128,10 +84,7 @@ then exit 1 fi -# Check if SRKs should be generated as CA certs or user certs -printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b" -read srk_ca - +srk_ca="y" # Check that the file "serial" is present, if not create it: if [ ! -f serial ] then @@ -154,6 +107,9 @@ echo "unique_subject = no" > index.txt.attr if [ $existing_ca = "n" ] then + ca_key=./CA1_sha256_${kl}_65537_v3_ca_key + ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt + # Generate CA key and certificate # ------------------------------- echo @@ -161,31 +117,12 @@ then echo + Generating CA key and certificate + echo +++++++++++++++++++++++++++++++++++++ echo - - if [ $use_ecc = 'n' ] - then - ca_key=./CA1_sha256_${kl}_65537_v3_ca_key - ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt - ca_subj_req=/CN=CA1_sha256_${kl}_65537_v3_ca/ - ca_key_type=rsa:${kl} - else - - # Generate Elliptic Curve parameters: - eck='ec-'$cn'.pem' - openssl ecparam -out $eck -name $cn - - ca_key=./CA1_sha256_${cn}_v3_ca_key - ca_cert=../crts/CA1_sha256_${cn}_v3_ca_crt - ca_subj_req=/CN=CA1_sha256_${cn}_v3_ca/ - ca_key_type=ec:${eck} - fi - - openssl req -newkey ${ca_key_type} -passout file:./key_pass.txt \ - -subj ${ca_subj_req} \ - -x509 -extensions v3_ca \ - -keyout temp_ca.pem \ - -out ${ca_cert}.pem \ - -days ${val_period} -config ../ca/openssl.cnf + openssl req -newkey rsa:${kl} -passout file:./key_pass.txt \ + -subj /CN=CA1_sha256_${kl}_65537_v3_ca/ \ + -x509 -extensions v3_ca \ + -keyout temp_ca.pem \ + -out ${ca_cert}.pem \ + -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ @@ -202,7 +139,7 @@ then openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der # Cleanup - \rm temp_ca.pem + rm temp_ca.pem fi @@ -219,64 +156,48 @@ then echo + Generating SRK key and certificate $i + echo ++++++++++++++++++++++++++++++++++++++++ echo - if [ $use_ecc = 'n' ] - then - # Generate SRK key - openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ - -out ./temp_srk.pem ${kl} - - srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_usr/ - srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt - srk_key=./SRK${i}_sha256_${kl}_65537_v3_usr_key - else - # Generate Elliptic Curve parameters: - openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey - # Generate SRK key - openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \ - -out ./temp_srk.pem - - srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_usr/ - srk_crt=../crts/SRK${i}_sha256_${cn}_v3_usr_crt - srk_key=./SRK${i}_sha256_${cn}_v3_usr_key - fi + + # Generate SRK key + openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ + -out ./temp_srk.pem ${kl} # Generate SRK certificate signing request openssl req -new -batch -passin file:./key_pass.txt \ - -subj ${srk_subj_req} \ + -subj /CN=SRK${i}_sha256_${kl}_65537_v3_usr/ \ -key ./temp_srk.pem \ -out ./temp_srk_req.pem # Generate SRK certificate (this is a CA cert) - openssl ca -batch -passin file:./key_pass.txt \ - -md sha256 -outdir ./ \ - -in ./temp_srk_req.pem \ - -cert ${ca_cert}.pem \ + openssl ca -batch -passin file:./key_pass.txt \ + -md sha256 -outdir ./ \ + -in ./temp_srk_req.pem \ + -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ - -extfile ../ca/v3_usr.cnf \ - -out ${srk_crt}.pem \ - -days ${val_period} \ - -config ../ca/openssl.cnf + -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ + -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \ + -days ${val_period} \ + -config "${SCRIPT_BASEDIR}/openssl.cnf" # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ - -in ${srk_crt}.pem \ - -out ${srk_crt}.der + -in ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \ + -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.der # Generate SRK key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt \ -passout file:./key_pass.txt \ -topk8 -inform PEM -outform DER -v2 des3 \ -in temp_srk.pem \ - -out ${srk_key}.der + -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.der openssl pkcs8 -passin file:./key_pass.txt \ -passout file:./key_pass.txt \ -topk8 -inform PEM -outform PEM -v2 des3 \ -in temp_srk.pem \ - -out ${srk_key}.pem + -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.pem # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem i=$((i+1)) done else @@ -293,98 +214,60 @@ do echo ++++++++++++++++++++++++++++++++++++++++ echo - if [ $use_ecc = 'n' ] - then - # Generate SRK key - openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ - -out ./temp_srk.pem ${kl} - - srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_ca/ - srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt - srk_key=./SRK${i}_sha256_${kl}_65537_v3_ca_key - else - # Generate Elliptic Curve parameters: - openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey - # Generate SRK key - openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \ - -out ./temp_srk.pem - - srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_ca/ - srk_crt=../crts/SRK${i}_sha256_${cn}_v3_ca_crt - srk_key=./SRK${i}_sha256_${cn}_v3_ca_key - fi + # Generate SRK key + openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ + -out ./temp_srk.pem ${kl} + # Generate SRK certificate signing request - openssl req -new -batch -passin file:./key_pass.txt \ - -subj ${srk_subj_req} \ - -key ./temp_srk.pem \ - -out ./temp_srk_req.pem + openssl req -new -batch -passin file:./key_pass.txt \ + -subj /CN=SRK${i}_sha256_${kl}_65537_v3_ca/ \ + -key ./temp_srk.pem \ + -out ./temp_srk_req.pem # Generate SRK certificate (this is a CA cert) - openssl ca -batch -passin file:./key_pass.txt \ - -md sha256 -outdir ./ \ - -in ./temp_srk_req.pem \ - -cert ${ca_cert}.pem \ - -keyfile ${ca_key}.pem \ - -extfile ../ca/v3_ca.cnf \ - -out ${srk_crt}.pem \ - -days ${val_period} \ - -config ../ca/openssl.cnf + openssl ca -batch -passin file:./key_pass.txt \ + -md sha256 -outdir ./ \ + -in ./temp_srk_req.pem \ + -cert ${ca_cert}.pem \ + -keyfile ${ca_key}.pem \ + -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \ + -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ + -days ${val_period} \ + -config "${SCRIPT_BASEDIR}/openssl.cnf" # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ - -in ${srk_crt}.pem \ - -out ${srk_crt}.der + -in ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ + -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.der # Generate SRK key in PKCS #8 format - both PEM and DER - openssl pkcs8 -passin file:./key_pass.txt \ - -passout file:./key_pass.txt \ + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -topk8 -inform PEM -outform DER -v2 des3 \ -in temp_srk.pem \ - -out ${srk_key}.der + -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.der - openssl pkcs8 -passin file:./key_pass.txt \ - -passout file:./key_pass.txt \ + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -topk8 -inform PEM -outform PEM -v2 des3 \ -in temp_srk.pem \ - -out ${srk_key}.pem + -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem # Cleanup \rm ./temp_srk.pem ./temp_srk_req.pem + echo echo ++++++++++++++++++++++++++++++++++++++++ echo + Generating CSF key and certificate $i + echo ++++++++++++++++++++++++++++++++++++++++ echo - if [ $use_ecc = 'n' ] - then - srk_crt_i=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem - srk_key_i=./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem - # Generate key - openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ - -out ./temp_csf.pem ${kl} - - csf_subj_req=/CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ - csf_crt=../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt - csf_key=./CSF${i}_1_sha256_${kl}_65537_v3_usr_key - else - srk_crt_i=../crts/SRK${i}_sha256_${cn}_v3_ca_crt.pem - srk_key_i=./SRK${i}_sha256_${cn}_v3_ca_key.pem - # Generate Elliptic Curve parameters: - openssl ecparam -out ./temp_csf.pem -name ${cn} -genkey - # Generate key - openssl ec -in ./temp_csf.pem -des3 -passout file:./key_pass.txt \ - -out ./temp_csf.pem - - csf_subj_req=/CN=CSF${i}_1_sha256_${cn}_v3_usr/ - csf_crt=../crts/CSF${i}_1_sha256_${cn}_v3_usr_crt - csf_key=./CSF${i}_1_sha256_${cn}_v3_usr_key - fi + # Generate key + openssl genrsa -des3 -passout file:./key_pass.txt \ + -f4 -out ./temp_csf.pem ${kl} # Generate CSF certificate signing request openssl req -new -batch -passin file:./key_pass.txt \ - -subj ${csf_subj_req} \ + -subj /CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ \ -key ./temp_csf.pem \ -out ./temp_csf_req.pem @@ -392,31 +275,31 @@ do openssl ca -batch -md sha256 -outdir ./ \ -passin file:./key_pass.txt \ -in ./temp_csf_req.pem \ - -cert ${srk_crt_i} \ - -keyfile ${srk_key_i} \ - -extfile ../ca/v3_usr.cnf \ - -out ${csf_crt}.pem \ + -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ + -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \ + -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ + -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" # Convert CSF Certificate to DER format openssl x509 -inform PEM -outform DER \ - -in ${csf_crt}.pem \ - -out ${csf_crt}.der + -in ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ + -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.der # Generate CSF key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -topk8 -inform PEM -outform DER -v2 des3 \ -in temp_csf.pem \ - -out ${csf_key}.der + -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.der openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -topk8 -inform PEM -outform PEM -v2 des3 \ -in temp_csf.pem \ - -out ${csf_key}.pem + -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.pem # Cleanup - \rm ./temp_csf.pem ./temp_csf_req.pem + rm ./temp_csf.pem ./temp_csf_req.pem echo echo ++++++++++++++++++++++++++++++++++++++++ @@ -424,61 +307,45 @@ do echo ++++++++++++++++++++++++++++++++++++++++ echo - if [ $use_ecc = 'n' ] - then - # Generate key - openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ - -out ./temp_img.pem ${kl} - - img_subj_req=/CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ - img_crt=../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt - img_key=./IMG${i}_1_sha256_${kl}_65537_v3_usr_key - else - # Generate Elliptic Curve parameters: - openssl ecparam -out ./temp_img.pem -name ${cn} -genkey - # Generate key - openssl ec -in ./temp_img.pem -des3 -passout file:./key_pass.txt \ - -out ./temp_img.pem - - img_subj_req=/CN=IMG${i}_1_sha256_${cn}_v3_usr/ - img_crt=../crts/IMG${i}_1_sha256_${cn}_v3_usr_crt - img_key=./IMG${i}_1_sha256_${cn}_v3_usr_key - fi + # Generate key + openssl genrsa -des3 -passout file:./key_pass.txt \ + -f4 -out ./temp_img.pem ${kl} # Generate IMG certificate signing request openssl req -new -batch -passin file:./key_pass.txt \ - -subj ${img_subj_req} \ + -subj /CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ \ -key ./temp_img.pem \ -out ./temp_img_req.pem openssl ca -batch -md sha256 -outdir ./ \ -passin file:./key_pass.txt \ -in ./temp_img_req.pem \ - -cert ${srk_crt_i} \ - -keyfile ${srk_key_i} \ - -extfile ../ca/v3_usr.cnf \ - -out ${img_crt}.pem \ + -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ + -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \ + -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ + -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" # Convert IMG Certificate to DER format openssl x509 -inform PEM -outform DER \ - -in ${img_crt}.pem \ - -out ${img_crt}.der + -in ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ + -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.der # Generate IMG key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -topk8 -inform PEM -outform DER -v2 des3 \ -in temp_img.pem \ - -out ${img_key}.der + -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.der openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -topk8 -inform PEM -outform PEM -v2 des3 \ -in temp_img.pem \ - -out ${img_key}.pem + -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.pem # Cleanup - \rm ./temp_img.pem ./temp_img_req.pem + rm ./temp_img.pem ./temp_img_req.pem + i=$((i+1)) done