Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
meta-digi/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-autom...

198 lines
5.7 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 15:10:21 +0200
Subject: [PATCH] ahab_pki_tree.sh: automate script
This commit introduce a new command line argument to specify the
CSF path folder and prepare it to automate the build process.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++--------------
1 file changed, 47 insertions(+), 23 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index f5ab36c..2c16533 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
stty erase 
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+
if [ $# -gt 0 ]; then
interactive="n"
else
@@ -78,7 +80,7 @@ usage()
echo "$0"
echo
echo "Command Line Mode:"
- echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
+ echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
echo "Options:"
echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521"
echo " : -use-ecc = n then Supported key lengths: 2048, 3072, 4096"
@@ -88,10 +90,18 @@ usage()
echo
}
-max_param=16
-min_param=12
+max_param=18
+min_param=1
num_param=1
+# Default values
+existing_ca="n"
+use_ecc="y"
+kl=p521
+da=sha512
+duration=10
+srk_ca="y"
+
if [ $interactive = "n" ]
then
# Validate command line parameters
@@ -110,6 +120,11 @@ then
while [ $num_param -le $max_param ] && [ "$1" != "" ]
do
case $1 in
+ -csf-path)
+ shift
+ CSF_PATH=$1
+ shift
+ ;;
-existing-ca)
shift
existing_ca=$1
@@ -163,9 +178,8 @@ then
shift
;;
*)
- echo "ERROR: Invalid parameter: $1"
- usage
- exit 1
+ CSF_PATH=$1
+ shift
;;
esac
num_param=$(( num_param + 2 ))
@@ -255,6 +269,16 @@ then
read duration
fi
+# CSF folder structure
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ usage
+ exit 1
+fi
+cd "${CSF_PATH}"
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+
# Compute validity period
val_period=$((duration*365))
@@ -286,9 +310,9 @@ then
script_name=$0
fi
script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
+keys_dir=${CSF_PATH}/keys/
+crts_dir=${CSF_PATH}/crts/
+ca_dir=${CSF_PATH}/ca/
if [ ! -d "${keys_dir}" ]
then
@@ -302,11 +326,11 @@ then
exit 1
fi
-if [ ! -d "${ca_dir}" ]
-then
- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
- exit 1
-fi
+# if [ ! -d "${ca_dir}" ]
+# then
+# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
+# exit 1
+# fi
# Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ]
@@ -377,7 +401,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -394,7 +418,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -468,7 +492,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -517,10 +541,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_ca.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
-out ${srk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -541,7 +565,7 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -586,10 +610,10 @@ do
-in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
-out ${sgk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -608,7 +632,7 @@ do
-out ${sgk_key}.pem
# Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
i=$((i+1))
done
Reference in New Issue View Git Blame Copy Permalink