Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
meta-digi/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-autom...

207 lines
6.1 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From: Mike Engel <Mike.Engel@digi.com>
Date: Fri, 24 Jan 2020 17:31:50 +0100
Subject: [PATCH] ahab_pki_tree.sh: automate script
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
---
keys/ahab_pki_tree.sh | 116 ++++++++++++++++++-------------------------------------
1 file changed, 38 insertions(+), 78 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 988c27e..00dd143 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -47,74 +47,36 @@
#
#-----------------------------------------------------------------------------
-printf "\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-printf " This script is a part of the Code signing tools for NXP's\n"
-printf " Advanced High Assurance Boot. It generates a basic PKI tree. The\n"
-printf " PKI tree consists of one or more Super Root Keys (SRK), with each\n"
-printf " SRK having one subordinate keys: \n"
-printf " + a Signing key (SGK) \n"
-printf " Additional keys can be added to the PKI tree but a separate \n"
-printf " script is available for this. This this script assumes openssl\n"
-printf " is installed on your system and is included in your search \n"
-printf " path. Finally, the private keys generated are password \n"
-printf " protectedwith the password provided by the file key_pass.txt.\n"
-printf " The format of the file is the password repeated twice:\n"
-printf " my_password\n"
-printf " my_password\n"
-printf " All private keys in the PKI tree are in PKCS #8 format will be\n"
-printf " protected by the same password.\n\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-
-stty erase 
-
-printf "Do you want to use an existing CA key (y/n)?: \b"
-read existing_ca
-if [ $existing_ca = "y" ]
-then
- printf "Enter CA key name: \b"
- read ca_key
- printf "Enter CA certificate name: \b"
- read ca_cert
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+CSF_PATH="${1}"
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ exit 1
fi
-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b"
-read use_ecc
-if [ $use_ecc = "y" ]
-then
- printf "Enter length for elliptic curve to be used for PKI tree:\n"
- printf "Possible values p256, p384, p521: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- p256)
- cn="prime256v1" ;;
- p384)
- cn="secp384r1" ;;
- p521)
- cn="secp521r1" ;;
- *)
- echo Invalid key length. Supported key lengths: 256, 384, 521
- exit 1 ;;
- esac
-else
- printf "Enter key length in bits for PKI tree: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- 2048) ;;
- 3072) ;;
- 4096) ;;
- *)
- echo Invalid key length. Supported key lengths: 2048, 3072, 4096
- exit 1 ;;
- esac
-fi
+cd "${CSF_PATH}"
+
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+
+cd keys
+
+use_ecc="y"
+existing_ca="n"
+kl="p521"
+cn="secp521r1"
+
+# Confirm that a valid key length has been entered
+case $kl in
+ p256);;
+ p384);;
+ p521);;
+ *)
+ echo Invalid key length. Supported key lengths: 256, 384, 521
+ exit 1 ;;
+esac
-printf "Enter the digest algorithm to use: \b"
-read da
+da="sha512"
# Confirm that a valid digest algorithm has been entered
case $da in
@@ -126,8 +88,7 @@ case $da in
exit 1 ;;
esac
-printf "Enter PKI tree duration (years): \b"
-read duration
+duration="10"
# Compute validity period
val_period=$((duration*365))
@@ -144,8 +105,7 @@ then
fi
# Check if SRKs should be generated as CA certs or user certs
-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b"
-read srk_ca
+srk_ca="y"
# Check that the file "serial" is present, if not create it:
if [ ! -f serial ]
@@ -201,7 +161,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -218,7 +178,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -292,7 +252,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -341,10 +301,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_ca.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
-out ${srk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -365,7 +325,7 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -410,10 +370,10 @@ do
-in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
-out ${sgk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -432,7 +392,7 @@ do
-out ${sgk_key}.pem
# Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
i=$((i+1))
done
Reference in New Issue View Git Blame Copy Permalink