From 34f3483f9ea7fc1dbaa5da0d4055504e7c54d19e Mon Sep 17 00:00:00 2001
From: Jean-Michel Picod
Date: Mon, 14 Sep 2020 14:03:57 +0200
Subject: [PATCH] Decoralate AAGUID and certificates

---
 Cargo.toml | 1 +
 build.rs | 11 ++++++++---
 tools/gen_key_materials.sh | 12 ++++++++++--
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 22252d0..a11d0f7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -35,6 +35,7 @@ enum-iterator = "0.6.0"
 
 [build-dependencies]
 openssl = "0.10"
+uuid = { version = "0.8", features = ["v4"] }
 
 [profile.dev]
 panic = "abort"
diff --git a/build.rs b/build.rs
index c8c9007..e9f2835 100644
--- a/build.rs
+++ b/build.rs
@@ -21,8 +21,10 @@ use openssl::pkey::PKey;
 use openssl::x509;
 use std::env;
 use std::fs::File;
+use std::io::Read;
 use std::io::Write;
 use std::path::Path;
+use uuid::Uuid;
 
 fn main() {
     println!("cargo:rerun-if-changed=crypto_data/opensk.key");
@@ -84,7 +86,10 @@ fn main() {
     cert_bin_file.write_all(&cert.to_der().unwrap()).unwrap();
 
     let mut aaguid_bin_file = File::create(&aaguid_bin_path).unwrap();
-    let mut serial = cert.serial_number().to_bn().unwrap().to_vec();
-    serial.resize(16, 0);
-    aaguid_bin_file.write_all(&serial).unwrap();
+    let mut aaguid_txt_file = File::open("crypto_data/aaguid.txt").unwrap();
+    let mut content = String::new();
+    aaguid_txt_file.read_to_string(&mut content).unwrap();
+    content.truncate(36);
+    let aaguid = Uuid::parse_str(&content).unwrap();
+    aaguid_bin_file.write_all(aaguid.as_bytes()).unwrap();
 }
diff --git a/tools/gen_key_materials.sh b/tools/gen_key_materials.sh
index f8a7bca..d9aa432 100755
--- a/tools/gen_key_materials.sh
+++ b/tools/gen_key_materials.sh
@@ -14,6 +14,9 @@
 # limitations under the License.
 
 generate_crypto_materials () {
+    # OpenSK AAGUID
+    local aaguid_file=crypto_data/aaguid.txt
+
     # Root CA key pair and certificate
     local ca_priv_key=crypto_data/opensk_ca.key
     local ca_cert_name=crypto_data/opensk_ca
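Review bot: The `v4` feature on the new `uuid` build-dependency is unused by the code this patch adds: build.rs only calls `Uuid::parse_str` and `as_bytes`, neither of which needs a feature, while `v4` switches on random UUID generation and pulls its extra crates into the build-script dependency graph. `uuid = "0.8"` keeps the build-time supply chain as small as the change actually requires. If generating the UUID in Rust is planned later (for instance to replace the `uuidgen` call in the shell script), the feature can come back together with that code.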
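Review bot: The build script now reads `crypto_data/aaguid.txt` but emits no `cargo:rerun-if-changed` directive for it, so regenerating or hand-editing the AAGUID after the first build leaves the file written to `aaguid_bin_path` stale until some other input changes; the existing `println!("cargo:rerun-if-changed=crypto_data/opensk.key");` in the previous hunk shows the pattern, and a matching `println!("cargo:rerun-if-changed=crypto_data/aaguid.txt");` belongs next to it. Separately, `content.truncate(36)` silently accepts any trailing bytes after the UUID and panics if the cut lands inside a multi-byte character; dropping the `truncate` and using `let aaguid = Uuid::parse_str(content.trim()).unwrap();` still accepts the trailing newline `uuidgen` writes but rejects an empty or otherwise malformed file with a clear parse error. The body of `main` starts outside the hunk.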
@@ -49,7 +52,7 @@ generate_crypto_materials () {
             -new \
             -key "${ca_priv_key}" \
             -out "${ca_cert_name}.csr" \
-            -subj "/CN=Google OpenSK CA"
+            -subj "/CN=OpenSK CA"
         "${openssl}" x509 \
             -trustout \
             -req \
@@ -72,7 +75,7 @@ generate_crypto_materials () {
             -new \
             -key "${opensk_key}" \
             -out "${opensk_cert_name}.csr" \
-            -subj "/CN=Google OpenSK Hacker Edition"
+            -subj "/CN=OpenSK Hacker Edition"
         "${openssl}" x509 \
             -req \
             -days 3652 \
@@ -84,6 +87,11 @@ generate_crypto_materials () {
             -out "${opensk_cert_name}.pem" \
             -sha256
     fi
+
+    if [ "${force_generate}" = "Y" -o ! -f "${aaguid_file}" ]
+    then
+        uuidgen > "${aaguid_file}"
+    fi
 }
 
 generate_crypto_materials "$1"
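Review bot: `uuidgen > "${aaguid_file}"` leaves an empty `crypto_data/aaguid.txt` behind when `uuidgen` is not installed, because the shell creates the redirect target before the command lookup fails; on every later run the `! -f` guard then sees the file and skips regeneration, so the build keeps failing in build.rs on an empty UUID until someone deletes the file by hand. `openssl` is invoked through the `"${openssl}"` variable, presumably resolved earlier in the script, whereas `uuidgen` is called bare; a check such as `command -v uuidgen >/dev/null || { echo "uuidgen not found" >&2; exit 1; }` before the new block, or writing to a temporary file and renaming it only on success, avoids the stuck state. It would also help to note in a comment above the new `if` that `force_generate=Y` replaces the AAGUID along with the keys, since the AAGUID is the identity relying parties associate with this authenticator model; how `force_generate` is derived from `$1` is outside the hunk.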