Change PKI so that attestation certs are fully compliant. (#668)
* Change PKI so that attestation certs are fully compliant. Initially we generated the smallest certificate possible. Unfortunately sometimes attestation certificates are thoroughly checked and the FIDO x509v3 extensions must be present. This PR now creates a PKI (root CA and signing CA) with corresponding CRLs and also allows to create multiple batch certificates for the keys instead of a single one. The latest generated batch cert/key is automatically symlinked so that the previous documentation still holds. * Change openssl options to support older versions * OSX doesn't support long options --------- Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
This commit is contained in:
Jean-Michel Picod
committed by
GitHub
GitHub
parent
5fdc6e0739
commit
6b8aa3aaf3
8
setup.sh
8
setup.sh
@@ -1,5 +1,5 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright 2019 Google LLC
|
||||
# Copyright 2019-2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -40,7 +40,11 @@ check_command "$PIP"
|
||||
|
||||
# Ensure we have certificates, keys, etc. so that the tests can run
|
||||
source tools/gen_key_materials.sh
|
||||
generate_crypto_materials N
|
||||
generate_pki N
|
||||
if [ ! -f "crypto_data/opensk.key" -o ! -f "crypto_data/opensk_cert.pem" ]
|
||||
then
|
||||
generate_new_batch
|
||||
fi
|
||||
|
||||
rustup show
|
||||
"$PIP" install --upgrade -r requirements.txt
|
||||
|
||||
Reference in New Issue
Block a user