Change the way private key and cert are embedded.

OpenSSL seems to serialize bigints as signed value, which means the ECC key may end up being 33 bytes instead of the 32 bytes we're expecting, causing build to fail. The shell script extraction is now replaced by a build.rs script that uses OpenSSL to extract the content and do sanity checks. Forcing generating cryptographic materials now always generate a key and a certificate (useful to compile/flash multiple keys without them being considered as clones). The self-signed CA is left untouched.
2020-02-05 18:43:59 +01:00
parent 3d3f3554b3
commit fdbfb1be2a
5 changed files with 105 additions and 87 deletions
--- a/src/ctap/key_material.rs
+++ b/src/ctap/key_material.rs
@@ -0,0 +1,21 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+pub const AAGUID: [u8; 16] = *include_bytes!(concat!(env!("OUT_DIR"), "/opensk_aaguid.bin"));
+
+pub const ATTESTATION_CERTIFICATE: &[u8] =
+    include_bytes!(concat!(env!("OUT_DIR"), "/opensk_cert.bin"));
+
+pub const ATTESTATION_PRIVATE_KEY: [u8; 32] =
+    *include_bytes!(concat!(env!("OUT_DIR"), "/opensk_pkey.bin"));