* Change PKI so that attestation certs are fully compliant.
Initially we generated the smallest certificate possible.
Unfortunately sometimes attestation certificates are
thoroughly checked and the FIDO x509v3 extensions must be present.
This PR now creates a PKI (root CA and signing CA) with corresponding
CRLs and also allows to create multiple batch certificates for the keys
instead of a single one.
The latest generated batch cert/key is automatically symlinked so that
the previous documentation still holds.
* Change openssl options to support older versions
* OSX doesn't support long options
---------
Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
Updated the shell script that generates the certificates and the
documentation accordingly.
Caveat: now installation is a 2-step procedure, installing OS and
application are split into 2 commands.
OpenSSL seems to serialize bigints as signed value, which means the ECC
key may end up being 33 bytes instead of the 32 bytes we're expecting,
causing build to fail.
The shell script extraction is now replaced by a build.rs script that
uses OpenSSL to extract the content and do sanity checks.
Forcing generating cryptographic materials now always generate a key and
a certificate (useful to compile/flash multiple keys without them being
considered as clones). The self-signed CA is left untouched.
