fdbfb1be2a
OpenSSL seems to serialize bigints as signed value, which means the ECC key may end up being 33 bytes instead of the 32 bytes we're expecting, causing build to fail. The shell script extraction is now replaced by a build.rs script that uses OpenSSL to extract the content and do sanity checks. Forcing generating cryptographic materials now always generate a key and a certificate (useful to compile/flash multiple keys without them being considered as clones). The self-signed CA is left untouched.
88 lines
2.5 KiB
Bash
88 lines
2.5 KiB
Bash
#!/bin/bash
|
|
# Copyright 2019 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
generate_crypto_materials () {
|
|
# Root CA key pair and certificate
|
|
local ca_priv_key=crypto_data/opensk_ca.key
|
|
local ca_cert_name=crypto_data/opensk_ca
|
|
|
|
# Attestation key pair and certificate that will be embedded into the
|
|
# firmware. The certificate will be signed by the Root CA.
|
|
local opensk_key=crypto_data/opensk.key
|
|
local opensk_cert_name=crypto_data/opensk_cert
|
|
|
|
# Rust file that we will generate will all cryptographic data.
|
|
local rust_file=src/ctap/key_material.rs
|
|
|
|
# Allow invoker to override the command with a full path.
|
|
local openssl=${OPENSSL:-$(which openssl)}
|
|
|
|
# We need openssl command to continue
|
|
if [ ! -x "${openssl}" ]
|
|
then
|
|
echo "Missing openssl command. Try to specify its full path using OPENSSL environment variable."
|
|
exit 1
|
|
fi
|
|
|
|
force_generate="$1"
|
|
mkdir -p crypto_data
|
|
if [ ! -f "${ca_priv_key}" ]
|
|
then
|
|
"${openssl}" ecparam -genkey -name prime256v1 -out "${ca_priv_key}"
|
|
fi
|
|
|
|
if [ ! -f "${ca_cert_name}.pem" ]
|
|
then
|
|
"${openssl}" req \
|
|
-new \
|
|
-key "${ca_priv_key}" \
|
|
-out "${ca_cert_name}.csr" \
|
|
-subj "/CN=Google OpenSK CA"
|
|
"${openssl}" x509 \
|
|
-trustout \
|
|
-req \
|
|
-days 7305 \
|
|
-in "${ca_cert_name}.csr" \
|
|
-signkey "${ca_priv_key}" \
|
|
-outform pem \
|
|
-out "${ca_cert_name}.pem" \
|
|
-sha256
|
|
fi
|
|
|
|
if [ "${force_generate}" = "Y" -o ! -f "${opensk_key}" ]
|
|
then
|
|
"${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_key}"
|
|
fi
|
|
|
|
if [ "${force_generate}" = "Y" -o ! -f "${opensk_cert_name}.pem" ]
|
|
then
|
|
"${openssl}" req \
|
|
-new \
|
|
-key "${opensk_key}" \
|
|
-out "${opensk_cert_name}.csr" \
|
|
-subj "/CN=Google OpenSK Hacker Edition"
|
|
"${openssl}" x509 \
|
|
-req \
|
|
-days 3652 \
|
|
-in "${opensk_cert_name}.csr" \
|
|
-CA "${ca_cert_name}.pem" \
|
|
-CAkey "${ca_priv_key}" \
|
|
-CAcreateserial \
|
|
-outform pem \
|
|
-out "${opensk_cert_name}.pem" \
|
|
-sha256
|
|
fi
|
|
}
|