kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
999e3313063cf8a298a7bc9831310c7d0f097314
OpenSK/tools/gen_key_materials.sh
Jean-Michel Picod 7d421d3ae0 Replace shell script with a python3 script. 
Updated the shell script that generates the certificates and the
documentation accordingly.
Caveat: now installation is a 2-step procedure, installing OS and
application are split into 2 commands.
2020-02-19 11:34:43 +01:00

90 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
generate_crypto_materials () {
# Root CA key pair and certificate
local ca_priv_key=crypto_data/opensk_ca.key
local ca_cert_name=crypto_data/opensk_ca
# Attestation key pair and certificate that will be embedded into the
# firmware. The certificate will be signed by the Root CA.
local opensk_key=crypto_data/opensk.key
local opensk_cert_name=crypto_data/opensk_cert
# Allow invoker to override the command with a full path.
local openssl=${OPENSSL:-$(which openssl)}
# We need openssl command to continue
if [ ! -x "${openssl}" ]
then
echo "Missing openssl command. Try to specify its full path using OPENSSL environment variable."
exit 1
fi
# Exit on first error
set -e
force_generate="$1"
mkdir -p crypto_data
if [ ! -f "${ca_priv_key}" ]
then
"${openssl}" ecparam -genkey -name prime256v1 -out "${ca_priv_key}"
fi
if [ ! -f "${ca_cert_name}.pem" ]
then
"${openssl}" req \
-new \
-key "${ca_priv_key}" \
-out "${ca_cert_name}.csr" \
-subj "/CN=Google OpenSK CA"
"${openssl}" x509 \
-trustout \
-req \
-days 7305 \
-in "${ca_cert_name}.csr" \
-signkey "${ca_priv_key}" \
-outform pem \
-out "${ca_cert_name}.pem" \
-sha256
fi
if [ "${force_generate}" = "Y" -o ! -f "${opensk_key}" ]
then
"${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_key}"
fi
if [ "${force_generate}" = "Y" -o ! -f "${opensk_cert_name}.pem" ]
then
"${openssl}" req \
-new \
-key "${opensk_key}" \
-out "${opensk_cert_name}.csr" \
-subj "/CN=Google OpenSK Hacker Edition"
"${openssl}" x509 \
-req \
-days 3652 \
-in "${opensk_cert_name}.csr" \
-CA "${ca_cert_name}.pem" \
-CAkey "${ca_priv_key}" \
-CAcreateserial \
-outform pem \
-out "${opensk_cert_name}.pem" \
-sha256
fi
}
generate_crypto_materials "$1"
Reference in New Issue View Git Blame Copy Permalink