diff options
| author | Lans Zhang <jia.zhang@windriver.com> | 2017-07-03 15:50:59 +0800 |
|---|---|---|
| committer | Lans Zhang <jia.zhang@windriver.com> | 2017-07-03 15:50:59 +0800 |
| commit | 353a003f1bd422ea71ed7009e2d7ed04476bc6e2 (patch) | |
| tree | badd337c0b4bc19b81f33fc3b8f6d72c0e7a4422 /meta-signing-key | |
| parent | 3816bb03fd895b37d9eca3b2e4f68283a999c3e6 (diff) | |
| download | meta-secure-core-353a003f1bd422ea71ed7009e2d7ed04476bc6e2.tar.gz | |
Use the DER-formatted system trusted key
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Diffstat (limited to 'meta-signing-key')
| -rw-r--r-- | meta-signing-key/recipes-support/key-store/key-store_0.1.bb | 6 | ||||
| -rwxr-xr-x | meta-signing-key/scripts/create-user-key-store.sh | 24 |
2 files changed, 26 insertions, 4 deletions
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 7b9572e..41e6797 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb | |||
| @@ -29,10 +29,10 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg" | |||
| 29 | SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" | 29 | SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" |
| 30 | 30 | ||
| 31 | # For ${PN}-ima-privkey | 31 | # For ${PN}-ima-privkey |
| 32 | IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.pem" | 32 | IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt" |
| 33 | 33 | ||
| 34 | # For ${PN}-system-trusted-cert | 34 | # For ${PN}-system-trusted-cert |
| 35 | SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.pem" | 35 | SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der" |
| 36 | FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" | 36 | FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" |
| 37 | CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" | 37 | CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" |
| 38 | 38 | ||
| @@ -83,7 +83,7 @@ do_install() { | |||
| 83 | install -d "${D}${KEY_DIR}" | 83 | install -d "${D}${KEY_DIR}" |
| 84 | 84 | ||
| 85 | key_dir="${@uks_system_trusted_keys_dir(d)}" | 85 | key_dir="${@uks_system_trusted_keys_dir(d)}" |
| 86 | install -m 0644 "$key_dir/system_trusted_key.pem" "${D}${SYSTEM_CERT}" | 86 | install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}" |
| 87 | 87 | ||
| 88 | if [ "${@uks_signing_model(d)}" = "sample" ]; then | 88 | if [ "${@uks_signing_model(d)}" = "sample" ]; then |
| 89 | install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" | 89 | install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" |
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index fc871a7..b8cce9e 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh | |||
| @@ -47,6 +47,13 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys" | |||
| 47 | SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys" | 47 | SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys" |
| 48 | IMA_KEYS_DIR="$KEYS_DIR/ima_keys" | 48 | IMA_KEYS_DIR="$KEYS_DIR/ima_keys" |
| 49 | 49 | ||
| 50 | pem2der() { | ||
| 51 | local src="$1" | ||
| 52 | local dst="${src/.crt/.der}" | ||
| 53 | |||
| 54 | openssl x509 -in "$src" -outform DER -out "$dst" | ||
| 55 | } | ||
| 56 | |||
| 50 | ca_sign() { | 57 | ca_sign() { |
| 51 | local key_dir="$1" | 58 | local key_dir="$1" |
| 52 | local key_name="$2" | 59 | local key_name="$2" |
| @@ -68,8 +75,17 @@ ca_sign() { | |||
| 68 | -keyout "$key_dir/$key_name.key" \ | 75 | -keyout "$key_dir/$key_name.key" \ |
| 69 | -out "$key_dir/$key_name.csr" | 76 | -out "$key_dir/$key_name.csr" |
| 70 | 77 | ||
| 78 | local ca_cert="$ca_key_dir/$ca_key_name.crt" | ||
| 79 | local ca_cert_form="PEM" | ||
| 80 | |||
| 81 | [ ! -s "$ca_cert" ] && { | ||
| 82 | ca_cert="$ca_key_dir/$ca_key_name.der" | ||
| 83 | ca_cert_form="DER" | ||
| 84 | } | ||
| 85 | |||
| 71 | openssl x509 -req -in "$key_dir/$key_name.csr" \ | 86 | openssl x509 -req -in "$key_dir/$key_name.csr" \ |
| 72 | -CA "$ca_key_dir/$ca_key_name.crt" \ | 87 | -CA "$ca_cert" \ |
| 88 | -CAform "$ca_cert_form" \ | ||
| 73 | -CAkey "$ca_key_dir/$ca_key_name.key" \ | 89 | -CAkey "$ca_key_dir/$ca_key_name.key" \ |
| 74 | -set_serial 1 -days 3650 \ | 90 | -set_serial 1 -days 3650 \ |
| 75 | -out "$key_dir/$key_name.crt" | 91 | -out "$key_dir/$key_name.crt" |
| @@ -109,6 +125,9 @@ create_system_user_key() { | |||
| 109 | 125 | ||
| 110 | ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \ | 126 | ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \ |
| 111 | "/CN=System Trusted Certificate for $USER@`hostname`/" | 127 | "/CN=System Trusted Certificate for $USER@`hostname`/" |
| 128 | |||
| 129 | pem2der "$key_dir/system_trusted_key.crt" | ||
| 130 | rm -f "$key_dir/system_trusted_key.crt" | ||
| 112 | } | 131 | } |
| 113 | 132 | ||
| 114 | create_ima_user_key() { | 133 | create_ima_user_key() { |
| @@ -118,6 +137,9 @@ create_ima_user_key() { | |||
| 118 | 137 | ||
| 119 | ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \ | 138 | ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \ |
| 120 | "/CN=IMA Trusted Certificate for $USER@`hostname`/" | 139 | "/CN=IMA Trusted Certificate for $USER@`hostname`/" |
| 140 | |||
| 141 | pem2der "$key_dir/x509_ima.crt" | ||
| 142 | rm -f "$key_dir/x509_ima.crt" | ||
| 121 | } | 143 | } |
| 122 | 144 | ||
| 123 | create_user_keys() { | 145 | create_user_keys() { |