From 6ab1f5473202d135c5e813b5f0af629a6f6a2c41 Mon Sep 17 00:00:00 2001
From: Lans Zhang
Date: Tue, 11 Jul 2017 12:54:40 +0800
Subject: create-user-key-store.sh: clean up subject and support password protection for private key

Signed-off-by: Lans Zhang
---
 meta-signing-key/scripts/create-user-key-store.sh | 35 +++++++++++++++--------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
index db05f4f..e2a246e 100755
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -64,6 +64,7 @@ ca_sign() {
     local ca_key_dir="$3"
     local ca_key_name="$4"
     local subject="$5"
+    local encrypted="$6"
 
     # Self signing ?
     if [ "$key_name" = "$ca_key_name" ]; then
@@ -73,11 +74,21 @@ ca_sign() {
             -keyout "$key_dir/$key_name.key" \
             -out "$key_dir/$key_name.crt"
     else
-        openssl req -new -newkey rsa:2048 \
-            -sha256 -nodes \
-            -subj "$subject" \
-            -keyout "$key_dir/$key_name.key" \
-            -out "$key_dir/$key_name.csr"
+        if [ -z "$encrypted" ]; then
+            openssl req -new -newkey rsa:2048 \
+                -sha256 -nodes \
+                -subj "$subject" \
+                -keyout "$key_dir/$key_name.key" \
+                -out "$key_dir/$key_name.csr"
+        else
+            # Prompt user to type the password
+            openssl genrsa -des3 -out "$key_dir/$key_name.key" 2048
+
+            openssl req -new -sha256 \
+                -subj "$subject" \
+                -key "$key_dir/$key_name.key" \
+                -out "$key_dir/$key_name.csr"
+        fi
 
         local ca_cert="$ca_key_dir/$ca_key_name.crt"
         local ca_cert_form="PEM"
@@ -105,11 +116,11 @@ create_uefi_sb_user_keys() {
     [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
 
     ca_sign "$key_dir" PK "$key_dir" PK \
-        "/CN=PK Certificate for $USER@`hostname`/"
+        "/CN=PK Certificate/"
     ca_sign "$key_dir" KEK "$key_dir" PK \
-        "/CN=KEK Certificate for $USER@`hostname`"
+        "/CN=KEK Certificate"
     ca_sign "$key_dir" DB "$key_dir" KEK \
-        "/CN=DB Certificate for $USER@`hostname`"
+        "/CN=DB Certificate"
 }
 
 create_mok_sb_user_keys() {
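Review bot: The new sixth parameter `encrypted` is an undocumented positional flag whose only meaning is "non-empty means passphrase-protect the private key" (the `[ -z "$encrypted" ]` test in the following hunk), and the one caller that sets it, in the create_ima_user_key hunk, passes the bare literal "enc". A comment beside the declaration would make that contract explicit, e.g. `local encrypted="$6"   # optional: any non-empty value => passphrase-protect the private key`. The rest of ca_sign's header and body lies outside this hunk.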
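Review bot: The passphrase-protected branch generates the key with `openssl genrsa -des3`, which wraps it in legacy 3DES traditional-PEM encryption derived from the passphrase by OpenSSL's single-iteration MD5 scheme, and its exit status is never checked, so a mistyped or mismatched passphrase leaves no usable key while the following `openssl req -key` (which prompts for the passphrase a second time) and the CA signing step still run. Generating a PKCS#8 key with AES and PBKDF2, and stopping on failure, addresses both: `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc -out "$key_dir/$key_name.key" || return 1` (at minimum `-aes256` in place of `-des3` plus the `|| return 1`). Whether `set -e` is active for this script cannot be seen from the hunk, so the explicit check is the safe choice either way. The `# Prompt user to type the password` comment would also help the operator if it named the key being protected, since neither openssl prompt says which file it is for; the signing step that consumes the CSR is outside this hunk.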
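Review bot: The three rewritten subject strings disagree about the trailing slash: `"/CN=PK Certificate/"` ends with one while `"/CN=KEK Certificate"` and `"/CN=DB Certificate"` do not, and every other subject this commit rewrites (the shim, vendor, system-trusted and IMA hunks) keeps the trailing slash. OpenSSL tolerates both spellings, but a single form keeps the strings consistent and grep-able; `"/CN=KEK Certificate/"` and `"/CN=DB Certificate/"` would match the rest. Dropping `$USER@`hostname`` also means every key store produced by this script now carries identical subject names, so two PK or DB certificates from different runs can only be told apart by serial number or key identifier; if that is intended, a short comment above the `ca_sign` calls saying so would stop a later reader from re-adding the host-specific suffix.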
@@ -118,9 +129,9 @@ create_mok_sb_user_keys() {
     [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
 
     ca_sign "$key_dir" shim_cert "$key_dir" shim_cert \
-        "/CN=Shim Certificate for $USER@`hostname`/"
+        "/CN=Shim Certificate/"
     ca_sign "$key_dir" vendor_cert "$key_dir" vendor_cert \
-        "/CN=Vendor Certificate for $USER@`hostname`/"
+        "/CN=Vendor Certificate/"
 }
 
 create_system_user_key() {
@@ -129,7 +140,7 @@ create_system_user_key() {
     [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
 
     ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
-        "/CN=System Trusted Certificate for $USER@`hostname`/"
+        "/CN=System Trusted Certificate/"
 }
 
 create_ima_user_key() {
@@ -138,7 +149,7 @@ create_ima_user_key() {
     [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
 
     ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \
-        "/CN=IMA Trusted Certificate for $USER@`hostname`/"
+        "/CN=IMA Trusted Certificate/" "enc"
 
     pem2der "$key_dir/x509_ima.crt"
     rm -f "$key_dir/x509_ima.crt"
-- 
cgit v1.2.3-54-g00ecf
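Review bot: Passing "enc" makes the IMA signing key the only passphrase-protected key in the store, but nothing in create_ima_user_key records that the resulting `x509_ima.key` can no longer be loaded without that passphrase; any later non-interactive step that signs with this key will need a way to supply it (openssl's `-passin`, or the signing tool's equivalent), which cannot be verified from this hunk. A comment such as `# x509_ima.key is passphrase-protected; later signing with it must supply the passphrase` next to the `ca_sign` call would capture that, and would also explain why this key alone gets the sixth argument. The pem2der and rm lines that follow act on the certificate only and are unaffected.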