efitools: support to build with openssl-1.1.x

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-08-16 20:31:33 +08:00
parent 8ff4d25a90
commit d5a4de8f09
3 changed files with 78 additions and 0 deletions
@@ -28,6 +28,8 @@ SRC_URI = "\
file://Don-t-build-PreLoader.efi.patch \
file://Reuse-xxdi.pl.patch \
file://Add-static-keyword-for-IsValidVariableHeader.patch \
file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \
file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch \
"
SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93"
@@ -40,6 +42,7 @@ inherit perlnative
EXTRA_OEMAKE = "\
HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \
OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
OPENSSL_CFG=' -config ${STAGING_LIBDIR_NATIVE}/ssl-1.1/openssl.cnf' \
SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
OPENSSL_LIB='${STAGING_LIBDIR}' \
NM='${NM}' AR='${AR}' \
@@ -0,0 +1,43 @@
From ae36390629bd9c92cb732800a341f04ca11cd9c7 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 16 Aug 2017 22:59:12 +0800
Subject: [PATCH] Dynamically load openssl.cnf for openssl-1.0.x and 1.1.x
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Make.rules | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Make.rules b/Make.rules
index 38c7a22..69c57cb 100644
--- a/Make.rules
+++ b/Make.rules
@@ -117,13 +117,23 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
$(CC) -S $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
%.crt:
- $(OPENSSL) req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+ @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
+ cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
+ else \
+ cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
+ fi; \
+ $(OPENSSL) req -config $$cfg -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
%.cer: %.crt
$(OPENSSL) x509 -in $< -out $@ -outform DER
%-subkey.csr:
- $(OPENSSL) req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+ @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
+ cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
+ else \
+ cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
+ fi; \
+ $(OPENSSL) req -config $$cfg -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
%-subkey.crt: %-subkey.csr KEK.crt
$(OPENSSL) x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
--
2.7.5
@@ -0,0 +1,32 @@
From 1b87c0e53efdccec4c05d2b92699f49cd3d6ec79 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 16 Aug 2017 19:52:37 +0800
Subject: [PATCH] cert-to-efi-hash-list: support to build with openssl-1.1.x
X509 becomes opaque since openssl-1.1.x and thus uses the equivalent
function i2d_re_X509_tbs() instead to encode tbs portion of the certificate.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
cert-to-efi-hash-list.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c
index 3792553..2f2584c 100644
--- a/cert-to-efi-hash-list.c
+++ b/cert-to-efi-hash-list.c
@@ -135,7 +135,11 @@ main(int argc, char *argv[])
X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
unsigned char *cert_buf = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int cert_len = i2d_X509_CINF(cert->cert_info, &cert_buf);
+#else
+ int cert_len = i2d_re_X509_tbs(cert, &cert_buf);
+#endif
ERR_print_errors_fp(stdout);
int len, digest_len, time_offset;
--
2.7.5