mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-11 15:00:34 +00:00
0652c9fd74
For shorted file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
43 lines
1.3 KiB
Bash
Executable File
43 lines
1.3 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Copied from ima-evm-utils.
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License
|
|
# version 2 as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
GENKEY=ima-local-ca.genkey
|
|
|
|
cat << __EOF__ >$GENKEY
|
|
[ req ]
|
|
distinguished_name = req_distinguished_name
|
|
prompt = no
|
|
string_mask = utf8only
|
|
x509_extensions = v3_ca
|
|
|
|
[ req_distinguished_name ]
|
|
O = example.com
|
|
CN = meta-intel-iot-security example certificate signing key
|
|
emailAddress = john.doe@example.com
|
|
|
|
[ v3_ca ]
|
|
basicConstraints=CA:TRUE
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid:always,issuer
|
|
keyUsage = cRLSign, keyCertSign
|
|
__EOF__
|
|
|
|
openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
|
|
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
|
|
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
|
|
|
|
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
|