2012-09-13 22:17:21 +08:00
|
|
|
#
|
|
|
|
# Makefile for asymmetric cryptographic keys
|
|
|
|
#
|
|
|
|
|
|
|
|
obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
|
|
|
|
|
2012-09-22 06:25:04 +08:00
|
|
|
asymmetric_keys-y := asymmetric_type.o signature.o
|
2012-09-22 06:24:55 +08:00
|
|
|
|
|
|
|
obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
|
2012-09-22 06:25:40 +08:00
|
|
|
obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
|
2012-09-25 00:11:48 +08:00
|
|
|
|
|
|
|
#
|
|
|
|
# X.509 Certificate handling
|
|
|
|
#
|
|
|
|
obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
|
|
|
|
x509_key_parser-y := \
|
|
|
|
x509-asn1.o \
|
|
|
|
x509_rsakey-asn1.o \
|
|
|
|
x509_cert_parser.o \
|
|
|
|
x509_public_key.o
|
|
|
|
|
|
|
|
$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h
|
|
|
|
$(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h
|
|
|
|
$(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
|
|
|
|
|
|
|
|
clean-files += x509-asn1.c x509-asn1.h
|
|
|
|
clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h
|
2014-07-01 23:40:19 +08:00
|
|
|
|
|
|
|
#
|
|
|
|
# PKCS#7 message handling
|
|
|
|
#
|
|
|
|
obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
|
|
|
|
pkcs7_message-y := \
|
|
|
|
pkcs7-asn1.o \
|
2014-07-01 23:40:19 +08:00
|
|
|
pkcs7_parser.o \
|
2014-07-01 23:40:20 +08:00
|
|
|
pkcs7_trust.o \
|
2014-07-01 23:40:19 +08:00
|
|
|
pkcs7_verify.o
|
2014-07-01 23:40:19 +08:00
|
|
|
|
|
|
|
$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
|
|
|
|
$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
|
|
|
|
|
|
|
|
clean-files += pkcs7-asn1.c pkcs7-asn1.h
|
PKCS#7: Provide a key type for testing PKCS#7
Provide a key type for testing the PKCS#7 parser. It is given a non-detached
PKCS#7 message as payload:
keyctl padd pkcs7_test a @s <stuff.pkcs7
The PKCS#7 wrapper is validated against the trusted certificates available and
then stripped off. If successful, the key can be read, which will give the
data content of the PKCS#7 message.
A suitable message can be created by running make on the attached Makefile.
This will produce a file called stuff.pkcs7 for test loading. The key3.x509
file should be put into the kernel source tree before it is built and
converted to DER form:
openssl x509 -in .../pkcs7/key3.x509 -outform DER -out key3.x509
###############################################################################
#
# Create a pkcs7 message and sign it twice
#
# openssl x509 -text -inform PEM -noout -in key2.x509
#
###############################################################################
stuff.pkcs7: stuff.txt key2.priv key2.x509 key4.priv key4.x509 certs
$(RM) $@
openssl smime -sign \
-signer key2.x509 \
-inkey key2.priv \
-signer key4.x509 \
-inkey key4.priv \
-in stuff.txt \
-certfile certs \
-out $@ -binary -outform DER -nodetach
openssl pkcs7 -inform DER -in stuff.pkcs7 -print_certs -noout
openssl asn1parse -inform DER -in stuff.pkcs7 -i >out
stuff.txt:
echo "The quick red fox jumped over the lazy brown dog" >stuff.txt
certs: key1.x509 key2.x509 key3.x509 key4.x509
cat key{1,3}.x509 >$@
###############################################################################
#
# Generate a signed key
#
# openssl x509 -text -inform PEM -noout -in key2.x509
#
###############################################################################
key2.x509: key2.x509_unsigned key1.priv key1.x509
openssl x509 \
-req -in key2.x509_unsigned \
-out key2.x509 \
-extfile key2.genkey -extensions myexts \
-CA key1.x509 \
-CAkey key1.priv \
-CAcreateserial
key2.priv key2.x509_unsigned: key2.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -outform PEM \
-config key2.genkey \
-keyout key2.priv \
-out key2.x509_unsigned
key2.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 2"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:FALSE"
@echo >>$@ "keyUsage=digitalSignature"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"
###############################################################################
#
# Generate a couple of signing keys
#
# openssl x509 -text -inform PEM -noout -in key1.x509
#
###############################################################################
key1.x509: key1.x509_unsigned key4.priv key4.x509
openssl x509 \
-req -in key1.x509_unsigned \
-out key1.x509 \
-extfile key1.genkey -extensions myexts \
-CA key4.x509 \
-CAkey key4.priv \
-CAcreateserial
key1.priv key1.x509_unsigned: key1.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -outform PEM \
-config key1.genkey \
-keyout key1.priv \
-out key1.x509_unsigned
key1.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 1"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:TRUE"
@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"
###############################################################################
#
# Generate a signed key
#
# openssl x509 -text -inform PEM -noout -in key4.x509
#
###############################################################################
key4.x509: key4.x509_unsigned key3.priv key3.x509
openssl x509 \
-req -in key4.x509_unsigned \
-out key4.x509 \
-extfile key4.genkey -extensions myexts \
-CA key3.x509 \
-CAkey key3.priv \
-CAcreateserial
key4.priv key4.x509_unsigned: key4.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -outform PEM \
-config key4.genkey \
-keyout key4.priv \
-out key4.x509_unsigned
key4.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 4"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:TRUE"
@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"
###############################################################################
#
# Generate a couple of signing keys
#
# openssl x509 -text -inform PEM -noout -in key3.x509
#
###############################################################################
key3.priv key3.x509: key3.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -x509 -outform PEM \
-config key3.genkey \
-keyout key3.priv \
-out key3.x509
key3.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 3"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:TRUE"
@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"
clean:
$(RM) *~
$(RM) key1.* key2.* key3.* key4.* stuff.* out certs
Signed-off-by: David Howells <dhowells@redhat.com>
2014-07-02 02:06:18 +08:00
|
|
|
|
|
|
|
#
|
|
|
|
# PKCS#7 parser testing key
|
|
|
|
#
|
|
|
|
obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
|
|
|
|
pkcs7_test_key-y := \
|
|
|
|
pkcs7_key_type.o
|
2014-07-01 23:02:51 +08:00
|
|
|
|
|
|
|
#
|
|
|
|
# Signed PE binary-wrapped key handling
|
|
|
|
#
|
|
|
|
obj-$(CONFIG_SIGNED_PE_FILE_VERIFICATION) += verify_signed_pefile.o
|
|
|
|
|
|
|
|
verify_signed_pefile-y := \
|
|
|
|
verify_pefile.o
|