mirror of
https://github.com/Telecominfraproject/OpenCellular.git
synced 2025-11-24 02:05:01 +00:00
551037b10e
This change makes dumpRSAPublicKey directly accept a public key in PEM format. This makes it possible to avoid the unnecessary step of generating a self-signed certificate to dump the public key in .keyb format. The old style certificate input is still accepted. Using certs (as done previously): dumpRSAPublicKey -cert <certfile> Directly using public keys: dumpRSAPublicKey -pub <pubfile> Change-Id: Ic35b59aff6613d145d7947212650da281f734b74 BUG=7576 TEST=manual $ openssl genrsa -F4 -out test.pem 4096 $ openssl rsa -in test.pem -out test.pub $ dumpRSAPublicKey -pub test.pub >test.pub.keyb Verify that this matches the output we get using the old style <cert> input. $ openssl req -batch -new -x509 -key test.pem -out test.cert $ dumpRSAPublicKey -cert test.cert >test.cert.keyb $ diff test.pub.keyb test.cert.keyb $ Review URL: http://codereview.chromium.org/4215006
83 lines
2.3 KiB
Bash
Executable File
83 lines
2.3 KiB
Bash
Executable File
#!/bin/bash -e
|
|
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
#
|
|
|
|
# Check args first.
|
|
if [ "$#" -lt "1" ]; then
|
|
cat <<EOF 1>&2
|
|
|
|
Usage: ${0##*/} BASENAME [ALG]
|
|
|
|
This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
|
|
developer files. This also creates a BASENAME.keyblock file containing the
|
|
BASENAME.vbpubk, which can be used to sign a developer kernel.
|
|
|
|
If specified, ALG is one of:
|
|
|
|
0 = RSA1024 with SHA1
|
|
1 = RSA1024 with SHA256
|
|
2 = RSA1024 with SHA512
|
|
3 = RSA2048 with SHA1
|
|
4 = RSA2048 with SHA256
|
|
5 = RSA2048 with SHA512
|
|
6 = RSA4096 with SHA1
|
|
7 = RSA4096 with SHA256
|
|
8 = RSA4096 with SHA512
|
|
9 = RSA8192 with SHA1
|
|
10 = RSA8192 with SHA256
|
|
11 = RSA8192 with SHA512
|
|
|
|
If ALG is not specified, a default value will be used.
|
|
|
|
EOF
|
|
exit 1
|
|
fi
|
|
|
|
|
|
# Compute the key length assuming the sizes shown above.
|
|
function alg_to_keylen {
|
|
echo $(( 1 << (10 + ($1 / 3)) ))
|
|
}
|
|
|
|
# Emit .vbpubk and .vbprivk using given basename and algorithm.
|
|
function make_pair {
|
|
local base=$1
|
|
local alg=$2
|
|
local len=$(alg_to_keylen $alg)
|
|
|
|
# make the RSA keypair
|
|
openssl genrsa -F4 -out "${base}_${len}.pem" $len
|
|
# create a self-signed certificate
|
|
openssl req -batch -new -x509 -key "${base}_${len}.pem" \
|
|
-out "${base}_${len}.crt"
|
|
# generate pre-processed RSA public key
|
|
dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb"
|
|
|
|
# wrap the public key
|
|
vbutil_key \
|
|
--pack "${base}.vbpubk" \
|
|
--key "${base}_${len}.keyb" \
|
|
--version 1 \
|
|
--algorithm $alg
|
|
|
|
# wrap the private key
|
|
vbutil_key \
|
|
--pack "${base}.vbprivk" \
|
|
--key "${base}_${len}.pem" \
|
|
--algorithm $alg
|
|
|
|
# remove intermediate files
|
|
rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
|
|
}
|
|
|
|
# First create the .vbpubk and .vbprivk pair.
|
|
make_pair "$1" "${2:-4}"
|
|
|
|
# Now create a .keyblock to hold our .vbpubk. Since it's for developer use, it
|
|
# won't be signed, just checksummed. Developer kernels can only be run in
|
|
# non-recovery mode with the developer switch enabled, but it won't hurt us to
|
|
# turn on all the flags bits anyway.
|
|
vbutil_keyblock --pack "$1.keyblock" --datapubkey "$1.vbpubk" --flags 15
|