From: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date: Mon, 2 Jun 2025 14:42:22 +0200
Subject: Undo 3.3.1 changes which break the script for no good reason

Fall back to the installed openssl configuration directory if none is given.

Based on the original patch by Sean Anderson <seanga2@gmail.com>

---
 keys/add_key.sh           | 56 +++++--------------------------------
 keys/ahab_pki_tree.sh     | 66 ++++++++------------------------------------
 keys/hab4_pki_tree.sh     | 70 ++++++++++-------------------------------------
 keys/hsm_add_key.sh       | 45 +++++-------------------------
 keys/hsm_ahab_pki_tree.sh | 65 ++++++++-----------------------------------
 keys/hsm_hab4_pki_tree.sh | 70 ++++++++++-------------------------------------
 6 files changed, 66 insertions(+), 306 deletions(-)

diff --git a/keys/add_key.sh b/keys/add_key.sh
index 6f4d3db..77ed2a7 100755
--- a/keys/add_key.sh
+++ b/keys/add_key.sh
@@ -307,47 +307,16 @@ else
     fi
 fi
 
-# Check existance of keys/, crts/ and ca/ directories of <cst> before generating keys and
-# switch current working directory to <cst>/keys directory, if needed.
-crt_dir=$(pwd)
-script_name=$(readlink "$0")
-if [ "${script_name}" = "" ]
-then
-	script_name=$0
-fi
-script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
-
-if [ ! -d "${keys_dir}" ]
-then
-    echo ERROR: "Private keys directory ${keys_dir} is missing. Expecting script to be located inside <cst>/keys directory."
-    exit 1
-fi
-
-if [ ! -d "${crts_dir}" ]
-then
-    echo ERROR: "Public keys directory ${crts_dir} is missing. Expecting <cst>/crts directory to be already created."
-    exit 1 
-fi
+keys_dir=../keys
+crts_dir=../crts
+ca_dir=../ca
 
 if [ ! -d "${ca_dir}" ]
 then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1 
+    ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
 fi
 
-# Switch current working directory to keys directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${keys_dir}" 
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${keys_dir}"
-        exit 1
-    fi 
-fi
+mkdir -p "$crts_dir"
 
 # Generate outputs
 if [ $kt = "ecc" ]
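Review bot: The new fallback to `/usr/share/doc/imx-code-signing-tool/pki_scripts/ca` is taken silently and never checked, so a missing or incomplete directory only surfaces later as an openssl error, and the operator is not told which `openssl.cnf` shaped the certificates. With the `cd` into the keys directory removed, `../ca`, `../crts`, `./key_pass.txt` and the `rm -f *_req.pem` cleanup in the last hunk of this file all resolve against the caller's working directory, so whatever `../ca` exists relative to that directory is preferred over the packaged one. I would fail early when `${ca_dir}/openssl.cnf` is absent, print the directory in use, and check the `mkdir -p` result, as in the excerpt below; `keys_dir` also looks unused in the visible hunks. The same block is added in the first hunk of ahab_pki_tree.sh, hab4_pki_tree.sh, hsm_add_key.sh, hsm_ahab_pki_tree.sh and hsm_hab4_pki_tree.sh. The `if [ $kt = "ecc" ]` statement at the end of this hunk continues outside it.

```shell
# … unchanged: keys_dir/crts_dir/ca_dir assignments and the ../ca fallback …

# Refuse to sign with a configuration that is not there, and say which one is used.
if [ ! -f "${ca_dir}/openssl.cnf" ]
then
    echo ERROR: "Openssl configuration ${ca_dir}/openssl.cnf is missing." >&2
    exit 1
fi
echo "Using openssl configuration from ${ca_dir}"

if ! mkdir -p "${crts_dir}"
then
    echo ERROR: "Cannot create public keys directory ${crts_dir}" >&2
    exit 1
fi
```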
@@ -379,10 +348,10 @@ openssl ca -batch -passin file:./key_pass.txt \
     -in ./${key_fullname}_req.pem \
     -cert ${signing_crt} \
     -keyfile ${signing_key} \
-    -extfile ../ca/v3_${ca}.cnf \
+    -extfile $ca_dir/v3_${ca}.cnf \
     -out ../crts/${key_fullname}_crt.pem \
     -days ${val_period} \
-    -config ../ca/openssl.cnf
+    -config $ca_dir/openssl.cnf
 
 # Convert certificate to DER format
 openssl x509 -inform PEM -outform DER \
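Review bot: `$ca_dir` is expanded unquoted in the new `-extfile` and `-config` arguments, so it word-splits and globs if the directory ever contains spaces or pattern characters; quote both, e.g. `-extfile "${ca_dir}/v3_${ca}.cnf" \` and `-config "${ca_dir}/openssl.cnf"`. The `-out ../crts/${key_fullname}_crt.pem` line still hard-codes the path that `crts_dir` now names, so the directory created by `mkdir -p "$crts_dir"` and the one written to can drift apart if either changes; `-out "${crts_dir}/${key_fullname}_crt.pem" \` keeps them tied. The same unquoted `$ca_dir` pattern recurs in every later `-extfile`/`-config` hunk of this patch. The `openssl ca` command itself starts above the hunk.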
@@ -406,15 +375,4 @@ mv ${key_fullname}_key_tmp.pem ${key_fullname}_key.pem
 
 # Clean up
 \rm -f *_req.pem
-
-# Switch back to initial working directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${crt_dir}" 
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${crt_dir}"
-        exit 1
-    fi
-fi
 exit 0
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 87e0ddc..4b93d83 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -296,47 +296,16 @@ then
     read srk_ca
 fi
 
-# Check existance of keys/, crts/ and ca/ directories of <cst> before generating keys and
-# switch current working directory to <cst>/keys directory, if needed.
-crt_dir=$(pwd)
-script_name=$(readlink "$0")
-if [ "${script_name}" = "" ]
-then
-	script_name=$0
-fi
-script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
-
-if [ ! -d "${keys_dir}" ]
-then
-    echo ERROR: "Private keys directory ${keys_dir} is missing. Expecting script to be located inside <cst>/keys directory."
-    exit 1
-fi
-
-if [ ! -d "${crts_dir}" ]
-then
-    echo ERROR: "Public keys directory ${crts_dir} is missing. Expecting <cst>/crts directory to be already created."
-    exit 1
-fi
+keys_dir=../keys
+crts_dir=../crts
+ca_dir=../ca
 
 if [ ! -d "${ca_dir}" ]
 then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1
+    ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
 fi
 
-# Switch current working directory to keys directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${keys_dir}"
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${keys_dir}"
-        exit 1
-    fi
-fi
+mkdir -p "$crts_dir"
 
 # Check that the file "serial" is present, if not create it:
 if [ ! -f serial ]
@@ -396,7 +365,7 @@ then
                    -x509 -extensions v3_ca \
                    -keyout temp_ca.pem \
                    -out ${ca_cert}.pem \
-                   -days ${val_period} -config ../ca/openssl.cnf
+                   -days ${val_period} -config $ca_dir/openssl.cnf
 
     # Generate CA key in PKCS #8 format - both PEM and DER
     openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -464,10 +433,10 @@ then
                       -in ./temp_srk_req.pem \
                       -cert ${ca_cert}.pem \
                    -keyfile ${ca_key}.pem \
-                      -extfile ../ca/v3_usr.cnf \
+                      -extfile $ca_dir/v3_usr.cnf \
                       -out ${srk_crt}.pem \
                       -days ${val_period} \
-                      -config ../ca/openssl.cnf
+                      -config $ca_dir/openssl.cnf
 
         # Convert SRK Certificate to DER format
         openssl x509 -inform PEM -outform DER \
@@ -539,10 +508,10 @@ do
                   -in ./temp_srk_req.pem \
                   -cert ${ca_cert}.pem \
                   -keyfile ${ca_key}.pem \
-                  -extfile ../ca/v3_ca.cnf \
+                  -extfile $ca_dir/v3_ca.cnf \
                   -out ${srk_crt}.pem \
                   -days ${val_period} \
-                  -config ../ca/openssl.cnf
+                  -config $ca_dir/openssl.cnf
 
     # Convert SRK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -609,10 +578,10 @@ do
                -in ./temp_sgk_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
-               -extfile ../ca/v3_usr.cnf \
+               -extfile $ca_dir/v3_usr.cnf \
                -out ${sgk_crt}.pem \
                -days ${val_period} \
-               -config ../ca/openssl.cnf
+               -config $ca_dir/openssl.cnf
 
     # Convert SGK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -636,15 +605,4 @@ do
     i=$((i+1))
 done
 fi
-
-# Switch back to initial working directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${crt_dir}"
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${crt_dir}"
-        exit 1
-    fi
-fi
 exit 0
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index be9f968..7d2378a 100755
--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
@@ -285,47 +285,16 @@ then
     read srk_ca
 fi
 
-# Check existance of keys/, crts/ and ca/ directories of <cst> before generating keys and
-# switch current working directory to <cst>/keys directory, if needed.
-crt_dir=$(pwd)
-script_name=$(readlink "$0")
-if [ "${script_name}" = "" ]
-then
-	script_name=$0
-fi
-script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
-
-if [ ! -d "${keys_dir}" ]
-then
-    echo ERROR: "Private keys directory ${keys_dir} is missing. Expecting script to be located inside <cst>/keys directory."
-    exit 1
-fi
-
-if [ ! -d "${crts_dir}" ]
-then
-    echo ERROR: "Public keys directory ${crts_dir} is missing. Expecting <cst>/crts directory to be already created."
-    exit 1 
-fi
+keys_dir=../keys
+crts_dir=../crts
+ca_dir=../ca
 
 if [ ! -d "${ca_dir}" ]
 then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1 
+    ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
 fi
 
-# Switch current working directory to keys directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${keys_dir}" 
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${keys_dir}"
-        exit 1
-    fi 
-fi
+mkdir -p "$crts_dir"
 
 # Check that the file "serial" is present, if not create it:
 if [ ! -f serial ]
@@ -384,7 +353,7 @@ then
                    -x509 -extensions v3_ca \
                    -keyout temp_ca.pem \
                    -out ${ca_cert}.pem \
-                   -days ${val_period} -config ../ca/openssl.cnf
+                   -days ${val_period} -config $ca_dir/openssl.cnf
 
     # Generate CA key in PKCS #8 format - both PEM and DER
     openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -452,10 +421,10 @@ then
                       -in ./temp_srk_req.pem \
                       -cert ${ca_cert}.pem \
                    -keyfile ${ca_key}.pem \
-                      -extfile ../ca/v3_usr.cnf \
+                      -extfile $ca_dir/v3_usr.cnf \
                       -out ${srk_crt}.pem \
                       -days ${val_period} \
-                      -config ../ca/openssl.cnf
+                      -config $ca_dir/openssl.cnf
 
         # Convert SRK Certificate to DER format
         openssl x509 -inform PEM -outform DER \
@@ -526,10 +495,10 @@ do
                   -in ./temp_srk_req.pem \
                   -cert ${ca_cert}.pem \
                   -keyfile ${ca_key}.pem \
-                  -extfile ../ca/v3_ca.cnf \
+                  -extfile $ca_dir/v3_ca.cnf \
                   -out ${srk_crt}.pem \
                   -days ${val_period} \
-                  -config ../ca/openssl.cnf
+                  -config $ca_dir/openssl.cnf
 
     # Convert SRK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -596,10 +565,10 @@ do
                -in ./temp_csf_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
-               -extfile ../ca/v3_usr.cnf \
+               -extfile $ca_dir/v3_usr.cnf \
                -out ${csf_crt}.pem \
                -days ${val_period} \
-               -config ../ca/openssl.cnf
+               -config $ca_dir/openssl.cnf
 
     # Convert CSF Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -659,10 +628,10 @@ do
                -in ./temp_img_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
-               -extfile ../ca/v3_usr.cnf \
+               -extfile $ca_dir/v3_usr.cnf \
                -out ${img_crt}.pem \
                -days ${val_period} \
-               -config ../ca/openssl.cnf
+               -config $ca_dir/openssl.cnf
 
     # Convert IMG Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -686,15 +655,4 @@ do
     i=$((i+1))
 done
 fi
-
-# Switch back to initial working directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${crt_dir}" 
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${crt_dir}"
-        exit 1
-    fi
-fi
 exit 0
diff --git a/keys/hsm_add_key.sh b/keys/hsm_add_key.sh
index 5fb010e..eff1844 100755
--- a/keys/hsm_add_key.sh
+++ b/keys/hsm_add_key.sh
@@ -330,47 +330,16 @@ else
     fi
 fi
 
-# Check existance of keys/, crts/ and ca/ directories of <cst> before generating keys and
-# switch current working directory to <cst>/keys directory, if needed.
-crt_dir=$(pwd)
-script_name=$(readlink "$0")
-if [ "${script_name}" = "" ]
-then
-	script_name=$0
-fi
-script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
-
-if [ ! -d "${keys_dir}" ]
-then
-    echo ERROR: "Private keys directory ${keys_dir} is missing. Expecting script to be located inside <cst>/keys directory."
-    exit 1
-fi
-
-if [ ! -d "${crts_dir}" ]
-then
-    echo ERROR: "Public keys directory ${crts_dir} is missing. Expecting <cst>/crts directory to be already created."
-    exit 1 
-fi
+keys_dir=../keys
+crts_dir=../crts
+ca_dir=../ca
 
 if [ ! -d "${ca_dir}" ]
 then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1 
+    ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
 fi
 
-# Switch current working directory to keys directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${keys_dir}" 
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${keys_dir}"
-        exit 1
-    fi 
-fi
+mkdir -p "$crts_dir"
 
 # Generate outputs
 if [ $kt = "ecc" ]
@@ -405,11 +374,11 @@ openssl ca -engine pkcs11 -batch \
     -cert "${signing_crt}" \
     -keyform engine \
     -keyfile "label_${signing_key_label}" \
-    -extfile ../ca/v3_${ca}.cnf \
+    -extfile $ca_dir/v3_${ca}.cnf \
     -out "../crts/${key_label}_crt.pem" \
     -notext \
     -days ${val_period} \
-    -config ../ca/openssl.cnf \
+    -config $ca_dir/openssl.cnf \
     -passin pass:$USR_PIN
 
 # # Convert certificate to DER format
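Review bot: The context line `-passin pass:$USR_PIN` places the HSM user PIN in the openssl argument list, where it can be read from the process table by other local users while the command runs, and the expansion is unquoted. Since this hunk already edits the command, it would be worth switching to a source that keeps the PIN out of argv, for example `-passin env:USR_PIN` (assuming `USR_PIN` is, or can be, exported by the script, which is not visible here). The same `-passin pass:$USR_PIN` line appears in the `-config` hunks of hsm_ahab_pki_tree.sh and hsm_hab4_pki_tree.sh. The `openssl ca` command begins above the hunk.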
diff --git a/keys/hsm_ahab_pki_tree.sh b/keys/hsm_ahab_pki_tree.sh
index b2d26d1..ee740ad 100755
--- a/keys/hsm_ahab_pki_tree.sh
+++ b/keys/hsm_ahab_pki_tree.sh
@@ -289,47 +289,16 @@ then
     read srk_ca
 fi
 
-# Check existance of keys/, crts/ and ca/ directories of <cst> before generating keys and
-# switch current working directory to <cst>/keys directory, if needed.
-crt_dir=$(pwd)
-script_name=$(readlink "$0")
-if [ "${script_name}" = "" ]
-then
-	script_name=$0
-fi
-script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
-
-if [ ! -d "${keys_dir}" ]
-then
-    echo ERROR: "Private keys directory ${keys_dir} is missing. Expecting script to be located inside <cst>/keys directory."
-    exit 1
-fi
-
-if [ ! -d "${crts_dir}" ]
-then
-    echo ERROR: "Public keys directory ${crts_dir} is missing. Expecting <cst>/crts directory to be already created."
-    exit 1
-fi
+keys_dir=../keys
+crts_dir=../crts
+ca_dir=../ca
 
 if [ ! -d "${ca_dir}" ]
 then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1
+    ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
 fi
 
-# Switch current working directory to keys directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${keys_dir}"
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${keys_dir}"
-        exit 1
-    fi
-fi
+mkdir -p "$crts_dir"
 
 # Check that the file "serial" is present, if not create it:
 if [ ! -f serial ]
@@ -387,7 +356,7 @@ then
         -out ${ca_cert}.pem \
         -text -x509 -extensions v3_ca \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert CA Certificate to DER format
@@ -447,11 +416,11 @@ then
             -cert "${ca_cert}.pem" \
             -keyform engine \
             -keyfile "label_${ca_key_label}" \
-            -extfile ../ca/v3_usr.cnf \
+            -extfile $ca_dir/v3_usr.cnf \
             -out "${srk_crt}.pem" \
             -notext \
             -days ${val_period} \
-            -config ../ca/openssl.cnf \
+            -config $ca_dir/openssl.cnf \
 	    -passin pass:$USR_PIN
 
         # # Convert SRK Certificate to DER format
@@ -522,11 +491,11 @@ do
         -cert "${ca_cert}.pem" \
         -keyform engine \
         -keyfile "label_${ca_key_label}" \
-        -extfile ../ca/v3_ca.cnf \
+        -extfile $ca_dir/v3_ca.cnf \
         -out "${srk_crt}.pem" \
         -notext \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert SRK Certificate to DER format
@@ -594,11 +563,11 @@ do
         -cert "${srk_crt_i}.pem" \
         -keyform engine \
         -keyfile "label_${srk_key_i_label}" \
-        -extfile ../ca/v3_usr.cnf \
+        -extfile $ca_dir/v3_usr.cnf \
         -out "${sgk_crt}.pem" \
         -notext \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert SGK Certificate to DER format
@@ -621,14 +590,4 @@ do
 done
 fi
 
-# Switch back to initial working directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${crt_dir}"
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${crt_dir}"
-        exit 1
-    fi
-fi
 exit 0
diff --git a/keys/hsm_hab4_pki_tree.sh b/keys/hsm_hab4_pki_tree.sh
index f3d15aa..d46d1b1 100755
--- a/keys/hsm_hab4_pki_tree.sh
+++ b/keys/hsm_hab4_pki_tree.sh
@@ -277,47 +277,16 @@ then
     read srk_ca
 fi
 
-# Check existance of keys/, crts/ and ca/ directories of <cst> before generating keys and
-# switch current working directory to <cst>/keys directory, if needed.
-crt_dir=$(pwd)
-script_name=$(readlink "$0")
-if [ "${script_name}" = "" ]
-then
-	script_name=$0
-fi
-script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
-
-if [ ! -d "${keys_dir}" ]
-then
-    echo ERROR: "Private keys directory ${keys_dir} is missing. Expecting script to be located inside <cst>/keys directory."
-    exit 1
-fi
-
-if [ ! -d "${crts_dir}" ]
-then
-    echo ERROR: "Public keys directory ${crts_dir} is missing. Expecting <cst>/crts directory to be already created."
-    exit 1
-fi
+keys_dir=../keys
+crts_dir=../crts
+ca_dir=../ca
 
 if [ ! -d "${ca_dir}" ]
 then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1
+    ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
 fi
 
-# Switch current working directory to keys directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${keys_dir}"
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${keys_dir}"
-        exit 1
-    fi
-fi
+mkdir -p "$crts_dir"
 
 # Check that the file "serial" is present, if not create it:
 if [ ! -f serial ]
@@ -373,7 +342,7 @@ then
         -out ${ca_cert}.pem \
         -text -x509 -extensions v3_ca \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert CA Certificate to DER format
@@ -433,11 +402,11 @@ then
             -cert "${ca_cert}.pem" \
             -keyform engine \
             -keyfile "label_${ca_key_label}" \
-            -extfile ../ca/v3_usr.cnf \
+            -extfile $ca_dir/v3_usr.cnf \
             -out "${srk_crt}.pem" \
             -notext \
             -days ${val_period} \
-            -config ../ca/openssl.cnf \
+            -config $ca_dir/openssl.cnf \
 	    -passin pass:$USR_PIN
 
         # # Convert SRK Certificate to DER format
@@ -508,11 +477,11 @@ do
         -cert "${ca_cert}.pem" \
         -keyform engine \
         -keyfile "label_${ca_key_label}" \
-        -extfile ../ca/v3_ca.cnf \
+        -extfile $ca_dir/v3_ca.cnf \
         -out "${srk_crt}.pem" \
         -notext \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert SRK Certificate to DER format
@@ -580,11 +549,11 @@ do
         -cert "${srk_crt_i}.pem" \
         -keyform engine \
         -keyfile "label_${srk_key_i_label}" \
-        -extfile ../ca/v3_usr.cnf \
+        -extfile $ca_dir/v3_usr.cnf \
         -out "${csf_crt}.pem" \
         -notext \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert CSF Certificate to DER format
@@ -646,11 +615,11 @@ do
         -cert "${srk_crt_i}.pem" \
         -keyform engine \
         -keyfile "label_${srk_key_i_label}" \
-        -extfile ../ca/v3_usr.cnf \
+        -extfile $ca_dir/v3_usr.cnf \
         -out "${img_crt}.pem" \
         -notext \
         -days ${val_period} \
-        -config ../ca/openssl.cnf \
+        -config $ca_dir/openssl.cnf \
 	-passin pass:$USR_PIN
 
     # # Convert IMG Certificate to DER format
@@ -672,15 +641,4 @@ do
     i=$((i+1))
 done
 fi
-
-# Switch back to initial working directory, if needed.
-if [ "${crt_dir}" != "${keys_dir}" ]
-then
-    cd "${crt_dir}"
-    if [ $? -ge 1 ]
-    then
-        echo ERROR: "Cannot change directory to ${crt_dir}"
-        exit 1
-    fi
-fi
 exit 0
