1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
|
#!/bin/bash
#-----------------------------------------------------------------------------
#
# File: hsm_ahab_pki_tree.sh
#
# Description: This script generates a basic AHAB PKI tree for the NXP
# AHAB code signing feature using HSM. What the PKI tree looks like
# depends on whether the SRK is chosen to be a CA key or not. If the
# SRKs are chosen to be CA keys then this script will generate the
# following PKI tree:
#
# CA Key
# | | |
# -------- + | +---------------
# / | \
# SRK1 SRK2 ... SRKN
# | | |
# | | |
# SGK1 SGK2 SGKN
#
# where: N can be 1 to 4.
#
# Additional keys can be added to the tree separately. In this
# configuration SRKs may only be used to sign/verify other
# keys/certificates
#
# If the SRKs are chosen to be non-CA keys then this script will
# generate the following PKI tree:
#
# CA Key
# | | |
# -------- + | +---------------
# / | \
# SRK1 SRK2 ... SRKN
#
# In this configuration SRKs may only be used to sign code/data
# and not other keys. Note that not all NXP processors
# including AHAB support this option.
#
# Copyright 2021-2023 NXP
#
#
#-----------------------------------------------------------------------------
printf "\n"
printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
printf " ------ HSM based key and cert generation script ------ \n"
printf " This script is a part of the Code signing tools for NXP's\n"
printf " Advanced High Assurance Boot. It generates a basic PKI tree. The\n"
printf " PKI tree consists of one or more Super Root Keys (SRK), with each\n"
printf " SRK having one subordinate keys: \n"
printf " + a Signing key (SGK) \n"
printf " Additional keys can be added to the PKI tree but a separate \n"
printf " script is available for this. This this script assumes openssl\n"
printf " is installed on your system and is included in your search \n"
printf " path. Finally, the private keys generated are PIN protected \n"
printf " provided by the user during token initialization.\n"
printf " All private keys in the PKI tree are protected by the PIN.\n\n"
printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
stty erase
if [ $# -gt 0 ]; then
interactive="n"
else
interactive="y"
fi
usage()
{
echo
echo "Usage:"
echo "Interactive Mode:"
echo "$0"
echo
echo "Command Line Mode:"
echo "$0 -existing-ca <y/n> [-ca-key-label <CA key label> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
echo "Options:"
echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521"
echo " : -use-ecc = n then Supported key lengths: 2048, 3072, 4096"
echo " -da: Supported digest algorithms: sha256, sha384, sha512"
echo
echo "$0 -h | --help : This text"
echo
}
max_param=16
min_param=12
num_param=1
id=1000
# Check USR_PIN is defined, if not then set default
if [[ -v "${USR_PIN}" || -z "${USR_PIN}" ]]
then
USR_PIN=123456
fi
# Throw error if PKCS11_MODULE_PATH undefined
if [[ -v "${PKCS11_MODULE_PATH}" || -z "${PKCS11_MODULE_PATH}" ]]
then
echo "ERROR: PKCS11_MODULE_PATH must be set"
echo
exit 1
fi
if [ $interactive = "n" ]
then
# Validate command line parameters
if [ "$1" = "-h" ] || [ "$1" = "--help" ]
then
usage
exit 0
elif [ $# -lt $min_param ] || [ $# -gt $max_param ]
then
echo "ERROR: Correct parameters required in non-interactive mode"
usage
exit 1
fi
# Process command line inputs
while [ $num_param -le $max_param ] && [ "$1" != "" ]
do
case $1 in
-existing-ca)
shift
existing_ca=$1
shift
if [ "$existing_ca" = "y" ] && [ "$1" != "-ca-key-label" ]
then
echo "ERROR: CA key is required."
usage
exit 1
fi
;;
-ca-key-label)
shift
ca_key_label=$1
shift
if [ "$existing_ca" = "y" ] && [ "$1" != "-ca-cert" ]
then
echo "ERROR: CA cert is required."
usage
exit 1
fi
;;
-ca-cert)
shift
ca_cert=$1
shift
;;
-use-ecc)
shift
use_ecc=$1
shift
;;
-kl)
shift
kl=$1
shift
;;
-da)
shift
da=$1
shift
;;
-duration)
shift
duration=$1
shift
;;
-srk-ca)
shift
srk_ca=$1
shift
;;
*)
echo "ERROR: Invalid parameter: $1"
usage
exit 1
;;
esac
num_param=$(( num_param + 2 ))
done
fi # interactive=n
if [ $interactive = "y" ]
then
printf "Do you want to use an existing CA key (y/n)?: \b"
read existing_ca
if [ $existing_ca = "y" ]
then
printf "Enter CA key name: \b"
read ca_key
printf "Enter CA certificate name: \b"
read ca_cert
fi
fi
if [ "$interactive" = "y" ]
then
printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b"
read use_ecc
fi
if [ $use_ecc = "y" ]
then
if [ "$interactive" = "y" ]
then
printf "Enter length for elliptic curve to be used for PKI tree:\n"
printf "Possible values p256, p384, p521: \b"
read kl
fi
# Confirm that a valid key length has been entered
case $kl in
p256)
cn="prime256v1" ;;
p384)
cn="secp384r1" ;;
p521)
cn="secp521r1" ;;
*)
echo Invalid key length. Supported key lengths: 256, 384, 521
usage
exit 1 ;;
esac
else
if [ "$interactive" = "y" ]
then
printf "Enter key length in bits for PKI tree: \b"
read kl
fi
# Confirm that a valid key length has been entered
case $kl in
2048) ;;
3072) ;;
4096) ;;
*)
echo Invalid key length. Supported key lengths: 2048, 3072, 4096
usage
exit 1 ;;
esac
fi
if [ "$interactive" = "y" ]
then
printf "Enter the digest algorithm to use: \b"
read da
fi
# Confirm that a valid digest algorithm has been entered
case $da in
sha256) ;;
sha384) ;;
sha512) ;;
*)
echo Invalid digest algorithm. Supported digest algorithms: sha256, sha384, sha512
usage
exit 1 ;;
esac
if [ "$interactive" = "y" ]
then
printf "Enter PKI tree duration (years): \b"
read duration
fi
# Compute validity period
val_period=$((duration*365))
# printf "How many Super Root Keys should be generated? \b"
# read num_srk
num_srk=4
# Check that 0 < num_srk <= 4 (Max. number of SRKs)
if [ $num_srk -lt 1 ] || [ $num_srk -gt 4 ]
then
echo The number of SRKs generated must be between 1 and 4
usage
exit 1
fi
if [ "$interactive" = "y" ]
then
# Check if SRKs should be generated as CA certs or user certs
printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b"
read srk_ca
fi
keys_dir=../keys
crts_dir=../crts
ca_dir=../ca
if [ ! -d "${ca_dir}" ]
then
ca_dir=/usr/share/doc/imx-code-signing-tool/pki_scripts/ca
fi
mkdir -p "$crts_dir"
# Check that the file "serial" is present, if not create it:
if [ ! -f serial ]
then
echo "12345678" > serial
echo "A default 'serial' file was created!"
fi
# The following is required otherwise OpenSSL complains
if [ -f index.txt ]
then
rm index.txt
fi
touch index.txt
echo "unique_subject = no" > index.txt.attr
if [ $existing_ca = "n" ]
then
# Generate CA key and certificate
# -------------------------------
echo
echo +++++++++++++++++++++++++++++++++++++
echo + Generating CA key and certificate +
echo +++++++++++++++++++++++++++++++++++++
echo
if [ $use_ecc = 'n' ]
then
ca_key_label=./CA1_${da}_${kl}_65537_v3_ca
ca_cert=../crts/CA1_${da}_${kl}_65537_v3_ca_crt
ca_subj_req=/CN=CA1_${da}_${kl}_65537_v3_ca/
ca_key_type=rsa:${kl}
else
ca_key_label=./CA1_${da}_${cn}_v3_ca
ca_cert=../crts/CA1_${da}_${cn}_v3_ca_crt
ca_subj_req=/CN=CA1_${da}_${cn}_v3_ca/
ca_key_type=EC:${cn}
fi
# # Generate CA Key
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--pin $USR_PIN \
--keypairgen \
--key-type $ca_key_type \
--label $ca_key_label \
--id $id
# # Generate self-signed CA certificate
openssl req -engine pkcs11 -new -batch \
-${da} \
-subj ${ca_subj_req} \
-key "label_${ca_key_label}" \
-keyform engine \
-out ${ca_cert}.pem \
-text -x509 -extensions v3_ca \
-days ${val_period} \
-config $ca_dir/openssl.cnf \
-passin pass:$USR_PIN
# # Convert CA Certificate to DER format
openssl x509 -outform DER \
-in ${ca_cert}.pem \
-out ${ca_cert}.der
fi
if [ $srk_ca != "y" ]
then
# Generate SRK keys and certificates (non-CA)
# SRKs suitable for signing code/data
# -------------------------------------------
i=1; # SRK Loop index
while [ $i -le $num_srk ]
do
echo
echo ++++++++++++++++++++++++++++++++++++++++
echo + Generating SRK key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
if [ $use_ecc = 'n' ]
then
srk_subj_req=/CN=SRK${i}_${da}_${kl}_65537_v3_usr/
srk_crt=../crts/SRK${i}_${da}_${kl}_65537_v3_usr_crt
srk_key_label=./SRK${i}_${da}_${kl}_65537_v3_usr
srk_key_type=rsa:${kl}
else
srk_subj_req=/CN=SRK${i}_${da}_${cn}_v3_usr/
srk_crt=../crts/SRK${i}_${da}_${cn}_v3_usr_crt
srk_key_label=./SRK${i}_${da}_${cn}_v3_usr
srk_key_type=EC:${cn}
fi
id=$((id + 1))
# # Generate SRK key
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--pin $USR_PIN \
--keypairgen \
--key-type $srk_key_type \
--label $srk_key_label \
--id $id
# # Generate SRK certificate signing request
openssl req -engine pkcs11 -new -batch \
-subj ${srk_subj_req} \
-keyform engine \
-key "label_${srk_key_label}" \
-out temp_srk_req.pem \
-passin pass:$USR_PIN
# # Generate SRK certificate (this is a CA cert)
openssl ca -engine pkcs11 -batch \
-md ${da} -outdir ./ \
-in ./temp_srk_req.pem \
-cert "${ca_cert}.pem" \
-keyform engine \
-keyfile "label_${ca_key_label}" \
-extfile $ca_dir/v3_usr.cnf \
-out "${srk_crt}.pem" \
-notext \
-days ${val_period} \
-config $ca_dir/openssl.cnf \
-passin pass:$USR_PIN
# # Convert SRK Certificate to DER format
openssl x509 -outform DER \
-in ${srk_crt}.pem \
-out ${srk_crt}.der
# # Store DER certificate back to the HSM
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--write-object ${srk_crt}.der \
--type cert \
--label $srk_key_label \
--pin $USR_PIN \
--id $id
# Cleanup
\rm ./temp_srk_req.pem
i=$((i+1))
done
else
# Generate AHAB keys and certificates
# -----------------------------------
i=1; # SRK Loop index
while [ $i -le $num_srk ]
do
echo
echo ++++++++++++++++++++++++++++++++++++++++
echo + Generating SRK key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
if [ $use_ecc = 'n' ]
then
srk_subj_req=/CN=SRK${i}_${da}_${kl}_65537_v3_ca/
srk_crt=../crts/SRK${i}_${da}_${kl}_65537_v3_ca_crt
srk_key_label=./SRK${i}_${da}_${kl}_65537_v3_ca
srk_key_type=rsa:${kl}
else
srk_subj_req=/CN=SRK${i}_${da}_${cn}_v3_ca/
srk_crt=../crts/SRK${i}_${da}_${cn}_v3_ca_crt
srk_key_label=./SRK${i}_${da}_${cn}_v3_ca
srk_key_type=EC:${cn}
fi
id=$((id + 1))
# # Generate SRK key
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--pin $USR_PIN \
--keypairgen \
--key-type $srk_key_type \
--label $srk_key_label \
--id $id
# # Generate SRK certificate signing request
openssl req -engine pkcs11 -new -batch \
-subj ${srk_subj_req} \
-keyform engine \
-key "label_${srk_key_label}" \
-out temp_srk_req.pem \
-passin pass:$USR_PIN
# # Generate SRK certificate (this is a CA cert)
openssl ca -engine pkcs11 -batch \
-md ${da} -outdir ./ \
-in ./temp_srk_req.pem \
-cert "${ca_cert}.pem" \
-keyform engine \
-keyfile "label_${ca_key_label}" \
-extfile $ca_dir/v3_ca.cnf \
-out "${srk_crt}.pem" \
-notext \
-days ${val_period} \
-config $ca_dir/openssl.cnf \
-passin pass:$USR_PIN
# # Convert SRK Certificate to DER format
openssl x509 -outform DER \
-in ${srk_crt}.pem \
-out ${srk_crt}.der
# # Store DER certificate back to the HSM
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--write-object ${srk_crt}.der \
--type cert \
--label $srk_key_label \
--pin $USR_PIN \
--id $id
# Cleanup
\rm ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
echo + Generating SGK key and certificate $i +
echo ++++++++++++++++++++++++++++++++++++++++
echo
if [ $use_ecc = 'n' ]
then
srk_crt_i=../crts/SRK${i}_${da}_${kl}_65537_v3_ca_crt
srk_key_i_label=./SRK${i}_${da}_${kl}_65537_v3_ca
sgk_subj_req=/CN=SGK${i}_1_${da}_${kl}_65537_v3_usr/
sgk_crt=../crts/SGK${i}_1_${da}_${kl}_65537_v3_usr_crt
sgk_key_label=./SGK${i}_1_${da}_${kl}_65537_v3_usr
sgk_key_type=rsa:${kl}
else
srk_crt_i=../crts/SRK${i}_${da}_${cn}_v3_ca_crt
srk_key_i_label=./SRK${i}_${da}_${cn}_v3_ca
sgk_subj_req=/CN=SGK${i}_1_${da}_${cn}_v3_usr/
sgk_crt=../crts/SGK${i}_1_${da}_${cn}_v3_usr_crt
sgk_key_label=./SGK${i}_1_${da}_${cn}_v3_usr
sgk_key_type=EC:${cn}
fi
id=$((id + 1))
# # Generate key
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--pin $USR_PIN \
--keypairgen \
--key-type $sgk_key_type \
--label $sgk_key_label \
--id $id
# # Generate SGK certificate signing request
openssl req -engine pkcs11 -new -batch \
-subj ${sgk_subj_req} \
-keyform engine \
-key "label_${sgk_key_label}" \
-out temp_sgk_req.pem \
-passin pass:$USR_PIN
# # Generate SGK certificate (this is a user cert)
openssl ca -engine pkcs11 -batch \
-md ${da} -outdir ./ \
-in ./temp_sgk_req.pem \
-cert "${srk_crt_i}.pem" \
-keyform engine \
-keyfile "label_${srk_key_i_label}" \
-extfile $ca_dir/v3_usr.cnf \
-out "${sgk_crt}.pem" \
-notext \
-days ${val_period} \
-config $ca_dir/openssl.cnf \
-passin pass:$USR_PIN
# # Convert SGK Certificate to DER format
openssl x509 -outform DER \
-in ${sgk_crt}.pem \
-out ${sgk_crt}.der
# # Store DER certificate back to the HSM
pkcs11-tool --module $PKCS11_MODULE_PATH -l \
--write-object ${sgk_crt}.der \
--type cert \
--label $sgk_key_label \
--pin $USR_PIN \
--id $id
# Cleanup
\rm ./temp_sgk_req.pem
i=$((i+1))
done
fi
exit 0
|
