Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-23 13:51:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

image: fix script for PKI generation

Browse Source 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2022-12-08 13:44:51 +01:00
parent 9d0d561726
commit 1709da0085
1 changed files with 10 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
image/secure-boot/genkeys.sh
View File

@ -12,30 +12,26 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd) script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
TEMPLATES=${SCRIPT_DIR}/templates templates=${script_dir}/templates
BASE_DIR=$(realpath "${SCRIPT_DIR}/..") base_dir=$(realpath "${script_dir}/..")
if [[ -z ${PKI} ]]; then pki="${PKI:-${base_dir}/pki}"
PKI=${BASE_DIR}/pki pki_set="${PKI_SET:-dev}"
fi
if [[ -z ${PKI_SET} ]]; then
PKI_SET=dev
fi
gen_pki() { gen_pki() {
# Only use for non-production images. # Only use for non-production images.
# Use real PKI for production images instead. # Use real PKI for production images instead.
count=$(find "${PKI}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2> /dev/null | wc -l) mkdir -p "${pki}"
count=$(find "${pki}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2> /dev/null | wc -l)
if [[ ${count} != 0 ]]; then if [[ ${count} != 0 ]]; then
echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${PKI}")"/*.{key,crt,cer,esl,auth})" already exist echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${pki}")"/*.{key,crt,cer,esl,auth})" already exist
return return
fi fi
mkdir -p "${PKI}" pushd "${pki}" || exit 1
pushd "${PKI}" || exit 1
uuid=$(systemd-id128 new --uuid) uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do for key in PK KEK db; do
openssl req -new -x509 -config "${TEMPLATES}/${PKI_SET}_${key}.conf" -keyout "${key}.key" -out "${key}.crt" -nodes openssl req -new -x509 -config "${templates}/${pki_set}_${key}.conf" -keyout "${key}.key" -out "${key}.crt" -nodes
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
done done