Home Explore Help
Sign In
seokj
/
vboot
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
vboot
/
utility
/
dev_make_keypair

dev_make_keypair 2.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384 
  1. #!/bin/bash -e
    2. 

  2. # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
    3. 

  3. # Use of this source code is governed by a BSD-style license that can be
    4. 

  4. # found in the LICENSE file.
    5. 

  5. #
    6. 

  6. 

  7. # Check args first.
    8. 

  8. if [ "$#" -lt "1" ]; then
    9. 

  9.   cat <<EOF 1>&2
    10. 

  10. 

  11. Usage:  ${0##*/} BASENAME [ALG]
    12. 

  12. 

  13. This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
    14. 

  14. developer files. This also creates a BASENAME.keyblock file containing the
    15. 

  15. BASENAME.vbpubk, which can be used to sign a developer kernel.
    16. 

  16. 

  17. If specified, ALG is one of:
    18. 

  18. 

  19.   0    =  RSA1024 with SHA1
    20. 

  20.   1    =  RSA1024 with SHA256
    21. 

  21.   2    =  RSA1024 with SHA512
    22. 

  22.   3    =  RSA2048 with SHA1
    23. 

  23.   4    =  RSA2048 with SHA256
    24. 

  24.   5    =  RSA2048 with SHA512
    25. 

  25.   6    =  RSA4096 with SHA1
    26. 

  26.   7    =  RSA4096 with SHA256
    27. 

  27.   8    =  RSA4096 with SHA512
    28. 

  28.   9    =  RSA8192 with SHA1
    29. 

  29.   10   =  RSA8192 with SHA256
    30. 

  30.   11   =  RSA8192 with SHA512
    31. 

  31. 

  32. If ALG is not specified, a default value will be used.
    33. 

  33. 

  34. EOF
    35. 

  35.   exit 1
    36. 

  36. fi
    37. 

  37. 

  38. 

  39. # Compute the key length assuming the sizes shown above.
    40. 

  40. function alg_to_keylen {
    41. 

  41.   echo $(( 1 << (10 + ($1 / 3)) ))
    42. 

  42. }
    43. 

  43. 

  44. # Emit .vbpubk and .vbprivk using given basename and algorithm.
    45. 

  45. function make_pair {
    46. 

  46.   local base=$1
    47. 

  47.   local alg=$2
    48. 

  48.   local len=$(alg_to_keylen $alg)
    49. 

  49. 

  50.   # make the RSA keypair
    51. 

  51.   openssl genrsa -F4 -out "${base}_${len}.pem" $len
    52. 

  52.   # create a self-signed certificate
    53. 

  53.   openssl req -batch -new -x509 -key "${base}_${len}.pem" \
    54. 

  54.     -out "${base}_${len}.crt"
    55. 

  55.   # generate pre-processed RSA public key
    56. 

  56.   dumpRSAPublicKey -cert "${base}_${len}.crt" > "${base}_${len}.keyb"
    57. 

  57. 

  58.   # wrap the public key
    59. 

  59.   futility vbutil_key \
    60. 

  60.     --pack "${base}.vbpubk" \
    61. 

  61.     --key "${base}_${len}.keyb" \
    62. 

  62.     --version 1 \
    63. 

  63.     --algorithm $alg
    64. 

  64. 

  65.   # wrap the private key
    66. 

  66.   futility vbutil_key \
    67. 

  67.     --pack "${base}.vbprivk" \
    68. 

  68.     --key "${base}_${len}.pem" \
    69. 

  69.     --algorithm $alg
    70. 

  70. 

  71.   # remove intermediate files
    72. 

  72.   rm -f "${base}_${len}.pem" "${base}_${len}.crt" "${base}_${len}.keyb"
    73. 

  73. }
    74. 

  74. 

  75. # First create the .vbpubk and .vbprivk pair.
    76. 

  76. make_pair "$1" "${2:-4}"
    77. 

  77. 

  78. # Now create a .keyblock to hold our .vbpubk. Since it's for developer use, it
    79. 

  79. # won't be signed, just checksummed. Developer kernels can only be run in
    80. 

  80. # non-recovery mode with the developer switch enabled, but it won't hurt us to
    81. 

  81. # turn on all the flags bits anyway.
    82. 

  82. futility vbutil_keyblock --pack "$1.keyblock" \
    83. 

  83.   --datapubkey "$1.vbpubk" --flags 15
    84. 

  84.