diff --git a/Makefile.am b/Makefile.am index 949c353d..daed1e3f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,10 +10,7 @@ endif doc_DATA = \ examples/ima-genkey-self.sh \ examples/ima-genkey.sh \ - examples/ima-gen-local-ca.sh \ - examples/ima-genkey-self-ecc.sh \ - examples/ima-genkey-ecc.sh \ - examples/ima-gen-local-ca-ecc.sh + examples/ima-gen-local-ca.sh EXTRA_DIST = autogen.sh $(doc_DATA) CLEANFILES = *.html *.xsl diff --git a/examples/functions b/examples/functions new file mode 100755 index 00000000..697cc34d --- /dev/null +++ b/examples/functions 
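Review bot: `examples/functions` is not added to `doc_DATA` (and therefore not to `EXTRA_DIST`) although the three example scripts kept in this list now `cd` to their own directory and `. ./functions`, so the installed copies will fail at the source line and a dist tarball will not carry the helper file. Add `examples/functions \` to the list next to the scripts that depend on it. The `doc_DATA` assignment is fully inside the hunk; the surrounding rules are not.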
@@ -0,0 +1,179 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# For help screens to display supported algorithms
+SUPPORTED_ALGORITHMS="rsa:2048, rsa:3072, rsa:4096, prime256v1, secp384r1, and secp521r1"
+
+# Get the OpenSSL keyalgo parameter
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+# accepts
+get_ossl_keyalgo()
+{
+ case "$1" in
+ rsa:2048|rsa:3072|rsa:4096)
+ echo "$1"
+ ;;
+ prime256v1|secp384r1|secp521r1)
+ echo "ec"
+ ;;
+ esac
+}
+
+# Get the OpenSSL -pkeyopt that may be necessary for the given key algo
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+# accepts
+get_ossl_keyalgo_detail()
+{
+ case "$1" in
+ rsa:2048|rsa:3072|rsa:4096)
+ echo ""
+ ;;
+ prime256v1|secp384r1|secp521r1)
+ echo "-pkeyopt ec_paramgen_curve:${keyalgo}"
+ ;;
+ esac
+}
+
+# Create an IMA file signing key
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+# accepts: rsa:2048, rsa:3072, rsa:4096, prime256v1
+ima_gen_signing_key()
+{
+ keyalgo="$1"
+
+ GENKEY=ima.genkey
+
+ ossl_keyalgo=$(get_ossl_keyalgo "$keyalgo")
+ if [ -z "$ossl_keyalgo" ]; then
+ echo "Error: Unsupported key algorithm $keyalgo." >&2
+ return 1
+ fi
+ ossl_keyalgo_detail=$(get_ossl_keyalgo_detail "$keyalgo")
+
+ cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = $(hostname)
+CN = $(whoami) signing key
+emailAddress = $(whoami)@$(hostname)
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+ openssl req -new -nodes -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey "${ossl_keyalgo}" \
+ ${ossl_keyalgo_detail:+${ossl_keyalgo_detail}} || return $?
+ openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+ -outform DER -out x509_ima.der
+ return $?
+}
+
+# Create a local CA
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+# accepts: rsa:2048, rsa:3072, rsa:4096, prime256v1
+ima_gen_localca()
+{
+ keyalgo="$1"
+
+ GENKEY=ima-local-ca.genkey
+
+ ossl_keyalgo=$(get_ossl_keyalgo "$keyalgo")
+ if [ -z "$ossl_keyalgo" ]; then
+ echo "Error: Unsupported key algorithm $keyalgo." >&2
+ return 1
+ fi
+ ossl_keyalgo_detail=$(get_ossl_keyalgo_detail "$keyalgo")
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+keyUsage = cRLSign, keyCertSign
+__EOF__
+
+ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
+ -newkey "${ossl_keyalgo}" \
+ ${ossl_keyalgo_detail:+${ossl_keyalgo_detail}} || return $?
+
+ openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+
+ return $?
+}
+
+# Create an EVM/IMA signing key that is also a key of a self-signed CA
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+# accepts: rsa:2048, rsa:3072, rsa:4096, prime256v1
+ima_gen_signing_key_selfsigned()
+{
+ GENKEY=x509_evm.genkey
+
+ ossl_keyalgo=$(get_ossl_keyalgo "$keyalgo")
+ if [ -z "$ossl_keyalgo" ]; then
+ echo "Error: Unsupported key algorithm $keyalgo." >&2
+ return 1
+ fi
+ ossl_keyalgo_detail=$(get_ossl_keyalgo_detail "$keyalgo")
+
+ cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = $(hostname)
+CN = $(whoami) signing key
+emailAddress = $(whoami)@$(hostname)
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+ openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+ -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+ -newkey "${ossl_keyalgo}" \
+ ${ossl_keyalgo_detail:+${ossl_keyalgo_detail}} || return $?
+
+ case "$keyalgo" in
+ rsa:*)
+ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+ ;;
+ primve256v1|secp384r1|secp521r1)
+ openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
+ ;;
+ esac
+
+ return $?
+}
diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh
deleted file mode 100755
index d5ab6e75..00000000
--- a/examples/ima-gen-local-ca-ecc.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-
-GENKEY=ima-local-ca.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-O = IMA-CA
-CN = IMA/EVM certificate signing key
-emailAddress = ca@ima-ca
-
-[ v3_ca ]
-basicConstraints=CA:TRUE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-keyUsage = cRLSign, keyCertSign
-__EOF__
-
-openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
- -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
- -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
-
-openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh
index 6fd49975..0d1f9180 100755
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
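Review bot: `get_ossl_keyalgo_detail` echoes `${keyalgo}`, the caller's global, instead of its own `$1`, so it only returns the right curve when the caller happens to have assigned `keyalgo` beforehand; make it `echo "-pkeyopt ec_paramgen_curve:$1"`. `ima_gen_signing_key_selfsigned` is the one function that never does `keyalgo="$1"` (its two siblings do) and so silently depends on the variable set by the calling script, and the curve arm of its final `case` is spelled `primve256v1`, so for prime256v1 no `pubkey_evm.pem` is written while the function still returns 0 from the `case`; add `keyalgo="$1"` at the top and fix the arm to `prime256v1|secp384r1|secp521r1)`. The CSR step in `ima_gen_signing_key` also drops the `-utf8 -sha256` that the deleted scripts passed to `openssl req`, which looks accidental given `string_mask = utf8only` in the same config and the flags' presence in the two sibling functions. All three functions leave the private keys (`ima-local-ca.priv`, `privkey_*.pem`) and the `.genkey` config in the working directory with whatever mode the process umask and OpenSSL produce; a `umask 077` before the `openssl req` calls, or a comment stating that the caller is responsible for protecting these files, would make that explicit.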
@@ -1,29 +1,34 @@ #!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later -GENKEY=ima-local-ca.genkey +DIR=$(dirname "$0") -cat << __EOF__ >$GENKEY -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = v3_ca +cd "${DIR}" 1>/dev/null || exit 1 -[ req_distinguished_name ] -O = IMA-CA -CN = IMA/EVM certificate signing key -emailAddress = ca@ima-ca +. ./functions -[ v3_ca ] -basicConstraints=CA:TRUE -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -keyUsage = cRLSign, keyCertSign -__EOF__ +#default key algorithm +keyalgo=rsa:2048 -openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ - -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv +if [ "$1" = "-?" ] || [ "$1" = "--help" ]; then + cat <<_EOF_ +Create a local CA with a given key algorithm. -openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem +Usage: $0 [options] keyalgo +The following key algorithms are supported: + ${SUPPORTED_ALGORITHMS} + +The following options are supported: + -?, --help : Display this help screen and exit + +_EOF_ + exit 0 +fi + +if [ "$1" != "" ]; then + keyalgo="$1" +fi + +ima_gen_localca "${keyalgo}" +exit $? diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh deleted file mode 100755 index e6301a62..00000000 --- a/examples/ima-genkey-ecc.sh +++ /dev/null 
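Review bot: `cd "${DIR}"` changes where the output lands: the old script wrote `ima-local-ca.priv`, `ima-local-ca.x509`, `ima-local-ca.pem` and the `.genkey` config into the caller's working directory, the new one writes them into the directory holding the script, which for the copies installed via `doc_DATA` is usually not writable and is an odd place to leave a CA private key. Sourcing the helpers by path avoids the side effect: `. "$(dirname "$0")/functions"` in place of the `DIR=`, `cd` and `. ./functions` lines. The same pattern is in `ima-genkey-self.sh` and `ima-genkey.sh` in this commit; whichever behaviour is chosen, the three scripts need to agree, because `ima_gen_signing_key` expects `ima-local-ca.pem` and `ima-local-ca.priv` in the working directory it runs from.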
@@ -1,33 +0,0 @@ -#!/bin/sh - -GENKEY=ima.genkey - -cat << __EOF__ >$GENKEY -[ req ] -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = v3_usr - -[ req_distinguished_name ] -O = `hostname` -CN = `whoami` signing key -emailAddress = `whoami`@`hostname` - -[ v3_usr ] -basicConstraints=critical,CA:FALSE -#basicConstraints=CA:FALSE -keyUsage=digitalSignature -#keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage=critical,codeSigning -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -#authorityKeyIdentifier=keyid,issuer -__EOF__ - -openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ - -out csr_ima.pem -keyout privkey_ima.pem \ - -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ - -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ - -outform DER -out x509_ima.der diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh deleted file mode 100755 index f4ef49ff..00000000 --- a/examples/ima-genkey-self-ecc.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -GENKEY=x509_evm.genkey - -cat << __EOF__ >$GENKEY -[ req ] -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = myexts - -[ req_distinguished_name ] -O = `hostname` -CN = `whoami` signing key -emailAddress = `whoami`@`hostname` - -[ myexts ] -basicConstraints=critical,CA:FALSE -keyUsage=digitalSignature -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -__EOF__ - -openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \ - -outform DER -out x509_evm.der -keyout privkey_evm.pem \ - -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 - -openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem diff --git a/examples/ima-genkey-self.sh b/examples/ima-genkey-self.sh index c04df372..62ac8bce 100755 --- a/examples/ima-genkey-self.sh 
+++ b/examples/ima-genkey-self.sh @@ -1,29 +1,35 @@ #!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later -GENKEY=x509_evm.genkey +DIR=$(dirname "$0") -cat << __EOF__ >$GENKEY -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = myexts +cd "${DIR}" 1>/dev/null || exit 1 -[ req_distinguished_name ] -O = `hostname` -CN = `whoami` signing key -emailAddress = `whoami`@`hostname` +. ./functions -[ myexts ] -basicConstraints=critical,CA:FALSE -keyUsage=digitalSignature -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -__EOF__ +#default key algorithm +keyalgo=rsa:2048 -openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \ - -outform DER -out x509_evm.der -keyout privkey_evm.pem +if [ "$1" = "-?" ] || [ "$1" = "--help" ]; then + cat <<_EOF_ +Create an EVM/IMA file signing key with a given key algorithm. The key is also +used by a self-signed CA. -openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem +Usage: $0 [options] keyalgo +The following key algorithms are supported: + ${SUPPORTED_ALGORITHMS} + +The following options are supported: + -?, --help : Display this help screen and exit + +_EOF_ + exit 0 +fi + +if [ "$1" != "" ]; then + keyalgo="$1" +fi + +ima_gen_signing_key_selfsigned "${keyalgo}" +exit $? diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh index 00fa6486..6bcdeb35 100755 --- a/examples/ima-genkey.sh +++ b/examples/ima-genkey.sh 
@@ -1,34 +1,34 @@ #!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later -GENKEY=ima.genkey - -cat << __EOF__ >$GENKEY -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = v3_usr - -[ req_distinguished_name ] -O = `hostname` -CN = `whoami` signing key -emailAddress = `whoami`@`hostname` - -[ v3_usr ] -basicConstraints=critical,CA:FALSE -#basicConstraints=CA:FALSE -keyUsage=digitalSignature -#keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage=critical,codeSigning -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -#authorityKeyIdentifier=keyid,issuer -__EOF__ - -openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ - -out csr_ima.pem -keyout privkey_ima.pem -openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ - -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ - -outform DER -out x509_ima.der +DIR=$(dirname "$0") +cd "${DIR}" 1>/dev/null || exit 1 + +. ./functions + +#default key algorithm +keyalgo=rsa:2048 + +if [ "$1" = "-?" ] || [ "$1" = "--help" ]; then + cat <<_EOF_ +Create an EVM/IMA file signing key with a given algorithm. + +Usage: $0 [options] keyalgo + +The following key algorithms are supported: + ${SUPPORTED_ALGORITHMS} + +The following options are supported: + -?, --help : Display this help screen and exit + +_EOF_ + exit 0 +fi + +if [ "$1" != "" ]; then + keyalgo="$1" +fi + +ima_gen_signing_key "${keyalgo}" +exit $?
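Review bot: The help text does not mention that this script signs the new certificate with a local CA: `ima_gen_signing_key` in `functions` passes `-CA ima-local-ca.pem -CAkey ima-local-ca.priv` to `openssl x509`, so both files must already exist in the directory the script runs in. Add a line to the heredoc such as `Requires ima-local-ca.pem and ima-local-ca.priv, as created by ima-gen-local-ca.sh, in the current directory.` so that the failure from `openssl x509` is not the first hint of the prerequisite.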