Consolidate example scripts

Makefile.am

@@ -10,10 +10,7 @@ endif
 doc_DATA = \
 	 examples/ima-genkey-self.sh \
 	 examples/ima-genkey.sh \
-	 examples/ima-gen-local-ca.sh \
-	 examples/ima-genkey-self-ecc.sh \
-	 examples/ima-genkey-ecc.sh \
-	 examples/ima-gen-local-ca-ecc.sh
+	 examples/ima-gen-local-ca.sh
 EXTRA_DIST = autogen.sh $(doc_DATA)
 
 CLEANFILES = *.html *.xsl

examples/functions

@@ -0,0 +1,179 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# For help screens to display supported algorithms
+SUPPORTED_ALGORITHMS="rsa:2048, rsa:3072, rsa:4096, prime256v1, secp384r1, and secp521r1"
+
+# Get the OpenSSL keyalgo parameter
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+#          accepts
+get_ossl_keyalgo()
+{
+	case "$1" in
+	rsa:2048|rsa:3072|rsa:4096)
+		echo "$1"
+		;;
+	prime256v1|secp384r1|secp521r1)
+		echo "ec"
+		;;
+	esac
+}
+
+# Get the OpenSSL -pkeyopt that may be necessary for the given key algo
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+#          accepts
+get_ossl_keyalgo_detail()
+{
+	case "$1" in
+	rsa:2048|rsa:3072|rsa:4096)
+		echo ""
+		;;
+	prime256v1|secp384r1|secp521r1)
+		echo "-pkeyopt ec_paramgen_curve:${keyalgo}"
+		;;
+	esac
+}
+
+# Create an IMA file signing key
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+#          accepts: rsa:2048, rsa:3072, rsa:4096, prime256v1
+ima_gen_signing_key()
+{
+	keyalgo="$1"
+
+	GENKEY=ima.genkey
+
+	ossl_keyalgo=$(get_ossl_keyalgo "$keyalgo")
+	if [ -z "$ossl_keyalgo" ]; then
+		echo "Error: Unsupported key algorithm $keyalgo." >&2
+		return 1
+	fi
+	ossl_keyalgo_detail=$(get_ossl_keyalgo_detail "$keyalgo")
+
+	cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = $(hostname)
+CN = $(whoami) signing key
+emailAddress = $(whoami)@$(hostname)
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+	openssl req -new -nodes -batch -config $GENKEY \
+		-out csr_ima.pem -keyout privkey_ima.pem \
+		-newkey "${ossl_keyalgo}" \
+		${ossl_keyalgo_detail:+${ossl_keyalgo_detail}} || return $?
+	openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+		-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+		-outform DER -out x509_ima.der
+	return $?
+}
+
+# Create a local CA
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+#          accepts: rsa:2048, rsa:3072, rsa:4096, prime256v1
+ima_gen_localca()
+{
+	keyalgo="$1"
+
+	GENKEY=ima-local-ca.genkey
+
+	ossl_keyalgo=$(get_ossl_keyalgo "$keyalgo")
+	if [ -z "$ossl_keyalgo" ]; then
+		echo "Error: Unsupported key algorithm $keyalgo." >&2
+		return 1
+	fi
+	ossl_keyalgo_detail=$(get_ossl_keyalgo_detail "$keyalgo")
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+keyUsage = cRLSign, keyCertSign
+__EOF__
+
+	openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
+		-newkey "${ossl_keyalgo}" \
+		${ossl_keyalgo_detail:+${ossl_keyalgo_detail}} || return $?
+
+	openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+
+	return $?
+}
+
+# Create an EVM/IMA signing key that is also a key of a self-signed CA
+# @param1: The key algorithm; must be a name that OpenSSL command line tool
+#          accepts: rsa:2048, rsa:3072, rsa:4096, prime256v1
+ima_gen_signing_key_selfsigned()
+{
+	GENKEY=x509_evm.genkey
+
+	ossl_keyalgo=$(get_ossl_keyalgo "$keyalgo")
+	if [ -z "$ossl_keyalgo" ]; then
+		echo "Error: Unsupported key algorithm $keyalgo." >&2
+		return 1
+	fi
+	ossl_keyalgo_detail=$(get_ossl_keyalgo_detail "$keyalgo")
+
+	cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = $(hostname)
+CN = $(whoami) signing key
+emailAddress = $(whoami)@$(hostname)
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+	openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+		-outform DER -out x509_evm.der -keyout privkey_evm.pem \
+		-newkey "${ossl_keyalgo}" \
+		${ossl_keyalgo_detail:+${ossl_keyalgo_detail}} || return $?
+
+	case "$keyalgo" in
+	rsa:*)
+		openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+		;;
+	primve256v1|secp384r1|secp521r1)
+		openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
+		;;
+	esac
+
+	return $?
+}

examples/ima-gen-local-ca.sh

@@ -1,29 +1,34 @@
 #!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
 
-GENKEY=ima-local-ca.genkey
+DIR=$(dirname "$0")
 
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = v3_ca
+cd "${DIR}" 1>/dev/null || exit 1
 
-[ req_distinguished_name ]
-O = IMA-CA
-CN = IMA/EVM certificate signing key
-emailAddress = ca@ima-ca
+. ./functions
 
-[ v3_ca ]
-basicConstraints=CA:TRUE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-keyUsage = cRLSign, keyCertSign
-__EOF__
+#default key algorithm
+keyalgo=rsa:2048
 
-openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+if [ "$1" = "-?" ] || [ "$1" = "--help" ]; then
+	cat <<_EOF_
+Create a local CA with a given key algorithm.
 
-openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+Usage: $0 [options] keyalgo
 
+The following key algorithms are supported:
+  ${SUPPORTED_ALGORITHMS}
+
+The following options are supported:
+    -?, --help  : Display this help screen and exit
+
+_EOF_
+	exit 0
+fi
+
+if [ "$1" != "" ]; then
+	keyalgo="$1"
+fi
+
+ima_gen_localca "${keyalgo}"
+exit $?

examples/ima-genkey-self.sh

@@ -1,29 +1,35 @@
 #!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
 
-GENKEY=x509_evm.genkey
+DIR=$(dirname "$0")
 
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
+cd "${DIR}" 1>/dev/null || exit 1
 
-[ req_distinguished_name ]
-O = `hostname`
-CN = `whoami` signing key
-emailAddress = `whoami`@`hostname`
+. ./functions
 
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
+#default key algorithm
+keyalgo=rsa:2048
 
-openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-		-outform DER -out x509_evm.der -keyout privkey_evm.pem
+if [ "$1" = "-?" ] || [ "$1" = "--help" ]; then
+	cat <<_EOF_
+Create an EVM/IMA file signing key with a given key algorithm. The key is also
+used by a self-signed CA.
 
-openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+Usage: $0 [options] keyalgo
 
+The following key algorithms are supported:
+  ${SUPPORTED_ALGORITHMS}
+
+The following options are supported:
+    -?, --help  : Display this help screen and exit
+
+_EOF_
+	exit 0
+fi
+
+if [ "$1" != "" ]; then
+	keyalgo="$1"
+fi
+
+ima_gen_signing_key_selfsigned "${keyalgo}"
+exit $?