diff options
| author | trasz <trasz@FreeBSD.org> | 2015-05-15 15:10:34 +0000 |
|---|---|---|
| committer | trasz <trasz@FreeBSD.org> | 2015-05-15 15:10:34 +0000 |
| commit | 3e1105b367e942c41bdccdfffe5f9779667f9726 (patch) | |
| tree | 44f6152c49415e388422ef11cc249ed8c94a3e05 /share | |
| parent | 0ba19b5b1c5d32c9b8ddf7913ce3c60ca062db93 (diff) | |
| download | FreeBSD-src-3e1105b367e942c41bdccdfffe5f9779667f9726.zip FreeBSD-src-3e1105b367e942c41bdccdfffe5f9779667f9726.tar.gz | |
MFC r279317:
Add key/cert generation script for uefisign(8).
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'share')
| -rw-r--r-- | share/examples/Makefile | 6 | ||||
| -rwxr-xr-x | share/examples/uefisign/uefikeys | 40 |
2 files changed, 44 insertions, 2 deletions
diff --git a/share/examples/Makefile b/share/examples/Makefile index 00951d9..9d71e7a 100644 --- a/share/examples/Makefile +++ b/share/examples/Makefile @@ -27,7 +27,8 @@ LDIRS= BSD_daemon \ printing \ ses \ scsi_target \ - sunrpc + sunrpc \ + uefisign XFILES= BSD_daemon/FreeBSD.pfa \ BSD_daemon/README \ @@ -181,7 +182,8 @@ XFILES= BSD_daemon/FreeBSD.pfa \ sunrpc/sort/Makefile \ sunrpc/sort/rsort.c \ sunrpc/sort/sort.x \ - sunrpc/sort/sort_proc.c + sunrpc/sort/sort_proc.c \ + uefisign/uefikeys BINDIR= ${SHAREDIR}/examples diff --git a/share/examples/uefisign/uefikeys b/share/examples/uefisign/uefikeys new file mode 100755 index 0000000..5f9171b --- /dev/null +++ b/share/examples/uefisign/uefikeys @@ -0,0 +1,40 @@ +#!/bin/sh +# +# See uefisign(8) manual page for usage instructions. +# +# $FreeBSD$ +# + +die() { + echo "$*" > /dev/stderr + exit 1 +} + +if [ $# -ne 1 ]; then + echo "usage: $0 common-name" + exit 1 +fi + +certfile="${1}.pem" +efifile="${1}.cer" +keyfile="${1}.key" +p12file="${1}.p12" +# XXX: Set this to ten years; we don't want system to suddenly stop booting +# due to certificate expiration. Better way would be to use Authenticode +# Timestamp. That said, the rumor is UEFI implementations ignore it anyway. +days="3650" +subj="/CN=${1}" + +[ ! -e "${certfile}" ] || die "${certfile} already exists" +[ ! -e "${efifile}" ] || die "${efifile} already exists" +[ ! -e "${keyfile}" ] || die "${keyfile} already exists" +[ ! -e "${p12file}" ] || die "${p12file} already exists" + +umask 077 || die "umask 077 failed" + +openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed" +openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed" +openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed" +openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed" + +echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}" |
