kernel-keys/key.sh

#!/bin/sh
# Usage: EMAIL=vasya@pupkin.ru NUM=1 GOST_KEY=1 sh key.sh
set -efu

cat << EOF > "x509_${NUM}.genkey.tpl"
[ req ]
prompt = no
string_mask = utf8only
distinguished_name = req_distinguished_name
x509_extensions = myexts
[ req_distinguished_name ]
organizationName = ROSA Linux
commonName = Kernel modules signing @ALGO@ key ${NUM}
emailAddress = ${EMAIL}
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

sed -e 's,@ALGO@,RSA,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.RSA"
sed -e 's,@ALGO@,GOST R 34.10-2012,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.GOST"

_libressl_gen_key(){
	if [ "$GOST_KEY" = 1 ]
	then
		lssl_req_gost_args="\
			-newkey gost2001 \
			-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
			-streebog512"
		OUT="full_key_GOST_${NUM}.pem"
		CONFIG="x509_${NUM}.genkey.GOST"
	else
		lssl_req_gost_args=""
		OUT="full_key_RSA_${NUM}.pem"
		CONFIG="x509_${NUM}.genkey.RSA"
	fi
		libressl req -new -nodes -utf8 -batch \
			$lssl_req_gost_args \
			-days 109500 \
			-x509 -config "$CONFIG" \
			-outform PEM \
			-out "$OUT" \
			-keyout "$OUT"

	# Verify
	if [ "$GOST_KEY" = 1 ]; then
		libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
			| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
		libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
			| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
		libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
			| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
	fi
	
	sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "$OUT" > "$(echo "$OUT" | sed -e 's,full_key_,public_key_,g')"
}

_libressl_gen_key
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`#!/bin/sh`
Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`# Usage: EMAIL=vasya@pupkin.ru NUM=1 GOST_KEY=1 sh key.sh`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`set -efu`

Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`cat << EOF > "x509_${NUM}.genkey.tpl"`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`[ req ]`
			`prompt = no`
Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`string_mask = utf8only`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`distinguished_name = req_distinguished_name`
Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`x509_extensions = myexts`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`[ req_distinguished_name ]`
			`organizationName = ROSA Linux`
Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`commonName = Kernel modules signing @ALGO@ key ${NUM}`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`emailAddress = ${EMAIL}`
Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`[ myexts ]`
			`basicConstraints=critical,CA:FALSE`
			`keyUsage=digitalSignature`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00			`EOF`

Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`sed -e 's,@ALGO@,RSA,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.RSA"`
			`sed -e 's,@ALGO@,GOST R 34.10-2012,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.GOST"`
Init (for import/kernel-5.3) 2019-11-17 16:28:40 +03:00
Generate GOST keys as in import/kernel-5.4/kernel.spec 2020-03-20 21:10:53 +03:00			`_libressl_gen_key(){`
			`if [ "$GOST_KEY" = 1 ]`
			`then`
			`lssl_req_gost_args="\`
			`-newkey gost2001 \`
			`-pkeyopt dgst:streebog512 -pkeyopt paramset:A \`
			`-streebog512"`
			`OUT="full_key_GOST_${NUM}.pem"`
			`CONFIG="x509_${NUM}.genkey.GOST"`
			`else`
			`lssl_req_gost_args=""`
			`OUT="full_key_RSA_${NUM}.pem"`
			`CONFIG="x509_${NUM}.genkey.RSA"`
			`fi`
			`libressl req -new -nodes -utf8 -batch \`
			`$lssl_req_gost_args \`
			`-days 109500 \`
			`-x509 -config "$CONFIG" \`
			`-outform PEM \`
			`-out "$OUT" \`
			`-keyout "$OUT"`

			`# Verify`
			`if [ "$GOST_KEY" = 1 ]; then`
			`libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \`
			`\| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'`
			`libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \`
			`\| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'`
			`libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \`
			`\| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'`
			`fi`

			`sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "$OUT" > "$(echo "$OUT" \| sed -e 's,full_key_,public_key_,g')"`
			`}`

			`_libressl_gen_key`