From e5863297fd5e51b8cf9145bbcfddbe7027c60574 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Fri, 20 Mar 2020 21:10:53 +0300
Subject: [PATCH] Generate GOST keys as in import/kernel-5.4/kernel.spec

---
 .gitignore | 2 +-
 key.sh | 61 ++++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/.gitignore b/.gitignore
index 53d3a89..3eb36c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-x509*.genkey
+x509*.genkey*
 *.pem
 *.tar
 sha*.list
diff --git a/key.sh b/key.sh
index 1a389aa..46dee9f 100755
--- a/key.sh
+++ b/key.sh
@@ -1,25 +1,60 @@
 #!/bin/sh
-# Usage: EMAIL=vasya@pupkin.ru NUM=1 sh key.sh
+# Usage: EMAIL=vasya@pupkin.ru NUM=1 GOST_KEY=1 sh key.sh
 set -efu
-cat << EOF > "x509_${NUM}.genkey"
+cat << EOF > "x509_${NUM}.genkey.tpl"
 [ req ]
 prompt = no
-default_bits = 4096
-default_md = sha512
-default_keyfile = full_key${NUM}.pem
+string_mask = utf8only
 distinguished_name = req_distinguished_name
+x509_extensions = myexts
 [ req_distinguished_name ]
 organizationName = ROSA Linux
-commonName = Additional private kernel modules signing key #${NUM}
+commonName = Kernel modules signing @ALGO@ key ${NUM}
 emailAddress = ${EMAIL}
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
 EOF
-openssl req -new -nodes -utf8 -batch -x509 \
-	-days 109500 \
-	-config "x509_${NUM}.genkey" \
-	-outform PEM \
-	-out "full_key${NUM}.pem" \
-	-keyout "full_key${NUM}.pem"
+sed -e 's,@ALGO@,RSA,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.RSA"
+sed -e 's,@ALGO@,GOST R 34.10-2012,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.GOST"
-sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "full_key${NUM}.pem" > "public${NUM}.pem"
+_libressl_gen_key(){
+	if [ "$GOST_KEY" = 1 ]
+	then
+		lssl_req_gost_args="\
+		-newkey gost2001 \
+		-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
+		-streebog512"
+		OUT="full_key_GOST_${NUM}.pem"
+		CONFIG="x509_${NUM}.genkey.GOST"
+	else
+		lssl_req_gost_args=""
+		OUT="full_key_RSA_${NUM}.pem"
+		CONFIG="x509_${NUM}.genkey.RSA"
+	fi
+	libressl req -new -nodes -utf8 -batch \
+		$lssl_req_gost_args \
+		-days 109500 \
+		-x509 -config "$CONFIG" \
+		-outform PEM \
+		-out "$OUT" \
+		-keyout "$OUT"
+
+	# Verify
+	if [ "$GOST_KEY" = 1 ]; then
+		libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
+		| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
+		libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
+		| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
+		libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
+		| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
+	fi
+
+	sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "$OUT" > "$(echo "$OUT" | sed -e 's,full_key_,public_key_,g')"
+}
+
+_libressl_gen_key
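Review bot: The RSA path loses the key size and digest the old config pinned: `default_bits = 4096` and `default_md = sha512` are removed from the template, and the `else` branch passes no `-newkey` or digest option, so the RSA key falls back to whatever `libressl req` defaults to (most likely 2048-bit with SHA-256), which is a silent downgrade from the previous 4096/SHA-512. Set them explicitly in the RSA branch, e.g. `lssl_req_gost_args="-newkey rsa:4096 -sha512"`, and give the `# Verify` block an RSA counterpart such as `libressl x509 -in "$OUT" -text -noout | grep -E 'Public-Key: \(4096 bit\)'` so a downgrade fails the run the way the GOST greps do. Separately, `-nodes -keyout "$OUT"` writes an unencrypted module-signing key with whatever umask the caller has, so an `umask 077` right after `set -efu` would keep `full_key_*.pem` from being created world-readable. The `-newkey gost2001 -pkeyopt paramset:A` combination with `-streebog512` is also worth confirming against the LibreSSL build in use, since paramset A is, as far as I know, a 256-bit CryptoPro parameter set rather than a 512-bit 34.10-2012 one; the signature/public-key greps will at least abort if the result is not a 34.10-2012 certificate.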