Generate GOST keys as in import/kernel-5.4/kernel.spec

Mikhail Novosyolov 2020-03-20 21:10:53 +03:00
parent ef09314737
commit e5863297fd
2 changed files with 49 additions and 14 deletions

2
.gitignore vendored

@ -1,4 +1,4 @@
x509*.genkey x509*.genkey*
*.pem *.pem
*.tar *.tar
sha*.list sha*.list

61
key.sh

@ -1,25 +1,60 @@
#!/bin/sh #!/bin/sh
# Usage: EMAIL=vasya@pupkin.ru NUM=1 sh key.sh # Usage: EMAIL=vasya@pupkin.ru NUM=1 GOST_KEY=1 sh key.sh
set -efu set -efu
cat << EOF > "x509_${NUM}.genkey" cat << EOF > "x509_${NUM}.genkey.tpl"
[ req ] [ req ]
prompt = no prompt = no
default_bits = 4096 string_mask = utf8only
default_md = sha512
default_keyfile = full_key${NUM}.pem
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
x509_extensions = myexts
[ req_distinguished_name ] [ req_distinguished_name ]
organizationName = ROSA Linux organizationName = ROSA Linux
commonName = Additional private kernel modules signing key #${NUM} commonName = Kernel modules signing @ALGO@ key ${NUM}
emailAddress = ${EMAIL} emailAddress = ${EMAIL}
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF EOF
openssl req -new -nodes -utf8 -batch -x509 \ sed -e 's,@ALGO@,RSA,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.RSA"
-days 109500 \ sed -e 's,@ALGO@,GOST R 34.10-2012,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.GOST"
-config "x509_${NUM}.genkey" \
-outform PEM \
-out "full_key${NUM}.pem" \
-keyout "full_key${NUM}.pem"
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "full_key${NUM}.pem" > "public${NUM}.pem" _libressl_gen_key(){
if [ "$GOST_KEY" = 1 ]
then
lssl_req_gost_args="\
-newkey gost2001 \
-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
-streebog512"
OUT="full_key_GOST_${NUM}.pem"
CONFIG="x509_${NUM}.genkey.GOST"
else
lssl_req_gost_args=""
OUT="full_key_RSA_${NUM}.pem"
CONFIG="x509_${NUM}.genkey.RSA"
fi
libressl req -new -nodes -utf8 -batch \
$lssl_req_gost_args \
-days 109500 \
-x509 -config "$CONFIG" \
-outform PEM \
-out "$OUT" \
-keyout "$OUT"
# Verify
if [ "$GOST_KEY" = 1 ]; then
libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
fi
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "$OUT" > "$(echo "$OUT" | sed -e 's,full_key_,public_key_,g')"
}
_libressl_gen_key
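Review bot: The RSA branch of `_libressl_gen_key` sets `lssl_req_gost_args=""`, and the new template no longer appears to carry `default_bits = 4096` or `default_md = sha512`, so the RSA key size and signature digest now fall back to whatever the installed libressl defaults to. For a module-signing certificate issued with `-days 109500`, both are worth pinning explicitly, e.g. `lssl_req_gost_args="-newkey rsa:4096 -sha512"` in the `else` branch. Separately, `-nodes` writes the unencrypted private key to `$OUT` under the caller's umask, so a `umask 077` before the `libressl req` call would keep the file owner-only. The verification greps run only when `GOST_KEY` is 1, so a weaker RSA result would currently pass unnoticed.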