Generate GOST keys as in import/kernel-5.4/kernel.spec
parent
ef09314737
commit
e5863297fd
2 changed files with 49 additions and 14 deletions
2
.gitignore
vendored
|
@ -1,4 +1,4 @@
|
|||
x509*.genkey
|
||||
x509*.genkey*
|
||||
*.pem
|
||||
*.tar
|
||||
sha*.list
|
||||
|
|
61
key.sh
|
@ -1,25 +1,60 @@
|
|||
#!/bin/sh
|
||||
# Usage: EMAIL=vasya@pupkin.ru NUM=1 sh key.sh
|
||||
# Usage: EMAIL=vasya@pupkin.ru NUM=1 GOST_KEY=1 sh key.sh
|
||||
set -efu
|
||||
|
||||
cat << EOF > "x509_${NUM}.genkey"
|
||||
cat << EOF > "x509_${NUM}.genkey.tpl"
|
||||
[ req ]
|
||||
prompt = no
|
||||
default_bits = 4096
|
||||
default_md = sha512
|
||||
default_keyfile = full_key${NUM}.pem
|
||||
string_mask = utf8only
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = myexts
|
||||
[ req_distinguished_name ]
|
||||
organizationName = ROSA Linux
|
||||
commonName = Additional private kernel modules signing key #${NUM}
|
||||
commonName = Kernel modules signing @ALGO@ key ${NUM}
|
||||
emailAddress = ${EMAIL}
|
||||
[ myexts ]
|
||||
basicConstraints=critical,CA:FALSE
|
||||
keyUsage=digitalSignature
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid
|
||||
EOF
|
||||
|
||||
openssl req -new -nodes -utf8 -batch -x509 \
|
||||
-days 109500 \
|
||||
-config "x509_${NUM}.genkey" \
|
||||
-outform PEM \
|
||||
-out "full_key${NUM}.pem" \
|
||||
-keyout "full_key${NUM}.pem"
|
||||
sed -e 's,@ALGO@,RSA,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.RSA"
|
||||
sed -e 's,@ALGO@,GOST R 34.10-2012,g' "x509_${NUM}.genkey.tpl" > "x509_${NUM}.genkey.GOST"
|
||||
|
||||
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "full_key${NUM}.pem" > "public${NUM}.pem"
|
||||
_libressl_gen_key(){
|
||||
if [ "$GOST_KEY" = 1 ]
|
||||
then
|
||||
lssl_req_gost_args="\
|
||||
-newkey gost2001 \
|
||||
-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
|
||||
-streebog512"
|
||||
OUT="full_key_GOST_${NUM}.pem"
|
||||
CONFIG="x509_${NUM}.genkey.GOST"
|
||||
else
|
||||
lssl_req_gost_args=""
|
||||
OUT="full_key_RSA_${NUM}.pem"
|
||||
CONFIG="x509_${NUM}.genkey.RSA"
|
||||
fi
|
||||
libressl req -new -nodes -utf8 -batch \
|
||||
$lssl_req_gost_args \
|
||||
-days 109500 \
|
||||
-x509 -config "$CONFIG" \
|
||||
-outform PEM \
|
||||
-out "$OUT" \
|
||||
-keyout "$OUT"
|
||||
|
||||
# Verify
|
||||
if [ "$GOST_KEY" = 1 ]; then
|
||||
libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
|
||||
| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
|
||||
libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
|
||||
| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
|
||||
libressl x509 -in "full_key_GOST_${NUM}.pem" -text -noout \
|
||||
| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
|
||||
fi
|
||||
|
||||
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' "$OUT" > "$(echo "$OUT" | sed -e 's,full_key_,public_key_,g')"
|
||||
}
|
||||
|
||||
_libressl_gen_key
|
||||
|
|
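Review bot: The `libressl req` call in `_libressl_gen_key` writes the private key unencrypted (`-nodes`) into `$OUT`, and nothing in the script restricts the file mode, so the key's permissions depend on the caller's umask and on how libressl creates the file. Adding `umask 077` right after `set -efu` would keep the `full_key_*` files owner-only in either case; the extracted `public_key_*` certificate can be made readable afterwards with `chmod 644` if needed. Separately, because of `set -u` the test `[ "$GOST_KEY" = 1 ]` aborts when GOST_KEY is unset, so the RSA path only works with an explicit `GOST_KEY=0`; writing `[ "${GOST_KEY:-0}" = 1 ]` in both tests would make the variable optional, and the usage comment could say so.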