From 50df393c3d906e8288ba87cef134d6e51629ceec Mon Sep 17 00:00:00 2001
From: jocover
Date: Wed, 28 Feb 2024 00:16:51 +0800
Subject: [PATCH] update certificate generation script to support v3 certificates
---
 main/cert/u2f_genkeys.sh | 10 +++++++---
 main/cert/v3.ext | 4 ++++
 2 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 main/cert/v3.ext
diff --git a/main/cert/u2f_genkeys.sh b/main/cert/u2f_genkeys.sh
index abe93ed..9bb4185 100644
--- a/main/cert/u2f_genkeys.sh
+++ b/main/cert/u2f_genkeys.sh
@@ -6,10 +6,14 @@ if [ \! -e esp32key.pem ]; then
 openssl ecparam -genkey -out esp32key.pem -name prime256v1
 fi
+openssl ecparam -genkey -name prime256v1 -out root_key.pem
+openssl req -new -key root_key.pem -out root_key.pem.csr -subj "/C=US/ST=Maine/O=OpenSourceSecurity/OU=Root CA/CN=ROOT CA/emailAddress=example@example.com"
+openssl x509 -trustout -req -days 18250 -in root_key.pem.csr -signkey root_key.pem -out root_cert.pem -sha256
+
 openssl ec -in esp32key.pem -outform DER -no_public | tail -c +8 | head -c 32 > u2f_cert_key.bin
-openssl req -new -key esp32key.pem -out esp32cert.req -subj "/CN=ESP32 U2F"
-openssl x509 -req -in esp32cert.req -signkey esp32key.pem -days 3650 -out esp32cert.pem
+openssl req -new -key esp32key.pem -out esp32cert.req -subj "/C=US/ST=Maine/O=OpenSourceSecurity/OU=Authenticator Attestation/CN=ESP32 U2F/emailAddress=example@example.com"
+openssl x509 -req -in esp32cert.req -CA root_cert.pem -CAkey root_key.pem -extfile v3.ext -set_serial 01 -days 18250 -out esp32cert.pem -sha256
 openssl x509 -in esp32cert.pem -outform der -out u2f_cert.bin
-rm esp32cert.req esp32cert.pem
+rm root_key.pem.csr esp32cert.req esp32cert.pem
diff --git a/main/cert/v3.ext b/main/cert/v3.ext
new file mode 100644
index 0000000..59b5829
--- /dev/null
+++ b/main/cert/v3.ext
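Review bot: The root CA is regenerated on every run: unlike the esp32key.pem block just above them, the three added `root_key.pem` lines have no existence check, so each invocation replaces the CA key and certificate and attestation certificates issued by earlier runs no longer chain to the root currently on disk. Because the leaf is signed with a fixed `-set_serial 01`, every run also emits a certificate with serial 1 under the same issuer DN, and the serial is what relying parties and revocation tooling use to tell certificates from one issuer apart. Guarding the root generation the same way as esp32key.pem and replacing `-set_serial 01` with `-CAcreateserial` (OpenSSL then keeps a `root_cert.srl` counter beside the CA) gives one stable root and a unique serial per issued certificate; the `rm` of root_key.pem.csr then needs `-f`, since the CSR only exists on the first run. None of the openssl invocations has its exit status checked, which matters if the script header (outside the hunk) does not set `-e`: a failed signing step would leave an earlier esp32cert.pem to be converted into u2f_cert.bin. The root private key is also written unencrypted into the working directory next to the build artefacts; whether it belongs there rather than in a protected location is worth deciding explicitly.
```shell
if [ \! -e root_key.pem ]; then
    openssl ecparam -genkey -name prime256v1 -out root_key.pem
    openssl req -new -key root_key.pem -out root_key.pem.csr -subj "/C=US/ST=Maine/O=OpenSourceSecurity/OU=Root CA/CN=ROOT CA/emailAddress=example@example.com"
    openssl x509 -trustout -req -days 18250 -in root_key.pem.csr -signkey root_key.pem -out root_cert.pem -sha256
fi

# … unchanged: u2f_cert_key.bin extraction and esp32cert.req request …
openssl x509 -req -in esp32cert.req -CA root_cert.pem -CAkey root_key.pem -extfile v3.ext -CAcreateserial -days 18250 -out esp32cert.pem -sha256
# … unchanged: DER conversion to u2f_cert.bin …
rm -f root_key.pem.csr esp32cert.req esp32cert.pem
```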
@@ -0,0 +1,4 @@
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
\ No newline at end of file
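Review bot: The `keyUsage` line grants keyEncipherment and dataEncipherment to a certificate whose key is the prime256v1 ECDSA key from u2f_genkeys.sh, and neither bit applies to it: key encipherment describes RSA-style key transport, and an attestation certificate is only ever used to verify signatures. A validator that checks key usage against the key type may reject or warn on the combination, so narrowing the line to `keyUsage = critical, digitalSignature` is safer and describes what the certificate actually does. For an end-entity certificate the constraint is also normally marked critical, `basicConstraints = critical, CA:FALSE`, so a path builder cannot ignore it. The file additionally lacks a trailing newline, which some tooling diffs noisily.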