From a0d6141b9dae48cb669e85535d069e3b87a80f9a Mon Sep 17 00:00:00 2001 From: Itxaka Date: Tue, 26 Sep 2023 09:31:17 +0200 Subject: [PATCH] More uki improvements - Use test keys for development, easier to test if we always sign with the same key as we only need to insert into the EFI once - Sign systemd-boot - Also copy and create an entry for mokmanager so we can enroll keys using it if needed - Bump packages with uki fixes for layout Signed-off-by: Itxaka --- Earthfile | 97 ++++++++++++++++++++--------------------- framework-profile.yaml | 4 +- tests/keys/DB.crt | 19 ++++++++ tests/keys/DB.der | Bin 0 -> 781 bytes tests/keys/DB.key | 28 ++++++++++++ tests/keys/KEK.crt | 19 ++++++++ tests/keys/KEK.der | Bin 0 -> 783 bytes tests/keys/KEK.key | 28 ++++++++++++ tests/keys/PK.crt | 19 ++++++++ tests/keys/PK.der | Bin 0 -> 781 bytes tests/keys/PK.key | 28 ++++++++++++ tests/keys/README.md | 8 ++++ 12 files changed, 198 insertions(+), 52 deletions(-) create mode 100644 tests/keys/DB.crt create mode 100644 tests/keys/DB.der create mode 100644 tests/keys/DB.key create mode 100644 tests/keys/KEK.crt create mode 100644 tests/keys/KEK.der create mode 100644 tests/keys/KEK.key create mode 100644 tests/keys/PK.crt create mode 100644 tests/keys/PK.der create mode 100644 tests/keys/PK.key create mode 100644 tests/keys/README.md diff --git a/Earthfile b/Earthfile index 4beb94596a..a555424a20 100644 --- a/Earthfile +++ b/Earthfile 
@@ -544,18 +544,24 @@ uki: uki-signed: FROM +uki-tools-image + # HOW TO: Generate the keys # Platform key - RUN openssl req -new -x509 -subj "/CN=Kairos PK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout PK.key -out PK.crt - # CER keys are for FW install - RUN openssl x509 -in PK.crt -out PK.auth -outform DER + # RUN openssl req -new -x509 -subj "/CN=Kairos PK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout PK.key -out PK.crt + # DER keys are for FW install + # RUN openssl x509 -in PK.crt -out PK.der -outform DER # Key exchange - RUN openssl req -new -x509 -subj "/CN=Kairos KEK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout KEK.key -out KEK.crt - # CER keys are for FW install - RUN openssl x509 -in KEK.crt -out KEK.auth -outform DER + # RUN openssl req -new -x509 -subj "/CN=Kairos KEK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout KEK.key -out KEK.crt + # DER keys are for FW install + # RUN openssl x509 -in KEK.crt -out KEK.der -outform DER # Signature DB - RUN openssl req -new -x509 -subj "/CN=Kairos DB/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout DB.key -out DB.crt - # CER keys are for FW install - RUN openssl x509 -in DB.crt -out DB.auth -outform DER + # RUN openssl req -new -x509 -subj "/CN=Kairos DB/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout DB.key -out DB.crt + # DER keys are for FW install + # RUN openssl x509 -in DB.crt -out DB.der -outform DER + # But for now just use test keys pre-generated for easy testing. + # NOTE: NEVER EVER EVER use this keys for signing anything that its going outside your computer + # This is for easy testing SecureBoot locally for development purposes + # Installing this keys in other place than a VM for testing SecureBoot is irresponsible + COPY tests/keys/* . COPY +uki/uki.efi uki.efi COPY +uki/Uname Uname ARG KVERSION=$(cat Uname) 
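Review bot: `COPY tests/keys/* .` makes the committed test keys the only signing path for `uki-signed`, and the glob also pulls PK.key and KEK.key into the build image even though the `sbsign` calls in the next hunk use only DB.key and DB.crt. Because these private keys are published in the repository, any firmware that has the matching PK.der/KEK.der/DB.der enrolled will accept binaries signed by anyone who has a checkout. The comment warns about this but nothing in the target enforces it, and `iso-uki` consumes the same artifacts. I would narrow the copy to what is used, e.g. `COPY tests/keys/DB.key tests/keys/DB.crt tests/keys/PK.der tests/keys/KEK.der tests/keys/DB.der ./`, and take the key directory from an ARG so a non-test build can supply its own keys. The body of `uki-signed` continues past this hunk.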
@@ -565,18 +571,17 @@ uki-signed: ARG TARGETARCH ARG ISO_NAME=${OS_ID}-${VARIANT}-${FLAVOR}-${TARGETARCH}-${MODEL}-${VERSION} + # Actuall signing of the binaries with the keys RUN sbsign --key DB.key --cert DB.crt --output uki.signed.efi uki.efi - - SAVE ARTIFACT /boot/efi/EFI/fedora/mmx64.efi MokManager.efi - SAVE ARTIFACT PK.key PK.key AS LOCAL build/PK.key - SAVE ARTIFACT PK.crt PK.crt AS LOCAL build/PK.crt - SAVE ARTIFACT PK.auth PK.auth AS LOCAL build/PK.auth - SAVE ARTIFACT KEK.key KEK.key AS LOCAL build/KEK.key - SAVE ARTIFACT KEK.crt KEK.crt AS LOCAL build/KEK.crt - SAVE ARTIFACT KEK.auth KEK.auth AS LOCAL build/KEK.auth - SAVE ARTIFACT DB.key DB.key AS LOCAL build/DB.key - SAVE ARTIFACT DB.crt DB.crt AS LOCAL build/DB.crt - SAVE ARTIFACT DB.auth DB.auth AS LOCAL build/DB.auth + RUN sbsign --key DB.key --cert DB.crt --output systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi + RUN sbsign --key DB.key --cert DB.crt --output MokManager.signed.efi /boot/efi/EFI/fedora/mmx64.efi + + SAVE ARTIFACT MokManager.signed.efi MokManager.efi + SAVE ARTIFACT systemd-bootx64.signed.efi systemd-bootx64.efi + # Only provide the der files as those are the one for installing in the firmware (like public keys kind of?) + SAVE ARTIFACT PK.der PK.der AS LOCAL build/PK.der + SAVE ARTIFACT KEK.der KEK.der AS LOCAL build/KEK.der + SAVE ARTIFACT DB.der DB.der AS LOCAL build/DB.der SAVE ARTIFACT uki.signed.efi uki.efi AS LOCAL build/$ISO_NAME.signed-$KVERSION.efi # This target will prepare a disk.img ready with the uki artifact on it for qemu. Just attach it to qemu and mark you vm to boot from that disk 
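Review bot: The comment above the `SAVE ARTIFACT PK.der` lines ends in a guess, "(like public keys kind of?)", which leaves a reader unsure what is safe to export from this target. Going by the openssl commands kept as comments in the previous hunk, the .der files are the X.509 certificates re-encoded as DER, so they carry only public material. I would state that directly: `# Export only the DER-encoded certificates (public halves) for firmware enrollment; the .key files are not saved as artifacts`. The comment before the first `sbsign` line also has a typo, `Actuall`.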
@@ -587,15 +592,9 @@ prepare-uki-disk-image: ARG SIGNED_EFI=false IF [ "$SIGNED_EFI" = "true" ] COPY +uki-signed/uki.efi . - COPY +uki-signed/PK.key . - COPY +uki-signed/PK.crt . - COPY +uki-signed/PK.auth . - COPY +uki-signed/KEK.key . - COPY +uki-signed/KEK.crt . - COPY +uki-signed/KEK.auth . - COPY +uki-signed/DB.key . - COPY +uki-signed/DB.crt . - COPY +uki-signed/DB.auth . + COPY +uki-signed/PK.der . + COPY +uki-signed/KEK.der . + COPY +uki-signed/DB.der . COPY +uki-signed/MokManager.efi . ELSE COPY +uki/uki.efi . @@ -606,15 +605,9 @@ prepare-uki-disk-image: RUN mmd -i disk.img ::/EFI/BOOT RUN mcopy -i disk.img uki.efi ::/EFI/BOOT/BOOTX64.efi IF [ "$SIGNED_EFI" = "true" ] - RUN mcopy -i disk.img PK.key ::/EFI/BOOT/PK.key - RUN mcopy -i disk.img PK.crt ::/EFI/BOOT/PK.crt - RUN mcopy -i disk.img PK.cer ::/EFI/BOOT/PK.auth - RUN mcopy -i disk.img KEK.key ::/EFI/BOOT/KEK.key - RUN mcopy -i disk.img KEK.crt ::/EFI/BOOT/KEK.crt - RUN mcopy -i disk.img KEK.cer ::/EFI/BOOT/KEK.auth - RUN mcopy -i disk.img DB.key ::/EFI/BOOT/DB.key - RUN mcopy -i disk.img DB.crt ::/EFI/BOOT/DB.crt - RUN mcopy -i disk.img DB.cer ::/EFI/BOOT/DB.auth + RUN mcopy -i disk.img PK.cer ::/EFI/BOOT/PK.der + RUN mcopy -i disk.img KEK.cer ::/EFI/BOOT/KEK.der + RUN mcopy -i disk.img DB.cer ::/EFI/BOOT/DB.der RUN mcopy -i disk.img MokManager.efi ::/EFI/BOOT/mmx64.efi END RUN mdir -i disk.img ::/EFI/BOOT 
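Review bot: The three rewritten `mcopy` lines in the second hunk (-606) still read from `PK.cer`, `KEK.cer` and `DB.cer`, but the first hunk (-587) now copies `PK.der`, `KEK.der` and `DB.der` into the working directory. With `SIGNED_EFI=true` the visible lines provide no `.cer` files, so the step would presumably fail. The source names should match what was copied: `RUN mcopy -i disk.img PK.der ::/EFI/BOOT/PK.der`, and likewise for KEK and DB. `prepare-uki-disk-image` starts and ends outside both hunks.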
@@ -649,13 +642,15 @@ iso-uki: FROM $OSBUILDER_IMAGE WORKDIR /build COPY +uki-signed/uki.efi . - COPY +uki-signed/PK.auth . - COPY +uki-signed/KEK.auth . - COPY +uki-signed/DB.auth . + COPY +uki-signed/PK.der . + COPY +uki-signed/KEK.der . + COPY +uki-signed/DB.der . COPY +uki-signed/MokManager.efi . + COPY +uki-signed/systemd-bootx64.efi . # Set the name for kairos manually as otherwise it picks it from the os-release automatically RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf - RUN printf "default kairos.conf" > loader.conf + RUN printf "title MokManager\nefi /EFI/tools/MokManager.efi" > mokmanager.conf + RUN printf "default kairos.conf" > loader.conf RUN mkdir -p /build/efi # TODO: Create the img size based on the actual efi size! RUN dd if=/dev/zero of=/build/efi/efiboot.img bs=1G count=1 
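Review bot: The new `mokmanager.conf` line puts a key-enrollment tool in the boot menu of every ISO built by `iso-uki`, with no comment saying when it is meant to be used. The commit message gives the reason (enrolling keys if needed), so I would record it next to the line and, if that is the intent, mark it as a development aid: `# Dev aid: menu entry to start MokManager for manual key enrollment; review before shipping in a release ISO`. `iso-uki` continues outside the hunk.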
@@ -668,19 +663,21 @@ iso-uki: RUN mmd -i /build/efi/efiboot.img ::loader/entries RUN mmd -i /build/efi/efiboot.img ::loader/keys RUN mmd -i /build/efi/efiboot.img ::loader/keys/kairos - # Copy keys, not sure which ones lol - RUN mcopy -i /build/efi/efiboot.img /build/PK.auth ::loader/keys/kairos/PK.auth - RUN mcopy -i /build/efi/efiboot.img /build/KEK.auth ::loader/keys/kairos/KEK.auth - RUN mcopy -i /build/efi/efiboot.img /build/DB.auth ::loader/keys/kairos/DB.auth - # Copy kairos efi. This dir will make system-boot autosearch and add to entries automatically - # /EFI/Linux/ - # but here we do it by using systemd-boot + # Mokmanager + RUN mcopy -i /build/efi/efiboot.img /build/MokManager.efi ::EFI/tools/MokManager.efi + RUN mcopy -i /build/efi/efiboot.img /build/mokmanager.conf ::loader/entries/mokmanager.conf + # Copy keys + RUN mcopy -i /build/efi/efiboot.img /build/PK.der ::loader/keys/kairos/PK.der + RUN mcopy -i /build/efi/efiboot.img /build/KEK.der ::loader/keys/kairos/KEK.der + RUN mcopy -i /build/efi/efiboot.img /build/DB.der ::loader/keys/kairos/DB.der + # Copy kairos efi. This dir would make system-boot autosearch and add to entries automatically /EFI/Linux/ + # but here we do it by using systemd-boot as fallback so it sets the proper efivars RUN mcopy -i /build/efi/efiboot.img /build/kairos.conf ::loader/entries/kairos.conf RUN mcopy -i /build/efi/efiboot.img /build/uki.efi ::EFI/kairos/kairos.EFI # systemd-boot as bootloader RUN mcopy -i /build/efi/efiboot.img /build/loader.conf ::loader/loader.conf # TODO: TARGETARCH should change the output name to BOOTAA64.EFI in arm64! - RUN mcopy -i /build/efi/efiboot.img /usr/lib/systemd/boot/efi/systemd-bootx64.efi ::EFI/BOOT/BOOTX64.EFI + RUN mcopy -i /build/efi/efiboot.img /build/systemd-bootx64.efi ::EFI/BOOT/BOOTX64.EFI RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/ SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso 
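Review bot: The `# Copy keys` block places PK.der, KEK.der and DB.der under `loader/keys/kairos/`, the directory systemd-boot scans for Secure Boot enrollment. systemd-boot looks there for signed variable updates named `PK.auth`, `KEK.auth` and `db.auth`, not DER certificates. As written the files are usable only for manual enrollment through the firmware setup, which the comment does not say. I would spell that out: `# DER certificates for manual enrollment from firmware setup; systemd-boot auto-enrollment would need PK.auth/KEK.auth/db.auth here`. The surrounding target starts outside the hunk.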
diff --git a/framework-profile.yaml b/framework-profile.yaml index 38345d4b90..20667b9132 100755 --- a/framework-profile.yaml +++ b/framework-profile.yaml @@ -173,9 +173,9 @@ repositories: priority: 2 urls: - "quay.io/kairos/packages" - reference: 20230925160905-repository.yaml + reference: 20230925211559-repository.yaml - !!merge <<: *kairos arch: arm64 urls: - "quay.io/kairos/packages-arm64" - reference: 20230925160137-repository.yaml + reference: 20230925212810-repository.yaml diff --git a/tests/keys/DB.crt b/tests/keys/DB.crt new file mode 100644 index 0000000000..213756bb1e --- /dev/null +++ b/tests/keys/DB.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUQ8Ef+QHp6mLYXXvX8/9YsKJDINYwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJS2Fpcm9zIERCMB4XDTIzMDkyNTE5NDg1NFoXDTMzMDky +MjE5NDg1NFowFDESMBAGA1UEAwwJS2Fpcm9zIERCMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA7yiYejq/rA33hFx4D2pg8pbCfZFpA2r1CGgJpaOw0emY +m9pe6PmHhfT+mifXUao3mC9hjtB+cD/LQNlu6gR4x6UMs3c6+i+y1PMldsO/F2vS +0mNz759BEawiO4x0bopr+oPJSvpkP5UUjYvJ8Cd5q5ON4rBEeCT9d8E9nG9uH3XQ +oQPAvzo9ehhnzAAmHS35i2hSl6rUMgwp6S24CKcGbwl1pNvoU528W0xr1hYOazba +/+rZQtuGqscUYUAbOLE1hOp/UWGms/m0ezTBsVkQ1RyQn6cWGrKVpTzaaN+1e5ai +xYyXc9/QzY5Rqd4qisTmwYBsHdeVhXp3ihJkWnTzrwIDAQABo1MwUTAdBgNVHQ4E +FgQU1McSdX5TgJ/FcIjI+SNwm6ss4MwwHwYDVR0jBBgwFoAU1McSdX5TgJ/FcIjI ++SNwm6ss4MwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAzO5C +E5BjEhwq050bxqqVDYGYXXaLHQsTBDeJGSnJnggODz4o5aKCiBjOAvNeT46maHAe +g7jJ4eNw5Beiqu2LQoTFQC/eCFs6frYRBNCewPMezmT+i+YqZvc/RZfgTY+64SRx +AHvfJuelU3pAS2gWAeg7gQZa0KTJG0ZWnULwy+pAcN2yckz5NOZ7Hl2PPTCUGyhz +uIgoZp1ds4xd6LmGssuMZB6phyhAdvhokrYesJT9BT8tCGgiqjUZWSpG8gJBoJXC +2KHn5iE70B4V/LICBa20PucH7rDgaJTJaKOJ5hp51S6dCUAt3prgPsD0sx+42LvN +OLolFoaI8pH5yJOehQ== +-----END CERTIFICATE----- 
diff --git a/tests/keys/DB.der b/tests/keys/DB.der new file mode 100644 index 0000000000000000000000000000000000000000..14468da23b54603067db2c7ba5fd7a12e82f9c87 GIT binary patch literal 781 zcmXqLV&*hxV*I#(nTe5!NyPb}{7=T0uaa)WR$u@8KVrioXN7A9ylk9WZ60mkc^MhG zSs4sO4228?*qB3En0Yw86ElnQixpg)4CKUljf@Q}jZ6(KO)N}JqQrTPL0ls!7l*DU zMkQq98Ce;an;7{SfG*-ZuLul)0NMvWrz2R zXJ5LMT>O5%qu?4P>zj*B-bWi;DpdZKAGDp5pC?~> zVIlK@{Z_VB66t3c)MRykc4q`lUvQw`v%6nQ}N1h#Q$dSE1wY93eODH9( zT&T1zxMBX$f{qhEl?!IC)_HKoKprHm%pzeR)_`3BKS+TvBjbM-Rs&`rg&gd_SOo?< zBg2_@PQnwCg=DlY&y_y5YASEzjM%bnS#Dt#^G-?4lk+(E`0X^FE^6wKILGuk&cAP2 zMuA-Oj*|}`7d#PPwCZiQQ_E2Y{d*kIR(0D1SuV^w@LBF$%D?VsT4~?yU8g_r?ceoK zrI4ZezS{Gp!Br048DfkttQ*;)E-X1I?G`rI>BH$)4h45N75V%$c~&hK+iz8>akawb$jyP+Daw8L8#=iOF%n)I&EG zK7XcYeL+t2&n70;wOj0-v%lN$AY;nOjK!VLq$;oK&E<5^y*KND-GMKg<#*iJeb!=^ Qs#sgcr-?sLOrF;Y08#5lTmS$7 literal 0 HcmV?d00001 diff --git a/tests/keys/DB.key b/tests/keys/DB.key new file mode 100644 index 0000000000..71e796021f --- /dev/null +++ b/tests/keys/DB.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDvKJh6Or+sDfeE +XHgPamDylsJ9kWkDavUIaAmlo7DR6Zib2l7o+YeF9P6aJ9dRqjeYL2GO0H5wP8tA +2W7qBHjHpQyzdzr6L7LU8yV2w78Xa9LSY3Pvn0ERrCI7jHRuimv6g8lK+mQ/lRSN +i8nwJ3mrk43isER4JP13wT2cb24fddChA8C/Oj16GGfMACYdLfmLaFKXqtQyDCnp +LbgIpwZvCXWk2+hTnbxbTGvWFg5rNtr/6tlC24aqxxRhQBs4sTWE6n9RYaaz+bR7 +NMGxWRDVHJCfpxYaspWlPNpo37V7lqLFjJdz39DNjlGp3iqKxObBgGwd15WFeneK +EmRadPOvAgMBAAECggEAAcwXzT9YxmW6ePOq8U622MvaPVBU7jIlEkGZ5PVEdGdh +frZW5UBOzOpo6WaoPxRc45djj8uwT46jK+MWasrKz5FFdanNNykZmnETVH+nFXl5 +dZxKuD/FoOjevvzQuS3wHstTvW0BSNsJcwDcbSIWz3vF4rC5av+4Kei5Wk4aEUFx +Ll/mwtDNbkXPRK1xXWg8Z69BwPIxIo9CESNkwRAQZr/1btBUXaMpHjmF8c76vj8z +ayD9gsDLGNYnU11cVbdlREi0J5CIVyPbBFuOoU27U9scTBJfrRBCCRLe19N6B0cQ +LEoLCdaG4CJz3kGX2ErBRWBu2w7qHZd3rD0JdE9KfQKBgQD3vHlT34+MFVG/4+z2 +8kfThHA/EfseK7KDy5FUGMomFXVlR5+6UbWmWcbjN9wl/iB+FfkYYSbX+gS0gYuq +hwlecIIM+sbPly0xjVvTXf8iihzaZsRx+fCfctHi087ZvbhCHXgYHRSBZ1u0dKoA +y4rnpeWP0I9ZGBvNznah2baCrQKBgQD3It+Z+7Pr1O1cBdqBHRJtzO1z1s2Opj5L +NICjHXCEcU1GzR1rGc20FXXaDcMbgisRob1w92ESrxHRsypUlboKtMfcf0/HbckN +FZLDxkxZENBUql9DenT69m4hEFn3KKOqi2D/RVjYBZrU+joWkv3tXcXiBjB+srgw +xeU1+j+3SwKBgQDoWPKKAZFGVvB3QrQK4C0RapND8/9LyrwA9Dn3X9Coa1PRi515 +SA1QWb85eDiXwYKD/uPDQ8sEoU8sZJuzcjcNRgQTXFh+dlFCuku3L9+Ma3CoPd5c +74gIY84KKZFFkrRv/eeW5h9HRsMxuoF/gWdj36owefEYJI5fNhb5sZGFeQKBgHxr +ICtDnuchwYXMpJ7P5hFFVF43TDF+3Gm8Ou7jyVvENuVoKmFbEkaRb02iFBHrTIeJ +5/fRcxuW69+o1azT3F+7d8s4hQ+f49IkhEjvskw8vMWDKIauRep62iLnOoPF/+/C +T8j0PrAy0ipa95eZ1SEFTrRl7VA75aMYXjb4j89VAoGAK+7UBmtTOLTVNUxNFXIP +66Ue0ZX+FOLollJYx42QvXmoqXayOb2H5EjZIIW3narom5Ox454zlWbty4Luncqr +bhfKBLhPqeoOw05h6Z+s9lfr++7rR6ZC8Q+r3m8W2MiEAVDxPIucwB1FPoy2zFG2 +jOLVMOsPlJ9FcRQKWupurdo= +-----END PRIVATE KEY----- diff --git a/tests/keys/KEK.crt b/tests/keys/KEK.crt new file mode 100644 index 0000000000..6cad9ab994 --- /dev/null +++ b/tests/keys/KEK.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCzCCAfOgAwIBAgIUFElXQYJNL9OmNok3nLKNWzDExuUwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKS2Fpcm9zIEtFSzAeFw0yMzA5MjUxOTQ4NDVaFw0zMzA5 +MjIxOTQ4NDVaMBUxEzARBgNVBAMMCkthaXJvcyBLRUswggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCapyZdRd6TFgnrJJtYYUAgfCfFSzpRQLorYgqUfaY1 +UnNxlE1ngcBs1GHRQAO7jdYPvL3QiIY+qKoDGJ12/UKs6SpfNHLQtHQ2NrQrVDXF +gt+ttauhsa+T0ll46qDc3H6x9s1jUhGIFZgkmQ+aXj5YFHwjDtoxw5vtJw/p77rj +e4bEs58Fr0ovrlDm2en2kpiVvXSQdWxy1pLBt1QahfZf4jqgQJ13A+oURx7pgyoM +ayvtVjG4lLtkkPm5L5JXImGG03XkjOehckKoQR88oAmhzzDat96i+18dMd3HR2gk +V4/hXQnPPtCffHBV5r26kqe4KojCx9riz3yEylvMMtE5AgMBAAGjUzBRMB0GA1Ud +DgQWBBQ8+vEr6ovmH40ZA5FJiT+zYLBitDAfBgNVHSMEGDAWgBQ8+vEr6ovmH40Z +A5FJiT+zYLBitDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAw +sjmqYzHnQF06SlICMh06obnXSkzf06whvkhl+mWUMBKVtMFR6D3sHs7pznNhMkpY +Fa9j6hY44fjU+6tkQaMccz/KOMDKpJlPmILKuixraYgCV7HcoBmpKE32xwCzEId3 +NZ38JDxRFmijIDtdCUspHxeMn+PpHDhkvBdEK60+bA7BZis9b2qDoiAo6NpxjdVL +kMBVzdGgqGcN6SPNujgy78/N/vndxGRxyN2fscmnvf0qzs1OP696AyTDQ9VZ/4fP +Q/kmLfL9JNu8d4cx1wdgV/20FtMnHhr1Q7f1/Gqr5S2zt3L9WLwnTDOrLd3UZ9wl +wtpRye1107RaagwlTnvh +-----END CERTIFICATE----- 
diff --git a/tests/keys/KEK.der b/tests/keys/KEK.der new file mode 100644 index 0000000000000000000000000000000000000000..1a01f4e3567210bf27e8957491c330560c4c389d GIT binary patch literal 783 zcmXqLV&*nzV*I>-nTe5!Nkqgm+_A}5|MD`kPV+gNdZP`F9D8cO%f_kI=F#?@mywa1 zmBB#NP}o3_jX9KsnTN|eF|#PYSi#%X+dxj7*T~qw(#X`%(!|2VG)kP;7{oP#a&c*E zVpKx5fRUAfxrvdV0q7}?pc+r7*ckea+J$o;7wArm##Vj$m?61?Bms;^AMHjY|n3-+S4lzC2 zbbsyE)eASSpL{8@;?;sXcj`8NJDVIN*daPYWhVcuIJ*du8fCs)hKFarRp)>Ce%Isb zwj-P8v#$5jUl;J~=F4xBW=!2%GNCl5=-Q-%+e4&Uzr{bYTHr9ZocWcAyWGoWEuL)c zw_%1mrtD6c@N=jBq;RFgw#%hYdY&&Va$4aiZ?k}N;dz5w+wU#<9WQHm_qcn8N_hXn zSkCiy7v|R#gg)E5Ytr%^S{;Xu-+FYursY)h8KaAqOw5c7jEjQ}0u5w=VJ^$ZBE}+O z^XsGbtL|s=y^_omJv;3;Cu~UCVjvHaR%Vef5Np7$fFGnln33^63#$P$kU|c2V7vl@ zosq#{ljW*p!{-jMR$f6&MzU55cV74Mxqo?$;y#bmU#U|Jgr;se82G~Wjoi7H=ZX`J zydp%`C%+Q2c=+SW@6{=ei)D)KPgxu|wPdFMjHXk&bh0x$n8G*SSs=Mm!}r^9hRp)) z<)(B0sMrLGWh_>(j^*^$lo#)r|M;bhMamv=7wxrnIeZ7xv~BaVninZ(ytq}^d)0fw zfzY!T7pzF`fov%jzZ$Iz+ zQ%(2NUzOW?%G(XEvnPcA-6D2bT~6w&^Y*WQvQ|IU-Mqc%Z^RyTALG@!cdw-1Q9X1k S@Z{Ul%UhzdcvStW9|8b(97Zw# literal 0 HcmV?d00001 diff --git a/tests/keys/KEK.key b/tests/keys/KEK.key new file mode 100644 index 0000000000..7cc3981cd1 --- /dev/null +++ b/tests/keys/KEK.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCapyZdRd6TFgnr +JJtYYUAgfCfFSzpRQLorYgqUfaY1UnNxlE1ngcBs1GHRQAO7jdYPvL3QiIY+qKoD +GJ12/UKs6SpfNHLQtHQ2NrQrVDXFgt+ttauhsa+T0ll46qDc3H6x9s1jUhGIFZgk +mQ+aXj5YFHwjDtoxw5vtJw/p77rje4bEs58Fr0ovrlDm2en2kpiVvXSQdWxy1pLB +t1QahfZf4jqgQJ13A+oURx7pgyoMayvtVjG4lLtkkPm5L5JXImGG03XkjOehckKo +QR88oAmhzzDat96i+18dMd3HR2gkV4/hXQnPPtCffHBV5r26kqe4KojCx9riz3yE +ylvMMtE5AgMBAAECggEAJCuz7VzKEdy1tSl6q9ETDoX7R0mw+hAJetwTXWeF2DLQ +jWACOpM+TjXeKvKt7M/foQ6j1oIX48/O86puKcZSMd7W6i16LRYHmCZzPS8U5H0X +k6lJ2yeTyR8Jjh5SQVXQzA7NOs2XDB0A2I5z98bTDga8gfaXUcxOS8k3D5/iNhHw +oBWjk9MSkxXPDS67mFOZGeia+CcG/k3r/GXrakBj8Iq183X0GH53VJr+y6DLXJax +tHdg0mio57HFvG7LvzODy25Ymr/r8RFIuSqrCEjgeQQt/oERqVToZDFB0pELgSK/ +A1JuPvPWT2CXPymXHl9uBJvNQS1eaoI+wKZ0ui7BgQKBgQDZpo6fdMR88Z9RDLgk +E6PfVNxq4KHIVtSErpGYKVx56CIVrhOu9Jk66kJq7eQma6UCUZd6qHMx9CG/ligZ +yk4u51kDM2btqRdtsnXbKiqONcoorn6E8UZHSJxDBrRSAUIruaJC+zxwACVtwasz +4Pc5HNvqFGqpMi7ujs8rP1/hZwKBgQC15v3sKv54KZwOxEGxdabRE/T/hQmiasG/ +34qdNV/DRDLxIpyBPbKR/EjJyNsFzzySLG2oeDCUY7JX1B9iZ24RgT8OmTka0nSW +yi4RhH99hzLglDCHe55Zrr6oDK9xwhxWKIHU98hNVCKGDptd5HQ140sdZTwQsJ26 +RYbbj/j0XwKBgQCQjEpqYj1gkYPyaxUceKK73vsoTBmGGQy5NcriGI4fNGj2pw7R +ggcGFrCXnXiJf7IuEQweXSNsSKvlNo9ZWX+FLQZz1r6EFmnF4+Db9mwe2GBzljfW +iPrYusN0zE4TrFxK99Vo0Lw50g8JjrbqFH18Q8tV8ctIpVh//P5fxY4i/wKBgDhk +2shDNA1Q6R7y3WMFFKixRT2Ko0gFTPgNd83xZDUHibuUfWzcEeaMjoxwhuawLxkq +SPz39ierGPl9vBUn98nZhhEik7+rC5ZMLCgmKdhi9/UEPF9khd1L/bPf6uybv2k+ +ubGq+CBxOxrQoH5le1nRk9ITNqH9/4hmUb70TbyFAoGAC0w4pJM8R3kaFqKdDVo8 +bD3buojiE0ORPeLdnhe5yc9XaLsM6Ti3MPCeiQ3gZRCuvOlsy4noDnATUXYusNfa +u7WLPO56ne5ewAWWmtywQ/D8IZHWHkNM1n8yHWCZXyZgF7sh1CXsIXOam7F9Syzm +8uZGoFciL4vV9F5x3CBk70M= +-----END PRIVATE KEY----- diff --git a/tests/keys/PK.crt b/tests/keys/PK.crt new file mode 100644 index 0000000000..a37ee5222c --- /dev/null +++ b/tests/keys/PK.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUeKRpRkHvYxAffzrfw90J8MAlTDIwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJS2Fpcm9zIFBLMB4XDTIzMDkyNTE5NDgyOFoXDTMzMDky +MjE5NDgyOFowFDESMBAGA1UEAwwJS2Fpcm9zIFBLMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAqfXx/rkk1TPZTWisQFnhRr5T8t6I7i9zK3DO+URrsg6V +7+5ztM8udc1RUg1VndkZRNMKazgVqH7ZfKHkxUdQc4Xq+EKscywJirtcjsMKVAUt +IEt9M/NeQN+CIEsSgOyEqJZGazcVPpL8Q7x4xcZ4SewJyobS5u+txY9Ei/EA40ih +AxycYmhoUHLLwjtO9O1UKf/6HW3KgkMYpAualrJjd70g0WsV0lFGUCG4rpSEN6Dn +p17zF1y5USCCstgxp3KSMuBFlBFzFChjy6w8v0LUlFADYj6Z83oPOD/2x+UeJui8 +Hxcrgu3VnXVmLoQaggml1EqbW7cu8S3YxlbAH5pQrwIDAQABo1MwUTAdBgNVHQ4E +FgQUHzloQNy/RNHN71Ihn0YaxwhdcrgwHwYDVR0jBBgwFoAUHzloQNy/RNHN71Ih +n0YaxwhdcrgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAASMw +sw9kOeNNhcA4o5MnIG6uqH/4jIMG8UjcqyuNKtH/2eLs/xNCSDIJG0VVuY2y3kzw +GLZmphdxvtvWW6c9A9+mdM/JBi3AeGyIGk2hfFVoFcV/7VuGgphAJcTKY6KXgj7e +F6hjatCCUUYiRkiPL50X5wJQ/COAOe7/5BzeAZhbxNQ9z6IG4StdS31uSE7Vl2Nn +G+V1Gkqmc/6Z3Nkd2iGPiLIiqkDn8Xcincn/f0ybgnOdVljtXlzJm0pN4FrVkdPa +en/HLiMCjKTSWl1wXF3GUZkmCITryJ4O6SWtsuWTqmvohb2QAMqdnybFW7hjzGoG +A0UKl8yqRzdGBa0mHg== +-----END CERTIFICATE----- diff --git a/tests/keys/PK.der b/tests/keys/PK.der new file mode 100644 index 0000000000000000000000000000000000000000..97b65b5c1456d3bb86971b80e4bb9b09244d6a66 GIT binary patch literal 781 zcmXqLV&*hxV*I#(nTe5!Nu**)rkmsYWC8hltNVxVa(+0V>SJWU%f_kI=F#?@mywa1 zmBB#7P{=@ljX9KsnTOLmF|#PYSRugMKu(<3$k@Qr$kfo%#KOoTN}Sgi#5IC)ap-Dd zR6;hMk(GhDiIJZH=prtrCPqevm0v&p+o^KZ_@-~h8i&Y-Zu^2i-RpR#U#wkl?x#!k zCcdff-xY5;uUC3DFo-vF?oCOT%UszOqATid)+~H-)IFfM_0MD5G8h?&+xZkAUE!6O)WyLhNY;#e&Nq?O8R2)54;rWL1RNJLz@7Esfcj^Af@YrJ^ zv&@{NjEsPy(}%46zPt_5{QpZf_f(U!#1igV(>5iS?^U>%EqW=?EkJR{x+yK@3!X2J z`z#)_Gf<&v(+$JrMU#vkxK0r)7STvPy~bw0)0HU!%t>}LKUeWv*nd0zR8H;19(i%? zrngt;mZs^oNHuXTz2Y@Hdb{37-5bZk4#>|6SkJ`F$iTQb*dWkA78v5Pd@N!tBJ!3Q z4tMsuTs-?eNO8WK)Nzj3q8$eEAZcY52?MbP>4;{ThE-uxGK@-X6*b`9OxyXl_K z2Z?QI%ft)!-M$vR+?M(NvXb*B*>n$7