From 4b0ddc65aebed03af46669fd7f0500802aff411e Mon Sep 17 00:00:00 2001
From: Edward Tomasz Napierala
Date: Fri, 15 May 2015 15:10:34 +0000
Subject: [PATCH] MFC r279317: Add key/cert generation script for uefisign(8).
Sponsored by: The FreeBSD Foundation
---
 etc/mtree/BSD.usr.dist | 2 ++
 share/examples/Makefile | 6 +++--
 share/examples/uefisign/uefikeys | 40 ++++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100755 share/examples/uefisign/uefikeys
diff --git a/etc/mtree/BSD.usr.dist b/etc/mtree/BSD.usr.dist
index 6bdb88c06672..723845bdfc40 100644
--- a/etc/mtree/BSD.usr.dist
+++ b/etc/mtree/BSD.usr.dist
@@ -409,6 +409,8 @@
 ..
 tcsh
 ..
+ uefisign
+ ..
 ..
 games
 fortune
diff --git a/share/examples/Makefile b/share/examples/Makefile
index 00951d9e0c33..9d71e7a0b82d 100644
--- a/share/examples/Makefile
+++ b/share/examples/Makefile
@@ -27,7 +27,8 @@ LDIRS= BSD_daemon \
 printing \
 ses \
 scsi_target \
- sunrpc
+ sunrpc \
+ uefisign
 
 XFILES= BSD_daemon/FreeBSD.pfa \
 BSD_daemon/README \
@@ -181,7 +182,8 @@ XFILES= BSD_daemon/FreeBSD.pfa \
 sunrpc/sort/Makefile \
 sunrpc/sort/rsort.c \
 sunrpc/sort/sort.x \
- sunrpc/sort/sort_proc.c
+ sunrpc/sort/sort_proc.c \
+ uefisign/uefikeys
 
 BINDIR= ${SHAREDIR}/examples
 
diff --git a/share/examples/uefisign/uefikeys b/share/examples/uefisign/uefikeys
new file mode 100755
index 000000000000..5f9171bc1d21
--- /dev/null
+++ b/share/examples/uefisign/uefikeys
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# See uefisign(8) manual page for usage instructions.
+#
+# $FreeBSD$
+#
+
+die() {
+ echo "$*" > /dev/stderr
+ exit 1
+}
+
+if [ $# -ne 1 ]; then
+ echo "usage: $0 common-name"
+ exit 1
+fi
+
+certfile="${1}.pem"
+efifile="${1}.cer"
+keyfile="${1}.key"
+p12file="${1}.p12"
+# XXX: Set this to ten years; we don't want system to suddenly stop booting
+# due to certificate expiration. Better way would be to use Authenticode
+# Timestamp. That said, the rumor is UEFI implementations ignore it anyway.
+days="3650"
+subj="/CN=${1}"
+
+[ ! -e "${certfile}" ] || die "${certfile} already exists"
+[ ! -e "${efifile}" ] || die "${efifile} already exists"
+[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
+[ ! -e "${p12file}" ] || die "${p12file} already exists"
+
+umask 077 || die "umask 077 failed"
+
+openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
+openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
+openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
+openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed"
+
+echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}"
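Review bot: The common name in `$1` is interpolated unvalidated into both the four output filenames and the `-subj "/CN=${1}"` string, so a name containing `/` is treated by `openssl req -subj` as a field separator rather than as part of the CN, and at the same time sends `${1}.pem` and friends into another directory, which the `[ ! -e ... ]` guards then check only as composed paths; rejecting such names right after the argument-count check keeps the subject and file set predictable: `case "$1" in ""|*/*) die "common-name must not be empty or contain '/'" ;; esac`. In die(), `echo "$*" > /dev/stderr` should be `echo "$*" >&2`, which also works where /dev/stderr is not available (for example a chroot without devfs), and the usage message on the line after `if [ $# -ne 1 ]` should go to stderr the same way. The `2> /dev/null` on the `openssl genrsa` line discards the only diagnostic OpenSSL prints when key generation fails, leaving just the generic "openssl genrsa failed" message; dropping the redirect would make that failure debuggable. Since the .p12 is exported with `-password 'pass:'` and the .key is written unencrypted, the header comment should state that both files hold unprotected private key material whose confidentiality rests solely on the 0600 mode from `umask 077`, so they must not be copied or committed without that protection in mind.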