author | Nicolas Dechesne <nicolas.dechesne@linaro.org> | 2016-11-23 22:44:49 +0100 |
committer | Nicolas Dechesne <nicolas.dechesne@linaro.org> | 2016-11-23 22:44:49 +0100 |
commit | caeeb9b7f5a8bd05877a80ef4f990482ec80d1c5 (patch) | |
tree | 47f70d2abddf534045b6ac262dc81f54a32bddb9 | |
parent | 4ec444d4f929722af2875cb61812625f18cd504e (diff) |
signlk: remove unset fields
Some fields in the certificate's DN might not be set (or might be empty). Newer
versions of openssl (e.g. 1.1+) have stricter DN parsing and fail to parse
empty (or too short) fields. For example, we can see such errors:
140708458570880:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string
too short:crypto/asn1/a_mbstr.c:102:minsize=1
Removing the empty (or short) fields fixes the openssl error, and XBL is still
able to authenticate the ELF file.
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
-rw-r--r-- | signlk.sh | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -154,10 +154,10 @@
 echo "basicConstraints=CA:FALSE,pathlen:0" >> $tmp_att_file
 echo "keyUsage=digitalSignature" >> $tmp_att_file
 openssl version > $tmpdir/days
-openssl req -new -x509 -keyout $tmpdir/root_key.PEM -nodes -newkey rsa:2048 -days 7300 -set_serial 1 -sha256 -subj "/CN=$CN/O=$OU/C=/CN=DRAGONBOARD TEST PKI – NOT SECURE/L=/O=S/ST=/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -out $tmpdir/root_certificate.PEM 2>/dev/null
+openssl req -new -x509 -keyout $tmpdir/root_key.PEM -nodes -newkey rsa:2048 -days 7300 -set_serial 1 -sha256 -subj "/CN=DRAGONBOARD TEST PKI – NOT SECURE/O=S/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -out $tmpdir/root_certificate.PEM 2>/dev/null
 openssl x509 -in $tmpdir/root_certificate.PEM -inform PEM -outform DER -out $ROOT 2>/dev/null
 openssl genpkey -algorithm RSA -outform PEM -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out $tmpdir/atte_key.PEM 2>/dev/null
-openssl req -new -key $tmpdir/atte_key.PEM -subj "/CN=$CN/O=$OU/C=/CN=DRAGONBOARD TEST PKI – NOT SECURE/L=/O=/ST=/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -days 7300 -out $tmpdir/atte_csr.PEM 2>/dev/null
+openssl req -new -key $tmpdir/atte_key.PEM -subj "/CN=DRAGONBOARD TEST PKI – NOT SECURE/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -days 7300 -out $tmpdir/atte_csr.PEM 2>/dev/null
 openssl x509 -req -in $tmpdir/atte_csr.PEM -CAkey $tmpdir/root_key.PEM -CA $tmpdir/root_certificate.PEM -days 7300 -set_serial 1 -extfile $tmp_att_file -sha256 -out $tmpdir/atte_cert.PEM 2>/dev/null
 openssl x509 -in $tmpdir/atte_cert.PEM -inform PEM -outform DER -out $ATT 2>/dev/null
 openssl pkeyutl -sign -inkey $tmpdir/atte_key.PEM -in $CODE -out $SIG 2>/dev/null
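Review bot: Both new `openssl req` lines still end in `2>/dev/null` and their exit status is never checked, so a DN-parsing failure like the one this commit fixes would be silent and the later `openssl x509 -req` and `openssl pkeyutl -sign` steps would run against a missing or stale certificate; at minimum fail fast, e.g. `openssl req -new -key $tmpdir/atte_key.PEM ... -out $tmpdir/atte_csr.PEM || { echo "CSR generation failed" >&2; exit 1; }`. The new subjects also hard-code the DN and no longer reference `$CN` and `$OU`; if those are still set from script options elsewhere they are now dead, and keeping them only when non-empty, `-subj "${CN:+/CN=$CN}${OU:+/O=$OU}/CN=DRAGONBOARD TEST PKI – NOT SECURE/..."`, would satisfy the stricter parser without dropping the feature. Separately, the self-signed root and the attestation certificate it issues both use `-set_serial 1`, giving two certificates with the same issuer DN and serial; XBL may not mind, but standard X.509 validators treat (issuer, serial) as unique, so `-set_serial 2` on the `openssl x509 -req` line avoids the ambiguity. The rest of signlk.sh, including wherever `$CN`/`$OU` are defined, lies outside the hunk.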