authorNicolas Dechesne <nicolas.dechesne@linaro.org>2016-11-23 22:44:49 +0100
committerNicolas Dechesne <nicolas.dechesne@linaro.org>2016-11-23 22:44:49 +0100
commitcaeeb9b7f5a8bd05877a80ef4f990482ec80d1c5 (patch)
tree47f70d2abddf534045b6ac262dc81f54a32bddb9
parent4ec444d4f929722af2875cb61812625f18cd504e (diff)
signlk: remove unset fields820
Some fields in the certificate's DN might not be set (or might be empty). Newer versions of openssl (e.g. 1.1+) have stricter DN parsing and fail to parse empty (or too short) fields. For example, we can see such errors: 140708458570880:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:crypto/asn1/a_mbstr.c:102:minsize=1 Removing the empty (or short) fields fixes the openssl error, and XBL is still able to authenticate the ELF file. Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
-rw-r--r--signlk.sh4
1 files changed, 2 insertions, 2 deletions
diff --git a/signlk.sh b/signlk.sh
index 8af15ea..36b93f3 100644
--- a/signlk.sh
+++ b/signlk.sh
@@ -154,10 +154,10 @@ echo "basicConstraints=CA:FALSE,pathlen:0" >> $tmp_att_file
echo "keyUsage=digitalSignature" >> $tmp_att_file
openssl version > $tmpdir/days
-openssl req -new -x509 -keyout $tmpdir/root_key.PEM -nodes -newkey rsa:2048 -days 7300 -set_serial 1 -sha256 -subj "/CN=$CN/O=$OU/C=/CN=DRAGONBOARD TEST PKI – NOT SECURE/L=/O=S/ST=/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -out $tmpdir/root_certificate.PEM 2>/dev/null
+openssl req -new -x509 -keyout $tmpdir/root_key.PEM -nodes -newkey rsa:2048 -days 7300 -set_serial 1 -sha256 -subj "/CN=DRAGONBOARD TEST PKI – NOT SECURE/O=S/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -out $tmpdir/root_certificate.PEM 2>/dev/null
openssl x509 -in $tmpdir/root_certificate.PEM -inform PEM -outform DER -out $ROOT 2>/dev/null
openssl genpkey -algorithm RSA -outform PEM -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out $tmpdir/atte_key.PEM 2>/dev/null
-openssl req -new -key $tmpdir/atte_key.PEM -subj "/CN=$CN/O=$OU/C=/CN=DRAGONBOARD TEST PKI – NOT SECURE/L=/O=/ST=/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -days 7300 -out $tmpdir/atte_csr.PEM 2>/dev/null
+openssl req -new -key $tmpdir/atte_key.PEM -subj "/CN=DRAGONBOARD TEST PKI – NOT SECURE/OU=01 0000000000000009 SW_ID/OU=02 0000000000000000 HW_ID" -days 7300 -out $tmpdir/atte_csr.PEM 2>/dev/null
openssl x509 -req -in $tmpdir/atte_csr.PEM -CAkey $tmpdir/root_key.PEM -CA $tmpdir/root_certificate.PEM -days 7300 -set_serial 1 -extfile $tmp_att_file -sha256 -out $tmpdir/atte_cert.PEM 2>/dev/null
openssl x509 -in $tmpdir/atte_cert.PEM -inform PEM -outform DER -out $ATT 2>/dev/null
openssl pkeyutl -sign -inkey $tmpdir/atte_key.PEM -in $CODE -out $SIG 2>/dev/null
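Review bot: Both rewritten `openssl req` lines (the root certificate and the attestation CSR) still discard stderr with `2>/dev/null` and never check the exit status, so exactly the class of failure quoted in the commit message ("string too short") stays invisible and the following `openssl x509` and `openssl pkeyutl` steps run against a certificate or CSR file that was never written, leaving the signing run to fail silently or emit an unusable signature. Keep the diagnostics and fail fast on each step, e.g. end the line with `|| { echo "openssl req failed" >&2; exit 1; }` (or enable `set -e` near the top of the script), and quote the paths: `-out "$tmpdir/atte_csr.PEM"`. The subject strings also still carry a non-ASCII en dash in `DRAGONBOARD TEST PKI – NOT SECURE`; `openssl req` reads `-subj` as ASCII unless `-utf8` is passed, so if a later OpenSSL rejects that field the remedy is `-utf8`, not dropping more fields. If `$CN` and `$OU` are still assigned earlier in the script they are now dead variables worth removing in a follow-up; the script continues past this hunk.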