Date: Thu, 26 Feb 2015 09:31:25 +0000 (UTC) From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r279317 - in head: etc/mtree share/examples share/examples/uefisign Message-ID: <201502260931.t1Q9VPBY084521@svn.freebsd.org>
Author: trasz Date: Thu Feb 26 09:31:25 2015 New Revision: 279317 URL: https://svnweb.freebsd.org/changeset/base/279317 Log: Add key/cert generation script for uefisign(8). (Forgot about Relnotes in the commit that added uefisign(8), so set it here.) MFC after: 1 month Relnotes: yes Sponsored by: The FreeBSD Foundation Added: head/share/examples/uefisign/ head/share/examples/uefisign/uefikeys (contents, props changed) Modified: head/etc/mtree/BSD.usr.dist head/share/examples/Makefile Modified: head/etc/mtree/BSD.usr.dist ============================================================================== --- head/etc/mtree/BSD.usr.dist Thu Feb 26 09:16:36 2015 (r279316) +++ head/etc/mtree/BSD.usr.dist Thu Feb 26 09:31:25 2015 (r279317) @@ -415,6 +415,8 @@ .. tcsh .. + uefisign + .. .. games fortune Modified: head/share/examples/Makefile ============================================================================== --- head/share/examples/Makefile Thu Feb 26 09:16:36 2015 (r279316) +++ head/share/examples/Makefile Thu Feb 26 09:31:25 2015 (r279317) @@ -27,7 +27,8 @@ LDIRS= BSD_daemon \ printing \ ses \ scsi_target \ - sunrpc + sunrpc \ + uefisign XFILES= BSD_daemon/FreeBSD.pfa \ BSD_daemon/README \ @@ -181,7 +182,8 @@ XFILES= BSD_daemon/FreeBSD.pfa \ sunrpc/sort/Makefile \ sunrpc/sort/rsort.c \ sunrpc/sort/sort.x \ - sunrpc/sort/sort_proc.c + sunrpc/sort/sort_proc.c \ + uefisign/uefikeys BINDIR= ${SHAREDIR}/examples Added: head/share/examples/uefisign/uefikeys ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/examples/uefisign/uefikeys Thu Feb 26 09:31:25 2015 (r279317) 
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# See uefisign(8) manual page for usage instructions.
+#
+# $FreeBSD$
+#
+
+die() {
+	echo "$*" > /dev/stderr
+	exit 1
+}
+
+if [ $# -ne 1 ]; then
+	echo "usage: $0 common-name"
+	exit 1
+fi
+
+certfile="${1}.pem"
+efifile="${1}.cer"
+keyfile="${1}.key"
+p12file="${1}.p12"
+# XXX: Set this to ten years; we don't want system to suddenly stop booting
+# due to certificate expiration. Better way would be to use Authenticode
+# Timestamp. That said, the rumor is UEFI implementations ignore it anyway.
+days="3650"
+subj="/CN=${1}"
+
+[ ! -e "${certfile}" ] || die "${certfile} already exists"
+[ ! -e "${efifile}" ] || die "${efifile} already exists"
+[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
+[ ! -e "${p12file}" ] || die "${p12file} already exists"
+
+umask 077 || die "umask 077 failed"
+
+openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
+openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
+openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
+openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed"
+
+echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}"
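Review bot: The common-name argument is used unvalidated both as the stem of four output paths (`certfile="${1}.pem"` etc.) and inside the OpenSSL subject string (`subj="/CN=${1}"`), so a value containing `/` silently becomes a directory component for the files and, in `-subj`, is parsed by openssl req as an additional RDN rather than as part of the CN. Since the only check on the argument is the `$# -ne 1` count, I would reject such names up front, right after the usage check: `case "$1" in ''|*/*) die "common-name must be non-empty and must not contain '/'" ;; esac`. Two smaller points: `die()` could write with `>&2` instead of `> /dev/stderr`, which is more portable, and the `2> /dev/null` on the `openssl genrsa` line discards the very diagnostic the user needs when the following `die "openssl genrsa failed"` fires.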