From owner-svn-src-head@FreeBSD.ORG  Thu Feb 26 09:31:26 2015
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id C50E316E;
 Thu, 26 Feb 2015 09:31:26 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B075279F;
 Thu, 26 Feb 2015 09:31:26 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t1Q9VQqG084524;
 Thu, 26 Feb 2015 09:31:26 GMT (envelope-from trasz@FreeBSD.org)
Received: (from trasz@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id t1Q9VPBY084521;
 Thu, 26 Feb 2015 09:31:25 GMT (envelope-from trasz@FreeBSD.org)
Message-Id: <201502260931.t1Q9VPBY084521@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: trasz set sender to
 trasz@FreeBSD.org using -f
From: Edward Tomasz Napierala <trasz@FreeBSD.org>
Date: Thu, 26 Feb 2015 09:31:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r279317 - in head: etc/mtree share/examples
 share/examples/uefisign
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 09:31:27 -0000

Author: trasz
Date: Thu Feb 26 09:31:25 2015
New Revision: 279317
URL: https://svnweb.freebsd.org/changeset/base/279317

Log:
  Add key/cert generation script for uefisign(8).
  
  (Forgot about Relnotes in the commit that added uefisign(8), so set it here.)
  
  MFC after:	1 month
  Relnotes:	yes
  Sponsored by:	The FreeBSD Foundation

Added:
  head/share/examples/uefisign/
  head/share/examples/uefisign/uefikeys   (contents, props changed)
Modified:
  head/etc/mtree/BSD.usr.dist
  head/share/examples/Makefile

Modified: head/etc/mtree/BSD.usr.dist
==============================================================================
--- head/etc/mtree/BSD.usr.dist	Thu Feb 26 09:16:36 2015	(r279316)
+++ head/etc/mtree/BSD.usr.dist	Thu Feb 26 09:31:25 2015	(r279317)
@@ -415,6 +415,8 @@
             ..
             tcsh
             ..
+            uefisign
+            ..
         ..
         games
             fortune

Modified: head/share/examples/Makefile
==============================================================================
--- head/share/examples/Makefile	Thu Feb 26 09:16:36 2015	(r279316)
+++ head/share/examples/Makefile	Thu Feb 26 09:31:25 2015	(r279317)
@@ -27,7 +27,8 @@ LDIRS=	BSD_daemon \
 	printing \
 	ses \
 	scsi_target \
-	sunrpc
+	sunrpc \
+	uefisign
 
 XFILES=	BSD_daemon/FreeBSD.pfa \
 	BSD_daemon/README \
@@ -181,7 +182,8 @@ XFILES=	BSD_daemon/FreeBSD.pfa \
 	sunrpc/sort/Makefile \
 	sunrpc/sort/rsort.c \
 	sunrpc/sort/sort.x \
-	sunrpc/sort/sort_proc.c
+	sunrpc/sort/sort_proc.c \
+	uefisign/uefikeys
 
 BINDIR= ${SHAREDIR}/examples
 

Added: head/share/examples/uefisign/uefikeys
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/examples/uefisign/uefikeys	Thu Feb 26 09:31:25 2015	(r279317)
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# See uefisign(8) manual page for usage instructions.
+#
+# $FreeBSD$
+#
+
+die() {
+	echo "$*" > /dev/stderr
+	exit 1
+}
+
+if [ $# -ne 1 ]; then
+	echo "usage: $0 common-name"
+	exit 1
+fi
+
+certfile="${1}.pem"
+efifile="${1}.cer"
+keyfile="${1}.key"
+p12file="${1}.p12"
+# XXX: Set this to ten years; we don't want system to suddenly stop booting
+#      due to certificate expiration.  Better way would be to use Authenticode
+#      Timestamp.  That said, the rumor is UEFI implementations ignore it anyway.
+days="3650"
+subj="/CN=${1}"
+
+[ ! -e "${certfile}" ] || die "${certfile} already exists"
+[ ! -e "${efifile}" ] || die "${efifile} already exists"
+[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
+[ ! -e "${p12file}" ] || die "${p12file} already exists"
+
+umask 077 || die "umask 077 failed"
+
+openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
+openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
+openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
+openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed"
+
+echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}"