michaelkuc6/U2FDevice
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Hopefully improved attestation certificate creation README.

Browse Source 
Fixes #3.
This commit is contained in:
Michael Kuc
2019-08-05 13:00:50 +01:00
parent 4ce52d4da3
commit 0ce5793414
1 changed files with 35 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
Readme.AttestationCertificateGeneration.txt → Readme.AttestationCertificateGeneration.md
View File

@@ -7,39 +7,54 @@ https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certifica
d = private key is it 256 bits (32 bytes) d = private key is it 256 bits (32 bytes)
G = generator point - it is part of the curve definition G = generator point - it is part of the curve definition
W = public key point - it is a (256, 256) bits - 64 bytes W = public key point - it is a (256, 256) bits - 64 bytes
1) generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem 1) Generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem
2) dump out the private key in hex format - it will be a 32 byte key `openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem`
openssl asn1parse -in ecprivkey.pem
3) compute the public key from the private key and the curve 2) Dump out the private key in hex format - it will be a 32 byte key
openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem
4) dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04, `openssl asn1parse -in ecprivkey.pem`
openssl ec -in ecprivkey.pem -pubout -text
after that is the point W - 32 byte + 32 byte 3) Compute the public key from the private key and the curve
5) generate a self signed certificate
openssl req -new -x509 -key ecprivkey.pem -out server.pem -days 3650 `openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem`
For the Certificate name give a unique certificate name. There is a 128 bit unique identification number burned into every
Teensy chip - see http://cache.freescale.com/files/32bit/doc/data_sheet/K20P64M72SF1.pdf 4) Dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04,
You can print out the number from your Teensy using this simple program given below
`openssl ec -in ecprivkey.pem -pubout -text`
after that is the point W - 32 byte + 32 byte
5) Generate a self signed certificate
`openssl req -new -x509 -key ecprivkey.pem -out certificate.pem -days 3650`
For the Certificate name give a unique certificate name.
6) Display the certificate 6) Display the certificate
openssl x509 -in server.pem -text -noout
`openssl x509 -in certificate.pem -text -noout`
7) Convert PEM certificate to DER 7) Convert PEM certificate to DER
openssl x509 -outform der -in server.pem -out certificate.der
`openssl x509 -outform der -in certificate.pem -out certificate.der`
8) Generate a usable c-array for source code 8) Generate a usable c-array for source code
xxd --include certificate.pem
`xxd --include certificate.der`
Copy output into appropriate array in 'Certificates.cpp', overwriting existing values Copy output into appropriate array in 'Certificates.cpp', overwriting existing values
9) Repeat steps 7 & 8 for public key and private key 9) Repeat steps 7 & 8 for public key and private key
So: So:
`
```
openssl asn1parse -in ecprivkey.pem 2>/dev/null | grep 'HEX DUMP' | perl -pe 's/^.*\[HEX DUMP\]:(.+)$/$1/' 2>/dev/null | xxd -r -p > privkey.der && xxd --include privkey.der openssl asn1parse -in ecprivkey.pem 2>/dev/null | grep 'HEX DUMP' | perl -pe 's/^.*\[HEX DUMP\]:(.+)$/$1/' 2>/dev/null | xxd -r -p > privkey.der && xxd --include privkey.der
openssl ec -in ecprivkey.pem -pubout -text 2>/dev/null | perl -0777 -ne 'print /pub:.+ASN1/sg' 2>/dev/null | sed -e '/pub:/d;/ASN1/d' | perl -pe 's/^\s+(.+):?$/$1/gm' 2>/dev/null | perl -pe 's/\n//' 2>/dev/null | perl -pe 's/(.{2}):?/$1/g' 2>/dev/null | xxd -r -p > pubkey.der && xxd --include pubkey.der openssl ec -in ecprivkey.pem -pubout -text 2>/dev/null | perl -0777 -ne 'print /pub:.+ASN1/sg' 2>/dev/null | sed -e '/pub:/d;/ASN1/d' | perl -pe 's/^\s+(.+):?$/$1/gm' 2>/dev/null | perl -pe 's/\n//' 2>/dev/null | perl -pe 's/(.{2}):?/$1/g' 2>/dev/null | xxd -r -p > pubkey.der && xxd --include pubkey.der
` ```
and copy the arrays into the correct arrays in Certificates.cpp
and copy the arrays into the correct arrays in Certificates.cpp.
If any arrays have different lengths than shown in Certificates.hpp, update these too. If any arrays have different lengths than shown in Certificates.hpp, update these too.