Implemented automated certificate generation.

Removed existing certificates as private key was shared.
Updated makefile to require certificate generation.
2019-09-09 16:02:03 +01:00
parent 89b4b7d949
commit 152bc721e1
13 changed files with 97 additions and 116 deletions


@@ -1,19 +1,20 @@
From https://github.com/pratikd650/Teensy_U2F/blob/master/Teensy_U2F.cpp line 292
From [Teensy U2F](https://github.com/pratikd650/Teensy_U2F/blob/master/Teensy_U2F.cpp) line 292
Instructions to generate attestation certificate using open ssl
https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certificate-using-openssl/
[OpenSSL wiki](https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations)
[Guy Rutenberg](https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certificate-using-openssl/)
P-256 (also secp256r1) EC key pair is W = dG (Note secp256k1 is Koblitz curve - not P256)
d = private key is it 256 bits (32 bytes)
G = generator point - it is part of the curve definition
W = public key point - it is a (256, 256) bits - 64 bytes
1) Generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
`openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem`
2) Dump out the private key in hex format - it will be a 32 byte key
`openssl asn1parse -in ecprivkey.pem`
`openssl asn1parse -in ecprivkey.pem`
3) Compute the public key from the private key and the curve
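Review bot: step 1 of this hunk says the private key "will be saved in PKCS8 format", but `openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem` writes the traditional SEC1 `-----BEGIN EC PRIVATE KEY-----` PEM, not PKCS#8; the wording should be "SEC1 (EC PRIVATE KEY) PEM", or the step should add `openssl pkcs8 -topk8 -nocrypt -in ecprivkey.pem` if PKCS#8 is really intended. The distinction matters for step 2, because the `asn1parse` layout (which OCTET STRING holds the 32-byte scalar) differs between the two encodings. Minor: "d = private key is it 256 bits (32 bytes)" reads as a typo for "d = private key - it is 256 bits (32 bytes)", and the two identical `openssl asn1parse -in ecprivkey.pem` lines show the only change on that line is formatting, which is fine but worth a glance to confirm nothing was lost.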
@@ -41,20 +42,20 @@ For the Certificate name give a unique certificate name.
8) Generate a usable c-array for source code
`xxd --include certificate.der`
`xxd --include certificate.der | sed -e '0,/{/d;/};/,$d'`
Copy output into appropriate array in 'Certificates.cpp', overwriting existing values
9) Repeat steps 7 & 8 for public key and private key
9) Find the public key
So:
`openssl ec -in ecprivkey.pem -pubout -text -noout 2>/dev/null | sed -e '0,/priv:/d;/pub:/,$d' -e 's/\s//g;s/:/, /g' -e 's/^/\t/g;s/\s\+$//g' -e 's/\(\s\)/\10x/g'`
```
openssl asn1parse -in ecprivkey.pem 2>/dev/null | grep 'HEX DUMP' | perl -pe 's/^.*\[HEX DUMP\]:(.+)$/$1/' 2>/dev/null | xxd -r -p > privkey.der && xxd --include privkey.der
10) Find the private key
openssl ec -in ecprivkey.pem -pubout -text 2>/dev/null | perl -0777 -ne 'print /pub:.+ASN1/sg' 2>/dev/null | sed -e '/pub:/d;/ASN1/d' | perl -pe 's/^\s+(.+):?$/$1/gm' 2>/dev/null | perl -pe 's/\n//' 2>/dev/null | perl -pe 's/(.{2}):?/$1/g' 2>/dev/null | xxd -r -p > pubkey.der && xxd --include pubkey.der
```
`openssl ec -in ecprivkey.pem -pubout -text -noout 2>/dev/null | sed -e '0,/pub:/d;/ASN1/,$d' | sed -e 's/\s//g;s/:/, /g' -e 's/^/\t/g;s/\s\+$//g' -e 's/\(\s\)/\10x/g'`
and copy the arrays into the correct arrays in Certificates.cpp.
11)
Copy the arrays into the correct arrays in Certificates.cpp.
If any arrays have different lengths than shown in Certificates.hpp, update these too.
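Review bot: the step labels and the commands under them do not match as rendered. The pipeline under "9) Find the public key" uses `sed -e '0,/priv:/d;/pub:/,$d'`, which keeps the lines between `priv:` and `pub:` in the `-text` dump, i.e. the private scalar d; the pipeline under "10) Find the private key" uses `sed -e '0,/pub:/d;/ASN1/,$d'`, which keeps the lines between `pub:` and the `ASN1 OID` line, i.e. the public point. Either swap the two headings or swap the commands so a reader does not paste the secret into the public-key array. Two follow-ups for the same lines: the `pub:` dump is the uncompressed SEC1 point, so it yields 65 bytes (a leading `0x04` followed by the 64-byte (x, y) pair described earlier in the file), and the note about updating lengths in Certificates.hpp should say which of the two sizes the array expects; and both commands silence stderr with `2>/dev/null`, so a missing or unreadable `ecprivkey.pem` produces an empty array rather than an error, which is easy to miss when the output is immediately pasted into Certificates.cpp. Finally, "So:" and the bare "11)" line are left dangling around the old fenced block; the step list should be finished or the leftovers removed before merge.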