Hopefully improved attestation certificate creation README.

Fixes #3.
2019-08-05 13:00:50 +01:00
parent f3fa1d29ba
commit 4ffdeb3eda

@@ -7,39 +7,54 @@ https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certifica
d = private key is it 256 bits (32 bytes) d = private key is it 256 bits (32 bytes)
G = generator point - it is part of the curve definition G = generator point - it is part of the curve definition
W = public key point - it is a (256, 256) bits - 64 bytes W = public key point - it is a (256, 256) bits - 64 bytes
1) generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem 1) Generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem
2) dump out the private key in hex format - it will be a 32 byte key `openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem`
openssl asn1parse -in ecprivkey.pem
3) compute the public key from the private key and the curve 2) Dump out the private key in hex format - it will be a 32 byte key
openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem
4) dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04, `openssl asn1parse -in ecprivkey.pem`
openssl ec -in ecprivkey.pem -pubout -text
3) Compute the public key from the private key and the curve
`openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem`
4) Dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04,
`openssl ec -in ecprivkey.pem -pubout -text`
after that is the point W - 32 byte + 32 byte after that is the point W - 32 byte + 32 byte
5) generate a self signed certificate
openssl req -new -x509 -key ecprivkey.pem -out server.pem -days 3650 5) Generate a self signed certificate
For the Certificate name give a unique certificate name. There is a 128 bit unique identification number burned into every
Teensy chip - see http://cache.freescale.com/files/32bit/doc/data_sheet/K20P64M72SF1.pdf `openssl req -new -x509 -key ecprivkey.pem -out certificate.pem -days 3650`
You can print out the number from your Teensy using this simple program given below
For the Certificate name give a unique certificate name.
6) Display the certificate 6) Display the certificate
openssl x509 -in server.pem -text -noout
`openssl x509 -in certificate.pem -text -noout`
7) Convert PEM certificate to DER 7) Convert PEM certificate to DER
openssl x509 -outform der -in server.pem -out certificate.der
`openssl x509 -outform der -in certificate.pem -out certificate.der`
8) Generate a usable c-array for source code 8) Generate a usable c-array for source code
xxd --include certificate.pem
`xxd --include certificate.der`
Copy output into appropriate array in 'Certificates.cpp', overwriting existing values Copy output into appropriate array in 'Certificates.cpp', overwriting existing values
9) Repeat steps 7 & 8 for public key and private key 9) Repeat steps 7 & 8 for public key and private key
So: So:
`
```
openssl asn1parse -in ecprivkey.pem 2>/dev/null | grep 'HEX DUMP' | perl -pe 's/^.*\[HEX DUMP\]:(.+)$/$1/' 2>/dev/null | xxd -r -p > privkey.der && xxd --include privkey.der openssl asn1parse -in ecprivkey.pem 2>/dev/null | grep 'HEX DUMP' | perl -pe 's/^.*\[HEX DUMP\]:(.+)$/$1/' 2>/dev/null | xxd -r -p > privkey.der && xxd --include privkey.der
openssl ec -in ecprivkey.pem -pubout -text 2>/dev/null | perl -0777 -ne 'print /pub:.+ASN1/sg' 2>/dev/null | sed -e '/pub:/d;/ASN1/d' | perl -pe 's/^\s+(.+):?$/$1/gm' 2>/dev/null | perl -pe 's/\n//' 2>/dev/null | perl -pe 's/(.{2}):?/$1/g' 2>/dev/null | xxd -r -p > pubkey.der && xxd --include pubkey.der openssl ec -in ecprivkey.pem -pubout -text 2>/dev/null | perl -0777 -ne 'print /pub:.+ASN1/sg' 2>/dev/null | sed -e '/pub:/d;/ASN1/d' | perl -pe 's/^\s+(.+):?$/$1/gm' 2>/dev/null | perl -pe 's/\n//' 2>/dev/null | perl -pe 's/(.{2}):?/$1/g' 2>/dev/null | xxd -r -p > pubkey.der && xxd --include pubkey.der
` ```
and copy the arrays into the correct arrays in Certificates.cpp
and copy the arrays into the correct arrays in Certificates.cpp.
If any arrays have different lengths than shown in Certificates.hpp, update these too. If any arrays have different lengths than shown in Certificates.hpp, update these too.
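Review bot: The two one-liners under "So:" hide every failure, because each stage redirects stderr with `2>/dev/null` and the `&&` only tests the exit status of the final `xxd -r -p`. If `openssl` cannot read ecprivkey.pem, or its text output changes so the `grep 'HEX DUMP'` or `/pub:.+ASN1/` match finds nothing, the result is an empty privkey.der or pubkey.der and `xxd --include` still prints an array to paste. I would drop the redirects (or run under `set -o pipefail`) and have the README tell the reader to confirm the private key array is the 32 bytes stated at the top before copying it. Step 9 also still reads "Repeat steps 7 & 8 for public key and private key", but step 7's `openssl x509 -outform der` does not apply to keys; it should point at the commands below instead. Finally, since these steps leave ecprivkey.pem and privkey.der on disk unencrypted and paste the private key into Certificates.cpp, a sentence telling readers to keep those files and the edited source out of version control would be worth adding.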