michaelkuc6/U2FDevice
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Hopefully improved attestation certificate creation README.

Browse Source 
Fixes #3.
This commit is contained in:
Michael Kuc
2019-08-05 13:00:50 +01:00
parent f3fa1d29ba
commit 4ffdeb3eda
1 changed files with 35 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
Readme.AttestationCertificateGeneration.txt → Readme.AttestationCertificateGeneration.md
View File

@@ -7,39 +7,54 @@ https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certifica
d = private key is it 256 bits (32 bytes)
G = generator point - it is part of the curve definition
W = public key point - it is a (256, 256) bits - 64 bytes
1) generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem
2) dump out the private key in hex format - it will be a 32 byte key
openssl asn1parse -in ecprivkey.pem
3) compute the public key from the private key and the curve
openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem
4) dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04,
openssl ec -in ecprivkey.pem -pubout -text
1) Generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
`openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem`
2) Dump out the private key in hex format - it will be a 32 byte key
`openssl asn1parse -in ecprivkey.pem`
3) Compute the public key from the private key and the curve
`openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem`
4) Dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04,
`openssl ec -in ecprivkey.pem -pubout -text`
after that is the point W - 32 byte + 32 byte
5) generate a self signed certificate
openssl req -new -x509 -key ecprivkey.pem -out server.pem -days 3650
For the Certificate name give a unique certificate name. There is a 128 bit unique identification number burned into every
Teensy chip - see http://cache.freescale.com/files/32bit/doc/data_sheet/K20P64M72SF1.pdf
You can print out the number from your Teensy using this simple program given below
5) Generate a self signed certificate
`openssl req -new -x509 -key ecprivkey.pem -out certificate.pem -days 3650`
For the Certificate name give a unique certificate name.
6) Display the certificate
openssl x509 -in server.pem -text -noout
`openssl x509 -in certificate.pem -text -noout`
7) Convert PEM certificate to DER
openssl x509 -outform der -in server.pem -out certificate.der
`openssl x509 -outform der -in certificate.pem -out certificate.der`
8) Generate a usable c-array for source code
xxd --include certificate.pem
`xxd --include certificate.der`
Copy output into appropriate array in 'Certificates.cpp', overwriting existing values
9) Repeat steps 7 & 8 for public key and private key
So:
`
```
openssl asn1parse -in ecprivkey.pem 2>/dev/null | grep 'HEX DUMP' | perl -pe 's/^.*\[HEX DUMP\]:(.+)$/$1/' 2>/dev/null | xxd -r -p > privkey.der && xxd --include privkey.der
openssl ec -in ecprivkey.pem -pubout -text 2>/dev/null | perl -0777 -ne 'print /pub:.+ASN1/sg' 2>/dev/null | sed -e '/pub:/d;/ASN1/d' | perl -pe 's/^\s+(.+):?$/$1/gm' 2>/dev/null | perl -pe 's/\n//' 2>/dev/null | perl -pe 's/(.{2}):?/$1/g' 2>/dev/null | xxd -r -p > pubkey.der && xxd --include pubkey.der
`
and copy the arrays into the correct arrays in Certificates.cpp
```
and copy the arrays into the correct arrays in Certificates.cpp.
If any arrays have different lengths than shown in Certificates.hpp, update these too.