Removed existing certificates as private key was shared. Updated makefile to require certificate generation.
From Teensy U2F line 292
Instructions to generate an attestation certificate using OpenSSL
References: OpenSSL wiki, Guy Rutenberg
A P-256 (also secp256r1) EC key pair satisfies W = dG (note: secp256k1 is a Koblitz curve, not P-256)
d = private key - it is 256 bits (32 bytes)
G = generator point - it is part of the curve definition
W = public key point - it is a pair of 256-bit coordinates - 64 bytes
- Generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem
- Dump out the private key in hex format - it will be a 32 byte key
openssl asn1parse -in ecprivkey.pem
- Compute the public key from the private key and the curve
openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem
- Dump out the public key in hex format - it will be 66 bytes - the first two bytes are 00 04, after that is the point W - 32 bytes + 32 bytes
openssl ec -in ecprivkey.pem -pubout -text
- Generate a self signed certificate
openssl req -new -x509 -key ecprivkey.pem -out certificate.pem -days 3650
When prompted for the certificate name, give a unique name.
- Display the certificate
openssl x509 -in certificate.pem -text -noout
- Convert PEM certificate to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
- Generate a usable c-array for source code
xxd --include certificate.der | sed -e '0,/{/d;/};/,$d'
Copy output into appropriate array in 'Certificates.cpp', overwriting existing values
- Find the public key (the hex lines between pub: and ASN1 OID in the text dump)
openssl ec -in ecprivkey.pem -pubout -text -noout 2>/dev/null | sed -e '0,/pub:/d;/ASN1/,$d' -e 's/\s//g;s/:/, /g' -e 's/^/\t/g;s/\s\+$//g' -e 's/\(\s\)/\10x/g'
- Find the private key (the hex lines between priv: and pub: in the text dump)
openssl ec -in ecprivkey.pem -pubout -text -noout 2>/dev/null | sed -e '0,/priv:/d;/pub:/,$d' -e 's/\s//g;s/:/, /g' -e 's/^/\t/g;s/\s\+$//g' -e 's/\(\s\)/\10x/g'
Copy these arrays into the matching arrays in Certificates.cpp.
If any array length differs from the one declared in Certificates.hpp, update that too.
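As an added cross-check (example code, not part of the Teensy U2F repository), the relationship W = dG stated at the top can be verified directly on the output of the openssl ec -text command before the arrays are pasted into Certificates.cpp. The Python below uses only the standard library and implements P-256 point arithmetic itself; the function names, the 12-values-per-row layout and the sample dump (a scalar with its top bit set, shown with the leading 00 byte that the text dump adds in that case) are my own constructions, while the curve constants are the standard P-256 parameters. It also normalises the private key to exactly 32 bytes, since the text dump prefixes a 00 byte when the top bit of d is set and omits leading zero bytes, which is one way the pasted array can end up a different length than Certificates.hpp declares.

```python
"""Cross-check of a P-256 attestation key pair from an `openssl ec -text` dump.
Added example, not code from the Teensy U2F project; standard library only. It
parses the priv:/pub: hex blocks the commands above print, recomputes W = dG on
P-256 (secp256r1 / prime256v1) and formats bytes as C array rows in the layout of
the sed pipeline in the instructions. The sample dump at the end is constructed."""
import re

# P-256 domain parameters (FIPS 186-4): field prime p, curve coefficients a, b,
# group order n and generator G.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G = (GX, GY)
INF = None  # point at infinity (group identity)

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition covering the identity, inverse and doubling cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(d, pt):
    """d*pt by double-and-add: fine for an offline check, not constant time."""
    if not 1 <= d < N:
        raise ValueError("private scalar d must be in [1, n-1]")
    acc = INF
    for bit in bin(d)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def parse_openssl_dump(text):
    """Return (d, W) from the priv:/pub: blocks of `openssl ec -text -noout`."""
    def block(name):
        m = re.search(r"^" + name + r":\n((?:[ \t]+[0-9a-fA-F:]+\n)+)", text, re.M)
        if m is None:
            raise ValueError("no %s: block in dump" % name)
        return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group(1)))
    # priv: may carry a leading 00 (top bit set) or drop leading zero bytes, so it
    # is 31 to 33 bytes long; converting to an integer makes that irrelevant.
    d = int.from_bytes(block("priv"), "big")
    pub = block("pub")
    if len(pub) != 65 or pub[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point 04 || X || Y")
    return d, (int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:], "big"))

def check_keypair(text):
    """True if the dumped public point is on the curve and equals d*G."""
    d, W = parse_openssl_dump(text)
    return on_curve(W) and mul(d, G) == W

def private_key_bytes(d):
    """d as exactly 32 bytes, whatever padding the text dump used."""
    return d.to_bytes(32, "big")

def public_key_bytes(W):
    """Uncompressed point 04 || X || Y, 65 bytes (DER's BIT STRING adds a 00 in front)."""
    return b"\x04" + W[0].to_bytes(32, "big") + W[1].to_bytes(32, "big")

def c_array_rows(data, per_row=12):
    """Rows in the sed pipeline's layout: tab, '0x..' values joined by ', ', trailing comma."""
    return "\n".join("\t" + ", ".join("0x%02x" % b for b in data[i:i + per_row]) + ","
                     for i in range(0, len(data), per_row))

def openssl_style(data):
    """Colon-separated lowercase hex, 15 bytes per line, as `openssl ec -text` prints it."""
    lines = []
    for i in range(0, len(data), 15):
        tail = ":" if i + 15 < len(data) else ""
        lines.append("    " + ":".join("%02x" % b for b in data[i:i + 15]) + tail)
    return "\n".join(lines) + "\n"

# Constructed sample: a scalar with its top bit set, dumped with the 00 prefix
# OpenSSL adds in that case (33 bytes), and the matching public point.
SAMPLE_D = (0xC0 << 248) + 0x5EED
SAMPLE_DUMP = ("Private-Key: (256 bit)\npriv:\n"
               + openssl_style(b"\x00" + SAMPLE_D.to_bytes(32, "big"))
               + "pub:\n" + openssl_style(public_key_bytes(mul(SAMPLE_D, G)))
               + "ASN1 OID: prime256v1\nNIST CURVE: P-256\n")
```

To use it on a real key, pass the output of `openssl ec -in ecprivkey.pem -text -noout` to check_keypair; if it returns False, the pub: and priv: blocks do not belong together and the arrays should not be pasted. private_key_bytes and public_key_bytes then give the 32- and 65-byte values whose c_array_rows output matches the length Certificates.hpp expects.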