michaelkuc6/U2FDevice
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
android
U2FDevice/Readme.AttestationCertificateGeneration.md
Michael Kuc 152bc721e1 Implemented automated certificate generation. 
Removed existing certificates as private key was shared.
Updated makefile to require certificate generation.
2019-09-10 17:22:58 +01:00

62 lines
2.2 KiB
Markdown
Raw Permalink Blame History

From [Teensy U2F](https://github.com/pratikd650/Teensy_U2F/blob/master/Teensy_U2F.cpp) line 292
Instructions to generate attestation certificate using open ssl
[OpenSSL wiki](https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations)
[Guy Rutenberg](https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certificate-using-openssl/)
P-256 (also secp256r1) EC key pair is W = dG (Note secp256k1 is Koblitz curve - not P256)
d = private key is it 256 bits (32 bytes)
G = generator point - it is part of the curve definition
W = public key point - it is a (256, 256) bits - 64 bytes
1) Generate a key pair - the private key will be saved in PKCS8 format in ecprivkey.pem
`openssl ecparam -name prime256v1 -genkey -noout -out ecprivkey.pem`
2) Dump out the private key in hex format - it will be a 32 byte key
`openssl asn1parse -in ecprivkey.pem`
3) Compute the public key from the private key and the curve
`openssl ec -in ecprivkey.pem -pubout -out ecpubkey.pem`
4) Dump out the public key in hex format - it will be 66 byte - the first two bytes are 00 04,
`openssl ec -in ecprivkey.pem -pubout -text`
after that is the point W - 32 byte + 32 byte
5) Generate a self signed certificate
`openssl req -new -x509 -key ecprivkey.pem -out certificate.pem -days 3650`
For the Certificate name give a unique certificate name.
6) Display the certificate
`openssl x509 -in certificate.pem -text -noout`
7) Convert PEM certificate to DER
`openssl x509 -outform der -in certificate.pem -out certificate.der`
8) Generate a usable c-array for source code
`xxd --include certificate.der | sed -e '0,/{/d;/};/,$d'`
Copy output into appropriate array in 'Certificates.cpp', overwriting existing values
9) Find the public key
`openssl ec -in ecprivkey.pem -pubout -text -noout 2>/dev/null | sed -e '0,/priv:/d;/pub:/,$d' -e 's/\s//g;s/:/, /g' -e 's/^/\t/g;s/\s\+$//g' -e 's/\(\s\)/\10x/g'`
10) Find the private key
`openssl ec -in ecprivkey.pem -pubout -text -noout 2>/dev/null | sed -e '0,/pub:/d;/ASN1/,$d' | sed -e 's/\s//g;s/:/, /g' -e 's/^/\t/g;s/\s\+$//g' -e 's/\(\s\)/\10x/g'`
11)
Copy the arrays into the correct arrays in Certificates.cpp.
If any arrays have different lengths than shown in Certificates.hpp, update these too.
Reference in New Issue View Git Blame Copy Permalink