Add key/cert generation script for uefisign(8).

(Forgot about Relnotes in the commit that added uefisign(8), so set it here.) MFC after: 1 month Relnotes: yes Sponsored by: The FreeBSD Foundation
svn path=/head/; revision=279317
2015-02-26 09:31:25 +00:00 · 2015-02-26 09:31:25 +00:00 · 12fe6c356b · 2020-12-20 02:59:44 +00:00
commit 12fe6c356b
parent d66023a059
3 changed files with 46 additions and 2 deletions
--- a/etc/mtree/BSD.usr.dist
+++ b/etc/mtree/BSD.usr.dist
@ -415,6 +415,8 @@
            ..
            tcsh
            ..
+            uefisign
+            ..
        ..
        games
            fortune
--- a/share/examples/Makefile
+++ b/share/examples/Makefile
@ -27,7 +27,8 @@ LDIRS=	BSD_daemon \
 	printing \
 	ses \
 	scsi_target \
-	sunrpc
+	sunrpc \
+	uefisign

 XFILES=	BSD_daemon/FreeBSD.pfa \
 	BSD_daemon/README \
@ -181,7 +182,8 @@ XFILES=	BSD_daemon/FreeBSD.pfa \
 	sunrpc/sort/Makefile \
 	sunrpc/sort/rsort.c \
 	sunrpc/sort/sort.x \
-	sunrpc/sort/sort_proc.c
+	sunrpc/sort/sort_proc.c \
+	uefisign/uefikeys

 BINDIR= ${SHAREDIR}/examples

--- a/share/examples/uefisign/uefikeys
+++ b/share/examples/uefisign/uefikeys
@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# See uefisign(8) manual page for usage instructions.
+#
+# $FreeBSD$
+#
+
+die() {
+	echo "$*" > /dev/stderr
+	exit 1
+}
+
+if [ $# -ne 1 ]; then
+	echo "usage: $0 common-name"
+	exit 1
+fi
+
+certfile="${1}.pem"
+efifile="${1}.cer"
+keyfile="${1}.key"
+p12file="${1}.p12"
+# XXX: Set this to ten years; we don't want system to suddenly stop booting
+#      due to certificate expiration.  Better way would be to use Authenticode
+#      Timestamp.  That said, the rumor is UEFI implementations ignore it anyway.
+days="3650"
+subj="/CN=${1}"
+
+[ ! -e "${certfile}" ] || die "${certfile} already exists"
+[ ! -e "${efifile}" ] || die "${efifile} already exists"
+[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
+[ ! -e "${p12file}" ] || die "${p12file} already exists"
+
+umask 077 || die "umask 077 failed"
+
+openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
+openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
+openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
+openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed"
+
+echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}"