MFC r279317:
Add key/cert generation script for uefisign(8). Sponsored by: The FreeBSD Foundation
This commit is contained in:
parent
0ba19b5b1c
commit
3e1105b367
@ -409,6 +409,8 @@
|
||||
..
|
||||
tcsh
|
||||
..
|
||||
uefisign
|
||||
..
|
||||
..
|
||||
games
|
||||
fortune
|
||||
|
@ -27,7 +27,8 @@ LDIRS= BSD_daemon \
|
||||
printing \
|
||||
ses \
|
||||
scsi_target \
|
||||
sunrpc
|
||||
sunrpc \
|
||||
uefisign
|
||||
|
||||
XFILES= BSD_daemon/FreeBSD.pfa \
|
||||
BSD_daemon/README \
|
||||
@ -181,7 +182,8 @@ XFILES= BSD_daemon/FreeBSD.pfa \
|
||||
sunrpc/sort/Makefile \
|
||||
sunrpc/sort/rsort.c \
|
||||
sunrpc/sort/sort.x \
|
||||
sunrpc/sort/sort_proc.c
|
||||
sunrpc/sort/sort_proc.c \
|
||||
uefisign/uefikeys
|
||||
|
||||
BINDIR= ${SHAREDIR}/examples
|
||||
|
||||
|
40
share/examples/uefisign/uefikeys
Executable file
40
share/examples/uefisign/uefikeys
Executable file
@ -0,0 +1,40 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# See uefisign(8) manual page for usage instructions.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
die() {
|
||||
echo "$*" > /dev/stderr
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "usage: $0 common-name"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
certfile="${1}.pem"
|
||||
efifile="${1}.cer"
|
||||
keyfile="${1}.key"
|
||||
p12file="${1}.p12"
|
||||
# XXX: Set this to ten years; we don't want system to suddenly stop booting
|
||||
# due to certificate expiration. Better way would be to use Authenticode
|
||||
# Timestamp. That said, the rumor is UEFI implementations ignore it anyway.
|
||||
days="3650"
|
||||
subj="/CN=${1}"
|
||||
|
||||
[ ! -e "${certfile}" ] || die "${certfile} already exists"
|
||||
[ ! -e "${efifile}" ] || die "${efifile} already exists"
|
||||
[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
|
||||
[ ! -e "${p12file}" ] || die "${p12file} already exists"
|
||||
|
||||
umask 077 || die "umask 077 failed"
|
||||
|
||||
openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
|
||||
openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
|
||||
openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
|
||||
openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed"
|
||||
|
||||
echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}"
|
Loading…
Reference in New Issue
Block a user