Google Git
Sign in
coral / a71ch-crypto-support / 8dc1f1434da50a4b7361d651239c1f3f4f8cc25b / . / sss / plugin / mbedtls / scripts / create_and_provision_ecc_keys.py
blob: 1e7e568c3038a236d273308a7ea2223c3fd3f02e [file] [log] [blame]
#
# Copyright 2019 NXP
# SPDX-License-Identifier: Apache-2.0
#
#
# Create Keys for MbedTLS ALT testing
#
# Preconditions
# - Openssl installed
#
import os
import sys
import logging
import re
import subprocess
import os.path
from util import *
import sss.sss_api as apis
PycliKeyTypeMap = {
'prime192v1':'NIST_P192',
'secp224r1':'NIST_P224',
'prime256v1':'NIST_P256',
'secp384r1':'NIST_P384',
'secp521r1':'NIST_P521',
'brainpoolP256r1':'Brainpool256',
'brainpoolP384r1':'Brainpool384',
'brainpoolP512r1':'Brainpool512',
'secp192k1':'Secp192k1',
'secp224k1':'Secp224k1',
'secp256k1':'Secp256k1',
}
CLIENT_CERT_KEY_ID = 0x20181002
CLIENT_KEY_PAIR_ID = 0x20181001
ROOT_CA_PUB_KEY_ID = 0x7DCCBB22
def run(cmd_str, ignore_result=0, exp_retcode=0):
print("Running command: %s" %cmd_str)
pipes = subprocess.Popen(
cmd_str,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True,
)
std_out, std_err = pipes.communicate()
std_out = std_out.strip()
std_err = std_err.strip()
if not ignore_result:
if pipes.returncode != exp_retcode:
print("Command execution failed.")
else:
print("Command execution was successful.")
assert pipes.returncode == exp_retcode
def printUsage():
print('Invalid input argument')
print('Run as - create_and_provision_ecc_keys.py <keyType> <connection_type> <connection_string> <iot_se (optional. Default - se05x)> <auth (optional. Default - None)> <auth_key>')
print('supported key types -')
print(ecc_types)
print('supported auth types -')
print(auth_types)
print('Example invocation - create_and_provision_ecc_keys.py prime256v1 jrcpv2 127.0.0.1:8050')
print('Example invocation - create_and_provision_ecc_keys.py prime256v1 vcom COM1 a71ch')
print('Example invocation - create_and_provision_ecc_keys.py prime256v1 t1oi2c none se05x PlatformSCP')
print('Example invocation - create_and_provision_ecc_keys.py prime256v1 sci2c none a71ch')
sys.exit()
print (len(sys.argv))
if len(sys.argv) < 4:
printUsage()
cur_dir = os.path.abspath(os.path.dirname(__file__))
keytype = sys.argv[1]
if isValidECKeyType(keytype) != True:
printUsage()
connection_type = sys.argv[2];
connection_string = sys.argv[3];
iot_se = 'se05x'
if len(sys.argv) > 4:
iot_se = sys.argv[4]
auth_type = "None"
if len(sys.argv) > 5:
auth_type = sys.argv[5]
auth_key = "None"
if len(sys.argv) > 6:
auth_key = sys.argv[6]
if iot_se == "a71ch":
if keytype != "prime256v1":
print('Only prime256v1 is supported with a71ch')
sys.exit()
if os.path.isdir(os.path.join(cur_dir, '..', 'keys', keytype)) == False:
os.mkdir(os.path.join(cur_dir, '..', 'keys', keytype))
KEY_TYPE_FILE_NAME = keytype + '.pem'
KEY_TYPE_FILE = os.path.join(cur_dir, '..', 'keys', keytype, KEY_TYPE_FILE_NAME)
ROOT_CA_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.cer')
ROOT_CA_SRL = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.srl')
ROOT_CA_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.pem')
ROOT_CA_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_pub_key.pem')
ROOT_CA_KEY_DER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.der')
CLIENT_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.pem')
CLIENT_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key_pub.pem')
CLIENT_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.cer')
SERVER_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.pem')
SERVER_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.csr')
SERVER_CERTIFICATE = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer')
openssl_config_file = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'ssl', 'openssl.cnf')
if sys.platform.startswith("win"):
openssl = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'bin', 'openssl.exe')
os.environ['OPENSSL_CONF'] = openssl_config_file
else:
openssl = 'openssl'
SUBJECT = "/C=AB/ST=XY/L=LH/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost"
cmd_str = "\"%s\" ecparam -name \"%s\" -out \"%s\"" % (openssl, keytype, KEY_TYPE_FILE)
run(cmd_str)
cmd_str = "\"%s\" ecparam -in \"%s\" -genkey -noout -out \"%s\"" % (openssl, KEY_TYPE_FILE, ROOT_CA_KEY_PEM)
run(cmd_str)
cmd_str = "\"%s\" ec -in \"%s\" -text -noout" % (openssl, ROOT_CA_KEY_PEM)
run(cmd_str)
cmd_str = "\"%s\" ec -in \"%s\" -outform DER -out \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_KEY_DER)
run(cmd_str)
cmd_str = "\"%s\" ec -in \"%s\" -pubout -out \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_KEY_PUBLIC_PEM)
run(cmd_str)
#create CA certificates
cmd_str = "\"%s\" req -x509 -new -nodes -key \"%s\" -subj \"%s\" -days 2800 -out \"%s\" -config \"%s\"" % (openssl, ROOT_CA_KEY_PEM, SUBJECT, ROOT_CA_CER, openssl_config_file)
run(cmd_str)
cmd_str = "\"%s\" x509 -in \"%s\" -text -noout" % (openssl, ROOT_CA_CER)
run(cmd_str)
#Create client key and extract public part
cmd_str = "\"%s\" ecparam -in \"%s\" -genkey -out \"%s\"" % (openssl, KEY_TYPE_FILE, CLIENT_KEY_PEM)
run(cmd_str)
cmd_str = "\"%s\" ec -in \"%s\" -text -noout" % (openssl, CLIENT_KEY_PEM)
run(cmd_str)
cmd_str = "\"%s\" ec -in \"%s\" -pubout -out \"%s\"" % (openssl, CLIENT_KEY_PEM, CLIENT_KEY_PUBLIC_PEM)
run(cmd_str)
#Now create CSR
cmd_str = "\"%s\" req -new -key \"%s\" -subj \"%s\" -out \"%s\" -config \"%s\"" % (openssl, CLIENT_KEY_PEM, SUBJECT, CLIENT_CER, openssl_config_file)
run(cmd_str)
cmd_str = "\"%s\" req -in \"%s\" -text -config \"%s\"" % (openssl, CLIENT_CER, openssl_config_file)
run(cmd_str)
#Create CA signed client certificate
if os.path.isfile(ROOT_CA_SRL) == True:
cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, CLIENT_CER, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, CLIENT_CER)
else:
cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CAcreateserial -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, CLIENT_CER, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, CLIENT_CER)
run(cmd_str)
cmd_str = "\"%s\" x509 -in \"%s\" -text -noout" % (openssl, CLIENT_CER)
run(cmd_str)
#Create server key
cmd_str = "\"%s\" ecparam -in \"%s\" -genkey -out \"%s\"" % (openssl, KEY_TYPE_FILE, SERVER_KEY_PEM)
run(cmd_str)
cmd_str = "\"%s\" ec -in \"%s\" -text -noout" % (openssl, SERVER_KEY_PEM)
run(cmd_str)
#Create CSR a new
cmd_str = "\"%s\" req -new -key \"%s\" -subj \"%s\" -out \"%s\" -config \"%s\"" % (openssl, SERVER_KEY_PEM, SUBJECT, SERVER_CSR, openssl_config_file)
run(cmd_str)
cmd_str = "\"%s\" req -in \"%s\" -text -noout -config \"%s\"" % (openssl, SERVER_CSR, openssl_config_file)
run(cmd_str)
#Create a CA signed server certificate
if os.path.isfile(ROOT_CA_SRL) == True:
cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, SERVER_CSR, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, SERVER_CERTIFICATE)
else:
cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CAcreateserial -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, SERVER_CSR, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, SERVER_CERTIFICATE)
run(cmd_str)
cmd_str = "\"%s\" x509 -in \"%s\" -text -noout" % (openssl, SERVER_CERTIFICATE)
run(cmd_str)
#Provision the keys
session_close(None)
session = session_open(iot_se, connection_string, connection_type, auth_type, auth_key)
if session is None:
print("Error in session_open")
sys.exit()
reset(session)
# Inject client certificate to the Secure Element
status = set_cert(session, CLIENT_CERT_KEY_ID, CLIENT_CER)
if status != apis.kStatus_SSS_Success:
print("Error in set_cert")
# Inject root ca public key to the Secure Element
status = set_ecc_pub(session, ROOT_CA_PUB_KEY_ID, ROOT_CA_KEY_PUBLIC_PEM)
if status != apis.kStatus_SSS_Success:
print("Error in set_ecc_pub")
# Inject client ecc pair key to the Secure Element
status = set_ecc_pair(session, CLIENT_KEY_PAIR_ID, CLIENT_KEY_PEM)
if status != apis.kStatus_SSS_Success:
print("Error in set_ecc_pair")
session_close(None)