| # |
| # Copyright 2019,2020 NXP |
| # SPDX-License-Identifier: Apache-2.0 |
| # |
| # |
| |
| # Create Keys for MbedTLS ALT testing |
| # |
| # Preconditions |
| # - Openssl installed |
| # |
| |
| import os |
| import sys |
| import logging |
| import re |
| import subprocess |
| import os.path |
| from util import * |
| import sss.sss_api as apis |
| |
| KeyLenMap = { |
| 'rsa2048': 2048, |
| 'rsa3072': 3072, |
| 'rsa4096': 4096, |
| } |
| |
| CLIENT_CERT_KEY_ID = 0x20181002 |
| CLIENT_KEY_PAIR_ID = 0x20181001 |
| ROOT_CA_PUB_KEY_ID = 0x7DCCBB22 |
| |
| def run(cmd_str, ignore_result=0, exp_retcode=0): |
| print("Running command: %s" %cmd_str) |
| pipes = subprocess.Popen( |
| cmd_str, |
| stdout=subprocess.PIPE, |
| stderr=subprocess.PIPE, |
| shell=True, |
| ) |
| std_out, std_err = pipes.communicate() |
| std_out = std_out.strip() |
| std_err = std_err.strip() |
| if not ignore_result: |
| if pipes.returncode != exp_retcode: |
| print("Command execution failed.") |
| else: |
| print("Command execution was successful.") |
| assert pipes.returncode == exp_retcode |
| |
| |
| def printUsage(): |
| print('Invalid input argument') |
| print('Run as - create_and_provision_rsa_keys.py <keyType> <connection_type> <connection_string> <auth (optional. Default - None)> <auth_key>' ) |
| print('supported key types -') |
| print(rsa_types) |
| print('supported auth types -') |
| print(auth_types) |
| print('Example invocation - create_and_provision_rsa_keys.py rsa2048 jrcpv2 127.0.0.1:8050') |
| print('Example invocation - create_and_provision_rsa_keys.py rsa2048 vcom COM1') |
| print('Example invocation - create_and_provision_rsa_keys.py rsa2048 t1oi2c none se05x PlatformSCP') |
| print('Example invocation - create_and_provision_rsa_keys.py rsa2048 sci2c none') |
| sys.exit() |
| |
| |
| if len(sys.argv) < 4: |
| printUsage() |
| |
| cur_dir = os.path.abspath(os.path.dirname(__file__)) |
| |
| keytype = sys.argv[1] |
| if isValidRSAKeyType(keytype) != True: |
| printUsage() |
| |
| connection_type = sys.argv[2]; |
| connection_string = sys.argv[3]; |
| |
| iot_se = 'se05x' |
| |
| auth_type = "None" |
| if len(sys.argv) > 4: |
| auth_type = sys.argv[4] |
| |
| auth_key = "None" |
| if len(sys.argv) > 5: |
| auth_key = sys.argv[5] |
| |
| if os.path.isdir(os.path.join(cur_dir, '..', 'keys', keytype)) == False: |
| os.mkdir(os.path.join(cur_dir, '..', 'keys', keytype)) |
| |
| KEY_TYPE_FILE_NAME = keytype + '.pem' |
| KEY_TYPE_FILE = os.path.join(cur_dir, '..', 'keys', keytype, KEY_TYPE_FILE_NAME) |
| |
| ROOT_CA_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.pem') |
| ROOT_CA_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.cer') |
| ROOT_CA_SRL = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.srl') |
| ROOT_CA_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.pem') |
| ROOT_CA_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_pub_key.pem') |
| ROOT_CA_KEY_DER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.der') |
| |
| CLIENT_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.pem') |
| CLIENT_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key_pub.pem') |
| CLIENT_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.cer') |
| CLIENT_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.csr') |
| CLIENT_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.pem') |
| |
| SERVER_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.pem') |
| SERVER_CERTIFICATE = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer') |
| SERVER_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.csr') |
| SERVER_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.pem') |
| SERVER_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer') |
| |
| if sys.platform.startswith("win"): |
| openssl = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'bin', 'openssl.exe') |
| openssl_config_file = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'ssl', 'openssl.cnf') |
| os.environ['OPENSSL_CONF'] = openssl_config_file |
| else: |
| openssl = 'openssl' |
| |
| SUBJECT = "/C=AB/ST=XY/L=LH/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" |
| KEY_LEN = KeyLenMap[keytype] |
| |
| |
| cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\" " % (openssl, ROOT_CA_KEY_PEM, KEY_LEN) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" req -x509 -new -nodes -key \"%s\" -sha256 -days 1000 -out \"%s\" -subj \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_PEM, SUBJECT) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\" " % (openssl, ROOT_CA_PEM, ROOT_CA_CER) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" x509 -pubkey -noout -in \"%s\" > \"%s\"" % (openssl, ROOT_CA_PEM, ROOT_CA_KEY_PUBLIC_PEM) |
| run(cmd_str) |
| |
| |
| |
| cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\"" % (openssl, CLIENT_KEY_PEM, KEY_LEN) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" req -new -key \"%s\" -out \"%s\" -subj \"%s\" " % (openssl, CLIENT_KEY_PEM, CLIENT_CSR, SUBJECT) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" x509 -req -in \"%s\" -CA \"%s\" -CAkey \"%s\" -CAcreateserial -out \"%s\" -days 1000 -sha256" % (openssl, CLIENT_CSR, ROOT_CA_PEM, ROOT_CA_KEY_PEM, CLIENT_PEM) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\"" % (openssl, CLIENT_PEM, CLIENT_CER) |
| run(cmd_str) |
| |
| |
| cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\"" % (openssl, SERVER_KEY_PEM, KEY_LEN) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" req -new -key \"%s\" -out \"%s\" -subj \"%s\" " % (openssl, SERVER_KEY_PEM, SERVER_CSR, SUBJECT) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" x509 -req -in \"%s\" -CA \"%s\" -CAkey \"%s\" -CAcreateserial -out \"%s\" -days 1000 -sha256" % (openssl, SERVER_CSR, ROOT_CA_PEM, ROOT_CA_KEY_PEM, SERVER_PEM) |
| run(cmd_str) |
| |
| cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\"" % (openssl, SERVER_PEM, SERVER_CER) |
| run(cmd_str) |
| |
| |
| #Provision the keys |
| |
| session_close(None) |
| session = session_open(iot_se, connection_string, connection_type, auth_type, auth_key) |
| if session is None: |
| print("Error in session_open") |
| sys.exit() |
| |
| reset(session) |
| |
| # Inject client certificate to the Secure Element |
| status = set_cert(session, CLIENT_CERT_KEY_ID, CLIENT_PEM) |
| if status != apis.kStatus_SSS_Success: |
| print("Error in set_cert") |
| |
| # Inject root ca public key to the Secure Element |
| status = set_rsa_pub(session, ROOT_CA_PUB_KEY_ID, ROOT_CA_KEY_PUBLIC_PEM) |
| if status != apis.kStatus_SSS_Success: |
| print("Error in set_rsa_pub") |
| |
| # Inject client rsa pair key to the Secure Element |
| status = set_rsa_pair(session, CLIENT_KEY_PAIR_ID, CLIENT_KEY_PEM) |
| if status != apis.kStatus_SSS_Success: |
| print("Error in set_rsa_pair") |
| |
| session_close(None) |