sss/plugin/mbedtls/scripts/create_and_provision_rsa_keys.py - a71ch-crypto-support - Git at Google

 #
 # Copyright 2019,2020 NXP
 # SPDX-License-Identifier: Apache-2.0
 #
 #

 # Create Keys for MbedTLS ALT testing
 #
 # Preconditions
 # - Openssl installed
 #

 import os
 import sys
 import logging
 import re
 import subprocess
 import os.path
 from util import *
 import sss.sss_api as apis

 KeyLenMap = {
     'rsa2048': 2048,
     'rsa3072': 3072,
     'rsa4096': 4096,
 }

 CLIENT_CERT_KEY_ID = 0x20181002
 CLIENT_KEY_PAIR_ID = 0x20181001
 ROOT_CA_PUB_KEY_ID = 0x7DCCBB22

 def run(cmd_str, ignore_result=0, exp_retcode=0):
     print("Running command: %s" %cmd_str)
     pipes = subprocess.Popen(
         cmd_str,
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         shell=True,
     )
     std_out, std_err = pipes.communicate()
     std_out = std_out.strip()
     std_err = std_err.strip()
     if not ignore_result:
         if pipes.returncode != exp_retcode:
             print("Command execution failed.")
         else:
             print("Command execution was successful.")
     assert pipes.returncode == exp_retcode


 def printUsage():
     print('Invalid input argument')
     print('Run as -  create_and_provision_rsa_keys.py  <keyType> <connection_type> <connection_string> <auth (optional. Default - None)> <auth_key>' )
     print('supported key types -')
     print(rsa_types)
     print('supported auth types -')
     print(auth_types)
     print('Example invocation - create_and_provision_rsa_keys.py rsa2048 jrcpv2 127.0.0.1:8050')
     print('Example invocation - create_and_provision_rsa_keys.py rsa2048 vcom COM1')
     print('Example invocation - create_and_provision_rsa_keys.py rsa2048 t1oi2c none se05x PlatformSCP')
     print('Example invocation - create_and_provision_rsa_keys.py rsa2048 sci2c none')
     sys.exit()


 if len(sys.argv) < 4:
     printUsage()

 cur_dir = os.path.abspath(os.path.dirname(__file__))

 keytype = sys.argv[1]
 if isValidRSAKeyType(keytype) != True:
     printUsage()

 connection_type = sys.argv[2];
 connection_string = sys.argv[3];

 iot_se = 'se05x'

 auth_type = "None"
 if len(sys.argv) > 4:
     auth_type = sys.argv[4]

 auth_key = "None"
 if len(sys.argv) > 5:
     auth_key = sys.argv[5]

 if os.path.isdir(os.path.join(cur_dir, '..', 'keys', keytype)) == False:
     os.mkdir(os.path.join(cur_dir, '..', 'keys', keytype))

 KEY_TYPE_FILE_NAME = keytype + '.pem'
 KEY_TYPE_FILE = os.path.join(cur_dir, '..', 'keys', keytype, KEY_TYPE_FILE_NAME)

 ROOT_CA_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.pem')
 ROOT_CA_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.cer')
 ROOT_CA_SRL = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.srl')
 ROOT_CA_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.pem')
 ROOT_CA_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_pub_key.pem')
 ROOT_CA_KEY_DER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.der')

 CLIENT_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.pem')
 CLIENT_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key_pub.pem')
 CLIENT_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.cer')
 CLIENT_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.csr')
 CLIENT_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.pem')

 SERVER_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.pem')
 SERVER_CERTIFICATE = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer')
 SERVER_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.csr')
 SERVER_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.pem')
 SERVER_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer')

 if sys.platform.startswith("win"):
     openssl = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'bin', 'openssl.exe')
     openssl_config_file = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'ssl', 'openssl.cnf')
     os.environ['OPENSSL_CONF'] = openssl_config_file
 else:
     openssl = 'openssl'

 SUBJECT = "/C=AB/ST=XY/L=LH/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost"
 KEY_LEN = KeyLenMap[keytype]


 cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\" " % (openssl, ROOT_CA_KEY_PEM, KEY_LEN)
 run(cmd_str)

 cmd_str = "\"%s\" req -x509 -new -nodes -key \"%s\" -sha256 -days 1000 -out \"%s\" -subj \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_PEM, SUBJECT)
 run(cmd_str)

 cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\" " % (openssl, ROOT_CA_PEM, ROOT_CA_CER)
 run(cmd_str)

 cmd_str = "\"%s\" x509 -pubkey -noout -in \"%s\" > \"%s\"" % (openssl, ROOT_CA_PEM, ROOT_CA_KEY_PUBLIC_PEM)
 run(cmd_str)


 cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\"" % (openssl, CLIENT_KEY_PEM, KEY_LEN)
 run(cmd_str)

 cmd_str = "\"%s\" req -new -key \"%s\" -out \"%s\" -subj \"%s\" " % (openssl, CLIENT_KEY_PEM, CLIENT_CSR, SUBJECT)
 run(cmd_str)

 cmd_str = "\"%s\" x509 -req -in \"%s\" -CA \"%s\" -CAkey \"%s\" -CAcreateserial -out \"%s\" -days 1000 -sha256" % (openssl, CLIENT_CSR, ROOT_CA_PEM, ROOT_CA_KEY_PEM, CLIENT_PEM)
 run(cmd_str)

 cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\"" % (openssl, CLIENT_PEM, CLIENT_CER)
 run(cmd_str)


 cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\"" % (openssl, SERVER_KEY_PEM, KEY_LEN)
 run(cmd_str)

 cmd_str = "\"%s\" req -new -key \"%s\" -out \"%s\" -subj \"%s\" " % (openssl, SERVER_KEY_PEM, SERVER_CSR, SUBJECT)
 run(cmd_str)

 cmd_str = "\"%s\" x509 -req -in \"%s\" -CA \"%s\" -CAkey \"%s\" -CAcreateserial -out \"%s\" -days 1000 -sha256" % (openssl, SERVER_CSR, ROOT_CA_PEM, ROOT_CA_KEY_PEM, SERVER_PEM)
 run(cmd_str)

 cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\"" % (openssl, SERVER_PEM, SERVER_CER)
 run(cmd_str)


 #Provision the keys

 session_close(None)
 session = session_open(iot_se, connection_string, connection_type, auth_type, auth_key)
 if session is None:
     print("Error in session_open")
     sys.exit()

 reset(session)

 # Inject client certificate to the Secure Element
 status = set_cert(session, CLIENT_CERT_KEY_ID, CLIENT_PEM)
 if status != apis.kStatus_SSS_Success:
     print("Error in set_cert")

 # Inject root ca public key to the Secure Element
 status = set_rsa_pub(session, ROOT_CA_PUB_KEY_ID, ROOT_CA_KEY_PUBLIC_PEM)
 if status != apis.kStatus_SSS_Success:
     print("Error in set_rsa_pub")

 # Inject client rsa pair key to the Secure Element
 status = set_rsa_pair(session, CLIENT_KEY_PAIR_ID, CLIENT_KEY_PEM)
 if status != apis.kStatus_SSS_Success:
     print("Error in set_rsa_pair")

 session_close(None)
	#
	# Copyright 2019,2020 NXP
	# SPDX-License-Identifier: Apache-2.0
	#
	#

	# Create Keys for MbedTLS ALT testing
	#
	# Preconditions
	# - Openssl installed
	#

	import os
	import sys
	import logging
	import re
	import subprocess
	import os.path
	from util import *
	import sss.sss_api as apis

	KeyLenMap = {
	'rsa2048': 2048,
	'rsa3072': 3072,
	'rsa4096': 4096,
	}

	CLIENT_CERT_KEY_ID = 0x20181002
	CLIENT_KEY_PAIR_ID = 0x20181001
	ROOT_CA_PUB_KEY_ID = 0x7DCCBB22

	def run(cmd_str, ignore_result=0, exp_retcode=0):
	print("Running command: %s" %cmd_str)
	pipes = subprocess.Popen(
	cmd_str,
	stdout=subprocess.PIPE,
	stderr=subprocess.PIPE,
	shell=True,
	)
	std_out, std_err = pipes.communicate()
	std_out = std_out.strip()
	std_err = std_err.strip()
	if not ignore_result:
	if pipes.returncode != exp_retcode:
	print("Command execution failed.")
	else:
	print("Command execution was successful.")
	assert pipes.returncode == exp_retcode


	def printUsage():
	print('Invalid input argument')
	print('Run as - create_and_provision_rsa_keys.py <keyType> <connection_type> <connection_string> <auth (optional. Default - None)> <auth_key>' )
	print('supported key types -')
	print(rsa_types)
	print('supported auth types -')
	print(auth_types)
	print('Example invocation - create_and_provision_rsa_keys.py rsa2048 jrcpv2 127.0.0.1:8050')
	print('Example invocation - create_and_provision_rsa_keys.py rsa2048 vcom COM1')
	print('Example invocation - create_and_provision_rsa_keys.py rsa2048 t1oi2c none se05x PlatformSCP')
	print('Example invocation - create_and_provision_rsa_keys.py rsa2048 sci2c none')
	sys.exit()


	if len(sys.argv) < 4:
	printUsage()

	cur_dir = os.path.abspath(os.path.dirname(__file__))

	keytype = sys.argv[1]
	if isValidRSAKeyType(keytype) != True:
	printUsage()

	connection_type = sys.argv[2];
	connection_string = sys.argv[3];

	iot_se = 'se05x'

	auth_type = "None"
	if len(sys.argv) > 4:
	auth_type = sys.argv[4]

	auth_key = "None"
	if len(sys.argv) > 5:
	auth_key = sys.argv[5]

	if os.path.isdir(os.path.join(cur_dir, '..', 'keys', keytype)) == False:
	os.mkdir(os.path.join(cur_dir, '..', 'keys', keytype))

	KEY_TYPE_FILE_NAME = keytype + '.pem'
	KEY_TYPE_FILE = os.path.join(cur_dir, '..', 'keys', keytype, KEY_TYPE_FILE_NAME)

	ROOT_CA_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.pem')
	ROOT_CA_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.cer')
	ROOT_CA_SRL = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.srl')
	ROOT_CA_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.pem')
	ROOT_CA_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_pub_key.pem')
	ROOT_CA_KEY_DER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.der')

	CLIENT_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.pem')
	CLIENT_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key_pub.pem')
	CLIENT_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.cer')
	CLIENT_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.csr')
	CLIENT_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.pem')

	SERVER_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.pem')
	SERVER_CERTIFICATE = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer')
	SERVER_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.csr')
	SERVER_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.pem')
	SERVER_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer')

	if sys.platform.startswith("win"):
	openssl = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'bin', 'openssl.exe')
	openssl_config_file = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'ssl', 'openssl.cnf')
	os.environ['OPENSSL_CONF'] = openssl_config_file
	else:
	openssl = 'openssl'

	SUBJECT = "/C=AB/ST=XY/L=LH/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost"
	KEY_LEN = KeyLenMap[keytype]


	cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\" " % (openssl, ROOT_CA_KEY_PEM, KEY_LEN)
	run(cmd_str)

	cmd_str = "\"%s\" req -x509 -new -nodes -key \"%s\" -sha256 -days 1000 -out \"%s\" -subj \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_PEM, SUBJECT)
	run(cmd_str)

	cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\" " % (openssl, ROOT_CA_PEM, ROOT_CA_CER)
	run(cmd_str)

	cmd_str = "\"%s\" x509 -pubkey -noout -in \"%s\" > \"%s\"" % (openssl, ROOT_CA_PEM, ROOT_CA_KEY_PUBLIC_PEM)
	run(cmd_str)



	cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\"" % (openssl, CLIENT_KEY_PEM, KEY_LEN)
	run(cmd_str)

	cmd_str = "\"%s\" req -new -key \"%s\" -out \"%s\" -subj \"%s\" " % (openssl, CLIENT_KEY_PEM, CLIENT_CSR, SUBJECT)
	run(cmd_str)

	cmd_str = "\"%s\" x509 -req -in \"%s\" -CA \"%s\" -CAkey \"%s\" -CAcreateserial -out \"%s\" -days 1000 -sha256" % (openssl, CLIENT_CSR, ROOT_CA_PEM, ROOT_CA_KEY_PEM, CLIENT_PEM)
	run(cmd_str)

	cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\"" % (openssl, CLIENT_PEM, CLIENT_CER)
	run(cmd_str)


	cmd_str = "\"%s\" genrsa -out \"%s\" \"%s\"" % (openssl, SERVER_KEY_PEM, KEY_LEN)
	run(cmd_str)

	cmd_str = "\"%s\" req -new -key \"%s\" -out \"%s\" -subj \"%s\" " % (openssl, SERVER_KEY_PEM, SERVER_CSR, SUBJECT)
	run(cmd_str)

	cmd_str = "\"%s\" x509 -req -in \"%s\" -CA \"%s\" -CAkey \"%s\" -CAcreateserial -out \"%s\" -days 1000 -sha256" % (openssl, SERVER_CSR, ROOT_CA_PEM, ROOT_CA_KEY_PEM, SERVER_PEM)
	run(cmd_str)

	cmd_str = "\"%s\" x509 -outform der -in \"%s\" -out \"%s\"" % (openssl, SERVER_PEM, SERVER_CER)
	run(cmd_str)


	#Provision the keys

	session_close(None)
	session = session_open(iot_se, connection_string, connection_type, auth_type, auth_key)
	if session is None:
	print("Error in session_open")
	sys.exit()

	reset(session)

	# Inject client certificate to the Secure Element
	status = set_cert(session, CLIENT_CERT_KEY_ID, CLIENT_PEM)
	if status != apis.kStatus_SSS_Success:
	print("Error in set_cert")

	# Inject root ca public key to the Secure Element
	status = set_rsa_pub(session, ROOT_CA_PUB_KEY_ID, ROOT_CA_KEY_PUBLIC_PEM)
	if status != apis.kStatus_SSS_Success:
	print("Error in set_rsa_pub")

	# Inject client rsa pair key to the Secure Element
	status = set_rsa_pair(session, CLIENT_KEY_PAIR_ID, CLIENT_KEY_PEM)
	if status != apis.kStatus_SSS_Success:
	print("Error in set_rsa_pair")

	session_close(None)