Google Git
Sign in
coral / a71ch-crypto-support / 8dc1f1434da50a4b7361d651239c1f3f4f8cc25b / . / sss / plugin / mbedtls / scripts / windowsProvisionEC.bat
blob: b0e3d6b12c95121f996300b64c9ad9ab506ebf38 [file] [log] [blame]
@echo off
SETLOCAL
@REM Copyright 2019 NXP
@REM
@REM SPDX-License-Identifier: Apache-2.0
@REM
@REM
@REM Use openssl and ssscli to provision attached secure element
@REM Note-1: Connect via JRCP_v2 (default) or JRCP_v1 (aka RJCT) server
@REM Note-2: Set IOT_SE to either se050 or a71ch
@REM
@REM The script takes two mandatory parameters:
@REM ec_keytype
@REM the ip_address:port of the JRCP server to connect to
@REM e.g.:
@REM windowsProvision.bat prime256v1 192.168.2.75:8050
@REM
@REM An optional third parameter specifies the secure element targeted.
@REM The default secure element is se050
@set IOT_SE=se050
@REM @set IOT_SE=a71ch
@REM Handle parameters passed, do a sanity check before proceeding
IF NOT "%~1" == "" (
IF "%~1"=="prime192v1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="NIST_P192"
) ELSE IF "%~1"=="secp224r1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="NIST_P224"
) ELSE IF "%~1"=="prime256v1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="NIST_P256"
) ELSE IF "%~1"=="secp384r1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="NIST_P384"
) ELSE IF "%~1"=="secp521r1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="NIST_P521"
) ELSE IF "%~1"=="brainpoolP256r1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="Brainpool256"
) ELSE IF "%~1"=="brainpoolP384r1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="Brainpool384"
) ELSE IF "%~1"=="brainpoolP512r1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="Brainpool512"
) ELSE IF "%~1"=="secp192k1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="Secp192k1"
) ELSE IF "%~1"=="secp224k1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="Secp224k1"
) ELSE IF "%~1"=="secp256k1" (
@set EC_KEY_TYPE=%~1
@set PYCLI_EC_KEY_TYPE="Secp256k1"
) ELSE (
echo %~1 is not a supported key type
goto :SUPPORTED_KEYTYPES
)
) ELSE (
goto :SUPPORTED_KEYTYPES
)
IF "%~2" == "jrcpv2" (
IF NOT "%~3" == "" (
@SET CONNECTION_TYPE=%~2
@SET CONNECTION_PARAM=%~3
) ELSE (
echo Please provide ip_address:port of JRCP server as third argument
pause
goto :EOF
)
) ELSE IF "%~2" == "vcom" (
IF NOT "%~3" == "" (
@SET CONNECTION_TYPE=%~2
@SET CONNECTION_PARAM=%~3
) ELSE (
echo Please provide port name as third argument
pause
goto :EOF
)
) ELSE (
echo Invalid argumenets
pause
goto :EOF
)
IF NOT "%~4" == "" (
@SET IOT_SE=%~4
)
@set KEY_DIR=keys/%EC_KEY_TYPE%
@set KEY_DIR_DOS=keys\%EC_KEY_TYPE%
@cd /d %~dp0
@set OPENSSL=..\..\..\..\ext\openssl\bin\openssl.exe
@set OPENSSL_CONF=..\..\..\..\ext\openssl\ssl\openssl.cnf
if not exist ..\%KEY_DIR_DOS%\NUL (
echo "Folder ..\%KEY_DIR_DOS% does not exist, creating it"
mkdir ..\%KEY_DIR_DOS%
)
@set ROOT_CA=tls_rootca
@set CLIENT_FILE=tls_client
@set SERVER_FILE=tls_server
@set DIR_PATH=..\keys\%EC_KEY_TYPE%
@set ROOT_CA_CER=%DIR_PATH%\%ROOT_CA%.cer
@SET ROOT_CA_SR1=%DIR_PATH%\%ROOT_CA%.srl
@set KEY_TYPE_FILE=%DIR_PATH%\%EC_KEY_TYPE%.pem
@set ROOT_CA_KEY_PEM=%DIR_PATH%\%ROOT_CA%_key.pem
@set ROOT_CA_KEY_PUBLIC_PEM=%DIR_PATH%\%ROOT_CA%_pub_key.pem
@set ROOT_CA_KEY_DER=%DIR_PATH%\%ROOT_CA%_key.der
@set CLIENT_KEY_PEM=%DIR_PATH%\%CLIENT_FILE%_key.pem
@set CLIENT_KEY_PUBLIC_PEM=%DIR_PATH%\%CLIENT_FILE%_key_pub.pem
@set CLIENT_CER=%DIR_PATH%\%CLIENT_FILE%.cer
@set SERVER_KEY_PEM=%DIR_PATH%\%SERVER_FILE%_key.pem
@set SERVER_CSR=%DIR_PATH%\%SERVER_FILE%.csr
@set SERVER_CERTIFICATE=%DIR_PATH%\%SERVER_FILE%.cer
%OPENSSL% ecparam -name %EC_KEY_TYPE% -out %KEY_TYPE_FILE%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM Conditionally create CA key
%OPENSSL% ecparam -in %KEY_TYPE_FILE% -genkey -noout -out %ROOT_CA_KEY_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %ROOT_CA_KEY_PEM% -text -noout
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %ROOT_CA_KEY_PEM% -outform DER -out %ROOT_CA_KEY_DER%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM Extract public part
%OPENSSL% ec -in %ROOT_CA_KEY_PEM% -pubout -out %ROOT_CA_KEY_PUBLIC_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM create CA certificates
%OPENSSL% req -x509 -new -nodes -key %ROOT_CA_KEY_PEM% -subj "/C=BE/ST=VlaamsBrabant/L=Leuven/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" -days 2800 -out %ROOT_CA_CER% -config %OPENSSL_CONF%
%OPENSSL% x509 -in %ROOT_CA_CER% -text -noout
@REM Create client key and extract public part
%OPENSSL% ecparam -in %KEY_TYPE_FILE% -genkey -out %CLIENT_KEY_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %CLIENT_KEY_PEM% -text -noout
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %CLIENT_KEY_PEM% -pubout -out %CLIENT_KEY_PUBLIC_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM Now create CSR
%OPENSSL% req -new -key %CLIENT_KEY_PEM% -subj "/C=BE/ST=VlaamsBrabant/L=Leuven/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" -out %CLIENT_CER% -config %OPENSSL_CONF%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% req -in %CLIENT_CER% -text -config %OPENSSL_CONF%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
IF EXIST %ROOT_CA_SR1% (
@echo ">> %ROOT_CA_SR1% already exists, use it"
@SET x509_serial=-CAserial %ROOT_CA_SR1%
) ELSE (
@echo ">> no %ROOT_CA_SR1% found, create it"
@SET x509_serial=-CAserial %ROOT_CA_SR1% -CAcreateserial
)
@REM Create CA signed client certificate
%OPENSSL% x509 -req -sha256 -days 2800 -in %CLIENT_CER% %x509_serial% -CA %ROOT_CA_CER% -CAkey %ROOT_CA_KEY_PEM% -out %CLIENT_CER%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -in %CLIENT_CER% -text -noout
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM Conditionally create server key
%OPENSSL% ecparam -in %KEY_TYPE_FILE% -genkey -out %SERVER_KEY_PEM%
%OPENSSL% ec -in %SERVER_KEY_PEM% -text -noout
@REM Create CSR anew
%OPENSSL% req -new -key %SERVER_KEY_PEM% -subj "/C=BE/ST=VlaamsBrabant/L=Leuven/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" -out %SERVER_CSR% -config %OPENSSL_CONF%
%OPENSSL% req -in %SERVER_CSR% -text -noout -config %OPENSSL_CONF%
@REM Always create a CA signed server certificate
%OPENSSL% x509 -req -sha256 -days 2800 -in %SERVER_CSR% %x509_serial% -CA %ROOT_CA_CER% -CAkey %ROOT_CA_KEY_PEM% -out %SERVER_CERTIFICATE%
%OPENSSL% x509 -in %SERVER_CERTIFICATE% -text -noout
@REM Provision using ssscli tool
IF "%CONNECTION_TYPE%" == "vcom" (
@REM Use precompiled ssscli binary for vcom connection
@set ssscli=..\..\..\..\binaries\pySSSCLI\ssscli.exe
) ELSE (
@REM Use ssscli from vertualenv setup
@set ssscli=ssscli
)
%ssscli% -v disconnect
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL
if "%IOT_SE%" == "a71ch" (
%ssscli% -v connect a71ch %CONNECTION_TYPE% %CONNECTION_PARAM%
%ssscli% -v a71ch reset
) else if "%IOT_SE%" == "se05x" (
echo %ssscli% -v connect se05x %CONNECTION_TYPE% %CONNECTION_PARAM%
%ssscli% -v connect se05x %CONNECTION_TYPE% %CONNECTION_PARAM%
%ssscli% -v se05x reset
) else (
echo %IOT_SE% is not supported as secure element
goto :EOF
)
@set client_cert_key_id=20181002
%ssscli% -v set cert %client_cert_key_id% %CLIENT_CER%
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL
@set client_key_pair_id=20181001
%ssscli% -v set ecc pair %client_key_pair_id% %CLIENT_KEY_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL
@set root_cer_pub_id=7DCCBB22
%ssscli% -v set ecc pub %root_cer_pub_id% %ROOT_CA_KEY_PUBLIC_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL
echo ## Program completed successfully
goto :EOF
@REM Usage
:SUPPORTED_KEYTYPES
echo Please provide as first argument: ec_keytype
echo 'Please provide as second argument: connection type - vcom, jrcpv2'
echo 'Please provide as third argument: connection parameter - eg. COM3 , 127.0.0.1:8050'
echo 'Please provide as fourth argument: Iot SE - eg. a71ch , Default:se05x'
echo Example invocations
echo %~nx0 prime256v1 jrcpv2 127.0.0.1:8050
echo %~nx0 prime256v1 vcom COM3 a71ch
echo Supported key types:
echo prime192v1
echo secp224r1
echo prime256v1
echo secp384r1
echo secp521r1
echo brainpoolP256r1
echo brainpoolP384r1
echo brainpoolP512r1
echo secp192k1
echo secp224k1
echo secp256k1
pause
goto :EOF
@REM Error Handling
:OPENSSL_FAILED
echo ### OpenSSL failed
pause
goto :EOF
:CONFIG_TOOL
echo ### No configuration tool (ssscli)
pause
goto :EOF