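@echo off
SETLOCAL
@REM Copyright 2018,2019 NXP
@REM
@REM SPDX-License-Identifier: Apache-2.0
@REM
@REM
@REM Use openssl and ssscli to provision the attached secure element.
@REM
@REM Step 1 (openssl): generate an RSA TLS credential set under ..\keys\<rsa_keytype>:
@REM   - tls_rootca : self-signed root CA key + certificate (+ its public key)
@REM   - tls_client : key pair + certificate signed by the root CA
@REM   - tls_server : key pair + certificate signed by the root CA
@REM Step 2 (ssscli): connect to the secure element, reset it, and store the
@REM   client certificate, the client key pair and the root CA public key.
@REM
@REM Note-1: Connect via a JRCP_v2 server (jrcpv2) or a serial/VCOM port (vcom)
@REM Note-2: IOT_SE selects the secure element: se05x (default) or a71ch
@REM
@REM Arguments:
@REM   %1  rsa_keytype       rsa2048, rsa3072 or rsa4096                       (mandatory)
@REM   %2  connection type   jrcpv2 or vcom                                    (mandatory)
@REM   %3  connection param  ip_address:port for jrcpv2, port name for vcom    (mandatory)
@REM   %4  secure element    a71ch or se05x                                    (optional, default se05x)
@REM e.g.:
@REM   windowsProvision.bat rsa2048 jrcpv2 127.0.0.1:8050
@REM   windowsProvision.bat rsa2048 vcom COM3
@REM
@REM The private keys are written to disk unencrypted (genrsa without a cipher,
@REM req -nodes); keep ..\keys out of source control and restrict access to it.
@REM
@REM Default secure element. The connect/reset section below only knows a71ch and
@REM se05x, so the default must be one of those two (the earlier default "se050"
@REM was rejected there whenever no fourth argument was given).
@set IOT_SE=se05x
@REM @set IOT_SE=a71ch

@REM ---- Argument 1: RSA key type -> RSA_KEY_TYPE / RSA_KEY_LEN ----
IF "%~1" == "" goto :SUPPORTED_KEYTYPES
IF "%~1"=="rsa1024" (
echo MbedTLS default configuration is RSA bit len greater or equal to 2048.
goto :SUPPORTED_KEYTYPES
) ELSE IF "%~1"=="rsa2048" (
@set RSA_KEY_TYPE=%~1
@set RSA_KEY_LEN=2048
) ELSE IF "%~1"=="rsa3072" (
@set RSA_KEY_TYPE=%~1
@set RSA_KEY_LEN=3072
) ELSE IF "%~1"=="rsa4096" (
@set RSA_KEY_TYPE=%~1
@set RSA_KEY_LEN=4096
) ELSE (
echo %~1 is not a supported key type
goto :SUPPORTED_KEYTYPES
)

@REM ---- Arguments 2 and 3: connection type and its parameter ----
IF "%~2" == "jrcpv2" (
IF NOT "%~3" == "" (
@SET CONNECTION_TYPE=%~2
@SET CONNECTION_PARAM=%~3
) ELSE (
echo Please provide ip_address:port of JRCP server as third argument
pause
goto :EOF
)
) ELSE IF "%~2" == "vcom" (
IF NOT "%~3" == "" (
@SET CONNECTION_TYPE=%~2
@SET CONNECTION_PARAM=%~3
) ELSE (
echo Please provide port name as third argument
pause
goto :EOF
)
) ELSE (
echo Invalid arguments
pause
goto :EOF
)

@REM ---- Argument 4 (optional): secure element override ----
IF NOT "%~4" == "" (
@SET IOT_SE=%~4
)
@REM Validate the target before any key material is generated, so a typo in the
@REM fourth argument does not leave freshly generated keys behind.
IF "%IOT_SE%" == "a71ch" goto :SE_OK
IF "%IOT_SE%" == "se05x" goto :SE_OK
echo %IOT_SE% is not supported as secure element
goto :EOF
:SE_OK

@REM Work relative to the script's own directory so the relative paths below
@REM hold regardless of the caller's current directory.
@cd /d %~dp0
@set OPENSSL=..\..\..\..\ext\openssl\bin\openssl.exe
@set OPENSSL_CONF=..\..\..\..\ext\openssl\ssl\openssl.cnf
if not exist %OPENSSL% (
echo ### %OPENSSL% not found
goto :OPENSSL_FAILED
)
@REM Output directory for the generated keys and certificates
@set DIR_PATH=..\keys\%RSA_KEY_TYPE%
if not exist %DIR_PATH%\NUL (
echo "Folder %DIR_PATH% does not exist, creating it"
mkdir %DIR_PATH%
)
@set SUBJECT="/C=GB/ST=ABC/L=ABC/O=Global Security/OU=IT Department/CN=localhost"
@set ROOT_CA=tls_rootca
@set CLIENT_FILE=tls_client
@set SERVER_FILE=tls_server
@set SHA_TYPE=-sha256
@REM Optional RSA-PSS signature options. Only the signing commands (req and
@REM x509 -req) take them; genrsa and the PEM-to-DER conversions do not sign.
@REM @set pss_option=-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -sigopt rsa_mgf1_md:sha256 -sha256
@REM Uncomment to skip key generation and only re-provision existing files:
@REM goto :PROVISION

@REM ---- Root CA: self-signed, SHA_TYPE digest, valid 1000 days ----
%OPENSSL% genrsa -out %DIR_PATH%\%ROOT_CA%_key.pem %RSA_KEY_LEN%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% req -x509 -new -nodes -key %DIR_PATH%\%ROOT_CA%_key.pem %SHA_TYPE% -days 1000 -out %DIR_PATH%\%ROOT_CA%.pem -subj %SUBJECT% %pss_option%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -outform der -in %DIR_PATH%\%ROOT_CA%.pem -out %DIR_PATH%\%ROOT_CA%.cer
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM Root CA public key; this is the object later loaded into the secure element
%OPENSSL% x509 -pubkey -noout -in %DIR_PATH%\%ROOT_CA%.pem > %DIR_PATH%\%ROOT_CA%_pub_key.pem
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

@REM ---- Client: key pair, CSR, certificate signed by the root CA ----
%OPENSSL% genrsa -out %DIR_PATH%\%CLIENT_FILE%_key.pem %RSA_KEY_LEN%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% req -new -key %DIR_PATH%\%CLIENT_FILE%_key.pem -out %DIR_PATH%\%CLIENT_FILE%_key.csr -subj %SUBJECT% %pss_option%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -req -in %DIR_PATH%\%CLIENT_FILE%_key.csr -CA %DIR_PATH%\%ROOT_CA%.pem -CAkey %DIR_PATH%\%ROOT_CA%_key.pem -CAcreateserial -out %DIR_PATH%\%CLIENT_FILE%.pem -days 1000 %SHA_TYPE% %pss_option%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -outform der -in %DIR_PATH%\%CLIENT_FILE%.pem -out %DIR_PATH%\%CLIENT_FILE%.cer
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

@REM ---- Server: same steps as the client. SHA_TYPE is passed on the signing
@REM step here too, so the server certificate is not left with openssl's default
@REM digest while the client certificate gets sha256. ----
%OPENSSL% genrsa -out %DIR_PATH%\%SERVER_FILE%_key.pem %RSA_KEY_LEN%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% req -new -key %DIR_PATH%\%SERVER_FILE%_key.pem -out %DIR_PATH%\%SERVER_FILE%_key.csr -subj %SUBJECT% %pss_option%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -req -in %DIR_PATH%\%SERVER_FILE%_key.csr -CA %DIR_PATH%\%ROOT_CA%.pem -CAkey %DIR_PATH%\%ROOT_CA%_key.pem -CAcreateserial -out %DIR_PATH%\%SERVER_FILE%.pem -days 1000 %SHA_TYPE% %pss_option%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -outform der -in %DIR_PATH%\%SERVER_FILE%.pem -out %DIR_PATH%\%SERVER_FILE%.cer
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

:PROVISION
@REM ---- Provision using ssscli tool ----
IF "%CONNECTION_TYPE%" == "vcom" (
@REM Use precompiled ssscli binary for vcom connection
@set ssscli=..\..\..\..\binaries\pySSSCLI\ssscli.exe
) ELSE (
@REM Use ssscli from virtualenv setup
@set ssscli=ssscli
)
@REM Probe the tool first: a failing disconnect is treated as ssscli not being available
%ssscli% -v disconnect
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL
@REM IOT_SE was validated above to be exactly a71ch or se05x, the names ssscli expects
%ssscli% -v connect %IOT_SE% %CONNECTION_TYPE% %CONNECTION_PARAM%
if %ERRORLEVEL% GEQ 1 GOTO :SSSCLI_FAILED
%ssscli% -v %IOT_SE% reset
if %ERRORLEVEL% GEQ 1 GOTO :SSSCLI_FAILED
@REM Object identifiers inside the secure element
@set client_cert_key_id=20181002
@set client_key_pair_id=20181001
@set root_cer_pub_id=7DCCBB22
%ssscli% -v set cert %client_cert_key_id% %DIR_PATH%\%CLIENT_FILE%.pem
if %ERRORLEVEL% GEQ 1 GOTO :SSSCLI_FAILED
%ssscli% -v set rsa pair %client_key_pair_id% %DIR_PATH%\%CLIENT_FILE%_key.pem
if %ERRORLEVEL% GEQ 1 GOTO :SSSCLI_FAILED
%ssscli% -v set rsa pub %root_cer_pub_id% %DIR_PATH%\%ROOT_CA%_pub_key.pem
if %ERRORLEVEL% GEQ 1 GOTO :SSSCLI_FAILED
echo ## Program completed successfully
goto :EOF

@REM ---- Usage ----
@REM Lines are unquoted and the angle brackets escaped: cmd has no single-quote
@REM quoting and would otherwise treat < and > as redirections and print the quotes.
:SUPPORTED_KEYTYPES
echo Please provide as first argument: rsa_keytype
echo Please provide as second argument: connection type - vcom, jrcpv2
echo Please provide as third argument: connection parameter - eg. COM3 , 127.0.0.1:8050
echo Please provide as fourth argument: platform ^<a71ch / se05x^>. Default se05x
echo Example invocations
echo %~nx0 rsa2048 jrcpv2 127.0.0.1:8050
echo %~nx0 rsa2048 vcom COM3
echo Supported key types:
echo rsa2048
echo rsa3072
echo rsa4096
pause
goto :EOF

@REM ---- Error handling ----
:OPENSSL_FAILED
echo ### OpenSSL failed
pause
goto :EOF
:CONFIG_TOOL
echo ### No configuration tool (ssscli)
pause
goto :EOF
:SSSCLI_FAILED
echo ### ssscli command failed, see output above
pause
goto :EOF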