# Copyright 2020 NXP
#
# SPDX-License-Identifier: Apache-2.0
#
"""
Optionally create a set of RSA key files (*.pem) (existing ones overwritten).
Optionally perform a debug reset of the attached secure element.
Provision attached secure element with RSA key.
Create reference key for the injected RSA key.
PYTHONPATH=../scripts/ python3 openssl_asym_provisionRSA.py --no_reset --create --key_type rsa2048 --connection_data 192.168.1.190:8040
"""
import argparse
import sss.sss_api as apis
from func_timeout import *
from openssl_util import *
# Epilog for --help: each example line names this script via __file__.
example_text = "\n".join((
    "",
    "Example invocation::",
    "python {prog} --key_type rsa1024",
    "python {prog} --key_type rsa2048 --no_reset --connection_data 127.0.0.1:8050",
    "python {prog} --key_type rsa2048 --create --connection_data 127.0.0.1:8040",
    "",
)).format(prog=__file__)
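def parse_in_args():
    """Parse and validate the command line.

    Returns:
        The argparse namespace, or ``None`` when no arguments were given or a
        value is outside the supported set (usage is printed to stderr first,
        so the caller only has to test for ``None``).

    Side effects:
        For ``--connection_data host:port`` the JRCP_HOSTNAME / JRCP_PORT
        environment variables are exported for the session layer and a
        ``t1oi2c`` connection type is rewritten to ``jrcpv1``; for a ``COM``
        port it is rewritten to ``vcom``.
    """
    # Single source of truth for the accepted values: the help text and the
    # validation below are derived from the same tuples.
    auth_types = ("None", "PlatformSCP", "UserID", "ECKey", "AESKey",
                  "UserID_PlatformSCP", "ECKey_PlatformSCP", "AESKey_PlatformSCP")
    subsystems = ("se05x", "mbedtls")

    parser = argparse.ArgumentParser(
        description=__doc__, epilog=example_text,
        formatter_class=argparse.RawTextHelpFormatter)
    required = parser.add_argument_group('required arguments')
    optional = parser.add_argument_group('optional arguments')
    required.add_argument(
        '--key_type',
        default="",
        help='Supported key types => ``%s``' % ("``, ``".join(SUPPORTED_RSA_KEY_TYPES)),
        required=True)
    optional.add_argument(
        '--connection_type',
        default="t1oi2c",
        help='Supported connection types => ``%s``. Default: ``t1oi2c``'
             % ("``, ``".join(SUPPORTED_CONNECTION_TYPES)))
    optional.add_argument(
        '--connection_data',
        default="none",
        help='Parameter to connect to SE => eg. ``COM3``, ``127.0.0.1:8050``, ``none``. Default: ``none``')
    optional.add_argument(
        '--subsystem',
        default="se05x",
        help='Supported subsystem => ``%s``. Default: ``se05x``' % ("``, ``".join(subsystems)))
    optional.add_argument(
        '--auth_type',
        default="None",
        help='Supported auth types => ``%s``. Default: ``None``' % ("``, ``".join(auth_types)))
    optional.add_argument(
        '--scpkey',
        default="None",
        help='Forwarded to session_open() together with --auth_type. Default: ``None``')
    optional.add_argument(
        '--create',
        action="store_true",
        help="create (and overwrite) credentials")
    optional.add_argument(
        '--no_reset',
        action="store_true",
        help="do not reset contents of attached secure element")

    def reject():
        """Print usage to stderr and signal failure to the caller."""
        parser.print_help(sys.stderr)
        return None

    if len(sys.argv) == 1:
        return reject()
    args = parser.parse_args()
    if args.key_type not in SUPPORTED_RSA_KEY_TYPES:
        return reject()
    if args.auth_type not in auth_types:
        return reject()

    data = args.connection_data
    if ':' in data:
        # "host:port" selects the JRCP network transport; the session layer
        # picks the endpoint up from the environment. Reject an empty host,
        # an empty port or extra ':' parts instead of exporting them.
        host, _, port = data.partition(':')
        if not host or not port or ':' in port:
            return reject()
        os.environ['JRCP_HOSTNAME'] = host
        os.environ['JRCP_PORT'] = port
        log.info("JRCP_HOSTNAME: %s" % host)
        log.info("JRCP_PORT: %s" % port)
        if args.connection_type == "t1oi2c":
            args.connection_type = "jrcpv1"
    elif 'COM' in data:
        if args.connection_type == "t1oi2c":
            args.connection_type = "vcom"
    elif 'none' not in data:
        return reject()

    if args.connection_type not in SUPPORTED_CONNECTION_TYPES:
        return reject()
    if args.subsystem not in subsystems:
        return reject()
    return args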
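def _rsa_key_paths(keys_dir, label, key_size):
    """Return the (key pair, public key, reference key) PEM paths for one slot.

    Files are named ``rsa_<label>_<bits>_{kp,pub,kp_ref}.pem`` under *keys_dir*.
    """
    stem = "rsa_%s_%s" % (label, key_size)
    return (os.path.join(keys_dir, stem + "_kp.pem"),
            os.path.join(keys_dir, stem + "_pub.pem"),
            os.path.join(keys_dir, stem + "_kp_ref.pem"))


def _create_rsa_pair(key_pair, key_pub, bits):
    """Generate a fresh RSA key pair and extract its public key.

    Both files are overwritten; *bits* is the modulus size passed to genrsa.
    """
    run("%s genrsa -out %s %d" % (openssl, key_pair, bits))
    run("%s rsa -in %s -RSAPublicKey_out -out %s" % (openssl, key_pair, key_pub))


def main():
    """Provision two RSA key pairs into the secure element and write reference keys.

    Steps: parse and validate the arguments, optionally generate fresh PEM
    key pairs (overwriting existing files), open a session, optionally reset
    the secure element, then inject each key pair and write its reference
    PEM. Returns early on any failure; the session is closed on every exit
    path once it has been opened.
    """
    args = parse_in_args()
    if args is None:
        return
    keys_dir = os.path.join(cur_dir, '..', 'tst_keys')
    # key_type was validated against SUPPORTED_RSA_KEY_TYPES, so this is the
    # modulus size in bits, e.g. "rsa2048" -> "2048".
    key_size = args.key_type.replace("rsa", "")

    # Two slots, A and B, each bound to a fixed object id in the secure element.
    slots = []
    for label, key_id in (("A", 0x7D010000), ("B", 0x7D010001)):
        key_pair, key_pub, ref_key = _rsa_key_paths(keys_dir, label, key_size)
        if args.create:
            _create_rsa_pair(key_pair, key_pub, int(key_size))
        slots.append((key_id, key_pair, ref_key))

    session_close(None)
    session = session_open(args.subsystem, args.connection_data,
                           args.connection_type, args.auth_type, args.scpkey)
    if session is None:
        return
    try:
        if not args.no_reset:
            # Debug reset wipes the objects on the attached secure element;
            # pass --no_reset to keep what is already provisioned.
            reset(session)
        for key_id, key_pair, ref_key in slots:
            status = set_rsa_pair(session, key_id, key_pair)
            if status != apis.kStatus_SSS_Success:
                log.error("set_rsa_pair failed for key id 0x%08X (status %s)" % (key_id, status))
                return
            status = refpem_rsa(session, key_id, ref_key)
            if status != apis.kStatus_SSS_Success:
                log.error("refpem_rsa failed for key id 0x%08X (status %s)" % (key_id, status))
                return
    finally:
        # Close on every exit path, including a failed provisioning step.
        session_close(session)
    log.info("##############################################################")
    log.info("# #")
    log.info("# Program completed successfully #")
    log.info("# #")
    log.info("##############################################################")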
if __name__ == '__main__':
    # DEBUG level so the log.info() progress messages reach the console.
    logging.basicConfig(level=logging.DEBUG)
    # Bound the whole run to three minutes; a hung secure-element session
    # would otherwise stall the script indefinitely.
    run_timeout_seconds = 180
    func_timeout(run_timeout_seconds, main, None)