# # Copyright 2019 NXP # SPDX-License-Identifier: Apache-2.0 # # # Create Keys for MbedTLS ALT testing # # Preconditions # - Openssl installed # import os import sys import logging import re import subprocess import os.path from util import * import sss.sss_api as apis PycliKeyTypeMap = { 'prime192v1':'NIST_P192', 'secp224r1':'NIST_P224', 'prime256v1':'NIST_P256', 'secp384r1':'NIST_P384', 'secp521r1':'NIST_P521', 'brainpoolP256r1':'Brainpool256', 'brainpoolP384r1':'Brainpool384', 'brainpoolP512r1':'Brainpool512', 'secp192k1':'Secp192k1', 'secp224k1':'Secp224k1', 'secp256k1':'Secp256k1', } CLIENT_CERT_KEY_ID = 0x20181002 CLIENT_KEY_PAIR_ID = 0x20181001 ROOT_CA_PUB_KEY_ID = 0x7DCCBB22 def run(cmd_str, ignore_result=0, exp_retcode=0): print("Running command: %s" %cmd_str) pipes = subprocess.Popen( cmd_str, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, ) std_out, std_err = pipes.communicate() std_out = std_out.strip() std_err = std_err.strip() if not ignore_result: if pipes.returncode != exp_retcode: print("Command execution failed.") else: print("Command execution was successful.") assert pipes.returncode == exp_retcode def printUsage(): print('Invalid input argument') print('Run as - create_and_provision_ecc_keys.py ') print('supported key types -') print(ecc_types) print('supported auth types -') print(auth_types) print('Example invocation - create_and_provision_ecc_keys.py prime256v1 jrcpv2 127.0.0.1:8050') print('Example invocation - create_and_provision_ecc_keys.py prime256v1 vcom COM1 a71ch') print('Example invocation - create_and_provision_ecc_keys.py prime256v1 t1oi2c none se05x PlatformSCP') print('Example invocation - create_and_provision_ecc_keys.py prime256v1 sci2c none a71ch') sys.exit() print (len(sys.argv)) if len(sys.argv) < 4: printUsage() cur_dir = os.path.abspath(os.path.dirname(__file__)) keytype = sys.argv[1] if isValidECKeyType(keytype) != True: printUsage() connection_type = sys.argv[2]; connection_string = sys.argv[3]; iot_se = 'se05x' if len(sys.argv) > 4: iot_se = sys.argv[4] auth_type = "None" if len(sys.argv) > 5: auth_type = sys.argv[5] auth_key = "None" if len(sys.argv) > 6: auth_key = sys.argv[6] if iot_se == "a71ch": if keytype != "prime256v1": print('Only prime256v1 is supported with a71ch') sys.exit() if os.path.isdir(os.path.join(cur_dir, '..', 'keys', keytype)) == False: os.mkdir(os.path.join(cur_dir, '..', 'keys', keytype)) KEY_TYPE_FILE_NAME = keytype + '.pem' KEY_TYPE_FILE = os.path.join(cur_dir, '..', 'keys', keytype, KEY_TYPE_FILE_NAME) ROOT_CA_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.cer') ROOT_CA_SRL = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca.srl') ROOT_CA_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.pem') ROOT_CA_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_pub_key.pem') ROOT_CA_KEY_DER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_rootca_key.der') CLIENT_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key.pem') CLIENT_KEY_PUBLIC_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client_key_pub.pem') CLIENT_CER = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_client.cer') SERVER_KEY_PEM = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server_key.pem') SERVER_CSR = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.csr') SERVER_CERTIFICATE = os.path.join(cur_dir, '..', 'keys', keytype, 'tls_server.cer') openssl_config_file = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'ssl', 'openssl.cnf') if sys.platform.startswith("win"): openssl = os.path.join(cur_dir, '..', '..', '..', '..', 'ext', 'openssl', 'bin', 'openssl.exe') os.environ['OPENSSL_CONF'] = openssl_config_file else: openssl = 'openssl' SUBJECT = "/C=AB/ST=XY/L=LH/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" cmd_str = "\"%s\" ecparam -name \"%s\" -out \"%s\"" % (openssl, keytype, KEY_TYPE_FILE) run(cmd_str) cmd_str = "\"%s\" ecparam -in \"%s\" -genkey -noout -out \"%s\"" % (openssl, KEY_TYPE_FILE, ROOT_CA_KEY_PEM) run(cmd_str) cmd_str = "\"%s\" ec -in \"%s\" -text -noout" % (openssl, ROOT_CA_KEY_PEM) run(cmd_str) cmd_str = "\"%s\" ec -in \"%s\" -outform DER -out \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_KEY_DER) run(cmd_str) cmd_str = "\"%s\" ec -in \"%s\" -pubout -out \"%s\"" % (openssl, ROOT_CA_KEY_PEM, ROOT_CA_KEY_PUBLIC_PEM) run(cmd_str) #create CA certificates cmd_str = "\"%s\" req -x509 -new -nodes -key \"%s\" -subj \"%s\" -days 2800 -out \"%s\" -config \"%s\"" % (openssl, ROOT_CA_KEY_PEM, SUBJECT, ROOT_CA_CER, openssl_config_file) run(cmd_str) cmd_str = "\"%s\" x509 -in \"%s\" -text -noout" % (openssl, ROOT_CA_CER) run(cmd_str) #Create client key and extract public part cmd_str = "\"%s\" ecparam -in \"%s\" -genkey -out \"%s\"" % (openssl, KEY_TYPE_FILE, CLIENT_KEY_PEM) run(cmd_str) cmd_str = "\"%s\" ec -in \"%s\" -text -noout" % (openssl, CLIENT_KEY_PEM) run(cmd_str) cmd_str = "\"%s\" ec -in \"%s\" -pubout -out \"%s\"" % (openssl, CLIENT_KEY_PEM, CLIENT_KEY_PUBLIC_PEM) run(cmd_str) #Now create CSR cmd_str = "\"%s\" req -new -key \"%s\" -subj \"%s\" -out \"%s\" -config \"%s\"" % (openssl, CLIENT_KEY_PEM, SUBJECT, CLIENT_CER, openssl_config_file) run(cmd_str) cmd_str = "\"%s\" req -in \"%s\" -text -config \"%s\"" % (openssl, CLIENT_CER, openssl_config_file) run(cmd_str) #Create CA signed client certificate if os.path.isfile(ROOT_CA_SRL) == True: cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, CLIENT_CER, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, CLIENT_CER) else: cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CAcreateserial -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, CLIENT_CER, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, CLIENT_CER) run(cmd_str) cmd_str = "\"%s\" x509 -in \"%s\" -text -noout" % (openssl, CLIENT_CER) run(cmd_str) #Create server key cmd_str = "\"%s\" ecparam -in \"%s\" -genkey -out \"%s\"" % (openssl, KEY_TYPE_FILE, SERVER_KEY_PEM) run(cmd_str) cmd_str = "\"%s\" ec -in \"%s\" -text -noout" % (openssl, SERVER_KEY_PEM) run(cmd_str) #Create CSR a new cmd_str = "\"%s\" req -new -key \"%s\" -subj \"%s\" -out \"%s\" -config \"%s\"" % (openssl, SERVER_KEY_PEM, SUBJECT, SERVER_CSR, openssl_config_file) run(cmd_str) cmd_str = "\"%s\" req -in \"%s\" -text -noout -config \"%s\"" % (openssl, SERVER_CSR, openssl_config_file) run(cmd_str) #Create a CA signed server certificate if os.path.isfile(ROOT_CA_SRL) == True: cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, SERVER_CSR, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, SERVER_CERTIFICATE) else: cmd_str = "\"%s\" x509 -req -sha256 -days 2800 -in \"%s\" -CAserial \"%s\" -CAcreateserial -CA \"%s\" -CAkey \"%s\" -out \"%s\" " % (openssl, SERVER_CSR, ROOT_CA_SRL, ROOT_CA_CER, ROOT_CA_KEY_PEM, SERVER_CERTIFICATE) run(cmd_str) cmd_str = "\"%s\" x509 -in \"%s\" -text -noout" % (openssl, SERVER_CERTIFICATE) run(cmd_str) #Provision the keys session_close(None) session = session_open(iot_se, connection_string, connection_type, auth_type, auth_key) if session is None: print("Error in session_open") sys.exit() reset(session) # Inject client certificate to the Secure Element status = set_cert(session, CLIENT_CERT_KEY_ID, CLIENT_CER) if status != apis.kStatus_SSS_Success: print("Error in set_cert") # Inject root ca public key to the Secure Element status = set_ecc_pub(session, ROOT_CA_PUB_KEY_ID, ROOT_CA_KEY_PUBLIC_PEM) if status != apis.kStatus_SSS_Success: print("Error in set_ecc_pub") # Inject client ecc pair key to the Secure Element status = set_ecc_pair(session, CLIENT_KEY_PAIR_ID, CLIENT_KEY_PEM) if status != apis.kStatus_SSS_Success: print("Error in set_ecc_pair") session_close(None)