def genkey(ctx: click.Context, path: str, password: str, force: bool) -> None:
"""Generate key pair for RoT or DCK.
\b
PATH - path where the key pairs will be stored
"""
is_rsa = ctx.obj['is_rsa']
key_param = ctx.obj['key_param']
check_destination_dir(path, force)
check_file_exists(path, force)
if is_rsa:
logger.info("Generating RSA private key...")
priv_key_rsa = generate_rsa_private_key(key_size=key_param)
logger.info("Generating RSA corresponding public key...")
pub_key_rsa = generate_rsa_public_key(priv_key_rsa)
logger.info("Saving RSA key pair...")
save_rsa_private_key(priv_key_rsa, path, password if password else None)
save_rsa_public_key(pub_key_rsa, os.path.splitext(path)[0] + '.pub')
else:
logger.info("Generating ECC private key...")
priv_key_ec = generate_ecc_private_key(curve_name=key_param)
logger.info("Generating ECC public key...")
pub_key_ec = generate_ecc_public_key(priv_key_ec)
logger.info("Saving ECC key pair...")
save_ecc_private_key(priv_key_ec, path, password if password else None)
save_ecc_public_key(pub_key_ec, os.path.splitext(path)[0] + '.pub')
def test_certificate_generation(tmpdir):
ca_priv_key = generate_rsa_private_key()
save_rsa_private_key(ca_priv_key, path.join(tmpdir, "ca_private_key.pem"))
ca_pub_key = generate_rsa_public_key(ca_priv_key)
save_rsa_public_key(ca_pub_key, path.join(tmpdir, "ca_pub_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_private_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_pub_key.pem"))
subject = issuer = generate_name_struct("highest", "CZ")
ca_cert = generate_certificate(subject,
issuer,
ca_pub_key,
ca_priv_key,
if_ca=True)
save_crypto_item(ca_cert, path.join(tmpdir, "ca_cert.pem"))
assert path.isfile(path.join(tmpdir, "ca_cert.pem"))
srk_priv_key = generate_rsa_private_key()
save_rsa_private_key(srk_priv_key, path.join(tmpdir, "srk_priv_key.pem"))
assert path.isfile(path.join(tmpdir, "srk_priv_key.pem"))
srk_pub_key = generate_rsa_public_key(srk_priv_key)
save_rsa_public_key(srk_pub_key, path.join(tmpdir, "srk_pub_key.pem"))
assert path.isfile(path.join(tmpdir, "srk_pub_key.pem"))
srk_subject = generate_name_struct("srk", "UK")
srk_cert = generate_certificate(srk_subject,
issuer,
srk_pub_key,
ca_priv_key,
if_ca=False)
save_crypto_item(srk_cert, path.join(tmpdir, "srk1.pem"))
assert path.isfile(path.join(tmpdir, "srk1.pem"))
def test_certificate_generation(tmpdir):
ca_priv_key = generate_rsa_private_key()
save_rsa_private_key(ca_priv_key, path.join(tmpdir, "ca_private_key.pem"))
ca_pub_key = generate_rsa_public_key(ca_priv_key)
save_rsa_public_key(ca_pub_key, path.join(tmpdir, "ca_pub_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_private_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_pub_key.pem"))
data = yaml.safe_load(
"""
COMMON_NAME: xyz
DOMAIN_COMPONENT: [com, nxp, wbi]
ORGANIZATIONAL_UNIT_NAME: [NXP, CZ, Managed Users, Developers]
"""
)
subject = issuer = generate_name(data)
ca_cert = generate_certificate(subject, issuer, ca_pub_key, ca_priv_key, if_ca=True)
save_crypto_item(ca_cert, path.join(tmpdir, "ca_cert.pem"))
assert path.isfile(path.join(tmpdir, "ca_cert.pem"))
data = yaml.safe_load(
"""
- COMMON_NAME: ccccc
- DOMAIN_COMPONENT: [com, nxp, wbi]
- ORGANIZATIONAL_UNIT_NAME: NXP
- ORGANIZATIONAL_UNIT_NAME: CZ
- ORGANIZATIONAL_UNIT_NAME: Managed Users
- ORGANIZATIONAL_UNIT_NAME: Developers
"""
)
subject = issuer = generate_name(data)
ca_cert = generate_certificate(subject, issuer, ca_pub_key, ca_priv_key, if_ca=True)
save_crypto_item(ca_cert, path.join(tmpdir, "ca_cert_1.pem"))
assert path.isfile(path.join(tmpdir, "ca_cert_1.pem"))
def test_generate_csf_img(
cpu_params: CpuParams,
srk_key_index: int,
cert_name_prefix: str,
cert_index: int,
key_size: int = 2048,
) -> None:
"""Generate additional CSF or IMG certificate for selected SRK key
:param cpu_params: processor specific parameters of the test
:param srk_key_index: index of SRK, for which new certificate is going to be generated
:param cert_name_prefix: prefix/type of the generated certificate: either 'CSF' or 'IMG'
:param cert_index: index of the generated certificate
:param key_size: size of the generated key in bits, 2048 by default
"""
# validate arguments
assert 1 <= srk_key_index <= 4
assert cert_name_prefix == "CSF" or cert_name_prefix == "IMG"
assert 1 <= cert_index
# build names
base_key_name = f"_sha256_{str(key_size)}_65537_v3_" # middle path of the output filename
srk_name = f"SRK{srk_key_index}" + base_key_name + "ca"
out_name = cert_name_prefix + str(srk_key_index) + "_" + str(
cert_index) + base_key_name + "usr"
out_key_path = os.path.join(cpu_params.keys_data_dir, out_name + "_key")
# generate private key
gen_priv_key = generate_rsa_private_key(key_size=key_size)
save_rsa_private_key(gen_priv_key,
out_key_path + ".pem",
password=PRIV_KEY_PASSWORD,
encoding=Encoding.PEM)
save_rsa_private_key(gen_priv_key,
out_key_path + ".der",
password=PRIV_KEY_PASSWORD,
encoding=Encoding.DER)
# generate public key
gen_pub_key = generate_rsa_public_key(gen_priv_key)
# load private key of the issuer (SRK)
srk_priv_key = load_pem_private_key(
load_binary(cpu_params.keys_data_dir, srk_name + "_key.pem"),
password=PRIV_KEY_PASSWORD,
backend=default_backend(),
)
# generate certificate
gen_cert = generate_certificate(
x509_common_name(out_name),
x509_common_name(srk_name),
gen_pub_key,
srk_priv_key,
serial_number=0x199999A7,
if_ca=False,
duration=3560,
)
save_crypto_item(
gen_cert, os.path.join(cpu_params.cert_data_dir,
out_name + "_crt.pem"), Encoding.PEM)
save_crypto_item(
gen_cert, os.path.join(cpu_params.cert_data_dir,
out_name + "_crt.der"), Encoding.DER)
def main(log_level: str, key_type: str, path: str, password: str,
force: bool) -> int:
"""NXP Key Generator Tool.
\b
PATH - output file path, where the key pairs (private and public key) will be stored.
Each key will be stored in separate file (.pub and .pem).
"""
logging.basicConfig(level=log_level.upper())
key_param = key_type.lower().strip()
is_rsa = "rsa" in key_param
check_destination_dir(path, force)
check_file_exists(path, force)
pub_key_path = os.path.splitext(path)[0] + ".pub"
check_file_exists(pub_key_path, force)
if is_rsa:
logger.info("Generating RSA private key...")
priv_key_rsa = generate_rsa_private_key(
key_size=int(key_param.replace("rsa", "")))
logger.info("Generating RSA corresponding public key...")
pub_key_rsa = generate_rsa_public_key(priv_key_rsa)
logger.info("Saving RSA key pair...")
save_rsa_private_key(priv_key_rsa, path,
password if password else None)
save_rsa_public_key(pub_key_rsa, pub_key_path)
else:
logger.info("Generating ECC private key...")
priv_key_ec = generate_ecc_private_key(curve_name=key_param)
logger.info("Generating ECC public key...")
pub_key_ec = generate_ecc_public_key(priv_key_ec)
logger.info("Saving ECC key pair...")
save_ecc_private_key(priv_key_ec, path, password if password else None)
save_ecc_public_key(pub_key_ec, pub_key_path)
return 0
def keys_generation(data_dir):
priv_key = generate_rsa_private_key()
pub_key = generate_rsa_public_key(priv_key)
save_rsa_private_key(priv_key, path.join(data_dir, "priv.pem"))
save_rsa_public_key(pub_key, path.join(data_dir, "pub.pem"))