From f9b17a653e9f147a70980df6888c25f83ae4aadd Mon Sep 17 00:00:00 2001
From: TommyLike
Date: Fri, 27 Oct 2023 09:13:38 +0800
Subject: [PATCH 1/2] Support codesign
---
 scripts/initialize-user-and-keys.sh | 6 ++---
 src/infra/sign_plugin/x509.rs | 35 ++++++++++++++++-------------
 2 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/scripts/initialize-user-and-keys.sh b/scripts/initialize-user-and-keys.sh
index 98bf99e..9b030f8 100755
--- a/scripts/initialize-user-and-keys.sh
+++ b/scripts/initialize-user-and-keys.sh
@@ -23,19 +23,19 @@ function create_default_admin {
 function create_default_x509_ca {
 echo "start to create default x509 CA identified with default-x509"
 RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-x509ca --description "used for test purpose only" --key-type x509ca --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 \
- --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit Infra --digest-algorithm sha2_256 --visibility public
+ --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit "Infra CA" --digest-algorithm sha2_256 --visibility public
 }
 
 function create_default_x509_ica {
 echo "start to create default x509 ICA identified with default-x509"
 RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-x509ica --description "used for test purpose only" --key-type x509ica --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 \
- --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit Infra --digest-algorithm sha2_256 --param-x509-parent-name default-x509ca --visibility public
+ --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit "Infra ICA" --digest-algorithm sha2_256 --param-x509-parent-name default-x509ca --visibility public
 }
 
 function create_default_x509_ee {
 echo "start to create default x509 EE certificate identified with default-x509"
 RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-x509ee --description "used for test purpose only" --key-type x509ee --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 \
- --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit Infra --digest-algorithm sha2_256 --param-x509-parent-name default-x509ica --visibility public
+ --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit "Infra EE" --digest-algorithm sha2_256 --param-x509-parent-name default-x509ica --visibility public
 }
 
 function create_default_openpgp_rsa {
diff --git a/src/infra/sign_plugin/x509.rs b/src/infra/sign_plugin/x509.rs
index 2362b7e..47188e0 100644
--- a/src/infra/sign_plugin/x509.rs
+++ b/src/infra/sign_plugin/x509.rs
@@ -29,9 +29,7 @@ use openssl::pkcs7::{Pkcs7, Pkcs7Flags};
 use openssl::pkey::PKey;
 use openssl::stack::Stack;
 use openssl::x509;
-use openssl::x509::extension::{
- AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectKeyIdentifier,
-};
+use openssl::x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectKeyIdentifier};
 use openssl::x509::{X509Crl, X509Extension};
 use openssl_sys::{
 X509_CRL_add0_revoked, X509_CRL_new, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
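Review bot: The three generate-keys calls now differ only in the organizational-unit value, and nothing in the script records why "Infra CA", "Infra ICA" and "Infra EE" replaced the shared "Infra"; a one-line comment above `create_default_x509_ca` would keep the next editor from collapsing them back to one value. Presumably the intent is that the CA, ICA and EE subjects become distinct DNs so that no certificate's subject equals its issuer (an identical subject and issuer DN makes a certificate look self-issued to path validators) — confirm that and state it, e.g. `# OU is distinct per tier so subject DN != issuer DN along the chain`. If that is the reason, varying `--param-x509-common-name` as well would make the tier visible in tools that print only the CN. The quoting is needed now that the values contain a space, which the earlier single-word values did not.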
@@ -329,12 +327,13 @@ impl X509Plugin {
 .critical()
 .build()?,
 )?;
- generator.append_extension(X509Extension::new_nid(
- None,
- None,
- Nid::CRL_DISTRIBUTION_POINTS,
- &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
- )?)?;
+ //NOTE: sbverify for EFI file will fail, enable when fixed
+ // generator.append_extension(X509Extension::new_nid(
+ // None,
+ // None,
+ // Nid::CRL_DISTRIBUTION_POINTS,
+ // &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
+ // )?)?;
 generator.append_extension(X509Extension::new_nid(
 None,
 None,
@@ -432,12 +431,18 @@ impl X509Plugin {
 .critical()
 .build()?,
 )?;
- generator.append_extension(X509Extension::new_nid(
- None,
- None,
- Nid::CRL_DISTRIBUTION_POINTS,
- &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
- )?)?;
+ generator.append_extension(
+ ExtendedKeyUsage::new()
+ .code_signing()
+ .build()?,
+ )?;
+ //NOTE: sbverify for EFI file will fail, enable when fixed
+ // generator.append_extension(X509Extension::new_nid(
+ // None,
+ // None,
+ // Nid::CRL_DISTRIBUTION_POINTS,
+ // &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
+ // )?)?;
 generator.append_extension(X509Extension::new_nid(
 None,
 None,
-- 
Gitee
From be0a2a5f2801eb53339f0e0f2a1db2b18fdd3046 Mon Sep 17 00:00:00 2001
From: TommyLike
Date: Fri, 27 Oct 2023 10:52:03 +0800
Subject: [PATCH 2/2] Fix cargo fmt
---
 src/infra/sign_plugin/x509.rs | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/infra/sign_plugin/x509.rs b/src/infra/sign_plugin/x509.rs
index 47188e0..99e82a1 100644
--- a/src/infra/sign_plugin/x509.rs
+++ b/src/infra/sign_plugin/x509.rs
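Review bot: Commenting out the `Nid::CRL_DISTRIBUTION_POINTS` extension removes the pointer to revocation information from every certificate this path issues, presumably not only the ones that sbverify will check, and the same block is commented out again in the hunk at -432. A configuration switch or a per-key-type condition would keep revocation discoverable for ordinary PKCS#7 and TLS consumers while omitting the extension only where the EFI verifier rejects it, and the `//NOTE` should name the tracking issue so the commented-out code does not become permanent. With both call sites gone, `generate_crl_endpoint` appears to have no remaining caller in these two paths, which the compiler may report as dead code. The enclosing method starts and ends outside the hunk.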
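Review bot: The new `ExtendedKeyUsage` carrying only `code_signing()` is appended without a comment tying it to the commit's purpose; since this method (which starts and ends outside the hunk) presumably builds the end-entity certificate, a why-comment such as `// id-kp-codeSigning EKU: required by code-signing verifiers such as sbverify; left non-critical so generic X.509 consumers still accept the certificate` would help. Worth confirming that the KeyUsage extension whose `.critical().build()?` tail forms the hunk's first context lines includes digitalSignature, because a codeSigning EKU on a certificate without that key-usage bit is inconsistent and some verifiers reject it. The EKU is added only in this path and not in the one at -329, which looks deliberate but is not stated anywhere.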
@@ -29,7 +29,9 @@ use openssl::pkcs7::{Pkcs7, Pkcs7Flags};
 use openssl::pkey::PKey;
 use openssl::stack::Stack;
 use openssl::x509;
-use openssl::x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectKeyIdentifier};
+use openssl::x509::extension::{
+ AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectKeyIdentifier,
+};
 use openssl::x509::{X509Crl, X509Extension};
 use openssl_sys::{
 X509_CRL_add0_revoked, X509_CRL_new, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
@@ -431,11 +433,7 @@ impl X509Plugin {
 .critical()
 .build()?,
 )?;
- generator.append_extension(
- ExtendedKeyUsage::new()
- .code_signing()
- .build()?,
- )?;
+ generator.append_extension(ExtendedKeyUsage::new().code_signing().build()?)?;
 //NOTE: sbverify for EFI file will fail, enable when fixed
 // generator.append_extension(X509Extension::new_nid(
 // None,
-- 
Gitee