#!/bin/bash
# ******************************************************************************
# * @file pc_certgen.sh
# * @author Thomas Grübl
# * @brief paccor4esp
# ******************************************************************************
# * @attention
# *
# * [REF] Parts of the code have been adapted from
# * https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.ps1
# *
# * All other parts:
# * Copyright (c) 2024 Thomas Grübl.
# * All rights reserved.
# *
# * This software is licensed under terms that can be found in the LICENSE file
# * in the root directory of this software component.
# *
# ******************************************************************************
# Tested on Ubuntu 22.04.3 LTS and ESP32S3
# Dependencies:
# 1. ESP-IDF (Espressif IoT Development Framework)
# https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/linux-macos-setup.html
# Building, flashing and monitoring the ESP project are done automatically by this script
# 2. Python>=3.8 and python-pip
# Make sure you can run python scripts and pip commands from your Shell
# 3. CMake
# 4. Git
# 5. Java
# Install Java and make sure to set $JAVA_HOME
# Make this script executable by running 'chmod 777 pc_certgen.sh' and run it with sudo
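timestamp=$(date +%Y%m%d%H%M%S)
#### Project directories
# Defaults are the author's layout; both can be overridden from the environment
# (e.g. PROJECT_HOME=/path/to/project) without editing the script.
ESPRESSIF_IDF_HOME="${ESPRESSIF_IDF_HOME:-/home/tom/esp/esp-idf}"
PROJECT_HOME="${PROJECT_HOME:-/home/tom/sampleproject}"
PROJECT_NAME=$(basename "$PROJECT_HOME")
#### Scripts and executable
IDF_SCRIPT_PATH="$ESPRESSIF_IDF_HOME/tools"
ESP_CRYPTOAUTH="$ESPRESSIF_IDF_HOME/components/esp-cryptoauthlib/esp_cryptoauth_utility/secure_cert_mfg.py"
policymaker_script="$PROJECT_HOME/referenceoptions.sh"
extensions_script="$PROJECT_HOME/otherextensions.sh"
signer_bin="$PROJECT_HOME/bin/signer"
validator_bin="$PROJECT_HOME/bin/validator"
### Files
LOG_FILE="$PROJECT_HOME/esp_logfile.txt"
SDKCONFIG="$PROJECT_HOME/sdkconfig"
workspace="$PROJECT_HOME/pc_testgen"
componentlist="$workspace/localhost-componentlist.json"
policyreference="$workspace/localhost-policyreference.json"
ekcert="$workspace/ek.crt"
pccert="$workspace/platform_cert.$timestamp.crt"
sigkey="$workspace/private.pem"
pcsigncert="$workspace/PCTestCA.example.com.pem"
extsettings="$workspace/extentions.json"   # spelling kept on purpose: the path is handed to the signer as-is
### Certificate params
serialnumber="0001"
dateNotBefore=$(date '+%Y%m%d')
dateNotAfter=$(date '+%Y%m%d' -d "+10 years")   # GNU date extension (-d)
### Key Pair params
subjectDN="/C=US/O=example.com/OU=PCTest"
daysValid="3652"
sigalg="rsa:2048"
### ESP-specific variables
PORT="/dev/ttyACM0"
BAUD_RATE="115200"
TARGET_DEVICE="esp32s3"
SDA_PIN="16"
SCL_PIN="17"
# Appended verbatim to $SDKCONFIG by extractESPData, so every entry must be a
# complete KEY=value line.
declare -a SDKCONFIG_VARIABLES=(
  "CONFIG_BT_ENABLED=y"
  "CONFIG_PARTITION_TABLE_CUSTOM=y"
  "CONFIG_PARTITION_TABLE_OFFSET=0xa000"
  "CONFIG_APP_REPRODUCIBLE_BUILD=y"
  "CONFIG_SECURE_BOOT=y"
  "CONFIG_ATECC608A_TNG=y"
  "CONFIG_ATCA_MBEDTLS_ECDSA=y"
  "CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN=y"    # stray trailing comma removed: it used to be written into sdkconfig
  "CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY=y"
  "CONFIG_ATCA_I2C_SDA_PIN=$SDA_PIN"       # derived from SDA_PIN/SCL_PIN instead of repeating 16/17
  "CONFIG_ATCA_I2C_SCL_PIN=$SCL_PIN"
  "CONFIG_ATCA_I2C_ADDRESS=0x6A"
  "CONFIG_ESP_TLS_USE_SECURE_ELEMENT=y"    # was a bare symbol without "=y", which is not a valid sdkconfig assignment
)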
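extractESPData() {
  # Prepare, build, flash and monitor the ESP project so that the device log
  # ($LOG_FILE) exists for the later steps.
  # Globals read: ESPRESSIF_IDF_HOME, PROJECT_HOME, PROJECT_NAME, IDF_SCRIPT_PATH,
  #   SDKCONFIG, SDKCONFIG_VARIABLES, PORT, BAUD_RATE, TARGET_DEVICE, LOG_FILE
  # Side effects: writes CMakeLists.txt files and appends to $SDKCONFIG, changes
  #   the serial port mode, installs a package, leaves a monitor terminal running.
  # Exits 1 on a missing directory, a failed build/flash or a missing log file.
  if [[ ! -d "$ESPRESSIF_IDF_HOME" ]]; then
    echo "Invalid Espressif IDF home path."
    exit 1
  fi
  if [[ ! -d "$PROJECT_HOME" ]]; then
    echo "Invalid project home path."
    exit 1
  fi
  if [[ ! -d "$PROJECT_HOME/main" ]]; then
    # bash's echo does not interpret "\n" without -e; printf gives the intended blank line
    printf '\nC source files should be placed in the main directory of your project.\n'
    echo "Creating main directory..."
    mkdir -- "$PROJECT_HOME/main"
    exit 1
  fi
  ### Change serial port permissions
  # NOTE(review): 0666 makes the device node writable by every local user; adding the
  # invoking user to the group that owns $PORT is the least-privilege alternative.
  sudo chmod 666 "$PORT"
  ### Install dbus-x11
  sudo apt install dbus-x11
  ### Enable ESP-IDF in the current bash session
  sh "$ESPRESSIF_IDF_HOME/install.sh"
  . "$ESPRESSIF_IDF_HOME/export.sh"
  ### Create CMakeLists file (needs adjustment depending on the project)
  # $ENV{IDF_PATH} is a CMake expression and must reach the file literally. The
  # previous "$ENV${IDF_PATH}" only worked while the shell variable ENV was unset
  # and baked the absolute IDF path into the project.
  printf 'cmake_minimum_required(VERSION 3.16)\ninclude($ENV{IDF_PATH}/tools/cmake/project.cmake)\nproject(%s)\n' \
    "$PROJECT_NAME" > "$PROJECT_HOME/CMakeLists.txt"
  printf 'idf_component_register(SRCS "main.c" "conf.c" "allcomponents.c")\n' > "$PROJECT_HOME/main/CMakeLists.txt"
  ### Set target device
  cd "$IDF_SCRIPT_PATH" || exit 1
  python idf.py -C "$PROJECT_HOME" set-target "$TARGET_DEVICE"
  ### Enable bluetooth, set partition app_size large and enable reproducible build
  ### Important: Reproducible build needs to be enabled to retain consistent firmware/bootloader/ELF hashes
  # one %s per array element -> one sdkconfig line per entry
  printf '%s\n' "${SDKCONFIG_VARIABLES[@]}" >> "$SDKCONFIG"
  ### Alternatively set sdkconfig variables using menuconfig
  # python idf.py -C "$PROJECT_HOME" menuconfig
  ### Build project
  # the success messages used to be printed unconditionally; stop on a failed step instead
  if ! python idf.py -C "$PROJECT_HOME" build; then
    echo "Build failed."
    exit 1
  fi
  printf '\nBuild successful\n\n'
  ### Flash ESP (UART)
  if ! python idf.py -C "$PROJECT_HOME" -p "$PORT" -b "$BAUD_RATE" flash; then
    echo "Flash failed."
    exit 1
  fi
  printf '\nFlash successful\n\n'
  printf '\nExtracting logs from %s ...\n\n' "$TARGET_DEVICE"
  ### Start monitor on device and receive logs
  # NOTE(review): the redirection inside the -e string is only honoured if the terminal
  # emulator passes it to a shell, and the fixed 10 s wait is a heuristic; confirm on the target setup.
  x-terminal-emulator -e "python idf.py -C \"$PROJECT_HOME\" -p \"$PORT\" -b \"$BAUD_RATE\" monitor > \"$LOG_FILE\"" &
  sleep 10
  ### Reset path
  cd "$PROJECT_HOME" || exit 1
  if [[ ! -e "$LOG_FILE" ]]; then
    printf '\nFailed to generate log file.\n\n'
    exit 1
  fi
  printf '\nSuccessfully extracted logs from %s\n\n' "$TARGET_DEVICE"
  return 0
}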
# identical to original PACCOR script https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.sh
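createWorkspace() {
  # Create $workspace if it does not exist and open it up with mode 777, as the
  # upstream PACCOR script does.
  # Globals read: workspace
  # Exits 1 when the directory cannot be created or its mode cannot be changed.
  if [[ ! -d "$workspace" ]]; then
    # check mkdir itself: the original only looked at chmod's status, so an existing
    # non-directory at $workspace was silently accepted
    if ! mkdir -- "$workspace"; then
      echo "Failed to make a working directory in $workspace"
      exit 1
    fi
    # NOTE(review): the platform signing key ($sigkey) is later written below this
    # world-writable directory, so any local user can read or replace it; a 700
    # directory owned by the invoking user would be the safer default.
    if ! sudo chmod -R 777 "$workspace"; then
      echo "Failed to make a working directory in $workspace"
      exit 1
    fi
  fi
  return 0
}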
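getEKReference() {
  # Sample EK certificate. DO NOT use for production code. Extract your EK cert from the secure element of your choice.
  # Globals read: daysValid, sigalg, ekcert, workspace
  # Exits 1 if openssl fails.
  # Run openssl directly: the original wrapped it in $(...), which would have executed
  # anything openssl printed to stdout as a command.
  # Without -keyout the throw-away key is written to openssl's configured default
  # (typically privkey.pem in the current directory); keep it next to the mock cert.
  local mock_ek_key="$workspace/mockEK.key"   # constructed name, used only here
  if ! openssl req -x509 -nodes -days "$daysValid" -newkey "$sigalg" \
      -keyout "$mock_ek_key" -out "$ekcert" -subj "/C=US/O=example.com/OU=mockEK" > /dev/null; then
    echo "Failed to create the sample EK certificate, exiting"
    exit 1
  fi
}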
createComponentListJSON() {
  # Produce the component list JSON by running allcomponents.py (resolved relative
  # to the current directory), unless $componentlist already exists.
  # Globals read: componentlist
  if [[ -e "$componentlist" ]]; then
    echo "Component file exists, skipping"
    return
  fi
  python allcomponents.py
}
# identical to original PACCOR script https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.sh
getPolicyReferenceJSON() {
  # Write the platform policy JSON by running $policymaker_script, unless the
  # output file already exists.
  # Globals read: policymaker_script, policyreference
  # Exits 1 (after removing the partial output) when the script fails.
  if [[ -e "$policyreference" ]]; then
    echo "Policy settings file exists, skipping"
    return 0
  fi
  echo "Creating a Platform policy JSON file"
  if ! bash "$policymaker_script" > "$policyreference"; then
    echo "Failed to create the policy reference, exiting"
    rm -f "$policyreference"
    exit 1
  fi
}
# identical to original PACCOR script https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.sh
createExtensionsJSON() {
  # Write the certificate extensions JSON by running $extensions_script, unless
  # the output file already exists.
  # Globals read: extensions_script, extsettings
  # Exits 1 (after removing the partial output) when the script fails.
  if [[ -e "$extsettings" ]]; then
    echo "Extensions file exists, skipping"
    return 0
  fi
  echo "Creating an extensions JSON file"
  if ! bash "$extensions_script" > "$extsettings"; then
    echo "Failed to create the extensions file, exiting"
    rm -f "$extsettings"
    exit 1
  fi
}
# identical to original PACCOR script https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.sh
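createSigningKeyPair() {
  # Create the self-signed key/certificate pair used to sign platform credentials,
  # unless the certificate already exists.
  # Globals read: pcsigncert, sigkey, daysValid, sigalg, subjectDN
  # Exits 1 if openssl fails.
  if [[ -e "$pcsigncert" ]]; then
    echo "Platform Signing file exists, skipping"
    return 0
  fi
  echo "Creating a signing key for signing platform credentials"
  # Run openssl directly: the original $(...) wrapper would have executed any stdout as a command.
  # -nodes leaves the private key unencrypted so the signer can run unattended;
  # NOTE(review): it is written into the mode-777 workspace, so restrict $sigkey's
  # mode/ownership after creation or tighten the workspace permissions.
  if ! openssl req -x509 -nodes -days "$daysValid" -newkey "$sigalg" \
      -keyout "$sigkey" -out "$pcsigncert" -subj "$subjectDN" > /dev/null; then
    echo "Failed to create the key pair, exiting"
    exit 1
  fi
}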
# identical to original PACCOR script https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.sh
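sign() {
  # Run the PACCOR signer to produce the platform credential at $pccert.
  # Globals read: signer_bin, extsettings, componentlist, ekcert, policyreference,
  #   sigkey, pcsigncert, serialnumber, dateNotBefore, dateNotAfter, pccert
  # Exits 1 when the signer fails.
  echo "Generating a signed Platform Credential"
  # quote the signer path: unquoted, a path containing spaces splits into several arguments
  if ! bash "$signer_bin" -x "$extsettings" -c "$componentlist" -e "$ekcert" -p "$policyreference" \
      -k "$sigkey" -P "$pcsigncert" -N "$serialnumber" -b "$dateNotBefore" -a "$dateNotAfter" -f "$pccert"; then
    echo "The signer could not produce a Platform Credential, exiting"
    exit 1
  fi
}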
# identical to original PACCOR script https://github.com/nsacyber/paccor/blob/main/scripts/windows/pc_certgen.sh
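validate() {
  # Verify the signature on $pccert against $pcsigncert; on failure the credential
  # file is deleted.
  # Globals read: validator_bin, pcsigncert, pccert
  # Returns 0 on success, 1 on a failed validation (the original returned the
  # status of the final echo, so the script exited 0 even when validation failed).
  echo "Validating the signature"
  # quoted so a validator path with spaces is passed as one argument
  if bash "$validator_bin" -P "$pcsigncert" -X "$pccert"; then
    echo "PC Credential Creation Complete."
    echo "Platform Credential has been placed in $pccert"
    return 0
  fi
  rm -f "$pccert"
  echo "Error with signature validation of the credential."
  return 1
}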
# function calls
main() {
  # Run the pipeline steps in order; a step that hits a fatal error exits the
  # script itself, so no status handling is needed here.
  local step
  for step in extractESPData createWorkspace getEKReference createComponentListJSON \
      getPolicyReferenceJSON createExtensionsJSON createSigningKeyPair sign validate; do
    "$step"
  done
}
main