Sign MokManager with a locally-generated key

shim needs to verify that MokManager hasn't been modified, but we want to
be able to support configurations where shim is shipped without a vendor
certificate. This patch adds support for generating a certificate at build
time, incorporating the public half into shim and signing MokManager with
the private half. It uses pesign and nss, but still requires openssl for
key generation. Anyone using sbsign will need to figure this out for
themselves.
commit 6d50f87a06ff70d2075863f4c145235c081263d6 1 parent 2fd180a
Matthew Garrett authored

Showing 3 changed files with 597 additions and 9 deletions.

  1. +25 3 Makefile
  2. +554 0 make-certs
  3. +18 6 shim.c
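--- a/Makefile
+++ b/Makefile
@@ -28,15 +28,33 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
 
 VERSION = 0.2
 
-TARGET = shim.efi MokManager.efi
+TARGET = shim.efi MokManager.efi.signed
 OBJS = shim.o netboot.o cert.o dbx.o
+KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
 SOURCES = shim.c shim.h netboot.c signature.h PeImage.h
 MOK_OBJS = MokManager.o
 MOK_SOURCES = MokManager.c shim.h
 
 all: $(TARGET)
 
-shim.o: $(SOURCES)
+shim.crt:
+ ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+
+shim.cer: shim.crt
+ openssl x509 -outform der -in $< -out $@
+
+shim_cert.h: shim.cer
+ echo "static UINT8 shim_cert[] = {" > $@
+ hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ echo "};" >> $@
+
+certdb/secmod.db: shim.crt
+ -mkdir certdb
+ certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
+ pk12util -d certdb/ -i shim.p12 -W "" -K ""
+ certutil -d certdb/ -A -i shim.crt -n shim -t u
+
+shim.o: $(SOURCES) shim_cert.h
 
 cert.o : cert.S
 $(CC) $(CFLAGS) -c -o $@ $<
@@ -70,10 +88,14 @@ Cryptlib/OpenSSL/libopenssl.a:
 -j .debug_line -j .debug_str -j .debug_ranges \
 --target=efi-app-$(ARCH) $^ $@.debug
 
+%.efi.signed: %.efi certdb/secmod.db
+ pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
 clean:
 $(MAKE) -C Cryptlib clean
 $(MAKE) -C Cryptlib/OpenSSL clean
- rm -f $(TARGET) $(OBJS)
+ rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(KEYS) certdb
+ rm -f *.debug *.so
 
 GITTAG = $(VERSION)
 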
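Review bot: The private half of the build key is kept with no passphrase at all — `pk12util -d certdb/ -i shim.p12 -W "" -K ""` on new line 54 imports it into an NSS db with empty passwords, and `shim.key`/`shim.p12` remain in the build tree — while shim.c now accepts any binary signed by the matching `shim_cert`, so read access to the build directory is equivalent to holding a key this shim trusts. That should be stated next to the `KEYS` definition, e.g. `# shim.key/shim.p12 are unencrypted: whoever can read them can sign binaries this shim trusts; keep the build tree private and clean it after packaging`. The same applies to the unencrypted keys produced by make-certs (`keygen` with no passphrase and `-passout pass:`), so one note here covers both files. Separately, `shim.crt:` on new line 40 has no prerequisite on `make-certs`, so editing the script does not regenerate the certificate; `shim.crt: make-certs` would fix that, and note that `make clean` removing `ca.*` also wipes any pre-existing CA files in the tree.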
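--- /dev/null
+++ b/make-certs
@@ -0,0 +1,554 @@
+#!/bin/bash -e
+#
+# Generate a root CA cert for signing, and then a subject cert.
+# Usage: make-certs.sh hostname [user[@domain]] [more ...]
+# For testing only, probably still has some bugs in it.
+#
+
+DOMAIN=xn--u4h.net
+DAYS=365
+KEYTYPE=RSA
+KEYSIZE=2048
+DIGEST=SHA256
+CRLHOURS=24
+CRLDAYS=
+
+# Cleanup temporary files at exit.
+touch openssl.cnf
+newcertdir=`mktemp -d`
+cleanup() {
+ test -f openssl.cnf && rm -f openssl.cnf
+ test -f ca.txt && rm -f ca.txt
+ test -f ocsp.txt && rm -f ocsp.txt
+ test -n "$newcertdir" && rm -fr "$newcertdir"
+}
+trap cleanup EXIT
+
+# The first argument is either a common name value or a flag indicating that
+# we're doing something other than issuing a cert.
+commonname="$1"
+refresh_crl=false
+revoke_cert=false
+ocsp_serve=false
+if test "x$commonname" = "x-refresh-crl" ; then
+ refresh_crl=true
+ commonname="$1"
+fi
+if test "x$commonname" = "x-refresh_crl" ; then
+ refresh_crl=true
+ commonname="$1"
+fi
+if test "x$commonname" = "x-revoke" ; then
+ revoke_cert=true
+ shift
+ commonname="$1"
+fi
+if test "x$commonname" = "x-ocsp" ; then
+ ocsp_serve=true
+ commonname="$1"
+fi
+if test "x$commonname" = x ; then
+ echo Usage: `basename $0` 'commonname' user'[@domain]' '[more [...]]'
+ echo Usage: `basename $0` -revoke 'commonname'
+ echo Usage: `basename $0` -ocsp
+ echo Usage: `basename $0` -refresh-crl
+ echo More:
+ echo -e \\tKey usage: "[sign|signing|encrypt|encryption|all]"
+ echo -e \\tAuthority Access Info OCSP responder: "ocsp:URI"
+ echo -e \\tCRL distribution point: "crl:URI"
+ echo -e \\tSubject Alternative Name:
+ echo -e \\t\\tHostname: "*"
+ echo -e \\t\\tIP address: w.x.y.z
+ echo -e \\t\\tEmail address: "*@*.com/edu/net/org/local"
+ echo -e \\t\\tKerberos principal name: "*@*.COM/EDU/NET/ORG/LOCAL"
+ echo -e \\tExtended key usage:
+ echo -e \\t\\t1....
+ echo -e \\t\\t2....
+ echo -e \\t\\tid-kp-server-auth \| tls-server
+ echo -e \\t\\tid-kp-client-auth \| tls-client
+ echo -e \\t\\tid-kp-email-protection \| email
+ echo -e \\t\\tid-ms-kp-sc-logon \| id-ms-sc-logon
+ echo -e \\t\\tid-pkinit-kp-client-auth \| id-pkinit-client
+ echo -e \\t\\tid-pkinit-kp-kdc \| id-pkinit-kdc
+ echo -e \\t\\tca \| CA
+ exit 1
+fi
+
+# Choose a user name part for email attributes.
+GIVENUSER=$2
+test x"$GIVENUSER" = x && GIVENUSER=$USER
+echo "$GIVENUSER" | grep -q @ || GIVENUSER="$GIVENUSER"@$DOMAIN
+DOMAIN=`echo "$GIVENUSER" | cut -f2- -d@`
+
+shift || true
+shift || true
+
+# Done already?
+done=:
+
+keygen() {
+ case "$KEYTYPE" in
+ DSA)
+ openssl dsaparam -out "$1".param $KEYSIZE
+ openssl gendsa "$1".param
+ ;;
+ RSA|*)
+ #openssl genrsa $KEYSIZE -passout pass:qweqwe
+ openssl genrsa $KEYSIZE
+ #openssl genrsa $KEYSIZE -nodes
+ ;;
+ esac
+}
+
+# Set some defaults.
+CA=FALSE
+if test -s ca.crldp.uri.txt ; then
+ crlval="`cat ca.crldp.uri.txt`"
+ crl="URI:$crlval"
+fi
+if test -s ca.ocsp.uri.txt ; then
+ aiaval="`cat ca.ocsp.uri.txt`"
+ aia="OCSP;URI:$aiaval"
+fi
+if test -s ca.domain.txt ; then
+ domval="`cat ca.domain.txt`"
+ if test -n "$domval" ; then
+ DOMAIN="$domval"
+ fi
+fi
+
+# Parse the arguments which indicate what sort of information we want.
+while test $# -gt 0 ; do
+ type=
+ value="$1"
+ case "$value" in
+ RSA|rsa)
+ KEYTYPE=RSA
+ ;;
+ DSA|dsa)
+ KEYTYPE=DSA
+ ;;
+ OCSP:*|ocsp:*)
+ aiaval=`echo "$value" | cut -f2- -d:`
+ aia="OCSP;URI:$aiaval"
+ ;;
+ CRL:*|crl:*)
+ crlval=`echo "$value" | cut -f2- -d:`
+ crl="URI:$crlval"
+ ;;
+ signing|sign)
+ keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature"
+ ;;
+ encryption|encrypt)
+ keyusage="${keyusage:+${keyusage},}keyEncipherment,dataEncipherment"
+ ;;
+ all)
+ keyusage="digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly"
+ ;;
+ ca|CA)
+ CA=TRUE
+ keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign"
+ ;;
+ 1.*|2.*|id-*|tls-*|email|mail|codesign)
+ ekuval=`echo "$value" | tr '[A-Z]' '[a-z]' | sed 's,\-,,g'`
+ case "$ekuval" in
+ idkpserverauth|tlsserver) ekuval=1.3.6.1.5.5.7.3.1;;
+ idkpclientauth|tlsclient) ekuval=1.3.6.1.5.5.7.3.2;;
+ idkpemailprotection|email|mail) ekuval=1.3.6.1.5.5.7.3.4;;
+ idkpcodesign|codesign) ekuval=1.3.6.1.5.5.7.3.3;;
+ idmskpsclogon|idmssclogon) ekuval=1.3.6.1.4.1.311.20.2.2;;
+ idpkinitkpclientauth|idpkinitclient) ekuval=1.3.6.1.5.2.3.4;;
+ idpkinitkpkdc|idpkinitkdc) ekuval=1.3.6.1.5.2.3.5;;
+ esac
+ if test -z "$eku" ; then
+ eku="$ekuval"
+ else
+ eku="$eku,$ekuval"
+ fi
+ ;;
+ *@*.COM|*@*.EDU|*@*.NET|*@*.ORG|*@*.LOCAL)
+ luser=`echo "$value" | tr '[A-Z]' '[a-z]'`
+ if test "$luser" = "$value" ; then
+ luser=
+ fi
+ type="otherName:1.3.6.1.5.2.2;SEQUENCE:$value,${luser:+otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${luser},}otherName:1.3.6.1.4.1.311.20.2.3;UTF8"
+ unset luser
+ principals="$principals $value"
+ ;;
+ *@*.com|*@*.edu|*@*.net|*@*.org|*@*.local) type=email;;
+ [0-9]*.[0-9]*.[0-9]*.[0-9]*) type=IP;;
+ *) type=DNS;;
+ esac
+ if test -n "$type" ; then
+ newvalue="${type}:$value"
+ if test -z "$altnames" ; then
+ altnames="${newvalue}"
+ else
+ altnames="${altnames},${newvalue}"
+ fi
+ fi
+ shift
+done
+
+# Build the configuration file, including bits on how to construct the CA
+# certificate, an OCSP responder certificate, and the issued certificate.
+cat > openssl.cnf <<- EOF
+[ca]
+default_ca = issuer
+
+[issuer]
+private_key = `pwd`/ca.key
+certificate = `pwd`/ca.crt
+database = `pwd`/ca.db
+serial = `pwd`/ca.srl
+default_md = $DIGEST
+new_certs_dir = $newcertdir
+policy = no_policy
+
+[no_policy]
+
+[req_oids]
+domainComponent = 0.9.2342.19200300.100.1.25
+
+[req_ca]
+prompt = no
+oid_section = req_oids
+distinguished_name = req_ca_name
+default_md = $DIGEST
+subjectKeyIdentifier=hash
+
+[req_ca_name]
+C=US
+#stateOrProvinceName=SomeState
+localityName=SomeCity
+O=SomeOrg
+EOF
+#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
+cat >> openssl.cnf <<- EOF
+#commonName = Test Certifying CA
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+#authorityKeyIdentifier=keyid:always,issuer:always
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
+basicConstraints=critical,CA:TRUE
+nsComment="Testing CA Certificate"
+EOF
+if test -n "$aia" ; then
+ echo "authorityInfoAccess = ${aia}" >> openssl.cnf
+ echo -n "$aiaval" > ca.ocsp.uri.txt
+fi
+if test -n "$crl" ; then
+ echo "crlDistributionPoints = ${crl}" >> openssl.cnf
+ echo -n "$crlval" > ca.crldp.uri.txt
+fi
+echo "$DOMAIN" > ca.domain.txt
+cat >> openssl.cnf <<- EOF
+
+[req_ocsp]
+prompt = no
+oid_section = req_oids
+distinguished_name = req_ocsp_name
+default_md = $DIGEST
+
+[req_ocsp_name]
+C=US
+#stateOrProvinceName=SomeState
+localityName=SomeOrg
+O=SomeOrg
+EOF
+#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
+cat >> openssl.cnf <<- EOF
+#commonName = OCSP Signer for Test Certifying CA
+
+[v3_ocsp]
+subjectKeyIdentifier=hash
+#authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
+keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
+extendedKeyUsage=1.3.6.1.5.5.7.3.9
+#basicConstraints=CA:FALSE
+basicConstraints=CA:TRUE
+nsComment="Testing OCSP Certificate"
+1.3.6.1.5.5.7.48.1.5=ASN1:NULL
+EOF
+if test -n "$aia" ; then
+ echo "authorityInfoAccess = ${aia}" >> openssl.cnf
+fi
+if test -n "$crl" ; then
+ echo "crlDistributionPoints = ${crl}" >> openssl.cnf
+fi
+cat >> openssl.cnf <<- EOF
+
+[req_issued]
+prompt = no
+oid_section = req_oids
+distinguished_name = req_issued_name
+default_md = $DIGEST
+
+[req_issued_name]
+C=US
+#stateOrProvinceName=SomeState
+localityName=SomeCity
+O=SomeOrg
+EOF
+#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
+#mail = $GIVENUSER
+cat >> openssl.cnf <<- EOF
+commonName = $commonname
+
+[v3_issued]
+#certificatePolicies=2.5.29.32.0${eku:+,${eku}}
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+#authorityKeyIdentifier=keyid:always,issuer:always
+EOF
+if test -n "$aia" ; then
+ echo "authorityInfoAccess = ${aia}" >> openssl.cnf
+fi
+if test -n "$crl" ; then
+ echo "crlDistributionPoints = ${crl}" >> openssl.cnf
+fi
+if test -n "$keyusage" ; then
+ echo "keyUsage = critical,${keyusage}" >> openssl.cnf
+fi
+if test -n "$altnames" ; then
+ echo "subjectAltName = ${altnames}" >> openssl.cnf
+fi
+if test -n "$eku" ; then
+ echo "extendedKeyUsage = ${eku}" >> openssl.cnf
+ :
+fi
+if test "x$CA" = xTRUE ; then
+ echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf
+ echo 'nsComment="Testing CA Certificate for '"$commonname"'"' >> openssl.cnf
+else
+ echo "basicConstraints=CA:FALSE" >> openssl.cnf
+ echo 'nsComment="Testing Certificate for '"$commonname"'"' >> openssl.cnf
+fi
+for value in $principals; do
+ user=`echo "$value" | cut -f1 -d@`
+ realm=`echo "$value" | cut -f2- -d@`
+ echo "" >> openssl.cnf
+ echo "[$value]" >> openssl.cnf
+ echo "realm=EXPLICIT:0,GeneralString:$realm" >> openssl.cnf
+ echo "kerberosname=EXPLICIT:1,SEQUENCE:krb5$user" >> openssl.cnf
+
+ echo "" >> openssl.cnf
+ echo "[krb5$user]" >> openssl.cnf
+ echo "nametype=EXPLICIT:0,INTEGER:1" >> openssl.cnf
+ echo "namelist=EXPLICIT:1,SEQUENCE:krb5basic$user" >> openssl.cnf
+
+ echo "[krb5basic$user]" >> openssl.cnf
+ count=0
+ for part in `echo "$user" | sed 's,/, ,g'` ; do
+ echo "$count.part=GeneralString:$part" >> openssl.cnf
+ count=`expr "$count" + 1`
+ done
+done
+
+# Create the data files for a new CA.
+if ! test -s ca.srl ; then
+ (dd if=/dev/urandom bs=8 count=1 2> /dev/null) | od -t x1c | head -n 1 | awk '{$1="00";OFS="";print}' > ca.srl
+else
+ echo "You already have a ca.srl file; not replacing."
+fi
+if ! test -s ca.db ; then
+ touch ca.db
+else
+ echo "You already have a ca.db file; not replacing."
+fi
+if ! test -s ca.db.attr ; then
+ touch ca.db.attr
+else
+ echo "You already have a ca.db.attr file; not replacing."
+fi
+
+# If we need a CA key, generate one.
+if ! test -s ca.key ; then
+ umask=`umask -p`
+ umask 077
+ keygen ca > ca.key 2> /dev/null
+ $umask
+else
+ echo "You already have a ca.key file; not replacing."
+ done=echo
+fi
+
+# If we need a CA certificate, generate one.
+if ! test -s ca.crt ; then
+ sed -i -e 's,^\[req_ca\]$,\[req\],g' `pwd`/openssl.cnf
+ openssl req -config `pwd`/openssl.cnf -new -key ca.key > ca.csr 2> /dev/null -passin pass:shim
+ sed -i -e 's,^\[req\]$,\[req_ca\],g' `pwd`/openssl.cnf
+ openssl x509 -extfile `pwd`/openssl.cnf -CAserial ca.srl -signkey ca.key -extensions v3_ca -req -in ca.csr -days $DAYS -out ca.crt ; : 2> /dev/null
+ openssl x509 -noout -text -in ca.crt > ca.txt
+ cat ca.crt >> ca.txt
+ cat ca.txt > ca.crt
+ rm ca.txt
+ cat ca.crt > ca.chain.crt
+else
+ echo "You already have a ca.crt file; not replacing."
+ done=echo
+fi
+
+# If we need an OCSP key, generate one.
+if ! test -s ocsp.key ; then
+ umask=`umask -p`
+ umask 077
+ keygen ocsp > ocsp.key 2> /dev/null
+ $umask
+else
+ echo "You already have an ocsp.key file; not replacing."
+ done=echo
+fi
+
+# Generate the OCSP signing cert. Set the X.509v3 basic constraints and EKU.
+if ! test -s ocsp.crt ; then
+ sed -i -e 's,^\[req_ocsp\]$,\[req\],g' `pwd`/openssl.cnf
+ openssl req -config `pwd`/openssl.cnf -new -key ocsp.key > ocsp.csr 2> /dev/null
+ sed -i -e 's,^\[req\]$,\[req_ocsp\],g' `pwd`/openssl.cnf
+ openssl ca -batch -config `pwd`/openssl.cnf -extensions v3_ocsp -preserveDN -in ocsp.csr -days $DAYS -out ocsp.crt 2> /dev/null
+ openssl x509 -noout -text -in ocsp.crt > ocsp.txt
+ cat ocsp.crt >> ocsp.txt
+ cat ocsp.txt > ocsp.crt
+ rm ocsp.txt
+else
+ echo "You already have an ocsp.crt file; not replacing."
+ done=echo
+fi
+
+# If we were told to revoke the certificate with the specified common name,
+# do so.
+if $revoke_cert ; then
+ openssl ca -config `pwd`/openssl.cnf -revoke "$commonname".crt
+fi
+
+# Always refresh the CRL.
+openssl ca -config `pwd`/openssl.cnf -gencrl ${CRLHOURS:+-crlhours ${CRLHOURS}} ${CRLDAYS:+-crldays ${CRLDAYS}} -out ca.crl.pem
+openssl crl -in ca.crl.pem -outform der -out ca.crl
+openssl crl -in ca.crl -inform der -noout -text > ca.crl.pem
+openssl crl -in ca.crl -inform der >> ca.crl.pem
+
+# If we were told to start up the mini OCSP server, do so.
+if $ocsp_serve ; then
+ openssl ocsp -text -index `pwd`/ca.db -CA `pwd`/ca.crt -rsigner `pwd`/ocsp.crt -rkey `pwd`/ocsp.key -rother `pwd`/ocsp.crt -port "`cut -f3 -d/ ca.ocsp.uri.txt | sed -r 's,(^[^:]*),0.0.0.0,g'`"
+ exit 0
+fi
+
+# If we're just here to do a revocation or refresh the CRL, we're done.
+if $revoke_cert || $refresh_crl ; then
+ exit 0
+fi
+
+# Create a new serial number and whatnot if this is a new sub-CA.
+if test "x$CA" = xTRUE ; then
+ if ! test -d "$commonname" ; then
+ mkdir "$commonname"
+ fi
+ if ! test -s "$commonname/ca.srl" ; then
+ (dd if=/dev/urandom bs=8 count=1 2> /dev/null) | od -t x1c | head -n 1 | awk '{$1="00";OFS="";print}' > "$commonname/ca.srl"
+ else
+ echo "You already have a $commonname/ca.srl file; not replacing."
+ fi
+ if test -n "$aia" ; then
+ echo -n "$aiaval" > "$commonname/ca.ocsp.uri.txt"
+ fi
+ if test -n "$crl" ; then
+ echo -n "$crlval" > "$commonname/ca.crldp.uri.txt"
+ fi
+ echo "$DOMAIN" > "$commonname/ca.domain.txt"
+ touch "$commonname/ca.db" "$commonname/ca.db.attr"
+ cert="$commonname/ca.crt"
+ csr="$commonname/ca.csr"
+ key="$commonname/ca.key"
+ pem="$commonname/ca.pem"
+ pfx="$commonname/ca.p12"
+ ln -s ../`basename $0` "$commonname"/
+else
+ cert="$commonname.crt"
+ csr="$commonname.csr"
+ key="$commonname.key"
+ pem="$commonname.pem"
+ pfx="$commonname.p12"
+fi
+
+# Generate the subject's certificate. Set the X.509v3 basic constraints.
+if ! test -s "$cert" ; then
+ # Generate another key, unless we have a key or CSR.
+ if ! test -s "$key" && ! test -s "$csr" ; then
+ umask=`umask -p`
+ umask 077
+ keygen "$commonname" > "$key" 2> /dev/null
+ $umask
+ else
+ echo "You already have a $key or $csr file; not replacing."
+ done=echo
+ fi
+
+ if ! test -s "$csr" ; then
+ sed -i -e 's,^\[req_issued\]$,\[req\],g' `pwd`/openssl.cnf
+ openssl req -config `pwd`/openssl.cnf -new -key "$key" > "$csr" 2> /dev/null
+ sed -i -e 's,^\[req\]$,\[req_issued\],g' `pwd`/openssl.cnf
+ fi
+ openssl ca -batch -config `pwd`/openssl.cnf -extensions v3_issued -preserveDN -in "$csr" -days $DAYS -out "$cert" 2> /dev/null
+ openssl x509 -noout -text -in "$cert" > "$cert.txt"
+ cat "$cert" >> "$cert.txt"
+ cat "$cert.txt" > "$cert"
+ rm -f "$cert.txt"
+else
+ echo "You already have a $cert file; not replacing."
+ done=echo
+fi
+
+if test -s ca.chain.crt ; then
+ chain=ca.chain.crt
+else
+ chain=ca.crt
+fi
+if test "x$CA" = xTRUE ; then
+ cat "$chain" "$cert" > "$commonname/ca.chain.crt"
+fi
+
+# Create ca.pem and the subject's name.pem for the benefit of applications
+# which expect both the private key and the certificate in one file.
+umask=`umask -p`
+umask 077
+if ! test -s ca.pem ; then
+ cat ca.key ca.crt > ca.pem
+else
+ echo "You already have a ca.pem file; not replacing."
+ done=echo
+fi
+if ! test -s "$pem" ; then
+ cat "$key" "$cert" > "$pem"
+else
+ echo "You already have a $pem file; not replacing."
+ done=echo
+fi
+if ! test -s "$pfx" ; then
+ #openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$commonname" -out "$pfx" -nodes -passout pass:qweqwe
+ openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$commonname" -out "$pfx" -nodes -passout pass:
+else
+ echo "You already have a $pfx file; not replacing."
+ done=echo
+fi
+$umask
+$done
+
+echo CA certificate:
+openssl x509 -noout -issuer -in ca.crt | sed s,=\ ,\ ,g
+openssl x509 -noout -subject -in ca.crt | sed s,=\ ,\ ,g
+echo
+echo End entity certificate:
+openssl x509 -noout -issuer -in "$cert" | sed s,=\ ,\ ,g
+openssl x509 -noout -subject -in "$cert" | sed s,=\ ,\ ,g
+openssl x509 -noout -serial -in "$cert" | sed s,=,\ ,g
+echo
+echo PKCS12 bag:
+openssl pkcs12 -in "$pfx" -nodes -nokeys -nocerts -info -passin pass:
+#openssl pkcs12 -in "$pfx" -nodes -nokeys -nocerts -info -passin pass:qweqwe
+echo
+echo Verifying:
+echo + openssl verify -CAfile "$chain" "$cert"
+openssl verify -CAfile "$chain" "$cert"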
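Review bot: The `-refresh-crl`, `-refresh_crl` and `-ocsp` branches (new lines 33–49) reassign `commonname="$1"` without a `shift`, unlike the `-revoke` branch, so the flag itself stays in `commonname` and `$2` is later taken as the user name; this is harmless only because both modes exit before a certificate is issued. For consistency with `-revoke`, add `shift` before `commonname="$1"` in each of those branches. Separately, on new line 384 the trailing `; : 2> /dev/null` redirects the no-op `:` rather than the `openssl x509` call, so its stderr is not silenced as the neighbouring lines intend; either drop the `; :` or drop the redirect. Since the script runs under `bash -e` and the `openssl req`/`openssl ca` steps discard stderr, a failing step aborts the Makefile's `shim.crt` rule with no diagnostic, which is worth a sentence in the header comment.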
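--- a/shim.c
+++ b/shim.c
@@ -40,6 +40,7 @@
 #include "shim.h"
 #include "signature.h"
 #include "netboot.h"
+#include "shim_cert.h"
 
 #define SECOND_STAGE L"\\grub.efi"
 #define MOK_MANAGER L"\\MokManager.efi"
@@ -415,6 +416,8 @@ static BOOLEAN secure_mode (void)
 UINT8 sb, setupmode;
 UINT32 attributes;
 
+ return TRUE;
+
 if (insecure_mode)
 return FALSE;
 
@@ -696,6 +699,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 }
 
 /*
+ * Check against the shim build key
+ */
+ if (AuthenticodeVerify(cert->CertData,
+ context->SecDir->Size - sizeof(cert->Hdr),
+ shim_cert, sizeof(shim_cert), sha256hash,
+ SHA256_DIGEST_SIZE)) {
+ status = EFI_SUCCESS;
+ Print(L"Binary is verified by the vendor certificate\n");
+ return status;
+ }
+
+
+ /*
 * And finally, check against shim's built-in key
 */
 if (AuthenticodeVerify(cert->CertData,
@@ -1180,12 +1196,8 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle)
 
 efi_status = start_image(image_handle, SECOND_STAGE);
 
- if (efi_status != EFI_SUCCESS) {
- if (efi_status == EFI_ACCESS_DENIED)
- efi_status = start_image(image_handle, MOK_MANAGER);
- else
- Print(L"Failed to start grub\n");
- }
+ if (efi_status != EFI_SUCCESS)
+ efi_status = start_image(image_handle, MOK_MANAGER);
 done:
 
 return efi_status;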
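Review bot: The unconditional `return TRUE;` added at the top of secure_mode() (new lines 419–420) makes everything after it unreachable, including the `insecure_mode` check and the variable reads that `sb`, `setupmode` and `attributes` are declared for; the commit message says nothing about changing Secure Boot detection, so this looks like a debugging leftover. If it is intentional, it needs a comment stating why verification is now enforced regardless of platform state; otherwise the two lines should be removed. secure_mode() begins before this hunk and its body continues after it. In the verify_buffer hunk, the success message on new line 709, `Print(L"Binary is verified by the vendor certificate\n");`, is copied from the vendor-certificate path below it and should read `Print(L"Binary is verified by the shim build certificate\n");` so logs show which key actually matched, and the double blank line on new lines 712–713 can be collapsed to one.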
