pass fido2 tests

2018-10-28 16:30:55 -04:00
parent 2f911368da
commit 2fd96f8e4b
23 changed files with 900 additions and 318 deletions
--- a/tools/gencert/cbytes.py
+++ b/tools/gencert/cbytes.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python
 from __future__ import print_function
+import base64
 """
    cbytes.py

@@ -39,4 +40,6 @@ print()
 print('code uint8_t __attest[] = \n%s;' % c_str)
 print('const uint16_t __attest_size = sizeof(__attest)-1;')

-
+b = base64.b64encode(buf)
+print('b64: ')
+print(b)
--- a/tools/gencert/gen_intermediate.sh
+++ b/tools/gencert/gen_intermediate.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+keyname=interkey.pem
+certname=intercert.pem
+smallcertname=intercert.der
+curve=prime256v1
+
+[[ "$#" != 2 ]] && echo "usage: $0 <signing-key> <root-ca>" && exit 1
+
+# generate EC private key
+openssl ecparam -genkey -name "$curve" -out "$keyname" -rand seed.txt
+
+# generate a "signing request"
+openssl req -new -key "$keyname" -out "$keyname".csr -subj "/C=US/ST=Maryland/O=Solo Keys/OU=Authenticator Attestation/CN=solokeys.com/emailAddress=hello@solokeys.com"
+
+# sign the request
+openssl x509 -req -days 18250  -in "$keyname".csr -extfile v3.ext -CA "$2" -CAkey "$1" -set_serial 01 -out "$certname" -sha256
+
+# convert to smaller size format DER
+openssl  x509 -in $certname  -outform der -out $smallcertname
+
+openssl x509 -in $certname -text -noout
--- a/tools/gencert/genca.sh
+++ b/tools/gencert/genca.sh
@@ -6,12 +6,13 @@ smallcertname=cert.der
 curve=prime256v1

 # generate EC private key
-openssl ecparam -genkey -name "$curve" -out "$keyname"
+openssl ecparam -genkey -name "$curve" -out "$keyname" -rand seed.txt
 # generate a "signing request"
-openssl req -new -key "$keyname" -out "$keyname".csr
+openssl req -new -key "$keyname" -out "$keyname".csr  -subj "/C=US/ST=Maryland/O=Solo Keys/OU=Root CA/CN=solokeys.com/emailAddress=hello@solokeys.com"
 # self sign the request
-openssl x509 -req -days 18250  -in "$keyname".csr -signkey "$keyname" -out "$certname"
+openssl x509 -trustout -req -days 18250  -in "$keyname".csr -signkey "$keyname" -out "$certname" -sha256 

 # convert to smaller size format DER
 openssl  x509 -in $certname  -outform der -out $smallcertname

+openssl x509 -in $certname -text -noout
--- a/tools/gencert/print_x_y.py
+++ b/tools/gencert/print_x_y.py
@@ -0,0 +1,16 @@
+import sys
+from ecdsa import SigningKey, NIST256p
+
+sk = SigningKey.from_pem(open(sys.argv[1]).read())
+
+
+print('Private key in various formats:')
+print()
+print([c for c in sk.to_string()])
+print()
+print(''.join(['%02x'%c for c in sk.to_string()]))
+print()
+print('"\\x' + '\\x'.join(['%02x'%c for c in sk.to_string()]) + '"')
+print()
+
+
--- a/tools/gencert/verify_certs.sh
+++ b/tools/gencert/verify_certs.sh
@@ -0,0 +1,22 @@
+
+# verify that the root CA/keypair and intermediate CA/keypairs are set up correctly.
+
+[[ "$#" != 4 ]] && echo "usage: $0 <inter-key> <inter-cert> <root-key> <root-cert>" && exit 1
+
+ikey=$1
+icert=$2
+
+rkey=$3
+rcert=$4
+
+echo 'challenge $RANDOM' > chal.txt
+
+# check that they are actual key pairs
+openssl dgst -sha256 -sign "$ikey" -out sig.txt chal.txt
+openssl dgst -sha256 -verify  <(openssl x509 -in "$icert"  -pubkey -noout)  -signature sig.txt chal.txt
+
+openssl dgst -sha256 -sign "$rkey" -out sig.txt chal.txt
+openssl dgst -sha256 -verify  <(openssl x509 -in "$rcert"  -pubkey -noout)  -signature sig.txt chal.txt
+
+# Check they are a chain
+openssl verify -verbose -CAfile "$rcert" "$icert"