1#!/bin/bash -e
2# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
3# Use of this source code is governed by a BSD-style license that can be
4# found in the LICENSE file.
5#
6
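# Check args first: BASENAME is required and must be non-empty (an empty
# first argument would otherwise silently produce files named ".vbpubk",
# ".vbprivk" and ".keyblock"); ALG is optional and defaults to 4 below.
#
# NOTE(review): RSA1024 (ALG 0-2) and the SHA1 variants (ALG 0, 3, 6, 9)
# are weak by current standards. Prefer the default (4, RSA2048/SHA256) or
# stronger for new developer keys unless a target specifically needs a
# weaker algorithm.
if [[ "$#" -lt 1 || -z "$1" ]]; then
  cat <<EOF 1>&2

Usage:  ${0##*/} BASENAME [ALG]

This creates BASENAME.vbpubk and BASENAME.vbprivk pairs for use in signing
developer files. This also creates a BASENAME.keyblock file containing the
BASENAME.vbpubk, which can be used to sign a developer kernel.

If specified, ALG is one of:

  0    =  RSA1024 with SHA1
  1    =  RSA1024 with SHA256
  2    =  RSA1024 with SHA512
  3    =  RSA2048 with SHA1
  4    =  RSA2048 with SHA256
  5    =  RSA2048 with SHA512
  6    =  RSA4096 with SHA1
  7    =  RSA4096 with SHA256
  8    =  RSA4096 with SHA512
  9    =  RSA8192 with SHA1
  10   =  RSA8192 with SHA256
  11   =  RSA8192 with SHA512

If ALG is not specified, a default value will be used.

EOF
  exit 1
fi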
37
38
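# Compute the RSA modulus length in bits for a vboot algorithm number.
#
# The algorithm table in the usage text comes in groups of three (one per
# hash: SHA1, SHA256, SHA512) starting at RSA1024, so the key length is
# 1024 << (alg / 3):  0-2 -> 1024, 3-5 -> 2048, 6-8 -> 4096, 9-11 -> 8192.
#
# Arguments:
#   $1 - algorithm number, a decimal integer in 0..11
# Outputs:
#   the key length in bits on stdout
# Returns:
#   0 on success; 1 (with a message on stderr, nothing on stdout) when $1
#   is not an integer in range. Previously an out-of-range value such as
#   12 yielded a bogus length (16384) and a non-numeric value tripped a
#   bash arithmetic error, either of which would be discovered only after
#   an expensive openssl genrsa run; reject it up front instead.
function alg_to_keylen {
  local alg=$1
  # 10# forces decimal so a value like "08" is not parsed as (invalid) octal.
  if [[ ! "$alg" =~ ^[0-9]+$ ]] || (( 10#$alg > 11 )); then
    printf '%s: invalid algorithm %s (expected an integer 0..11)\n' \
      "${FUNCNAME[0]}" "'${alg}'" >&2
    return 1
  fi
  echo $(( 1 << (10 + (10#$alg / 3)) ))
}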
43
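# Emit BASE.vbpubk and BASE.vbprivk for the given vboot algorithm number.
#
# Generates a fresh RSA keypair with OpenSSL, wraps the public half in a
# self-signed certificate so dumpRSAPublicKey can emit the pre-processed
# .keyb form, then packs both halves with futility. The intermediate
# "${base}_${len}.pem/.crt/.keyb" files are removed at the end.
#
# Arguments:
#   $1 - output basename (may include a directory component)
#   $2 - algorithm number, 0..11; the RSA size is derived from it
# Outputs:
#   ${base}.vbpubk and ${base}.vbprivk on disk
# Returns:
#   non-zero as soon as alg_to_keylen or any tool fails. Every step carries
#   an explicit "|| return 1" so the function stops on failure even when
#   the script is run as "bash script.sh", which drops the shebang's -e.
function make_pair {
  local base=$1
  local alg=$2
  local len
  # Keep the assignment separate from 'local' so alg_to_keylen's exit
  # status is not masked (a combined 'local len=$(...)' always succeeds).
  len=$(alg_to_keylen "$alg") || return 1

  local pem="${base}_${len}.pem"
  local crt="${base}_${len}.crt"
  local keyb="${base}_${len}.keyb"

  # Make the RSA keypair. Run it under a restrictive umask (scoped to the
  # subshell) so the intermediate PEM private key is not group/world
  # readable while it sits on disk; whether openssl tightens the mode on
  # its own depends on the openssl version, so don't rely on it.
  ( umask 077 && openssl genrsa -F4 -out "$pem" "$len" ) || return 1
  # Create a self-signed certificate; it is only a carrier for the public
  # key so dumpRSAPublicKey can read it.
  openssl req -batch -new -x509 -key "$pem" -out "$crt" || return 1
  # Generate the pre-processed RSA public key.
  dumpRSAPublicKey -cert "$crt" > "$keyb" || return 1

  # Wrap the public key.
  futility vbutil_key \
    --pack "${base}.vbpubk" \
    --key "$keyb" \
    --version 1 \
    --algorithm "$alg" || return 1

  # Wrap the private key, again under a restrictive umask so the packed
  # .vbprivk (the developer's signing secret) is created owner-only.
  ( umask 077 && futility vbutil_key \
      --pack "${base}.vbprivk" \
      --key "$pem" \
      --algorithm "$alg" ) || return 1

  # Remove intermediate files. This only unlinks the PEM; on most
  # filesystems the key bytes may remain recoverable from disk, so generate
  # keys on storage you trust.
  rm -f "$pem" "$crt" "$keyb"
}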
74
# Output basename and algorithm number; ALG falls back to 4 (RSA2048 with
# SHA256 in the table above) when the caller does not supply one.
key_base=$1
key_alg=${2:-4}

# Step 1: the .vbpubk / .vbprivk pair.
make_pair "$key_base" "$key_alg"

# Step 2: a .keyblock carrying the .vbpubk. It is meant for developer use,
# so it is not signed by any key -- only checksummed. Developer kernels are
# only bootable in non-recovery mode with the developer switch on, so
# setting every flag bit (15) does no harm.
futility vbutil_keyblock --pack "${key_base}.keyblock" \
  --datapubkey "${key_base}.vbpubk" --flags 15
84