forked from Linaro/lite_bootstrap_server
-
Notifications
You must be signed in to change notification settings - Fork 0
/
new-device.sh
executable file
·144 lines (111 loc) · 4.59 KB
/
new-device.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
#!/usr/bin/env bash
# Copyright (c) 2022, Linaro. All rights reserved.
# SPDX-License-Identifier: BSD-3-Clause
# Exit on command failure
set -o errexit
# Fail on unset variable
# Use "${VARNAME-}" instead of "$VARNAME" to access unset variable(s)
set -o nounset
# Enable debug mode if $TRACE is set
# To enable, run with: "env TRACE=1 ./new-device.sh"
if [[ "${TRACE-0}" == "1" ]]; then
set -o xtrace
fi
# Check for too many parameters
if [ $# -gt 1 ]
then
echo "Too many paramters provided."
echo "Run './new-device.sh -h' for help."
exit 1
fi
# Check if the first arg is -h or --help
if [[ "${1-}" =~ ^-*h(elp)?$ ]]; then
echo "Usage: ./new-device.sh [hostname]
Simulates provisioning of a new client device.
This script generates a random UUID to identify a client hardware device, then
creates a certificate signing request (CSR) which includes that UUID. It then
calls 'make_csr_cbor.go', which converts the CSR into a CBOR file that can be
sent to the CA in the bootstrap server using the REST API. The encoded CSR file
is then sent to the CA server for processing, which will return a DER-encoded
certificate in a CBOR wrapper. This DER-encoded CBOR-wrapped certificate is
finally converted to a PEM-encoded certificate for convenience sake.
The following files are placed them in the 'certs' folder:
- certs/{UUID}.crt PEM-encoded client device certificate
- certs/{UUID}.key The private key associated with {UUID}.crt
You can view the content of the certificate via:
$ openssl x509 -in certs/{UUID}.crt -noout -text
HOSTNAME
--------
A consistent hostname must be used in your network layout or the TLS handshake
will fail.
For this script, you can set the hostname value through several mechanism:
1. Via the '[hostname]' parameter when calling this script, i.e.:
$ ./new-device.sh myhostname.local
2. Setting the 'CAHOSTNAME' environment variable before running this script:
$ export CAHOSTNAME=myhostname.local
$ ./new-device.sh
3. Not doing anything, which will cause the script to evaluate the system
hostname via the 'hostname' command.
NOTE: 'localhost' is useful for testing, particularly if you are behind a NAT,
but won't allow access from a remote device. In order for this server to work
in that network topology, you'll need to set the hostname to a valid DNS name
that resolves to this host.
If you get an error like 'failed: Connection refused', make sure that you are
setting the correct hostname value before running this script.
"
exit
fi
# These steps can be followed to simulate a certificate request from a
# hardware device.
#
# This test scenario calls `make_csr_cbor.go`, which takes a
# certificate signing request (CSR) file, and converts it into a CBOR
# file that can be sent to the CA server using the REST API. The
# encoded CSR file can then be sent to the CA server using `wget`,
# which will return the generated certificate as a CBOR payload.
# Please follow the steps in `README.md` and make sure the liteboot
# server is running (`run-server.sh`), before running this script.
# Resolve hostname
if [ $# -eq 1 ]
then
# Use command line parameter for hostname value if present
HOSTNAME=$1
else
# Check for CAHOSTNAME env variable, default to 'hostname' cmd if undefined
HOSTNAME=${CAHOSTNAME:-$(hostname)}
fi
# Generate a device ID. BSD's uuidgen outputs uppercase, so convert
# that here.
DEVID=$(uuidgen | tr '[:upper:]' '[:lower:]')
DEVPATH=certs/$DEVID
DEVVENDOR="Test Vendor"
echo New device: "$DEVID"
# Generate a private user key for this device.
openssl ecparam -name prime256v1 -genkey -out "$DEVPATH.key"
# Generate the CSR for this key.
openssl req -new \
-key "$DEVPATH.key" \
-out "$DEVPATH.csr" \
-subj "/O=$DEVVENDOR/CN=$DEVID/OU=Signing"
# Convert this CSR to cbor.
go run make_csr_cbor.go -in "$DEVPATH.csr" -out "$DEVPATH.cbor"
# Submit the CSR.
wget --ca-certificate=certs/SERVER.crt \
--certificate=certs/BOOTSTRAP.crt \
--private-key=certs/BOOTSTRAP.key \
--post-file "$DEVPATH.cbor" \
--header "Content-Type: application/cbor" \
"https://$HOSTNAME:1443/api/v1/cr" \
-O "$DEVPATH.rsp"
# When this is successfully processed by the CA, it will return a DER
# encoded certificate enclosed in a CBOR wrapper. The following
# commands will convert this to a PEM-encoded certificate file.
go run get_cert_cbor.go -in "$DEVPATH.rsp" -out "$DEVPATH.crt"
# Display the certificate
openssl x509 -in "$DEVPATH.crt" -noout -text
# Verify the generated certificate against the CA.
openssl verify -CAfile certs/CA.crt "$DEVPATH.crt"
# Delete the files that aren't needed
rm "$DEVPATH.csr"
rm "$DEVPATH.cbor"
rm "$DEVPATH.rsp"