update cert gen script

main/cert/attestation-ca-cert.cnf

@@ -0,0 +1,14 @@
+[req]
+distinguished_name = distinguished_name_sec
+attributes         = attributes_sec
+prompt             = no
+
+[attributes_sec]
+
+[distinguished_name_sec]
+CN = CanoKeys FIDO Attestation Root CA No.1
+
+[ca_extensions_sec]
+subjectKeyIdentifier = hash
+basicConstraints     = CA:TRUE, pathlen:0
+keyUsage             = critical, cRLSign, keyCertSign

main/cert/attestation-device-cert.cnf

@@ -0,0 +1,21 @@
+[req]
+distinguished_name = distinguished_name_sec
+attributes         = attributes_sec
+req_extensions     = extensions_sec
+prompt = no
+
+[attributes_sec]
+
+[distinguished_name_sec]
+CN = CanoKey Serial 123456
+OU = Authenticator Attestation
+O = CanoKeys
+C = CN
+
+[extensions_sec]
+# subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+# AAGUID: should match the value in ctap.c (the prefix "04 10" is required for ASN.1 encoding)
+1.3.6.1.4.1.45724.1.1.4 = DER:04:10:24:4e:b2:9e:e0:90:4e:49:81:fe:1f:20:f8:d3:b8:f4
+# fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html
+# 1.3.6.1.4.1.45724.2.1.1 = DER:03:02:04:30

main/cert/gen_attestation_ca.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+openssl genrsa -out ca.key 2048
+openssl req -config ./attestation-ca-cert.cnf -extensions ca_extensions_sec -x509 -days 7120 -new -key ca.key -nodes -out ca.pem
+echo 01 >ca.srl # create the serial file

main/cert/gen_attestation_devive_cert.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+openssl ecparam -out ec_key.pem -name secp256r1 -genkey -out dev.key
+openssl req -config ./attestation-device-cert.cnf -new -key dev.key -nodes -out dev.csr
+openssl x509 -extfile ./attestation-device-cert.cnf -extensions extensions_sec -days 3560 -req -in dev.csr -CA ca.pem -CAserial ca.srl -CAkey ca.key -out dev.pem
+openssl x509 -outform der -in dev.pem -out dev.der
+rm dev.csr
+
+openssl ec -in dev.key -outform DER -no_public | tail -c +8 | head -c 32  > u2f_cert_key.bin
+

main/cert/u2f_aaguid.bin

@@ -1 +1 @@
-fM�g��A*������m
+$N����NI�� �Ӹ�