From 793d36aec107e6bd562540663342189d998c6959 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Enrico=20J=C3=B6rns?= <ejo@pengutronix.de>
Date: Sat, 1 Feb 2025 21:16:43 +0100
Subject: [PATCH] qemuarm/qemux86: replace key generation by pre-generated keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Most layers use pre-generated keys anyway and while generating keys
might motivate to not use known keys for production, people might
misunderstand the scripts as a recommendation for creating their own
PKIs.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
---
 create-example-keys.sh            | 133 ------------------------------
 meta-rauc-qemuarm/README.rst      |   4 -
 meta-rauc-qemuarm/conf/layer.conf |   4 +
 meta-rauc-qemux86/README.rst      |   4 -
 meta-rauc-qemux86/conf/layer.conf |   4 +
 5 files changed, 8 insertions(+), 141 deletions(-)
 delete mode 100755 create-example-keys.sh

diff --git a/create-example-keys.sh b/create-example-keys.sh
deleted file mode 100755
index f9c0bea..0000000
--- a/create-example-keys.sh
+++ /dev/null
@@ -1,133 +0,0 @@
-#!/bin/bash
-
-set -e
-
-if [ -z $BBPATH ]; then
-  printf "Please call from within a set-up bitbake environment!\nRun 'source oe-init-build-env <builddir>' first\n"
-  exit 1
-fi
-
-ORG="Test Org"
-CA="rauc CA"
-
-# After the CRL expires, signatures cannot be verified anymore
-CRL="-crldays 5000"
-
-BASE="$BBPATH/example-ca"
-
-if [ -e $BASE ]; then
-  echo "$BASE already exists"
-  exit 1
-fi
-
-mkdir -p $BASE/{private,certs}
-touch $BASE/index.txt
-echo 01 > $BASE/serial
-
-cat > $BASE/openssl.cnf <<EOF
-[ ca ]
-default_ca      = CA_default               # The default ca section
-
-[ CA_default ]
-
-dir            = .                         # top dir
-database       = \$dir/index.txt           # index file.
-new_certs_dir  = \$dir/certs               # new certs dir
-
-certificate    = \$dir/ca.cert.pem         # The CA cert
-serial         = \$dir/serial              # serial no file
-private_key    = \$dir/private/ca.key.pem  # CA private key
-RANDFILE       = \$dir/private/.rand       # random number file
-
-default_startdate = 19700101000000Z
-default_enddate = 99991231235959Z
-default_crl_days= 30                       # how long before next CRL
-default_md     = sha256                    # md to use
-
-policy         = policy_any                # default policy
-email_in_dn    = no                        # Don't add the email into cert DN
-
-name_opt       = ca_default                # Subject name display option
-cert_opt       = ca_default                # Certificate display option
-copy_extensions = none                     # Don't copy extensions from request
-
-[ policy_any ]
-organizationName       = match
-commonName             = supplied
-
-[ req ]
-default_bits           = 4096
-distinguished_name     = req_distinguished_name
-x509_extensions        = v3_leaf
-encrypt_key = no
-default_md = sha256
-attributes             = req_attributes
-prompt                 = no
-input_password         = rauc
-output_password        = rauc
-
-[ req_attributes ]
-challengePassword              = Robust Auto-Update Controller
-
-[ req_distinguished_name ]
-commonName                     = Common Name (eg, YOUR name)
-commonName_max                 = 64
-
-[ v3_ca ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE
-
-[ v3_inter ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE,pathlen:0
-
-[ v3_leaf ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:FALSE
-EOF
-
-export OPENSSL_CONF=$BASE/openssl.cnf
-
-cd $BASE
-
-echo "Development CA"
-oe-run-native openssl-native openssl req -config $OPENSSL_CONF -newkey rsa:4096 -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
-
-oe-run-native openssl-native openssl ca -config $OPENSSL_CONF -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
-
-echo "Development Signing Keys 1"
-oe-run-native openssl-native openssl req -config $OPENSSL_CONF -newkey rsa:4096 -keyout private/development-1.key.pem -out development-1.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
-oe-run-native openssl-native openssl ca -config $OPENSSL_CONF -batch -extensions v3_leaf -in development-1.csr.pem -out development-1.cert.pem
-
-
-CONFFILE=${BUILDDIR}/conf/site.conf
-
-echo ""
-echo "Writing RAUC key configuration to site.conf ..."
-
-if test -f $CONFFILE; then
-if grep -q "^RAUC_KEYRING_FILE.*=" $CONFFILE; then
-	echo "RAUC_KEYRING_FILE already configured, aborting key configuration"
-	exit 0
-fi
-if grep -q "^RAUC_KEY_FILE.*=" $CONFFILE; then
-	echo "RAUC_KEY_FILE already configured, aborting key configuration"
-	exit 0
-fi
-if grep -q "^RAUC_CERT_FILE.*=" $CONFFILE; then
-	echo "RAUC_CERT_FILE already configured, aborting key configuration"
-	exit 0
-fi
-fi
-
-echo "RAUC_KEYRING_FILE=\"${BUILDDIR}/example-ca/ca.cert.pem\"" >> $CONFFILE
-echo "RAUC_KEY_FILE=\"${BUILDDIR}/example-ca/private/development-1.key.pem\"" >> $CONFFILE
-echo "RAUC_CERT_FILE=\"${BUILDDIR}/example-ca/development-1.cert.pem\"" >> $CONFFILE
-
-echo "Key configuration successfully written to ${BUILDDIR}/conf/site.conf"
diff --git a/meta-rauc-qemuarm/README.rst b/meta-rauc-qemuarm/README.rst
index 6471a4e..a8780c0 100644
--- a/meta-rauc-qemuarm/README.rst
+++ b/meta-rauc-qemuarm/README.rst
@@ -70,10 +70,6 @@ interaction with the system::
    EXTRA_IMAGE_FEATURES += "debug-tweaks"
    EXTRA_IMAGE_FEATURES += "ssh-server-openssh"
 
-Create example authentication keys (from sourced environment)::
-
-  $ ../meta-rauc-community/create-example-keys.sh
-
 This will place the keys in a directory ``example-ca/`` in your build dir and
 configure your ``conf/site.conf`` to let ``RAUC_KEYRING_FILE``,
 ``RAUC_KEY_FILE`` and ``RAUC_CERT_FILE`` point to this.
diff --git a/meta-rauc-qemuarm/conf/layer.conf b/meta-rauc-qemuarm/conf/layer.conf
index 45772f2..2d3a97e 100644
--- a/meta-rauc-qemuarm/conf/layer.conf
+++ b/meta-rauc-qemuarm/conf/layer.conf
@@ -11,3 +11,7 @@ BBFILE_PRIORITY_meta-rauc-qemuarm = "6"
 
 LAYERDEPENDS_meta-rauc-qemuarm = "core"
 LAYERSERIES_COMPAT_meta-rauc-qemuarm = "styhead"
+
+RAUC_KEY_FILE ?= "${LAYERDIR}/../files/rauc-example-keys/development-1.key.pem"
+RAUC_CERT_FILE ?= "${LAYERDIR}/../files/rauc-example-keys/development-1.cert.pem"
+RAUC_KEYRING_FILE ?= "${LAYERDIR}/../files/rauc-example-keys/ca.cert.pem"
diff --git a/meta-rauc-qemux86/README.rst b/meta-rauc-qemux86/README.rst
index 3bf260d..857c666 100644
--- a/meta-rauc-qemux86/README.rst
+++ b/meta-rauc-qemux86/README.rst
@@ -75,10 +75,6 @@ It is also recommended, but not strictly necessary, to enable 'systemd'::
 
    INIT_MANAGER = "systemd"
 
-Create example authentication keys (from sourced environment)::
-
-  $ ../meta-rauc-community/create-example-keys.sh
-
 This will place the keys in a directory ``example-ca/`` in your build dir and
 configure your ``conf/site.conf`` to let ``RAUC_KEYRING_FILE``,
 ``RAUC_KEY_FILE`` and ``RAUC_CERT_FILE`` point to this.
diff --git a/meta-rauc-qemux86/conf/layer.conf b/meta-rauc-qemux86/conf/layer.conf
index 69aa53b..f18ffc2 100644
--- a/meta-rauc-qemux86/conf/layer.conf
+++ b/meta-rauc-qemux86/conf/layer.conf
@@ -11,3 +11,7 @@ BBFILE_PRIORITY_meta-rauc-qemux86 = "6"
 
 LAYERDEPENDS_meta-rauc-qemux86 = "core"
 LAYERSERIES_COMPAT_meta-rauc-qemux86 = "styhead"
+
+RAUC_KEY_FILE ?= "${LAYERDIR}/../files/rauc-example-keys/development-1.key.pem"
+RAUC_CERT_FILE ?= "${LAYERDIR}/../files/rauc-example-keys/development-1.cert.pem"
+RAUC_KEYRING_FILE ?= "${LAYERDIR}/../files/rauc-example-keys/ca.cert.pem"