OPENSSL生成自签公钥证书和私钥

generate key

创建EC参数和私钥文件
openssl ecparam -genkey -name prime256v1 -out attestation_key.pem

查看EC私钥文件
cat attestation_key.pem

查看EC私钥
openssl ecparam -in attestation_key.pem -text

验证EC参数
openssl ecparam -in attestation_key.pem -check

self-signed certificate

创建公钥证书
openssl req -new -sha256 -key attestation_key.pem -out csr.csr -subj “/C=CN/ST=Shanghai/O=WhoAreYou/CN=WAY\ Fingerprint\ U2F\ Authenticator”

自签发公钥证书至attestation.pem
openssl req -config opnssl.cnf -x509 -sha256 -days 3650 -key attestation_key.pem -in csr.csr -out attestation.pem

convert to der

openssl x509 -outform der -in attestation.pem -out attestation.der
openssl ec -in attestation_key.pem -outform der -out attestation_key.der

generate C code

python dump-der.py > certificates.c || ( rm certificates.c && exit 1 )

gen.sh

#!/bin/bash

set -e

cat > opnssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
EOF

# generate key and self-signed certificate
openssl ecparam -genkey -name prime256v1 -out attestation_key.pem
openssl req -new -sha256 -key attestation_key.pem -out csr.csr -subj "/CN=U2F Token"
openssl req -config opnssl.cnf -x509 -sha256 -days 3650 -key attestation_key.pem -in csr.csr -out attestation.pem

# convert to der
openssl x509 -outform der -in attestation.pem -out attestation.der
openssl ec -in attestation_key.pem -outform der -out attestation_key.der

# generate C code
python dump-der.py > certificates.c || ( rm certificates.c && exit 1 )

dump-der.py

from __future__ import print_function
from asn1crypto.keys import ECPrivateKey

def pk_to_c_array(name, pk_der):
    # parse der format
    pk = ECPrivateKey.load(pk_der)

    # extract private key
    pk_native = pk['private_key'].native

    # translate to hex string
    pk_hex = format(pk_native, '064x')

    # split by pairs of characters
    hex_bytes = ["0x" + pk_hex[i:i + 2] for i in range(0, len(pk_hex), 2)]

    # make string C array declaration
    return "const uint8_t " + name + "[32] = {" + ", ".join(hex_bytes) + "};"

def cert_to_c_array(name, der):
    defname = name.upper() + "_LEN"
    if hasattr(der, 'hex'):
        hex_str = der.hex()
    else:
        hex_str = der.encode('hex')
    hex_bytes = ["0x" + hex_str[i:i + 2] for i in range(0, len(hex_str), 2)]

    define = "#define " + defname + " " + str(len(der))
    array = "const uint8_t " + name + "[" + defname + "] = {" + ", ".join(hex_bytes) + "};"
    return define + "\n" + array

with open("attestation.der", "rb") as f:
    print(cert_to_c_array("attestation_der", f.read()))

with open("attestation_key.der", "rb") as f:
    print(pk_to_c_array("attestation_key", f.read()))