# $FreeBSD$

# Consider this file an example.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request
#
# What this file decides (the lists and headers are consumed elsewhere in
# the build, not here):
#  - VE_HASH_LIST / VE_SIGNATURE_LIST / VE_SIGNATURE_EXT_LIST name the
#    digests, signature schemes and signature-file extensions the verifier
#    is built to accept.
#  - ta.h is built from X.509 trust anchors (*.pem) and ta_asc.h from
#    OpenPGP trust anchors (*.asc); the vc_* files feed the verification
#    self tests unless VE_SELF_TESTS is "no".
# Whatever ends up in ta.h / ta_asc.h is a trust anchor for the verifier,
# so the provenance of the .pem/.asc inputs (fetched from the signing server
# below, or supplied via TRUST_ANCHORS) is the thing to review.

# force these for Junos
#MANIFEST_SKIP_ALWAYS= boot
VE_HASH_LIST= \
	SHA1 \
	SHA256 \
	SHA384 \
	SHA512

VE_SIGNATURE_LIST= \
	ECDSA \
	RSA

VE_SIGNATURE_EXT_LIST= \
	esig \
	rsig

VE_SELF_TESTS= yes

# Only the host-side unit tests get the deprecated RSA/SHA1 scheme and the
# plain ".sig" extension; nothing else in this file enables them.
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"

VE_SIGNATURE_LIST+= \
	DEPRECATED_RSA_SHA1

VE_SIGNATURE_EXT_LIST+= \
	sig
.endif

# add OpenPGP support - possibly dormant
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# allow site override of all the above
# .-include is silently skipped when the file does not exist.  Note that a
# site file can redefine anything set above (including VE_SELF_TESTS and the
# algorithm lists), so it is part of the trust configuration too.
.-include "site.trust.mk"

# ?= : a SIGNER already set (site.trust.mk, environment, command line) wins.
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py

# Branch 1: a signing-server client is available; certificate chains are
# fetched from SIGN_HOST at build time.
.if exists(${SIGNER})
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# :L makes the value the variable's own name ("133%y"); :gmtime runs that
# through strftime, so the port is 133 followed by the current two-digit
# year.  Evaluated once at parse time (:=).  RSA2_PORT below works the same.
ECDSA_PORT:= ${133%y:L:gmtime}
# -u / -h are sign.py options; -h sha256 presumably selects the digest —
# confirm against the script.
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256

# deal with quirk of our .esig format
XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN

# The OpenPGP trust anchor is only fetched when a signing URL has been
# configured (site.trust.mk is the natural place for OPENPGP_SIGN_URL).
.if !empty(OPENPGP_SIGN_URL)
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H

# These repeat the unconditional additions above, so OPENPGP / asc appear
# twice in the lists (+= appends rather than replaces).
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# openpgp-sign.py is expected next to sign.py (:H = directory of SIGNER).
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}

# Fetch the OpenPGP trust anchor; -C names the output file (sign.py usage
# as seen here — confirm against the script).
ta_openpgp.asc:
	${SIGN_OPENPGP} -C ${.TARGET}

# Only the dependency is declared here; the rule that turns .asc files into
# ta_asc.h lives elsewhere.
ta_asc.h: ta_openpgp.asc

.if ${VE_SELF_TESTS} != "no"
# for self test
# Runs openpgp-sign.py over ta_openpgp.asc; the mv shows the script writes
# its output as <input>.asc, which becomes the self-test file.
vc_openpgp.asc: ta_openpgp.asc
	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
	mv ta_openpgp.asc.asc ${.TARGET}

ta_asc.h: vc_openpgp.asc
.endif
.endif

# Full certificate chains from the signing server, one per scheme.
rcerts.pem:
	${SIGN_RSA2} -C ${.TARGET}

ecerts.pem:
	${SIGN_ECDSA} -C ${.TARGET}

# Case-insensitive check (:tu) that ECDSA is in the signature list.
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
# _LAST_PEM_USE / _2ndLAST_PEM_USE are .USE targets defined elsewhere;
# presumably they extract the last / second-to-last PEM block of the chain.
ta_ec.pem: ecerts.pem _LAST_PEM_USE
ta.h: ta_ec.pem
.if ${VE_SELF_TESTS} != "no"
# these are for verification self test
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
ta.h: vc_ec.pem
.endif
.endif

# Same shape as the ECDSA block above, for RSA.
.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
ta.h: ta_rsa.pem
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
ta.h: vc_rsa.pem
.endif
.endif

# we take the mtime of this as our baseline time
#BUILD_UTC_FILE= ecerts.pem
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1

# Branch 2: no signing-server client; trust anchors must already be present
# next to this file or be passed in as TRUST_ANCHORS.
.else
# you need to provide t*.pem or t*.asc files for each trust anchor
# != runs the shell at parse time; 'ls' is quoted to bypass aliases.
# Note the glob is *.pem (not t*.pem): every .pem in the directory — the
# t*.pem trust anchors as well as the vc*.pem self-test certs — ends up in
# TRUST_ANCHORS and therefore in ta.h below.  Keep stray .pem files out of
# this directory.
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
# Having no trust anchors is a hard error unless EFI secure boot is enabled;
# the reason that case is tolerated is outside this file.
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
.endif
# The guard requires at least one t*.pem, but ta.h then depends on all .pem
# files in the list (see the glob note above).
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
# :[1] selects the first word of TRUST_ANCHORS.
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif
