# $FreeBSD$

# Consider this file an example: it is the site-local policy that decides
# which digest and signature algorithms the verifier (the VE_* knobs) will
# accept, and where the trust anchors compiled into ta.h / ta_asc.h come
# from.  Two modes are supported, selected by whether ${SIGNER} exists:
#   - signing-server mode: certificate chains and the OpenPGP key are
#     requested from a remote signer at build time;
#   - local mode: t*.pem / t*.asc files in ${.CURDIR} are used as-is.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request

# force these for Junos
#MANIFEST_SKIP_ALWAYS= boot
# Digest algorithms the verifier accepts for manifest/file hashes.
# NOTE(review): SHA1 is kept here for Junos compatibility; it is
# collision-prone and should be dropped once no legacy manifests need it.
VE_HASH_LIST= \
	SHA1 \
	SHA256 \
	SHA384 \
	SHA512

# Signature schemes the verifier accepts ...
VE_SIGNATURE_LIST= \
	ECDSA \
	RSA

# ... and the extensions of the detached-signature files it will look for
# (listed in the same order; esig/rsig appear to pair with ECDSA/RSA).
VE_SIGNATURE_EXT_LIST= \
	esig \
	rsig

# Anything but "no" enables the vc_* (verification-cert) rules below, which
# give the verifier a certificate it can check against each trust anchor.
VE_SELF_TESTS= yes

# The deprecated RSA+SHA1 scheme (and its .sig extension) is only enabled
# for the host-side unit tests (basename of .CURDIR is "tests"), so it never
# reaches a real target build.
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"

VE_SIGNATURE_LIST+= \
	DEPRECATED_RSA_SHA1

VE_SIGNATURE_EXT_LIST+= \
	sig
.endif

# Client for the signing server; SB_TOOLS_PATH overrides the default dir.
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py

.if exists(${SIGNER})
# ---- signing-server mode ----------------------------------------------
# NOTE(review): in this mode the build's root of trust is whatever chain the
# signer returns; nothing here pins or cross-checks it, so it is only as
# trustworthy as sign.py's connection to SIGN_HOST.  Confirm that sign.py
# authenticates the server (TLS with a pinned/verified certificate).
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# Port = "133" followed by the two-digit UTC year (:L makes the literal its
# own value, :gmtime runs it through strftime with the current time), so the
# port rolls over every January; := evaluates it once at parse time.
ECDSA_PORT:= ${133%y:L:gmtime}
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
# Same scheme for the RSA signer: "163" + two-digit year.
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256

# OpenPGP support is only wired in when an OpenPGP signing URL is given.
.if !empty(OPENPGP_SIGN_URL)
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# openpgp-sign.py lives next to sign.py (${SIGNER:H} is its directory).
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}

# Trust anchor: the signer's public key (-C presumably asks the signer for
# its key/chain, as it does for the .pem targets below -- confirm in sign.py).
ta_openpgp.asc:
	${SIGN_OPENPGP} -C ${.TARGET}

ta_asc.h: ta_openpgp.asc

.if ${VE_SELF_TESTS} != "no"
# for self test: have the signer sign the trust anchor itself; the detached
# signature comes back as ta_openpgp.asc.asc and is renamed to vc_openpgp.asc
vc_openpgp.asc: ta_openpgp.asc
	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
	mv ta_openpgp.asc.asc ${.TARGET}

ta_asc.h: vc_openpgp.asc
.endif
.endif

# Full certificate chains as returned by each signer.
rcerts.pem:
	${SIGN_RSA2} -C ${.TARGET}

ecerts.pem:
	${SIGN_ECDSA} -C ${.TARGET}

# _LAST_PEM_USE / _2ndLAST_PEM_USE are not defined in this file; from their
# names and use as extra sources they look like .USE macros that extract the
# last / second-to-last certificate of the chain -- confirm where defined.
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
ta_ec.pem: ecerts.pem _LAST_PEM_USE
ta.h: ta_ec.pem
.if ${VE_SELF_TESTS} != "no"
# these are for verification self test: the cert one below the anchor should
# verify against it
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
ta.h: vc_ec.pem
.endif
.endif

.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
ta.h: ta_rsa.pem
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
ta.h: vc_rsa.pem
.endif
.endif

# we take the mtime of this as our baseline time
# (left unset in this mode; uncomment to pin the baseline to ecerts.pem)
#BUILD_UTC_FILE= ecerts.pem
# Debugging knobs for the verifier; keep disabled in production builds.
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1

.else
# ---- local mode ----------------------------------------------------------
# you need to provide t*.pem or t*.asc files for each trust anchor
# TRUST_ANCHORS may be preset; otherwise collect them at parse time.  Note
# the glob takes every *.pem (so vc_*.pem self-test certs are included too,
# presumably told apart from ta_*.pem by the ta.h generator) but only t*.asc.
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
# An empty anchor set is a hard error unless this is an EFI secure-boot
# build (presumably the firmware's db is trusted instead -- confirm).
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
.endif
# The check requires at least one basename starting with "t"; ta.h then
# depends on every .pem that was found.
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
# (first anchor listed; a stale file pushes the baseline back, and with an
# empty TRUST_ANCHORS on an EFI secure-boot build this is left empty)
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif
