# $FreeBSD$

# Consider this file an example.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request
#
# Two modes are selected below, depending on whether ${SIGNER} exists:
#  - signing client present: the certificate chains (rcerts.pem,
#    ecerts.pem and optionally ta_openpgp.asc) are fetched from the
#    signing server and the trust anchors are derived from them;
#  - otherwise: the trust anchors are the *.pem / t*.asc files already
#    present in ${.CURDIR}.
# In both modes this file only declares the dependencies of ta.h /
# ta_asc.h; the including Makefile is presumably what builds them.

# force these for Junos
#MANIFEST_SKIP_ALWAYS= boot
# digest algorithms compiled into the verifier
VE_HASH_LIST= \
	SHA1 \
	SHA256 \
	SHA384 \
	SHA512

# signature algorithms compiled into the verifier
VE_SIGNATURE_LIST= \
	ECDSA \
	RSA

# file extensions recognised as detached signatures
# (presumably paired with VE_SIGNATURE_LIST in order: esig/ECDSA, rsig/RSA)
VE_SIGNATURE_EXT_LIST= \
	esig \
	rsig

# build the verification self tests (the vc_* artifacts below)
VE_SELF_TESTS= yes

# Only the host build of the tests directory accepts the deprecated
# RSA+SHA1 signatures (plain .sig extension); they are deliberately not
# enabled for target builds.
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"

VE_SIGNATURE_LIST+= \
	DEPRECATED_RSA_SHA1

VE_SIGNATURE_EXT_LIST+= \
	sig
.endif

# add OpenPGP support - possibly dormant
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# signing client; SB_TOOLS_PATH overrides the default install location
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py

.if exists(${SIGNER})
# signing server host, selected by site (SB_SITE, default svl)
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# Server ports are the literal prefix followed by the current two-digit
# UTC year (:gmtime applies strftime(3) to the value, %y = year), so they
# change every year; := evaluates them once at parse time.
ECDSA_PORT:= ${133%y:L:gmtime}
# sign with SHA-256 (-h) over the given server URL (-u)
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256

# deal with quirk of our .esig format
XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN

# OpenPGP trust anchor: only when an OpenPGP signing URL is configured
.if !empty(OPENPGP_SIGN_URL)
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H

VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# openpgp-sign.py is expected next to ${SIGNER} (:H = its directory)
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}

# fetch the OpenPGP trust anchor from the signing server
# (-C presumably requests the certificate / key material itself)
ta_openpgp.asc:
	${SIGN_OPENPGP} -C ${.TARGET}

ta_asc.h: ta_openpgp.asc

.if ${VE_SELF_TESTS} != "no"
# for self test: sign the trust anchor itself; the signer writes
# ta_openpgp.asc.asc, which is renamed to vc_openpgp.asc
vc_openpgp.asc: ta_openpgp.asc
	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
	mv ta_openpgp.asc.asc ${.TARGET}

ta_asc.h: vc_openpgp.asc
.endif
.endif

# certificate chains from the signing server, RSA and ECDSA
rcerts.pem:
	${SIGN_RSA2} -C ${.TARGET}

ecerts.pem:
	${SIGN_ECDSA} -C ${.TARGET}

# :tu upper-cases the list; :MECDSA keeps only an exact ECDSA entry
.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
# (_LAST_PEM_USE / _2ndLAST_PEM_USE look like marker dependencies
# interpreted by the including Makefile; not defined here)
ta_ec.pem: ecerts.pem _LAST_PEM_USE
ta.h: ta_ec.pem
.if ${VE_SELF_TESTS} != "no"
# these are for verification self test
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
ta.h: vc_ec.pem
.endif
.endif

.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
ta.h: ta_rsa.pem
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
ta.h: vc_rsa.pem
.endif
.endif

# we take the mtime of this as our baseline time
#BUILD_UTC_FILE= ecerts.pem
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1

.else
# you need to provide t*.pem or t*.asc files for each trust anchor
# NOTE: unless TRUST_ANCHORS is set explicitly, every *.pem and t*.asc
# found in ${.CURDIR} (listed by a shell at parse time, != ) becomes a
# trust anchor, so the directory contents decide what will be trusted.
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
# no trust anchors is fatal, except when EFI secure boot is enabled
# (presumably the anchors then come from elsewhere; not shown here)
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
.endif
# the test is on basenames starting with t*.pem, but ta.h then depends on
# every *.pem in TRUST_ANCHORS
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
# (defaults to the first trust anchor; ?= keeps a value set by the includer)
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif
