# Consider this file an example.
#
# For Junos this is how we obtain trust anchor .pems
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
# for each key will provide the appropriate certificate chain on request
#
# The lists below decide which trust anchors, hash algorithms and
# signature types the verifier is built to accept.

# force these for Junos
#MANIFEST_SKIP_ALWAYS= boot
# Hash algorithms compiled into the verifier (SHA1 included; any
# restriction on its use is not decided in this file).
VE_HASH_LIST= \
	SHA1 \
	SHA256 \
	SHA384 \
	SHA512

# Signature algorithms compiled in; extended further down.
VE_SIGNATURE_LIST= \
	ECDSA \
	RSA

# Detached-signature file extensions matching the list above
# (esig for ECDSA, rsig for RSA).
VE_SIGNATURE_EXT_LIST= \
	esig \
	rsig

# "no" disables generation of the vc_* self-test material below.
VE_SELF_TESTS= yes

# Legacy RSA/SHA1 signatures (.sig) are only enabled when building the
# host-side "tests" directory.
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"

VE_SIGNATURE_LIST+= \
	DEPRECATED_RSA_SHA1

VE_SIGNATURE_EXT_LIST+= \
	sig
.endif

# add OpenPGP support - possibly dormant
# NOTE(review): OPENPGP/asc are appended again below (in the signing-server
# branch and in the TRUST_ANCHORS branch); harmless only if the consumer of
# these lists tolerates duplicate entries — confirm against Makefile.inc.
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# allow site override of all the above
# A site.trust.mk may redefine any list above, including widening the set
# of accepted algorithms; the leading '-' makes a missing file non-fatal.
.-include "site.trust.mk"

# Signing client; SB_TOOLS_PATH defaults to the Junos build-tools location.
SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py

# Branch 1: a signing client is present -> fetch certificate chains from
# the signing server.
.if exists(${SIGNER})
SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# Port numbers are derived from the current two-digit year: ':L' uses the
# text itself as the value and ':gmtime' runs it through strftime(3), so
# "133%y" becomes 133 followed by the year.  ':=' evaluates once at parse
# time.
ECDSA_PORT:= ${133%y:L:gmtime}
SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
RSA2_PORT:= ${163%y:L:gmtime}
SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256

# deal with quirk of our .esig format
XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN

.if !empty(OPENPGP_SIGN_URL)
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H

VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc

# openpgp-sign.py is expected alongside sign.py (:H strips the file name).
SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}

# OpenPGP trust anchor fetched from the signing service.
ta_openpgp.asc:
	${SIGN_OPENPGP} -C ${.TARGET}

ta_asc.h: ta_openpgp.asc

.if ${VE_SELF_TESTS} != "no"
# for self test
# vc_openpgp.asc is ta_openpgp.asc signed by the service; the tool writes
# <input>.asc, which is then renamed to the target.
vc_openpgp.asc: ta_openpgp.asc
	${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
	mv ta_openpgp.asc.asc ${.TARGET}

ta_asc.h: vc_openpgp.asc
.endif
.endif

# Full certificate chains (RSA and ECDSA) from the signing server.
rcerts.pem:
	${SIGN_RSA2} -C ${.TARGET}

ecerts.pem:
	${SIGN_ECDSA} -C ${.TARGET}

.if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
# the last cert in the chain is the one we want
# _LAST_PEM_USE / _2ndLAST_PEM_USE are presumably .USE recipes defined in
# the including Makefile — not visible here.
ta_ec.pem: ecerts.pem _LAST_PEM_USE
ta.h: ta_ec.pem
.if ${VE_SELF_TESTS} != "no"
# these are for verification self test
vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
ta.h: vc_ec.pem
.endif
.endif

.if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
ta_rsa.pem: rcerts.pem _LAST_PEM_USE
ta.h: ta_rsa.pem
.if ${VE_SELF_TESTS} != "no"
vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
ta.h: vc_rsa.pem
.endif
.endif

# we take the mtime of this as our baseline time
#BUILD_UTC_FILE= ecerts.pem
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1

# Branch 2: no signing client -> trust anchors must already be present in
# the source directory.
.else
# you need to provide t*.pem or t*.asc files for each trust anchor
# Fallback discovery lists every *.pem in .CURDIR (not only t*.pem), so a
# stray certificate placed here becomes a trust-anchor input; setting
# TRUST_ANCHORS explicitly avoids that.
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
# Without anchors the build is refused, except for EFI secure boot builds
# (presumably relying on firmware-provided trust — confirm).
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
.endif
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
ta.h: ${TRUST_ANCHORS:M*.pem}
.endif
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
VE_SIGNATURE_LIST+= OPENPGP
VE_SIGNATURE_EXT_LIST+= asc
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
.endif
# we take the mtime of this as our baseline time
# The first trust anchor's mtime becomes the baseline; a file with an
# unexpected mtime shifts that baseline — confirm how BUILD_UTC_FILE is
# consumed before relying on it.
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
.endif