Working order in testing for both RSA 3072 and p256
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
tlaurion committed May 16, 2024
1 parent 12888ea commit d3a61d1
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions initrd/bin/oem-factory-reset
@@ -38,9 +38,10 @@ MAX_HOTP_GPG_PIN_LENGTH=25
CUSTOM_PASS_AFFECTED_COMPONENTS=""

# Default GPG Algorithm is RSA
# p256 also supported (TODO: nk3 supports RSA 4096 in secure element in firmare v1.7.1. Switch!?
GPG_ALGO="RSA"
# Default RSA key length
RSA_KEY_LENGTH=2048
# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
RSA_KEY_LENGTH=3072

GPG_USER_NAME="OEM Key"
GPG_KEY_NAME=$(date +%Y%m%d%H%M%S)
@@ -96,11 +97,11 @@ generate_inmemory_RSA_master_and_subkeys() {
{
echo "Key-Type: RSA" # RSA key
echo "Key-Length: ${RSA_KEY_LENGTH}" # RSA key length
echo "Key-Usage: cert" # RSA key usage as certificate
echo "Key-Usage: sign" # RSA key usage
echo "Name-Real: ${GPG_USER_NAME}" # User name
echo "Name-Comment: ${GPG_USER_COMMENT}" # User comment
echo "Name-Email: ${GPG_USER_MAIL}" # User email
echo "Expire-Date: 0" # No validity/expiration date
echo "Expire-Date: 0" # No expiration date
echo "Passphrase: ${ADMIN_PIN}" # Admin PIN
echo "%commit" # Commit changes
} | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key >/tmp/gpg_card_edit_output 2>&1
@@ -156,7 +157,7 @@ generate_inmemory_RSA_master_and_subkeys() {
echo A # enable authentication capability
echo Q # Quit
echo ${RSA_KEY_LENGTH} # Authentication key size set to RSA_KEY_LENGTH
echo 0 # No validity/expiration date
echo 0 # No expiration date
echo ${ADMIN_PIN} # Local keyring admin pin
echo y # confirm
echo save # save changes and commit to keyring
@@ -183,7 +184,7 @@ generate_inmemory_p256_master_and_subkeys() {
echo "Name-Comment: ${GPG_USER_COMMENT}" # User comment
echo "Name-Email: ${GPG_USER_MAIL}" # User email
echo "Passphrase: ${ADMIN_PIN}" # Local keyring admin pin
echo "Expire-Date: 0" # No validity/expiration date
echo "Expire-Date: 0" # No expiration date
echo "%commit" # Commit changes
} | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \
>/tmp/gpg_card_edit_output 2>&1
@@ -233,7 +234,7 @@ generate_inmemory_p256_master_and_subkeys() {
echo A # activate auth
echo Q # Quit
echo 3 # P-256
echo 0 # No validity/expiration date
echo 0 # no expiration
echo ${ADMIN_PIN} # Local keyring admin pin
echo save # save changes and commit to keyring
} | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
@@ -1125,7 +1126,7 @@ assert_signable
# Action time...

# clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory
killall gpg-agent scdaemon >/dev/null 2>&1 || true
killall gpg-agent >/dev/null 2>&1 || true
# clear local keyring
rm -rf /.gnupg/*.kbx /.gnupg/*.gpg >/dev/null 2>&1 || true

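Review bot: `echo "Key-Usage: sign"` in the batch parameters of generate_inmemory_RSA_master_and_subkeys (hunk at @@ -96) makes the primary key sign-capable on top of the certify capability OpenPGP always gives a primary key, whereas the replaced `cert` line kept the primary certify-only, and neither the commit message nor the inline comment `# RSA key usage` says why the wider capability is wanted. The later `--edit-key` steps in the same function (hunk at @@ -156) appear to add at least an authentication subkey, so the primary does not seem to need day-to-day signing itself; a certify-only primary with sign/encrypt/auth subkeys is the usual layout when the key material is moved to a smartcard, and an unexplained change away from it is likely to be reverted by the next reader. If `cert` was rejected by the GnuPG build in use, record that next to the line, e.g. `echo "Key-Usage: sign" # cert is implied for primary keys; sign added because [reason] — TODO confirm`. The enclosing function starts before this hunk and continues past it.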
