add USER_ overrides for pubkey/prvkey/cert chain

Author: bigbrett

Makefile

@@ -40,17 +40,67 @@ ifneq ($(TARGET),library)
 	OBJS+=./hal/$(TARGET).o
 endif
 
+# User-provided key configuration
+# - USER_PRIVATE_KEY: Path to user's private key (DER format)
+# - USER_PUBLIC_KEY: Path to user's public key (DER format)
+# - USER_CERT_CHAIN: Path to user's certificate chain (DER format)
+# All must be provided together, or none at all
+
+# Validate USER_PRIVATE_KEY and USER_PUBLIC_KEY are used together
+ifneq ($(USER_PRIVATE_KEY),)
+  ifeq ($(USER_PUBLIC_KEY),)
+    $(error USER_PRIVATE_KEY requires USER_PUBLIC_KEY to also be set)
+  endif
+  ifeq ($(wildcard $(USER_PRIVATE_KEY)),)
+    $(error USER_PRIVATE_KEY file not found: $(USER_PRIVATE_KEY))
+  endif
+endif
+
+ifneq ($(USER_PUBLIC_KEY),)
+  ifeq ($(USER_PRIVATE_KEY),)
+    $(error USER_PUBLIC_KEY requires USER_PRIVATE_KEY to also be set)
+  endif
+  ifeq ($(wildcard $(USER_PUBLIC_KEY)),)
+    $(error USER_PUBLIC_KEY file not found: $(USER_PUBLIC_KEY))
+  endif
+endif
+
+# Validate USER_CERT_CHAIN requires USER_PRIVATE_KEY and USER_PUBLIC_KEY
+ifneq ($(USER_CERT_CHAIN),)
+  ifeq ($(USER_PRIVATE_KEY),)
+    $(error USER_CERT_CHAIN requires USER_PRIVATE_KEY to also be set)
+  endif
+  ifeq ($(USER_PUBLIC_KEY),)
+    $(error USER_CERT_CHAIN requires USER_PUBLIC_KEY to also be set)
+  endif
+  ifeq ($(wildcard $(USER_CERT_CHAIN)),)
+    $(error USER_CERT_CHAIN file not found: $(USER_CERT_CHAIN))
+  endif
+endif
+
 ifeq ($(SIGN),NONE)
   PRIVATE_KEY=
 else
   # Key selection logic:
-  # - Without CERT_CHAIN_GEN: Single key (wolfboot_signing_private_key.der) signs everything
-  # - With CERT_CHAIN_GEN: Generate cert chain, use leaf key (test-dummy-ca/leaf-prvkey.der) for signing
-  # - With PRIVATE_KEY override: Use user-provided key (for offline cert chain workflow)
-  ifneq ($(CERT_CHAIN_GEN),)
-    PRIVATE_KEY?=test-dummy-ca/leaf-prvkey.der
+  # 1. User-provided keys take precedence (USER_PRIVATE_KEY)
+  # 2. If CERT_CHAIN_VERIFY enabled and USER_CERT_CHAIN not provided, auto-generate cert chain
+  # 3. Otherwise use standard single key mode
+  # PRIVATE_KEY can still be overridden on CLI
+  ifneq ($(USER_PRIVATE_KEY),)
+    PRIVATE_KEY=$(USER_PRIVATE_KEY)
   else
-    PRIVATE_KEY?=wolfboot_signing_private_key.der
+    ifneq ($(CERT_CHAIN_VERIFY),)
+      ifeq ($(USER_CERT_CHAIN),)
+        # Auto-generate cert chain mode - use leaf key
+        PRIVATE_KEY?=test-dummy-ca/leaf-prvkey.der
+      else
+        # User provided cert chain but no USER_PRIVATE_KEY - should have been caught by validation
+        PRIVATE_KEY?=wolfboot_signing_private_key.der
+      endif
+    else
+      # No cert chain verification - standard single key mode
+      PRIVATE_KEY?=wolfboot_signing_private_key.der
+    endif
   endif
   ifeq ($(FLASH_OTP_KEYSTORE),1)
     OBJS+=./src/flash_otp_keystore.o
@@ -269,21 +319,31 @@ hal/$(TARGET).o:
 
 keytools_check: keytools
 
-# Generate the initial signing key
-# - Always creates wolfboot_signing_private_key.der
-# - If CERT_CHAIN_GEN is set, also generates cert chain with leaf key
+# Generate the initial signing key (only if not using user-provided keys)
+# - Creates wolfboot_signing_private_key.der when USER_PRIVATE_KEY is not set
+# - If CERT_CHAIN_VERIFY is enabled and USER_CERT_CHAIN not provided, also generates cert chain with leaf key
 wolfboot_signing_private_key.der:
+ifeq ($(USER_PRIVATE_KEY),)
 	$(Q)$(MAKE) keytools_check
 	$(Q)(test $(SIGN) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g wolfboot_signing_private_key.der) || true
 	$(Q)(test $(SIGN) = NONE) && (echo "// SIGN=NONE" >  src/keystore.c) || true
 	$(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true
-	$(Q)(test $(SIGN) = NONE) || (test "$(CERT_CHAIN_VERIFY)" = "") || (test "$(CERT_CHAIN_GEN)" = "") || (tools/scripts/sim-gen-dummy-chain.sh --algo $(CERT_CHAIN_GEN_ALGO) --leaf wolfboot_signing_private_key.der)
+	$(Q)(test $(SIGN) = NONE) || (test "$(CERT_CHAIN_VERIFY)" = "") || (test "$(USER_CERT_CHAIN)" != "") || (tools/scripts/sim-gen-dummy-chain.sh --algo $(CERT_CHAIN_GEN_ALGO) --leaf wolfboot_signing_private_key.der)
+else
+	@echo "Using user-provided private key: $(USER_PRIVATE_KEY)"
+endif
 
-# CERT_CHAIN_GEN only: Ensure leaf key exists after cert chain generation
-ifneq ($(CERT_CHAIN_GEN),)
+# Auto-generate cert chain mode: Ensure leaf key exists after cert chain generation
+# Only applies when CERT_CHAIN_VERIFY is enabled and USER_CERT_CHAIN not provided
+# Skip this when using user-provided keys
+ifeq ($(USER_PRIVATE_KEY),)
+ifneq ($(CERT_CHAIN_VERIFY),)
+ifeq ($(USER_CERT_CHAIN),)
 $(PRIVATE_KEY): wolfboot_signing_private_key.der
 	@test -f $(PRIVATE_KEY) || (echo "Error: $(PRIVATE_KEY) not found" && exit 1)
 endif
+endif
+endif
 
 $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der
 	$(Q)$(MAKE) keytools_check
@@ -436,13 +496,12 @@ srec: wolfboot.srec
 	@echo "\t[ELF2SREC] $@"
 	@$(OBJCOPY) -O srec $^ $@
 
-# When IMPORT_PUBLIC_KEY is set, generate keystore.c from the imported public key
-# instead of relying on key generation. This supports offline cert chain workflow.
-ifneq ($(IMPORT_PUBLIC_KEY),)
-src/keystore.c: $(IMPORT_PUBLIC_KEY)
-	@echo "Generating keystore from imported public key: $(IMPORT_PUBLIC_KEY)"
+# Keystore generation: use user-provided public key if available
+ifneq ($(USER_PUBLIC_KEY),)
+src/keystore.c: $(USER_PUBLIC_KEY)
+	@echo "Generating keystore from user-provided public key: $(USER_PUBLIC_KEY)"
 	$(Q)$(MAKE) keytools_check
-	$(Q)$(SIGN_ENV) "$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) --force -i $(IMPORT_PUBLIC_KEY)
+	$(Q)$(SIGN_ENV) "$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) --force -i $(USER_PUBLIC_KEY)
 else
 src/keystore.c: $(PRIVATE_KEY)
 endif
@@ -489,7 +548,7 @@ utilsclean: clean
 
 keysclean: clean
 	$(Q)rm -f *.pem *.der tags ./src/*_pub_key.c ./src/keystore.c include/target.h
-	$(Q)(test "$(CERT_CHAIN_GEN)" = "") || rm -rf test-dummy-ca || true
+	$(Q)(test "$(CERT_CHAIN_VERIFY)" = "" || test "$(USER_CERT_CHAIN)" != "") || rm -rf test-dummy-ca || true
 
 distclean: clean keysclean utilsclean
 	$(Q)rm -f *.bin *.elf

config/examples/aurix-tc375-elf-wolfHSM-certs.config

@@ -26,7 +26,6 @@ ELF_FLASH_SCATTER=1
 
 # Cert chain options
 CERT_CHAIN_VERIFY=1
-CERT_CHAIN_GEN=1
 
 # Ensure header is large enough to hold the cert chain (check sign tool output)
 # for actual length

config/examples/aurix-tc375-hsm-wolfHSM-certs.config

@@ -23,7 +23,6 @@ WOLFHSM_SERVER=1
 
 # Cert chain options
 CERT_CHAIN_VERIFY=1
-CERT_CHAIN_GEN=1
 
 # Ensure header is large enough to hold the cert chain (check sign tool output)
 # for actual length

config/examples/sim-wolfHSM-client-certchain.config

@@ -9,7 +9,6 @@ SPMATH=1
 
 # Cert chain options
 CERT_CHAIN_VERIFY=1
-CERT_CHAIN_GEN=1
 
 # Ensure header is large enough to hold the cert chain (check sign tool output)
 # for actual length

config/examples/sim-wolfHSM-server-certchain.config

@@ -9,7 +9,6 @@ SPMATH=1
 
 # Cert chain options
 CERT_CHAIN_VERIFY=1
-CERT_CHAIN_GEN=1
 
 # Ensure header is large enough to hold the cert chain (check sign tool output)
 # for actual length

options.mk

@@ -992,11 +992,15 @@ ifneq ($(CERT_CHAIN_VERIFY),)
   CFLAGS += -DWOLFBOOT_CERT_CHAIN_VERIFY
   # export the private key in DER format so it can be used with certificates
   KEYGEN_OPTIONS += --der
-  ifneq ($(CERT_CHAIN_GEN),)
-    # Use dummy cert chain file if not provided (needs to be generated when keys are generated)
+
+  # User-provided cert chain takes precedence
+  ifneq ($(USER_CERT_CHAIN),)
+    CERT_CHAIN_FILE = $(USER_CERT_CHAIN)
+  else
+    # Auto-generate dummy cert chain (when USER_CERT_CHAIN not provided)
     CERT_CHAIN_FILE = test-dummy-ca/raw-chain.der
 
-    # Set appropriate cert gen options based on sigalg
+    # Set appropriate cert gen algo based on signature algorithm
     ifeq ($(SIGN),ECC256)
       CERT_CHAIN_GEN_ALGO+=ecc256
     endif
@@ -1006,10 +1010,6 @@ ifneq ($(CERT_CHAIN_VERIFY),)
     ifeq ($(SIGN),RSA4096)
       CERT_CHAIN_GEN_ALGO+=rsa4096
     endif
-  else
-    ifeq ($(CERT_CHAIN_FILE),)
-      $(error CERT_CHAIN_FILE must be specified when CERT_CHAIN_VERIFY is enabled and not using CERT_CHAIN_GEN)
-    endif
   endif
   SIGN_OPTIONS += --cert-chain $(CERT_CHAIN_FILE)
 endif