swtpm_localca: Add support for creating IAK and IDevID certs

Add documentation to the man page. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Mar 19, 2024 · 56f94d7 · 56f94d7
1 parent e48d92a
commit 56f94d7
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/man/man8/swtpm_localca.pod b/man/man8/swtpm_localca.pod
@@ -41,7 +41,7 @@ The following options are supported:
 =item B<--type type>
 
 This parameter indicates the type of certificate to create. The type parameter may
-be one of the following: I<ek>, or I<platform>
+be one of the following: I<ek>, I<platform>, I<iak>, I<idevid>
 
 =item B<--dir dir>
 

diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
@@ -393,6 +393,7 @@ static int create_cert(unsigned long flags, const gchar *typ, const gchar *direc
     g_autofree gchar *parentkey_pwd_file = NULL;
     g_autofree gchar *parentkey_pwd_file_param = NULL;
     gboolean success;
+    g_autofree gchar *tmp_typ = g_strdup(typ);
     g_autofree gchar *standard_output = NULL;
     g_autofree gchar *standard_error = NULL;
     g_autofree gchar *swtpm_cert_path = NULL;
@@ -513,11 +514,13 @@ static int create_cert(unsigned long flags, const gchar *typ, const gchar *direc
 
     cmd = concat_arrays(cmd, tpm_attr_params, TRUE);
 
-    if (strcmp(typ, "platform") == 0) {
-        certfile = g_strjoin(G_DIR_SEPARATOR_S, directory, "platform.cert", NULL);
+    if (strcmp(typ, "platform") == 0 || strcmp(typ, "iak") == 0 || strcmp(typ, "idevid") == 0) {
+        g_autofree gchar *certfn = g_strconcat(typ, ".cert", NULL);
+
+        certfile = g_strjoin(G_DIR_SEPARATOR_S, directory, certfn, NULL);
         cmd = concat_arrays(cmd,
                             (gchar *[]){
-                                "--type", "platform",
+                                "--type", tmp_typ,
                                 "--out-cert", certfile,
                                 NULL},
                             TRUE);
@@ -542,7 +545,7 @@ static int create_cert(unsigned long flags, const gchar *typ, const gchar *direc
     if (strcmp(typ, "ek") == 0)
         certtype = "EK";
     else
-        certtype = "platform";
+        certtype = typ;
 #if 0
     {
         g_autofree gchar *join = g_strjoinv(" ", cmd);