feat(cert-create): add pkcs11 engine support
Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compliant PKCS11 URI to a key instead of a file as an
argument to one of the key options. This change is fully backwards
compatible.
This change makes use of the openssl engine API which is deprecated
since openssl 3.0 and will most likely be removed in version 4. So
pkcs11 support will have to be updated to the openssl provider API
in the near future.
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: If96725988ca62c5613ec59123943bf15922f5d1f
diff --git a/tools/cert_create/src/cca/cot.c b/tools/cert_create/src/cca/cot.c
index e39b036..372d908 100644
--- a/tools/cert_create/src/cca/cot.c
+++ b/tools/cert_create/src/cca/cot.c
@@ -414,35 +414,35 @@
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
- .help_msg = "Root Of Trust key (input/output file)",
+ .help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[SWD_ROT_KEY] = {
.id = SWD_ROT_KEY,
.opt = "swd-rot-key",
- .help_msg = "Secure World Root of Trust key",
+ .help_msg = "Secure World Root of Trust key file or PKCS11 URI",
.desc = "Secure World Root of Trust key"
},
[CORE_SWD_KEY] = {
.id = CORE_SWD_KEY,
.opt = "core-swd-key",
- .help_msg = "Core Secure World key",
+ .help_msg = "Core Secure World key file or PKCS11 URI",
.desc = "Core Secure World key"
},
[PROT_KEY] = {
.id = PROT_KEY,
.opt = "prot-key",
- .help_msg = "Platform Root of Trust key",
+ .help_msg = "Platform Root of Trust key file or PKCS11 URI",
.desc = "Platform Root of Trust key"
},
[PLAT_KEY] = {
.id = PLAT_KEY,
.opt = "plat-key",
- .help_msg = "Platform key",
+ .help_msg = "Platform key file or PKCS11 URI",
.desc = "Platform key"
},
};
diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
index 4dd4cf0..81a7d75 100644
--- a/tools/cert_create/src/dualroot/cot.c
+++ b/tools/cert_create/src/dualroot/cot.c
@@ -540,42 +540,42 @@
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
- .help_msg = "Root Of Trust key (input/output file)",
+ .help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[TRUSTED_WORLD_KEY] = {
.id = TRUSTED_WORLD_KEY,
.opt = "trusted-world-key",
- .help_msg = "Trusted World key (input/output file)",
+ .help_msg = "Trusted World key file or PKCS11 URI",
.desc = "Trusted World key"
},
[SCP_FW_CONTENT_CERT_KEY] = {
.id = SCP_FW_CONTENT_CERT_KEY,
.opt = "scp-fw-key",
- .help_msg = "SCP Firmware Content Certificate key (input/output file)",
+ .help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI",
.desc = "SCP Firmware Content Certificate key"
},
[SOC_FW_CONTENT_CERT_KEY] = {
.id = SOC_FW_CONTENT_CERT_KEY,
.opt = "soc-fw-key",
- .help_msg = "SoC Firmware Content Certificate key (input/output file)",
+ .help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI",
.desc = "SoC Firmware Content Certificate key"
},
[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.opt = "tos-fw-key",
- .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+ .help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI",
.desc = "Trusted OS Firmware Content Certificate key"
},
[PROT_KEY] = {
.id = PROT_KEY,
.opt = "prot-key",
- .help_msg = "Platform Root of Trust key",
+ .help_msg = "Platform Root of Trust key file or PKCS11 URI",
.desc = "Platform Root of Trust key"
},
};
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index dc953d7..32229d1 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -9,7 +9,11 @@
#include <stdlib.h>
#include <string.h>
+/* Suppress OpenSSL engine deprecation warnings */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <openssl/conf.h>
+#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
@@ -189,29 +193,69 @@
return 0;
}
+static EVP_PKEY *key_load_pkcs11(const char *uri)
+{
+ char *key_pass;
+ EVP_PKEY *pkey;
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+ e = ENGINE_by_id("pkcs11");
+ if (!e) {
+ fprintf(stderr, "Cannot Load PKCS#11 ENGINE\n");
+ return NULL;
+ }
+
+ if (!ENGINE_init(e)) {
+ fprintf(stderr, "Cannot ENGINE_init\n");
+ goto err;
+ }
+
+ key_pass = getenv("PKCS11_PIN");
+ if (key_pass) {
+ if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+ fprintf(stderr, "Cannot Set PKCS#11 PIN\n");
+ goto err;
+ }
+ }
+
+ pkey = ENGINE_load_private_key(e, uri, NULL, NULL);
+ if (pkey)
+ return pkey;
+err:
+ ENGINE_free(e);
+ return NULL;
+
+}
+
int key_load(key_t *key, unsigned int *err_code)
{
FILE *fp;
if (key->fn) {
- /* Load key from file */
- fp = fopen(key->fn, "r");
- if (fp) {
- key->key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
- fclose(fp);
- if (key->key) {
- *err_code = KEY_ERR_NONE;
- return 1;
+ if (!strncmp(key->fn, "pkcs11:", 7)) {
+ /* Load key through pkcs11 */
+ key->key = key_load_pkcs11(key->fn);
+ } else {
+ /* Load key from file */
+ fp = fopen(key->fn, "r");
+ if (fp) {
+ key->key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
+ fclose(fp);
} else {
- ERROR("Cannot load key from %s\n", key->fn);
- *err_code = KEY_ERR_LOAD;
+ WARN("Cannot open file %s\n", key->fn);
+ *err_code = KEY_ERR_OPEN;
}
+ }
+ if (key->key) {
+ *err_code = KEY_ERR_NONE;
+ return 1;
} else {
- WARN("Cannot open file %s\n", key->fn);
- *err_code = KEY_ERR_OPEN;
+ ERROR("Cannot load key from %s\n", key->fn);
+ *err_code = KEY_ERR_LOAD;
}
} else {
- VERBOSE("Key filename not specified\n");
+ VERBOSE("Key not specified\n");
*err_code = KEY_ERR_FILENAME;
}
@@ -223,6 +267,10 @@
FILE *fp;
if (key->fn) {
+ if (!strncmp(key->fn, "pkcs11:", 7)) {
+ ERROR("PKCS11 URI provided instead of a file");
+ return 0;
+ }
fp = fopen(key->fn, "w");
if (fp) {
PEM_write_PrivateKey(fp, key->key,
diff --git a/tools/cert_create/src/tbbr/tbb_key.c b/tools/cert_create/src/tbbr/tbb_key.c
index a81f0e4..5b84b6e 100644
--- a/tools/cert_create/src/tbbr/tbb_key.c
+++ b/tools/cert_create/src/tbbr/tbb_key.c
@@ -15,43 +15,43 @@
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
- .help_msg = "Root Of Trust key (input/output file)",
+ .help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[TRUSTED_WORLD_KEY] = {
.id = TRUSTED_WORLD_KEY,
.opt = "trusted-world-key",
- .help_msg = "Trusted World key (input/output file)",
+ .help_msg = "Trusted World key file or PKCS11 URI",
.desc = "Trusted World key"
},
[NON_TRUSTED_WORLD_KEY] = {
.id = NON_TRUSTED_WORLD_KEY,
.opt = "non-trusted-world-key",
- .help_msg = "Non Trusted World key (input/output file)",
+ .help_msg = "Non Trusted World key file or PKCS11 URI",
.desc = "Non Trusted World key"
},
[SCP_FW_CONTENT_CERT_KEY] = {
.id = SCP_FW_CONTENT_CERT_KEY,
.opt = "scp-fw-key",
- .help_msg = "SCP Firmware Content Certificate key (input/output file)",
+ .help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI",
.desc = "SCP Firmware Content Certificate key"
},
[SOC_FW_CONTENT_CERT_KEY] = {
.id = SOC_FW_CONTENT_CERT_KEY,
.opt = "soc-fw-key",
- .help_msg = "SoC Firmware Content Certificate key (input/output file)",
+ .help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI",
.desc = "SoC Firmware Content Certificate key"
},
[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.opt = "tos-fw-key",
- .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+ .help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI",
.desc = "Trusted OS Firmware Content Certificate key"
},
[NON_TRUSTED_FW_CONTENT_CERT_KEY] = {
.id = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.opt = "nt-fw-key",
- .help_msg = "Non Trusted Firmware Content Certificate key (input/output file)",
+ .help_msg = "Non Trusted Firmware Content Certificate key file or PKCS11 URI",
.desc = "Non Trusted Firmware Content Certificate key"
}
};