Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 3168a207a3f951d3eacaaa633f6b83da230d0991 / . / tools / cert_create / src / cert.c
blob: c68a265b4337ff417e8fbfeef77b70c3bd55e1fb [file] [log] [blame]
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]1/*
Justin Chadwell3168a202019-09-09 15:24:31 +0100[diff] [blame^]2 * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]3 *
dp-armfa3cf0b2017-05-03 09:38:09 +0100[diff] [blame]4 * SPDX-License-Identifier: BSD-3-Clause
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]5 */
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <openssl/conf.h>
12#include <openssl/err.h>
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]13#include <openssl/opensslv.h>
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]14#include <openssl/pem.h>
15#include <openssl/sha.h>
16#include <openssl/x509v3.h>
17
Masahiro Yamadaa27c1662017-05-22 12:11:24 +0900[diff] [blame]18#if USE_TBBR_DEFS
19#include <tbbr_oid.h>
20#else
21#include <platform_oid.h>
22#endif
23
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]24#include "cert.h"
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]25#include "cmd_opt.h"
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]26#include "debug.h"
27#include "key.h"
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]28#include "sha.h"
29
30#define SERIAL_RAND_BITS 64
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]31#define RSA_SALT_LEN 32
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]32
33int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
34{
35 BIGNUM *btmp;
36 int ret = 0;
37 if (b)
38 btmp = b;
39 else
40 btmp = BN_new();
41
42 if (!btmp)
43 return 0;
44
45 if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
46 goto error;
47 if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
48 goto error;
49
50 ret = 1;
51
52error:
53
54 if (!b)
55 BN_free(btmp);
56
57 return ret;
58}
Qixiang Xu76a5a9b2017-11-09 13:51:58 +0800[diff] [blame]59const EVP_MD *get_digest(int alg)
60{
61 switch (alg) {
62 case HASH_ALG_SHA256:
63 return EVP_sha256();
64 case HASH_ALG_SHA384:
65 return EVP_sha384();
66 case HASH_ALG_SHA512:
67 return EVP_sha512();
68 default:
69 return NULL;
70 }
71}
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]72
73int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
74{
75 X509_EXTENSION *ex;
76 X509V3_CTX ctx;
77
78 /* No configuration database */
79 X509V3_set_ctx_nodb(&ctx);
80
81 /* Set issuer and subject certificates in the context */
82 X509V3_set_ctx(&ctx, issuer, subject, NULL, NULL, 0);
83 ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
84 if (!ex) {
85 ERR_print_errors_fp(stdout);
86 return 0;
87 }
88
89 X509_add_ext(subject, ex, -1);
90 X509_EXTENSION_free(ex);
91
92 return 1;
93}
94
Qixiang Xu76a5a9b2017-11-09 13:51:58 +0800[diff] [blame]95int cert_new(
Qixiang Xu76a5a9b2017-11-09 13:51:58 +0800[diff] [blame]96 int md_alg,
97 cert_t *cert,
98 int days,
99 int ca,
100 STACK_OF(X509_EXTENSION) * sk)
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]101{
Juan Castilloe6d30e92015-06-12 11:27:59 +0100[diff] [blame]102 EVP_PKEY *pkey = keys[cert->key].key;
103 cert_t *issuer_cert = &certs[cert->issuer];
104 EVP_PKEY *ikey = keys[issuer_cert->key].key;
105 X509 *issuer = issuer_cert->x;
Masahiro Yamada48cb5e52017-02-06 19:47:44 +0900[diff] [blame]106 X509 *x;
107 X509_EXTENSION *ex;
108 X509_NAME *name;
109 ASN1_INTEGER *sno;
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]110 int i, num, rc = 0;
Michalis Pappas38628942017-10-06 16:11:44 +0800[diff] [blame]111 EVP_MD_CTX *mdCtx;
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]112 EVP_PKEY_CTX *pKeyCtx = NULL;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]113
114 /* Create the certificate structure */
115 x = X509_new();
116 if (!x) {
117 return 0;
118 }
119
120 /* If we do not have a key, use the issuer key (the certificate will
121 * become self signed). This happens in content certificates. */
122 if (!pkey) {
123 pkey = ikey;
124 }
125
126 /* If we do not have an issuer certificate, use our own (the certificate
127 * will become self signed) */
128 if (!issuer) {
129 issuer = x;
130 }
131
Michalis Pappas38628942017-10-06 16:11:44 +0800[diff] [blame]132 mdCtx = EVP_MD_CTX_create();
133 if (mdCtx == NULL) {
134 ERR_print_errors_fp(stdout);
135 goto END;
136 }
Soby Mathew2fd70f62017-08-31 11:50:29 +0100[diff] [blame]137
138 /* Sign the certificate with the issuer key */
Qixiang Xu76a5a9b2017-11-09 13:51:58 +0800[diff] [blame]139 if (!EVP_DigestSignInit(mdCtx, &pKeyCtx, get_digest(md_alg), NULL, ikey)) {
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]140 ERR_print_errors_fp(stdout);
141 goto END;
142 }
143
Soby Mathew2fd70f62017-08-31 11:50:29 +0100[diff] [blame]144 /*
Justin Chadwell3168a202019-09-09 15:24:31 +0100[diff] [blame^]145 * Set additional parameters if issuing public key algorithm is RSA.
146 * This is not required for ECDSA.
Soby Mathew2fd70f62017-08-31 11:50:29 +0100[diff] [blame]147 */
Justin Chadwell3168a202019-09-09 15:24:31 +0100[diff] [blame^]148 if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) {
Soby Mathew2fd70f62017-08-31 11:50:29 +0100[diff] [blame]149 if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
150 ERR_print_errors_fp(stdout);
151 goto END;
152 }
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]153
Soby Mathew2fd70f62017-08-31 11:50:29 +0100[diff] [blame]154 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
155 ERR_print_errors_fp(stdout);
156 goto END;
157 }
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]158
Qixiang Xu76a5a9b2017-11-09 13:51:58 +0800[diff] [blame]159 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, get_digest(md_alg))) {
Soby Mathew2fd70f62017-08-31 11:50:29 +0100[diff] [blame]160 ERR_print_errors_fp(stdout);
161 goto END;
162 }
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]163 }
164
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]165 /* x509.v3 */
166 X509_set_version(x, 2);
167
168 /* Random serial number */
169 sno = ASN1_INTEGER_new();
170 rand_serial(NULL, sno);
171 X509_set_serialNumber(x, sno);
172 ASN1_INTEGER_free(sno);
173
174 X509_gmtime_adj(X509_get_notBefore(x), 0);
175 X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*days);
176 X509_set_pubkey(x, pkey);
177
178 /* Subject name */
179 name = X509_get_subject_name(x);
180 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
181 (const unsigned char *)cert->cn, -1, -1, 0);
182 X509_set_subject_name(x, name);
183
184 /* Issuer name */
185 name = X509_get_issuer_name(x);
186 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
Juan Castilloe6d30e92015-06-12 11:27:59 +0100[diff] [blame]187 (const unsigned char *)issuer_cert->cn, -1, -1, 0);
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]188 X509_set_issuer_name(x, name);
189
190 /* Add various extensions: standard extensions */
191 cert_add_ext(issuer, x, NID_subject_key_identifier, "hash");
192 cert_add_ext(issuer, x, NID_authority_key_identifier, "keyid:always");
193 if (ca) {
194 cert_add_ext(issuer, x, NID_basic_constraints, "CA:TRUE");
195 cert_add_ext(issuer, x, NID_key_usage, "keyCertSign");
196 } else {
197 cert_add_ext(issuer, x, NID_basic_constraints, "CA:FALSE");
198 }
199
200 /* Add custom extensions */
201 if (sk != NULL) {
202 num = sk_X509_EXTENSION_num(sk);
203 for (i = 0; i < num; i++) {
204 ex = sk_X509_EXTENSION_value(sk, i);
205 X509_add_ext(x, ex, -1);
206 }
207 }
208
Michalis Pappas38628942017-10-06 16:11:44 +0800[diff] [blame]209 if (!X509_sign_ctx(x, mdCtx)) {
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]210 ERR_print_errors_fp(stdout);
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]211 goto END;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]212 }
213
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]214 /* X509 certificate signed successfully */
215 rc = 1;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]216 cert->x = x;
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]217
218END:
Michalis Pappas38628942017-10-06 16:11:44 +0800[diff] [blame]219 EVP_MD_CTX_destroy(mdCtx);
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]220 return rc;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]221}
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]222
223int cert_init(void)
224{
Juan Castillo212f7382015-12-15 16:37:57 +0000[diff] [blame]225 cmd_opt_t cmd_opt;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]226 cert_t *cert;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]227 unsigned int i;
228
229 for (i = 0; i < num_certs; i++) {
230 cert = &certs[i];
Juan Castillo212f7382015-12-15 16:37:57 +0000[diff] [blame]231 cmd_opt.long_opt.name = cert->opt;
232 cmd_opt.long_opt.has_arg = required_argument;
233 cmd_opt.long_opt.flag = NULL;
234 cmd_opt.long_opt.val = CMD_OPT_CERT;
235 cmd_opt.help_msg = cert->help_msg;
236 cmd_opt_add(&cmd_opt);
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]237 }
238
Juan Castillo212f7382015-12-15 16:37:57 +0000[diff] [blame]239 return 0;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]240}
241
242cert_t *cert_get_by_opt(const char *opt)
243{
Masahiro Yamada48cb5e52017-02-06 19:47:44 +0900[diff] [blame]244 cert_t *cert;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]245 unsigned int i;
246
247 for (i = 0; i < num_certs; i++) {
248 cert = &certs[i];
249 if (0 == strcmp(cert->opt, opt)) {
250 return cert;
251 }
252 }
253
254 return NULL;
255}