Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 1 | /* |
Juan Pablo Conde | 3539c74 | 2022-10-25 19:41:02 -0400 | [diff] [blame^] | 2 | * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved. |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 3 | * |
dp-arm | fa3cf0b | 2017-05-03 09:38:09 +0100 | [diff] [blame] | 4 | * SPDX-License-Identifier: BSD-3-Clause |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 5 | */ |
| 6 | |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 7 | #include <assert.h> |
| 8 | #include <ctype.h> |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 9 | #include <getopt.h> |
| 10 | #include <stdio.h> |
| 11 | #include <stdlib.h> |
| 12 | #include <string.h> |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 13 | #include <stdbool.h> |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 14 | |
| 15 | #include <openssl/conf.h> |
| 16 | #include <openssl/engine.h> |
| 17 | #include <openssl/err.h> |
| 18 | #include <openssl/pem.h> |
| 19 | #include <openssl/sha.h> |
| 20 | #include <openssl/x509v3.h> |
| 21 | |
| 22 | #include "cert.h" |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 23 | #include "cmd_opt.h" |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 24 | #include "debug.h" |
| 25 | #include "ext.h" |
| 26 | #include "key.h" |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 27 | #include "sha.h" |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 28 | |
| 29 | /* |
| 30 | * Helper macros to simplify the code. This macro assigns the return value of |
| 31 | * the 'fn' function to 'v' and exits if the value is NULL. |
| 32 | */ |
| 33 | #define CHECK_NULL(v, fn) \ |
| 34 | do { \ |
| 35 | v = fn; \ |
| 36 | if (v == NULL) { \ |
| 37 | ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \ |
| 38 | exit(1); \ |
| 39 | } \ |
| 40 | } while (0) |
| 41 | |
| 42 | /* |
| 43 | * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the |
| 44 | * NID is undefined. |
| 45 | */ |
| 46 | #define CHECK_OID(v, oid) \ |
| 47 | do { \ |
| 48 | v = OBJ_txt2nid(oid); \ |
| 49 | if (v == NID_undef) { \ |
Sandrine Bailleux | 0d11b48 | 2020-01-15 11:01:25 +0100 | [diff] [blame] | 50 | ERROR("Cannot find extension %s\n", oid); \ |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 51 | exit(1); \ |
| 52 | } \ |
| 53 | } while (0) |
| 54 | |
| 55 | #define MAX_FILENAME_LEN 1024 |
| 56 | #define VAL_DAYS 7300 |
| 57 | #define ID_TO_BIT_MASK(id) (1 << id) |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 58 | #define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0]))) |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 59 | #define HELP_OPT_MAX_LEN 128 |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 60 | |
| 61 | /* Global options */ |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 62 | static int key_alg; |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 63 | static int hash_alg; |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 64 | static int key_size; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 65 | static int new_keys; |
| 66 | static int save_keys; |
| 67 | static int print_cert; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 68 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 69 | /* Info messages created in the Makefile */ |
| 70 | extern const char build_msg[]; |
| 71 | extern const char platform_msg[]; |
| 72 | |
| 73 | |
| 74 | static char *strdup(const char *str) |
| 75 | { |
| 76 | int n = strlen(str) + 1; |
| 77 | char *dup = malloc(n); |
| 78 | if (dup) { |
| 79 | strcpy(dup, str); |
| 80 | } |
| 81 | return dup; |
| 82 | } |
| 83 | |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 84 | static const char *key_algs_str[] = { |
| 85 | [KEY_ALG_RSA] = "rsa", |
Juan Castillo | a2224ab | 2015-06-30 13:36:57 +0100 | [diff] [blame] | 86 | #ifndef OPENSSL_NO_EC |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 87 | [KEY_ALG_ECDSA] = "ecdsa" |
Juan Castillo | a2224ab | 2015-06-30 13:36:57 +0100 | [diff] [blame] | 88 | #endif /* OPENSSL_NO_EC */ |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 89 | }; |
| 90 | |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 91 | static const char *hash_algs_str[] = { |
| 92 | [HASH_ALG_SHA256] = "sha256", |
| 93 | [HASH_ALG_SHA384] = "sha384", |
| 94 | [HASH_ALG_SHA512] = "sha512", |
| 95 | }; |
| 96 | |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 97 | static void print_help(const char *cmd, const struct option *long_opt) |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 98 | { |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 99 | int rem, i = 0; |
| 100 | const struct option *opt; |
| 101 | char line[HELP_OPT_MAX_LEN]; |
| 102 | char *p; |
| 103 | |
| 104 | assert(cmd != NULL); |
| 105 | assert(long_opt != NULL); |
| 106 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 107 | printf("\n\n"); |
| 108 | printf("The certificate generation tool loads the binary images and\n" |
| 109 | "optionally the RSA keys, and outputs the key and content\n" |
| 110 | "certificates properly signed to implement the chain of trust.\n" |
| 111 | "If keys are provided, they must be in PEM format.\n" |
| 112 | "Certificates are generated in DER format.\n"); |
| 113 | printf("\n"); |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 114 | printf("Usage:\n"); |
| 115 | printf("\t%s [OPTIONS]\n\n", cmd); |
| 116 | |
| 117 | printf("Available options:\n"); |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 118 | opt = long_opt; |
| 119 | while (opt->name) { |
| 120 | p = line; |
| 121 | rem = HELP_OPT_MAX_LEN; |
| 122 | if (isalpha(opt->val)) { |
| 123 | /* Short format */ |
| 124 | sprintf(p, "-%c,", (char)opt->val); |
| 125 | p += 3; |
| 126 | rem -= 3; |
| 127 | } |
| 128 | snprintf(p, rem, "--%s %s", opt->name, |
| 129 | (opt->has_arg == required_argument) ? "<arg>" : ""); |
| 130 | printf("\t%-32s %s\n", line, cmd_opt_get_help_msg(i)); |
| 131 | opt++; |
| 132 | i++; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 133 | } |
| 134 | printf("\n"); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 135 | } |
| 136 | |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 137 | static int get_key_alg(const char *key_alg_str) |
| 138 | { |
| 139 | int i; |
| 140 | |
| 141 | for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) { |
| 142 | if (0 == strcmp(key_alg_str, key_algs_str[i])) { |
| 143 | return i; |
| 144 | } |
| 145 | } |
| 146 | |
| 147 | return -1; |
| 148 | } |
| 149 | |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 150 | static int get_key_size(const char *key_size_str) |
| 151 | { |
| 152 | char *end; |
| 153 | long key_size; |
| 154 | |
| 155 | key_size = strtol(key_size_str, &end, 10); |
| 156 | if (*end != '\0') |
| 157 | return -1; |
| 158 | |
| 159 | return key_size; |
| 160 | } |
| 161 | |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 162 | static int get_hash_alg(const char *hash_alg_str) |
| 163 | { |
| 164 | int i; |
| 165 | |
| 166 | for (i = 0 ; i < NUM_ELEM(hash_algs_str) ; i++) { |
| 167 | if (0 == strcmp(hash_alg_str, hash_algs_str[i])) { |
| 168 | return i; |
| 169 | } |
| 170 | } |
| 171 | |
| 172 | return -1; |
| 173 | } |
| 174 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 175 | static void check_cmd_params(void) |
| 176 | { |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 177 | cert_t *cert; |
| 178 | ext_t *ext; |
| 179 | key_t *key; |
| 180 | int i, j; |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 181 | bool valid_size; |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 182 | |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 183 | /* Only save new keys */ |
| 184 | if (save_keys && !new_keys) { |
| 185 | ERROR("Only new keys can be saved to disk\n"); |
| 186 | exit(1); |
| 187 | } |
| 188 | |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 189 | /* Validate key-size */ |
| 190 | valid_size = false; |
| 191 | for (i = 0; i < KEY_SIZE_MAX_NUM; i++) { |
| 192 | if (key_size == KEY_SIZES[key_alg][i]) { |
| 193 | valid_size = true; |
| 194 | break; |
| 195 | } |
| 196 | } |
| 197 | if (!valid_size) { |
| 198 | ERROR("'%d' is not a valid key size for '%s'\n", |
| 199 | key_size, key_algs_str[key_alg]); |
| 200 | NOTICE("Valid sizes are: "); |
| 201 | for (i = 0; i < KEY_SIZE_MAX_NUM && |
| 202 | KEY_SIZES[key_alg][i] != 0; i++) { |
| 203 | printf("%d ", KEY_SIZES[key_alg][i]); |
| 204 | } |
| 205 | printf("\n"); |
| 206 | exit(1); |
| 207 | } |
| 208 | |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 209 | /* Check that all required options have been specified in the |
| 210 | * command line */ |
| 211 | for (i = 0; i < num_certs; i++) { |
| 212 | cert = &certs[i]; |
| 213 | if (cert->fn == NULL) { |
| 214 | /* Certificate not requested. Skip to the next one */ |
| 215 | continue; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 216 | } |
| 217 | |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 218 | /* Check that all parameters required to create this certificate |
| 219 | * have been specified in the command line */ |
| 220 | for (j = 0; j < cert->num_ext; j++) { |
| 221 | ext = &extensions[cert->ext[j]]; |
| 222 | switch (ext->type) { |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 223 | case EXT_TYPE_NVCOUNTER: |
| 224 | /* Counter value must be specified */ |
| 225 | if ((!ext->optional) && (ext->arg == NULL)) { |
| 226 | ERROR("Value for '%s' not specified\n", |
| 227 | ext->ln); |
| 228 | exit(1); |
| 229 | } |
| 230 | break; |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 231 | case EXT_TYPE_PKEY: |
| 232 | /* Key filename must be specified */ |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 233 | key = &keys[ext->attr.key]; |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 234 | if (!new_keys && key->fn == NULL) { |
| 235 | ERROR("Key '%s' required by '%s' not " |
| 236 | "specified\n", key->desc, |
| 237 | cert->cn); |
| 238 | exit(1); |
| 239 | } |
| 240 | break; |
| 241 | case EXT_TYPE_HASH: |
Yatharth Kochar | 5752b59 | 2015-08-21 15:30:55 +0100 | [diff] [blame] | 242 | /* |
| 243 | * Binary image must be specified |
| 244 | * unless it is explicitly made optional. |
| 245 | */ |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 246 | if ((!ext->optional) && (ext->arg == NULL)) { |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 247 | ERROR("Image for '%s' not specified\n", |
| 248 | ext->ln); |
| 249 | exit(1); |
| 250 | } |
| 251 | break; |
| 252 | default: |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 253 | ERROR("Unknown extension type '%d' in '%s'\n", |
| 254 | ext->type, ext->ln); |
Juan Castillo | 86958fd | 2015-07-08 12:11:38 +0100 | [diff] [blame] | 255 | exit(1); |
| 256 | break; |
| 257 | } |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 258 | } |
| 259 | } |
| 260 | } |
| 261 | |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 262 | /* Common command line options */ |
| 263 | static const cmd_opt_t common_cmd_opt[] = { |
| 264 | { |
| 265 | { "help", no_argument, NULL, 'h' }, |
| 266 | "Print this message and exit" |
| 267 | }, |
| 268 | { |
| 269 | { "key-alg", required_argument, NULL, 'a' }, |
Justin Chadwell | 3168a20 | 2019-09-09 15:24:31 +0100 | [diff] [blame] | 270 | "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'" |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 271 | }, |
| 272 | { |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 273 | { "key-size", required_argument, NULL, 'b' }, |
| 274 | "Key size (for supported algorithms)." |
| 275 | }, |
| 276 | { |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 277 | { "hash-alg", required_argument, NULL, 's' }, |
| 278 | "Hash algorithm : 'sha256' (default), 'sha384', 'sha512'" |
| 279 | }, |
| 280 | { |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 281 | { "save-keys", no_argument, NULL, 'k' }, |
| 282 | "Save key pairs into files. Filenames must be provided" |
| 283 | }, |
| 284 | { |
| 285 | { "new-keys", no_argument, NULL, 'n' }, |
| 286 | "Generate new key pairs if no key files are provided" |
| 287 | }, |
| 288 | { |
| 289 | { "print-cert", no_argument, NULL, 'p' }, |
| 290 | "Print the certificates in the standard output" |
| 291 | } |
| 292 | }; |
| 293 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 294 | int main(int argc, char *argv[]) |
| 295 | { |
Masahiro Yamada | 48cb5e5 | 2017-02-06 19:47:44 +0900 | [diff] [blame] | 296 | STACK_OF(X509_EXTENSION) * sk; |
Michalis Pappas | 3862894 | 2017-10-06 16:11:44 +0800 | [diff] [blame] | 297 | X509_EXTENSION *cert_ext = NULL; |
Masahiro Yamada | 48cb5e5 | 2017-02-06 19:47:44 +0900 | [diff] [blame] | 298 | ext_t *ext; |
| 299 | key_t *key; |
| 300 | cert_t *cert; |
| 301 | FILE *file; |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 302 | int i, j, ext_nid, nvctr; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 303 | int c, opt_idx = 0; |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 304 | const struct option *cmd_opt; |
| 305 | const char *cur_opt; |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 306 | unsigned int err_code; |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 307 | unsigned char md[SHA512_DIGEST_LENGTH]; |
| 308 | unsigned int md_len; |
Juan Castillo | ac40293 | 2015-03-05 14:30:00 +0000 | [diff] [blame] | 309 | const EVP_MD *md_info; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 310 | |
| 311 | NOTICE("CoT Generation Tool: %s\n", build_msg); |
| 312 | NOTICE("Target platform: %s\n", platform_msg); |
| 313 | |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 314 | /* Set default options */ |
| 315 | key_alg = KEY_ALG_RSA; |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 316 | hash_alg = HASH_ALG_SHA256; |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 317 | key_size = -1; |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 318 | |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 319 | /* Add common command line options */ |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 320 | for (i = 0; i < NUM_ELEM(common_cmd_opt); i++) { |
| 321 | cmd_opt_add(&common_cmd_opt[i]); |
| 322 | } |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 323 | |
| 324 | /* Initialize the certificates */ |
| 325 | if (cert_init() != 0) { |
| 326 | ERROR("Cannot initialize certificates\n"); |
| 327 | exit(1); |
| 328 | } |
| 329 | |
| 330 | /* Initialize the keys */ |
| 331 | if (key_init() != 0) { |
| 332 | ERROR("Cannot initialize keys\n"); |
| 333 | exit(1); |
| 334 | } |
| 335 | |
| 336 | /* Initialize the new types and register OIDs for the extensions */ |
| 337 | if (ext_init() != 0) { |
Sandrine Bailleux | 0d11b48 | 2020-01-15 11:01:25 +0100 | [diff] [blame] | 338 | ERROR("Cannot initialize extensions\n"); |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 339 | exit(1); |
| 340 | } |
| 341 | |
| 342 | /* Get the command line options populated during the initialization */ |
| 343 | cmd_opt = cmd_opt_get_array(); |
| 344 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 345 | while (1) { |
| 346 | /* getopt_long stores the option index here. */ |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 347 | c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 348 | |
| 349 | /* Detect the end of the options. */ |
| 350 | if (c == -1) { |
| 351 | break; |
| 352 | } |
| 353 | |
| 354 | switch (c) { |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 355 | case 'a': |
| 356 | key_alg = get_key_alg(optarg); |
| 357 | if (key_alg < 0) { |
| 358 | ERROR("Invalid key algorithm '%s'\n", optarg); |
| 359 | exit(1); |
| 360 | } |
| 361 | break; |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 362 | case 'b': |
| 363 | key_size = get_key_size(optarg); |
| 364 | if (key_size <= 0) { |
| 365 | ERROR("Invalid key size '%s'\n", optarg); |
| 366 | exit(1); |
| 367 | } |
| 368 | break; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 369 | case 'h': |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 370 | print_help(argv[0], cmd_opt); |
Roberto Vargas | 58a5b2b | 2018-06-27 08:23:22 +0100 | [diff] [blame] | 371 | exit(0); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 372 | case 'k': |
| 373 | save_keys = 1; |
| 374 | break; |
| 375 | case 'n': |
| 376 | new_keys = 1; |
| 377 | break; |
| 378 | case 'p': |
| 379 | print_cert = 1; |
| 380 | break; |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 381 | case 's': |
| 382 | hash_alg = get_hash_alg(optarg); |
| 383 | if (hash_alg < 0) { |
| 384 | ERROR("Invalid hash algorithm '%s'\n", optarg); |
| 385 | exit(1); |
| 386 | } |
| 387 | break; |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 388 | case CMD_OPT_EXT: |
| 389 | cur_opt = cmd_opt_get_name(opt_idx); |
| 390 | ext = ext_get_by_opt(cur_opt); |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 391 | ext->arg = strdup(optarg); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 392 | break; |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 393 | case CMD_OPT_KEY: |
| 394 | cur_opt = cmd_opt_get_name(opt_idx); |
| 395 | key = key_get_by_opt(cur_opt); |
| 396 | key->fn = strdup(optarg); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 397 | break; |
Juan Castillo | 1218dd5 | 2015-07-03 16:23:16 +0100 | [diff] [blame] | 398 | case CMD_OPT_CERT: |
| 399 | cur_opt = cmd_opt_get_name(opt_idx); |
| 400 | cert = cert_get_by_opt(cur_opt); |
| 401 | cert->fn = strdup(optarg); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 402 | break; |
| 403 | case '?': |
| 404 | default: |
Juan Castillo | 212f738 | 2015-12-15 16:37:57 +0000 | [diff] [blame] | 405 | print_help(argv[0], cmd_opt); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 406 | exit(1); |
| 407 | } |
| 408 | } |
| 409 | |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 410 | /* Select a reasonable default key-size */ |
| 411 | if (key_size == -1) { |
| 412 | key_size = KEY_SIZES[key_alg][0]; |
| 413 | } |
| 414 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 415 | /* Check command line arguments */ |
| 416 | check_cmd_params(); |
| 417 | |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 418 | /* Indicate SHA as image hash algorithm in the certificate |
Juan Castillo | ac40293 | 2015-03-05 14:30:00 +0000 | [diff] [blame] | 419 | * extension */ |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 420 | if (hash_alg == HASH_ALG_SHA384) { |
| 421 | md_info = EVP_sha384(); |
| 422 | md_len = SHA384_DIGEST_LENGTH; |
| 423 | } else if (hash_alg == HASH_ALG_SHA512) { |
| 424 | md_info = EVP_sha512(); |
| 425 | md_len = SHA512_DIGEST_LENGTH; |
| 426 | } else { |
| 427 | md_info = EVP_sha256(); |
| 428 | md_len = SHA256_DIGEST_LENGTH; |
| 429 | } |
Juan Castillo | ac40293 | 2015-03-05 14:30:00 +0000 | [diff] [blame] | 430 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 431 | /* Load private keys from files (or generate new ones) */ |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 432 | for (i = 0 ; i < num_keys ; i++) { |
Juan Pablo Conde | 3539c74 | 2022-10-25 19:41:02 -0400 | [diff] [blame^] | 433 | #if !USING_OPENSSL3 |
Masahiro Yamada | bccb109 | 2017-02-06 21:15:01 +0900 | [diff] [blame] | 434 | if (!key_new(&keys[i])) { |
| 435 | ERROR("Failed to allocate key container\n"); |
| 436 | exit(1); |
| 437 | } |
Juan Pablo Conde | 3539c74 | 2022-10-25 19:41:02 -0400 | [diff] [blame^] | 438 | #endif |
Masahiro Yamada | bccb109 | 2017-02-06 21:15:01 +0900 | [diff] [blame] | 439 | |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 440 | /* First try to load the key from disk */ |
| 441 | if (key_load(&keys[i], &err_code)) { |
| 442 | /* Key loaded successfully */ |
| 443 | continue; |
| 444 | } |
| 445 | |
| 446 | /* Key not loaded. Check the error code */ |
Masahiro Yamada | bccb109 | 2017-02-06 21:15:01 +0900 | [diff] [blame] | 447 | if (err_code == KEY_ERR_LOAD) { |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 448 | /* File exists, but it does not contain a valid private |
| 449 | * key. Abort. */ |
| 450 | ERROR("Error loading '%s'\n", keys[i].fn); |
| 451 | exit(1); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 452 | } |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 453 | |
| 454 | /* File does not exist, could not be opened or no filename was |
| 455 | * given */ |
| 456 | if (new_keys) { |
| 457 | /* Try to create a new key */ |
| 458 | NOTICE("Creating new key for '%s'\n", keys[i].desc); |
Justin Chadwell | febe86c | 2019-07-29 17:13:45 +0100 | [diff] [blame] | 459 | if (!key_create(&keys[i], key_alg, key_size)) { |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 460 | ERROR("Error creating key '%s'\n", keys[i].desc); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 461 | exit(1); |
| 462 | } |
Juan Castillo | f9f39c3 | 2015-06-01 16:34:23 +0100 | [diff] [blame] | 463 | } else { |
| 464 | if (err_code == KEY_ERR_OPEN) { |
| 465 | ERROR("Error opening '%s'\n", keys[i].fn); |
| 466 | } else { |
| 467 | ERROR("Key '%s' not specified\n", keys[i].desc); |
| 468 | } |
| 469 | exit(1); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 470 | } |
| 471 | } |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 472 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 473 | /* Create the certificates */ |
| 474 | for (i = 0 ; i < num_certs ; i++) { |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 475 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 476 | cert = &certs[i]; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 477 | |
Manish V Badarkhe | 2b7e70e | 2021-01-26 10:55:49 +0000 | [diff] [blame] | 478 | if (cert->fn == NULL) { |
| 479 | /* Certificate not requested. Skip to the next one */ |
| 480 | continue; |
| 481 | } |
| 482 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 483 | /* Create a new stack of extensions. This stack will be used |
| 484 | * to create the certificate */ |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 485 | CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 486 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 487 | for (j = 0 ; j < cert->num_ext ; j++) { |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 488 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 489 | ext = &extensions[cert->ext[j]]; |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 490 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 491 | /* Get OpenSSL internal ID for this extension */ |
| 492 | CHECK_OID(ext_nid, ext->oid); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 493 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 494 | /* |
| 495 | * Three types of extensions are currently supported: |
| 496 | * - EXT_TYPE_NVCOUNTER |
| 497 | * - EXT_TYPE_HASH |
| 498 | * - EXT_TYPE_PKEY |
| 499 | */ |
| 500 | switch (ext->type) { |
| 501 | case EXT_TYPE_NVCOUNTER: |
Jimmy Brisson | c913fa6 | 2021-01-20 15:34:51 -0600 | [diff] [blame] | 502 | if (ext->optional && ext->arg == NULL) { |
| 503 | /* Skip this NVCounter */ |
| 504 | continue; |
| 505 | } else { |
| 506 | /* Checked by `check_cmd_params` */ |
| 507 | assert(ext->arg != NULL); |
Yatharth Kochar | 79f8640 | 2016-06-22 14:49:27 +0100 | [diff] [blame] | 508 | nvctr = atoi(ext->arg); |
| 509 | CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid, |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 510 | EXT_CRIT, nvctr)); |
Yatharth Kochar | 79f8640 | 2016-06-22 14:49:27 +0100 | [diff] [blame] | 511 | } |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 512 | break; |
| 513 | case EXT_TYPE_HASH: |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 514 | if (ext->arg == NULL) { |
Yatharth Kochar | 5752b59 | 2015-08-21 15:30:55 +0100 | [diff] [blame] | 515 | if (ext->optional) { |
| 516 | /* Include a hash filled with zeros */ |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 517 | memset(md, 0x0, SHA512_DIGEST_LENGTH); |
Yatharth Kochar | 5752b59 | 2015-08-21 15:30:55 +0100 | [diff] [blame] | 518 | } else { |
| 519 | /* Do not include this hash in the certificate */ |
Jimmy Brisson | c913fa6 | 2021-01-20 15:34:51 -0600 | [diff] [blame] | 520 | continue; |
Yatharth Kochar | 5752b59 | 2015-08-21 15:30:55 +0100 | [diff] [blame] | 521 | } |
| 522 | } else { |
| 523 | /* Calculate the hash of the file */ |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 524 | if (!sha_file(hash_alg, ext->arg, md)) { |
Yatharth Kochar | 5752b59 | 2015-08-21 15:30:55 +0100 | [diff] [blame] | 525 | ERROR("Cannot calculate hash of %s\n", |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 526 | ext->arg); |
Yatharth Kochar | 5752b59 | 2015-08-21 15:30:55 +0100 | [diff] [blame] | 527 | exit(1); |
| 528 | } |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 529 | } |
| 530 | CHECK_NULL(cert_ext, ext_new_hash(ext_nid, |
| 531 | EXT_CRIT, md_info, md, |
Qixiang Xu | 76a5a9b | 2017-11-09 13:51:58 +0800 | [diff] [blame] | 532 | md_len)); |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 533 | break; |
| 534 | case EXT_TYPE_PKEY: |
| 535 | CHECK_NULL(cert_ext, ext_new_key(ext_nid, |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 536 | EXT_CRIT, keys[ext->attr.key].key)); |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 537 | break; |
| 538 | default: |
Juan Castillo | 4352998 | 2016-01-22 11:05:24 +0000 | [diff] [blame] | 539 | ERROR("Unknown extension type '%d' in %s\n", |
| 540 | ext->type, cert->cn); |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 541 | exit(1); |
| 542 | } |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 543 | |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 544 | /* Push the extension into the stack */ |
| 545 | sk_X509_EXTENSION_push(sk, cert_ext); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 546 | } |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 547 | |
Soby Mathew | 2fd70f6 | 2017-08-31 11:50:29 +0100 | [diff] [blame] | 548 | /* Create certificate. Signed with corresponding key */ |
Manish V Badarkhe | 2b7e70e | 2021-01-26 10:55:49 +0000 | [diff] [blame] | 549 | if (!cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) { |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 550 | ERROR("Cannot create %s\n", cert->cn); |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 551 | exit(1); |
| 552 | } |
| 553 | |
Jimmy Brisson | 63d0693 | 2020-07-24 14:31:48 -0500 | [diff] [blame] | 554 | for (cert_ext = sk_X509_EXTENSION_pop(sk); cert_ext != NULL; |
| 555 | cert_ext = sk_X509_EXTENSION_pop(sk)) { |
| 556 | X509_EXTENSION_free(cert_ext); |
| 557 | } |
| 558 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 559 | sk_X509_EXTENSION_free(sk); |
| 560 | } |
| 561 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 562 | |
| 563 | /* Print the certificates */ |
| 564 | if (print_cert) { |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 565 | for (i = 0 ; i < num_certs ; i++) { |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 566 | if (!certs[i].x) { |
| 567 | continue; |
| 568 | } |
| 569 | printf("\n\n=====================================\n\n"); |
| 570 | X509_print_fp(stdout, certs[i].x); |
| 571 | } |
| 572 | } |
| 573 | |
| 574 | /* Save created certificates to files */ |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 575 | for (i = 0 ; i < num_certs ; i++) { |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 576 | if (certs[i].x && certs[i].fn) { |
| 577 | file = fopen(certs[i].fn, "w"); |
| 578 | if (file != NULL) { |
| 579 | i2d_X509_fp(file, certs[i].x); |
| 580 | fclose(file); |
| 581 | } else { |
| 582 | ERROR("Cannot create file %s\n", certs[i].fn); |
| 583 | } |
| 584 | } |
| 585 | } |
| 586 | |
| 587 | /* Save keys */ |
| 588 | if (save_keys) { |
Juan Castillo | e6d30e9 | 2015-06-12 11:27:59 +0100 | [diff] [blame] | 589 | for (i = 0 ; i < num_keys ; i++) { |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 590 | if (!key_store(&keys[i])) { |
| 591 | ERROR("Cannot save %s\n", keys[i].desc); |
| 592 | } |
| 593 | } |
| 594 | } |
| 595 | |
Jimmy Brisson | 5328796 | 2020-07-27 10:43:40 -0500 | [diff] [blame] | 596 | /* If we got here, then we must have filled the key array completely. |
| 597 | * We can then safely call free on all of the keys in the array |
| 598 | */ |
Juan Pablo Conde | 3539c74 | 2022-10-25 19:41:02 -0400 | [diff] [blame^] | 599 | key_cleanup(); |
Jimmy Brisson | 5328796 | 2020-07-27 10:43:40 -0500 | [diff] [blame] | 600 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 601 | #ifndef OPENSSL_NO_ENGINE |
| 602 | ENGINE_cleanup(); |
| 603 | #endif |
| 604 | CRYPTO_cleanup_all_ex_data(); |
| 605 | |
Jimmy Brisson | 54db69e | 2020-07-27 11:23:20 -0500 | [diff] [blame] | 606 | |
| 607 | /* We allocated strings through strdup, so now we have to free them */ |
Jimmy Brisson | 54db69e | 2020-07-27 11:23:20 -0500 | [diff] [blame] | 608 | |
Juan Pablo Conde | 3539c74 | 2022-10-25 19:41:02 -0400 | [diff] [blame^] | 609 | ext_cleanup(); |
Jimmy Brisson | 54db69e | 2020-07-27 11:23:20 -0500 | [diff] [blame] | 610 | |
Juan Pablo Conde | 3539c74 | 2022-10-25 19:41:02 -0400 | [diff] [blame^] | 611 | cert_cleanup(); |
Jimmy Brisson | 54db69e | 2020-07-27 11:23:20 -0500 | [diff] [blame] | 612 | |
Juan Castillo | 11abdcd | 2014-10-21 11:30:42 +0100 | [diff] [blame] | 613 | return 0; |
| 614 | } |