Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / c3028a1d022cabc069b81e189eacc9b652d970b2 / . / tools / cert_create / src / cert.c
blob: 9775664a38d3d2b9cb9805a804b99ca24b7de80c [file] [log] [blame]
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]1/*
Masahiro Yamadaa27c1662017-05-22 12:11:24 +0900[diff] [blame]2 * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]3 *
dp-armfa3cf0b2017-05-03 09:38:09 +0100[diff] [blame]4 * SPDX-License-Identifier: BSD-3-Clause
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]5 */
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <openssl/conf.h>
12#include <openssl/err.h>
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]13#include <openssl/opensslv.h>
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]14#include <openssl/pem.h>
15#include <openssl/sha.h>
16#include <openssl/x509v3.h>
17
Masahiro Yamadaa27c1662017-05-22 12:11:24 +0900[diff] [blame]18#if USE_TBBR_DEFS
19#include <tbbr_oid.h>
20#else
21#include <platform_oid.h>
22#endif
23
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]24#include "cert.h"
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]25#include "cmd_opt.h"
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]26#include "debug.h"
27#include "key.h"
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]28#include "sha.h"
29
30#define SERIAL_RAND_BITS 64
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]31#define RSA_SALT_LEN 32
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]32
33int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
34{
35 BIGNUM *btmp;
36 int ret = 0;
37 if (b)
38 btmp = b;
39 else
40 btmp = BN_new();
41
42 if (!btmp)
43 return 0;
44
45 if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
46 goto error;
47 if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
48 goto error;
49
50 ret = 1;
51
52error:
53
54 if (!b)
55 BN_free(btmp);
56
57 return ret;
58}
59
60int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
61{
62 X509_EXTENSION *ex;
63 X509V3_CTX ctx;
64
65 /* No configuration database */
66 X509V3_set_ctx_nodb(&ctx);
67
68 /* Set issuer and subject certificates in the context */
69 X509V3_set_ctx(&ctx, issuer, subject, NULL, NULL, 0);
70 ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
71 if (!ex) {
72 ERR_print_errors_fp(stdout);
73 return 0;
74 }
75
76 X509_add_ext(subject, ex, -1);
77 X509_EXTENSION_free(ex);
78
79 return 1;
80}
81
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]82int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
83{
Juan Castilloe6d30e92015-06-12 11:27:59 +0100[diff] [blame]84 EVP_PKEY *pkey = keys[cert->key].key;
85 cert_t *issuer_cert = &certs[cert->issuer];
86 EVP_PKEY *ikey = keys[issuer_cert->key].key;
87 X509 *issuer = issuer_cert->x;
Masahiro Yamada48cb5e52017-02-06 19:47:44 +0900[diff] [blame]88 X509 *x;
89 X509_EXTENSION *ex;
90 X509_NAME *name;
91 ASN1_INTEGER *sno;
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]92 int i, num, rc = 0;
93 EVP_MD_CTX mdCtx;
94 EVP_PKEY_CTX *pKeyCtx = NULL;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]95
96 /* Create the certificate structure */
97 x = X509_new();
98 if (!x) {
99 return 0;
100 }
101
102 /* If we do not have a key, use the issuer key (the certificate will
103 * become self signed). This happens in content certificates. */
104 if (!pkey) {
105 pkey = ikey;
106 }
107
108 /* If we do not have an issuer certificate, use our own (the certificate
109 * will become self signed) */
110 if (!issuer) {
111 issuer = x;
112 }
113
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]114 EVP_MD_CTX_init(&mdCtx);
115 if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
116 ERR_print_errors_fp(stdout);
117 goto END;
118 }
119
120 if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
121 ERR_print_errors_fp(stdout);
122 goto END;
123 }
124
125 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
126 ERR_print_errors_fp(stdout);
127 goto END;
128 }
129
130 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
131 ERR_print_errors_fp(stdout);
132 goto END;
133 }
134
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]135 /* x509.v3 */
136 X509_set_version(x, 2);
137
138 /* Random serial number */
139 sno = ASN1_INTEGER_new();
140 rand_serial(NULL, sno);
141 X509_set_serialNumber(x, sno);
142 ASN1_INTEGER_free(sno);
143
144 X509_gmtime_adj(X509_get_notBefore(x), 0);
145 X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*days);
146 X509_set_pubkey(x, pkey);
147
148 /* Subject name */
149 name = X509_get_subject_name(x);
150 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
151 (const unsigned char *)cert->cn, -1, -1, 0);
152 X509_set_subject_name(x, name);
153
154 /* Issuer name */
155 name = X509_get_issuer_name(x);
156 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
Juan Castilloe6d30e92015-06-12 11:27:59 +0100[diff] [blame]157 (const unsigned char *)issuer_cert->cn, -1, -1, 0);
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]158 X509_set_issuer_name(x, name);
159
160 /* Add various extensions: standard extensions */
161 cert_add_ext(issuer, x, NID_subject_key_identifier, "hash");
162 cert_add_ext(issuer, x, NID_authority_key_identifier, "keyid:always");
163 if (ca) {
164 cert_add_ext(issuer, x, NID_basic_constraints, "CA:TRUE");
165 cert_add_ext(issuer, x, NID_key_usage, "keyCertSign");
166 } else {
167 cert_add_ext(issuer, x, NID_basic_constraints, "CA:FALSE");
168 }
169
170 /* Add custom extensions */
171 if (sk != NULL) {
172 num = sk_X509_EXTENSION_num(sk);
173 for (i = 0; i < num; i++) {
174 ex = sk_X509_EXTENSION_value(sk, i);
175 X509_add_ext(x, ex, -1);
176 }
177 }
178
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]179 if (!X509_sign_ctx(x, &mdCtx)) {
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]180 ERR_print_errors_fp(stdout);
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]181 goto END;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]182 }
183
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]184 /* X509 certificate signed successfully */
185 rc = 1;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]186 cert->x = x;
Soby Mathewd5b22d32017-05-22 16:12:33 +0100[diff] [blame]187
188END:
189 EVP_MD_CTX_cleanup(&mdCtx);
190 return rc;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]191}
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]192
193int cert_init(void)
194{
Juan Castillo212f7382015-12-15 16:37:57 +0000[diff] [blame]195 cmd_opt_t cmd_opt;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]196 cert_t *cert;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]197 unsigned int i;
198
199 for (i = 0; i < num_certs; i++) {
200 cert = &certs[i];
Juan Castillo212f7382015-12-15 16:37:57 +0000[diff] [blame]201 cmd_opt.long_opt.name = cert->opt;
202 cmd_opt.long_opt.has_arg = required_argument;
203 cmd_opt.long_opt.flag = NULL;
204 cmd_opt.long_opt.val = CMD_OPT_CERT;
205 cmd_opt.help_msg = cert->help_msg;
206 cmd_opt_add(&cmd_opt);
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]207 }
208
Juan Castillo212f7382015-12-15 16:37:57 +0000[diff] [blame]209 return 0;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]210}
211
212cert_t *cert_get_by_opt(const char *opt)
213{
Masahiro Yamada48cb5e52017-02-06 19:47:44 +0900[diff] [blame]214 cert_t *cert;
Juan Castillo1218dd52015-07-03 16:23:16 +0100[diff] [blame]215 unsigned int i;
216
217 for (i = 0; i < num_certs; i++) {
218 cert = &certs[i];
219 if (0 == strcmp(cert->opt, opt)) {
220 return cert;
221 }
222 }
223
224 return NULL;
225}