Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / f072f66f7380557e9a3a5d2613be6943ced2f803 / . / tools / cert_create / src / main.c
blob: c78d87ad729fb256990929ed7b4411da78ef581a [file] [log] [blame]
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <getopt.h>
32#include <stdio.h>
33#include <stdlib.h>
34#include <string.h>
35
36#include <openssl/conf.h>
37#include <openssl/engine.h>
38#include <openssl/err.h>
39#include <openssl/pem.h>
40#include <openssl/sha.h>
41#include <openssl/x509v3.h>
42
43#include "cert.h"
44#include "debug.h"
45#include "ext.h"
46#include "key.h"
47#include "platform_oid.h"
48#include "sha.h"
49#include "tbb_ext.h"
50#include "tbb_cert.h"
51#include "tbb_key.h"
52
53/*
54 * Helper macros to simplify the code. This macro assigns the return value of
55 * the 'fn' function to 'v' and exits if the value is NULL.
56 */
57#define CHECK_NULL(v, fn) \
58 do { \
59 v = fn; \
60 if (v == NULL) { \
61 ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \
62 exit(1); \
63 } \
64 } while (0)
65
66/*
67 * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the
68 * NID is undefined.
69 */
70#define CHECK_OID(v, oid) \
71 do { \
72 v = OBJ_txt2nid(oid); \
73 if (v == NID_undef) { \
74 ERROR("Cannot find TBB extension %s\n", oid); \
75 exit(1); \
76 } \
77 } while (0)
78
79#define MAX_FILENAME_LEN 1024
80#define VAL_DAYS 7300
81#define ID_TO_BIT_MASK(id) (1 << id)
82#define NVCOUNTER_VALUE 0
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]83#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]84
85/* Files */
86enum {
87 /* Image file names (inputs) */
88 BL2_ID = 0,
89 BL30_ID,
90 BL31_ID,
91 BL32_ID,
92 BL33_ID,
93 /* Certificate file names (outputs) */
94 BL2_CERT_ID,
95 TRUSTED_KEY_CERT_ID,
96 BL30_KEY_CERT_ID,
97 BL30_CERT_ID,
98 BL31_KEY_CERT_ID,
99 BL31_CERT_ID,
100 BL32_KEY_CERT_ID,
101 BL32_CERT_ID,
102 BL33_KEY_CERT_ID,
103 BL33_CERT_ID,
104 /* Key file names (input/output) */
105 ROT_KEY_ID,
106 TRUSTED_WORLD_KEY_ID,
107 NON_TRUSTED_WORLD_KEY_ID,
108 BL30_KEY_ID,
109 BL31_KEY_ID,
110 BL32_KEY_ID,
111 BL33_KEY_ID,
112 NUM_OPTS
113};
114
115/* Global options */
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]116static int key_alg;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]117static int new_keys;
118static int save_keys;
119static int print_cert;
120static int bl30_present;
121static int bl32_present;
122
123/* We are not checking nvcounters in TF. Include them in the certificates but
124 * the value will be set to 0 */
125static int tf_nvcounter;
126static int non_tf_nvcounter;
127
128/* Info messages created in the Makefile */
129extern const char build_msg[];
130extern const char platform_msg[];
131
132
133static char *strdup(const char *str)
134{
135 int n = strlen(str) + 1;
136 char *dup = malloc(n);
137 if (dup) {
138 strcpy(dup, str);
139 }
140 return dup;
141}
142
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]143static const char *key_algs_str[] = {
144 [KEY_ALG_RSA] = "rsa",
Juan Castilloa2224ab2015-06-30 13:36:57 +0100[diff] [blame]145#ifndef OPENSSL_NO_EC
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]146 [KEY_ALG_ECDSA] = "ecdsa"
Juan Castilloa2224ab2015-06-30 13:36:57 +0100[diff] [blame]147#endif /* OPENSSL_NO_EC */
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]148};
149
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]150/* Command line options */
151static const struct option long_opt[] = {
152 /* Binary images */
153 {"bl2", required_argument, 0, BL2_ID},
154 {"bl30", required_argument, 0, BL30_ID},
155 {"bl31", required_argument, 0, BL31_ID},
156 {"bl32", required_argument, 0, BL32_ID},
157 {"bl33", required_argument, 0, BL33_ID},
158 /* Certificate files */
159 {"bl2-cert", required_argument, 0, BL2_CERT_ID},
160 {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID},
161 {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID},
162 {"bl30-cert", required_argument, 0, BL30_CERT_ID},
163 {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID},
164 {"bl31-cert", required_argument, 0, BL31_CERT_ID},
165 {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID},
166 {"bl32-cert", required_argument, 0, BL32_CERT_ID},
167 {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID},
168 {"bl33-cert", required_argument, 0, BL33_CERT_ID},
169 /* Private key files */
170 {"rot-key", required_argument, 0, ROT_KEY_ID},
171 {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID},
172 {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID},
173 {"bl30-key", required_argument, 0, BL30_KEY_ID},
174 {"bl31-key", required_argument, 0, BL31_KEY_ID},
175 {"bl32-key", required_argument, 0, BL32_KEY_ID},
176 {"bl33-key", required_argument, 0, BL33_KEY_ID},
177 /* Common options */
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]178 {"key-alg", required_argument, 0, 'a'},
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]179 {"help", no_argument, 0, 'h'},
180 {"save-keys", no_argument, 0, 'k'},
181 {"new-chain", no_argument, 0, 'n'},
182 {"print-cert", no_argument, 0, 'p'},
183 {0, 0, 0, 0}
184};
185
186static void print_help(const char *cmd)
187{
188 int i = 0;
189 printf("\n\n");
190 printf("The certificate generation tool loads the binary images and\n"
191 "optionally the RSA keys, and outputs the key and content\n"
192 "certificates properly signed to implement the chain of trust.\n"
193 "If keys are provided, they must be in PEM format.\n"
194 "Certificates are generated in DER format.\n");
195 printf("\n");
196 printf("Usage:\n\n");
197 printf(" %s [-hknp] \\\n", cmd);
198 for (i = 0; i < NUM_OPTS; i++) {
199 printf(" --%s <file> \\\n", long_opt[i].name);
200 }
201 printf("\n");
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]202 printf("-a Key algorithm: rsa (default), ecdsa\n");
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]203 printf("-h Print help and exit\n");
204 printf("-k Save key pairs into files. Filenames must be provided\n");
205 printf("-n Generate new key pairs if no key files are provided\n");
206 printf("-p Print the certificates in the standard output\n");
207 printf("\n");
208
209 exit(0);
210}
211
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]212static int get_key_alg(const char *key_alg_str)
213{
214 int i;
215
216 for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) {
217 if (0 == strcmp(key_alg_str, key_algs_str[i])) {
218 return i;
219 }
220 }
221
222 return -1;
223}
224
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]225static void check_cmd_params(void)
226{
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]227 /* Only save new keys */
228 if (save_keys && !new_keys) {
229 ERROR("Only new keys can be saved to disk\n");
230 exit(1);
231 }
232
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]233 /* BL2, BL31 and BL33 are mandatory */
234 if (certs[BL2_CERT].bin == NULL) {
235 ERROR("BL2 image not specified\n");
236 exit(1);
237 }
238
239 if (certs[BL31_CERT].bin == NULL) {
240 ERROR("BL31 image not specified\n");
241 exit(1);
242 }
243
244 if (certs[BL33_CERT].bin == NULL) {
245 ERROR("BL33 image not specified\n");
246 exit(1);
247 }
248
249 /* BL30 and BL32 are optional */
250 if (certs[BL30_CERT].bin != NULL) {
251 bl30_present = 1;
252 }
253
254 if (certs[BL32_CERT].bin != NULL) {
255 bl32_present = 1;
256 }
257
258 /* TODO: Certificate filenames */
259
260 /* Filenames to store keys must be specified */
261 if (save_keys || !new_keys) {
262 if (keys[ROT_KEY].fn == NULL) {
263 ERROR("ROT key not specified\n");
264 exit(1);
265 }
266
267 if (keys[TRUSTED_WORLD_KEY].fn == NULL) {
268 ERROR("Trusted World key not specified\n");
269 exit(1);
270 }
271
272 if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) {
273 ERROR("Non-trusted World key not specified\n");
274 exit(1);
275 }
276
277 if (keys[BL31_KEY].fn == NULL) {
278 ERROR("BL31 key not specified\n");
279 exit(1);
280 }
281
282 if (keys[BL33_KEY].fn == NULL) {
283 ERROR("BL33 key not specified\n");
284 exit(1);
285 }
286
287 if (bl30_present && (keys[BL30_KEY].fn == NULL)) {
288 ERROR("BL30 key not specified\n");
289 exit(1);
290 }
291
292 if (bl32_present && (keys[BL32_KEY].fn == NULL)) {
293 ERROR("BL32 key not specified\n");
294 exit(1);
295 }
296 }
297}
298
299int main(int argc, char *argv[])
300{
301 STACK_OF(X509_EXTENSION) * sk = NULL;
302 X509_EXTENSION *hash_ext = NULL;
303 X509_EXTENSION *nvctr_ext = NULL;
304 X509_EXTENSION *trusted_key_ext = NULL;
305 X509_EXTENSION *non_trusted_key_ext = NULL;
306 FILE *file = NULL;
307 int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
308 int c, opt_idx = 0;
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]309 unsigned int err_code;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]310 unsigned char md[SHA256_DIGEST_LENGTH];
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]311 const EVP_MD *md_info;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]312
313 NOTICE("CoT Generation Tool: %s\n", build_msg);
314 NOTICE("Target platform: %s\n", platform_msg);
315
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]316 /* Set default options */
317 key_alg = KEY_ALG_RSA;
318
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]319 while (1) {
320 /* getopt_long stores the option index here. */
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]321 c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]322
323 /* Detect the end of the options. */
324 if (c == -1) {
325 break;
326 }
327
328 switch (c) {
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]329 case 'a':
330 key_alg = get_key_alg(optarg);
331 if (key_alg < 0) {
332 ERROR("Invalid key algorithm '%s'\n", optarg);
333 exit(1);
334 }
335 break;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]336 case 'h':
337 print_help(argv[0]);
338 break;
339 case 'k':
340 save_keys = 1;
341 break;
342 case 'n':
343 new_keys = 1;
344 break;
345 case 'p':
346 print_cert = 1;
347 break;
348 case BL2_ID:
349 certs[BL2_CERT].bin = strdup(optarg);
350 break;
351 case BL30_ID:
352 certs[BL30_CERT].bin = strdup(optarg);
353 break;
354 case BL31_ID:
355 certs[BL31_CERT].bin = strdup(optarg);
356 break;
357 case BL32_ID:
358 certs[BL32_CERT].bin = strdup(optarg);
359 break;
360 case BL33_ID:
361 certs[BL33_CERT].bin = strdup(optarg);
362 break;
363 case BL2_CERT_ID:
364 certs[BL2_CERT].fn = strdup(optarg);
365 break;
366 case TRUSTED_KEY_CERT_ID:
367 certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
368 break;
369 case BL30_KEY_CERT_ID:
370 certs[BL30_KEY_CERT].fn = strdup(optarg);
371 break;
372 case BL30_CERT_ID:
373 certs[BL30_CERT].fn = strdup(optarg);
374 break;
375 case BL31_KEY_CERT_ID:
376 certs[BL31_KEY_CERT].fn = strdup(optarg);
377 break;
378 case BL31_CERT_ID:
379 certs[BL31_CERT].fn = strdup(optarg);
380 break;
381 case BL32_KEY_CERT_ID:
382 certs[BL32_KEY_CERT].fn = strdup(optarg);
383 break;
384 case BL32_CERT_ID:
385 certs[BL32_CERT].fn = strdup(optarg);
386 break;
387 case BL33_KEY_CERT_ID:
388 certs[BL33_KEY_CERT].fn = strdup(optarg);
389 break;
390 case BL33_CERT_ID:
391 certs[BL33_CERT].fn = strdup(optarg);
392 break;
393 case ROT_KEY_ID:
394 keys[ROT_KEY].fn = strdup(optarg);
395 break;
396 case TRUSTED_WORLD_KEY_ID:
397 keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
398 break;
399 case NON_TRUSTED_WORLD_KEY_ID:
400 keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
401 break;
402 case BL30_KEY_ID:
403 keys[BL30_KEY].fn = strdup(optarg);
404 break;
405 case BL31_KEY_ID:
406 keys[BL31_KEY].fn = strdup(optarg);
407 break;
408 case BL32_KEY_ID:
409 keys[BL32_KEY].fn = strdup(optarg);
410 break;
411 case BL33_KEY_ID:
412 keys[BL33_KEY].fn = strdup(optarg);
413 break;
414 case '?':
415 default:
416 printf("%s\n", optarg);
417 exit(1);
418 }
419 }
420
421 /* Set the value of the NVCounters */
422 tf_nvcounter = NVCOUNTER_VALUE;
423 non_tf_nvcounter = NVCOUNTER_VALUE;
424
425 /* Check command line arguments */
426 check_cmd_params();
427
428 /* Register the new types and OIDs for the extensions */
429 if (ext_init(tbb_ext) != 0) {
430 ERROR("Cannot initialize TBB extensions\n");
431 exit(1);
432 }
433
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]434 /* Indicate SHA256 as image hash algorithm in the certificate
435 * extension */
436 md_info = EVP_sha256();
437
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]438 /* Get non-volatile counters NIDs */
439 CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
440 CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
441
442 /* Load private keys from files (or generate new ones) */
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]443 for (i = 0 ; i < NUM_KEYS ; i++) {
444 /* First try to load the key from disk */
445 if (key_load(&keys[i], &err_code)) {
446 /* Key loaded successfully */
447 continue;
448 }
449
450 /* Key not loaded. Check the error code */
451 if (err_code == KEY_ERR_MALLOC) {
452 /* Cannot allocate memory. Abort. */
453 ERROR("Malloc error while loading '%s'\n", keys[i].fn);
454 exit(1);
455 } else if (err_code == KEY_ERR_LOAD) {
456 /* File exists, but it does not contain a valid private
457 * key. Abort. */
458 ERROR("Error loading '%s'\n", keys[i].fn);
459 exit(1);
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]460 }
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]461
462 /* File does not exist, could not be opened or no filename was
463 * given */
464 if (new_keys) {
465 /* Try to create a new key */
466 NOTICE("Creating new key for '%s'\n", keys[i].desc);
467 if (!key_create(&keys[i], key_alg)) {
468 ERROR("Error creating key '%s'\n", keys[i].desc);
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]469 exit(1);
470 }
Juan Castillof9f39c32015-06-01 16:34:23 +0100[diff] [blame]471 } else {
472 if (err_code == KEY_ERR_OPEN) {
473 ERROR("Error opening '%s'\n", keys[i].fn);
474 } else {
475 ERROR("Key '%s' not specified\n", keys[i].desc);
476 }
477 exit(1);
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]478 }
479 }
480
481 /* *********************************************************************
482 * BL2 certificate (Trusted Boot Firmware certificate):
483 * - Self-signed with OEM ROT private key
484 * - Extensions:
485 * - TrustedFirmwareNVCounter (TODO)
486 * - BL2 hash
487 **********************************************************************/
488 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
489
490 /* Add the NVCounter as a critical extension */
491 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
492 tf_nvcounter));
493 sk_X509_EXTENSION_push(sk, nvctr_ext);
494
495 /* Add hash of BL2 as an extension */
496 if (!sha_file(certs[BL2_CERT].bin, md)) {
497 ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
498 exit(1);
499 }
500 CHECK_OID(hash_nid, BL2_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]501 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]502 SHA256_DIGEST_LENGTH));
503 sk_X509_EXTENSION_push(sk, hash_ext);
504
505 /* Create certificate. Signed with ROT key */
506 if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
507 ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
508 exit(1);
509 }
510 sk_X509_EXTENSION_free(sk);
511
512 /* *********************************************************************
513 * Trusted Key certificate:
514 * - Self-signed with OEM ROT private key
515 * - Extensions:
516 * - TrustedFirmwareNVCounter (TODO)
517 * - TrustedWorldPK
518 * - NonTrustedWorldPK
519 **********************************************************************/
520 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
521 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
522 tf_nvcounter));
523 sk_X509_EXTENSION_push(sk, nvctr_ext);
524 CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
525 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
526 keys[TRUSTED_WORLD_KEY].key));
527 sk_X509_EXTENSION_push(sk, trusted_key_ext);
528 CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
529 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
530 keys[NON_TRUSTED_WORLD_KEY].key));
531 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
532 if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
533 ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
534 exit(1);
535 }
536 sk_X509_EXTENSION_free(sk);
537
538 /* *********************************************************************
539 * BL30 Key certificate (Trusted SCP Firmware Key certificate):
540 * - Self-signed with Trusted World key
541 * - Extensions:
542 * - TrustedFirmwareNVCounter (TODO)
543 * - SCPFirmwareContentCertPK
544 **********************************************************************/
545 if (bl30_present) {
546 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
547 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
548 tf_nvcounter));
549 sk_X509_EXTENSION_push(sk, nvctr_ext);
550 CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
551 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
552 keys[BL30_KEY].key));
553 sk_X509_EXTENSION_push(sk, trusted_key_ext);
554 if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
555 ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
556 exit(1);
557 }
558 sk_X509_EXTENSION_free(sk);
559 }
560
561 /* *********************************************************************
562 * BL30 certificate (SCP Firmware Content certificate):
563 * - Signed with Trusted World Key
564 * - Extensions:
565 * - TrustedFirmwareNVCounter (TODO)
566 * - SCPFirmwareHash
567 **********************************************************************/
568 if (bl30_present) {
569 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
570 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
571 tf_nvcounter));
572 sk_X509_EXTENSION_push(sk, nvctr_ext);
573
574 if (!sha_file(certs[BL30_CERT].bin, md)) {
575 ERROR("Cannot calculate the hash of %s\n",
576 certs[BL30_CERT].bin);
577 exit(1);
578 }
579 CHECK_OID(hash_nid, BL30_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]580 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
581 md, SHA256_DIGEST_LENGTH));
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]582 sk_X509_EXTENSION_push(sk, hash_ext);
583
584 if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
585 ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
586 exit(1);
587 }
588
589 sk_X509_EXTENSION_free(sk);
590 }
591
592 /* *********************************************************************
593 * BL31 Key certificate (Trusted SoC Firmware Key certificate):
594 * - Self-signed with Trusted World key
595 * - Extensions:
596 * - TrustedFirmwareNVCounter (TODO)
597 * - SoCFirmwareContentCertPK
598 **********************************************************************/
599 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
600 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
601 tf_nvcounter));
602 sk_X509_EXTENSION_push(sk, nvctr_ext);
603 CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
604 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
605 keys[BL31_KEY].key));
606 sk_X509_EXTENSION_push(sk, trusted_key_ext);
607 if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
608 ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
609 exit(1);
610 }
611 sk_X509_EXTENSION_free(sk);
612
613 /* *********************************************************************
614 * BL31 certificate (SOC Firmware Content certificate):
615 * - Signed with Trusted World Key
616 * - Extensions:
617 * - TrustedFirmwareNVCounter (TODO)
618 * - BL31 hash
619 **********************************************************************/
620 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
621 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
622 tf_nvcounter));
623 sk_X509_EXTENSION_push(sk, nvctr_ext);
624
625 if (!sha_file(certs[BL31_CERT].bin, md)) {
626 ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
627 exit(1);
628 }
629 CHECK_OID(hash_nid, BL31_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]630 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]631 SHA256_DIGEST_LENGTH));
632 sk_X509_EXTENSION_push(sk, hash_ext);
633
634 if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
635 ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
636 exit(1);
637 }
638
639 sk_X509_EXTENSION_free(sk);
640
641 /* *********************************************************************
642 * BL32 Key certificate (Trusted OS Firmware Key certificate):
643 * - Self-signed with Trusted World key
644 * - Extensions:
645 * - TrustedFirmwareNVCounter (TODO)
646 * - TrustedOSFirmwareContentCertPK
647 **********************************************************************/
648 if (bl32_present) {
649 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
650 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
651 tf_nvcounter));
652 sk_X509_EXTENSION_push(sk, nvctr_ext);
653 CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
654 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
655 keys[BL32_KEY].key));
656 sk_X509_EXTENSION_push(sk, trusted_key_ext);
657 if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
658 ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
659 exit(1);
660 }
661 sk_X509_EXTENSION_free(sk);
662 }
663
664 /* *********************************************************************
665 * BL32 certificate (TrustedOS Firmware Content certificate):
666 * - Signed with Trusted World Key
667 * - Extensions:
668 * - TrustedFirmwareNVCounter (TODO)
669 * - BL32 hash
670 **********************************************************************/
671 if (bl32_present) {
672 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
673 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
674 tf_nvcounter));
675 sk_X509_EXTENSION_push(sk, nvctr_ext);
676
677 if (!sha_file(certs[BL32_CERT].bin, md)) {
678 ERROR("Cannot calculate the hash of %s\n",
679 certs[BL32_CERT].bin);
680 exit(1);
681 }
682 CHECK_OID(hash_nid, BL32_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]683 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
684 md, SHA256_DIGEST_LENGTH));
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]685 sk_X509_EXTENSION_push(sk, hash_ext);
686
687 if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
688 ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
689 exit(1);
690 }
691
692 sk_X509_EXTENSION_free(sk);
693 }
694
695 /* *********************************************************************
696 * BL33 Key certificate (Non Trusted Firmware Key certificate):
697 * - Self-signed with Non Trusted World key
698 * - Extensions:
699 * - NonTrustedFirmwareNVCounter (TODO)
700 * - NonTrustedFirmwareContentCertPK
701 **********************************************************************/
702 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
703 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
704 non_tf_nvcounter));
705 sk_X509_EXTENSION_push(sk, nvctr_ext);
706 CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
707 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
708 keys[BL33_KEY].key));
709 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
710 if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
711 ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
712 exit(1);
713 }
714 sk_X509_EXTENSION_free(sk);
715
716 /* *********************************************************************
717 * BL33 certificate (Non-Trusted World Content certificate):
718 * - Signed with Non-Trusted World Key
719 * - Extensions:
720 * - NonTrustedFirmwareNVCounter (TODO)
721 * - BL33 hash
722 **********************************************************************/
723 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
724 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
725 non_tf_nvcounter));
726 sk_X509_EXTENSION_push(sk, nvctr_ext);
727
728 if (!sha_file(certs[BL33_CERT].bin, md)) {
729 ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
730 exit(1);
731 }
732 CHECK_OID(hash_nid, BL33_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]733 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]734 SHA256_DIGEST_LENGTH));
735 sk_X509_EXTENSION_push(sk, hash_ext);
736
737 if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
738 ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
739 exit(1);
740 }
741 sk_X509_EXTENSION_free(sk);
742
743 /* Print the certificates */
744 if (print_cert) {
745 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
746 if (!certs[i].x) {
747 continue;
748 }
749 printf("\n\n=====================================\n\n");
750 X509_print_fp(stdout, certs[i].x);
751 }
752 }
753
754 /* Save created certificates to files */
755 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
756 if (certs[i].x && certs[i].fn) {
757 file = fopen(certs[i].fn, "w");
758 if (file != NULL) {
759 i2d_X509_fp(file, certs[i].x);
760 fclose(file);
761 } else {
762 ERROR("Cannot create file %s\n", certs[i].fn);
763 }
764 }
765 }
766
767 /* Save keys */
768 if (save_keys) {
769 for (i = 0 ; i < NUM_KEYS ; i++) {
770 if (!key_store(&keys[i])) {
771 ERROR("Cannot save %s\n", keys[i].desc);
772 }
773 }
774 }
775
776 X509_EXTENSION_free(hash_ext);
777 X509_EXTENSION_free(nvctr_ext);
778 X509_EXTENSION_free(trusted_key_ext);
779 X509_EXTENSION_free(non_trusted_key_ext);
780
781#ifndef OPENSSL_NO_ENGINE
782 ENGINE_cleanup();
783#endif
784 CRYPTO_cleanup_all_ex_data();
785
786 return 0;
787}