Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / f18daf7db473988bd9c5a1b34c4370accb077f9f / . / tools / cert_create / src / main.c
blob: 2af5247fc5e8bc52bd956b8adafe089efdcfad88 [file] [log] [blame]
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <getopt.h>
32#include <stdio.h>
33#include <stdlib.h>
34#include <string.h>
35
36#include <openssl/conf.h>
37#include <openssl/engine.h>
38#include <openssl/err.h>
39#include <openssl/pem.h>
40#include <openssl/sha.h>
41#include <openssl/x509v3.h>
42
43#include "cert.h"
44#include "debug.h"
45#include "ext.h"
46#include "key.h"
47#include "platform_oid.h"
48#include "sha.h"
49#include "tbb_ext.h"
50#include "tbb_cert.h"
51#include "tbb_key.h"
52
53/*
54 * Helper macros to simplify the code. This macro assigns the return value of
55 * the 'fn' function to 'v' and exits if the value is NULL.
56 */
57#define CHECK_NULL(v, fn) \
58 do { \
59 v = fn; \
60 if (v == NULL) { \
61 ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \
62 exit(1); \
63 } \
64 } while (0)
65
66/*
67 * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the
68 * NID is undefined.
69 */
70#define CHECK_OID(v, oid) \
71 do { \
72 v = OBJ_txt2nid(oid); \
73 if (v == NID_undef) { \
74 ERROR("Cannot find TBB extension %s\n", oid); \
75 exit(1); \
76 } \
77 } while (0)
78
79#define MAX_FILENAME_LEN 1024
80#define VAL_DAYS 7300
81#define ID_TO_BIT_MASK(id) (1 << id)
82#define NVCOUNTER_VALUE 0
83
84/* Files */
85enum {
86 /* Image file names (inputs) */
87 BL2_ID = 0,
88 BL30_ID,
89 BL31_ID,
90 BL32_ID,
91 BL33_ID,
92 /* Certificate file names (outputs) */
93 BL2_CERT_ID,
94 TRUSTED_KEY_CERT_ID,
95 BL30_KEY_CERT_ID,
96 BL30_CERT_ID,
97 BL31_KEY_CERT_ID,
98 BL31_CERT_ID,
99 BL32_KEY_CERT_ID,
100 BL32_CERT_ID,
101 BL33_KEY_CERT_ID,
102 BL33_CERT_ID,
103 /* Key file names (input/output) */
104 ROT_KEY_ID,
105 TRUSTED_WORLD_KEY_ID,
106 NON_TRUSTED_WORLD_KEY_ID,
107 BL30_KEY_ID,
108 BL31_KEY_ID,
109 BL32_KEY_ID,
110 BL33_KEY_ID,
111 NUM_OPTS
112};
113
114/* Global options */
115static int new_keys;
116static int save_keys;
117static int print_cert;
118static int bl30_present;
119static int bl32_present;
120
121/* We are not checking nvcounters in TF. Include them in the certificates but
122 * the value will be set to 0 */
123static int tf_nvcounter;
124static int non_tf_nvcounter;
125
126/* Info messages created in the Makefile */
127extern const char build_msg[];
128extern const char platform_msg[];
129
130
131static char *strdup(const char *str)
132{
133 int n = strlen(str) + 1;
134 char *dup = malloc(n);
135 if (dup) {
136 strcpy(dup, str);
137 }
138 return dup;
139}
140
141/* Command line options */
142static const struct option long_opt[] = {
143 /* Binary images */
144 {"bl2", required_argument, 0, BL2_ID},
145 {"bl30", required_argument, 0, BL30_ID},
146 {"bl31", required_argument, 0, BL31_ID},
147 {"bl32", required_argument, 0, BL32_ID},
148 {"bl33", required_argument, 0, BL33_ID},
149 /* Certificate files */
150 {"bl2-cert", required_argument, 0, BL2_CERT_ID},
151 {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID},
152 {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID},
153 {"bl30-cert", required_argument, 0, BL30_CERT_ID},
154 {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID},
155 {"bl31-cert", required_argument, 0, BL31_CERT_ID},
156 {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID},
157 {"bl32-cert", required_argument, 0, BL32_CERT_ID},
158 {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID},
159 {"bl33-cert", required_argument, 0, BL33_CERT_ID},
160 /* Private key files */
161 {"rot-key", required_argument, 0, ROT_KEY_ID},
162 {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID},
163 {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID},
164 {"bl30-key", required_argument, 0, BL30_KEY_ID},
165 {"bl31-key", required_argument, 0, BL31_KEY_ID},
166 {"bl32-key", required_argument, 0, BL32_KEY_ID},
167 {"bl33-key", required_argument, 0, BL33_KEY_ID},
168 /* Common options */
169 {"help", no_argument, 0, 'h'},
170 {"save-keys", no_argument, 0, 'k'},
171 {"new-chain", no_argument, 0, 'n'},
172 {"print-cert", no_argument, 0, 'p'},
173 {0, 0, 0, 0}
174};
175
176static void print_help(const char *cmd)
177{
178 int i = 0;
179 printf("\n\n");
180 printf("The certificate generation tool loads the binary images and\n"
181 "optionally the RSA keys, and outputs the key and content\n"
182 "certificates properly signed to implement the chain of trust.\n"
183 "If keys are provided, they must be in PEM format.\n"
184 "Certificates are generated in DER format.\n");
185 printf("\n");
186 printf("Usage:\n\n");
187 printf(" %s [-hknp] \\\n", cmd);
188 for (i = 0; i < NUM_OPTS; i++) {
189 printf(" --%s <file> \\\n", long_opt[i].name);
190 }
191 printf("\n");
192 printf("-h Print help and exit\n");
193 printf("-k Save key pairs into files. Filenames must be provided\n");
194 printf("-n Generate new key pairs if no key files are provided\n");
195 printf("-p Print the certificates in the standard output\n");
196 printf("\n");
197
198 exit(0);
199}
200
201static void check_cmd_params(void)
202{
203 /* BL2, BL31 and BL33 are mandatory */
204 if (certs[BL2_CERT].bin == NULL) {
205 ERROR("BL2 image not specified\n");
206 exit(1);
207 }
208
209 if (certs[BL31_CERT].bin == NULL) {
210 ERROR("BL31 image not specified\n");
211 exit(1);
212 }
213
214 if (certs[BL33_CERT].bin == NULL) {
215 ERROR("BL33 image not specified\n");
216 exit(1);
217 }
218
219 /* BL30 and BL32 are optional */
220 if (certs[BL30_CERT].bin != NULL) {
221 bl30_present = 1;
222 }
223
224 if (certs[BL32_CERT].bin != NULL) {
225 bl32_present = 1;
226 }
227
228 /* TODO: Certificate filenames */
229
230 /* Filenames to store keys must be specified */
231 if (save_keys || !new_keys) {
232 if (keys[ROT_KEY].fn == NULL) {
233 ERROR("ROT key not specified\n");
234 exit(1);
235 }
236
237 if (keys[TRUSTED_WORLD_KEY].fn == NULL) {
238 ERROR("Trusted World key not specified\n");
239 exit(1);
240 }
241
242 if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) {
243 ERROR("Non-trusted World key not specified\n");
244 exit(1);
245 }
246
247 if (keys[BL31_KEY].fn == NULL) {
248 ERROR("BL31 key not specified\n");
249 exit(1);
250 }
251
252 if (keys[BL33_KEY].fn == NULL) {
253 ERROR("BL33 key not specified\n");
254 exit(1);
255 }
256
257 if (bl30_present && (keys[BL30_KEY].fn == NULL)) {
258 ERROR("BL30 key not specified\n");
259 exit(1);
260 }
261
262 if (bl32_present && (keys[BL32_KEY].fn == NULL)) {
263 ERROR("BL32 key not specified\n");
264 exit(1);
265 }
266 }
267}
268
269int main(int argc, char *argv[])
270{
271 STACK_OF(X509_EXTENSION) * sk = NULL;
272 X509_EXTENSION *hash_ext = NULL;
273 X509_EXTENSION *nvctr_ext = NULL;
274 X509_EXTENSION *trusted_key_ext = NULL;
275 X509_EXTENSION *non_trusted_key_ext = NULL;
276 FILE *file = NULL;
277 int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
278 int c, opt_idx = 0;
279 unsigned char md[SHA256_DIGEST_LENGTH];
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]280 const EVP_MD *md_info;
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]281
282 NOTICE("CoT Generation Tool: %s\n", build_msg);
283 NOTICE("Target platform: %s\n", platform_msg);
284
285 while (1) {
286 /* getopt_long stores the option index here. */
287 c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx);
288
289 /* Detect the end of the options. */
290 if (c == -1) {
291 break;
292 }
293
294 switch (c) {
295 case 'h':
296 print_help(argv[0]);
297 break;
298 case 'k':
299 save_keys = 1;
300 break;
301 case 'n':
302 new_keys = 1;
303 break;
304 case 'p':
305 print_cert = 1;
306 break;
307 case BL2_ID:
308 certs[BL2_CERT].bin = strdup(optarg);
309 break;
310 case BL30_ID:
311 certs[BL30_CERT].bin = strdup(optarg);
312 break;
313 case BL31_ID:
314 certs[BL31_CERT].bin = strdup(optarg);
315 break;
316 case BL32_ID:
317 certs[BL32_CERT].bin = strdup(optarg);
318 break;
319 case BL33_ID:
320 certs[BL33_CERT].bin = strdup(optarg);
321 break;
322 case BL2_CERT_ID:
323 certs[BL2_CERT].fn = strdup(optarg);
324 break;
325 case TRUSTED_KEY_CERT_ID:
326 certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
327 break;
328 case BL30_KEY_CERT_ID:
329 certs[BL30_KEY_CERT].fn = strdup(optarg);
330 break;
331 case BL30_CERT_ID:
332 certs[BL30_CERT].fn = strdup(optarg);
333 break;
334 case BL31_KEY_CERT_ID:
335 certs[BL31_KEY_CERT].fn = strdup(optarg);
336 break;
337 case BL31_CERT_ID:
338 certs[BL31_CERT].fn = strdup(optarg);
339 break;
340 case BL32_KEY_CERT_ID:
341 certs[BL32_KEY_CERT].fn = strdup(optarg);
342 break;
343 case BL32_CERT_ID:
344 certs[BL32_CERT].fn = strdup(optarg);
345 break;
346 case BL33_KEY_CERT_ID:
347 certs[BL33_KEY_CERT].fn = strdup(optarg);
348 break;
349 case BL33_CERT_ID:
350 certs[BL33_CERT].fn = strdup(optarg);
351 break;
352 case ROT_KEY_ID:
353 keys[ROT_KEY].fn = strdup(optarg);
354 break;
355 case TRUSTED_WORLD_KEY_ID:
356 keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
357 break;
358 case NON_TRUSTED_WORLD_KEY_ID:
359 keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
360 break;
361 case BL30_KEY_ID:
362 keys[BL30_KEY].fn = strdup(optarg);
363 break;
364 case BL31_KEY_ID:
365 keys[BL31_KEY].fn = strdup(optarg);
366 break;
367 case BL32_KEY_ID:
368 keys[BL32_KEY].fn = strdup(optarg);
369 break;
370 case BL33_KEY_ID:
371 keys[BL33_KEY].fn = strdup(optarg);
372 break;
373 case '?':
374 default:
375 printf("%s\n", optarg);
376 exit(1);
377 }
378 }
379
380 /* Set the value of the NVCounters */
381 tf_nvcounter = NVCOUNTER_VALUE;
382 non_tf_nvcounter = NVCOUNTER_VALUE;
383
384 /* Check command line arguments */
385 check_cmd_params();
386
387 /* Register the new types and OIDs for the extensions */
388 if (ext_init(tbb_ext) != 0) {
389 ERROR("Cannot initialize TBB extensions\n");
390 exit(1);
391 }
392
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]393 /* Indicate SHA256 as image hash algorithm in the certificate
394 * extension */
395 md_info = EVP_sha256();
396
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]397 /* Get non-volatile counters NIDs */
398 CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
399 CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
400
401 /* Load private keys from files (or generate new ones) */
402 if (new_keys) {
403 for (i = 0 ; i < NUM_KEYS ; i++) {
404 if (!key_new(&keys[i])) {
405 ERROR("Error creating %s\n", keys[i].desc);
406 exit(1);
407 }
408 }
409 } else {
410 for (i = 0 ; i < NUM_KEYS ; i++) {
411 if (!key_load(&keys[i])) {
412 ERROR("Error loading %s\n", keys[i].desc);
413 exit(1);
414 }
415 }
416 }
417
418 /* *********************************************************************
419 * BL2 certificate (Trusted Boot Firmware certificate):
420 * - Self-signed with OEM ROT private key
421 * - Extensions:
422 * - TrustedFirmwareNVCounter (TODO)
423 * - BL2 hash
424 **********************************************************************/
425 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
426
427 /* Add the NVCounter as a critical extension */
428 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
429 tf_nvcounter));
430 sk_X509_EXTENSION_push(sk, nvctr_ext);
431
432 /* Add hash of BL2 as an extension */
433 if (!sha_file(certs[BL2_CERT].bin, md)) {
434 ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
435 exit(1);
436 }
437 CHECK_OID(hash_nid, BL2_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]438 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]439 SHA256_DIGEST_LENGTH));
440 sk_X509_EXTENSION_push(sk, hash_ext);
441
442 /* Create certificate. Signed with ROT key */
443 if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
444 ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
445 exit(1);
446 }
447 sk_X509_EXTENSION_free(sk);
448
449 /* *********************************************************************
450 * Trusted Key certificate:
451 * - Self-signed with OEM ROT private key
452 * - Extensions:
453 * - TrustedFirmwareNVCounter (TODO)
454 * - TrustedWorldPK
455 * - NonTrustedWorldPK
456 **********************************************************************/
457 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
458 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
459 tf_nvcounter));
460 sk_X509_EXTENSION_push(sk, nvctr_ext);
461 CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
462 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
463 keys[TRUSTED_WORLD_KEY].key));
464 sk_X509_EXTENSION_push(sk, trusted_key_ext);
465 CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
466 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
467 keys[NON_TRUSTED_WORLD_KEY].key));
468 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
469 if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
470 ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
471 exit(1);
472 }
473 sk_X509_EXTENSION_free(sk);
474
475 /* *********************************************************************
476 * BL30 Key certificate (Trusted SCP Firmware Key certificate):
477 * - Self-signed with Trusted World key
478 * - Extensions:
479 * - TrustedFirmwareNVCounter (TODO)
480 * - SCPFirmwareContentCertPK
481 **********************************************************************/
482 if (bl30_present) {
483 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
484 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
485 tf_nvcounter));
486 sk_X509_EXTENSION_push(sk, nvctr_ext);
487 CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
488 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
489 keys[BL30_KEY].key));
490 sk_X509_EXTENSION_push(sk, trusted_key_ext);
491 if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
492 ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
493 exit(1);
494 }
495 sk_X509_EXTENSION_free(sk);
496 }
497
498 /* *********************************************************************
499 * BL30 certificate (SCP Firmware Content certificate):
500 * - Signed with Trusted World Key
501 * - Extensions:
502 * - TrustedFirmwareNVCounter (TODO)
503 * - SCPFirmwareHash
504 **********************************************************************/
505 if (bl30_present) {
506 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
507 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
508 tf_nvcounter));
509 sk_X509_EXTENSION_push(sk, nvctr_ext);
510
511 if (!sha_file(certs[BL30_CERT].bin, md)) {
512 ERROR("Cannot calculate the hash of %s\n",
513 certs[BL30_CERT].bin);
514 exit(1);
515 }
516 CHECK_OID(hash_nid, BL30_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]517 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
518 md, SHA256_DIGEST_LENGTH));
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]519 sk_X509_EXTENSION_push(sk, hash_ext);
520
521 if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
522 ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
523 exit(1);
524 }
525
526 sk_X509_EXTENSION_free(sk);
527 }
528
529 /* *********************************************************************
530 * BL31 Key certificate (Trusted SoC Firmware Key certificate):
531 * - Self-signed with Trusted World key
532 * - Extensions:
533 * - TrustedFirmwareNVCounter (TODO)
534 * - SoCFirmwareContentCertPK
535 **********************************************************************/
536 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
537 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
538 tf_nvcounter));
539 sk_X509_EXTENSION_push(sk, nvctr_ext);
540 CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
541 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
542 keys[BL31_KEY].key));
543 sk_X509_EXTENSION_push(sk, trusted_key_ext);
544 if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
545 ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
546 exit(1);
547 }
548 sk_X509_EXTENSION_free(sk);
549
550 /* *********************************************************************
551 * BL31 certificate (SOC Firmware Content certificate):
552 * - Signed with Trusted World Key
553 * - Extensions:
554 * - TrustedFirmwareNVCounter (TODO)
555 * - BL31 hash
556 **********************************************************************/
557 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
558 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
559 tf_nvcounter));
560 sk_X509_EXTENSION_push(sk, nvctr_ext);
561
562 if (!sha_file(certs[BL31_CERT].bin, md)) {
563 ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
564 exit(1);
565 }
566 CHECK_OID(hash_nid, BL31_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]567 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]568 SHA256_DIGEST_LENGTH));
569 sk_X509_EXTENSION_push(sk, hash_ext);
570
571 if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
572 ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
573 exit(1);
574 }
575
576 sk_X509_EXTENSION_free(sk);
577
578 /* *********************************************************************
579 * BL32 Key certificate (Trusted OS Firmware Key certificate):
580 * - Self-signed with Trusted World key
581 * - Extensions:
582 * - TrustedFirmwareNVCounter (TODO)
583 * - TrustedOSFirmwareContentCertPK
584 **********************************************************************/
585 if (bl32_present) {
586 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
587 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
588 tf_nvcounter));
589 sk_X509_EXTENSION_push(sk, nvctr_ext);
590 CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
591 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
592 keys[BL32_KEY].key));
593 sk_X509_EXTENSION_push(sk, trusted_key_ext);
594 if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
595 ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
596 exit(1);
597 }
598 sk_X509_EXTENSION_free(sk);
599 }
600
601 /* *********************************************************************
602 * BL32 certificate (TrustedOS Firmware Content certificate):
603 * - Signed with Trusted World Key
604 * - Extensions:
605 * - TrustedFirmwareNVCounter (TODO)
606 * - BL32 hash
607 **********************************************************************/
608 if (bl32_present) {
609 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
610 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
611 tf_nvcounter));
612 sk_X509_EXTENSION_push(sk, nvctr_ext);
613
614 if (!sha_file(certs[BL32_CERT].bin, md)) {
615 ERROR("Cannot calculate the hash of %s\n",
616 certs[BL32_CERT].bin);
617 exit(1);
618 }
619 CHECK_OID(hash_nid, BL32_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]620 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
621 md, SHA256_DIGEST_LENGTH));
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]622 sk_X509_EXTENSION_push(sk, hash_ext);
623
624 if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
625 ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
626 exit(1);
627 }
628
629 sk_X509_EXTENSION_free(sk);
630 }
631
632 /* *********************************************************************
633 * BL33 Key certificate (Non Trusted Firmware Key certificate):
634 * - Self-signed with Non Trusted World key
635 * - Extensions:
636 * - NonTrustedFirmwareNVCounter (TODO)
637 * - NonTrustedFirmwareContentCertPK
638 **********************************************************************/
639 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
640 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
641 non_tf_nvcounter));
642 sk_X509_EXTENSION_push(sk, nvctr_ext);
643 CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
644 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
645 keys[BL33_KEY].key));
646 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
647 if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
648 ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
649 exit(1);
650 }
651 sk_X509_EXTENSION_free(sk);
652
653 /* *********************************************************************
654 * BL33 certificate (Non-Trusted World Content certificate):
655 * - Signed with Non-Trusted World Key
656 * - Extensions:
657 * - NonTrustedFirmwareNVCounter (TODO)
658 * - BL33 hash
659 **********************************************************************/
660 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
661 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
662 non_tf_nvcounter));
663 sk_X509_EXTENSION_push(sk, nvctr_ext);
664
665 if (!sha_file(certs[BL33_CERT].bin, md)) {
666 ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
667 exit(1);
668 }
669 CHECK_OID(hash_nid, BL33_HASH_OID);
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]670 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo11abdcd2014-10-21 11:30:42 +0100[diff] [blame]671 SHA256_DIGEST_LENGTH));
672 sk_X509_EXTENSION_push(sk, hash_ext);
673
674 if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
675 ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
676 exit(1);
677 }
678 sk_X509_EXTENSION_free(sk);
679
680 /* Print the certificates */
681 if (print_cert) {
682 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
683 if (!certs[i].x) {
684 continue;
685 }
686 printf("\n\n=====================================\n\n");
687 X509_print_fp(stdout, certs[i].x);
688 }
689 }
690
691 /* Save created certificates to files */
692 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
693 if (certs[i].x && certs[i].fn) {
694 file = fopen(certs[i].fn, "w");
695 if (file != NULL) {
696 i2d_X509_fp(file, certs[i].x);
697 fclose(file);
698 } else {
699 ERROR("Cannot create file %s\n", certs[i].fn);
700 }
701 }
702 }
703
704 /* Save keys */
705 if (save_keys) {
706 for (i = 0 ; i < NUM_KEYS ; i++) {
707 if (!key_store(&keys[i])) {
708 ERROR("Cannot save %s\n", keys[i].desc);
709 }
710 }
711 }
712
713 X509_EXTENSION_free(hash_ext);
714 X509_EXTENSION_free(nvctr_ext);
715 X509_EXTENSION_free(trusted_key_ext);
716 X509_EXTENSION_free(non_trusted_key_ext);
717
718#ifndef OPENSSL_NO_ENGINE
719 ENGINE_cleanup();
720#endif
721 CRYPTO_cleanup_all_ex_data();
722
723 return 0;
724}