static int sbromsw_toc1_traverse(void)
{
sbrom_toc1_item_group item_group;
int ret;
uint len, i;
u8 buffer[SUNXI_X509_CERTIFF_MAX_LEN];
sunxi_certif_info_t root_certif;
sunxi_certif_info_t sub_certif;
u8 hash_of_file[256];
//u8 hash_in_certif[256];
//u8 key_certif_extension[260];
//u8 content_certif_key[520];
int out_to_ns;
toc1_item_traverse();
printf("probe root certif\n");
sunxi_ss_open();
memset(buffer, 0, SUNXI_X509_CERTIFF_MAX_LEN);
len = toc1_item_read_rootcertif(buffer, SUNXI_X509_CERTIFF_MAX_LEN);
if(!len)
{
printf("%s error: cant read rootkey certif\n", __func__);
return -1;
}
if(sunxi_certif_verify_itself(&root_certif, buffer, len))
{
printf("certif invalid: root certif verify itself failed\n");
return -1;
}
do
{
memset(&item_group, 0, sizeof(sbrom_toc1_item_group));
ret = toc1_item_probe_next(&item_group);
if(ret < 0)
{
printf("sbromsw_toc1_traverse err in toc1_item_probe_next\n");
return -1;
}
else if(ret == 0)
{
printf("sbromsw_toc1_traverse find out all items\n");
return 0;
}
if(item_group.bin_certif)
{
memset(buffer, 0, SUNXI_X509_CERTIFF_MAX_LEN);
len = toc1_item_read(item_group.bin_certif, buffer, SUNXI_X509_CERTIFF_MAX_LEN);
if(!len)
{
printf("%s error: cant read content key certif\n", __func__);
return -1;
}
//证书内容进行自校验,确保没有被替换
if(sunxi_certif_verify_itself(&sub_certif, buffer, len))
{
printf("%s error: cant verify the content certif\n", __func__);
return -1;
}
// printf("key n:\n");
// ndump(sub_certif.pubkey.n, sub_certif.pubkey.n_len);
// printf("key e:\n");
// ndump(sub_certif.pubkey.e, sub_certif.pubkey.e_len);
//每当发现一个公钥证书,即在根证书中寻找匹配项目,找不到则认为有错误
for(i=0;i<root_certif.extension.extension_num;i++)
{
if(!strcmp((const char *)root_certif.extension.name[i], item_group.bin_certif->name))
{
printf("find %s key stored in root certif\n", item_group.bin_certif->name);
if(memcmp(root_certif.extension.value[i], sub_certif.pubkey.n+1, sub_certif.pubkey.n_len-1))
{
printf("%s key n is incompatible\n", item_group.bin_certif->name);
printf(">>>>>>>key in rootcertif<<<<<<<<<<\n");
ndump(root_certif.extension.value[i], sub_certif.pubkey.n_len-1);
printf(">>>>>>>key in certif<<<<<<<<<<\n");
ndump(sub_certif.pubkey.n+1, sub_certif.pubkey.n_len-1);
return -1;
}
if(memcmp(root_certif.extension.value[i] + sub_certif.pubkey.n_len-1, sub_certif.pubkey.e, sub_certif.pubkey.e_len))
{
printf("%s key e is incompatible\n", item_group.bin_certif->name);
printf(">>>>>>>key in rootcertif<<<<<<<<<<\n");
ndump(root_certif.extension.value[i] + sub_certif.pubkey.n_len-1, sub_certif.pubkey.e_len);
printf(">>>>>>>key in certif<<<<<<<<<<\n");
ndump(sub_certif.pubkey.e, sub_certif.pubkey.e_len);
return -1;
}
break;
}
}
if(i==root_certif.extension.extension_num)
{
printf("cant find %s key stored in root certif", item_group.bin_certif->name);
return -1;
}
}
if(item_group.binfile)
{
//读出bin文件内容到内存
len = sunxi_flash_read(item_group.binfile->data_offset/512, (item_group.binfile->data_len+511)/512, (void *)item_group.binfile->run_addr);
//len = sunxi_flash_read(item_group.binfile->data_offset/512, (item_group.binfile->data_len+511)/512, (void *)0x2a000000);
if(!len)
{
printf("%s error: cant read bin file\n", __func__);
return -1;
}
//计算文件hash
memset(hash_of_file, 0, sizeof(hash_of_file));
ret = sunxi_sha_calc(hash_of_file, sizeof(hash_of_file), (u8 *)item_group.binfile->run_addr, item_group.binfile->data_len);
//ret = sunxi_sha_calc(hash_of_file, sizeof(hash_of_file), (u8 *)0x2a000000, item_group.binfile->data_len);
if(ret)
{
printf("sunxi_sha_calc: calc sha256 with hardware err\n");
return -1;
}
//使用内容证书的扩展项,和文件hash进行比较
//开始比较文件hash(小机端阶段计算得到)和证书hash(PC端计算得到)
if(memcmp(hash_of_file, sub_certif.extension.value[0], 32))
{
printf("hash compare is not correct\n");
printf(">>>>>>>hash of file<<<<<<<<<<\n");
ndump(hash_of_file, 32);
printf(">>>>>>>hash in certif<<<<<<<<<<\n");
ndump(sub_certif.extension.value[0], 32);
return -1;
}
printf("ready to run %s\n", item_group.binfile->name);
if(strcmp(item_group.binfile->name, "u-boot"))
{
out_to_ns = 0;
}
else
{
out_to_ns = 1;
}
go_exec(item_group.binfile->run_addr, CONFIG_TOC0_CONFIG_ADDR, out_to_ns);
}
}
while(1);
return 0;
}
int sunxi_verify_signature(void *buff, uint len, const char *cert_name)
{
u8 hash_of_file[32];
int ret;
struct sbrom_toc1_head_info *toc1_head;
struct sbrom_toc1_item_info *toc1_item;
sunxi_certif_info_t sub_certif;
int i;
memset(hash_of_file, 0, 32);
sunxi_ss_open();
ret = sunxi_sha_calc(hash_of_file, 32, buff, len);
if(ret)
{
printf("sunxi_verify_signature err: calc hash failed\n");
//sunxi_ss_close();
return -1;
}
//sunxi_ss_close();
printf("show hash of file\n");
sunxi_dump(hash_of_file, 32);
//获取来自toc1的证书序列
toc1_head = (struct sbrom_toc1_head_info *)CONFIG_TOC1_STORE_IN_DRAM_BASE;
toc1_item = (struct sbrom_toc1_item_info *)(CONFIG_TOC1_STORE_IN_DRAM_BASE + sizeof(struct sbrom_toc1_head_info));
for(i=1;i<toc1_head->items_nr;i++, toc1_item++)
{
if(toc1_item->type == TOC_ITEM_ENTRY_TYPE_BIN_CERTIF)
{
printf("find cert name %s\n", toc1_item->name);
if(!strcmp((const char *)toc1_item->name, cert_name))
{
//取出证书的扩展项
if(sunxi_certif_probe_ext(&sub_certif, (u8 *)(CONFIG_TOC1_STORE_IN_DRAM_BASE + toc1_item->data_offset), toc1_item->data_len))
{
printf("%s error: cant verify the content certif\n", __func__);
return -1;
}
//比较扩展项和hash
printf("show hash in certif\n");
sunxi_dump(sub_certif.extension.value[0], 32);
if(memcmp(hash_of_file, sub_certif.extension.value[0], 32))
{
printf("hash compare is not correct\n");
printf(">>>>>>>hash of file<<<<<<<<<<\n");
sunxi_dump(hash_of_file, 32);
printf(">>>>>>>hash in certif<<<<<<<<<<\n");
sunxi_dump(sub_certif.extension.value[0], 32);
return -1;
}
return 0;
}
}
}
printf("cant find a certif belong to %s\n", cert_name);
return -1;
}