/*
* Sets X509_EXTENSIONs
*/
static VALUE
ossl_x509crl_set_extensions(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_EXTENSION *ext;
int i;
Check_Type(ary, T_ARRAY);
/* All ary members should be X509 Extensions */
for (i=0; i<RARRAY_LEN(ary); i++) {
OSSL_Check_Kind(RARRAY_PTR(ary)[i], cX509Ext);
}
GetX509CRL(self, crl);
sk_X509_EXTENSION_pop_free(crl->crl->extensions, X509_EXTENSION_free);
crl->crl->extensions = NULL;
for (i=0; i<RARRAY_LEN(ary); i++) {
ext = DupX509ExtPtr(RARRAY_PTR(ary)[i]);
if(!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
X509_EXTENSION_free(ext);
ossl_raise(eX509CRLError, NULL);
}
X509_EXTENSION_free(ext);
}
return ary;
}
/*============================================================================
* OpcUa_P_OpenSSL_X509_AddCustomExtension
*===========================================================================*/
OpcUa_StatusCode OpcUa_P_OpenSSL_X509_AddCustomExtension(
X509** a_ppCertificate,
OpcUa_Crypto_Extension* a_pExtension,
X509V3_CTX* a_pX509V3Context)
{
X509_EXTENSION* pExtension = OpcUa_Null;
char* pName = OpcUa_Null;
char* pValue = OpcUa_Null;
OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "X509_AddCustomExtension");
OpcUa_ReturnErrorIfArgumentNull(a_pX509V3Context);
OpcUa_ReturnErrorIfArgumentNull(a_pExtension->key);
OpcUa_ReturnErrorIfArgumentNull(a_pExtension->value);
pName = (char*)a_pExtension->key;
pValue = (char*)a_pExtension->value;
/* create the extension. */
pExtension = X509V3_EXT_conf(
OpcUa_Null,
a_pX509V3Context,
pName,
pValue);
if(pExtension == OpcUa_Null)
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
/* add it to the certificate. */
if(!X509_add_ext(*a_ppCertificate, pExtension, -1))
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
/* free the extension. */
X509_EXTENSION_free(pExtension);
OpcUa_ReturnStatusCode;
OpcUa_BeginErrorHandling;
if(pExtension != OpcUa_Null)
{
X509_EXTENSION_free(pExtension);
}
OpcUa_FinishErrorHandling;
}
/*
* Add a X509v3 extension to a certificate and handle errors.
* Returns -1 on errors, 0 on success.
*/
int
ssl_x509_v3ext_add(X509V3_CTX *ctx, X509 *crt, char *k, char *v)
{
X509_EXTENSION *ext;
if (!(ext = X509V3_EXT_conf(NULL, ctx, k, v))) {
return -1;
}
if (X509_add_ext(crt, ext, -1) != 1) {
X509_EXTENSION_free(ext);
return -1;
}
X509_EXTENSION_free(ext);
return 0;
}
static int test_ocsp_url_svcloc_new(void)
{
static const char * urls[] = {
"www.openssl.org",
"www.openssl.net",
NULL
};
X509 *issuer = NULL;
X509_EXTENSION * ext = NULL;
int ret = 0;
if (!TEST_true(get_cert(&issuer)))
goto err;
/*
* Test calling this ocsp method to catch any memory leak
*/
ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls);
if (!TEST_ptr(ext))
goto err;
X509_EXTENSION_free(ext);
ret = 1;
err:
X509_free(issuer);
return ret;
}
sqbind::SQINT COsslCert::SetExtension( const sqbind::stdString &sField, const sqbind::stdString &sValue )
{ _STT();
if ( !m_pX509 )
return 0;
if ( !sField.length() )
return 0;
// Find this extension by short name
const ASN1_OBJECT* pObj = COSSLCERT_SnToObj( oexStrToMb( sqbind::std2oex( sField ) ).Ptr() );
if ( !pObj )
return 0;
// Create extension
X509_EXTENSION *ex = X509V3_EXT_conf_nid( oexNULL, oexNULL, pObj->nid, (char*)oexStrToMb( sqbind::std2oex( sValue ) ).Ptr() );
if ( !ex )
return 0;
// Add to cert
X509_add_ext( m_pX509, ex, -1 );
X509_EXTENSION_free( ex );
return 1;
}
/* Adds X509v3 extensions to a certificate. */
int add_ext(X509 *cacert, X509 *usrcert)
{
X509_EXTENSION *ext = NULL;
X509V3_CTX ctx;
int i = 0;
if (cacert == NULL || usrcert == NULL)
return OPENSSLCA_ERR_ARGS;
/* Set extension context */
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, cacert, usrcert, NULL, NULL, 0);
/* Add all specified extensions */
while (ext_entries[i].nid) {
if ((ext = X509V3_EXT_conf_nid(NULL, &ctx, ext_entries[i].nid, ext_entries[i].value)) == NULL)
return OPENSSLCA_ERR_EXT_MAKE;
if (!X509_add_ext(usrcert, ext, -1))
return OPENSSLCA_ERR_EXT_ADD;
X509_EXTENSION_free(ext);
i++;
}
return OPENSSLCA_NO_ERR;
}
static VALUE
ossl_x509crl_add_extension(VALUE self, VALUE extension)
{
X509_CRL *crl;
X509_EXTENSION *ext;
GetX509CRL(self, crl);
ext = DupX509ExtPtr(extension);
if (!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
X509_EXTENSION_free(ext);
ossl_raise(eX509CRLError, NULL);
}
X509_EXTENSION_free(ext);
return extension;
}
static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
extern "C" void X509ExtensionDestroy(X509_EXTENSION* a)
{
if (a != nullptr)
{
X509_EXTENSION_free(a);
}
}
void pki_crl::addV3ext(const x509v3ext &e)
{
X509_EXTENSION *ext = e.get();
X509_CRL_add_ext(crl, ext, -1);
X509_EXTENSION_free(ext);
pki_openssl_error();
}
static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER(bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
static int openssl_xext_free(lua_State* L)
{
X509_EXTENSION *x = CHECK_OBJECT(1, X509_EXTENSION, "openssl.x509_extension");
lua_pushnil(L);
lua_setmetatable(L, 1);
X509_EXTENSION_free(x);
return 0;
};
/*
* Deallocate the memory used by the X509Extension object
*
* Arguments: self - The X509Extension object
* Returns: None
*/
static void
crypto_X509Extension_dealloc(crypto_X509ExtensionObj *self)
{
/* Sometimes we don't have to dealloc this */
if (self->dealloc)
X509_EXTENSION_free(self->x509_extension);
PyObject_Del(self);
}
DWORD
VMCAUpdateAuthorityKeyIdentifier(
X509_CRL *pCrl,
PVMCA_X509_CA pCA
)
{
DWORD dwError = 0;
X509V3_CTX ctx;
X509_EXTENSION *pExtension = NULL;
if (!pCA ||
!pCA->pCertificate ||
!pCrl
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMCA_ERROR (dwError);
}
X509V3_set_ctx_nodb (&ctx);
X509V3_set_ctx(
&ctx,
pCA->pCertificate,
NULL,
NULL,
pCrl,
0
);
pExtension = X509V3_EXT_conf_nid(
NULL,
&ctx,
NID_authority_key_identifier,
"keyid"
);
if (!pExtension)
{
goto error;
}
X509_CRL_add_ext (pCrl, pExtension, -1);
cleanup:
if (pExtension)
{
X509_EXTENSION_free(pExtension);
}
return dwError;
error:
goto cleanup;
}
void PKI_X509_EXTENSION_free ( PKI_X509_EXTENSION *ext ) {
if( ext ) {
if( ext->value ) X509_EXTENSION_free ( ext->value );
PKI_Free (ext);
}
return;
}
/**
* Returns true on success, false on failure
*
* Example:
* @code
* <#example#>
* @endcode
*/
static bool
_addCertificateExtension(X509 *cert, int nid, char *value)
{
X509_EXTENSION *extension = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
if (extension == NULL) {
return false;
}
X509_add_ext(cert, extension, -1);
X509_EXTENSION_free(extension);
return true;
}
int SDMMD__add_ext(X509 *cert, int flag, char *name)
{
int result = 0;
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cert, cert, 0, 0, 0);
X509_EXTENSION *ex = X509V3_EXT_conf_nid(0, &ctx, flag, name);
if (ex) {
result = X509_add_ext(cert, ex, -1);
X509_EXTENSION_free(ex);
}
return result;
}
int add_ext(X509 *cert, int nid, char *value)
{
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex) return 0;
X509_add_ext(cert,ex,-1);
X509_EXTENSION_free(ex);
return 1;
}
/*
* Set one extension in a given certificate
*/
static int set_extension(X509 * issuer, X509 * cert, int nid, char * value)
{
X509_EXTENSION * ext ;
X509V3_CTX ctx ;
X509V3_set_ctx(&ctx, issuer, cert, NULL, NULL, 0);
ext = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ext)
return -1;
X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext);
return 0 ;
}
// Add extension using V3 code: we can set the config file as NULL because we wont reference any other sections.
int __fastcall util_add_ext(X509 *cert, int nid, char *value)
{
X509_EXTENSION *ex;
X509V3_CTX ctx;
// This sets the 'context' of the extensions. No configuration database
X509V3_set_ctx_nodb(&ctx);
// Issuer and subject certs: both the target since it is self signed, no request and no CRL
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex) return 0;
X509_add_ext(cert,ex,-1);
X509_EXTENSION_free(ex);
return 1;
}
int add_ext( X509 *issuer, X509 *subj, int nid, const char* value ) {
X509V3_CTX ctx;
X509V3_set_ctx( &ctx, issuer, subj, NULL, NULL, 0 );
X509_EXTENSION *ex = X509V3_EXT_conf_nid( NULL, &ctx, nid, (char *) value );
if( !ex ) {
return 0;
}
// removing old extensions of the same type
int loc = -1;
while( ( loc = X509_get_ext_by_NID(subj, nid, loc) ) != -1 ){
printf("Removing old extension number %d\n", loc);
X509_EXTENSION *old = X509_delete_ext(subj, loc);
X509_EXTENSION_free(old);
}
// adding the new extension
X509_add_ext( subj, ex, -1 );
X509_EXTENSION_free( ex );
return 1;
}
static X509 *pki_certificate(X509_NAME *issuer, EVP_PKEY *keyring, X509_REQ *cert_req,
uint8_t is_cert_authority, uint32_t serial, uint32_t expiration_delay)
{
jlog(L_DEBUG, "pki_certificate");
X509 *certificate;
X509_NAME *subject;
X509V3_CTX ctx;
X509_EXTENSION *ext;
// create a new certificate
certificate = X509_new();
// set certificate unique serial number
ASN1_INTEGER_set(X509_get_serialNumber(certificate), serial);
// set certificate 'Subject:'
subject = X509_REQ_get_subject_name(cert_req);
X509_set_subject_name(certificate, subject);
// set certificate 'Issuer:'
X509_set_issuer_name(certificate, issuer);
// set X509v3 extension "basicConstraints" CA:TRUE/FALSE
X509V3_set_ctx(&ctx, NULL, certificate, cert_req, NULL, 0);
if (is_cert_authority == true)
ext = X509V3_EXT_conf(NULL, &ctx, "basicConstraints", "CA:TRUE");
else
ext = X509V3_EXT_conf(NULL, &ctx, "basicConstraints", "CA:FALSE");
X509_add_ext(certificate, ext, -1);
X509_EXTENSION_free(ext);
// set certificate version 3
X509_set_version(certificate, 0x2);
// set certificate public key
X509_set_pubkey(certificate, keyring);
// set the 'notBefore' to yersterday
X509_gmtime_adj(X509_get_notBefore(certificate), -(24*60*60));
// set certificate expiration delay
X509_gmtime_adj(X509_get_notAfter(certificate), expiration_delay);
return certificate;
}
/**
* Returns true on success, false on failure
*
* Example:
* @code
* <#example#>
* @endcode
*/
static bool
_addCertificateExtensionWithContext(X509 *cert, int nid, char *value)
{
X509_EXTENSION *extension;
X509V3_CTX context;
X509V3_set_ctx_nodb(&context);
X509V3_set_ctx(&context, cert, cert, NULL, NULL, 0);
extension = X509V3_EXT_conf_nid(NULL, &context, nid, value);
if (extension == NULL) {
return false;
}
X509_add_ext(cert, extension, -1);
X509_EXTENSION_free(extension);
return true;
}
void add_ext(X509 *cert, int nid, const char *value)
{
X509_EXTENSION *ex = NULL;
X509V3_CTX ctx;
/* This sets the 'context' of the extensions. */
/* No configuration database */
X509V3_set_ctx_nodb(&ctx);
/* Issuer and subject certs: both the target since it is self signed,
* no request and no CRL
*/
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
MORDOR_VERIFY(X509V3_EXT_conf_nid(NULL, &ctx, nid, (char*) value));
X509_add_ext(cert,ex,-1);
X509_EXTENSION_free(ex);
}
// verify if prefix is part of the resources listed in cert
// CA and untrusted are needed, because the resources in cert could be inherited
// prefix_as_ext is the text-representation of an ip-address block like you would specify in an extension file
// when creating a certificate, e.g. IPv6:2001:0638::/32
int verify_prefix_with_cert(
int CA_der_count,
int CA_der_length,
const char* CAs_der,
int untrusted_der_count,
int untrusted_der_length,
const char* untrusted_der,
int cert_der_length,
const char* cert_der,
char* prefix_as_ext
)
{
X509_EXTENSION *prefix_ext;
IPAddrBlocks *prefix_blocks = NULL;
STACK_OF(X509) *chain = NULL;
int allow_inheritance = 0; // router prefix cannot inherit
int ret = 0;
if ((prefix_ext = X509V3_EXT_conf_nid(NULL, NULL, NID_sbgp_ipAddrBlock, prefix_as_ext)) == NULL){
ret = -1;
goto end;
}
prefix_blocks = (IPAddrBlocks *) X509V3_EXT_d2i(prefix_ext);
X509_EXTENSION_free(prefix_ext);
chain = get_verified_chain(
CA_der_count,
CA_der_length,
CAs_der,
untrusted_der_count,
untrusted_der_length,
untrusted_der,
cert_der_length,
cert_der
);
if (chain == NULL) {
ret = 0;
} else {
ret = v3_addr_validate_resource_set(chain, prefix_blocks, allow_inheritance);
}
end:
if (prefix_blocks != NULL) sk_IPAddressFamily_pop_free(prefix_blocks, IPAddressFamily_free);
if (chain != NULL) sk_X509_pop_free(chain, X509_free);
return ret;
}
int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
X509_CRL *crl)
{
X509_EXTENSION *ext;
STACK_OF(CONF_VALUE) *nval;
CONF_VALUE *val;
int i;
if(!(nval = CONF_get_section(conf, section))) return 0;
for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
return 0;
if(crl) X509_CRL_add_ext(crl, ext, -1);
X509_EXTENSION_free(ext);
}
return 1;
}
DeltaCRLIndicatorExtension::DeltaCRLIndicatorExtension(X509_EXTENSION* ext) throw (CertificationException) : Extension(ext)
{
ASN1_INTEGER* serialAsn1 = NULL;
if (OBJ_obj2nid(ext->object) != NID_delta_crl)
{
X509_EXTENSION_free(ext);
throw CertificationException(CertificationException::INVALID_TYPE, "DeltaCRLIndicatorExtension::DeltaCRLIndicatorExtension");
}
serialAsn1 = (ASN1_INTEGER *)X509V3_EXT_d2i(ext);
if(!serialAsn1)
{
throw CertificationException(CertificationException::INTERNAL_ERROR, "DeltaCRLIndicatorExtension::DeltaCRLIndicatorExtension");
}
this->baseCrlNumber = ASN1_INTEGER_get(serialAsn1);
ASN1_INTEGER_free(serialAsn1);
}
/*
* Sets X509_EXTENSIONs
*/
static VALUE
ossl_x509crl_set_extensions(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_EXTENSION *ext;
long i;
Check_Type(ary, T_ARRAY);
/* All ary members should be X509 Extensions */
for (i=0; i<RARRAY_LEN(ary); i++) {
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
}
GetX509CRL(self, crl);
while ((ext = X509_CRL_delete_ext(crl, 0)))
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
if (!X509_CRL_add_ext(crl, ext, -1)) {
ossl_raise(eX509CRLError, NULL);
}
}
return ary;
}
static VALUE
ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
VALUE reason, VALUE revtime,
VALUE thisupd, VALUE nextupd, VALUE ext)
{
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *single;
OCSP_CERTID *id;
int st, rsn;
ASN1_TIME *ths, *nxt, *rev;
int error, i, rstatus = 0;
VALUE tmp;
st = NUM2INT(status);
rsn = NIL_P(status) ? 0 : NUM2INT(reason);
if(!NIL_P(ext)) {
/* All ary's members should be X509Extension */
Check_Type(ext, T_ARRAY);
for (i = 0; i < RARRAY_LEN(ext); i++)
OSSL_Check_Kind(RARRAY_AT(ext, i), cX509Ext);
}
error = 0;
ths = nxt = rev = NULL;
if(!NIL_P(revtime)) {
tmp = rb_protect(rb_Integer, revtime, &rstatus);
if(rstatus) goto err;
rev = X509_gmtime_adj(NULL, NUM2INT(tmp));
}
tmp = rb_protect(rb_Integer, thisupd, &rstatus);
if(rstatus) goto err;
ths = X509_gmtime_adj(NULL, NUM2INT(tmp));
tmp = rb_protect(rb_Integer, nextupd, &rstatus);
if(rstatus) goto err;
nxt = X509_gmtime_adj(NULL, NUM2INT(tmp));
GetOCSPBasicRes(self, bs);
SafeGetOCSPCertId(cid, id);
if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))) {
error = 1;
goto err;
}
if(!NIL_P(ext)) {
X509_EXTENSION *x509ext;
sk_X509_EXTENSION_pop_free(single->singleExtensions, X509_EXTENSION_free);
single->singleExtensions = NULL;
for(i = 0; i < RARRAY_LEN(ext); i++) {
x509ext = DupX509ExtPtr(RARRAY_AT(ext, i));
if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)) {
X509_EXTENSION_free(x509ext);
error = 1;
goto err;
}
X509_EXTENSION_free(x509ext);
}
}
err:
ASN1_TIME_free(ths);
ASN1_TIME_free(nxt);
ASN1_TIME_free(rev);
if(error) ossl_raise(eOCSPError, NULL);
if(rstatus) rb_jump_tag(rstatus);
return self;
}
int main(int argc, char *argv[])
{
STACK_OF(X509_EXTENSION) * sk = NULL;
X509_EXTENSION *hash_ext = NULL;
X509_EXTENSION *nvctr_ext = NULL;
X509_EXTENSION *trusted_key_ext = NULL;
X509_EXTENSION *non_trusted_key_ext = NULL;
FILE *file = NULL;
int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
int c, opt_idx = 0;
unsigned int err_code;
unsigned char md[SHA256_DIGEST_LENGTH];
const EVP_MD *md_info;
NOTICE("CoT Generation Tool: %s\n", build_msg);
NOTICE("Target platform: %s\n", platform_msg);
/* Set default options */
key_alg = KEY_ALG_RSA;
while (1) {
/* getopt_long stores the option index here. */
c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
break;
}
switch (c) {
case 'a':
key_alg = get_key_alg(optarg);
if (key_alg < 0) {
ERROR("Invalid key algorithm '%s'\n", optarg);
exit(1);
}
break;
case 'h':
print_help(argv[0]);
break;
case 'k':
save_keys = 1;
break;
case 'n':
new_keys = 1;
break;
case 'p':
print_cert = 1;
break;
case BL2_ID:
certs[BL2_CERT].bin = strdup(optarg);
break;
case BL30_ID:
certs[BL30_CERT].bin = strdup(optarg);
break;
case BL31_ID:
certs[BL31_CERT].bin = strdup(optarg);
break;
case BL32_ID:
certs[BL32_CERT].bin = strdup(optarg);
break;
case BL33_ID:
certs[BL33_CERT].bin = strdup(optarg);
break;
case BL2_CERT_ID:
certs[BL2_CERT].fn = strdup(optarg);
break;
case TRUSTED_KEY_CERT_ID:
certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
break;
case BL30_KEY_CERT_ID:
certs[BL30_KEY_CERT].fn = strdup(optarg);
break;
case BL30_CERT_ID:
certs[BL30_CERT].fn = strdup(optarg);
break;
case BL31_KEY_CERT_ID:
certs[BL31_KEY_CERT].fn = strdup(optarg);
break;
case BL31_CERT_ID:
certs[BL31_CERT].fn = strdup(optarg);
break;
case BL32_KEY_CERT_ID:
certs[BL32_KEY_CERT].fn = strdup(optarg);
break;
case BL32_CERT_ID:
certs[BL32_CERT].fn = strdup(optarg);
break;
case BL33_KEY_CERT_ID:
certs[BL33_KEY_CERT].fn = strdup(optarg);
break;
case BL33_CERT_ID:
certs[BL33_CERT].fn = strdup(optarg);
break;
case ROT_KEY_ID:
keys[ROT_KEY].fn = strdup(optarg);
break;
case TRUSTED_WORLD_KEY_ID:
keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
break;
case NON_TRUSTED_WORLD_KEY_ID:
keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
break;
case BL30_KEY_ID:
keys[BL30_KEY].fn = strdup(optarg);
break;
case BL31_KEY_ID:
keys[BL31_KEY].fn = strdup(optarg);
break;
case BL32_KEY_ID:
keys[BL32_KEY].fn = strdup(optarg);
break;
case BL33_KEY_ID:
keys[BL33_KEY].fn = strdup(optarg);
break;
case '?':
default:
printf("%s\n", optarg);
exit(1);
}
}
/* Set the value of the NVCounters */
tf_nvcounter = NVCOUNTER_VALUE;
non_tf_nvcounter = NVCOUNTER_VALUE;
/* Check command line arguments */
check_cmd_params();
/* Register the new types and OIDs for the extensions */
if (ext_init(tbb_ext) != 0) {
ERROR("Cannot initialize TBB extensions\n");
exit(1);
}
/* Indicate SHA256 as image hash algorithm in the certificate
* extension */
md_info = EVP_sha256();
/* Get non-volatile counters NIDs */
CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
/* Load private keys from files (or generate new ones) */
for (i = 0 ; i < NUM_KEYS ; i++) {
/* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) {
/* Key loaded successfully */
continue;
}
/* Key not loaded. Check the error code */
if (err_code == KEY_ERR_MALLOC) {
/* Cannot allocate memory. Abort. */
ERROR("Malloc error while loading '%s'\n", keys[i].fn);
exit(1);
} else if (err_code == KEY_ERR_LOAD) {
/* File exists, but it does not contain a valid private
* key. Abort. */
ERROR("Error loading '%s'\n", keys[i].fn);
exit(1);
}
/* File does not exist, could not be opened or no filename was
* given */
if (new_keys) {
/* Try to create a new key */
NOTICE("Creating new key for '%s'\n", keys[i].desc);
if (!key_create(&keys[i], key_alg)) {
ERROR("Error creating key '%s'\n", keys[i].desc);
exit(1);
}
} else {
if (err_code == KEY_ERR_OPEN) {
ERROR("Error opening '%s'\n", keys[i].fn);
} else {
ERROR("Key '%s' not specified\n", keys[i].desc);
}
exit(1);
}
}
/* *********************************************************************
* BL2 certificate (Trusted Boot Firmware certificate):
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL2 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
/* Add the NVCounter as a critical extension */
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
/* Add hash of BL2 as an extension */
if (!sha_file(certs[BL2_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL2_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
/* Create certificate. Signed with ROT key */
if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* Trusted Key certificate:
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedWorldPK
* - NonTrustedWorldPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[TRUSTED_WORLD_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[NON_TRUSTED_WORLD_KEY].key));
sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL30 Key certificate (Trusted SCP Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareContentCertPK
**********************************************************************/
if (bl30_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL30_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL30 certificate (SCP Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareHash
**********************************************************************/
if (bl30_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL30_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n",
certs[BL30_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL30_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL31 Key certificate (Trusted SoC Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SoCFirmwareContentCertPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL31_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL31 certificate (SOC Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL31 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL31_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL31_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL32 Key certificate (Trusted OS Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedOSFirmwareContentCertPK
**********************************************************************/
if (bl32_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL32_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL32 certificate (TrustedOS Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL32 hash
**********************************************************************/
if (bl32_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL32_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n",
certs[BL32_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL32_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL33 Key certificate (Non Trusted Firmware Key certificate):
* - Self-signed with Non Trusted World key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - NonTrustedFirmwareContentCertPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
non_tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL33_KEY].key));
sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL33 certificate (Non-Trusted World Content certificate):
* - Signed with Non-Trusted World Key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - BL33 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
non_tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL33_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL33_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* Print the certificates */
if (print_cert) {
for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
if (!certs[i].x) {
continue;
}
printf("\n\n=====================================\n\n");
X509_print_fp(stdout, certs[i].x);
}
}
/* Save created certificates to files */
for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
if (certs[i].x && certs[i].fn) {
file = fopen(certs[i].fn, "w");
if (file != NULL) {
i2d_X509_fp(file, certs[i].x);
fclose(file);
} else {
ERROR("Cannot create file %s\n", certs[i].fn);
}
}
}
/* Save keys */
if (save_keys) {
for (i = 0 ; i < NUM_KEYS ; i++) {
if (!key_store(&keys[i])) {
ERROR("Cannot save %s\n", keys[i].desc);
}
}
}
X509_EXTENSION_free(hash_ext);
X509_EXTENSION_free(nvctr_ext);
X509_EXTENSION_free(trusted_key_ext);
X509_EXTENSION_free(non_trusted_key_ext);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
return 0;
}
