/* Writes a certificate to a new file. */
int write_cert(X509 *cert)
{
FILE *fp = NULL;
char filename[MAX_PATH], serialstr[20];
long serial = ASN1_INTEGER_get(X509_get_serialNumber(cert));
int ret;
/* Create file name from serial number */
strcpy(filename, CA_PATH(caIni.newCertsDir));
strcat(filename, _ltoa(serial, serialstr, 10));
strcat(filename, caIni.newCertsExt);
fp = fopen(filename, "w");
if (fp == NULL)
return OPENSSLCA_ERR_CERT_OPEN;
/* Write certificate text */
if (X509_print_fp(fp, cert) != 1) {
ret = OPENSSLCA_ERR_CERT_WRITE;
goto err;
}
/* Write PEM */
if (PEM_write_X509(fp, cert) != 1) {
ret = OPENSSLCA_ERR_CERT_WRITE;
goto err;
}
err:
if (fp)
fclose(fp);
return ret;
}
/*
* Callback function passed to est_client_init()
*/
static int client_manual_cert_verify(X509 *cur_cert, int openssl_cert_error)
{
BIO *bio_err;
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
int approve = 0;
if (openssl_cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) {
return (1);
}
/*
* Print out the specifics of this cert
*/
printf("%s: OpenSSL/EST server cert verification failed with the following error: openssl_cert_error = %d (%s)\n",
__FUNCTION__, openssl_cert_error,
X509_verify_cert_error_string(openssl_cert_error));
printf("Failing Cert:\n");
X509_print_fp(stdout,cur_cert);
/*
* Next call prints out the signature which can be used as the fingerprint
* This fingerprint can be checked against the anticipated value to determine
* whether or not the server's cert should be approved.
*/
// X509_signature_print(bio_err, cur_cert->sig_alg, cur_cert->signature);
BIO_free(bio_err);
return approve;
}
int main()
{
BIO *bio_err;
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
mkit(&x509, &pkey, 512, 0, 365);
RSA_print_fp(stdout, pkey->pkey.rsa, 0);
X509_print_fp(stdout, x509);
PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
PEM_write_X509(stdout, x509);
X509_free(x509);
EVP_PKEY_free(pkey);
#ifdef CUSTOM_EXT
/* Only needed if we add objects or custom extensions */
X509V3_EXT_cleanup();
OBJ_cleanup();
#endif
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return (0);
}
int main(int argc, char **argv)
{
BIO *bio_err;
X509 *x509=NULL;
EVP_PKEY *pkey=NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
mkcert(&x509,&pkey,argv[1],1024,0,365);
FILE* file = fopen(argv[2], "w");
PEM_write_PrivateKey(file,pkey,NULL,NULL,0,NULL, NULL);
fclose(file);
printf("Private key written to: %s\n", argv[2]);
file = fopen(argv[3], "w");
X509_print_fp(file,x509);
PEM_write_X509(file,x509);
fclose(file);
printf("Certificate written to: %s\n", argv[3]);
X509_free(x509);
EVP_PKEY_free(pkey);
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return(0);
}
int main(int argc, char **argv)
{
BIO *bio_err;
X509 *x509=NULL;
EVP_PKEY *pkey=NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
mkcert(&x509,&pkey,512,0,365);
RSA_print_fp(stdout,pkey->pkey.rsa,0);
X509_print_fp(stdout,x509);
PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
PEM_write_X509(stdout,x509);
X509_free(x509);
EVP_PKEY_free(pkey);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return(0);
}
int
crypto_cert_print_fp(FILE * fp, CRYPTO_CERT * cert)
{
#ifdef CRYPTO_OPENSSL
return X509_print_fp(fp, cert);
#else /* built-in crypto */
return ssl_cert_print_fp(fp, cert);
#endif
}
/** send the TCP queries and print answers */
static void
send_em(const char* svr, int udp, int usessl, int noanswer, int num, char** qs)
{
sldns_buffer* buf = sldns_buffer_new(65553);
int fd = open_svr(svr, udp);
int i;
SSL_CTX* ctx = NULL;
SSL* ssl = NULL;
if(!buf) fatal_exit("out of memory");
if(usessl) {
ctx = connect_sslctx_create(NULL, NULL, NULL);
if(!ctx) fatal_exit("cannot create ssl ctx");
ssl = outgoing_ssl_fd(ctx, fd);
if(!ssl) fatal_exit("cannot create ssl");
while(1) {
int r;
ERR_clear_error();
if( (r=SSL_do_handshake(ssl)) == 1)
break;
r = SSL_get_error(ssl, r);
if(r != SSL_ERROR_WANT_READ &&
r != SSL_ERROR_WANT_WRITE) {
log_crypto_err("could not ssl_handshake");
exit(1);
}
}
if(1) {
X509* x = SSL_get_peer_certificate(ssl);
if(!x) printf("SSL: no peer certificate\n");
else {
X509_print_fp(stdout, x);
X509_free(x);
}
}
}
for(i=0; i<num; i+=3) {
printf("\nNext query is %s %s %s\n", qs[i], qs[i+1], qs[i+2]);
write_q(fd, udp, ssl, buf, (uint16_t)get_random(), qs[i],
qs[i+1], qs[i+2]);
/* print at least one result */
if(!noanswer)
recv_one(fd, udp, ssl, buf);
}
if(usessl) {
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
}
#ifndef USE_WINSOCK
close(fd);
#else
closesocket(fd);
#endif
sldns_buffer_free(buf);
printf("orderly exit\n");
}
void mkcert(X509_REQ* req, const char* rootkey, const char* rootcert, const char* passwd)
{
RSA* rsa_key = EVP_PKEY_get1_RSA(X509_PUBKEY_get(req->req_info->pubkey));
int key_length = RSA_size(rsa_key);
if (key_len != 128) {
fprintf(stderr, "CA::key length of req is %d, not long enough\n");
return NULL;
}
X509* cacert = X509_new();
assert(cacert != NULL);
load_cacert(&cacert, rootcert);
EVP_PKEY* cakey = EVP_PKEY_new();
load_cakey(&cakey, rootkey, passwd);
PEM_write_PrivateKey(stdout, cakey, NULL, NULL, 0, NULL, NULL);
PEM_write_PUBKEY(stdout, cakey);
X509* x = X509_new();
X509_set_version(x, 3);
ASN1_INTEGER_set(X509_get_serialNumber(x), 1024);
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * 365);
X509_set_pubkey(x, X509_PUBKEY_get(req->req_info->pubkey));
X509_set_subject_name(x, X509_REQ_get_subject_name(req));
X509_set_issuer_name(x, X509_get_subject_name(cacert));
assert(X509_sign(x, cakey, EVP_sha1()) > 0);
FILE* f = fopen("usercert.pem", "wb");
PEM_write_X509(f, x);
fclose(f);
X509_print_fp(stdout, x);
PEM_write_X509(stdout, x);
X509_free(cacert);
EVP_PKEY_free(cakey);
}
X509 *
ssl_update_certificate(X509 *oldcert, EVP_PKEY *pkey, EVP_PKEY *capkey,
X509 *cacert)
{
char name[2][TLS_NAME_SIZE];
X509 *cert = NULL;
name[0][0] = name[1][0] = '\0';
if (!X509_NAME_oneline(X509_get_subject_name(oldcert),
name[0], sizeof(name[0])) ||
!X509_NAME_oneline(X509_get_issuer_name(oldcert),
name[1], sizeof(name[1])))
goto done;
if ((cert = X509_dup(oldcert)) == NULL)
goto done;
/* Update certificate key and use our CA as the issuer */
X509_set_pubkey(cert, pkey);
X509_set_issuer_name(cert, X509_get_subject_name(cacert));
/* Sign with our CA */
if (!X509_sign(cert, capkey, EVP_sha1())) {
X509_free(cert);
cert = NULL;
}
#if DEBUG_CERT
log_debug("%s: subject %s", __func__, name[0]);
log_debug("%s: issuer %s", __func__, name[1]);
#if DEBUG > 2
X509_print_fp(stdout, cert);
#endif
#endif
done:
if (cert == NULL)
ssl_error(__func__, name[0]);
return (cert);
}
/* cr_load_certs : loads private key and certificates from files
* if cert_file and key_file are NULL , the function will generate
* a dynamic certificate and private key
*/
void cr_load_certs(SSL_CTX *ssl,u_char *cert_file,u_char *key_file)
{
X509 *cert = NULL;
EVP_PKEY *pkey = NULL;
if(cert_file == NULL || key_file == NULL) {
/* generate a public certificate and a private key */
cr_make_cert(&cert,&pkey,2048,0,365);
SSL_CTX_use_certificate(ssl, cert);
SSL_CTX_use_PrivateKey(ssl, pkey);
#ifdef CR_MK_CERT
RSA_print_fp(stdout,pkey->pkey.rsa,0);
X509_print_fp(stdout,cert);
PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
PEM_write_X509(stdout,cert);
#endif
} else {
if (SSL_CTX_use_certificate_file(ssl, (const char*)cert_file,
SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
if (SSL_CTX_use_RSAPrivateKey_file(ssl, (const char*)key_file,
SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
}
if (!SSL_CTX_check_private_key(ssl)) {
perrx("Private key does not match the certificate public key\n");
exit(5);
}
}
int main(int argc, char *argv[])
{
STACK_OF(X509_EXTENSION) * sk = NULL;
X509_EXTENSION *hash_ext = NULL;
X509_EXTENSION *nvctr_ext = NULL;
X509_EXTENSION *trusted_key_ext = NULL;
X509_EXTENSION *non_trusted_key_ext = NULL;
FILE *file = NULL;
int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
int c, opt_idx = 0;
unsigned int err_code;
unsigned char md[SHA256_DIGEST_LENGTH];
const EVP_MD *md_info;
NOTICE("CoT Generation Tool: %s\n", build_msg);
NOTICE("Target platform: %s\n", platform_msg);
/* Set default options */
key_alg = KEY_ALG_RSA;
while (1) {
/* getopt_long stores the option index here. */
c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
break;
}
switch (c) {
case 'a':
key_alg = get_key_alg(optarg);
if (key_alg < 0) {
ERROR("Invalid key algorithm '%s'\n", optarg);
exit(1);
}
break;
case 'h':
print_help(argv[0]);
break;
case 'k':
save_keys = 1;
break;
case 'n':
new_keys = 1;
break;
case 'p':
print_cert = 1;
break;
case BL2_ID:
certs[BL2_CERT].bin = strdup(optarg);
break;
case BL30_ID:
certs[BL30_CERT].bin = strdup(optarg);
break;
case BL31_ID:
certs[BL31_CERT].bin = strdup(optarg);
break;
case BL32_ID:
certs[BL32_CERT].bin = strdup(optarg);
break;
case BL33_ID:
certs[BL33_CERT].bin = strdup(optarg);
break;
case BL2_CERT_ID:
certs[BL2_CERT].fn = strdup(optarg);
break;
case TRUSTED_KEY_CERT_ID:
certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
break;
case BL30_KEY_CERT_ID:
certs[BL30_KEY_CERT].fn = strdup(optarg);
break;
case BL30_CERT_ID:
certs[BL30_CERT].fn = strdup(optarg);
break;
case BL31_KEY_CERT_ID:
certs[BL31_KEY_CERT].fn = strdup(optarg);
break;
case BL31_CERT_ID:
certs[BL31_CERT].fn = strdup(optarg);
break;
case BL32_KEY_CERT_ID:
certs[BL32_KEY_CERT].fn = strdup(optarg);
break;
case BL32_CERT_ID:
certs[BL32_CERT].fn = strdup(optarg);
break;
case BL33_KEY_CERT_ID:
certs[BL33_KEY_CERT].fn = strdup(optarg);
break;
case BL33_CERT_ID:
certs[BL33_CERT].fn = strdup(optarg);
break;
case ROT_KEY_ID:
keys[ROT_KEY].fn = strdup(optarg);
break;
case TRUSTED_WORLD_KEY_ID:
keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
break;
case NON_TRUSTED_WORLD_KEY_ID:
keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
break;
case BL30_KEY_ID:
keys[BL30_KEY].fn = strdup(optarg);
break;
case BL31_KEY_ID:
keys[BL31_KEY].fn = strdup(optarg);
break;
case BL32_KEY_ID:
keys[BL32_KEY].fn = strdup(optarg);
break;
case BL33_KEY_ID:
keys[BL33_KEY].fn = strdup(optarg);
break;
case '?':
default:
printf("%s\n", optarg);
exit(1);
}
}
/* Set the value of the NVCounters */
tf_nvcounter = NVCOUNTER_VALUE;
non_tf_nvcounter = NVCOUNTER_VALUE;
/* Check command line arguments */
check_cmd_params();
/* Register the new types and OIDs for the extensions */
if (ext_init(tbb_ext) != 0) {
ERROR("Cannot initialize TBB extensions\n");
exit(1);
}
/* Indicate SHA256 as image hash algorithm in the certificate
* extension */
md_info = EVP_sha256();
/* Get non-volatile counters NIDs */
CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
/* Load private keys from files (or generate new ones) */
for (i = 0 ; i < NUM_KEYS ; i++) {
/* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) {
/* Key loaded successfully */
continue;
}
/* Key not loaded. Check the error code */
if (err_code == KEY_ERR_MALLOC) {
/* Cannot allocate memory. Abort. */
ERROR("Malloc error while loading '%s'\n", keys[i].fn);
exit(1);
} else if (err_code == KEY_ERR_LOAD) {
/* File exists, but it does not contain a valid private
* key. Abort. */
ERROR("Error loading '%s'\n", keys[i].fn);
exit(1);
}
/* File does not exist, could not be opened or no filename was
* given */
if (new_keys) {
/* Try to create a new key */
NOTICE("Creating new key for '%s'\n", keys[i].desc);
if (!key_create(&keys[i], key_alg)) {
ERROR("Error creating key '%s'\n", keys[i].desc);
exit(1);
}
} else {
if (err_code == KEY_ERR_OPEN) {
ERROR("Error opening '%s'\n", keys[i].fn);
} else {
ERROR("Key '%s' not specified\n", keys[i].desc);
}
exit(1);
}
}
/* *********************************************************************
* BL2 certificate (Trusted Boot Firmware certificate):
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL2 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
/* Add the NVCounter as a critical extension */
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
/* Add hash of BL2 as an extension */
if (!sha_file(certs[BL2_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL2_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
/* Create certificate. Signed with ROT key */
if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* Trusted Key certificate:
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedWorldPK
* - NonTrustedWorldPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[TRUSTED_WORLD_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[NON_TRUSTED_WORLD_KEY].key));
sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL30 Key certificate (Trusted SCP Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareContentCertPK
**********************************************************************/
if (bl30_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL30_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL30 certificate (SCP Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareHash
**********************************************************************/
if (bl30_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL30_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n",
certs[BL30_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL30_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL31 Key certificate (Trusted SoC Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SoCFirmwareContentCertPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL31_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL31 certificate (SOC Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL31 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL31_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL31_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL32 Key certificate (Trusted OS Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedOSFirmwareContentCertPK
**********************************************************************/
if (bl32_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL32_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL32 certificate (TrustedOS Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL32 hash
**********************************************************************/
if (bl32_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL32_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n",
certs[BL32_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL32_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL33 Key certificate (Non Trusted Firmware Key certificate):
* - Self-signed with Non Trusted World key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - NonTrustedFirmwareContentCertPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
non_tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL33_KEY].key));
sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL33 certificate (Non-Trusted World Content certificate):
* - Signed with Non-Trusted World Key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - BL33 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
non_tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL33_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL33_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* Print the certificates */
if (print_cert) {
for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
if (!certs[i].x) {
continue;
}
printf("\n\n=====================================\n\n");
X509_print_fp(stdout, certs[i].x);
}
}
/* Save created certificates to files */
for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
if (certs[i].x && certs[i].fn) {
file = fopen(certs[i].fn, "w");
if (file != NULL) {
i2d_X509_fp(file, certs[i].x);
fclose(file);
} else {
ERROR("Cannot create file %s\n", certs[i].fn);
}
}
}
/* Save keys */
if (save_keys) {
for (i = 0 ; i < NUM_KEYS ; i++) {
if (!key_store(&keys[i])) {
ERROR("Cannot save %s\n", keys[i].desc);
}
}
}
X509_EXTENSION_free(hash_ext);
X509_EXTENSION_free(nvctr_ext);
X509_EXTENSION_free(trusted_key_ext);
X509_EXTENSION_free(non_trusted_key_ext);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
return 0;
}
int
crypto_cert_print_fp(FILE * fp, CryptoCert cert)
{
return X509_print_fp(fp, cert->px509);
}
EAPI void
eet_identity_certificate_print(const unsigned char *certificate,
int der_length,
FILE *out)
{
#ifdef HAVE_SIGNATURE
if (!certificate || !out || der_length <= 0)
{
ERR("No certificate provided.");
return;
}
if (!emile_cipher_init()) return ;
# ifdef HAVE_GNUTLS
gnutls_datum_t datum;
gnutls_x509_crt_t cert;
/* Create an understanding certificate structure for gnutls */
datum.data = (void *)certificate;
datum.size = der_length;
if (gnutls_x509_crt_init(&cert))
goto on_error;
if (gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER))
goto on_error;
/* Pretty print the certificate */
datum.data = NULL;
datum.size = 0;
if (gnutls_x509_crt_print(cert, GNUTLS_X509_CRT_FULL, &datum))
goto on_error;
INF("Public certificate :");
INF("%s", datum.data);
on_error:
if (datum.data)
gnutls_free(datum.data);
gnutls_x509_crt_deinit(cert);
# else /* ifdef HAVE_GNUTLS */
const unsigned char *tmp;
X509 *x509;
/* Strange but d2i_X509 seems to put 0 all over the place. */
tmp = alloca(der_length);
memcpy((char *)tmp, certificate, der_length);
x509 = d2i_X509(NULL, &tmp, der_length);
if (!x509)
{
INF("Not a valid certificate.");
return;
}
INF("Public certificate :");
X509_print_fp(out, x509);
X509_free(x509);
# endif /* ifdef HAVE_GNUTLS */
#else /* ifdef HAVE_SIGNATURE */
certificate = NULL;
der_length = 0;
out = NULL;
ERR("You need to compile signature support in EET.");
#endif /* ifdef HAVE_SIGNATURE */
}
EAPI void
eet_identity_print(Eet_Key *key,
FILE *out)
{
#ifdef HAVE_SIGNATURE
# ifdef HAVE_GNUTLS
const char *names[6] = {
"Modulus",
"Public exponent",
"Private exponent",
"First prime",
"Second prime",
"Coefficient"
};
int err = 0;
gnutls_datum_t data = { NULL, 0 };
gnutls_datum_t rsa_raw[6];
size_t size = 128;
char *res = NULL;
char buf[33];
unsigned int i, j;
if (!key)
return;
if (!emile_cipher_init()) return ;
if (key->private_key)
{
if (gnutls_x509_privkey_export_rsa_raw(key->private_key,
rsa_raw + 0, /* Modulus */
rsa_raw + 1, /* Public exponent */
rsa_raw + 2, /* Private exponent */
rsa_raw + 3, /* First prime */
rsa_raw + 4, /* Second prime */
rsa_raw + 5)) /* Coefficient */
goto on_error;
if (!(res = malloc(size)))
goto on_error;
fprintf(out, "Private Key:\n");
buf[32] = '\0';
for (i = 0; i < 6; i++)
{
while ((err = gnutls_hex_encode(rsa_raw + i, res, &size)) ==
GNUTLS_E_SHORT_MEMORY_BUFFER)
{
char *temp;
size += 128;
if (!(temp = realloc(res, size)))
goto on_error;
res = temp;
}
if (err)
goto on_error;
fprintf(out, "\t%s:\n", names[i]);
for (j = 0; strlen(res) > j; j += 32)
{
snprintf(buf, 32, "%s", res + j);
fprintf(out, "\t\t%s\n", buf);
}
}
free(res);
res = NULL;
}
if (key->certificate)
{
fprintf(out, "Public certificate:\n");
if (gnutls_x509_crt_print(key->certificate, GNUTLS_X509_CRT_FULL,
&data))
goto on_error;
fprintf(out, "%s\n", data.data);
gnutls_free(data.data);
data.data = NULL;
}
on_error:
if (res)
free(res);
if (data.data)
gnutls_free(data.data);
return;
# else /* ifdef HAVE_GNUTLS */
RSA *rsa;
DSA *dsa;
DH *dh;
if (!key)
return;
if (!emile_cipher_init()) return ;
rsa = EVP_PKEY_get1_RSA(key->private_key);
if (rsa)
{
fprintf(out, "Private key (RSA):\n");
RSA_print_fp(out, rsa, 0);
}
dsa = EVP_PKEY_get1_DSA(key->private_key);
if (dsa)
{
fprintf(out, "Private key (DSA):\n");
DSA_print_fp(out, dsa, 0);
}
dh = EVP_PKEY_get1_DH(key->private_key);
if (dh)
{
fprintf(out, "Private key (DH):\n");
DHparams_print_fp(out, dh);
}
fprintf(out, "Public certificate:\n");
X509_print_fp(out, key->certificate);
# endif /* ifdef HAVE_GNUTLS */
#else /* ifdef HAVE_SIGNATURE */
key = NULL;
out = NULL;
ERR("You need to compile signature support in EET.");
#endif /* ifdef HAVE_SIGNATURE */
}
/* Creates an X509 certificate from a certificate request. */
EXPORT int IssueUserCertificate(unsigned char *certbuf, int *certlen, unsigned char *reqbuf, int reqlen)
{
X509_REQ *req = NULL;
EVP_PKEY *cakey = NULL, *rakey = NULL, *usrkey = NULL;
X509 *cacert = NULL, *racert = NULL, *usrcert = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
unsigned char *p = NULL;
int ret = OPENSSLCA_NO_ERR, len;
if (certbuf == NULL || certlen == NULL || reqbuf == NULL || reqlen == 0)
return OPENSSLCA_ERR_ARGS;
/* Decode request */
if ((req = X509_REQ_new()) == NULL) {
ret = OPENSSLCA_ERR_REQ_NEW;
goto err;
}
p = reqbuf;
if (d2i_X509_REQ(&req, &p, reqlen) == NULL) {
ret = OPENSSLCA_ERR_REQ_DECODE;
goto err;
}
/* Get public key from request */
if ((usrkey = X509_REQ_get_pubkey(req)) == NULL) {
ret = OPENSSLCA_ERR_REQ_GET_PUBKEY;
goto err;
}
if (caIni.verifyRequests) {
/* Get RA's public key */
/* TODO: Validate RA certificate */
ret = read_cert(&racert, CA_PATH(caIni.raCertFile));
if (ret != OPENSSLCA_NO_ERR)
goto err;
if ((rakey = X509_get_pubkey(racert)) == NULL) {
ret = OPENSSLCA_ERR_CERT_GET_PUBKEY;
goto err;
}
/* Verify signature on request */
if (X509_REQ_verify(req, rakey) != 1) {
ret = OPENSSLCA_ERR_REQ_VERIFY;
goto err;
}
}
/* Get CA certificate */
/* TODO: Validate CA certificate */
ret = read_cert(&cacert, CA_PATH(caIni.caCertFile));
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Get CA private key */
ret = read_key(&cakey, CA_PATH(caIni.caKeyFile), caIni.caKeyPasswd);
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Create user certificate */
if ((usrcert = X509_new()) == NULL)
return OPENSSLCA_ERR_CERT_NEW;
/* Set version and serial number for certificate */
if (X509_set_version(usrcert, 2) != 1) { /* V3 */
ret = OPENSSLCA_ERR_CERT_SET_VERSION;
goto err;
}
if (ASN1_INTEGER_set(X509_get_serialNumber(usrcert), get_serial()) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_SERIAL;
goto err;
}
/* Set duration for certificate */
if (X509_gmtime_adj(X509_get_notBefore(usrcert), 0) == NULL) {
ret = OPENSSLCA_ERR_CERT_SET_NOTBEFORE;
goto err;
}
if (X509_gmtime_adj(X509_get_notAfter(usrcert), EXPIRE_SECS(caIni.daysTillExpire)) == NULL) {
ret = OPENSSLCA_ERR_CERT_SET_NOTAFTER;
goto err;
}
/* Set public key */
if (X509_set_pubkey(usrcert, usrkey) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_PUBKEY;
goto err;
}
/* Set subject name */
subject = X509_REQ_get_subject_name(req);
if (subject == NULL) {
ret = OPENSSLCA_ERR_REQ_GET_SUBJECT;
goto err;
}
if (X509_set_subject_name(usrcert, subject) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_SUBJECT;
goto err;
}
/* Set issuer name */
issuer = X509_get_issuer_name(cacert);
if (issuer == NULL) {
ret = OPENSSLCA_ERR_CERT_GET_ISSUER;
goto err;
}
if (X509_set_issuer_name(usrcert, issuer) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_ISSUER;
goto err;
}
/* Add extensions */
ret = add_ext(cacert, usrcert);
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Sign user certificate with CA's private key */
if (!X509_sign(usrcert, cakey, EVP_sha1()))
return OPENSSLCA_ERR_CERT_SIGN;
if (caIni.verifyAfterSign) {
if (X509_verify(usrcert, cakey) != 1) {
ret = OPENSSLCA_ERR_CERT_VERIFY;
goto err;
}
}
#ifdef _DEBUG /* Output certificate in DER and PEM format */
{
FILE *fp = fopen(DBG_PATH("usrcert.der"), "wb");
if (fp != NULL) {
i2d_X509_fp(fp, usrcert);
fclose(fp);
}
fp = fopen(DBG_PATH("usrcert.pem"), "w");
if (fp != NULL) {
X509_print_fp(fp, usrcert);
PEM_write_X509(fp, usrcert);
fclose(fp);
}
}
#endif
/* Encode user certificate into DER format */
len = i2d_X509(usrcert, NULL);
if (len < 0) {
ret = OPENSSLCA_ERR_CERT_ENCODE;
goto err;
}
if (len > *certlen) {
ret = OPENSSLCA_ERR_BUF_TOO_SMALL;
goto err;
}
*certlen = len;
p = certbuf;
i2d_X509(usrcert, &p);
if (caIni.addToIndex)
add_to_index(usrcert);
if (caIni.addToNewCerts)
write_cert(usrcert);
err:
print_err("IssueUserCertificate()", ret);
/* Clean up */
if (cacert)
X509_free(cacert);
if (cakey)
EVP_PKEY_free(cakey);
if (racert)
X509_free(racert);
if (rakey)
EVP_PKEY_free(rakey);
if (req)
X509_REQ_free(req);
if (usrcert != NULL)
X509_free(usrcert);
if (usrkey)
EVP_PKEY_free(usrkey);
return ret;
}
void Certificate::print(FILE *fp)
{
X509_print_fp(fp, x);
}
void __fastcall util_printcert(struct util_cert cert)
{
if (cert.x509 == NULL) return;
X509_print_fp(stdout,cert.x509);
}
int
ssl_cert_print_fp(FILE * fp, SSL_CERT * cert)
{
return X509_print_fp(fp, cert);
}
