1 /* 2 * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /* 8 * X509 parser based on mbed TLS 9 * 10 * This module implements functions to check the integrity of a X509v3 11 * certificate ASN.1 structure and extract authentication parameters from the 12 * extensions field, such as an image hash or a public key. 13 */ 14 15 #include <assert.h> 16 #include <stddef.h> 17 #include <stdint.h> 18 #include <string.h> 19 20 /* mbed TLS headers */ 21 #include <mbedtls/asn1.h> 22 #include <mbedtls/oid.h> 23 #include <mbedtls/platform.h> 24 25 #include <arch_helpers.h> 26 #include <drivers/auth/img_parser_mod.h> 27 #include <drivers/auth/mbedtls/mbedtls_common.h> 28 #include <lib/utils.h> 29 30 /* Maximum OID string length ("a.b.c.d.e.f ...") */ 31 #define MAX_OID_STR_LEN 64 32 33 #define LIB_NAME "mbed TLS X509v3" 34 35 /* Temporary variables to speed up the authentication parameters search. These 36 * variables are assigned once during the integrity check and used any time an 37 * authentication parameter is requested, so we do not have to parse the image 38 * again */ 39 static mbedtls_asn1_buf tbs; 40 static mbedtls_asn1_buf v3_ext; 41 static mbedtls_asn1_buf pk; 42 static mbedtls_asn1_buf sig_alg; 43 static mbedtls_asn1_buf signature; 44 45 /* 46 * Clear all static temporary variables. 47 */ 48 static void clear_temp_vars(void) 49 { 50 #define ZERO_AND_CLEAN(x) \ 51 do { \ 52 zeromem(&x, sizeof(x)); \ 53 clean_dcache_range((uintptr_t)&x, sizeof(x)); \ 54 } while (0); 55 56 ZERO_AND_CLEAN(tbs) 57 ZERO_AND_CLEAN(v3_ext); 58 ZERO_AND_CLEAN(pk); 59 ZERO_AND_CLEAN(sig_alg); 60 ZERO_AND_CLEAN(signature); 61 62 #undef ZERO_AND_CLEAN 63 } 64 65 /* 66 * Get X509v3 extension 67 * 68 * Global variable 'v3_ext' must point to the extensions region 69 * in the certificate. No need to check for errors since the image has passed 70 * the integrity check. 71 */ 72 static int get_ext(const char *oid, void **ext, unsigned int *ext_len) 73 { 74 int oid_len; 75 size_t len; 76 unsigned char *end_ext_data, *end_ext_octet; 77 unsigned char *p; 78 const unsigned char *end; 79 char oid_str[MAX_OID_STR_LEN]; 80 mbedtls_asn1_buf extn_oid; 81 int is_critical; 82 83 assert(oid != NULL); 84 85 p = v3_ext.p; 86 end = v3_ext.p + v3_ext.len; 87 88 mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 89 MBEDTLS_ASN1_SEQUENCE); 90 91 while (p < end) { 92 zeromem(&extn_oid, sizeof(extn_oid)); 93 is_critical = 0; /* DEFAULT FALSE */ 94 95 mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 96 MBEDTLS_ASN1_SEQUENCE); 97 end_ext_data = p + len; 98 99 /* Get extension ID */ 100 extn_oid.tag = *p; 101 mbedtls_asn1_get_tag(&p, end, &extn_oid.len, MBEDTLS_ASN1_OID); 102 extn_oid.p = p; 103 p += extn_oid.len; 104 105 /* Get optional critical */ 106 mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical); 107 108 /* Extension data */ 109 mbedtls_asn1_get_tag(&p, end_ext_data, &len, 110 MBEDTLS_ASN1_OCTET_STRING); 111 end_ext_octet = p + len; 112 113 /* Detect requested extension */ 114 oid_len = mbedtls_oid_get_numeric_string(oid_str, 115 MAX_OID_STR_LEN, 116 &extn_oid); 117 if ((oid_len == MBEDTLS_ERR_OID_BUF_TOO_SMALL) || (oid_len < 0)) { 118 return IMG_PARSER_ERR; 119 } 120 if (((size_t)oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) { 121 *ext = (void *)p; 122 *ext_len = (unsigned int)len; 123 return IMG_PARSER_OK; 124 } 125 126 /* Next */ 127 p = end_ext_octet; 128 } 129 130 return IMG_PARSER_ERR_NOT_FOUND; 131 } 132 133 134 /* 135 * Check the integrity of the certificate ASN.1 structure. 136 * 137 * Extract the relevant data that will be used later during authentication. 138 * 139 * This function doesn't clear the static variables located on the top of this 140 * file in case of an error. It is only called from check_integrity(), which 141 * performs the cleanup if necessary. 142 */ 143 static int cert_parse(void *img, unsigned int img_len) 144 { 145 int ret, is_critical; 146 size_t len; 147 unsigned char *p, *end, *crt_end; 148 mbedtls_asn1_buf sig_alg1, sig_alg2; 149 /* 150 * The unique ASN.1 DER encoding of [0] EXPLICIT INTEGER { v3(2} }. 151 */ 152 static const char v3[] = { 153 /* The outer CONTEXT SPECIFIC 0 tag */ 154 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0, 155 /* The number bytes used to encode the inner INTEGER */ 156 3, 157 /* The tag of the inner INTEGER */ 158 MBEDTLS_ASN1_INTEGER, 159 /* The number of bytes needed to represent 2 */ 160 1, 161 /* The actual value 2 */ 162 2, 163 }; 164 165 p = (unsigned char *)img; 166 len = img_len; 167 end = p + len; 168 169 /* 170 * Certificate ::= SEQUENCE { 171 * tbsCertificate TBSCertificate, 172 * signatureAlgorithm AlgorithmIdentifier, 173 * signatureValue BIT STRING } 174 */ 175 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 176 MBEDTLS_ASN1_SEQUENCE); 177 if (ret != 0) { 178 return IMG_PARSER_ERR_FORMAT; 179 } 180 181 if (len > (size_t)(end - p)) { 182 return IMG_PARSER_ERR_FORMAT; 183 } 184 crt_end = p + len; 185 186 /* 187 * TBSCertificate ::= SEQUENCE { 188 */ 189 tbs.p = p; 190 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 191 MBEDTLS_ASN1_SEQUENCE); 192 if (ret != 0) { 193 return IMG_PARSER_ERR_FORMAT; 194 } 195 end = p + len; 196 tbs.len = end - tbs.p; 197 198 /* 199 * Version ::= [0] EXPLICIT INTEGER { v1(0), v2(1), v3(2) } 200 * -- only v3 accepted 201 */ 202 if (((end - p) <= (ptrdiff_t)sizeof(v3)) || 203 (memcmp(p, v3, sizeof(v3)) != 0)) { 204 return IMG_PARSER_ERR_FORMAT; 205 } 206 p += sizeof(v3); 207 208 /* 209 * CertificateSerialNumber ::= INTEGER 210 */ 211 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER); 212 if (ret != 0) { 213 return IMG_PARSER_ERR_FORMAT; 214 } 215 p += len; 216 217 /* 218 * signature AlgorithmIdentifier 219 */ 220 sig_alg1.p = p; 221 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 222 MBEDTLS_ASN1_SEQUENCE); 223 if (ret != 0) { 224 return IMG_PARSER_ERR_FORMAT; 225 } 226 if ((end - p) < 1) { 227 return IMG_PARSER_ERR_FORMAT; 228 } 229 sig_alg1.len = (p + len) - sig_alg1.p; 230 p += len; 231 232 /* 233 * issuer Name 234 */ 235 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 236 MBEDTLS_ASN1_SEQUENCE); 237 if (ret != 0) { 238 return IMG_PARSER_ERR_FORMAT; 239 } 240 p += len; 241 242 /* 243 * Validity ::= SEQUENCE { 244 * notBefore Time, 245 * notAfter Time } 246 * 247 */ 248 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 249 MBEDTLS_ASN1_SEQUENCE); 250 if (ret != 0) { 251 return IMG_PARSER_ERR_FORMAT; 252 } 253 p += len; 254 255 /* 256 * subject Name 257 */ 258 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 259 MBEDTLS_ASN1_SEQUENCE); 260 if (ret != 0) { 261 return IMG_PARSER_ERR_FORMAT; 262 } 263 p += len; 264 265 /* 266 * SubjectPublicKeyInfo 267 */ 268 pk.p = p; 269 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 270 MBEDTLS_ASN1_SEQUENCE); 271 if (ret != 0) { 272 return IMG_PARSER_ERR_FORMAT; 273 } 274 pk.len = (p + len) - pk.p; 275 p += len; 276 277 /* 278 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 279 */ 280 ret = mbedtls_asn1_get_tag(&p, end, &len, 281 MBEDTLS_ASN1_CONTEXT_SPECIFIC | 282 MBEDTLS_ASN1_CONSTRUCTED | 1); 283 if (ret != 0) { 284 if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 285 return IMG_PARSER_ERR_FORMAT; 286 } 287 } else { 288 p += len; 289 } 290 291 /* 292 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 293 */ 294 ret = mbedtls_asn1_get_tag(&p, end, &len, 295 MBEDTLS_ASN1_CONTEXT_SPECIFIC | 296 MBEDTLS_ASN1_CONSTRUCTED | 2); 297 if (ret != 0) { 298 if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 299 return IMG_PARSER_ERR_FORMAT; 300 } 301 } else { 302 p += len; 303 } 304 305 /* 306 * extensions [3] EXPLICIT Extensions OPTIONAL 307 * } 308 * 309 * X.509 and RFC5280 allow omitting the extensions entirely. 310 * However, in TF-A, a certificate with no extensions would 311 * always fail later on, as the extensions contain the 312 * information needed to authenticate the next stage in the 313 * boot chain. Furthermore, get_ext() assumes that the 314 * extensions have been parsed into v3_ext, and allowing 315 * there to be no extensions would pointlessly complicate 316 * the code. Therefore, just reject certificates without 317 * extensions. This is also why version 1 and 2 certificates 318 * are rejected above. 319 */ 320 ret = mbedtls_asn1_get_tag(&p, end, &len, 321 MBEDTLS_ASN1_CONTEXT_SPECIFIC | 322 MBEDTLS_ASN1_CONSTRUCTED | 3); 323 if ((ret != 0) || (len != (size_t)(end - p))) { 324 return IMG_PARSER_ERR_FORMAT; 325 } 326 327 /* 328 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension 329 * -- must use all remaining bytes in TBSCertificate 330 */ 331 v3_ext.p = p; 332 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 333 MBEDTLS_ASN1_SEQUENCE); 334 if ((ret != 0) || (len != (size_t)(end - p))) { 335 return IMG_PARSER_ERR_FORMAT; 336 } 337 v3_ext.len = end - v3_ext.p; 338 339 /* 340 * Check extensions integrity. At least one extension is 341 * required: the ASN.1 specifies a minimum size of 1, and at 342 * least one extension is needed to authenticate the next stage 343 * in the boot chain. 344 */ 345 do { 346 ret = mbedtls_asn1_get_tag(&p, end, &len, 347 MBEDTLS_ASN1_CONSTRUCTED | 348 MBEDTLS_ASN1_SEQUENCE); 349 if (ret != 0) { 350 return IMG_PARSER_ERR_FORMAT; 351 } 352 353 /* Get extension ID */ 354 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID); 355 if (ret != 0) { 356 return IMG_PARSER_ERR_FORMAT; 357 } 358 p += len; 359 360 /* Get optional critical */ 361 ret = mbedtls_asn1_get_bool(&p, end, &is_critical); 362 if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) { 363 return IMG_PARSER_ERR_FORMAT; 364 } 365 366 /* Data should be octet string type */ 367 ret = mbedtls_asn1_get_tag(&p, end, &len, 368 MBEDTLS_ASN1_OCTET_STRING); 369 if (ret != 0) { 370 return IMG_PARSER_ERR_FORMAT; 371 } 372 p += len; 373 } while (p < end); 374 375 if (p != end) { 376 return IMG_PARSER_ERR_FORMAT; 377 } 378 379 end = crt_end; 380 381 /* 382 * } 383 * -- end of TBSCertificate 384 * 385 * signatureAlgorithm AlgorithmIdentifier 386 */ 387 sig_alg2.p = p; 388 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 389 MBEDTLS_ASN1_SEQUENCE); 390 if (ret != 0) { 391 return IMG_PARSER_ERR_FORMAT; 392 } 393 if ((end - p) < 1) { 394 return IMG_PARSER_ERR_FORMAT; 395 } 396 sig_alg2.len = (p + len) - sig_alg2.p; 397 p += len; 398 399 /* Compare both signature algorithms */ 400 if (sig_alg1.len != sig_alg2.len) { 401 return IMG_PARSER_ERR_FORMAT; 402 } 403 if (0 != memcmp(sig_alg1.p, sig_alg2.p, sig_alg1.len)) { 404 return IMG_PARSER_ERR_FORMAT; 405 } 406 memcpy(&sig_alg, &sig_alg1, sizeof(sig_alg)); 407 408 /* 409 * signatureValue BIT STRING 410 */ 411 signature.p = p; 412 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING); 413 if (ret != 0) { 414 return IMG_PARSER_ERR_FORMAT; 415 } 416 signature.len = (p + len) - signature.p; 417 p += len; 418 419 /* Check certificate length */ 420 if (p != end) { 421 return IMG_PARSER_ERR_FORMAT; 422 } 423 424 return IMG_PARSER_OK; 425 } 426 427 428 /* Exported functions */ 429 430 static void init(void) 431 { 432 mbedtls_init(); 433 } 434 435 /* 436 * Wrapper for cert_parse() that clears the static variables used by it in case 437 * of an error. 438 */ 439 static int check_integrity(void *img, unsigned int img_len) 440 { 441 int rc = cert_parse(img, img_len); 442 443 if (rc != IMG_PARSER_OK) 444 clear_temp_vars(); 445 446 return rc; 447 } 448 449 /* 450 * Extract an authentication parameter from an X509v3 certificate 451 * 452 * This function returns a pointer to the extracted data and its length. 453 * Depending on the type of parameter, a pointer to the data stored in the 454 * certificate may be returned (i.e. an octet string containing a hash). Other 455 * data may need to be copied and formatted (i.e. integers). In the later case, 456 * a buffer of the correct type needs to be statically allocated, filled and 457 * returned. 458 */ 459 static int get_auth_param(const auth_param_type_desc_t *type_desc, 460 void *img, unsigned int img_len, 461 void **param, unsigned int *param_len) 462 { 463 int rc = IMG_PARSER_OK; 464 465 /* We do not use img because the check_integrity function has already 466 * extracted the relevant data (v3_ext, pk, sig_alg, etc) */ 467 468 switch (type_desc->type) { 469 case AUTH_PARAM_RAW_DATA: 470 /* Data to be signed */ 471 *param = (void *)tbs.p; 472 *param_len = (unsigned int)tbs.len; 473 break; 474 case AUTH_PARAM_HASH: 475 case AUTH_PARAM_NV_CTR: 476 /* All these parameters are included as X509v3 extensions */ 477 rc = get_ext(type_desc->cookie, param, param_len); 478 break; 479 case AUTH_PARAM_PUB_KEY: 480 if (type_desc->cookie != 0) { 481 /* Get public key from extension */ 482 rc = get_ext(type_desc->cookie, param, param_len); 483 } else { 484 /* Get the subject public key */ 485 *param = (void *)pk.p; 486 *param_len = (unsigned int)pk.len; 487 } 488 break; 489 case AUTH_PARAM_SIG_ALG: 490 /* Get the certificate signature algorithm */ 491 *param = (void *)sig_alg.p; 492 *param_len = (unsigned int)sig_alg.len; 493 break; 494 case AUTH_PARAM_SIG: 495 /* Get the certificate signature */ 496 *param = (void *)signature.p; 497 *param_len = (unsigned int)signature.len; 498 break; 499 default: 500 rc = IMG_PARSER_ERR_NOT_FOUND; 501 break; 502 } 503 504 return rc; 505 } 506 507 REGISTER_IMG_PARSER_LIB(IMG_CERT, LIB_NAME, init, \ 508 check_integrity, get_auth_param); 509