1 /* 2 * Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /* 8 * X509 parser based on mbed TLS 9 * 10 * This module implements functions to check the integrity of a X509v3 11 * certificate ASN.1 structure and extract authentication parameters from the 12 * extensions field, such as an image hash or a public key. 13 */ 14 15 #include <assert.h> 16 #include <stddef.h> 17 #include <stdint.h> 18 #include <string.h> 19 20 /* mbed TLS headers */ 21 #include <mbedtls/asn1.h> 22 #include <mbedtls/oid.h> 23 #include <mbedtls/platform.h> 24 25 #include <arch_helpers.h> 26 #include <drivers/auth/img_parser_mod.h> 27 #include <drivers/auth/mbedtls/mbedtls_common.h> 28 #include <lib/utils.h> 29 30 /* Maximum OID string length ("a.b.c.d.e.f ...") */ 31 #define MAX_OID_STR_LEN 64 32 33 #define LIB_NAME "mbed TLS X509v3" 34 35 /* Temporary variables to speed up the authentication parameters search. These 36 * variables are assigned once during the integrity check and used any time an 37 * authentication parameter is requested, so we do not have to parse the image 38 * again */ 39 static mbedtls_asn1_buf tbs; 40 static mbedtls_asn1_buf v3_ext; 41 static mbedtls_asn1_buf pk; 42 static mbedtls_asn1_buf sig_alg; 43 static mbedtls_asn1_buf signature; 44 45 /* 46 * Clear all static temporary variables. 47 */ 48 static void clear_temp_vars(void) 49 { 50 #define ZERO_AND_CLEAN(x) \ 51 do { \ 52 zeromem(&x, sizeof(x)); \ 53 clean_dcache_range((uintptr_t)&x, sizeof(x)); \ 54 } while (0); 55 56 ZERO_AND_CLEAN(tbs) 57 ZERO_AND_CLEAN(v3_ext); 58 ZERO_AND_CLEAN(pk); 59 ZERO_AND_CLEAN(sig_alg); 60 ZERO_AND_CLEAN(signature); 61 62 #undef ZERO_AND_CLEAN 63 } 64 65 /* 66 * Get X509v3 extension 67 * 68 * Global variable 'v3_ext' must point to the extensions region 69 * in the certificate. No need to check for errors since the image has passed 70 * the integrity check. 71 */ 72 static int get_ext(const char *oid, void **ext, unsigned int *ext_len) 73 { 74 int oid_len; 75 size_t len; 76 unsigned char *end_ext_data, *end_ext_octet; 77 unsigned char *p; 78 const unsigned char *end; 79 char oid_str[MAX_OID_STR_LEN]; 80 mbedtls_asn1_buf extn_oid; 81 int is_critical; 82 83 assert(oid != NULL); 84 85 p = v3_ext.p; 86 end = v3_ext.p + v3_ext.len; 87 88 while (p < end) { 89 zeromem(&extn_oid, sizeof(extn_oid)); 90 is_critical = 0; /* DEFAULT FALSE */ 91 92 mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 93 MBEDTLS_ASN1_SEQUENCE); 94 end_ext_data = p + len; 95 96 /* Get extension ID */ 97 extn_oid.tag = *p; 98 mbedtls_asn1_get_tag(&p, end, &extn_oid.len, MBEDTLS_ASN1_OID); 99 extn_oid.p = p; 100 p += extn_oid.len; 101 102 /* Get optional critical */ 103 mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical); 104 105 /* Extension data */ 106 mbedtls_asn1_get_tag(&p, end_ext_data, &len, 107 MBEDTLS_ASN1_OCTET_STRING); 108 end_ext_octet = p + len; 109 110 /* Detect requested extension */ 111 oid_len = mbedtls_oid_get_numeric_string(oid_str, 112 MAX_OID_STR_LEN, 113 &extn_oid); 114 if ((oid_len == MBEDTLS_ERR_OID_BUF_TOO_SMALL) || (oid_len < 0)) { 115 return IMG_PARSER_ERR; 116 } 117 if (((size_t)oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) { 118 *ext = (void *)p; 119 *ext_len = (unsigned int)len; 120 return IMG_PARSER_OK; 121 } 122 123 /* Next */ 124 p = end_ext_octet; 125 } 126 127 return IMG_PARSER_ERR_NOT_FOUND; 128 } 129 130 131 /* 132 * Check the integrity of the certificate ASN.1 structure. 133 * 134 * Extract the relevant data that will be used later during authentication. 135 * 136 * This function doesn't clear the static variables located on the top of this 137 * file in case of an error. It is only called from check_integrity(), which 138 * performs the cleanup if necessary. 139 */ 140 static int cert_parse(void *img, unsigned int img_len) 141 { 142 int ret, is_critical; 143 size_t len; 144 unsigned char *p, *end, *crt_end, *pk_end; 145 mbedtls_asn1_buf sig_alg1; 146 /* 147 * The unique ASN.1 DER encoding of [0] EXPLICIT INTEGER { v3(2} }. 148 */ 149 static const char v3[] = { 150 /* The outer CONTEXT SPECIFIC 0 tag */ 151 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0, 152 /* The number bytes used to encode the inner INTEGER */ 153 3, 154 /* The tag of the inner INTEGER */ 155 MBEDTLS_ASN1_INTEGER, 156 /* The number of bytes needed to represent 2 */ 157 1, 158 /* The actual value 2 */ 159 2, 160 }; 161 162 p = (unsigned char *)img; 163 len = img_len; 164 crt_end = p + len; 165 end = crt_end; 166 167 /* 168 * Certificate ::= SEQUENCE { 169 * tbsCertificate TBSCertificate, 170 * signatureAlgorithm AlgorithmIdentifier, 171 * signatureValue BIT STRING } 172 */ 173 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 174 MBEDTLS_ASN1_SEQUENCE); 175 if ((ret != 0) || ((p + len) != end)) { 176 return IMG_PARSER_ERR_FORMAT; 177 } 178 179 /* 180 * TBSCertificate ::= SEQUENCE { 181 */ 182 tbs.p = p; 183 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 184 MBEDTLS_ASN1_SEQUENCE); 185 if (ret != 0) { 186 return IMG_PARSER_ERR_FORMAT; 187 } 188 end = p + len; 189 tbs.len = end - tbs.p; 190 191 /* 192 * Version ::= [0] EXPLICIT INTEGER { v1(0), v2(1), v3(2) } 193 * -- only v3 accepted 194 */ 195 if (((end - p) <= (ptrdiff_t)sizeof(v3)) || 196 (memcmp(p, v3, sizeof(v3)) != 0)) { 197 return IMG_PARSER_ERR_FORMAT; 198 } 199 p += sizeof(v3); 200 201 /* 202 * CertificateSerialNumber ::= INTEGER 203 */ 204 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER); 205 if (ret != 0) { 206 return IMG_PARSER_ERR_FORMAT; 207 } 208 p += len; 209 210 /* 211 * signature AlgorithmIdentifier 212 */ 213 sig_alg1.p = p; 214 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 215 MBEDTLS_ASN1_SEQUENCE); 216 if (ret != 0) { 217 return IMG_PARSER_ERR_FORMAT; 218 } 219 sig_alg1.len = (p + len) - sig_alg1.p; 220 p += len; 221 222 /* 223 * issuer Name 224 */ 225 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 226 MBEDTLS_ASN1_SEQUENCE); 227 if (ret != 0) { 228 return IMG_PARSER_ERR_FORMAT; 229 } 230 p += len; 231 232 /* 233 * Validity ::= SEQUENCE { 234 * notBefore Time, 235 * notAfter Time } 236 * 237 */ 238 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 239 MBEDTLS_ASN1_SEQUENCE); 240 if (ret != 0) { 241 return IMG_PARSER_ERR_FORMAT; 242 } 243 p += len; 244 245 /* 246 * subject Name 247 */ 248 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 249 MBEDTLS_ASN1_SEQUENCE); 250 if (ret != 0) { 251 return IMG_PARSER_ERR_FORMAT; 252 } 253 p += len; 254 255 /* 256 * SubjectPublicKeyInfo 257 */ 258 pk.p = p; 259 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 260 MBEDTLS_ASN1_SEQUENCE); 261 if (ret != 0) { 262 return IMG_PARSER_ERR_FORMAT; 263 } 264 pk_end = p + len; 265 pk.len = pk_end - pk.p; 266 267 /* algorithm */ 268 ret = mbedtls_asn1_get_tag(&p, pk_end, &len, MBEDTLS_ASN1_CONSTRUCTED | 269 MBEDTLS_ASN1_SEQUENCE); 270 if (ret != 0) { 271 return IMG_PARSER_ERR_FORMAT; 272 } 273 p += len; 274 275 /* Key is a BIT STRING and must use all bytes in SubjectPublicKeyInfo */ 276 ret = mbedtls_asn1_get_bitstring_null(&p, pk_end, &len); 277 if ((ret != 0) || (p + len != pk_end)) { 278 return IMG_PARSER_ERR_FORMAT; 279 } 280 p = pk_end; 281 282 /* 283 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 284 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 285 * -- technically these contain BIT STRINGs but that is not worth 286 * -- validating 287 */ 288 for (int i = 1; i < 3; i++) { 289 ret = mbedtls_asn1_get_tag(&p, end, &len, 290 MBEDTLS_ASN1_CONTEXT_SPECIFIC | 291 MBEDTLS_ASN1_CONSTRUCTED | i); 292 /* 293 * Unique IDs are obsolete, so MBEDTLS_ERR_ASN1_UNEXPECTED_TAG 294 * is the common case. 295 */ 296 if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 297 if (ret != 0) { 298 return IMG_PARSER_ERR_FORMAT; 299 } 300 p += len; 301 } 302 } 303 304 /* 305 * extensions [3] EXPLICIT Extensions OPTIONAL 306 * } 307 * 308 * X.509 and RFC5280 allow omitting the extensions entirely. 309 * However, in TF-A, a certificate with no extensions would 310 * always fail later on, as the extensions contain the 311 * information needed to authenticate the next stage in the 312 * boot chain. Furthermore, get_ext() assumes that the 313 * extensions have been parsed into v3_ext, and allowing 314 * there to be no extensions would pointlessly complicate 315 * the code. Therefore, just reject certificates without 316 * extensions. This is also why version 1 and 2 certificates 317 * are rejected above. 318 */ 319 ret = mbedtls_asn1_get_tag(&p, end, &len, 320 MBEDTLS_ASN1_CONTEXT_SPECIFIC | 321 MBEDTLS_ASN1_CONSTRUCTED | 3); 322 if ((ret != 0) || (len != (size_t)(end - p))) { 323 return IMG_PARSER_ERR_FORMAT; 324 } 325 326 /* 327 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension 328 * -- must use all remaining bytes in TBSCertificate 329 */ 330 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 331 MBEDTLS_ASN1_SEQUENCE); 332 if ((ret != 0) || (len != (size_t)(end - p))) { 333 return IMG_PARSER_ERR_FORMAT; 334 } 335 v3_ext.p = p; 336 v3_ext.len = len; 337 338 /* 339 * Check extensions integrity. At least one extension is 340 * required: the ASN.1 specifies a minimum size of 1, and at 341 * least one extension is needed to authenticate the next stage 342 * in the boot chain. 343 */ 344 do { 345 unsigned char *end_ext_data; 346 347 ret = mbedtls_asn1_get_tag(&p, end, &len, 348 MBEDTLS_ASN1_CONSTRUCTED | 349 MBEDTLS_ASN1_SEQUENCE); 350 if (ret != 0) { 351 return IMG_PARSER_ERR_FORMAT; 352 } 353 end_ext_data = p + len; 354 355 /* Get extension ID */ 356 ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, MBEDTLS_ASN1_OID); 357 if (ret != 0) { 358 return IMG_PARSER_ERR_FORMAT; 359 } 360 p += len; 361 362 /* Get optional critical */ 363 ret = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical); 364 if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) { 365 return IMG_PARSER_ERR_FORMAT; 366 } 367 368 /* 369 * Data should be octet string type and must use all bytes in 370 * the Extension. 371 */ 372 ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, 373 MBEDTLS_ASN1_OCTET_STRING); 374 if ((ret != 0) || ((p + len) != end_ext_data)) { 375 return IMG_PARSER_ERR_FORMAT; 376 } 377 p = end_ext_data; 378 } while (p < end); 379 380 if (p != end) { 381 return IMG_PARSER_ERR_FORMAT; 382 } 383 384 end = crt_end; 385 386 /* 387 * } 388 * -- end of TBSCertificate 389 * 390 * signatureAlgorithm AlgorithmIdentifier 391 * -- Does not need to be parsed. Ensuring it is bitwise 392 * -- identical (including the tag!) with the first signature 393 * -- algorithm is sufficient. 394 */ 395 if ((sig_alg1.len >= (size_t)(end - p)) || 396 (0 != memcmp(sig_alg1.p, p, sig_alg1.len))) { 397 return IMG_PARSER_ERR_FORMAT; 398 } 399 p += sig_alg1.len; 400 memcpy(&sig_alg, &sig_alg1, sizeof(sig_alg)); 401 402 /* 403 * signatureValue BIT STRING 404 * } -- must consume all bytes 405 */ 406 signature.p = p; 407 ret = mbedtls_asn1_get_bitstring_null(&p, end, &len); 408 if ((ret != 0) || ((p + len) != end)) { 409 return IMG_PARSER_ERR_FORMAT; 410 } 411 signature.len = end - signature.p; 412 413 return IMG_PARSER_OK; 414 } 415 416 417 /* Exported functions */ 418 419 static void init(void) 420 { 421 mbedtls_init(); 422 } 423 424 /* 425 * Wrapper for cert_parse() that clears the static variables used by it in case 426 * of an error. 427 */ 428 static int check_integrity(void *img, unsigned int img_len) 429 { 430 int rc = cert_parse(img, img_len); 431 432 if (rc != IMG_PARSER_OK) 433 clear_temp_vars(); 434 435 return rc; 436 } 437 438 /* 439 * Extract an authentication parameter from an X509v3 certificate 440 * 441 * This function returns a pointer to the extracted data and its length. 442 * Depending on the type of parameter, a pointer to the data stored in the 443 * certificate may be returned (i.e. an octet string containing a hash). Other 444 * data may need to be copied and formatted (i.e. integers). In the later case, 445 * a buffer of the correct type needs to be statically allocated, filled and 446 * returned. 447 */ 448 static int get_auth_param(const auth_param_type_desc_t *type_desc, 449 void *img, unsigned int img_len, 450 void **param, unsigned int *param_len) 451 { 452 int rc = IMG_PARSER_OK; 453 454 /* We do not use img because the check_integrity function has already 455 * extracted the relevant data (v3_ext, pk, sig_alg, etc) */ 456 457 switch (type_desc->type) { 458 case AUTH_PARAM_RAW_DATA: 459 /* Data to be signed */ 460 *param = (void *)tbs.p; 461 *param_len = (unsigned int)tbs.len; 462 break; 463 case AUTH_PARAM_HASH: 464 case AUTH_PARAM_NV_CTR: 465 /* All these parameters are included as X509v3 extensions */ 466 rc = get_ext(type_desc->cookie, param, param_len); 467 break; 468 case AUTH_PARAM_PUB_KEY: 469 if (type_desc->cookie != NULL) { 470 /* Get public key from extension */ 471 rc = get_ext(type_desc->cookie, param, param_len); 472 } else { 473 /* Get the subject public key */ 474 *param = (void *)pk.p; 475 *param_len = (unsigned int)pk.len; 476 } 477 break; 478 case AUTH_PARAM_SIG_ALG: 479 /* Get the certificate signature algorithm */ 480 *param = (void *)sig_alg.p; 481 *param_len = (unsigned int)sig_alg.len; 482 break; 483 case AUTH_PARAM_SIG: 484 /* Get the certificate signature */ 485 *param = (void *)signature.p; 486 *param_len = (unsigned int)signature.len; 487 break; 488 default: 489 rc = IMG_PARSER_ERR_NOT_FOUND; 490 break; 491 } 492 493 return rc; 494 } 495 496 REGISTER_IMG_PARSER_LIB(IMG_CERT, LIB_NAME, init, \ 497 check_integrity, get_auth_param); 498