xref: /rk3399_ARM-atf/tools/cert_create/src/cert.c (revision 159807e2faa50a2940f09d57dfa6132220508cce) 
16f971622SJuan Castillo /*
26f971622SJuan Castillo  * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
36f971622SJuan Castillo  *
46f971622SJuan Castillo  * Redistribution and use in source and binary forms, with or without
56f971622SJuan Castillo  * modification, are permitted provided that the following conditions are met:
66f971622SJuan Castillo  *
76f971622SJuan Castillo  * Redistributions of source code must retain the above copyright notice, this
86f971622SJuan Castillo  * list of conditions and the following disclaimer.
96f971622SJuan Castillo  *
106f971622SJuan Castillo  * Redistributions in binary form must reproduce the above copyright notice,
116f971622SJuan Castillo  * this list of conditions and the following disclaimer in the documentation
126f971622SJuan Castillo  * and/or other materials provided with the distribution.
136f971622SJuan Castillo  *
146f971622SJuan Castillo  * Neither the name of ARM nor the names of its contributors may be used
156f971622SJuan Castillo  * to endorse or promote products derived from this software without specific
166f971622SJuan Castillo  * prior written permission.
176f971622SJuan Castillo  *
186f971622SJuan Castillo  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
196f971622SJuan Castillo  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
206f971622SJuan Castillo  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
216f971622SJuan Castillo  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
226f971622SJuan Castillo  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
236f971622SJuan Castillo  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
246f971622SJuan Castillo  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
256f971622SJuan Castillo  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
266f971622SJuan Castillo  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
276f971622SJuan Castillo  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
286f971622SJuan Castillo  * POSSIBILITY OF SUCH DAMAGE.
296f971622SJuan Castillo  */
306f971622SJuan Castillo 
316f971622SJuan Castillo #include <stdio.h>
326f971622SJuan Castillo #include <stdlib.h>
336f971622SJuan Castillo #include <string.h>
346f971622SJuan Castillo 
356f971622SJuan Castillo #include <openssl/conf.h>
366f971622SJuan Castillo #include <openssl/err.h>
376f971622SJuan Castillo #include <openssl/pem.h>
386f971622SJuan Castillo #include <openssl/sha.h>
396f971622SJuan Castillo #include <openssl/x509v3.h>
406f971622SJuan Castillo 
416f971622SJuan Castillo #include "cert.h"
42ad2c1a9aSJuan Castillo #include "cmd_opt.h"
436f971622SJuan Castillo #include "debug.h"
446f971622SJuan Castillo #include "key.h"
456f971622SJuan Castillo #include "platform_oid.h"
466f971622SJuan Castillo #include "sha.h"
476f971622SJuan Castillo 
486f971622SJuan Castillo #define SERIAL_RAND_BITS	64
496f971622SJuan Castillo 
506f971622SJuan Castillo int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
516f971622SJuan Castillo {
526f971622SJuan Castillo 	BIGNUM *btmp;
536f971622SJuan Castillo 	int ret = 0;
546f971622SJuan Castillo 	if (b)
556f971622SJuan Castillo 		btmp = b;
566f971622SJuan Castillo 	else
576f971622SJuan Castillo 		btmp = BN_new();
586f971622SJuan Castillo 
596f971622SJuan Castillo 	if (!btmp)
606f971622SJuan Castillo 		return 0;
616f971622SJuan Castillo 
626f971622SJuan Castillo 	if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
636f971622SJuan Castillo 		goto error;
646f971622SJuan Castillo 	if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
656f971622SJuan Castillo 		goto error;
666f971622SJuan Castillo 
676f971622SJuan Castillo 	ret = 1;
686f971622SJuan Castillo 
696f971622SJuan Castillo error:
706f971622SJuan Castillo 
716f971622SJuan Castillo 	if (!b)
726f971622SJuan Castillo 		BN_free(btmp);
736f971622SJuan Castillo 
746f971622SJuan Castillo 	return ret;
756f971622SJuan Castillo }
766f971622SJuan Castillo 
776f971622SJuan Castillo int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
786f971622SJuan Castillo {
796f971622SJuan Castillo 	X509_EXTENSION *ex;
806f971622SJuan Castillo 	X509V3_CTX ctx;
816f971622SJuan Castillo 
826f971622SJuan Castillo 	/* No configuration database */
836f971622SJuan Castillo 	X509V3_set_ctx_nodb(&ctx);
846f971622SJuan Castillo 
856f971622SJuan Castillo 	/* Set issuer and subject certificates in the context */
866f971622SJuan Castillo 	X509V3_set_ctx(&ctx, issuer, subject, NULL, NULL, 0);
876f971622SJuan Castillo 	ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
886f971622SJuan Castillo 	if (!ex) {
896f971622SJuan Castillo 		ERR_print_errors_fp(stdout);
906f971622SJuan Castillo 		return 0;
916f971622SJuan Castillo 	}
926f971622SJuan Castillo 
936f971622SJuan Castillo 	X509_add_ext(subject, ex, -1);
946f971622SJuan Castillo 	X509_EXTENSION_free(ex);
956f971622SJuan Castillo 
966f971622SJuan Castillo 	return 1;
976f971622SJuan Castillo }
986f971622SJuan Castillo 
996f971622SJuan Castillo 
1006f971622SJuan Castillo int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
1016f971622SJuan Castillo {
10255e291a4SJuan Castillo 	EVP_PKEY *pkey = keys[cert->key].key;
10355e291a4SJuan Castillo 	cert_t *issuer_cert = &certs[cert->issuer];
10455e291a4SJuan Castillo 	EVP_PKEY *ikey = keys[issuer_cert->key].key;
10555e291a4SJuan Castillo 	X509 *issuer = issuer_cert->x;
1066f971622SJuan Castillo 	X509 *x = NULL;
1076f971622SJuan Castillo 	X509_EXTENSION *ex = NULL;
1086f971622SJuan Castillo 	X509_NAME *name = NULL;
1096f971622SJuan Castillo 	ASN1_INTEGER *sno = NULL;
1106f971622SJuan Castillo 	int i, num;
1116f971622SJuan Castillo 
1126f971622SJuan Castillo 	/* Create the certificate structure */
1136f971622SJuan Castillo 	x = X509_new();
1146f971622SJuan Castillo 	if (!x) {
1156f971622SJuan Castillo 		return 0;
1166f971622SJuan Castillo 	}
1176f971622SJuan Castillo 
1186f971622SJuan Castillo 	/* If we do not have a key, use the issuer key (the certificate will
1196f971622SJuan Castillo 	 * become self signed). This happens in content certificates. */
1206f971622SJuan Castillo 	if (!pkey) {
1216f971622SJuan Castillo 		pkey = ikey;
1226f971622SJuan Castillo 	}
1236f971622SJuan Castillo 
1246f971622SJuan Castillo 	/* If we do not have an issuer certificate, use our own (the certificate
1256f971622SJuan Castillo 	 * will become self signed) */
1266f971622SJuan Castillo 	if (!issuer) {
1276f971622SJuan Castillo 		issuer = x;
1286f971622SJuan Castillo 	}
1296f971622SJuan Castillo 
1306f971622SJuan Castillo 	/* x509.v3 */
1316f971622SJuan Castillo 	X509_set_version(x, 2);
1326f971622SJuan Castillo 
1336f971622SJuan Castillo 	/* Random serial number */
1346f971622SJuan Castillo 	sno = ASN1_INTEGER_new();
1356f971622SJuan Castillo 	rand_serial(NULL, sno);
1366f971622SJuan Castillo 	X509_set_serialNumber(x, sno);
1376f971622SJuan Castillo 	ASN1_INTEGER_free(sno);
1386f971622SJuan Castillo 
1396f971622SJuan Castillo 	X509_gmtime_adj(X509_get_notBefore(x), 0);
1406f971622SJuan Castillo 	X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*days);
1416f971622SJuan Castillo 	X509_set_pubkey(x, pkey);
1426f971622SJuan Castillo 
1436f971622SJuan Castillo 	/* Subject name */
1446f971622SJuan Castillo 	name = X509_get_subject_name(x);
1456f971622SJuan Castillo 	X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
1466f971622SJuan Castillo 			(const unsigned char *)cert->cn, -1, -1, 0);
1476f971622SJuan Castillo 	X509_set_subject_name(x, name);
1486f971622SJuan Castillo 
1496f971622SJuan Castillo 	/* Issuer name */
1506f971622SJuan Castillo 	name = X509_get_issuer_name(x);
1516f971622SJuan Castillo 	X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
15255e291a4SJuan Castillo 			(const unsigned char *)issuer_cert->cn, -1, -1, 0);
1536f971622SJuan Castillo 	X509_set_issuer_name(x, name);
1546f971622SJuan Castillo 
1556f971622SJuan Castillo 	/* Add various extensions: standard extensions */
1566f971622SJuan Castillo 	cert_add_ext(issuer, x, NID_subject_key_identifier, "hash");
1576f971622SJuan Castillo 	cert_add_ext(issuer, x, NID_authority_key_identifier, "keyid:always");
1586f971622SJuan Castillo 	if (ca) {
1596f971622SJuan Castillo 		cert_add_ext(issuer, x, NID_basic_constraints, "CA:TRUE");
1606f971622SJuan Castillo 		cert_add_ext(issuer, x, NID_key_usage, "keyCertSign");
1616f971622SJuan Castillo 	} else {
1626f971622SJuan Castillo 		cert_add_ext(issuer, x, NID_basic_constraints, "CA:FALSE");
1636f971622SJuan Castillo 	}
1646f971622SJuan Castillo 
1656f971622SJuan Castillo 	/* Add custom extensions */
1666f971622SJuan Castillo 	if (sk != NULL) {
1676f971622SJuan Castillo 		num = sk_X509_EXTENSION_num(sk);
1686f971622SJuan Castillo 		for (i = 0; i < num; i++) {
1696f971622SJuan Castillo 			ex = sk_X509_EXTENSION_value(sk, i);
1706f971622SJuan Castillo 			X509_add_ext(x, ex, -1);
1716f971622SJuan Castillo 		}
1726f971622SJuan Castillo 	}
1736f971622SJuan Castillo 
1746f971622SJuan Castillo 	/* Sign the certificate with the issuer key */
175ea4ec3aaSJuan Castillo 	if (!X509_sign(x, ikey, EVP_sha256())) {
1766f971622SJuan Castillo 		ERR_print_errors_fp(stdout);
1776f971622SJuan Castillo 		return 0;
1786f971622SJuan Castillo 	}
1796f971622SJuan Castillo 
1806f971622SJuan Castillo 	cert->x = x;
1816f971622SJuan Castillo 	return 1;
1826f971622SJuan Castillo }
183ad2c1a9aSJuan Castillo 
184ad2c1a9aSJuan Castillo int cert_init(void)
185ad2c1a9aSJuan Castillo {
186*159807e2SJuan Castillo 	cmd_opt_t cmd_opt;
187ad2c1a9aSJuan Castillo 	cert_t *cert;
188ad2c1a9aSJuan Castillo 	unsigned int i;
189ad2c1a9aSJuan Castillo 
190ad2c1a9aSJuan Castillo 	for (i = 0; i < num_certs; i++) {
191ad2c1a9aSJuan Castillo 		cert = &certs[i];
192*159807e2SJuan Castillo 		cmd_opt.long_opt.name = cert->opt;
193*159807e2SJuan Castillo 		cmd_opt.long_opt.has_arg = required_argument;
194*159807e2SJuan Castillo 		cmd_opt.long_opt.flag = NULL;
195*159807e2SJuan Castillo 		cmd_opt.long_opt.val = CMD_OPT_CERT;
196*159807e2SJuan Castillo 		cmd_opt.help_msg = cert->help_msg;
197*159807e2SJuan Castillo 		cmd_opt_add(&cmd_opt);
198ad2c1a9aSJuan Castillo 	}
199ad2c1a9aSJuan Castillo 
200*159807e2SJuan Castillo 	return 0;
201ad2c1a9aSJuan Castillo }
202ad2c1a9aSJuan Castillo 
203ad2c1a9aSJuan Castillo cert_t *cert_get_by_opt(const char *opt)
204ad2c1a9aSJuan Castillo {
205ad2c1a9aSJuan Castillo 	cert_t *cert = NULL;
206ad2c1a9aSJuan Castillo 	unsigned int i;
207ad2c1a9aSJuan Castillo 
208ad2c1a9aSJuan Castillo 	for (i = 0; i < num_certs; i++) {
209ad2c1a9aSJuan Castillo 		cert = &certs[i];
210ad2c1a9aSJuan Castillo 		if (0 == strcmp(cert->opt, opt)) {
211ad2c1a9aSJuan Castillo 			return cert;
212ad2c1a9aSJuan Castillo 		}
213ad2c1a9aSJuan Castillo 	}
214ad2c1a9aSJuan Castillo 
215ad2c1a9aSJuan Castillo 	return NULL;
216ad2c1a9aSJuan Castillo }
217