xref: /rk3399_ARM-atf/tools/cert_create/src/ext.c (revision 015240d9d35c88d4f5c2845e8b8bfceb6d25dd9d) 
1 /*
2  * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <stddef.h>
8 #include <stdio.h>
9 #include <string.h>
10 #include <openssl/asn1.h>
11 #include <openssl/asn1t.h>
12 #include <openssl/err.h>
13 #include <openssl/x509v3.h>
14 
15 #include "cmd_opt.h"
16 #include "ext.h"
17 
18 DECLARE_ASN1_ITEM(ASN1_INTEGER)
19 DECLARE_ASN1_ITEM(X509_ALGOR)
20 DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
21 
22 typedef struct {
23 	X509_ALGOR *hashAlgorithm;
24 	ASN1_OCTET_STRING *dataHash;
25 } HASH;
26 
27 ASN1_SEQUENCE(HASH) = {
28 	ASN1_SIMPLE(HASH, hashAlgorithm, X509_ALGOR),
29 	ASN1_SIMPLE(HASH, dataHash, ASN1_OCTET_STRING),
30 } ASN1_SEQUENCE_END(HASH)
31 
32 DECLARE_ASN1_FUNCTIONS(HASH)
33 IMPLEMENT_ASN1_FUNCTIONS(HASH)
34 
35 /*
36  * This function adds the CoT extensions to the internal extension list
37  * maintained by OpenSSL so they can be used later.
38  *
39  * It also initializes the methods to print the contents of the extension. If an
40  * alias is specified in the CoT extension, we reuse the methods of the alias.
41  * Otherwise, only methods for V_ASN1_INTEGER and V_ASN1_OCTET_STRING are
42  * provided. Any other type will be printed as a raw ascii string.
43  *
44  * Return: 0 = success, Otherwise: error
45  */
46 int ext_init(void)
47 {
48 	cmd_opt_t cmd_opt;
49 	ext_t *ext;
50 	X509V3_EXT_METHOD *m;
51 	int nid, ret;
52 	unsigned int i;
53 
54 	for (i = 0; i < num_extensions; i++) {
55 		ext = &extensions[i];
56 		/* Register command line option */
57 		if (ext->opt) {
58 			cmd_opt.long_opt.name = ext->opt;
59 			cmd_opt.long_opt.has_arg = required_argument;
60 			cmd_opt.long_opt.flag = NULL;
61 			cmd_opt.long_opt.val = CMD_OPT_EXT;
62 			cmd_opt.help_msg = ext->help_msg;
63 			cmd_opt_add(&cmd_opt);
64 		}
65 		/* Register the extension OID in OpenSSL */
66 		if (ext->oid == NULL) {
67 			continue;
68 		}
69 		nid = OBJ_create(ext->oid, ext->sn, ext->ln);
70 		if (ext->alias) {
71 			X509V3_EXT_add_alias(nid, ext->alias);
72 		} else {
73 			m = &ext->method;
74 			memset(m, 0x0, sizeof(X509V3_EXT_METHOD));
75 			switch (ext->asn1_type) {
76 			case V_ASN1_INTEGER:
77 				m->it = ASN1_ITEM_ref(ASN1_INTEGER);
78 				m->i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER;
79 				m->s2i = (X509V3_EXT_S2I)s2i_ASN1_INTEGER;
80 				break;
81 			case V_ASN1_OCTET_STRING:
82 				m->it = ASN1_ITEM_ref(ASN1_OCTET_STRING);
83 				m->i2s = (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING;
84 				m->s2i = (X509V3_EXT_S2I)s2i_ASN1_OCTET_STRING;
85 				break;
86 			default:
87 				continue;
88 			}
89 			m->ext_nid = nid;
90 			ret = X509V3_EXT_add(m);
91 			if (!ret) {
92 				ERR_print_errors_fp(stdout);
93 				return 1;
94 			}
95 		}
96 	}
97 	return 0;
98 }
99 
100 /*
101  * Create a new extension
102  *
103  * Extension  ::=  SEQUENCE  {
104  *      id          OBJECT IDENTIFIER,
105  *      critical    BOOLEAN DEFAULT FALSE,
106  *      value       OCTET STRING  }
107  *
108  * Parameters:
109  *   pex: OpenSSL extension pointer (output parameter)
110  *   nid: extension identifier
111  *   crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
112  *   data: extension data. This data will be encapsulated in an Octet String
113  *
114  * Return: Extension address, NULL if error
115  */
116 static
117 X509_EXTENSION *ext_new(int nid, int crit, unsigned char *data, int len)
118 {
119 	X509_EXTENSION *ex;
120 	ASN1_OCTET_STRING *ext_data;
121 
122 	/* Octet string containing the extension data */
123 	ext_data = ASN1_OCTET_STRING_new();
124 	ASN1_OCTET_STRING_set(ext_data, data, len);
125 
126 	/* Create the extension */
127 	ex = X509_EXTENSION_create_by_NID(NULL, nid, crit, ext_data);
128 
129 	/* The extension makes a copy of the data, so we can free this object */
130 	ASN1_OCTET_STRING_free(ext_data);
131 
132 	return ex;
133 }
134 
135 /*
136  * Creates a x509v3 extension containing a hash
137  *
138  * DigestInfo ::= SEQUENCE {
139  *     digestAlgorithm  AlgorithmIdentifier,
140  *     digest           OCTET STRING
141  * }
142  *
143  * AlgorithmIdentifier ::=  SEQUENCE  {
144  *     algorithm        OBJECT IDENTIFIER,
145  *     parameters       ANY DEFINED BY algorithm OPTIONAL
146  * }
147  *
148  * Parameters:
149  *   nid: extension identifier
150  *   crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
151  *   md: hash algorithm
152  *   buf: pointer to the buffer that contains the hash
153  *   len: size of the hash in bytes
154  *
155  * Return: Extension address, NULL if error
156  */
157 X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
158 		unsigned char *buf, size_t len)
159 {
160 	X509_EXTENSION *ex;
161 	HASH *hash;
162 	ASN1_OBJECT *algorithm;
163 	unsigned char *p = NULL;
164 	int sz;
165 
166 	/* HASH structure containing algorithm + hash */
167 	hash = HASH_new();
168 	if (hash == NULL) {
169 		return NULL;
170 	}
171 
172 	/* OBJECT_IDENTIFIER with hash algorithm */
173 	algorithm = OBJ_nid2obj(EVP_MD_type(md));
174 	if (algorithm == NULL) {
175 		HASH_free(hash);
176 		return NULL;
177 	}
178 
179 	/* Create X509_ALGOR */
180 	hash->hashAlgorithm->algorithm = algorithm;
181 	hash->hashAlgorithm->parameter = ASN1_TYPE_new();
182 	ASN1_TYPE_set(hash->hashAlgorithm->parameter, V_ASN1_NULL, NULL);
183 
184 	/* OCTET_STRING with the actual hash */
185 	ASN1_OCTET_STRING_set(hash->dataHash, buf, len);
186 
187 	/* DER encoded HASH */
188 	sz = i2d_HASH(hash, &p);
189 	if ((sz <= 0) || (p == NULL)) {
190 		HASH_free(hash);
191 		return NULL;
192 	}
193 
194 	/* Create the extension */
195 	ex = ext_new(nid, crit, p, sz);
196 
197 	/* Clean up */
198 	OPENSSL_free(p);
199 	HASH_free(hash);
200 
201 	return ex;
202 }
203 
204 /*
205  * Creates a x509v3 extension containing a nvcounter encapsulated in an ASN1
206  * Integer
207  *
208  * Parameters:
209  *   pex: OpenSSL extension pointer (output parameter)
210  *   nid: extension identifier
211  *   crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
212  *   value: nvcounter value
213  *
214  * Return: Extension address, NULL if error
215  */
216 X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value)
217 {
218 	X509_EXTENSION *ex;
219 	ASN1_INTEGER *counter;
220 	unsigned char *p = NULL;
221 	int sz;
222 
223 	/* Encode counter */
224 	counter = ASN1_INTEGER_new();
225 	ASN1_INTEGER_set(counter, value);
226 	sz = i2d_ASN1_INTEGER(counter, &p);
227 
228 	/* Create the extension */
229 	ex = ext_new(nid, crit, p, sz);
230 
231 	/* Free objects */
232 	OPENSSL_free(p);
233 	ASN1_INTEGER_free(counter);
234 
235 	return ex;
236 }
237 
238 /*
239  * Creates a x509v3 extension containing a public key in DER format:
240  *
241  *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
242  *       algorithm            AlgorithmIdentifier,
243  *       subjectPublicKey     BIT STRING }
244  *
245  * Parameters:
246  *   pex: OpenSSL extension pointer (output parameter)
247  *   nid: extension identifier
248  *   crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
249  *   k: key
250  *
251  * Return: Extension address, NULL if error
252  */
253 X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k)
254 {
255 	X509_EXTENSION *ex;
256 	unsigned char *p;
257 	int sz;
258 
259 	/* Encode key */
260 	BIO *mem = BIO_new(BIO_s_mem());
261 	if (i2d_PUBKEY_bio(mem, k) <= 0) {
262 		ERR_print_errors_fp(stderr);
263 		return NULL;
264 	}
265 	p = (unsigned char *)OPENSSL_malloc(4096);
266 	sz = BIO_read(mem, p, 4096);
267 
268 	/* Create the extension */
269 	ex = ext_new(nid, crit, p, sz);
270 
271 	/* Clean up */
272 	BIO_free(mem);
273 	OPENSSL_free(p);
274 
275 	return ex;
276 }
277 
278 ext_t *ext_get_by_opt(const char *opt)
279 {
280 	ext_t *ext;
281 	unsigned int i;
282 
283 	/* Sequential search. This is not a performance concern since the number
284 	 * of extensions is bounded and the code runs on a host machine */
285 	for (i = 0; i < num_extensions; i++) {
286 		ext = &extensions[i];
287 		if (ext->opt && !strcmp(ext->opt, opt)) {
288 			return ext;
289 		}
290 	}
291 
292 	return NULL;
293 }
294