xref: /rk3399_ARM-atf/tools/cert_create/src/key.c (revision ea6f8452f6eb561a0fa96a712da93fcdba40cd9c) 
1 /*
2  * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <getopt.h>
8 #include <stdio.h>
9 #include <stdlib.h>
10 #include <string.h>
11 
12 #include <openssl/conf.h>
13 #include <openssl/evp.h>
14 #include <openssl/pem.h>
15 
16 #include "cert.h"
17 #include "cmd_opt.h"
18 #include "debug.h"
19 #include "key.h"
20 #include "sha.h"
21 
22 #define MAX_FILENAME_LEN		1024
23 
24 key_t *keys;
25 unsigned int num_keys;
26 
27 #if !USING_OPENSSL3
28 /*
29  * Create a new key container
30  */
31 int key_new(key_t *key)
32 {
33 	/* Create key pair container */
34 	key->key = EVP_PKEY_new();
35 	if (key->key == NULL) {
36 		return 0;
37 	}
38 
39 	return 1;
40 }
41 #endif
42 
43 static int key_create_rsa(key_t *key, int key_bits)
44 {
45 #if USING_OPENSSL3
46 	EVP_PKEY *rsa = EVP_RSA_gen(key_bits);
47 	if (rsa == NULL) {
48 		printf("Cannot generate RSA key\n");
49 		return 0;
50 	}
51 	key->key = rsa;
52 	return 1;
53 #else
54 	BIGNUM *e;
55 	RSA *rsa = NULL;
56 
57 	e = BN_new();
58 	if (e == NULL) {
59 		printf("Cannot create RSA exponent\n");
60 		return 0;
61 	}
62 
63 	if (!BN_set_word(e, RSA_F4)) {
64 		printf("Cannot assign RSA exponent\n");
65 		goto err2;
66 	}
67 
68 	rsa = RSA_new();
69 	if (rsa == NULL) {
70 		printf("Cannot create RSA key\n");
71 		goto err2;
72 	}
73 
74 	if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
75 		printf("Cannot generate RSA key\n");
76 		goto err;
77 	}
78 
79 	if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
80 		printf("Cannot assign RSA key\n");
81 		goto err;
82 	}
83 
84 	BN_free(e);
85 	return 1;
86 
87 err:
88 	RSA_free(rsa);
89 err2:
90 	BN_free(e);
91 	return 0;
92 #endif
93 }
94 
95 #ifndef OPENSSL_NO_EC
96 #if USING_OPENSSL3
97 static int key_create_ecdsa(key_t *key, int key_bits, const char *curve)
98 {
99 	EVP_PKEY *ec = EVP_EC_gen(curve);
100 	if (ec == NULL) {
101 		printf("Cannot generate EC key\n");
102 		return 0;
103 	}
104 
105 	key->key = ec;
106 	return 1;
107 }
108 
109 static int key_create_ecdsa_nist(key_t *key, int key_bits)
110 {
111 	return key_create_ecdsa(key, key_bits, "prime256v1");
112 }
113 
114 static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
115 {
116 	return key_create_ecdsa(key, key_bits, "brainpoolP256r1");
117 }
118 
119 static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
120 {
121 	return key_create_ecdsa(key, key_bits, "brainpoolP256t1");
122 }
123 #else
124 static int key_create_ecdsa(key_t *key, int key_bits, const int curve_id)
125 {
126 	EC_KEY *ec;
127 
128 	ec = EC_KEY_new_by_curve_name(curve_id);
129 	if (ec == NULL) {
130 		printf("Cannot create EC key\n");
131 		return 0;
132 	}
133 	if (!EC_KEY_generate_key(ec)) {
134 		printf("Cannot generate EC key\n");
135 		goto err;
136 	}
137 	EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
138 	EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
139 	if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
140 		printf("Cannot assign EC key\n");
141 		goto err;
142 	}
143 
144 	return 1;
145 
146 err:
147 	EC_KEY_free(ec);
148 	return 0;
149 }
150 
151 static int key_create_ecdsa_nist(key_t *key, int key_bits)
152 {
153 	return key_create_ecdsa(key, key_bits, NID_X9_62_prime256v1);
154 }
155 
156 static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
157 {
158 	return key_create_ecdsa(key, key_bits, NID_brainpoolP256r1);
159 }
160 
161 static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
162 {
163 	return key_create_ecdsa(key, key_bits, NID_brainpoolP256t1);
164 }
165 #endif /* USING_OPENSSL3 */
166 #endif /* OPENSSL_NO_EC */
167 
168 typedef int (*key_create_fn_t)(key_t *key, int key_bits);
169 static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
170 	[KEY_ALG_RSA] = key_create_rsa,
171 #ifndef OPENSSL_NO_EC
172 	[KEY_ALG_ECDSA_NIST] = key_create_ecdsa_nist,
173 	[KEY_ALG_ECDSA_BRAINPOOL_R] = key_create_ecdsa_brainpool_r,
174 	[KEY_ALG_ECDSA_BRAINPOOL_T] = key_create_ecdsa_brainpool_t,
175 #endif /* OPENSSL_NO_EC */
176 };
177 
178 int key_create(key_t *key, int type, int key_bits)
179 {
180 	if (type >= KEY_ALG_MAX_NUM) {
181 		printf("Invalid key type\n");
182 		return 0;
183 	}
184 
185 	if (key_create_fn[type]) {
186 		return key_create_fn[type](key, key_bits);
187 	}
188 
189 	return 0;
190 }
191 
192 int key_load(key_t *key, unsigned int *err_code)
193 {
194 	FILE *fp;
195 
196 	if (key->fn) {
197 		/* Load key from file */
198 		fp = fopen(key->fn, "r");
199 		if (fp) {
200 			key->key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
201 			fclose(fp);
202 			if (key->key) {
203 				*err_code = KEY_ERR_NONE;
204 				return 1;
205 			} else {
206 				ERROR("Cannot load key from %s\n", key->fn);
207 				*err_code = KEY_ERR_LOAD;
208 			}
209 		} else {
210 			WARN("Cannot open file %s\n", key->fn);
211 			*err_code = KEY_ERR_OPEN;
212 		}
213 	} else {
214 		VERBOSE("Key filename not specified\n");
215 		*err_code = KEY_ERR_FILENAME;
216 	}
217 
218 	return 0;
219 }
220 
221 int key_store(key_t *key)
222 {
223 	FILE *fp;
224 
225 	if (key->fn) {
226 		fp = fopen(key->fn, "w");
227 		if (fp) {
228 			PEM_write_PrivateKey(fp, key->key,
229 					NULL, NULL, 0, NULL, NULL);
230 			fclose(fp);
231 			return 1;
232 		} else {
233 			ERROR("Cannot create file %s\n", key->fn);
234 		}
235 	} else {
236 		ERROR("Key filename not specified\n");
237 	}
238 
239 	return 0;
240 }
241 
242 int key_init(void)
243 {
244 	cmd_opt_t cmd_opt;
245 	key_t *key;
246 	unsigned int i;
247 
248 	keys = malloc((num_def_keys * sizeof(def_keys[0]))
249 #ifdef PDEF_KEYS
250 		      + (num_pdef_keys * sizeof(pdef_keys[0]))
251 #endif
252 		      );
253 
254 	if (keys == NULL) {
255 		ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
256 		return 1;
257 	}
258 
259 	memcpy(&keys[0], &def_keys[0], (num_def_keys * sizeof(def_keys[0])));
260 #ifdef PDEF_KEYS
261 	memcpy(&keys[num_def_keys], &pdef_keys[0],
262 		(num_pdef_keys * sizeof(pdef_keys[0])));
263 
264 	num_keys = num_def_keys + num_pdef_keys;
265 #else
266 	num_keys = num_def_keys;
267 #endif
268 		   ;
269 
270 	for (i = 0; i < num_keys; i++) {
271 		key = &keys[i];
272 		if (key->opt != NULL) {
273 			cmd_opt.long_opt.name = key->opt;
274 			cmd_opt.long_opt.has_arg = required_argument;
275 			cmd_opt.long_opt.flag = NULL;
276 			cmd_opt.long_opt.val = CMD_OPT_KEY;
277 			cmd_opt.help_msg = key->help_msg;
278 			cmd_opt_add(&cmd_opt);
279 		}
280 	}
281 
282 	return 0;
283 }
284 
285 key_t *key_get_by_opt(const char *opt)
286 {
287 	key_t *key;
288 	unsigned int i;
289 
290 	/* Sequential search. This is not a performance concern since the number
291 	 * of keys is bounded and the code runs on a host machine */
292 	for (i = 0; i < num_keys; i++) {
293 		key = &keys[i];
294 		if (0 == strcmp(key->opt, opt)) {
295 			return key;
296 		}
297 	}
298 
299 	return NULL;
300 }
301 
302 void key_cleanup(void)
303 {
304 	unsigned int i;
305 
306 	for (i = 0; i < num_keys; i++) {
307 		EVP_PKEY_free(keys[i].key);
308 		if (keys[i].fn != NULL) {
309 			void *ptr = keys[i].fn;
310 
311 			free(ptr);
312 			keys[i].fn = NULL;
313 		}
314 	}
315 	free(keys);
316 }
317 
318