TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-A / trusted-firmware-a / 55e291a4058633300deafabe62db7e2885f0afb5 / . / tools / cert_create / src / cert.c
blob: e58b10e15e3b22cd6ed930b5af55dc2c51c3d42a [file] [log] [blame]
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34
35#include <openssl/conf.h>
36#include <openssl/err.h>
37#include <openssl/pem.h>
38#include <openssl/sha.h>
39#include <openssl/x509v3.h>
40
41#include "cert.h"
42#include "debug.h"
43#include "key.h"
44#include "platform_oid.h"
45#include "sha.h"
46
47#define SERIAL_RAND_BITS 64
48
49int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
50{
51 BIGNUM *btmp;
52 int ret = 0;
53 if (b)
54 btmp = b;
55 else
56 btmp = BN_new();
57
58 if (!btmp)
59 return 0;
60
61 if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
62 goto error;
63 if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
64 goto error;
65
66 ret = 1;
67
68error:
69
70 if (!b)
71 BN_free(btmp);
72
73 return ret;
74}
75
76int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
77{
78 X509_EXTENSION *ex;
79 X509V3_CTX ctx;
80
81 /* No configuration database */
82 X509V3_set_ctx_nodb(&ctx);
83
84 /* Set issuer and subject certificates in the context */
85 X509V3_set_ctx(&ctx, issuer, subject, NULL, NULL, 0);
86 ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
87 if (!ex) {
88 ERR_print_errors_fp(stdout);
89 return 0;
90 }
91
92 X509_add_ext(subject, ex, -1);
93 X509_EXTENSION_free(ex);
94
95 return 1;
96}
97
98
99int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
100{
Juan Castillo55e291a2015-06-12 11:27:59 +0100[diff] [blame^]101 EVP_PKEY *pkey = keys[cert->key].key;
102 cert_t *issuer_cert = &certs[cert->issuer];
103 EVP_PKEY *ikey = keys[issuer_cert->key].key;
104 X509 *issuer = issuer_cert->x;
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]105 X509 *x = NULL;
106 X509_EXTENSION *ex = NULL;
107 X509_NAME *name = NULL;
108 ASN1_INTEGER *sno = NULL;
109 int i, num;
110
111 /* Create the certificate structure */
112 x = X509_new();
113 if (!x) {
114 return 0;
115 }
116
117 /* If we do not have a key, use the issuer key (the certificate will
118 * become self signed). This happens in content certificates. */
119 if (!pkey) {
120 pkey = ikey;
121 }
122
123 /* If we do not have an issuer certificate, use our own (the certificate
124 * will become self signed) */
125 if (!issuer) {
126 issuer = x;
127 }
128
129 /* x509.v3 */
130 X509_set_version(x, 2);
131
132 /* Random serial number */
133 sno = ASN1_INTEGER_new();
134 rand_serial(NULL, sno);
135 X509_set_serialNumber(x, sno);
136 ASN1_INTEGER_free(sno);
137
138 X509_gmtime_adj(X509_get_notBefore(x), 0);
139 X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*days);
140 X509_set_pubkey(x, pkey);
141
142 /* Subject name */
143 name = X509_get_subject_name(x);
144 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
145 (const unsigned char *)cert->cn, -1, -1, 0);
146 X509_set_subject_name(x, name);
147
148 /* Issuer name */
149 name = X509_get_issuer_name(x);
150 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
Juan Castillo55e291a2015-06-12 11:27:59 +0100[diff] [blame^]151 (const unsigned char *)issuer_cert->cn, -1, -1, 0);
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]152 X509_set_issuer_name(x, name);
153
154 /* Add various extensions: standard extensions */
155 cert_add_ext(issuer, x, NID_subject_key_identifier, "hash");
156 cert_add_ext(issuer, x, NID_authority_key_identifier, "keyid:always");
157 if (ca) {
158 cert_add_ext(issuer, x, NID_basic_constraints, "CA:TRUE");
159 cert_add_ext(issuer, x, NID_key_usage, "keyCertSign");
160 } else {
161 cert_add_ext(issuer, x, NID_basic_constraints, "CA:FALSE");
162 }
163
164 /* Add custom extensions */
165 if (sk != NULL) {
166 num = sk_X509_EXTENSION_num(sk);
167 for (i = 0; i < num; i++) {
168 ex = sk_X509_EXTENSION_value(sk, i);
169 X509_add_ext(x, ex, -1);
170 }
171 }
172
173 /* Sign the certificate with the issuer key */
Juan Castilloea4ec3a2015-02-16 10:34:28 +0000[diff] [blame]174 if (!X509_sign(x, ikey, EVP_sha256())) {
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]175 ERR_print_errors_fp(stdout);
176 return 0;
177 }
178
179 cert->x = x;
180 return 1;
181}