TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-A / trusted-firmware-a / ccbf890e5e2fb75b4df30f50f06c505702a0e01c / . / tools / cert_create / src / main.c
blob: 77faf42e13608c18e667c7147dd90e5bb49d7aca [file] [log] [blame]
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <getopt.h>
32#include <stdio.h>
33#include <stdlib.h>
34#include <string.h>
35
36#include <openssl/conf.h>
37#include <openssl/engine.h>
38#include <openssl/err.h>
39#include <openssl/pem.h>
40#include <openssl/sha.h>
41#include <openssl/x509v3.h>
42
43#include "cert.h"
44#include "debug.h"
45#include "ext.h"
46#include "key.h"
47#include "platform_oid.h"
48#include "sha.h"
49#include "tbb_ext.h"
50#include "tbb_cert.h"
51#include "tbb_key.h"
52
53/*
54 * Helper macros to simplify the code. This macro assigns the return value of
55 * the 'fn' function to 'v' and exits if the value is NULL.
56 */
57#define CHECK_NULL(v, fn) \
58 do { \
59 v = fn; \
60 if (v == NULL) { \
61 ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \
62 exit(1); \
63 } \
64 } while (0)
65
66/*
67 * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the
68 * NID is undefined.
69 */
70#define CHECK_OID(v, oid) \
71 do { \
72 v = OBJ_txt2nid(oid); \
73 if (v == NID_undef) { \
74 ERROR("Cannot find TBB extension %s\n", oid); \
75 exit(1); \
76 } \
77 } while (0)
78
79#define MAX_FILENAME_LEN 1024
80#define VAL_DAYS 7300
81#define ID_TO_BIT_MASK(id) (1 << id)
82#define NVCOUNTER_VALUE 0
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]83#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0])))
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]84
85/* Files */
86enum {
87 /* Image file names (inputs) */
88 BL2_ID = 0,
89 BL30_ID,
90 BL31_ID,
91 BL32_ID,
92 BL33_ID,
93 /* Certificate file names (outputs) */
94 BL2_CERT_ID,
95 TRUSTED_KEY_CERT_ID,
96 BL30_KEY_CERT_ID,
97 BL30_CERT_ID,
98 BL31_KEY_CERT_ID,
99 BL31_CERT_ID,
100 BL32_KEY_CERT_ID,
101 BL32_CERT_ID,
102 BL33_KEY_CERT_ID,
103 BL33_CERT_ID,
104 /* Key file names (input/output) */
105 ROT_KEY_ID,
106 TRUSTED_WORLD_KEY_ID,
107 NON_TRUSTED_WORLD_KEY_ID,
108 BL30_KEY_ID,
109 BL31_KEY_ID,
110 BL32_KEY_ID,
111 BL33_KEY_ID,
112 NUM_OPTS
113};
114
115/* Global options */
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]116static int key_alg;
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]117static int new_keys;
118static int save_keys;
119static int print_cert;
120static int bl30_present;
121static int bl32_present;
122
123/* We are not checking nvcounters in TF. Include them in the certificates but
124 * the value will be set to 0 */
125static int tf_nvcounter;
126static int non_tf_nvcounter;
127
128/* Info messages created in the Makefile */
129extern const char build_msg[];
130extern const char platform_msg[];
131
132
133static char *strdup(const char *str)
134{
135 int n = strlen(str) + 1;
136 char *dup = malloc(n);
137 if (dup) {
138 strcpy(dup, str);
139 }
140 return dup;
141}
142
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]143static const char *key_algs_str[] = {
144 [KEY_ALG_RSA] = "rsa",
145 [KEY_ALG_ECDSA] = "ecdsa"
146};
147
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]148/* Command line options */
149static const struct option long_opt[] = {
150 /* Binary images */
151 {"bl2", required_argument, 0, BL2_ID},
152 {"bl30", required_argument, 0, BL30_ID},
153 {"bl31", required_argument, 0, BL31_ID},
154 {"bl32", required_argument, 0, BL32_ID},
155 {"bl33", required_argument, 0, BL33_ID},
156 /* Certificate files */
157 {"bl2-cert", required_argument, 0, BL2_CERT_ID},
158 {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID},
159 {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID},
160 {"bl30-cert", required_argument, 0, BL30_CERT_ID},
161 {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID},
162 {"bl31-cert", required_argument, 0, BL31_CERT_ID},
163 {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID},
164 {"bl32-cert", required_argument, 0, BL32_CERT_ID},
165 {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID},
166 {"bl33-cert", required_argument, 0, BL33_CERT_ID},
167 /* Private key files */
168 {"rot-key", required_argument, 0, ROT_KEY_ID},
169 {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID},
170 {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID},
171 {"bl30-key", required_argument, 0, BL30_KEY_ID},
172 {"bl31-key", required_argument, 0, BL31_KEY_ID},
173 {"bl32-key", required_argument, 0, BL32_KEY_ID},
174 {"bl33-key", required_argument, 0, BL33_KEY_ID},
175 /* Common options */
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]176 {"key-alg", required_argument, 0, 'a'},
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]177 {"help", no_argument, 0, 'h'},
178 {"save-keys", no_argument, 0, 'k'},
179 {"new-chain", no_argument, 0, 'n'},
180 {"print-cert", no_argument, 0, 'p'},
181 {0, 0, 0, 0}
182};
183
184static void print_help(const char *cmd)
185{
186 int i = 0;
187 printf("\n\n");
188 printf("The certificate generation tool loads the binary images and\n"
189 "optionally the RSA keys, and outputs the key and content\n"
190 "certificates properly signed to implement the chain of trust.\n"
191 "If keys are provided, they must be in PEM format.\n"
192 "Certificates are generated in DER format.\n");
193 printf("\n");
194 printf("Usage:\n\n");
195 printf(" %s [-hknp] \\\n", cmd);
196 for (i = 0; i < NUM_OPTS; i++) {
197 printf(" --%s <file> \\\n", long_opt[i].name);
198 }
199 printf("\n");
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]200 printf("-a Key algorithm: rsa (default), ecdsa\n");
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]201 printf("-h Print help and exit\n");
202 printf("-k Save key pairs into files. Filenames must be provided\n");
203 printf("-n Generate new key pairs if no key files are provided\n");
204 printf("-p Print the certificates in the standard output\n");
205 printf("\n");
206
207 exit(0);
208}
209
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]210static int get_key_alg(const char *key_alg_str)
211{
212 int i;
213
214 for (i = 0 ; i < NUM_ELEM(key_algs_str) ; i++) {
215 if (0 == strcmp(key_alg_str, key_algs_str[i])) {
216 return i;
217 }
218 }
219
220 return -1;
221}
222
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]223static void check_cmd_params(void)
224{
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]225 /* Only save new keys */
226 if (save_keys && !new_keys) {
227 ERROR("Only new keys can be saved to disk\n");
228 exit(1);
229 }
230
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]231 /* BL2, BL31 and BL33 are mandatory */
232 if (certs[BL2_CERT].bin == NULL) {
233 ERROR("BL2 image not specified\n");
234 exit(1);
235 }
236
237 if (certs[BL31_CERT].bin == NULL) {
238 ERROR("BL31 image not specified\n");
239 exit(1);
240 }
241
242 if (certs[BL33_CERT].bin == NULL) {
243 ERROR("BL33 image not specified\n");
244 exit(1);
245 }
246
247 /* BL30 and BL32 are optional */
248 if (certs[BL30_CERT].bin != NULL) {
249 bl30_present = 1;
250 }
251
252 if (certs[BL32_CERT].bin != NULL) {
253 bl32_present = 1;
254 }
255
256 /* TODO: Certificate filenames */
257
258 /* Filenames to store keys must be specified */
259 if (save_keys || !new_keys) {
260 if (keys[ROT_KEY].fn == NULL) {
261 ERROR("ROT key not specified\n");
262 exit(1);
263 }
264
265 if (keys[TRUSTED_WORLD_KEY].fn == NULL) {
266 ERROR("Trusted World key not specified\n");
267 exit(1);
268 }
269
270 if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) {
271 ERROR("Non-trusted World key not specified\n");
272 exit(1);
273 }
274
275 if (keys[BL31_KEY].fn == NULL) {
276 ERROR("BL31 key not specified\n");
277 exit(1);
278 }
279
280 if (keys[BL33_KEY].fn == NULL) {
281 ERROR("BL33 key not specified\n");
282 exit(1);
283 }
284
285 if (bl30_present && (keys[BL30_KEY].fn == NULL)) {
286 ERROR("BL30 key not specified\n");
287 exit(1);
288 }
289
290 if (bl32_present && (keys[BL32_KEY].fn == NULL)) {
291 ERROR("BL32 key not specified\n");
292 exit(1);
293 }
294 }
295}
296
297int main(int argc, char *argv[])
298{
299 STACK_OF(X509_EXTENSION) * sk = NULL;
300 X509_EXTENSION *hash_ext = NULL;
301 X509_EXTENSION *nvctr_ext = NULL;
302 X509_EXTENSION *trusted_key_ext = NULL;
303 X509_EXTENSION *non_trusted_key_ext = NULL;
304 FILE *file = NULL;
305 int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
306 int c, opt_idx = 0;
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]307 unsigned int err_code;
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]308 unsigned char md[SHA256_DIGEST_LENGTH];
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]309 const EVP_MD *md_info;
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]310
311 NOTICE("CoT Generation Tool: %s\n", build_msg);
312 NOTICE("Target platform: %s\n", platform_msg);
313
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]314 /* Set default options */
315 key_alg = KEY_ALG_RSA;
316
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]317 while (1) {
318 /* getopt_long stores the option index here. */
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]319 c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]320
321 /* Detect the end of the options. */
322 if (c == -1) {
323 break;
324 }
325
326 switch (c) {
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]327 case 'a':
328 key_alg = get_key_alg(optarg);
329 if (key_alg < 0) {
330 ERROR("Invalid key algorithm '%s'\n", optarg);
331 exit(1);
332 }
333 break;
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]334 case 'h':
335 print_help(argv[0]);
336 break;
337 case 'k':
338 save_keys = 1;
339 break;
340 case 'n':
341 new_keys = 1;
342 break;
343 case 'p':
344 print_cert = 1;
345 break;
346 case BL2_ID:
347 certs[BL2_CERT].bin = strdup(optarg);
348 break;
349 case BL30_ID:
350 certs[BL30_CERT].bin = strdup(optarg);
351 break;
352 case BL31_ID:
353 certs[BL31_CERT].bin = strdup(optarg);
354 break;
355 case BL32_ID:
356 certs[BL32_CERT].bin = strdup(optarg);
357 break;
358 case BL33_ID:
359 certs[BL33_CERT].bin = strdup(optarg);
360 break;
361 case BL2_CERT_ID:
362 certs[BL2_CERT].fn = strdup(optarg);
363 break;
364 case TRUSTED_KEY_CERT_ID:
365 certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
366 break;
367 case BL30_KEY_CERT_ID:
368 certs[BL30_KEY_CERT].fn = strdup(optarg);
369 break;
370 case BL30_CERT_ID:
371 certs[BL30_CERT].fn = strdup(optarg);
372 break;
373 case BL31_KEY_CERT_ID:
374 certs[BL31_KEY_CERT].fn = strdup(optarg);
375 break;
376 case BL31_CERT_ID:
377 certs[BL31_CERT].fn = strdup(optarg);
378 break;
379 case BL32_KEY_CERT_ID:
380 certs[BL32_KEY_CERT].fn = strdup(optarg);
381 break;
382 case BL32_CERT_ID:
383 certs[BL32_CERT].fn = strdup(optarg);
384 break;
385 case BL33_KEY_CERT_ID:
386 certs[BL33_KEY_CERT].fn = strdup(optarg);
387 break;
388 case BL33_CERT_ID:
389 certs[BL33_CERT].fn = strdup(optarg);
390 break;
391 case ROT_KEY_ID:
392 keys[ROT_KEY].fn = strdup(optarg);
393 break;
394 case TRUSTED_WORLD_KEY_ID:
395 keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
396 break;
397 case NON_TRUSTED_WORLD_KEY_ID:
398 keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
399 break;
400 case BL30_KEY_ID:
401 keys[BL30_KEY].fn = strdup(optarg);
402 break;
403 case BL31_KEY_ID:
404 keys[BL31_KEY].fn = strdup(optarg);
405 break;
406 case BL32_KEY_ID:
407 keys[BL32_KEY].fn = strdup(optarg);
408 break;
409 case BL33_KEY_ID:
410 keys[BL33_KEY].fn = strdup(optarg);
411 break;
412 case '?':
413 default:
414 printf("%s\n", optarg);
415 exit(1);
416 }
417 }
418
419 /* Set the value of the NVCounters */
420 tf_nvcounter = NVCOUNTER_VALUE;
421 non_tf_nvcounter = NVCOUNTER_VALUE;
422
423 /* Check command line arguments */
424 check_cmd_params();
425
426 /* Register the new types and OIDs for the extensions */
427 if (ext_init(tbb_ext) != 0) {
428 ERROR("Cannot initialize TBB extensions\n");
429 exit(1);
430 }
431
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]432 /* Indicate SHA256 as image hash algorithm in the certificate
433 * extension */
434 md_info = EVP_sha256();
435
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]436 /* Get non-volatile counters NIDs */
437 CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
438 CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
439
440 /* Load private keys from files (or generate new ones) */
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]441 for (i = 0 ; i < NUM_KEYS ; i++) {
442 /* First try to load the key from disk */
443 if (key_load(&keys[i], &err_code)) {
444 /* Key loaded successfully */
445 continue;
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]446 }
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]447
448 /* Key not loaded. Check the error code */
449 if (err_code == KEY_ERR_MALLOC) {
450 /* Cannot allocate memory. Abort. */
451 ERROR("Malloc error while loading '%s'\n", keys[i].fn);
452 exit(1);
453 } else if (err_code == KEY_ERR_LOAD) {
454 /* File exists, but it does not contain a valid private
455 * key. Abort. */
456 ERROR("Error loading '%s'\n", keys[i].fn);
457 exit(1);
458 }
459
460 /* File does not exist, could not be opened or no filename was
461 * given */
462 if (new_keys) {
463 /* Try to create a new key */
464 NOTICE("Creating new key for '%s'\n", keys[i].desc);
465 if (!key_create(&keys[i], key_alg)) {
466 ERROR("Error creating key '%s'\n", keys[i].desc);
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]467 exit(1);
468 }
Juan Castilloccbf8902015-06-01 16:34:23 +0100[diff] [blame^]469 } else {
470 if (err_code == KEY_ERR_OPEN) {
471 ERROR("Error opening '%s'\n", keys[i].fn);
472 } else {
473 ERROR("Key '%s' not specified\n", keys[i].desc);
474 }
475 exit(1);
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]476 }
477 }
478
479 /* *********************************************************************
480 * BL2 certificate (Trusted Boot Firmware certificate):
481 * - Self-signed with OEM ROT private key
482 * - Extensions:
483 * - TrustedFirmwareNVCounter (TODO)
484 * - BL2 hash
485 **********************************************************************/
486 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
487
488 /* Add the NVCounter as a critical extension */
489 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
490 tf_nvcounter));
491 sk_X509_EXTENSION_push(sk, nvctr_ext);
492
493 /* Add hash of BL2 as an extension */
494 if (!sha_file(certs[BL2_CERT].bin, md)) {
495 ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
496 exit(1);
497 }
498 CHECK_OID(hash_nid, BL2_HASH_OID);
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]499 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]500 SHA256_DIGEST_LENGTH));
501 sk_X509_EXTENSION_push(sk, hash_ext);
502
503 /* Create certificate. Signed with ROT key */
504 if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
505 ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
506 exit(1);
507 }
508 sk_X509_EXTENSION_free(sk);
509
510 /* *********************************************************************
511 * Trusted Key certificate:
512 * - Self-signed with OEM ROT private key
513 * - Extensions:
514 * - TrustedFirmwareNVCounter (TODO)
515 * - TrustedWorldPK
516 * - NonTrustedWorldPK
517 **********************************************************************/
518 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
519 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
520 tf_nvcounter));
521 sk_X509_EXTENSION_push(sk, nvctr_ext);
522 CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
523 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
524 keys[TRUSTED_WORLD_KEY].key));
525 sk_X509_EXTENSION_push(sk, trusted_key_ext);
526 CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
527 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
528 keys[NON_TRUSTED_WORLD_KEY].key));
529 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
530 if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
531 ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
532 exit(1);
533 }
534 sk_X509_EXTENSION_free(sk);
535
536 /* *********************************************************************
537 * BL30 Key certificate (Trusted SCP Firmware Key certificate):
538 * - Self-signed with Trusted World key
539 * - Extensions:
540 * - TrustedFirmwareNVCounter (TODO)
541 * - SCPFirmwareContentCertPK
542 **********************************************************************/
543 if (bl30_present) {
544 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
545 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
546 tf_nvcounter));
547 sk_X509_EXTENSION_push(sk, nvctr_ext);
548 CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
549 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
550 keys[BL30_KEY].key));
551 sk_X509_EXTENSION_push(sk, trusted_key_ext);
552 if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
553 ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
554 exit(1);
555 }
556 sk_X509_EXTENSION_free(sk);
557 }
558
559 /* *********************************************************************
560 * BL30 certificate (SCP Firmware Content certificate):
561 * - Signed with Trusted World Key
562 * - Extensions:
563 * - TrustedFirmwareNVCounter (TODO)
564 * - SCPFirmwareHash
565 **********************************************************************/
566 if (bl30_present) {
567 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
568 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
569 tf_nvcounter));
570 sk_X509_EXTENSION_push(sk, nvctr_ext);
571
572 if (!sha_file(certs[BL30_CERT].bin, md)) {
573 ERROR("Cannot calculate the hash of %s\n",
574 certs[BL30_CERT].bin);
575 exit(1);
576 }
577 CHECK_OID(hash_nid, BL30_HASH_OID);
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]578 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
579 md, SHA256_DIGEST_LENGTH));
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]580 sk_X509_EXTENSION_push(sk, hash_ext);
581
582 if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
583 ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
584 exit(1);
585 }
586
587 sk_X509_EXTENSION_free(sk);
588 }
589
590 /* *********************************************************************
591 * BL31 Key certificate (Trusted SoC Firmware Key certificate):
592 * - Self-signed with Trusted World key
593 * - Extensions:
594 * - TrustedFirmwareNVCounter (TODO)
595 * - SoCFirmwareContentCertPK
596 **********************************************************************/
597 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
598 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
599 tf_nvcounter));
600 sk_X509_EXTENSION_push(sk, nvctr_ext);
601 CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
602 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
603 keys[BL31_KEY].key));
604 sk_X509_EXTENSION_push(sk, trusted_key_ext);
605 if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
606 ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
607 exit(1);
608 }
609 sk_X509_EXTENSION_free(sk);
610
611 /* *********************************************************************
612 * BL31 certificate (SOC Firmware Content certificate):
613 * - Signed with Trusted World Key
614 * - Extensions:
615 * - TrustedFirmwareNVCounter (TODO)
616 * - BL31 hash
617 **********************************************************************/
618 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
619 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
620 tf_nvcounter));
621 sk_X509_EXTENSION_push(sk, nvctr_ext);
622
623 if (!sha_file(certs[BL31_CERT].bin, md)) {
624 ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
625 exit(1);
626 }
627 CHECK_OID(hash_nid, BL31_HASH_OID);
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]628 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]629 SHA256_DIGEST_LENGTH));
630 sk_X509_EXTENSION_push(sk, hash_ext);
631
632 if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
633 ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
634 exit(1);
635 }
636
637 sk_X509_EXTENSION_free(sk);
638
639 /* *********************************************************************
640 * BL32 Key certificate (Trusted OS Firmware Key certificate):
641 * - Self-signed with Trusted World key
642 * - Extensions:
643 * - TrustedFirmwareNVCounter (TODO)
644 * - TrustedOSFirmwareContentCertPK
645 **********************************************************************/
646 if (bl32_present) {
647 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
648 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
649 tf_nvcounter));
650 sk_X509_EXTENSION_push(sk, nvctr_ext);
651 CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
652 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
653 keys[BL32_KEY].key));
654 sk_X509_EXTENSION_push(sk, trusted_key_ext);
655 if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
656 ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
657 exit(1);
658 }
659 sk_X509_EXTENSION_free(sk);
660 }
661
662 /* *********************************************************************
663 * BL32 certificate (TrustedOS Firmware Content certificate):
664 * - Signed with Trusted World Key
665 * - Extensions:
666 * - TrustedFirmwareNVCounter (TODO)
667 * - BL32 hash
668 **********************************************************************/
669 if (bl32_present) {
670 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
671 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
672 tf_nvcounter));
673 sk_X509_EXTENSION_push(sk, nvctr_ext);
674
675 if (!sha_file(certs[BL32_CERT].bin, md)) {
676 ERROR("Cannot calculate the hash of %s\n",
677 certs[BL32_CERT].bin);
678 exit(1);
679 }
680 CHECK_OID(hash_nid, BL32_HASH_OID);
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]681 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
682 md, SHA256_DIGEST_LENGTH));
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]683 sk_X509_EXTENSION_push(sk, hash_ext);
684
685 if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
686 ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
687 exit(1);
688 }
689
690 sk_X509_EXTENSION_free(sk);
691 }
692
693 /* *********************************************************************
694 * BL33 Key certificate (Non Trusted Firmware Key certificate):
695 * - Self-signed with Non Trusted World key
696 * - Extensions:
697 * - NonTrustedFirmwareNVCounter (TODO)
698 * - NonTrustedFirmwareContentCertPK
699 **********************************************************************/
700 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
701 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
702 non_tf_nvcounter));
703 sk_X509_EXTENSION_push(sk, nvctr_ext);
704 CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
705 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
706 keys[BL33_KEY].key));
707 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
708 if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
709 ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
710 exit(1);
711 }
712 sk_X509_EXTENSION_free(sk);
713
714 /* *********************************************************************
715 * BL33 certificate (Non-Trusted World Content certificate):
716 * - Signed with Non-Trusted World Key
717 * - Extensions:
718 * - NonTrustedFirmwareNVCounter (TODO)
719 * - BL33 hash
720 **********************************************************************/
721 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
722 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
723 non_tf_nvcounter));
724 sk_X509_EXTENSION_push(sk, nvctr_ext);
725
726 if (!sha_file(certs[BL33_CERT].bin, md)) {
727 ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
728 exit(1);
729 }
730 CHECK_OID(hash_nid, BL33_HASH_OID);
Juan Castilloc3da66b2015-03-05 14:30:00 +0000[diff] [blame]731 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]732 SHA256_DIGEST_LENGTH));
733 sk_X509_EXTENSION_push(sk, hash_ext);
734
735 if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
736 ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
737 exit(1);
738 }
739 sk_X509_EXTENSION_free(sk);
740
741 /* Print the certificates */
742 if (print_cert) {
743 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
744 if (!certs[i].x) {
745 continue;
746 }
747 printf("\n\n=====================================\n\n");
748 X509_print_fp(stdout, certs[i].x);
749 }
750 }
751
752 /* Save created certificates to files */
753 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
754 if (certs[i].x && certs[i].fn) {
755 file = fopen(certs[i].fn, "w");
756 if (file != NULL) {
757 i2d_X509_fp(file, certs[i].x);
758 fclose(file);
759 } else {
760 ERROR("Cannot create file %s\n", certs[i].fn);
761 }
762 }
763 }
764
765 /* Save keys */
766 if (save_keys) {
767 for (i = 0 ; i < NUM_KEYS ; i++) {
768 if (!key_store(&keys[i])) {
769 ERROR("Cannot save %s\n", keys[i].desc);
770 }
771 }
772 }
773
774 X509_EXTENSION_free(hash_ext);
775 X509_EXTENSION_free(nvctr_ext);
776 X509_EXTENSION_free(trusted_key_ext);
777 X509_EXTENSION_free(non_trusted_key_ext);
778
779#ifndef OPENSSL_NO_ENGINE
780 ENGINE_cleanup();
781#endif
782 CRYPTO_cleanup_all_ex_data();
783
784 return 0;
785}