TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-A / trusted-firmware-a / fd34e7ba7730b6538cfd18bddd877900c80e2a50 / . / tools / cert_create / src / main.c
blob: 6df367a244243ba14f876ff496373748762ad980 [file] [log] [blame]
Juan Castillo6f971622014-10-21 11:30:42 +0100[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <getopt.h>
32#include <stdio.h>
33#include <stdlib.h>
34#include <string.h>
35
36#include <openssl/conf.h>
37#include <openssl/engine.h>
38#include <openssl/err.h>
39#include <openssl/pem.h>
40#include <openssl/sha.h>
41#include <openssl/x509v3.h>
42
43#include "cert.h"
44#include "debug.h"
45#include "ext.h"
46#include "key.h"
47#include "platform_oid.h"
48#include "sha.h"
49#include "tbb_ext.h"
50#include "tbb_cert.h"
51#include "tbb_key.h"
52
53/*
54 * Helper macros to simplify the code. This macro assigns the return value of
55 * the 'fn' function to 'v' and exits if the value is NULL.
56 */
57#define CHECK_NULL(v, fn) \
58 do { \
59 v = fn; \
60 if (v == NULL) { \
61 ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \
62 exit(1); \
63 } \
64 } while (0)
65
66/*
67 * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the
68 * NID is undefined.
69 */
70#define CHECK_OID(v, oid) \
71 do { \
72 v = OBJ_txt2nid(oid); \
73 if (v == NID_undef) { \
74 ERROR("Cannot find TBB extension %s\n", oid); \
75 exit(1); \
76 } \
77 } while (0)
78
79#define MAX_FILENAME_LEN 1024
80#define VAL_DAYS 7300
81#define ID_TO_BIT_MASK(id) (1 << id)
82#define NVCOUNTER_VALUE 0
83
84/* Files */
85enum {
86 /* Image file names (inputs) */
87 BL2_ID = 0,
88 BL30_ID,
89 BL31_ID,
90 BL32_ID,
91 BL33_ID,
92 /* Certificate file names (outputs) */
93 BL2_CERT_ID,
94 TRUSTED_KEY_CERT_ID,
95 BL30_KEY_CERT_ID,
96 BL30_CERT_ID,
97 BL31_KEY_CERT_ID,
98 BL31_CERT_ID,
99 BL32_KEY_CERT_ID,
100 BL32_CERT_ID,
101 BL33_KEY_CERT_ID,
102 BL33_CERT_ID,
103 /* Key file names (input/output) */
104 ROT_KEY_ID,
105 TRUSTED_WORLD_KEY_ID,
106 NON_TRUSTED_WORLD_KEY_ID,
107 BL30_KEY_ID,
108 BL31_KEY_ID,
109 BL32_KEY_ID,
110 BL33_KEY_ID,
111 NUM_OPTS
112};
113
114/* Global options */
115static int new_keys;
116static int save_keys;
117static int print_cert;
118static int bl30_present;
119static int bl32_present;
120
121/* We are not checking nvcounters in TF. Include them in the certificates but
122 * the value will be set to 0 */
123static int tf_nvcounter;
124static int non_tf_nvcounter;
125
126/* Info messages created in the Makefile */
127extern const char build_msg[];
128extern const char platform_msg[];
129
130
131static char *strdup(const char *str)
132{
133 int n = strlen(str) + 1;
134 char *dup = malloc(n);
135 if (dup) {
136 strcpy(dup, str);
137 }
138 return dup;
139}
140
141/* Command line options */
142static const struct option long_opt[] = {
143 /* Binary images */
144 {"bl2", required_argument, 0, BL2_ID},
145 {"bl30", required_argument, 0, BL30_ID},
146 {"bl31", required_argument, 0, BL31_ID},
147 {"bl32", required_argument, 0, BL32_ID},
148 {"bl33", required_argument, 0, BL33_ID},
149 /* Certificate files */
150 {"bl2-cert", required_argument, 0, BL2_CERT_ID},
151 {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID},
152 {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID},
153 {"bl30-cert", required_argument, 0, BL30_CERT_ID},
154 {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID},
155 {"bl31-cert", required_argument, 0, BL31_CERT_ID},
156 {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID},
157 {"bl32-cert", required_argument, 0, BL32_CERT_ID},
158 {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID},
159 {"bl33-cert", required_argument, 0, BL33_CERT_ID},
160 /* Private key files */
161 {"rot-key", required_argument, 0, ROT_KEY_ID},
162 {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID},
163 {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID},
164 {"bl30-key", required_argument, 0, BL30_KEY_ID},
165 {"bl31-key", required_argument, 0, BL31_KEY_ID},
166 {"bl32-key", required_argument, 0, BL32_KEY_ID},
167 {"bl33-key", required_argument, 0, BL33_KEY_ID},
168 /* Common options */
169 {"help", no_argument, 0, 'h'},
170 {"save-keys", no_argument, 0, 'k'},
171 {"new-chain", no_argument, 0, 'n'},
172 {"print-cert", no_argument, 0, 'p'},
173 {0, 0, 0, 0}
174};
175
176static void print_help(const char *cmd)
177{
178 int i = 0;
179 printf("\n\n");
180 printf("The certificate generation tool loads the binary images and\n"
181 "optionally the RSA keys, and outputs the key and content\n"
182 "certificates properly signed to implement the chain of trust.\n"
183 "If keys are provided, they must be in PEM format.\n"
184 "Certificates are generated in DER format.\n");
185 printf("\n");
186 printf("Usage:\n\n");
187 printf(" %s [-hknp] \\\n", cmd);
188 for (i = 0; i < NUM_OPTS; i++) {
189 printf(" --%s <file> \\\n", long_opt[i].name);
190 }
191 printf("\n");
192 printf("-h Print help and exit\n");
193 printf("-k Save key pairs into files. Filenames must be provided\n");
194 printf("-n Generate new key pairs if no key files are provided\n");
195 printf("-p Print the certificates in the standard output\n");
196 printf("\n");
197
198 exit(0);
199}
200
201static void check_cmd_params(void)
202{
203 /* BL2, BL31 and BL33 are mandatory */
204 if (certs[BL2_CERT].bin == NULL) {
205 ERROR("BL2 image not specified\n");
206 exit(1);
207 }
208
209 if (certs[BL31_CERT].bin == NULL) {
210 ERROR("BL31 image not specified\n");
211 exit(1);
212 }
213
214 if (certs[BL33_CERT].bin == NULL) {
215 ERROR("BL33 image not specified\n");
216 exit(1);
217 }
218
219 /* BL30 and BL32 are optional */
220 if (certs[BL30_CERT].bin != NULL) {
221 bl30_present = 1;
222 }
223
224 if (certs[BL32_CERT].bin != NULL) {
225 bl32_present = 1;
226 }
227
228 /* TODO: Certificate filenames */
229
230 /* Filenames to store keys must be specified */
231 if (save_keys || !new_keys) {
232 if (keys[ROT_KEY].fn == NULL) {
233 ERROR("ROT key not specified\n");
234 exit(1);
235 }
236
237 if (keys[TRUSTED_WORLD_KEY].fn == NULL) {
238 ERROR("Trusted World key not specified\n");
239 exit(1);
240 }
241
242 if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) {
243 ERROR("Non-trusted World key not specified\n");
244 exit(1);
245 }
246
247 if (keys[BL31_KEY].fn == NULL) {
248 ERROR("BL31 key not specified\n");
249 exit(1);
250 }
251
252 if (keys[BL33_KEY].fn == NULL) {
253 ERROR("BL33 key not specified\n");
254 exit(1);
255 }
256
257 if (bl30_present && (keys[BL30_KEY].fn == NULL)) {
258 ERROR("BL30 key not specified\n");
259 exit(1);
260 }
261
262 if (bl32_present && (keys[BL32_KEY].fn == NULL)) {
263 ERROR("BL32 key not specified\n");
264 exit(1);
265 }
266 }
267}
268
269int main(int argc, char *argv[])
270{
271 STACK_OF(X509_EXTENSION) * sk = NULL;
272 X509_EXTENSION *hash_ext = NULL;
273 X509_EXTENSION *nvctr_ext = NULL;
274 X509_EXTENSION *trusted_key_ext = NULL;
275 X509_EXTENSION *non_trusted_key_ext = NULL;
276 FILE *file = NULL;
277 int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
278 int c, opt_idx = 0;
279 unsigned char md[SHA256_DIGEST_LENGTH];
280
281 NOTICE("CoT Generation Tool: %s\n", build_msg);
282 NOTICE("Target platform: %s\n", platform_msg);
283
284 while (1) {
285 /* getopt_long stores the option index here. */
286 c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx);
287
288 /* Detect the end of the options. */
289 if (c == -1) {
290 break;
291 }
292
293 switch (c) {
294 case 'h':
295 print_help(argv[0]);
296 break;
297 case 'k':
298 save_keys = 1;
299 break;
300 case 'n':
301 new_keys = 1;
302 break;
303 case 'p':
304 print_cert = 1;
305 break;
306 case BL2_ID:
307 certs[BL2_CERT].bin = strdup(optarg);
308 break;
309 case BL30_ID:
310 certs[BL30_CERT].bin = strdup(optarg);
311 break;
312 case BL31_ID:
313 certs[BL31_CERT].bin = strdup(optarg);
314 break;
315 case BL32_ID:
316 certs[BL32_CERT].bin = strdup(optarg);
317 break;
318 case BL33_ID:
319 certs[BL33_CERT].bin = strdup(optarg);
320 break;
321 case BL2_CERT_ID:
322 certs[BL2_CERT].fn = strdup(optarg);
323 break;
324 case TRUSTED_KEY_CERT_ID:
325 certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
326 break;
327 case BL30_KEY_CERT_ID:
328 certs[BL30_KEY_CERT].fn = strdup(optarg);
329 break;
330 case BL30_CERT_ID:
331 certs[BL30_CERT].fn = strdup(optarg);
332 break;
333 case BL31_KEY_CERT_ID:
334 certs[BL31_KEY_CERT].fn = strdup(optarg);
335 break;
336 case BL31_CERT_ID:
337 certs[BL31_CERT].fn = strdup(optarg);
338 break;
339 case BL32_KEY_CERT_ID:
340 certs[BL32_KEY_CERT].fn = strdup(optarg);
341 break;
342 case BL32_CERT_ID:
343 certs[BL32_CERT].fn = strdup(optarg);
344 break;
345 case BL33_KEY_CERT_ID:
346 certs[BL33_KEY_CERT].fn = strdup(optarg);
347 break;
348 case BL33_CERT_ID:
349 certs[BL33_CERT].fn = strdup(optarg);
350 break;
351 case ROT_KEY_ID:
352 keys[ROT_KEY].fn = strdup(optarg);
353 break;
354 case TRUSTED_WORLD_KEY_ID:
355 keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
356 break;
357 case NON_TRUSTED_WORLD_KEY_ID:
358 keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
359 break;
360 case BL30_KEY_ID:
361 keys[BL30_KEY].fn = strdup(optarg);
362 break;
363 case BL31_KEY_ID:
364 keys[BL31_KEY].fn = strdup(optarg);
365 break;
366 case BL32_KEY_ID:
367 keys[BL32_KEY].fn = strdup(optarg);
368 break;
369 case BL33_KEY_ID:
370 keys[BL33_KEY].fn = strdup(optarg);
371 break;
372 case '?':
373 default:
374 printf("%s\n", optarg);
375 exit(1);
376 }
377 }
378
379 /* Set the value of the NVCounters */
380 tf_nvcounter = NVCOUNTER_VALUE;
381 non_tf_nvcounter = NVCOUNTER_VALUE;
382
383 /* Check command line arguments */
384 check_cmd_params();
385
386 /* Register the new types and OIDs for the extensions */
387 if (ext_init(tbb_ext) != 0) {
388 ERROR("Cannot initialize TBB extensions\n");
389 exit(1);
390 }
391
392 /* Get non-volatile counters NIDs */
393 CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
394 CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
395
396 /* Load private keys from files (or generate new ones) */
397 if (new_keys) {
398 for (i = 0 ; i < NUM_KEYS ; i++) {
399 if (!key_new(&keys[i])) {
400 ERROR("Error creating %s\n", keys[i].desc);
401 exit(1);
402 }
403 }
404 } else {
405 for (i = 0 ; i < NUM_KEYS ; i++) {
406 if (!key_load(&keys[i])) {
407 ERROR("Error loading %s\n", keys[i].desc);
408 exit(1);
409 }
410 }
411 }
412
413 /* *********************************************************************
414 * BL2 certificate (Trusted Boot Firmware certificate):
415 * - Self-signed with OEM ROT private key
416 * - Extensions:
417 * - TrustedFirmwareNVCounter (TODO)
418 * - BL2 hash
419 **********************************************************************/
420 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
421
422 /* Add the NVCounter as a critical extension */
423 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
424 tf_nvcounter));
425 sk_X509_EXTENSION_push(sk, nvctr_ext);
426
427 /* Add hash of BL2 as an extension */
428 if (!sha_file(certs[BL2_CERT].bin, md)) {
429 ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
430 exit(1);
431 }
432 CHECK_OID(hash_nid, BL2_HASH_OID);
433 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
434 SHA256_DIGEST_LENGTH));
435 sk_X509_EXTENSION_push(sk, hash_ext);
436
437 /* Create certificate. Signed with ROT key */
438 if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
439 ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
440 exit(1);
441 }
442 sk_X509_EXTENSION_free(sk);
443
444 /* *********************************************************************
445 * Trusted Key certificate:
446 * - Self-signed with OEM ROT private key
447 * - Extensions:
448 * - TrustedFirmwareNVCounter (TODO)
449 * - TrustedWorldPK
450 * - NonTrustedWorldPK
451 **********************************************************************/
452 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
453 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
454 tf_nvcounter));
455 sk_X509_EXTENSION_push(sk, nvctr_ext);
456 CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
457 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
458 keys[TRUSTED_WORLD_KEY].key));
459 sk_X509_EXTENSION_push(sk, trusted_key_ext);
460 CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
461 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
462 keys[NON_TRUSTED_WORLD_KEY].key));
463 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
464 if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
465 ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
466 exit(1);
467 }
468 sk_X509_EXTENSION_free(sk);
469
470 /* *********************************************************************
471 * BL30 Key certificate (Trusted SCP Firmware Key certificate):
472 * - Self-signed with Trusted World key
473 * - Extensions:
474 * - TrustedFirmwareNVCounter (TODO)
475 * - SCPFirmwareContentCertPK
476 **********************************************************************/
477 if (bl30_present) {
478 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
479 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
480 tf_nvcounter));
481 sk_X509_EXTENSION_push(sk, nvctr_ext);
482 CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
483 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
484 keys[BL30_KEY].key));
485 sk_X509_EXTENSION_push(sk, trusted_key_ext);
486 if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
487 ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
488 exit(1);
489 }
490 sk_X509_EXTENSION_free(sk);
491 }
492
493 /* *********************************************************************
494 * BL30 certificate (SCP Firmware Content certificate):
495 * - Signed with Trusted World Key
496 * - Extensions:
497 * - TrustedFirmwareNVCounter (TODO)
498 * - SCPFirmwareHash
499 **********************************************************************/
500 if (bl30_present) {
501 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
502 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
503 tf_nvcounter));
504 sk_X509_EXTENSION_push(sk, nvctr_ext);
505
506 if (!sha_file(certs[BL30_CERT].bin, md)) {
507 ERROR("Cannot calculate the hash of %s\n",
508 certs[BL30_CERT].bin);
509 exit(1);
510 }
511 CHECK_OID(hash_nid, BL30_HASH_OID);
512 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
513 SHA256_DIGEST_LENGTH));
514 sk_X509_EXTENSION_push(sk, hash_ext);
515
516 if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
517 ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
518 exit(1);
519 }
520
521 sk_X509_EXTENSION_free(sk);
522 }
523
524 /* *********************************************************************
525 * BL31 Key certificate (Trusted SoC Firmware Key certificate):
526 * - Self-signed with Trusted World key
527 * - Extensions:
528 * - TrustedFirmwareNVCounter (TODO)
529 * - SoCFirmwareContentCertPK
530 **********************************************************************/
531 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
532 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
533 tf_nvcounter));
534 sk_X509_EXTENSION_push(sk, nvctr_ext);
535 CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
536 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
537 keys[BL31_KEY].key));
538 sk_X509_EXTENSION_push(sk, trusted_key_ext);
539 if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
540 ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
541 exit(1);
542 }
543 sk_X509_EXTENSION_free(sk);
544
545 /* *********************************************************************
546 * BL31 certificate (SOC Firmware Content certificate):
547 * - Signed with Trusted World Key
548 * - Extensions:
549 * - TrustedFirmwareNVCounter (TODO)
550 * - BL31 hash
551 **********************************************************************/
552 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
553 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
554 tf_nvcounter));
555 sk_X509_EXTENSION_push(sk, nvctr_ext);
556
557 if (!sha_file(certs[BL31_CERT].bin, md)) {
558 ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
559 exit(1);
560 }
561 CHECK_OID(hash_nid, BL31_HASH_OID);
562 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
563 SHA256_DIGEST_LENGTH));
564 sk_X509_EXTENSION_push(sk, hash_ext);
565
566 if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
567 ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
568 exit(1);
569 }
570
571 sk_X509_EXTENSION_free(sk);
572
573 /* *********************************************************************
574 * BL32 Key certificate (Trusted OS Firmware Key certificate):
575 * - Self-signed with Trusted World key
576 * - Extensions:
577 * - TrustedFirmwareNVCounter (TODO)
578 * - TrustedOSFirmwareContentCertPK
579 **********************************************************************/
580 if (bl32_present) {
581 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
582 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
583 tf_nvcounter));
584 sk_X509_EXTENSION_push(sk, nvctr_ext);
585 CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
586 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
587 keys[BL32_KEY].key));
588 sk_X509_EXTENSION_push(sk, trusted_key_ext);
589 if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
590 ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
591 exit(1);
592 }
593 sk_X509_EXTENSION_free(sk);
594 }
595
596 /* *********************************************************************
597 * BL32 certificate (TrustedOS Firmware Content certificate):
598 * - Signed with Trusted World Key
599 * - Extensions:
600 * - TrustedFirmwareNVCounter (TODO)
601 * - BL32 hash
602 **********************************************************************/
603 if (bl32_present) {
604 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
605 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
606 tf_nvcounter));
607 sk_X509_EXTENSION_push(sk, nvctr_ext);
608
609 if (!sha_file(certs[BL32_CERT].bin, md)) {
610 ERROR("Cannot calculate the hash of %s\n",
611 certs[BL32_CERT].bin);
612 exit(1);
613 }
614 CHECK_OID(hash_nid, BL32_HASH_OID);
615 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
616 SHA256_DIGEST_LENGTH));
617 sk_X509_EXTENSION_push(sk, hash_ext);
618
619 if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
620 ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
621 exit(1);
622 }
623
624 sk_X509_EXTENSION_free(sk);
625 }
626
627 /* *********************************************************************
628 * BL33 Key certificate (Non Trusted Firmware Key certificate):
629 * - Self-signed with Non Trusted World key
630 * - Extensions:
631 * - NonTrustedFirmwareNVCounter (TODO)
632 * - NonTrustedFirmwareContentCertPK
633 **********************************************************************/
634 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
635 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
636 non_tf_nvcounter));
637 sk_X509_EXTENSION_push(sk, nvctr_ext);
638 CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
639 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
640 keys[BL33_KEY].key));
641 sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
642 if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
643 ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
644 exit(1);
645 }
646 sk_X509_EXTENSION_free(sk);
647
648 /* *********************************************************************
649 * BL33 certificate (Non-Trusted World Content certificate):
650 * - Signed with Non-Trusted World Key
651 * - Extensions:
652 * - NonTrustedFirmwareNVCounter (TODO)
653 * - BL33 hash
654 **********************************************************************/
655 CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
656 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
657 non_tf_nvcounter));
658 sk_X509_EXTENSION_push(sk, nvctr_ext);
659
660 if (!sha_file(certs[BL33_CERT].bin, md)) {
661 ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
662 exit(1);
663 }
664 CHECK_OID(hash_nid, BL33_HASH_OID);
665 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
666 SHA256_DIGEST_LENGTH));
667 sk_X509_EXTENSION_push(sk, hash_ext);
668
669 if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
670 ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
671 exit(1);
672 }
673 sk_X509_EXTENSION_free(sk);
674
675 /* Print the certificates */
676 if (print_cert) {
677 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
678 if (!certs[i].x) {
679 continue;
680 }
681 printf("\n\n=====================================\n\n");
682 X509_print_fp(stdout, certs[i].x);
683 }
684 }
685
686 /* Save created certificates to files */
687 for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
688 if (certs[i].x && certs[i].fn) {
689 file = fopen(certs[i].fn, "w");
690 if (file != NULL) {
691 i2d_X509_fp(file, certs[i].x);
692 fclose(file);
693 } else {
694 ERROR("Cannot create file %s\n", certs[i].fn);
695 }
696 }
697 }
698
699 /* Save keys */
700 if (save_keys) {
701 for (i = 0 ; i < NUM_KEYS ; i++) {
702 if (!key_store(&keys[i])) {
703 ERROR("Cannot save %s\n", keys[i].desc);
704 }
705 }
706 }
707
708 X509_EXTENSION_free(hash_ext);
709 X509_EXTENSION_free(nvctr_ext);
710 X509_EXTENSION_free(trusted_key_ext);
711 X509_EXTENSION_free(non_trusted_key_ext);
712
713#ifndef OPENSSL_NO_ENGINE
714 ENGINE_cleanup();
715#endif
716 CRYPTO_cleanup_all_ex_data();
717
718 return 0;
719}