TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / sandbox / pfalcon / trusted-firmware-a / a89b1f19303add7971828546f922bb9f889dae87 / . / drivers / auth / mbedtls / mbedtls_x509_parser.c
blob: e923bb14ea44703859560b228107f345d9e49647 [file] [log] [blame]
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]1/*
Nicolas Toromanoffed383662020-12-23 16:01:25 +0100[diff] [blame]2 * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]3 *
dp-arm82cb2c12017-05-03 09:38:09 +0100[diff] [blame]4 * SPDX-License-Identifier: BSD-3-Clause
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]5 */
6
7/*
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]8 * X509 parser based on mbed TLS
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]9 *
10 * This module implements functions to check the integrity of a X509v3
11 * certificate ASN.1 structure and extract authentication parameters from the
12 * extensions field, such as an image hash or a public key.
13 */
14
15#include <assert.h>
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]16#include <stddef.h>
17#include <stdint.h>
18#include <string.h>
19
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]20/* mbed TLS headers */
21#include <mbedtls/asn1.h>
22#include <mbedtls/oid.h>
23#include <mbedtls/platform.h>
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]24
Antonio Nino Diaz09d40e02018-12-14 00:18:21 +0000[diff] [blame]25#include <arch_helpers.h>
26#include <drivers/auth/img_parser_mod.h>
27#include <drivers/auth/mbedtls/mbedtls_common.h>
28#include <lib/utils.h>
29
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]30/* Maximum OID string length ("a.b.c.d.e.f ...") */
31#define MAX_OID_STR_LEN 64
32
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]33#define LIB_NAME "mbed TLS X509v3"
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]34
35/* Temporary variables to speed up the authentication parameters search. These
36 * variables are assigned once during the integrity check and used any time an
37 * authentication parameter is requested, so we do not have to parse the image
38 * again */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]39static mbedtls_asn1_buf tbs;
40static mbedtls_asn1_buf v3_ext;
41static mbedtls_asn1_buf pk;
42static mbedtls_asn1_buf sig_alg;
43static mbedtls_asn1_buf signature;
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]44
45/*
Antonio Nino Diaz51c5e1a2017-01-13 15:03:19 +0000[diff] [blame]46 * Clear all static temporary variables.
47 */
48static void clear_temp_vars(void)
49{
50#define ZERO_AND_CLEAN(x) \
51 do { \
Douglas Raillard32f0d3c2017-01-26 15:54:44 +0000[diff] [blame]52 zeromem(&x, sizeof(x)); \
Antonio Nino Diaz51c5e1a2017-01-13 15:03:19 +0000[diff] [blame]53 clean_dcache_range((uintptr_t)&x, sizeof(x)); \
54 } while (0);
55
56 ZERO_AND_CLEAN(tbs)
57 ZERO_AND_CLEAN(v3_ext);
58 ZERO_AND_CLEAN(pk);
59 ZERO_AND_CLEAN(sig_alg);
60 ZERO_AND_CLEAN(signature);
61
62#undef ZERO_AND_CLEAN
63}
64
65/*
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]66 * Get X509v3 extension
67 *
68 * Global variable 'v3_ext' must point to the extensions region
69 * in the certificate. No need to check for errors since the image has passed
70 * the integrity check.
71 */
72static int get_ext(const char *oid, void **ext, unsigned int *ext_len)
73{
74 int oid_len;
75 size_t len;
76 unsigned char *end_ext_data, *end_ext_octet;
77 unsigned char *p;
78 const unsigned char *end;
79 char oid_str[MAX_OID_STR_LEN];
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]80 mbedtls_asn1_buf extn_oid;
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]81 int is_critical;
82
83 assert(oid != NULL);
84
85 p = v3_ext.p;
86 end = v3_ext.p + v3_ext.len;
87
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]88 mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
89 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]90
91 while (p < end) {
Douglas Raillard32f0d3c2017-01-26 15:54:44 +0000[diff] [blame]92 zeromem(&extn_oid, sizeof(extn_oid));
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]93 is_critical = 0; /* DEFAULT FALSE */
94
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]95 mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
96 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]97 end_ext_data = p + len;
98
99 /* Get extension ID */
100 extn_oid.tag = *p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]101 mbedtls_asn1_get_tag(&p, end, &extn_oid.len, MBEDTLS_ASN1_OID);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]102 extn_oid.p = p;
103 p += extn_oid.len;
104
105 /* Get optional critical */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]106 mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]107
108 /* Extension data */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]109 mbedtls_asn1_get_tag(&p, end_ext_data, &len,
110 MBEDTLS_ASN1_OCTET_STRING);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]111 end_ext_octet = p + len;
112
113 /* Detect requested extension */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]114 oid_len = mbedtls_oid_get_numeric_string(oid_str,
115 MAX_OID_STR_LEN,
116 &extn_oid);
Nicolas Toromanoffed383662020-12-23 16:01:25 +0100[diff] [blame]117 if ((oid_len == MBEDTLS_ERR_OID_BUF_TOO_SMALL) || (oid_len < 0)) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]118 return IMG_PARSER_ERR;
119 }
Nicolas Toromanoffed383662020-12-23 16:01:25 +0100[diff] [blame]120 if (((size_t)oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]121 *ext = (void *)p;
122 *ext_len = (unsigned int)len;
123 return IMG_PARSER_OK;
124 }
125
126 /* Next */
127 p = end_ext_octet;
128 }
129
130 return IMG_PARSER_ERR_NOT_FOUND;
131}
132
133
134/*
135 * Check the integrity of the certificate ASN.1 structure.
Antonio Nino Diaz51c5e1a2017-01-13 15:03:19 +0000[diff] [blame]136 *
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]137 * Extract the relevant data that will be used later during authentication.
Antonio Nino Diaz51c5e1a2017-01-13 15:03:19 +0000[diff] [blame]138 *
139 * This function doesn't clear the static variables located on the top of this
140 * file in case of an error. It is only called from check_integrity(), which
141 * performs the cleanup if necessary.
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]142 */
143static int cert_parse(void *img, unsigned int img_len)
144{
145 int ret, is_critical;
146 size_t len;
147 unsigned char *p, *end, *crt_end;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]148 mbedtls_asn1_buf sig_alg1, sig_alg2;
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]149
150 p = (unsigned char *)img;
151 len = img_len;
152 end = p + len;
153
154 /*
155 * Certificate ::= SEQUENCE {
156 * tbsCertificate TBSCertificate,
157 * signatureAlgorithm AlgorithmIdentifier,
158 * signatureValue BIT STRING }
159 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]160 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
161 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]162 if (ret != 0) {
163 return IMG_PARSER_ERR_FORMAT;
164 }
165
166 if (len > (size_t)(end - p)) {
167 return IMG_PARSER_ERR_FORMAT;
168 }
169 crt_end = p + len;
170
171 /*
172 * TBSCertificate ::= SEQUENCE {
173 */
174 tbs.p = p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]175 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
176 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]177 if (ret != 0) {
178 return IMG_PARSER_ERR_FORMAT;
179 }
180 end = p + len;
181 tbs.len = end - tbs.p;
182
183 /*
184 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
185 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]186 ret = mbedtls_asn1_get_tag(&p, end, &len,
187 MBEDTLS_ASN1_CONTEXT_SPECIFIC |
188 MBEDTLS_ASN1_CONSTRUCTED | 0);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]189 if (ret != 0) {
190 return IMG_PARSER_ERR_FORMAT;
191 }
192 p += len;
193
194 /*
195 * CertificateSerialNumber ::= INTEGER
196 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]197 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]198 if (ret != 0) {
199 return IMG_PARSER_ERR_FORMAT;
200 }
201 p += len;
202
203 /*
204 * signature AlgorithmIdentifier
205 */
206 sig_alg1.p = p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]207 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
208 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]209 if (ret != 0) {
210 return IMG_PARSER_ERR_FORMAT;
211 }
212 if ((end - p) < 1) {
213 return IMG_PARSER_ERR_FORMAT;
214 }
215 sig_alg1.len = (p + len) - sig_alg1.p;
216 p += len;
217
218 /*
219 * issuer Name
220 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]221 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
222 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]223 if (ret != 0) {
224 return IMG_PARSER_ERR_FORMAT;
225 }
226 p += len;
227
228 /*
229 * Validity ::= SEQUENCE {
230 * notBefore Time,
231 * notAfter Time }
232 *
233 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]234 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
235 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]236 if (ret != 0) {
237 return IMG_PARSER_ERR_FORMAT;
238 }
239 p += len;
240
241 /*
242 * subject Name
243 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]244 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
245 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]246 if (ret != 0) {
247 return IMG_PARSER_ERR_FORMAT;
248 }
249 p += len;
250
251 /*
252 * SubjectPublicKeyInfo
253 */
254 pk.p = p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]255 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
256 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]257 if (ret != 0) {
258 return IMG_PARSER_ERR_FORMAT;
259 }
260 pk.len = (p + len) - pk.p;
261 p += len;
262
263 /*
264 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
265 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]266 ret = mbedtls_asn1_get_tag(&p, end, &len,
267 MBEDTLS_ASN1_CONTEXT_SPECIFIC |
268 MBEDTLS_ASN1_CONSTRUCTED | 1);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]269 if (ret != 0) {
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]270 if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]271 return IMG_PARSER_ERR_FORMAT;
272 }
273 } else {
274 p += len;
275 }
276
277 /*
278 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
279 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]280 ret = mbedtls_asn1_get_tag(&p, end, &len,
281 MBEDTLS_ASN1_CONTEXT_SPECIFIC |
282 MBEDTLS_ASN1_CONSTRUCTED | 2);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]283 if (ret != 0) {
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]284 if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]285 return IMG_PARSER_ERR_FORMAT;
286 }
287 } else {
288 p += len;
289 }
290
291 /*
292 * extensions [3] EXPLICIT Extensions OPTIONAL
Demi Marie Obenour379183e2022-12-08 15:23:58 -0500[diff] [blame]293 * }
294 *
295 * X.509 and RFC5280 allow omitting the extensions entirely.
296 * However, in TF-A, a certificate with no extensions would
297 * always fail later on, as the extensions contain the
298 * information needed to authenticate the next stage in the
299 * boot chain. Furthermore, get_ext() assumes that the
300 * extensions have been parsed into v3_ext, and allowing
301 * there to be no extensions would pointlessly complicate
302 * the code. Therefore, just reject certificates without
303 * extensions. This is also why version 1 and 2 certificates
304 * are rejected above.
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]305 */
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]306 ret = mbedtls_asn1_get_tag(&p, end, &len,
307 MBEDTLS_ASN1_CONTEXT_SPECIFIC |
308 MBEDTLS_ASN1_CONSTRUCTED | 3);
Demi Marie Obenour609437c2022-12-08 15:23:56 -0500[diff] [blame]309 if ((ret != 0) || (len != (size_t)(end - p))) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]310 return IMG_PARSER_ERR_FORMAT;
311 }
312
313 /*
314 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Demi Marie Obenour609437c2022-12-08 15:23:56 -0500[diff] [blame]315 * -- must use all remaining bytes in TBSCertificate
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]316 */
317 v3_ext.p = p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]318 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
319 MBEDTLS_ASN1_SEQUENCE);
Demi Marie Obenour609437c2022-12-08 15:23:56 -0500[diff] [blame]320 if ((ret != 0) || (len != (size_t)(end - p))) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]321 return IMG_PARSER_ERR_FORMAT;
322 }
Demi Marie Obenour609437c2022-12-08 15:23:56 -0500[diff] [blame]323 v3_ext.len = end - v3_ext.p;
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]324
325 /*
Demi Marie Obenour379183e2022-12-08 15:23:58 -0500[diff] [blame]326 * Check extensions integrity. At least one extension is
327 * required: the ASN.1 specifies a minimum size of 1, and at
328 * least one extension is needed to authenticate the next stage
329 * in the boot chain.
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]330 */
Demi Marie Obenour379183e2022-12-08 15:23:58 -0500[diff] [blame]331 do {
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]332 unsigned char *end_ext_data;
333
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]334 ret = mbedtls_asn1_get_tag(&p, end, &len,
335 MBEDTLS_ASN1_CONSTRUCTED |
336 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]337 if (ret != 0) {
338 return IMG_PARSER_ERR_FORMAT;
339 }
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]340 end_ext_data = p + len;
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]341
342 /* Get extension ID */
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]343 ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, MBEDTLS_ASN1_OID);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]344 if (ret != 0) {
345 return IMG_PARSER_ERR_FORMAT;
346 }
347 p += len;
348
349 /* Get optional critical */
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]350 ret = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]351 if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]352 return IMG_PARSER_ERR_FORMAT;
353 }
354
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]355 /*
356 * Data should be octet string type and must use all bytes in
357 * the Extension.
358 */
359 ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len,
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]360 MBEDTLS_ASN1_OCTET_STRING);
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]361 if ((ret != 0) || ((p + len) != end_ext_data)) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]362 return IMG_PARSER_ERR_FORMAT;
363 }
Demi Marie Obenoura89b1f12022-12-09 17:19:08 -0500[diff] [blame^]364 p = end_ext_data;
Demi Marie Obenour379183e2022-12-08 15:23:58 -0500[diff] [blame]365 } while (p < end);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]366
367 if (p != end) {
368 return IMG_PARSER_ERR_FORMAT;
369 }
370
371 end = crt_end;
372
373 /*
374 * }
375 * -- end of TBSCertificate
376 *
377 * signatureAlgorithm AlgorithmIdentifier
378 */
379 sig_alg2.p = p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]380 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
381 MBEDTLS_ASN1_SEQUENCE);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]382 if (ret != 0) {
383 return IMG_PARSER_ERR_FORMAT;
384 }
385 if ((end - p) < 1) {
386 return IMG_PARSER_ERR_FORMAT;
387 }
388 sig_alg2.len = (p + len) - sig_alg2.p;
389 p += len;
390
391 /* Compare both signature algorithms */
392 if (sig_alg1.len != sig_alg2.len) {
393 return IMG_PARSER_ERR_FORMAT;
394 }
Antonio Nino Diazfabd21a2017-02-09 10:26:54 +0000[diff] [blame]395 if (0 != memcmp(sig_alg1.p, sig_alg2.p, sig_alg1.len)) {
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]396 return IMG_PARSER_ERR_FORMAT;
397 }
398 memcpy(&sig_alg, &sig_alg1, sizeof(sig_alg));
399
400 /*
401 * signatureValue BIT STRING
402 */
403 signature.p = p;
Juan Castillo649dbf62015-11-05 09:24:53 +0000[diff] [blame]404 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING);
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]405 if (ret != 0) {
406 return IMG_PARSER_ERR_FORMAT;
407 }
408 signature.len = (p + len) - signature.p;
409 p += len;
410
411 /* Check certificate length */
412 if (p != end) {
413 return IMG_PARSER_ERR_FORMAT;
414 }
415
416 return IMG_PARSER_OK;
417}
418
419
420/* Exported functions */
421
422static void init(void)
423{
424 mbedtls_init();
425}
426
Antonio Nino Diaz51c5e1a2017-01-13 15:03:19 +0000[diff] [blame]427/*
428 * Wrapper for cert_parse() that clears the static variables used by it in case
429 * of an error.
430 */
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]431static int check_integrity(void *img, unsigned int img_len)
432{
Antonio Nino Diaz51c5e1a2017-01-13 15:03:19 +0000[diff] [blame]433 int rc = cert_parse(img, img_len);
434
435 if (rc != IMG_PARSER_OK)
436 clear_temp_vars();
437
438 return rc;
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]439}
440
441/*
442 * Extract an authentication parameter from an X509v3 certificate
Juan Castillo48279d52016-01-22 11:05:57 +0000[diff] [blame]443 *
444 * This function returns a pointer to the extracted data and its length.
445 * Depending on the type of parameter, a pointer to the data stored in the
446 * certificate may be returned (i.e. an octet string containing a hash). Other
447 * data may need to be copied and formatted (i.e. integers). In the later case,
448 * a buffer of the correct type needs to be statically allocated, filled and
449 * returned.
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]450 */
451static int get_auth_param(const auth_param_type_desc_t *type_desc,
452 void *img, unsigned int img_len,
453 void **param, unsigned int *param_len)
454{
455 int rc = IMG_PARSER_OK;
456
457 /* We do not use img because the check_integrity function has already
458 * extracted the relevant data (v3_ext, pk, sig_alg, etc) */
459
460 switch (type_desc->type) {
461 case AUTH_PARAM_RAW_DATA:
462 /* Data to be signed */
463 *param = (void *)tbs.p;
464 *param_len = (unsigned int)tbs.len;
465 break;
466 case AUTH_PARAM_HASH:
Juan Castillo48279d52016-01-22 11:05:57 +0000[diff] [blame]467 case AUTH_PARAM_NV_CTR:
Juan Castillo7d37aa12015-04-02 15:44:20 +0100[diff] [blame]468 /* All these parameters are included as X509v3 extensions */
469 rc = get_ext(type_desc->cookie, param, param_len);
470 break;
471 case AUTH_PARAM_PUB_KEY:
472 if (type_desc->cookie != 0) {
473 /* Get public key from extension */
474 rc = get_ext(type_desc->cookie, param, param_len);
475 } else {
476 /* Get the subject public key */
477 *param = (void *)pk.p;
478 *param_len = (unsigned int)pk.len;
479 }
480 break;
481 case AUTH_PARAM_SIG_ALG:
482 /* Get the certificate signature algorithm */
483 *param = (void *)sig_alg.p;
484 *param_len = (unsigned int)sig_alg.len;
485 break;
486 case AUTH_PARAM_SIG:
487 /* Get the certificate signature */
488 *param = (void *)signature.p;
489 *param_len = (unsigned int)signature.len;
490 break;
491 default:
492 rc = IMG_PARSER_ERR_NOT_FOUND;
493 break;
494 }
495
496 return rc;
497}
498
499REGISTER_IMG_PARSER_LIB(IMG_CERT, LIB_NAME, init, \
500 check_integrity, get_auth_param);