diff options
Diffstat (limited to 'tools')
-rw-r--r-- | tools/cert_create/include/ext.h | 3 | ||||
-rw-r--r-- | tools/cert_create/src/ext.c | 86 | ||||
-rw-r--r-- | tools/cert_create/src/main.c | 19 |
3 files changed, 89 insertions, 19 deletions
diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h index d73f5734..57bb65f3 100644 --- a/tools/cert_create/include/ext.h +++ b/tools/cert_create/include/ext.h @@ -63,7 +63,8 @@ enum { }; int ext_init(ext_t *tbb_ext); -X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len); +X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md, + unsigned char *buf, size_t len); X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value); X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k); diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c index 31f84a86..21b90db1 100644 --- a/tools/cert_create/src/ext.c +++ b/tools/cert_create/src/ext.c @@ -31,13 +31,29 @@ #include <stddef.h> #include <stdio.h> #include <string.h> +#include <openssl/asn1.h> +#include <openssl/asn1t.h> #include <openssl/err.h> #include <openssl/x509v3.h> #include "ext.h" DECLARE_ASN1_ITEM(ASN1_INTEGER) +DECLARE_ASN1_ITEM(X509_ALGOR) DECLARE_ASN1_ITEM(ASN1_OCTET_STRING) +typedef struct { + X509_ALGOR *hashAlgorithm; + ASN1_OCTET_STRING *dataHash; +} HASH; + +ASN1_SEQUENCE(HASH) = { + ASN1_SIMPLE(HASH, hashAlgorithm, X509_ALGOR), + ASN1_SIMPLE(HASH, dataHash, ASN1_OCTET_STRING), +} ASN1_SEQUENCE_END(HASH) + +DECLARE_ASN1_FUNCTIONS(HASH) +IMPLEMENT_ASN1_FUNCTIONS(HASH) + /* * This function adds the TBB extensions to the internal extension list * maintained by OpenSSL so they can be used later. @@ -123,37 +139,85 @@ X509_EXTENSION *ext_new(int nid, int crit, unsigned char *data, int len) } /* - * Creates a x509v3 extension containing a hash encapsulated in an ASN1 Octet - * String + * Creates a x509v3 extension containing a hash + * + * DigestInfo ::= SEQUENCE { + * digestAlgorithm AlgorithmIdentifier, + * digest OCTET STRING + * } + * + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL + * } * * Parameters: - * pex: OpenSSL extension pointer (output parameter) * nid: extension identifier * crit: extension critical (EXT_NON_CRIT, EXT_CRIT) + * md: hash algorithm * buf: pointer to the buffer that contains the hash * len: size of the hash in bytes * * Return: Extension address, NULL if error */ -X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len) +X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md, + unsigned char *buf, size_t len) { X509_EXTENSION *ex = NULL; - ASN1_OCTET_STRING *hash = NULL; + ASN1_OCTET_STRING *octet = NULL; + HASH *hash = NULL; + ASN1_OBJECT *algorithm = NULL; + X509_ALGOR *x509_algor = NULL; unsigned char *p = NULL; int sz = -1; - /* Encode Hash */ - hash = ASN1_OCTET_STRING_new(); - ASN1_OCTET_STRING_set(hash, buf, len); - sz = i2d_ASN1_OCTET_STRING(hash, NULL); - i2d_ASN1_OCTET_STRING(hash, &p); + /* OBJECT_IDENTIFIER with hash algorithm */ + algorithm = OBJ_nid2obj(md->type); + if (algorithm == NULL) { + return NULL; + } + + /* Create X509_ALGOR */ + x509_algor = X509_ALGOR_new(); + if (x509_algor == NULL) { + return NULL; + } + x509_algor->algorithm = algorithm; + x509_algor->parameter = ASN1_TYPE_new(); + ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL); + + /* OCTET_STRING with the actual hash */ + octet = ASN1_OCTET_STRING_new(); + if (octet == NULL) { + X509_ALGOR_free(x509_algor); + return NULL; + } + ASN1_OCTET_STRING_set(octet, buf, len); + + /* HASH structure containing algorithm + hash */ + hash = HASH_new(); + if (hash == NULL) { + ASN1_OCTET_STRING_free(octet); + X509_ALGOR_free(x509_algor); + return NULL; + } + hash->hashAlgorithm = x509_algor; + hash->dataHash = octet; + + /* DER encoded HASH */ + sz = i2d_HASH(hash, &p); + if ((sz <= 0) || (p == NULL)) { + HASH_free(hash); + X509_ALGOR_free(x509_algor); + return NULL; + } /* Create the extension */ ex = ext_new(nid, crit, p, sz); /* Clean up */ OPENSSL_free(p); - ASN1_OCTET_STRING_free(hash); + HASH_free(hash); return ex; } diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index 6df367a2..2af5247f 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -277,6 +277,7 @@ int main(int argc, char *argv[]) int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid; int c, opt_idx = 0; unsigned char md[SHA256_DIGEST_LENGTH]; + const EVP_MD *md_info; NOTICE("CoT Generation Tool: %s\n", build_msg); NOTICE("Target platform: %s\n", platform_msg); @@ -389,6 +390,10 @@ int main(int argc, char *argv[]) exit(1); } + /* Indicate SHA256 as image hash algorithm in the certificate + * extension */ + md_info = EVP_sha256(); + /* Get non-volatile counters NIDs */ CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID); CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID); @@ -430,7 +435,7 @@ int main(int argc, char *argv[]) exit(1); } CHECK_OID(hash_nid, BL2_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, + CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); @@ -509,8 +514,8 @@ int main(int argc, char *argv[]) exit(1); } CHECK_OID(hash_nid, BL30_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); + CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, + md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) { @@ -559,7 +564,7 @@ int main(int argc, char *argv[]) exit(1); } CHECK_OID(hash_nid, BL31_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, + CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); @@ -612,8 +617,8 @@ int main(int argc, char *argv[]) exit(1); } CHECK_OID(hash_nid, BL32_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, - SHA256_DIGEST_LENGTH)); + CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, + md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) { @@ -662,7 +667,7 @@ int main(int argc, char *argv[]) exit(1); } CHECK_OID(hash_nid, BL33_HASH_OID); - CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, + CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); |