|
|
@ -46,9 +46,9 @@ |
|
|
|
#include "key.h" |
|
|
|
#include "platform_oid.h" |
|
|
|
#include "sha.h" |
|
|
|
#include "tbb_ext.h" |
|
|
|
#include "tbb_cert.h" |
|
|
|
#include "tbb_key.h" |
|
|
|
#include "tbbr/tbb_ext.h" |
|
|
|
#include "tbbr/tbb_cert.h" |
|
|
|
#include "tbbr/tbb_key.h" |
|
|
|
|
|
|
|
/*
|
|
|
|
* Helper macros to simplify the code. This macro assigns the return value of |
|
|
@ -79,7 +79,6 @@ |
|
|
|
#define MAX_FILENAME_LEN 1024 |
|
|
|
#define VAL_DAYS 7300 |
|
|
|
#define ID_TO_BIT_MASK(id) (1 << id) |
|
|
|
#define NVCOUNTER_VALUE 0 |
|
|
|
#define NUM_ELEM(x) ((sizeof(x)) / (sizeof(x[0]))) |
|
|
|
|
|
|
|
/* Files */ |
|
|
@ -120,11 +119,6 @@ static int print_cert; |
|
|
|
static int bl30_present; |
|
|
|
static int bl32_present; |
|
|
|
|
|
|
|
/* We are not checking nvcounters in TF. Include them in the certificates but
|
|
|
|
* the value will be set to 0 */ |
|
|
|
static int tf_nvcounter; |
|
|
|
static int non_tf_nvcounter; |
|
|
|
|
|
|
|
/* Info messages created in the Makefile */ |
|
|
|
extern const char build_msg[]; |
|
|
|
extern const char platform_msg[]; |
|
|
@ -231,27 +225,27 @@ static void check_cmd_params(void) |
|
|
|
} |
|
|
|
|
|
|
|
/* BL2, BL31 and BL33 are mandatory */ |
|
|
|
if (certs[BL2_CERT].bin == NULL) { |
|
|
|
if (extensions[BL2_HASH_EXT].data.fn == NULL) { |
|
|
|
ERROR("BL2 image not specified\n"); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
if (certs[BL31_CERT].bin == NULL) { |
|
|
|
if (extensions[BL31_HASH_EXT].data.fn == NULL) { |
|
|
|
ERROR("BL31 image not specified\n"); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
if (certs[BL33_CERT].bin == NULL) { |
|
|
|
if (extensions[BL33_HASH_EXT].data.fn == NULL) { |
|
|
|
ERROR("BL33 image not specified\n"); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
/* BL30 and BL32 are optional */ |
|
|
|
if (certs[BL30_CERT].bin != NULL) { |
|
|
|
if (extensions[BL30_HASH_EXT].data.fn != NULL) { |
|
|
|
bl30_present = 1; |
|
|
|
} |
|
|
|
|
|
|
|
if (certs[BL32_CERT].bin != NULL) { |
|
|
|
if (extensions[BL32_HASH_EXT].data.fn != NULL) { |
|
|
|
bl32_present = 1; |
|
|
|
} |
|
|
|
|
|
|
@ -299,12 +293,11 @@ static void check_cmd_params(void) |
|
|
|
int main(int argc, char *argv[]) |
|
|
|
{ |
|
|
|
STACK_OF(X509_EXTENSION) * sk = NULL; |
|
|
|
X509_EXTENSION *hash_ext = NULL; |
|
|
|
X509_EXTENSION *nvctr_ext = NULL; |
|
|
|
X509_EXTENSION *trusted_key_ext = NULL; |
|
|
|
X509_EXTENSION *non_trusted_key_ext = NULL; |
|
|
|
X509_EXTENSION *cert_ext = NULL; |
|
|
|
ext_t *ext = NULL; |
|
|
|
cert_t *cert; |
|
|
|
FILE *file = NULL; |
|
|
|
int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid; |
|
|
|
int i, j, ext_nid; |
|
|
|
int c, opt_idx = 0; |
|
|
|
unsigned int err_code; |
|
|
|
unsigned char md[SHA256_DIGEST_LENGTH]; |
|
|
@ -346,19 +339,19 @@ int main(int argc, char *argv[]) |
|
|
|
print_cert = 1; |
|
|
|
break; |
|
|
|
case BL2_ID: |
|
|
|
certs[BL2_CERT].bin = strdup(optarg); |
|
|
|
extensions[BL2_HASH_EXT].data.fn = strdup(optarg); |
|
|
|
break; |
|
|
|
case BL30_ID: |
|
|
|
certs[BL30_CERT].bin = strdup(optarg); |
|
|
|
extensions[BL30_HASH_EXT].data.fn = strdup(optarg); |
|
|
|
break; |
|
|
|
case BL31_ID: |
|
|
|
certs[BL31_CERT].bin = strdup(optarg); |
|
|
|
extensions[BL31_HASH_EXT].data.fn = strdup(optarg); |
|
|
|
break; |
|
|
|
case BL32_ID: |
|
|
|
certs[BL32_CERT].bin = strdup(optarg); |
|
|
|
extensions[BL32_HASH_EXT].data.fn = strdup(optarg); |
|
|
|
break; |
|
|
|
case BL33_ID: |
|
|
|
certs[BL33_CERT].bin = strdup(optarg); |
|
|
|
extensions[BL33_HASH_EXT].data.fn = strdup(optarg); |
|
|
|
break; |
|
|
|
case BL2_CERT_ID: |
|
|
|
certs[BL2_CERT].fn = strdup(optarg); |
|
|
@ -418,16 +411,12 @@ int main(int argc, char *argv[]) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
/* Set the value of the NVCounters */ |
|
|
|
tf_nvcounter = NVCOUNTER_VALUE; |
|
|
|
non_tf_nvcounter = NVCOUNTER_VALUE; |
|
|
|
|
|
|
|
/* Check command line arguments */ |
|
|
|
check_cmd_params(); |
|
|
|
|
|
|
|
/* Register the new types and OIDs for the extensions */ |
|
|
|
if (ext_init(tbb_ext) != 0) { |
|
|
|
ERROR("Cannot initialize TBB extensions\n"); |
|
|
|
if (ext_register(extensions) != 0) { |
|
|
|
ERROR("Cannot register TBB extensions\n"); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
@ -435,12 +424,8 @@ int main(int argc, char *argv[]) |
|
|
|
* extension */ |
|
|
|
md_info = EVP_sha256(); |
|
|
|
|
|
|
|
/* Get non-volatile counters NIDs */ |
|
|
|
CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID); |
|
|
|
CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID); |
|
|
|
|
|
|
|
/* Load private keys from files (or generate new ones) */ |
|
|
|
for (i = 0 ; i < NUM_KEYS ; i++) { |
|
|
|
for (i = 0 ; i < num_keys ; i++) { |
|
|
|
/* First try to load the key from disk */ |
|
|
|
if (key_load(&keys[i], &err_code)) { |
|
|
|
/* Key loaded successfully */ |
|
|
@ -478,271 +463,73 @@ int main(int argc, char *argv[]) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL2 certificate (Trusted Boot Firmware certificate): |
|
|
|
* - Self-signed with OEM ROT private key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - BL2 hash |
|
|
|
**********************************************************************/ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
|
|
|
|
/* Add the NVCounter as a critical extension */ |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
|
|
|
|
/* Add hash of BL2 as an extension */ |
|
|
|
if (!sha_file(certs[BL2_CERT].bin, md)) { |
|
|
|
ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
CHECK_OID(hash_nid, BL2_HASH_OID); |
|
|
|
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, |
|
|
|
SHA256_DIGEST_LENGTH)); |
|
|
|
sk_X509_EXTENSION_push(sk, hash_ext); |
|
|
|
|
|
|
|
/* Create certificate. Signed with ROT key */ |
|
|
|
if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL2_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* Trusted Key certificate: |
|
|
|
* - Self-signed with OEM ROT private key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - TrustedWorldPK |
|
|
|
* - NonTrustedWorldPK |
|
|
|
**********************************************************************/ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
CHECK_OID(pk_nid, TZ_WORLD_PK_OID); |
|
|
|
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, |
|
|
|
keys[TRUSTED_WORLD_KEY].key)); |
|
|
|
sk_X509_EXTENSION_push(sk, trusted_key_ext); |
|
|
|
CHECK_OID(pk_nid, NTZ_WORLD_PK_OID); |
|
|
|
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, |
|
|
|
keys[NON_TRUSTED_WORLD_KEY].key)); |
|
|
|
sk_X509_EXTENSION_push(sk, non_trusted_key_ext); |
|
|
|
if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL30 Key certificate (Trusted SCP Firmware Key certificate): |
|
|
|
* - Self-signed with Trusted World key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - SCPFirmwareContentCertPK |
|
|
|
**********************************************************************/ |
|
|
|
if (bl30_present) { |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID); |
|
|
|
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, |
|
|
|
keys[BL30_KEY].key)); |
|
|
|
sk_X509_EXTENSION_push(sk, trusted_key_ext); |
|
|
|
if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
} |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL30 certificate (SCP Firmware Content certificate): |
|
|
|
* - Signed with Trusted World Key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - SCPFirmwareHash |
|
|
|
**********************************************************************/ |
|
|
|
if (bl30_present) { |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
|
|
|
|
if (!sha_file(certs[BL30_CERT].bin, md)) { |
|
|
|
ERROR("Cannot calculate the hash of %s\n", |
|
|
|
certs[BL30_CERT].bin); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
CHECK_OID(hash_nid, BL30_HASH_OID); |
|
|
|
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, |
|
|
|
md, SHA256_DIGEST_LENGTH)); |
|
|
|
sk_X509_EXTENSION_push(sk, hash_ext); |
|
|
|
/* Create the certificates */ |
|
|
|
for (i = 0 ; i < num_certs ; i++) { |
|
|
|
|
|
|
|
if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL30_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
} |
|
|
|
cert = &certs[i]; |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL31 Key certificate (Trusted SoC Firmware Key certificate): |
|
|
|
* - Self-signed with Trusted World key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - SoCFirmwareContentCertPK |
|
|
|
**********************************************************************/ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID); |
|
|
|
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, |
|
|
|
keys[BL31_KEY].key)); |
|
|
|
sk_X509_EXTENSION_push(sk, trusted_key_ext); |
|
|
|
if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL31 certificate (SOC Firmware Content certificate): |
|
|
|
* - Signed with Trusted World Key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - BL31 hash |
|
|
|
**********************************************************************/ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
|
|
|
|
if (!sha_file(certs[BL31_CERT].bin, md)) { |
|
|
|
ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
CHECK_OID(hash_nid, BL31_HASH_OID); |
|
|
|
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, |
|
|
|
SHA256_DIGEST_LENGTH)); |
|
|
|
sk_X509_EXTENSION_push(sk, hash_ext); |
|
|
|
|
|
|
|
if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL31_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL32 Key certificate (Trusted OS Firmware Key certificate): |
|
|
|
* - Self-signed with Trusted World key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - TrustedOSFirmwareContentCertPK |
|
|
|
**********************************************************************/ |
|
|
|
if (bl32_present) { |
|
|
|
/* Create a new stack of extensions. This stack will be used
|
|
|
|
* to create the certificate */ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID); |
|
|
|
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, |
|
|
|
keys[BL32_KEY].key)); |
|
|
|
sk_X509_EXTENSION_push(sk, trusted_key_ext); |
|
|
|
if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
} |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL32 certificate (TrustedOS Firmware Content certificate): |
|
|
|
* - Signed with Trusted World Key |
|
|
|
* - Extensions: |
|
|
|
* - TrustedFirmwareNVCounter (TODO) |
|
|
|
* - BL32 hash |
|
|
|
**********************************************************************/ |
|
|
|
if (bl32_present) { |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, |
|
|
|
tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
for (j = 0 ; j < cert->num_ext ; j++) { |
|
|
|
|
|
|
|
ext = &extensions[cert->ext[j]]; |
|
|
|
|
|
|
|
/* Get OpenSSL internal ID for this extension */ |
|
|
|
CHECK_OID(ext_nid, ext->oid); |
|
|
|
|
|
|
|
/*
|
|
|
|
* Three types of extensions are currently supported: |
|
|
|
* - EXT_TYPE_NVCOUNTER |
|
|
|
* - EXT_TYPE_HASH |
|
|
|
* - EXT_TYPE_PKEY |
|
|
|
*/ |
|
|
|
switch (ext->type) { |
|
|
|
case EXT_TYPE_NVCOUNTER: |
|
|
|
CHECK_NULL(cert_ext, ext_new_nvcounter(ext_nid, |
|
|
|
EXT_CRIT, ext->data.nvcounter)); |
|
|
|
break; |
|
|
|
case EXT_TYPE_HASH: |
|
|
|
if (ext->data.fn == NULL) { |
|
|
|
break; |
|
|
|
} |
|
|
|
if (!sha_file(ext->data.fn, md)) { |
|
|
|
ERROR("Cannot calculate hash of %s\n", |
|
|
|
ext->data.fn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
CHECK_NULL(cert_ext, ext_new_hash(ext_nid, |
|
|
|
EXT_CRIT, md_info, md, |
|
|
|
SHA256_DIGEST_LENGTH)); |
|
|
|
break; |
|
|
|
case EXT_TYPE_PKEY: |
|
|
|
CHECK_NULL(cert_ext, ext_new_key(ext_nid, |
|
|
|
EXT_CRIT, keys[ext->data.key].key)); |
|
|
|
break; |
|
|
|
default: |
|
|
|
ERROR("Unknown extension type in %s\n", |
|
|
|
cert->cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
if (!sha_file(certs[BL32_CERT].bin, md)) { |
|
|
|
ERROR("Cannot calculate the hash of %s\n", |
|
|
|
certs[BL32_CERT].bin); |
|
|
|
exit(1); |
|
|
|
/* Push the extension into the stack */ |
|
|
|
sk_X509_EXTENSION_push(sk, cert_ext); |
|
|
|
} |
|
|
|
CHECK_OID(hash_nid, BL32_HASH_OID); |
|
|
|
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, |
|
|
|
md, SHA256_DIGEST_LENGTH)); |
|
|
|
sk_X509_EXTENSION_push(sk, hash_ext); |
|
|
|
|
|
|
|
if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL32_CERT].cn); |
|
|
|
/* Create certificate. Signed with ROT key */ |
|
|
|
if (!cert_new(cert, VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", cert->cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
|
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
} |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL33 Key certificate (Non Trusted Firmware Key certificate): |
|
|
|
* - Self-signed with Non Trusted World key |
|
|
|
* - Extensions: |
|
|
|
* - NonTrustedFirmwareNVCounter (TODO) |
|
|
|
* - NonTrustedFirmwareContentCertPK |
|
|
|
**********************************************************************/ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, |
|
|
|
non_tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID); |
|
|
|
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, |
|
|
|
keys[BL33_KEY].key)); |
|
|
|
sk_X509_EXTENSION_push(sk, non_trusted_key_ext); |
|
|
|
if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
|
|
|
|
/* *********************************************************************
|
|
|
|
* BL33 certificate (Non-Trusted World Content certificate): |
|
|
|
* - Signed with Non-Trusted World Key |
|
|
|
* - Extensions: |
|
|
|
* - NonTrustedFirmwareNVCounter (TODO) |
|
|
|
* - BL33 hash |
|
|
|
**********************************************************************/ |
|
|
|
CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); |
|
|
|
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, |
|
|
|
non_tf_nvcounter)); |
|
|
|
sk_X509_EXTENSION_push(sk, nvctr_ext); |
|
|
|
|
|
|
|
if (!sha_file(certs[BL33_CERT].bin, md)) { |
|
|
|
ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
CHECK_OID(hash_nid, BL33_HASH_OID); |
|
|
|
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, |
|
|
|
SHA256_DIGEST_LENGTH)); |
|
|
|
sk_X509_EXTENSION_push(sk, hash_ext); |
|
|
|
|
|
|
|
if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) { |
|
|
|
ERROR("Cannot create %s\n", certs[BL33_CERT].cn); |
|
|
|
exit(1); |
|
|
|
} |
|
|
|
sk_X509_EXTENSION_free(sk); |
|
|
|
|
|
|
|
/* Print the certificates */ |
|
|
|
if (print_cert) { |
|
|
|
for (i = 0 ; i < NUM_CERTIFICATES ; i++) { |
|
|
|
for (i = 0 ; i < num_certs ; i++) { |
|
|
|
if (!certs[i].x) { |
|
|
|
continue; |
|
|
|
} |
|
|
@ -752,7 +539,7 @@ int main(int argc, char *argv[]) |
|
|
|
} |
|
|
|
|
|
|
|
/* Save created certificates to files */ |
|
|
|
for (i = 0 ; i < NUM_CERTIFICATES ; i++) { |
|
|
|
for (i = 0 ; i < num_certs ; i++) { |
|
|
|
if (certs[i].x && certs[i].fn) { |
|
|
|
file = fopen(certs[i].fn, "w"); |
|
|
|
if (file != NULL) { |
|
|
@ -766,18 +553,13 @@ int main(int argc, char *argv[]) |
|
|
|
|
|
|
|
/* Save keys */ |
|
|
|
if (save_keys) { |
|
|
|
for (i = 0 ; i < NUM_KEYS ; i++) { |
|
|
|
for (i = 0 ; i < num_keys ; i++) { |
|
|
|
if (!key_store(&keys[i])) { |
|
|
|
ERROR("Cannot save %s\n", keys[i].desc); |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
X509_EXTENSION_free(hash_ext); |
|
|
|
X509_EXTENSION_free(nvctr_ext); |
|
|
|
X509_EXTENSION_free(trusted_key_ext); |
|
|
|
X509_EXTENSION_free(non_trusted_key_ext); |
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_ENGINE |
|
|
|
ENGINE_cleanup(); |
|
|
|
#endif |
|
|
|