1 /* 2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <getopt.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 36 #include <openssl/conf.h> 37 #include <openssl/engine.h> 38 #include <openssl/err.h> 39 #include <openssl/pem.h> 40 #include <openssl/sha.h> 41 #include <openssl/x509v3.h> 42 43 #include "cert.h" 44 #include "debug.h" 45 #include "ext.h" 46 #include "key.h" 47 #include "platform_oid.h" 48 #include "sha.h" 49 #include "tbb_ext.h" 50 #include "tbb_cert.h" 51 #include "tbb_key.h" 52 53 /* 54 * Helper macros to simplify the code. This macro assigns the return value of 55 * the 'fn' function to 'v' and exits if the value is NULL. 56 */ 57 #define CHECK_NULL(v, fn) \ 58 do { \ 59 v = fn; \ 60 if (v == NULL) { \ 61 ERROR("NULL object at %s:%d\n", __FILE__, __LINE__); \ 62 exit(1); \ 63 } \ 64 } while (0) 65 66 /* 67 * This macro assigns the NID corresponding to 'oid' to 'v' and exits if the 68 * NID is undefined. 69 */ 70 #define CHECK_OID(v, oid) \ 71 do { \ 72 v = OBJ_txt2nid(oid); \ 73 if (v == NID_undef) { \ 74 ERROR("Cannot find TBB extension %s\n", oid); \ 75 exit(1); \ 76 } \ 77 } while (0) 78 79 #define MAX_FILENAME_LEN 1024 80 #define VAL_DAYS 7300 81 #define ID_TO_BIT_MASK(id) (1 << id) 82 #define NVCOUNTER_VALUE 0 83 84 /* Files */ 85 enum { 86 /* Image file names (inputs) */ 87 BL2_ID = 0, 88 BL30_ID, 89 BL31_ID, 90 BL32_ID, 91 BL33_ID, 92 /* Certificate file names (outputs) */ 93 BL2_CERT_ID, 94 TRUSTED_KEY_CERT_ID, 95 BL30_KEY_CERT_ID, 96 BL30_CERT_ID, 97 BL31_KEY_CERT_ID, 98 BL31_CERT_ID, 99 BL32_KEY_CERT_ID, 100 BL32_CERT_ID, 101 BL33_KEY_CERT_ID, 102 BL33_CERT_ID, 103 /* Key file names (input/output) */ 104 ROT_KEY_ID, 105 TRUSTED_WORLD_KEY_ID, 106 NON_TRUSTED_WORLD_KEY_ID, 107 BL30_KEY_ID, 108 BL31_KEY_ID, 109 BL32_KEY_ID, 110 BL33_KEY_ID, 111 NUM_OPTS 112 }; 113 114 /* Global options */ 115 static int new_keys; 116 static int save_keys; 117 static int print_cert; 118 static int bl30_present; 119 static int bl32_present; 120 121 /* We are not checking nvcounters in TF. Include them in the certificates but 122 * the value will be set to 0 */ 123 static int tf_nvcounter; 124 static int non_tf_nvcounter; 125 126 /* Info messages created in the Makefile */ 127 extern const char build_msg[]; 128 extern const char platform_msg[]; 129 130 131 static char *strdup(const char *str) 132 { 133 int n = strlen(str) + 1; 134 char *dup = malloc(n); 135 if (dup) { 136 strcpy(dup, str); 137 } 138 return dup; 139 } 140 141 /* Command line options */ 142 static const struct option long_opt[] = { 143 /* Binary images */ 144 {"bl2", required_argument, 0, BL2_ID}, 145 {"bl30", required_argument, 0, BL30_ID}, 146 {"bl31", required_argument, 0, BL31_ID}, 147 {"bl32", required_argument, 0, BL32_ID}, 148 {"bl33", required_argument, 0, BL33_ID}, 149 /* Certificate files */ 150 {"bl2-cert", required_argument, 0, BL2_CERT_ID}, 151 {"trusted-key-cert", required_argument, 0, TRUSTED_KEY_CERT_ID}, 152 {"bl30-key-cert", required_argument, 0, BL30_KEY_CERT_ID}, 153 {"bl30-cert", required_argument, 0, BL30_CERT_ID}, 154 {"bl31-key-cert", required_argument, 0, BL31_KEY_CERT_ID}, 155 {"bl31-cert", required_argument, 0, BL31_CERT_ID}, 156 {"bl32-key-cert", required_argument, 0, BL32_KEY_CERT_ID}, 157 {"bl32-cert", required_argument, 0, BL32_CERT_ID}, 158 {"bl33-key-cert", required_argument, 0, BL33_KEY_CERT_ID}, 159 {"bl33-cert", required_argument, 0, BL33_CERT_ID}, 160 /* Private key files */ 161 {"rot-key", required_argument, 0, ROT_KEY_ID}, 162 {"trusted-world-key", required_argument, 0, TRUSTED_WORLD_KEY_ID}, 163 {"non-trusted-world-key", required_argument, 0, NON_TRUSTED_WORLD_KEY_ID}, 164 {"bl30-key", required_argument, 0, BL30_KEY_ID}, 165 {"bl31-key", required_argument, 0, BL31_KEY_ID}, 166 {"bl32-key", required_argument, 0, BL32_KEY_ID}, 167 {"bl33-key", required_argument, 0, BL33_KEY_ID}, 168 /* Common options */ 169 {"help", no_argument, 0, 'h'}, 170 {"save-keys", no_argument, 0, 'k'}, 171 {"new-chain", no_argument, 0, 'n'}, 172 {"print-cert", no_argument, 0, 'p'}, 173 {0, 0, 0, 0} 174 }; 175 176 static void print_help(const char *cmd) 177 { 178 int i = 0; 179 printf("\n\n"); 180 printf("The certificate generation tool loads the binary images and\n" 181 "optionally the RSA keys, and outputs the key and content\n" 182 "certificates properly signed to implement the chain of trust.\n" 183 "If keys are provided, they must be in PEM format.\n" 184 "Certificates are generated in DER format.\n"); 185 printf("\n"); 186 printf("Usage:\n\n"); 187 printf(" %s [-hknp] \\\n", cmd); 188 for (i = 0; i < NUM_OPTS; i++) { 189 printf(" --%s <file> \\\n", long_opt[i].name); 190 } 191 printf("\n"); 192 printf("-h Print help and exit\n"); 193 printf("-k Save key pairs into files. Filenames must be provided\n"); 194 printf("-n Generate new key pairs if no key files are provided\n"); 195 printf("-p Print the certificates in the standard output\n"); 196 printf("\n"); 197 198 exit(0); 199 } 200 201 static void check_cmd_params(void) 202 { 203 /* BL2, BL31 and BL33 are mandatory */ 204 if (certs[BL2_CERT].bin == NULL) { 205 ERROR("BL2 image not specified\n"); 206 exit(1); 207 } 208 209 if (certs[BL31_CERT].bin == NULL) { 210 ERROR("BL31 image not specified\n"); 211 exit(1); 212 } 213 214 if (certs[BL33_CERT].bin == NULL) { 215 ERROR("BL33 image not specified\n"); 216 exit(1); 217 } 218 219 /* BL30 and BL32 are optional */ 220 if (certs[BL30_CERT].bin != NULL) { 221 bl30_present = 1; 222 } 223 224 if (certs[BL32_CERT].bin != NULL) { 225 bl32_present = 1; 226 } 227 228 /* TODO: Certificate filenames */ 229 230 /* Filenames to store keys must be specified */ 231 if (save_keys || !new_keys) { 232 if (keys[ROT_KEY].fn == NULL) { 233 ERROR("ROT key not specified\n"); 234 exit(1); 235 } 236 237 if (keys[TRUSTED_WORLD_KEY].fn == NULL) { 238 ERROR("Trusted World key not specified\n"); 239 exit(1); 240 } 241 242 if (keys[NON_TRUSTED_WORLD_KEY].fn == NULL) { 243 ERROR("Non-trusted World key not specified\n"); 244 exit(1); 245 } 246 247 if (keys[BL31_KEY].fn == NULL) { 248 ERROR("BL31 key not specified\n"); 249 exit(1); 250 } 251 252 if (keys[BL33_KEY].fn == NULL) { 253 ERROR("BL33 key not specified\n"); 254 exit(1); 255 } 256 257 if (bl30_present && (keys[BL30_KEY].fn == NULL)) { 258 ERROR("BL30 key not specified\n"); 259 exit(1); 260 } 261 262 if (bl32_present && (keys[BL32_KEY].fn == NULL)) { 263 ERROR("BL32 key not specified\n"); 264 exit(1); 265 } 266 } 267 } 268 269 int main(int argc, char *argv[]) 270 { 271 STACK_OF(X509_EXTENSION) * sk = NULL; 272 X509_EXTENSION *hash_ext = NULL; 273 X509_EXTENSION *nvctr_ext = NULL; 274 X509_EXTENSION *trusted_key_ext = NULL; 275 X509_EXTENSION *non_trusted_key_ext = NULL; 276 FILE *file = NULL; 277 int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid; 278 int c, opt_idx = 0; 279 unsigned char md[SHA256_DIGEST_LENGTH]; 280 281 NOTICE("CoT Generation Tool: %s\n", build_msg); 282 NOTICE("Target platform: %s\n", platform_msg); 283 284 while (1) { 285 /* getopt_long stores the option index here. */ 286 c = getopt_long(argc, argv, "hknp", long_opt, &opt_idx); 287 288 /* Detect the end of the options. */ 289 if (c == -1) { 290 break; 291 } 292 293 switch (c) { 294 case 'h': 295 print_help(argv[0]); 296 break; 297 case 'k': 298 save_keys = 1; 299 break; 300 case 'n': 301 new_keys = 1; 302 break; 303 case 'p': 304 print_cert = 1; 305 break; 306 case BL2_ID: 307 certs[BL2_CERT].bin = strdup(optarg); 308 break; 309 case BL30_ID: 310 certs[BL30_CERT].bin = strdup(optarg); 311 break; 312 case BL31_ID: 313 certs[BL31_CERT].bin = strdup(optarg); 314 break; 315 case BL32_ID: 316 certs[BL32_CERT].bin = strdup(optarg); 317 break; 318 case BL33_ID: 319 certs[BL33_CERT].bin = strdup(optarg); 320 break; 321 case BL2_CERT_ID: 322 certs[BL2_CERT].fn = strdup(optarg); 323 break; 324 case TRUSTED_KEY_CERT_ID: 325 certs[TRUSTED_KEY_CERT].fn = strdup(optarg); 326 break; 327 case BL30_KEY_CERT_ID: 328 certs[BL30_KEY_CERT].fn = strdup(optarg); 329 break; 330 case BL30_CERT_ID: 331 certs[BL30_CERT].fn = strdup(optarg); 332 break; 333 case BL31_KEY_CERT_ID: 334 certs[BL31_KEY_CERT].fn = strdup(optarg); 335 break; 336 case BL31_CERT_ID: 337 certs[BL31_CERT].fn = strdup(optarg); 338 break; 339 case BL32_KEY_CERT_ID: 340 certs[BL32_KEY_CERT].fn = strdup(optarg); 341 break; 342 case BL32_CERT_ID: 343 certs[BL32_CERT].fn = strdup(optarg); 344 break; 345 case BL33_KEY_CERT_ID: 346 certs[BL33_KEY_CERT].fn = strdup(optarg); 347 break; 348 case BL33_CERT_ID: 349 certs[BL33_CERT].fn = strdup(optarg); 350 break; 351 case ROT_KEY_ID: 352 keys[ROT_KEY].fn = strdup(optarg); 353 break; 354 case TRUSTED_WORLD_KEY_ID: 355 keys[TRUSTED_WORLD_KEY].fn = strdup(optarg); 356 break; 357 case NON_TRUSTED_WORLD_KEY_ID: 358 keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg); 359 break; 360 case BL30_KEY_ID: 361 keys[BL30_KEY].fn = strdup(optarg); 362 break; 363 case BL31_KEY_ID: 364 keys[BL31_KEY].fn = strdup(optarg); 365 break; 366 case BL32_KEY_ID: 367 keys[BL32_KEY].fn = strdup(optarg); 368 break; 369 case BL33_KEY_ID: 370 keys[BL33_KEY].fn = strdup(optarg); 371 break; 372 case '?': 373 default: 374 printf("%s\n", optarg); 375 exit(1); 376 } 377 } 378 379 /* Set the value of the NVCounters */ 380 tf_nvcounter = NVCOUNTER_VALUE; 381 non_tf_nvcounter = NVCOUNTER_VALUE; 382 383 /* Check command line arguments */ 384 check_cmd_params(); 385 386 /* Register the new types and OIDs for the extensions */ 387 if (ext_init(tbb_ext) != 0) { 388 ERROR("Cannot initialize TBB extensions\n"); 389 exit(1); 390 } 391 392 /* Get non-volatile counters NIDs */ 393 CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID); 394 CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID); 395 396 /* Load private keys from files (or generate new ones) */ 397 if (new_keys) { 398 for (i = 0 ; i < NUM_KEYS ; i++) { 399 if (!key_new(&keys[i])) { 400 ERROR("Error creating %s\n", keys[i].desc); 401 exit(1); 402 } 403 } 404 } else { 405 for (i = 0 ; i < NUM_KEYS ; i++) { 406 if (!key_load(&keys[i])) { 407 ERROR("Error loading %s\n", keys[i].desc); 408 exit(1); 409 } 410 } 411 } 412 413 /* ********************************************************************* 414 * BL2 certificate (Trusted Boot Firmware certificate): 415 * - Self-signed with OEM ROT private key 416 * - Extensions: 417 * - TrustedFirmwareNVCounter (TODO) 418 * - BL2 hash 419 **********************************************************************/ 420 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 421 422 /* Add the NVCounter as a critical extension */ 423 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 424 tf_nvcounter)); 425 sk_X509_EXTENSION_push(sk, nvctr_ext); 426 427 /* Add hash of BL2 as an extension */ 428 if (!sha_file(certs[BL2_CERT].bin, md)) { 429 ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin); 430 exit(1); 431 } 432 CHECK_OID(hash_nid, BL2_HASH_OID); 433 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, 434 SHA256_DIGEST_LENGTH)); 435 sk_X509_EXTENSION_push(sk, hash_ext); 436 437 /* Create certificate. Signed with ROT key */ 438 if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) { 439 ERROR("Cannot create %s\n", certs[BL2_CERT].cn); 440 exit(1); 441 } 442 sk_X509_EXTENSION_free(sk); 443 444 /* ********************************************************************* 445 * Trusted Key certificate: 446 * - Self-signed with OEM ROT private key 447 * - Extensions: 448 * - TrustedFirmwareNVCounter (TODO) 449 * - TrustedWorldPK 450 * - NonTrustedWorldPK 451 **********************************************************************/ 452 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 453 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 454 tf_nvcounter)); 455 sk_X509_EXTENSION_push(sk, nvctr_ext); 456 CHECK_OID(pk_nid, TZ_WORLD_PK_OID); 457 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 458 keys[TRUSTED_WORLD_KEY].key)); 459 sk_X509_EXTENSION_push(sk, trusted_key_ext); 460 CHECK_OID(pk_nid, NTZ_WORLD_PK_OID); 461 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 462 keys[NON_TRUSTED_WORLD_KEY].key)); 463 sk_X509_EXTENSION_push(sk, non_trusted_key_ext); 464 if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) { 465 ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn); 466 exit(1); 467 } 468 sk_X509_EXTENSION_free(sk); 469 470 /* ********************************************************************* 471 * BL30 Key certificate (Trusted SCP Firmware Key certificate): 472 * - Self-signed with Trusted World key 473 * - Extensions: 474 * - TrustedFirmwareNVCounter (TODO) 475 * - SCPFirmwareContentCertPK 476 **********************************************************************/ 477 if (bl30_present) { 478 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 479 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 480 tf_nvcounter)); 481 sk_X509_EXTENSION_push(sk, nvctr_ext); 482 CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID); 483 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 484 keys[BL30_KEY].key)); 485 sk_X509_EXTENSION_push(sk, trusted_key_ext); 486 if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) { 487 ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn); 488 exit(1); 489 } 490 sk_X509_EXTENSION_free(sk); 491 } 492 493 /* ********************************************************************* 494 * BL30 certificate (SCP Firmware Content certificate): 495 * - Signed with Trusted World Key 496 * - Extensions: 497 * - TrustedFirmwareNVCounter (TODO) 498 * - SCPFirmwareHash 499 **********************************************************************/ 500 if (bl30_present) { 501 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 502 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 503 tf_nvcounter)); 504 sk_X509_EXTENSION_push(sk, nvctr_ext); 505 506 if (!sha_file(certs[BL30_CERT].bin, md)) { 507 ERROR("Cannot calculate the hash of %s\n", 508 certs[BL30_CERT].bin); 509 exit(1); 510 } 511 CHECK_OID(hash_nid, BL30_HASH_OID); 512 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, 513 SHA256_DIGEST_LENGTH)); 514 sk_X509_EXTENSION_push(sk, hash_ext); 515 516 if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) { 517 ERROR("Cannot create %s\n", certs[BL30_CERT].cn); 518 exit(1); 519 } 520 521 sk_X509_EXTENSION_free(sk); 522 } 523 524 /* ********************************************************************* 525 * BL31 Key certificate (Trusted SoC Firmware Key certificate): 526 * - Self-signed with Trusted World key 527 * - Extensions: 528 * - TrustedFirmwareNVCounter (TODO) 529 * - SoCFirmwareContentCertPK 530 **********************************************************************/ 531 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 532 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 533 tf_nvcounter)); 534 sk_X509_EXTENSION_push(sk, nvctr_ext); 535 CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID); 536 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 537 keys[BL31_KEY].key)); 538 sk_X509_EXTENSION_push(sk, trusted_key_ext); 539 if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) { 540 ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn); 541 exit(1); 542 } 543 sk_X509_EXTENSION_free(sk); 544 545 /* ********************************************************************* 546 * BL31 certificate (SOC Firmware Content certificate): 547 * - Signed with Trusted World Key 548 * - Extensions: 549 * - TrustedFirmwareNVCounter (TODO) 550 * - BL31 hash 551 **********************************************************************/ 552 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 553 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 554 tf_nvcounter)); 555 sk_X509_EXTENSION_push(sk, nvctr_ext); 556 557 if (!sha_file(certs[BL31_CERT].bin, md)) { 558 ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin); 559 exit(1); 560 } 561 CHECK_OID(hash_nid, BL31_HASH_OID); 562 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, 563 SHA256_DIGEST_LENGTH)); 564 sk_X509_EXTENSION_push(sk, hash_ext); 565 566 if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) { 567 ERROR("Cannot create %s\n", certs[BL31_CERT].cn); 568 exit(1); 569 } 570 571 sk_X509_EXTENSION_free(sk); 572 573 /* ********************************************************************* 574 * BL32 Key certificate (Trusted OS Firmware Key certificate): 575 * - Self-signed with Trusted World key 576 * - Extensions: 577 * - TrustedFirmwareNVCounter (TODO) 578 * - TrustedOSFirmwareContentCertPK 579 **********************************************************************/ 580 if (bl32_present) { 581 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 582 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 583 tf_nvcounter)); 584 sk_X509_EXTENSION_push(sk, nvctr_ext); 585 CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID); 586 CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 587 keys[BL32_KEY].key)); 588 sk_X509_EXTENSION_push(sk, trusted_key_ext); 589 if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) { 590 ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn); 591 exit(1); 592 } 593 sk_X509_EXTENSION_free(sk); 594 } 595 596 /* ********************************************************************* 597 * BL32 certificate (TrustedOS Firmware Content certificate): 598 * - Signed with Trusted World Key 599 * - Extensions: 600 * - TrustedFirmwareNVCounter (TODO) 601 * - BL32 hash 602 **********************************************************************/ 603 if (bl32_present) { 604 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 605 CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, 606 tf_nvcounter)); 607 sk_X509_EXTENSION_push(sk, nvctr_ext); 608 609 if (!sha_file(certs[BL32_CERT].bin, md)) { 610 ERROR("Cannot calculate the hash of %s\n", 611 certs[BL32_CERT].bin); 612 exit(1); 613 } 614 CHECK_OID(hash_nid, BL32_HASH_OID); 615 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, 616 SHA256_DIGEST_LENGTH)); 617 sk_X509_EXTENSION_push(sk, hash_ext); 618 619 if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) { 620 ERROR("Cannot create %s\n", certs[BL32_CERT].cn); 621 exit(1); 622 } 623 624 sk_X509_EXTENSION_free(sk); 625 } 626 627 /* ********************************************************************* 628 * BL33 Key certificate (Non Trusted Firmware Key certificate): 629 * - Self-signed with Non Trusted World key 630 * - Extensions: 631 * - NonTrustedFirmwareNVCounter (TODO) 632 * - NonTrustedFirmwareContentCertPK 633 **********************************************************************/ 634 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 635 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, 636 non_tf_nvcounter)); 637 sk_X509_EXTENSION_push(sk, nvctr_ext); 638 CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID); 639 CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, 640 keys[BL33_KEY].key)); 641 sk_X509_EXTENSION_push(sk, non_trusted_key_ext); 642 if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) { 643 ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn); 644 exit(1); 645 } 646 sk_X509_EXTENSION_free(sk); 647 648 /* ********************************************************************* 649 * BL33 certificate (Non-Trusted World Content certificate): 650 * - Signed with Non-Trusted World Key 651 * - Extensions: 652 * - NonTrustedFirmwareNVCounter (TODO) 653 * - BL33 hash 654 **********************************************************************/ 655 CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); 656 CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, 657 non_tf_nvcounter)); 658 sk_X509_EXTENSION_push(sk, nvctr_ext); 659 660 if (!sha_file(certs[BL33_CERT].bin, md)) { 661 ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin); 662 exit(1); 663 } 664 CHECK_OID(hash_nid, BL33_HASH_OID); 665 CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md, 666 SHA256_DIGEST_LENGTH)); 667 sk_X509_EXTENSION_push(sk, hash_ext); 668 669 if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) { 670 ERROR("Cannot create %s\n", certs[BL33_CERT].cn); 671 exit(1); 672 } 673 sk_X509_EXTENSION_free(sk); 674 675 /* Print the certificates */ 676 if (print_cert) { 677 for (i = 0 ; i < NUM_CERTIFICATES ; i++) { 678 if (!certs[i].x) { 679 continue; 680 } 681 printf("\n\n=====================================\n\n"); 682 X509_print_fp(stdout, certs[i].x); 683 } 684 } 685 686 /* Save created certificates to files */ 687 for (i = 0 ; i < NUM_CERTIFICATES ; i++) { 688 if (certs[i].x && certs[i].fn) { 689 file = fopen(certs[i].fn, "w"); 690 if (file != NULL) { 691 i2d_X509_fp(file, certs[i].x); 692 fclose(file); 693 } else { 694 ERROR("Cannot create file %s\n", certs[i].fn); 695 } 696 } 697 } 698 699 /* Save keys */ 700 if (save_keys) { 701 for (i = 0 ; i < NUM_KEYS ; i++) { 702 if (!key_store(&keys[i])) { 703 ERROR("Cannot save %s\n", keys[i].desc); 704 } 705 } 706 } 707 708 X509_EXTENSION_free(hash_ext); 709 X509_EXTENSION_free(nvctr_ext); 710 X509_EXTENSION_free(trusted_key_ext); 711 X509_EXTENSION_free(non_trusted_key_ext); 712 713 #ifndef OPENSSL_NO_ENGINE 714 ENGINE_cleanup(); 715 #endif 716 CRYPTO_cleanup_all_ex_data(); 717 718 return 0; 719 } 720