Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
tpm2-tools-5.1
/
tools
/
misc
/
tpm2_certifyX509certutil.c

tpm2_certifyX509certutil.c 8.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338 
  1. /* SPDX-License-Identifier: BSD-3-Clause */
    2. 

  2. 

  3. #include <fcntl.h>
    4. 

  4. #include <stdbool.h>
    5. 

  5. #include <string.h>
    6. 

  6. #include <stdlib.h>
    7. 

  7. #include <sys/types.h>
    8. 

  8. #include <sys/stat.h>
    9. 

  9. #include <unistd.h>
    10. 

  10. 

  11. #include <openssl/x509.h>
    12. 

  12. #include <openssl/x509v3.h>
    13. 

  13. #include <openssl/bio.h>
    14. 

  14. 

  15. #include "log.h"
    16. 

  16. #include "tpm2_tool.h"
    17. 

  17. 

  18. struct tpm_gen_partial_cert {
    19. 

  19.     const char *out_path;
    20. 

  20.     const char *valid_str;
    21. 

  21.     const char *subject;
    22. 

  22.     const char *issuer;
    23. 

  23. };
    24. 

  24. 

  25. #define CERT_FILE "partial_cert.der"
    26. 

  26. #define VALID_DAYS "3560"
    27. 

  27. #define SUBJ "C=US;O=CA org;OU=CA unit;CN=example"
    28. 

  28. #define ISSUER "C=US;O=CA org;OU=CA unit;CN=example"
    29. 

  29. 

  30. static struct tpm_gen_partial_cert ctx = {
    31. 

  31.     .out_path = CERT_FILE,
    32. 

  32.     .valid_str = VALID_DAYS,
    33. 

  33.     .subject = SUBJ,
    34. 

  34.     .issuer = ISSUER
    35. 

  35. };
    36. 

  36. 

  37. static bool on_option(char key, char *value) {
    38. 

  38. 

  39.     switch (key) {
    40. 

  40.     case 'o':
    41. 

  41.         ctx.out_path = value;
    42. 

  42.         break;
    43. 

  43.     case 'd':
    44. 

  44.         ctx.valid_str = value;
    45. 

  45.         break;
    46. 

  46.     case 's':
    47. 

  47.         ctx.subject = value;
    48. 

  48.         break;
    49. 

  49.     case 'i':
    50. 

  50.         ctx.issuer = value;
    51. 

  51.         break;
    52. 

  52.     }
    53. 

  53. 

  54.     return true;
    55. 

  55. }
    56. 

  56. 

  57. static bool tpm2_tool_onstart(tpm2_options **opts) {
    58. 

  58. 

  59.     const struct option topts[] = {
    60. 

  60.       { "outcert", optional_argument, NULL, 'o' },
    61. 

  61.       { "days",    optional_argument, NULL, 'd' },
    62. 

  62.       { "subject", optional_argument, NULL, 's' },
    63. 

  63.       { "issuer", optional_argument, NULL, 'i' }
    64. 

  64.     };
    65. 

  65. 

  66.     *opts = tpm2_options_new("o:d:s:i:", ARRAY_LEN(topts), topts, on_option,
    67. 

  67.                              NULL, TPM2_OPTIONS_NO_SAPI);
    68. 

  68. 

  69.     return *opts != NULL;
    70. 

  70. }
    71. 

  71. 

  72. struct name_fields {
    73. 

  73.     const char *field;
    74. 

  74.     const char *del;
    75. 

  75.     const char *def;
    76. 

  76.     int maxlen;
    77. 

  77. };
    78. 

  78. 

  79. static struct name_fields names[] = {
    80. 

  80.     { .field = "CN",
    81. 

  81.       .del = "CN=",
    82. 

  82.       .maxlen = 8,
    83. 

  83.       .def = "default" },
    84. 

  84.     { .field = "C",
    85. 

  85.       .del = "C=",
    86. 

  86.       .maxlen = 2,
    87. 

  87.       .def = "US" },
    88. 

  88.     { .field = "O",
    89. 

  89.       .del = "O=",
    90. 

  90.       .maxlen = 8,
    91. 

  91.       .def = "CA Org" },
    92. 

  92.     { .field = "OU",
    93. 

  93.       .del = "OU=",
    94. 

  94.       .maxlen = 8,
    95. 

  95.       .def = "CA Unit" },
    96. 

  96. };
    97. 

  97. 

  98. static tool_rc fixup_cert(const char *cert) {
    99. 

  99. 

  100.     int fd = open(cert, O_RDONLY);
    101. 

  101.     if (fd < 0) {
    102. 

  102.         LOG_ERR("open failed");
    103. 

  103.         return tool_rc_general_error;
    104. 

  104.     }
    105. 

  105. 

  106.     struct stat fs;
    107. 

  107.     int ret = fstat(fd, &fs);
    108. 

  108.     if (ret < 0) {
    109. 

  109.         close(fd);
    110. 

  110.         return tool_rc_general_error;
    111. 

  111.     }
    112. 

  112. 

  113.     ssize_t size = fs.st_size;
    114. 

  114.     if (size < 100 || size > 255) {
    115. 

  115.         LOG_ERR("Wrong cert size %zd", size);
    116. 

  116.         close(fd);
    117. 

  117.         return tool_rc_general_error; /* there is something wrong with this cert */
    118. 

  118.     }
    119. 

  119. 

  120.     char* buf = calloc(1, size);
    121. 

  121.     if (!buf) {
    122. 

  122.         LOG_ERR("Alloc failed");
    123. 

  123.         close(fd);
    124. 

  124.         return tool_rc_general_error;
    125. 

  125.     }
    126. 

  126. 

  127.     tool_rc rc = tool_rc_success;
    128. 

  128.     ret = read(fd, buf, size);
    129. 

  129.     close(fd);
    130. 

  130.     if (ret != size) {
    131. 

  131.         LOG_ERR("read failed");
    132. 

  132.         rc = tool_rc_general_error;
    133. 

  133.         goto out;
    134. 

  134.     }
    135. 

  135. 

  136.     fd = open(cert, O_WRONLY | O_TRUNC);
    137. 

  137.     if (fd < 0) {
    138. 

  138.         LOG_ERR("second open failed");
    139. 

  139.         rc = tool_rc_general_error;
    140. 

  140.         goto out;
    141. 

  141.     }
    142. 

  142. 

  143.     /* We need to skip one wrapping sequence (8 bytes) and one
    144. 

  144.      * sequence with one empty byte field at the end (5 bytes).
    145. 

  145.      * Fix the size here */
    146. 

  146.     buf[2] = size - 16;
    147. 

  147. 

  148.     /* Write the external sequence with the fixed size */
    149. 

  149.     ret = write(fd, buf, 3);
    150. 

  150.     if (ret != 3) {
    151. 

  151.         LOG_ERR("write failed");
    152. 

  152.         rc = tool_rc_general_error;
    153. 

  153.         close(fd);
    154. 

  154.         goto out;
    155. 

  155.     }
    156. 

  156. 

  157.     /* skip the wrapping sequence the write the rest
    158. 

  158.      * without the 5 bytes at the end */
    159. 

  159.     ret = write(fd, buf + 11, size - 16);
    160. 

  160.     close(fd);
    161. 

  161.     if (ret != size - 16) {
    162. 

  162.         LOG_ERR("second write failed");
    163. 

  163.         rc = tool_rc_general_error;
    164. 

  164.     }
    165. 

  165. 

  166. out:
    167. 

  167.     free(buf);
    168. 

  168. 

  169.     return rc;
    170. 

  170. }
    171. 

  171. 

  172. static int populate_fields(X509_NAME *name, const char *opt) {
    173. 

  173. 

  174.     char *name_opt = strdup(opt);
    175. 

  175.     if (!name_opt) {
    176. 

  176.         LOG_ERR("Alloc failed");
    177. 

  177.         return -1;
    178. 

  178.     }
    179. 

  179. 

  180.     const char *tok = strtok(name_opt, ";");
    181. 

  181. 

  182.     unsigned i = 0;
    183. 

  183.     int fields_added = 0;
    184. 

  184.     while (tok != NULL) {
    185. 

  185.         LOG_INFO("Parsing token %s", tok);
    186. 

  186. 

  187.         /* Loop through supported fields and add them if found */
    188. 

  188.         for (i = 0; i < ARRAY_LEN(names); i++) {
    189. 

  189.             const char *del = names[i].del;
    190. 

  190.             const char *fld =  names[i].field;
    191. 

  191.             unsigned int maxlen =  names[i].maxlen;
    192. 

  192.             size_t len = strlen(del);
    193. 

  193.             const char *ptr;
    194. 

  194. 

  195.             if (strncmp(tok, del, len) == 0) {
    196. 

  196.                 if (strlen(tok + len) > maxlen || strlen(tok + len) == 0) {
    197. 

  197.                     LOG_WARN("Field %s too long or empty. Using default", fld);
    198. 

  198.                     ptr = names[i].def;
    199. 

  199.                 } else {
    200. 

  200.                     ptr = tok + len;
    201. 

  201.                 }
    202. 

  202.                 LOG_INFO("Adding name field %s%s", del, ptr);
    203. 

  203.                 int ret = X509_NAME_add_entry_by_txt(name, fld, MBSTRING_ASC,
    204. 

  204.                                                (const unsigned char *) ptr,
    205. 

  205.                                                -1, -1, 0);
    206. 

  206.                 if (ret != 1) {
    207. 

  207.                     free(name_opt);
    208. 

  208.                     LOG_ERR("X509_NAME_add_entry_by_txt");
    209. 

  209.                     return -1;
    210. 

  210.                 }
    211. 

  211.                 fields_added++;
    212. 

  212.             }
    213. 

  213.         }
    214. 

  214.         tok = strtok(NULL, ";");
    215. 

  215.     }
    216. 

  216. 

  217.     free(name_opt);
    218. 

  218. 

  219.     return fields_added;
    220. 

  220. }
    221. 

  221. 

  222. static tool_rc generate_partial_X509() {
    223. 

  223. 

  224.     BIO *cert_out = BIO_new_file(ctx.out_path, "wb");
    225. 

  225.     if (!cert_out) {
    226. 

  226.         LOG_ERR("Can not create file %s", ctx.out_path);
    227. 

  227.         return -1;
    228. 

  228.     }
    229. 

  229. 

  230.     X509_EXTENSION *extv3 = NULL;
    231. 

  231.     X509 *cert = X509_new();
    232. 

  232.     if (!cert) {
    233. 

  233.         LOG_ERR("X509_new");
    234. 

  234.         goto out_err;
    235. 

  235.     }
    236. 

  236. 

  237.     X509_NAME *issuer = X509_get_issuer_name(cert);
    238. 

  238.     if (!issuer) {
    239. 

  239.         LOG_ERR("X509_get_issuer_name");
    240. 

  240.         goto out_err;
    241. 

  241.     }
    242. 

  242. 

  243.     int fields_added = populate_fields(issuer, ctx.issuer);
    244. 

  244.     if (fields_added <= 0) {
    245. 

  245.         LOG_ERR("Could not parse any issuer fields");
    246. 

  246.         goto out_err;
    247. 

  247.     } else {
    248. 

  248.         LOG_INFO("Added %d issuer fields", fields_added);
    249. 

  249.     }
    250. 

  250. 

  251.     int ret = X509_set_issuer_name(cert, issuer); // add issuer
    252. 

  252.     if (ret != 1) {
    253. 

  253.         LOG_ERR("X509_set_issuer_name");
    254. 

  254.         goto out_err;
    255. 

  255.     }
    256. 

  256. 

  257.     unsigned int valid_days;
    258. 

  258.     if (!tpm2_util_string_to_uint32(ctx.valid_str, &valid_days)) {
    259. 

  259.         LOG_ERR("string_to_uint32");
    260. 

  260.         goto out_err;
    261. 

  261.     }
    262. 

  262. 

  263.     X509_gmtime_adj(X509_get_notBefore(cert), 0); // add valid not before
    264. 

  264.     X509_gmtime_adj(X509_get_notAfter(cert), valid_days * 86400); // add valid not after
    265. 

  265. 

  266.     X509_NAME *subject = X509_get_subject_name(cert);
    267. 

  267.     if (!subject) {
    268. 

  268.         LOG_ERR("X509_get_subject_name");
    269. 

  269.         goto out_err;
    270. 

  270.     }
    271. 

  271. 

  272.     fields_added = populate_fields(subject, ctx.subject);
    273. 

  273.     if (fields_added <= 0) {
    274. 

  274.         LOG_ERR("Could not parse any subject fields");
    275. 

  275.         goto out_err;
    276. 

  276.     } else {
    277. 

  277.         LOG_INFO("Added %d subject fields", fields_added);
    278. 

  278.     }
    279. 

  279. 

  280.     ret = X509_set_subject_name(cert, subject);  // add subject
    281. 

  281.     if (ret != 1) {
    282. 

  282.         LOG_ERR("X509_NAME_add_entry_by_txt");
    283. 

  283.         goto out_err;
    284. 

  284.     }
    285. 

  285. 

  286.     extv3 = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage,
    287. 

  287.     "critical,digitalSignature,keyCertSign,cRLSign");
    288. 

  288.     if (!extv3) {
    289. 

  289.         LOG_ERR("X509V3_EXT_conf_nid");
    290. 

  290.         goto out_err;
    291. 

  291.     }
    292. 

  292. 

  293.     ret = X509_add_ext(cert, extv3, -1); // add required v3 extention: key usage
    294. 

  294.     if (ret != 1) {
    295. 

  295.         LOG_ERR("X509_add_ext");
    296. 

  296.         goto out_err;
    297. 

  297.     }
    298. 

  298. 

  299.     ret = i2d_X509_bio(cert_out, cert); // print cert in DER format
    300. 

  300.     if (ret != 1) {
    301. 

  301.         LOG_ERR("i2d_X509_bio");
    302. 

  302.         goto out_err;
    303. 

  303.     }
    304. 

  304. 

  305.     X509_EXTENSION_free(extv3);
    306. 

  306.     X509_free(cert);
    307. 

  307.     BIO_free_all(cert_out);
    308. 

  308. 

  309.     ret = fixup_cert(ctx.out_path);
    310. 

  310.     if (ret) {
    311. 

  311.         LOG_ERR("fixup_cert");
    312. 

  312.         return tool_rc_general_error;
    313. 

  313.     }
    314. 

  314. 

  315.     return tool_rc_success;
    316. 

  316. 

  317. out_err:
    318. 

  318.     BIO_free_all(cert_out);
    319. 

  319.     if (cert) {
    320. 

  320.         X509_free(cert);
    321. 

  321.     }
    322. 

  322.     if (extv3) {
    323. 

  323.         X509_EXTENSION_free(extv3);
    324. 

  324.     }
    325. 

  325. 

  326.     return tool_rc_general_error;
    327. 

  327. }
    328. 

  328. 

  329. 

  330. static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
    331. 

  331. 

  332.     UNUSED(flags);
    333. 

  333.     UNUSED(ectx);
    334. 

  334. 

  335.     return generate_partial_X509();
    336. 

  336. }
    337. 

  337. 

  338. TPM2_TOOL_REGISTER("certifyX509certutil", tpm2_tool_onstart, tpm2_tool_onrun, NULL, NULL)
    339.