1 /*
2 * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7 #include <getopt.h>
8 #include <stdio.h>
9 #include <stdlib.h>
10 #include <string.h>
11
12 #include <openssl/conf.h>
13 #include <openssl/evp.h>
14 #include <openssl/pem.h>
15
16 #include "cert.h"
17 #include "cmd_opt.h"
18 #include "debug.h"
19 #include "key.h"
20 #include "sha.h"
21
22 #define MAX_FILENAME_LEN 1024
23
24 key_t *keys;
25 unsigned int num_keys;
26
27 #if !USING_OPENSSL3
28 /*
29 * Create a new key container
30 */
key_new(key_t * key)31 int key_new(key_t *key)
32 {
33 /* Create key pair container */
34 key->key = EVP_PKEY_new();
35 if (key->key == NULL) {
36 return 0;
37 }
38
39 return 1;
40 }
41 #endif
42
key_create_rsa(key_t * key,int key_bits)43 static int key_create_rsa(key_t *key, int key_bits)
44 {
45 #if USING_OPENSSL3
46 EVP_PKEY *rsa = EVP_RSA_gen(key_bits);
47 if (rsa == NULL) {
48 printf("Cannot generate RSA key\n");
49 return 0;
50 }
51 key->key = rsa;
52 return 1;
53 #else
54 BIGNUM *e;
55 RSA *rsa = NULL;
56
57 e = BN_new();
58 if (e == NULL) {
59 printf("Cannot create RSA exponent\n");
60 return 0;
61 }
62
63 if (!BN_set_word(e, RSA_F4)) {
64 printf("Cannot assign RSA exponent\n");
65 goto err2;
66 }
67
68 rsa = RSA_new();
69 if (rsa == NULL) {
70 printf("Cannot create RSA key\n");
71 goto err2;
72 }
73
74 if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
75 printf("Cannot generate RSA key\n");
76 goto err;
77 }
78
79 if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
80 printf("Cannot assign RSA key\n");
81 goto err;
82 }
83
84 BN_free(e);
85 return 1;
86
87 err:
88 RSA_free(rsa);
89 err2:
90 BN_free(e);
91 return 0;
92 #endif
93 }
94
95 #ifndef OPENSSL_NO_EC
96 #if USING_OPENSSL3
key_create_ecdsa(key_t * key,int key_bits,const char * curve)97 static int key_create_ecdsa(key_t *key, int key_bits, const char *curve)
98 {
99 EVP_PKEY *ec = EVP_EC_gen(curve);
100 if (ec == NULL) {
101 printf("Cannot generate EC key\n");
102 return 0;
103 }
104
105 key->key = ec;
106 return 1;
107 }
108
key_create_ecdsa_nist(key_t * key,int key_bits)109 static int key_create_ecdsa_nist(key_t *key, int key_bits)
110 {
111 return key_create_ecdsa(key, key_bits, "prime256v1");
112 }
113
key_create_ecdsa_brainpool_r(key_t * key,int key_bits)114 static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
115 {
116 return key_create_ecdsa(key, key_bits, "brainpoolP256r1");
117 }
118
key_create_ecdsa_brainpool_t(key_t * key,int key_bits)119 static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
120 {
121 return key_create_ecdsa(key, key_bits, "brainpoolP256t1");
122 }
123 #else
key_create_ecdsa(key_t * key,int key_bits,const int curve_id)124 static int key_create_ecdsa(key_t *key, int key_bits, const int curve_id)
125 {
126 EC_KEY *ec;
127
128 ec = EC_KEY_new_by_curve_name(curve_id);
129 if (ec == NULL) {
130 printf("Cannot create EC key\n");
131 return 0;
132 }
133 if (!EC_KEY_generate_key(ec)) {
134 printf("Cannot generate EC key\n");
135 goto err;
136 }
137 EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
138 EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
139 if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
140 printf("Cannot assign EC key\n");
141 goto err;
142 }
143
144 return 1;
145
146 err:
147 EC_KEY_free(ec);
148 return 0;
149 }
150
key_create_ecdsa_nist(key_t * key,int key_bits)151 static int key_create_ecdsa_nist(key_t *key, int key_bits)
152 {
153 return key_create_ecdsa(key, key_bits, NID_X9_62_prime256v1);
154 }
155
key_create_ecdsa_brainpool_r(key_t * key,int key_bits)156 static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
157 {
158 return key_create_ecdsa(key, key_bits, NID_brainpoolP256r1);
159 }
160
key_create_ecdsa_brainpool_t(key_t * key,int key_bits)161 static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
162 {
163 return key_create_ecdsa(key, key_bits, NID_brainpoolP256t1);
164 }
165 #endif /* USING_OPENSSL3 */
166 #endif /* OPENSSL_NO_EC */
167
168 typedef int (*key_create_fn_t)(key_t *key, int key_bits);
169 static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
170 [KEY_ALG_RSA] = key_create_rsa,
171 #ifndef OPENSSL_NO_EC
172 [KEY_ALG_ECDSA_NIST] = key_create_ecdsa_nist,
173 [KEY_ALG_ECDSA_BRAINPOOL_R] = key_create_ecdsa_brainpool_r,
174 [KEY_ALG_ECDSA_BRAINPOOL_T] = key_create_ecdsa_brainpool_t,
175 #endif /* OPENSSL_NO_EC */
176 };
177
key_create(key_t * key,int type,int key_bits)178 int key_create(key_t *key, int type, int key_bits)
179 {
180 if (type >= KEY_ALG_MAX_NUM) {
181 printf("Invalid key type\n");
182 return 0;
183 }
184
185 if (key_create_fn[type]) {
186 return key_create_fn[type](key, key_bits);
187 }
188
189 return 0;
190 }
191
key_load(key_t * key,unsigned int * err_code)192 int key_load(key_t *key, unsigned int *err_code)
193 {
194 FILE *fp;
195 EVP_PKEY *k;
196
197 if (key->fn) {
198 /* Load key from file */
199 fp = fopen(key->fn, "r");
200 if (fp) {
201 k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
202 fclose(fp);
203 if (k) {
204 *err_code = KEY_ERR_NONE;
205 return 1;
206 } else {
207 ERROR("Cannot load key from %s\n", key->fn);
208 *err_code = KEY_ERR_LOAD;
209 }
210 } else {
211 WARN("Cannot open file %s\n", key->fn);
212 *err_code = KEY_ERR_OPEN;
213 }
214 } else {
215 WARN("Key filename not specified\n");
216 *err_code = KEY_ERR_FILENAME;
217 }
218
219 return 0;
220 }
221
key_store(key_t * key)222 int key_store(key_t *key)
223 {
224 FILE *fp;
225
226 if (key->fn) {
227 fp = fopen(key->fn, "w");
228 if (fp) {
229 PEM_write_PrivateKey(fp, key->key,
230 NULL, NULL, 0, NULL, NULL);
231 fclose(fp);
232 return 1;
233 } else {
234 ERROR("Cannot create file %s\n", key->fn);
235 }
236 } else {
237 ERROR("Key filename not specified\n");
238 }
239
240 return 0;
241 }
242
key_init(void)243 int key_init(void)
244 {
245 cmd_opt_t cmd_opt;
246 key_t *key;
247 unsigned int i;
248
249 keys = malloc((num_def_keys * sizeof(def_keys[0]))
250 #ifdef PDEF_KEYS
251 + (num_pdef_keys * sizeof(pdef_keys[0]))
252 #endif
253 );
254
255 if (keys == NULL) {
256 ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
257 return 1;
258 }
259
260 memcpy(&keys[0], &def_keys[0], (num_def_keys * sizeof(def_keys[0])));
261 #ifdef PDEF_KEYS
262 memcpy(&keys[num_def_keys], &pdef_keys[0],
263 (num_pdef_keys * sizeof(pdef_keys[0])));
264
265 num_keys = num_def_keys + num_pdef_keys;
266 #else
267 num_keys = num_def_keys;
268 #endif
269 ;
270
271 for (i = 0; i < num_keys; i++) {
272 key = &keys[i];
273 if (key->opt != NULL) {
274 cmd_opt.long_opt.name = key->opt;
275 cmd_opt.long_opt.has_arg = required_argument;
276 cmd_opt.long_opt.flag = NULL;
277 cmd_opt.long_opt.val = CMD_OPT_KEY;
278 cmd_opt.help_msg = key->help_msg;
279 cmd_opt_add(&cmd_opt);
280 }
281 }
282
283 return 0;
284 }
285
key_get_by_opt(const char * opt)286 key_t *key_get_by_opt(const char *opt)
287 {
288 key_t *key;
289 unsigned int i;
290
291 /* Sequential search. This is not a performance concern since the number
292 * of keys is bounded and the code runs on a host machine */
293 for (i = 0; i < num_keys; i++) {
294 key = &keys[i];
295 if (0 == strcmp(key->opt, opt)) {
296 return key;
297 }
298 }
299
300 return NULL;
301 }
302
key_cleanup(void)303 void key_cleanup(void)
304 {
305 unsigned int i;
306
307 for (i = 0; i < num_keys; i++) {
308 EVP_PKEY_free(keys[i].key);
309 if (keys[i].fn != NULL) {
310 void *ptr = keys[i].fn;
311
312 free(ptr);
313 keys[i].fn = NULL;
314 }
315 }
316 free(keys);
317 }
318
319