| // Copyright 2020 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| // use this file except in compliance with the License. You may obtain a copy of |
| // the License at |
| // |
| // https://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| // License for the specific language governing permissions and limitations under |
| // the License. |
| |
| // This is a DiceGenerateCertificate implementation that uses boringssl for |
| // crypto and certificate generation. The algorithms used are SHA512, |
| // HKDF-SHA512, and Ed25519-SHA512. |
| |
| #include <stdint.h> |
| |
| #include "dice/dice.h" |
| #include "dice/ops.h" |
| #include "dice/utils.h" |
| #include "openssl/asn1.h" |
| #include "openssl/asn1t.h" |
| #include "openssl/bn.h" |
| #include "openssl/curve25519.h" |
| #include "openssl/evp.h" |
| #include "openssl/is_boringssl.h" |
| #include "openssl/objects.h" |
| #include "openssl/x509.h" |
| #include "openssl/x509v3.h" |
| |
| #define DICE_MAX_EXTENSION_SIZE 2048 |
| |
| typedef struct DiceExtensionAsn1 { |
| ASN1_OCTET_STRING* code_hash; |
| ASN1_OCTET_STRING* code_descriptor; |
| ASN1_OCTET_STRING* config_hash; |
| ASN1_OCTET_STRING* config_descriptor; |
| ASN1_OCTET_STRING* authority_hash; |
| ASN1_OCTET_STRING* authority_descriptor; |
| ASN1_ENUMERATED* mode; |
| } DiceExtensionAsn1; |
| |
| // clang-format off |
| ASN1_SEQUENCE(DiceExtensionAsn1) = { |
| ASN1_EXP_OPT(DiceExtensionAsn1, code_hash, ASN1_OCTET_STRING, 0), |
| ASN1_EXP_OPT(DiceExtensionAsn1, code_descriptor, ASN1_OCTET_STRING, 1), |
| ASN1_EXP_OPT(DiceExtensionAsn1, config_hash, ASN1_OCTET_STRING, 2), |
| ASN1_EXP_OPT(DiceExtensionAsn1, config_descriptor, ASN1_OCTET_STRING, 3), |
| ASN1_EXP_OPT(DiceExtensionAsn1, authority_hash, ASN1_OCTET_STRING, 4), |
| ASN1_EXP_OPT(DiceExtensionAsn1, authority_descriptor, ASN1_OCTET_STRING, 5), |
| ASN1_EXP_OPT(DiceExtensionAsn1, mode, ASN1_ENUMERATED, 6), |
| } ASN1_SEQUENCE_END(DiceExtensionAsn1) |
| DECLARE_ASN1_FUNCTIONS(DiceExtensionAsn1) |
| IMPLEMENT_ASN1_FUNCTIONS(DiceExtensionAsn1) |
| |
| static DiceResult AddStandardFields(X509* x509, const uint8_t subject_id[DICE_ID_SIZE], |
| const uint8_t authority_id[DICE_ID_SIZE]) { |
| // clang-format on |
| DiceResult result = kDiceResultOk; |
| |
| // Initialize variables that are cleaned up on 'goto out'. |
| ASN1_INTEGER* serial = NULL; |
| BIGNUM* serial_bn = NULL; |
| X509_NAME* issuer_name = NULL; |
| X509_NAME* subject_name = NULL; |
| ASN1_TIME* not_before = NULL; |
| ASN1_TIME* not_after = NULL; |
| |
| serial = ASN1_INTEGER_new(); |
| if (!serial) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| issuer_name = X509_NAME_new(); |
| if (!issuer_name) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| subject_name = X509_NAME_new(); |
| if (!subject_name) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| not_before = ASN1_TIME_new(); |
| if (!not_before) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| not_after = ASN1_TIME_new(); |
| if (!not_after) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| if (!X509_set_version(x509, 2)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| serial_bn = BN_bin2bn(subject_id, DICE_ID_SIZE, NULL); |
| if (!serial_bn) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| BN_to_ASN1_INTEGER(serial_bn, serial); |
| if (!X509_set_serialNumber(x509, serial)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| uint8_t id_hex[40]; |
| DiceHexEncode(authority_id, DICE_ID_SIZE, id_hex, sizeof(id_hex)); |
| if (!X509_NAME_add_entry_by_NID(issuer_name, NID_serialNumber, MBSTRING_UTF8, |
| id_hex, sizeof(id_hex), 0, 0)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_set_issuer_name(x509, issuer_name)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| DiceHexEncode(subject_id, DICE_ID_SIZE, id_hex, sizeof(id_hex)); |
| if (!X509_NAME_add_entry_by_NID(subject_name, NID_serialNumber, MBSTRING_UTF8, |
| id_hex, sizeof(id_hex), 0, 0)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_set_subject_name(x509, subject_name)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| // '180322235959Z' is the date of publication of the DICE specification. Here |
| // it's used as a somewhat arbitrary backstop. |
| if (!ASN1_TIME_set_string(not_before, "180322235959Z")) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_set_notBefore(x509, not_before)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| // '99991231235959Z' is suggested by RFC 5280 in cases where expiry is not |
| // meaningful. Basically, the certificate never expires. |
| if (!ASN1_TIME_set_string(not_after, "99991231235959Z")) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_set_notAfter(x509, not_after)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| out: |
| if (serial) { |
| ASN1_INTEGER_free(serial); |
| } |
| if (serial_bn) { |
| BN_free(serial_bn); |
| } |
| if (issuer_name) { |
| X509_NAME_free(issuer_name); |
| } |
| if (subject_name) { |
| X509_NAME_free(subject_name); |
| } |
| if (not_before) { |
| ASN1_TIME_free(not_before); |
| } |
| if (not_after) { |
| ASN1_TIME_free(not_after); |
| } |
| return result; |
| } |
| |
| static DiceResult AddStandardExtensions( |
| X509* x509, const uint8_t subject_id[DICE_ID_SIZE], |
| const uint8_t authority_id[DICE_ID_SIZE]) { |
| DiceResult result = kDiceResultOk; |
| |
| // Initialize variables that are cleaned up on 'goto out'. |
| AUTHORITY_KEYID* authority_key_id = NULL; |
| ASN1_OCTET_STRING* subject_key_id = NULL; |
| ASN1_BIT_STRING* key_usage = NULL; |
| BASIC_CONSTRAINTS* basic_constraints = NULL; |
| X509_EXTENSION* authority_key_id_ext = NULL; |
| X509_EXTENSION* subject_key_id_ext = NULL; |
| X509_EXTENSION* key_usage_ext = NULL; |
| X509_EXTENSION* basic_constraints_ext = NULL; |
| |
| // The authority key identifier extension contains the same raw authority id |
| // that appears in the issuer name. |
| authority_key_id = AUTHORITY_KEYID_new(); |
| if (!authority_key_id) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| authority_key_id->keyid = ASN1_OCTET_STRING_new(); |
| if (!authority_key_id->keyid) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set(authority_key_id->keyid, authority_id, |
| DICE_ID_SIZE)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| // The subject key identifier extension contains the same raw subject id that |
| // appears in the serial number and the subject name. |
| subject_key_id = ASN1_OCTET_STRING_new(); |
| if (!subject_key_id) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set(subject_key_id, subject_id, DICE_ID_SIZE)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| // The key usage extension contains only "keyCertSign". |
| key_usage = ASN1_BIT_STRING_new(); |
| if (!key_usage) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| ASN1_BIT_STRING_set_bit(key_usage, 5 /*keyCertSign*/, 1); |
| |
| // The basic constraints specify this is a CA with unspecified pathlen. |
| basic_constraints = BASIC_CONSTRAINTS_new(); |
| if (!basic_constraints) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| basic_constraints->ca = 1; |
| |
| // Encode all the extension objects. |
| authority_key_id_ext = X509V3_EXT_i2d(NID_authority_key_identifier, |
| /*crit=*/0, authority_key_id); |
| if (!authority_key_id_ext) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| subject_key_id_ext = X509V3_EXT_i2d(NID_subject_key_identifier, |
| /*crit=*/0, subject_key_id); |
| if (!subject_key_id_ext) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| key_usage_ext = X509V3_EXT_i2d(NID_key_usage, /*crit=*/1, key_usage); |
| if (!key_usage_ext) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| basic_constraints_ext = X509V3_EXT_i2d(NID_basic_constraints, |
| /*crit=*/1, basic_constraints); |
| if (!basic_constraints_ext) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| // Add all the extensions to the given X509 object. |
| if (!X509_add_ext(x509, authority_key_id_ext, -1)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_add_ext(x509, subject_key_id_ext, -1)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_add_ext(x509, key_usage_ext, -1)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_add_ext(x509, basic_constraints_ext, -1)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| out: |
| if (authority_key_id) { |
| AUTHORITY_KEYID_free(authority_key_id); |
| } |
| if (subject_key_id) { |
| ASN1_OCTET_STRING_free(subject_key_id); |
| } |
| if (key_usage) { |
| ASN1_BIT_STRING_free(key_usage); |
| } |
| if (basic_constraints) { |
| BASIC_CONSTRAINTS_free(basic_constraints); |
| } |
| if (authority_key_id_ext) { |
| X509_EXTENSION_free(authority_key_id_ext); |
| } |
| if (subject_key_id_ext) { |
| X509_EXTENSION_free(subject_key_id_ext); |
| } |
| if (key_usage_ext) { |
| X509_EXTENSION_free(key_usage_ext); |
| } |
| if (basic_constraints_ext) { |
| X509_EXTENSION_free(basic_constraints_ext); |
| } |
| return result; |
| } |
| |
| static DiceResult GetDiceExtensionData(const DiceInputValues* input_values, |
| size_t buffer_size, uint8_t* buffer, |
| size_t* actual_size) { |
| DiceResult result = kDiceResultOk; |
| |
| DiceExtensionAsn1* asn1 = DiceExtensionAsn1_new(); |
| if (!asn1) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| // Allocate required fields. Optional fields will be allocated as needed. |
| asn1->code_hash = ASN1_OCTET_STRING_new(); |
| if (!asn1->code_hash) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| asn1->config_descriptor = ASN1_OCTET_STRING_new(); |
| if (!asn1->config_descriptor) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| asn1->authority_hash = ASN1_OCTET_STRING_new(); |
| if (!asn1->authority_hash) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| asn1->mode = ASN1_ENUMERATED_new(); |
| if (!asn1->mode) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| // Encode code input. |
| if (!ASN1_OCTET_STRING_set(asn1->code_hash, input_values->code_hash, |
| DICE_HASH_SIZE)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (input_values->code_descriptor_size > 0) { |
| asn1->code_descriptor = ASN1_OCTET_STRING_new(); |
| if (!asn1->code_descriptor) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set(asn1->code_descriptor, |
| input_values->code_descriptor, |
| input_values->code_descriptor_size)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| } |
| |
| // Encode configuration inputs. |
| if (input_values->config_type == kDiceConfigTypeDescriptor) { |
| // The 'descriptor' type means the configuration input is in the descriptor |
| // field and the hash of this was used as the DICE input. In the extension |
| // both are stored. |
| uint8_t hash_buffer[DICE_HASH_SIZE]; |
| asn1->config_hash = ASN1_OCTET_STRING_new(); |
| if (!asn1->config_hash) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set(asn1->config_descriptor, |
| input_values->config_descriptor, |
| input_values->config_descriptor_size)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set( |
| asn1->config_hash, |
| SHA512(input_values->config_descriptor, |
| input_values->config_descriptor_size, hash_buffer), |
| DICE_HASH_SIZE)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| } else if (input_values->config_type == kDiceConfigTypeInline) { |
| // The 'inline' type means the configuration value is 64 bytes and was used |
| // directly as the DICE input. In the extension this value is stored in the |
| // descriptor and the hash is omitted. |
| if (!ASN1_OCTET_STRING_set(asn1->config_descriptor, |
| input_values->config_value, |
| DICE_INLINE_CONFIG_SIZE)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| } else { |
| result = kDiceResultInvalidInput; |
| goto out; |
| } |
| |
| // Encode authority input. |
| if (!ASN1_OCTET_STRING_set(asn1->authority_hash, input_values->authority_hash, |
| DICE_HASH_SIZE)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (input_values->authority_descriptor_size > 0) { |
| asn1->authority_descriptor = ASN1_OCTET_STRING_new(); |
| if (!asn1->authority_descriptor) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set(asn1->authority_descriptor, |
| input_values->authority_descriptor, |
| input_values->authority_descriptor_size)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| } |
| |
| // Encode mode input. |
| if (!ASN1_ENUMERATED_set(asn1->mode, input_values->mode)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| *actual_size = i2d_DiceExtensionAsn1(asn1, NULL); |
| if (buffer_size < *actual_size) { |
| result = kDiceResultBufferTooSmall; |
| goto out; |
| } |
| i2d_DiceExtensionAsn1(asn1, &buffer); |
| |
| out: |
| if (asn1) { |
| DiceExtensionAsn1_free(asn1); |
| } |
| return result; |
| } |
| |
| static DiceResult AddDiceExtension(const DiceInputValues* input_values, |
| X509* x509) { |
| const char* kDiceExtensionOid = "1.3.6.1.4.1.11129.2.1.24"; |
| |
| // Initialize variables that are cleaned up on 'goto out'. |
| ASN1_OBJECT* oid = NULL; |
| ASN1_OCTET_STRING* octets = NULL; |
| X509_EXTENSION* extension = NULL; |
| |
| uint8_t extension_buffer[DICE_MAX_EXTENSION_SIZE]; |
| size_t extension_size = 0; |
| DiceResult result = |
| GetDiceExtensionData(input_values, sizeof(extension_buffer), |
| extension_buffer, &extension_size); |
| if (result != kDiceResultOk) { |
| goto out; |
| } |
| |
| oid = OBJ_txt2obj(kDiceExtensionOid, 1); |
| if (!oid) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| octets = ASN1_OCTET_STRING_new(); |
| if (!octets) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!ASN1_OCTET_STRING_set(octets, extension_buffer, extension_size)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| extension = |
| X509_EXTENSION_create_by_OBJ(/*ex=*/NULL, oid, /*crit=*/0, octets); |
| if (!extension) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| if (!X509_add_ext(x509, extension, -1)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| out: |
| if (oid) { |
| ASN1_OBJECT_free(oid); |
| } |
| if (octets) { |
| ASN1_OCTET_STRING_free(octets); |
| } |
| if (extension) { |
| X509_EXTENSION_free(extension); |
| } |
| return result; |
| } |
| |
| static DiceResult GetIdFromKey(void* context, const EVP_PKEY* key, |
| uint8_t id[DICE_ID_SIZE]) { |
| uint8_t raw_public_key[32]; |
| size_t raw_public_key_size = sizeof(raw_public_key); |
| if (!EVP_PKEY_get_raw_public_key(key, raw_public_key, &raw_public_key_size)) { |
| return kDiceResultPlatformError; |
| } |
| return DiceDeriveCdiCertificateId(context, raw_public_key, |
| raw_public_key_size, id); |
| } |
| |
| DiceResult DiceGenerateCertificate( |
| void* context, |
| const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE], |
| const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE], |
| const DiceInputValues* input_values, size_t certificate_buffer_size, |
| uint8_t* certificate, size_t* certificate_actual_size) { |
| DiceResult result = kDiceResultOk; |
| |
| // Initialize variables that are cleaned up on 'goto out'. |
| X509* x509 = NULL; |
| EVP_PKEY* authority_key = NULL; |
| EVP_PKEY* subject_key = NULL; |
| |
| x509 = X509_new(); |
| if (!x509) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| authority_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL, |
| authority_private_key_seed, |
| DICE_PRIVATE_KEY_SEED_SIZE); |
| if (!authority_key) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| subject_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL, |
| subject_private_key_seed, |
| DICE_PRIVATE_KEY_SEED_SIZE); |
| if (!subject_key) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| if (!X509_set_pubkey(x509, subject_key)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| |
| uint8_t authority_id[DICE_ID_SIZE]; |
| result = GetIdFromKey(context, authority_key, authority_id); |
| if (result != kDiceResultOk) { |
| goto out; |
| } |
| uint8_t subject_id[DICE_ID_SIZE]; |
| result = GetIdFromKey(context, subject_key, subject_id); |
| if (result != kDiceResultOk) { |
| goto out; |
| } |
| |
| result = AddStandardFields(x509, subject_id, authority_id); |
| if (result != kDiceResultOk) { |
| goto out; |
| } |
| result = AddStandardExtensions(x509, subject_id, authority_id); |
| if (result != kDiceResultOk) { |
| goto out; |
| } |
| result = AddDiceExtension(input_values, x509); |
| if (result != kDiceResultOk) { |
| goto out; |
| } |
| if (!X509_sign(x509, authority_key, NULL /*ED25519 always uses SHA-512*/)) { |
| result = kDiceResultPlatformError; |
| goto out; |
| } |
| *certificate_actual_size = i2d_X509(x509, NULL); |
| if (*certificate_actual_size > certificate_buffer_size) { |
| result = kDiceResultBufferTooSmall; |
| goto out; |
| } |
| *certificate_actual_size = i2d_X509(x509, &certificate); |
| out: |
| if (x509) { |
| X509_free(x509); |
| } |
| if (authority_key) { |
| EVP_PKEY_free(authority_key); |
| } |
| if (subject_key) { |
| EVP_PKEY_free(subject_key); |
| } |
| return result; |
| } |