Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-05-06 19:39:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
arm-trusted-firmware/tools/cert_create/include/key.h
Sandrine Bailleux bb3b0c0b09 fix(cert-create): fix key loading logic 
When key_load() attempts to load the key from a file and it fails to
open this file, the 'err_code' output argument is set to
'KEY_ERR_OPEN' error code. However, it is incorrectly overwritten
later on with 'KEY_ERR_NONE' or 'KEY_ERR_LOAD'.

The latter case messes up with the key creation scenario. The
'KEY_ERR_LOAD' error leads the tool to exit, when it should attempt to
create the said key file if invoked with the --new-keys/-n option.

Note that, to complicate matters further, which of 'KEY_ERR_OPEN' or
'KEY_ERR_NONE' values is returned by key_load() depends on the version
of OpenSSL in use:

 - If using v3+, KEY_ERROR_LOAD is returned.

 - If using <v3, KEY_ERROR_NONE is returned as a result of the key
   pair container being initialized by key_new().

This patch fixes this bug and also takes the opportunity to refactor
key_load() implementation to (hopefully) make it more straight-forward
and easier to reason about.

Fixes: 616b3ce27d "feat(cert-create): add pkcs11 engine support"
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reported-by: Wenchen Tan <xtaens@qq.com>
Change-Id: Ia78ff442e04c5ff98e6ced8d26becbd817a8ccb7
2023-10-19 11:34:55 +02:00

99 lines
2.5 KiB
C
Raw Blame History

/*
* Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef KEY_H
#define KEY_H
#include <openssl/ossl_typ.h>
/* Error codes */
enum {
KEY_ERR_NONE,
KEY_ERR_MALLOC,
KEY_ERR_FILENAME,
KEY_ERR_OPEN,
KEY_ERR_LOAD
};
/* Supported key algorithms */
enum {
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
#ifndef OPENSSL_NO_EC
KEY_ALG_ECDSA_NIST,
KEY_ALG_ECDSA_BRAINPOOL_R,
KEY_ALG_ECDSA_BRAINPOOL_T,
#endif /* OPENSSL_NO_EC */
KEY_ALG_MAX_NUM
};
/* Maximum number of valid key sizes per algorithm */
#define KEY_SIZE_MAX_NUM 4
/* Supported hash algorithms */
enum{
HASH_ALG_SHA256,
HASH_ALG_SHA384,
HASH_ALG_SHA512,
};
/* Supported key sizes */
/* NOTE: the first item in each array is the default key size */
static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
#ifndef OPENSSL_NO_EC
{ 256, 384 }, /* KEY_ALG_ECDSA_NIST */
{}, /* KEY_ALG_ECDSA_BRAINPOOL_R */
{} /* KEY_ALG_ECDSA_BRAINPOOL_T */
#endif /* OPENSSL_NO_EC */
};
/*
* This structure contains the relevant information to create the keys
* required to sign the certificates.
*
* One instance of this structure must be created for each key, usually in an
* array fashion. The filename is obtained at run time from the command line
* parameters
*/
typedef struct key_s {
int id; /* Key id */
const char *opt; /* Command line option to specify a key */
const char *help_msg; /* Help message */
const char *desc; /* Key description (debug purposes) */
char *fn; /* Filename to load/store the key */
EVP_PKEY *key; /* Key container */
} key_t;
/* Exported API */
int key_init(void);
key_t *key_get_by_opt(const char *opt);
#if !USING_OPENSSL3
int key_new(key_t *key);
#endif
int key_create(key_t *key, int type, int key_bits);
unsigned int key_load(key_t *key);
int key_store(key_t *key);
void key_cleanup(void);
/* Macro to register the keys used in the CoT */
#define REGISTER_KEYS(_keys) \
key_t *def_keys = &_keys[0]; \
const unsigned int num_def_keys = sizeof(_keys)/sizeof(_keys[0])
/* Macro to register the platform defined keys used in the CoT */
#define PLAT_REGISTER_KEYS(_pdef_keys) \
key_t *pdef_keys = &_pdef_keys[0]; \
const unsigned int num_pdef_keys = sizeof(_pdef_keys)/sizeof(_pdef_keys[0])
/* Exported variables */
extern key_t *def_keys;
extern const unsigned int num_def_keys;
extern key_t *pdef_keys;
extern const unsigned int num_pdef_keys;
extern key_t *keys;
extern unsigned int num_keys;
#endif /* KEY_H */
Reference in a new issue View git blame Copy permalink