1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
|
/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* Host functions for keys.
*/
/* TODO: change all 'return 0', 'return 1' into meaningful return codes */
#include <openssl/pem.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include "2common.h"
#include "2rsa.h"
#include "2sha.h"
#include "2sysincludes.h"
#include "host_common.h"
#include "host_key2.h"
#include "host_key.h"
#include "host_misc.h"
#include "vb2_common.h"
enum vb2_crypto_algorithm vb2_get_crypto_algorithm(
enum vb2_hash_algorithm hash_alg,
enum vb2_signature_algorithm sig_alg)
{
/* Make sure algorithms are in the range supported by crypto alg */
if (sig_alg < VB2_SIG_RSA1024 || sig_alg >= VB2_SIG_ALG_COUNT)
return VB2_ALG_COUNT;
if (hash_alg < VB2_HASH_SHA1 || hash_alg > VB2_HASH_SHA512)
return VB2_ALG_COUNT;
return (sig_alg - VB2_SIG_RSA1024)
* (VB2_HASH_SHA512 - VB2_HASH_SHA1 + 1)
+ (hash_alg - VB2_HASH_SHA1);
};
struct vb2_private_key *vb2_read_private_key(const char *filename)
{
uint8_t *buf = NULL;
uint32_t bufsize = 0;
if (VB2_SUCCESS != vb2_read_file(filename, &buf, &bufsize)) {
VB2_DEBUG("unable to read from file %s\n", filename);
return NULL;
}
struct vb2_private_key *key =
(struct vb2_private_key *)calloc(sizeof(*key), 1);
if (!key) {
VB2_DEBUG("Unable to allocate private key\n");
free(buf);
return NULL;
}
uint64_t alg = *(uint64_t *)buf;
key->hash_alg = vb2_crypto_to_hash(alg);
key->sig_alg = vb2_crypto_to_signature(alg);
const unsigned char *start = buf + sizeof(alg);
key->rsa_private_key =
d2i_RSAPrivateKey(0, &start, bufsize - sizeof(alg));
if (!key->rsa_private_key) {
VB2_DEBUG("Unable to parse RSA private key\n");
free(buf);
free(key);
return NULL;
}
free(buf);
return key;
}
struct vb2_private_key *vb2_read_private_key_pem(
const char* filename,
enum vb2_crypto_algorithm algorithm)
{
if (algorithm >= VB2_ALG_COUNT) {
VB2_DEBUG("%s() called with invalid algorithm!\n",
__FUNCTION__);
return NULL;
}
/* Read private key */
FILE *f = fopen(filename, "r");
if (!f) {
VB2_DEBUG("%s(): Couldn't open key file: %s\n",
__FUNCTION__, filename);
return NULL;
}
struct rsa_st *rsa_key = PEM_read_RSAPrivateKey(f, NULL, NULL, NULL);
fclose(f);
if (!rsa_key) {
VB2_DEBUG("%s(): Couldn't read private key from file: %s\n",
__FUNCTION__, filename);
return NULL;
}
/* Store key and algorithm in our struct */
struct vb2_private_key *key =
(struct vb2_private_key *)calloc(sizeof(*key), 1);
if (!key) {
RSA_free(rsa_key);
return NULL;
}
key->rsa_private_key = rsa_key;
key->hash_alg = vb2_crypto_to_hash(algorithm);
key->sig_alg = vb2_crypto_to_signature(algorithm);
/* Return the key */
return key;
}
void vb2_free_private_key(struct vb2_private_key *key)
{
if (!key)
return;
if (key->rsa_private_key)
RSA_free(key->rsa_private_key);
free(key);
}
vb2_error_t vb2_write_private_key(const char *filename,
const struct vb2_private_key *key)
{
/* Convert back to legacy vb1 algorithm enum */
uint64_t alg = vb2_get_crypto_algorithm(key->hash_alg, key->sig_alg);
if (alg == VB2_ALG_COUNT) {
fprintf(stderr, "Can't find crypto algorithm\n");
return VB2_ERROR_VB1_CRYPTO_ALGORITHM;
}
uint8_t *outbuf = NULL;
int buflen = i2d_RSAPrivateKey(key->rsa_private_key, &outbuf);
if (buflen <= 0) {
fprintf(stderr, "Unable to write private key buffer\n");
return VB2_ERROR_PRIVATE_KEY_WRITE_RSA;
}
FILE *f = fopen(filename, "wb");
if (!f) {
fprintf(stderr, "Unable to open file %s\n", filename);
free(outbuf);
return VB2_ERROR_PRIVATE_KEY_WRITE_FILE;
}
if (1 != fwrite(&alg, sizeof(alg), 1, f) ||
1 != fwrite(outbuf, buflen, 1, f)) {
fprintf(stderr, "Unable to write to file %s\n", filename);
fclose(f);
unlink(filename); /* Delete any partial file */
free(outbuf);
return VB2_ERROR_PRIVATE_KEY_WRITE_FILE;
}
fclose(f);
free(outbuf);
return VB2_SUCCESS;
}
void vb2_init_packed_key(struct vb2_packed_key *key, uint8_t *key_data,
uint32_t key_size)
{
memset(key, 0, sizeof(*key));
key->key_offset = vb2_offset_of(key, key_data);
key->key_size = key_size;
key->algorithm = VB2_ALG_COUNT; /* Key not present yet */
}
struct vb2_packed_key *vb2_alloc_packed_key(uint32_t key_size,
uint32_t algorithm,
uint32_t version)
{
struct vb2_packed_key *key =
(struct vb2_packed_key *)calloc(sizeof(*key) + key_size, 1);
if (!key)
return NULL;
key->algorithm = algorithm;
key->key_version = version;
key->key_size = key_size;
key->key_offset = sizeof(*key);
return key;
}
vb2_error_t vb2_copy_packed_key(struct vb2_packed_key *dest,
const struct vb2_packed_key *src)
{
if (dest->key_size < src->key_size)
return VB2_ERROR_COPY_KEY_SIZE;
dest->key_size = src->key_size;
dest->algorithm = src->algorithm;
dest->key_version = src->key_version;
memcpy(vb2_packed_key_data_mutable(dest),
vb2_packed_key_data(src),
src->key_size);
return VB2_SUCCESS;
}
struct vb2_packed_key *vb2_read_packed_key(const char *filename)
{
struct vb2_packed_key *key = NULL;
uint32_t file_size = 0;
if (VB2_SUCCESS !=
vb2_read_file(filename, (uint8_t **)&key, &file_size)) {
return NULL;
}
if (packed_key_looks_ok(key, file_size))
return key;
/* Error */
free(key);
return NULL;
}
struct vb2_packed_key *vb2_read_packed_keyb(const char *filename,
uint32_t algorithm,
uint32_t version)
{
if (algorithm >= VB2_ALG_COUNT) {
fprintf(stderr, "%s() - invalid algorithm\n", __func__);
return NULL;
}
if (version > VB2_MAX_KEY_VERSION) {
/* Currently, TPM only supports 16-bit version */
fprintf(stderr, "%s() - invalid version %#x\n", __func__,
version);
return NULL;
}
uint8_t *key_data = NULL;
uint32_t key_size = 0;
if (VB2_SUCCESS != vb2_read_file(filename, &key_data, &key_size))
return NULL;
uint32_t expected_key_size =
vb2_packed_key_size(vb2_crypto_to_signature(algorithm));
if (!expected_key_size || expected_key_size != key_size) {
fprintf(stderr, "%s() - wrong key size %u for algorithm %u\n",
__func__, key_size, algorithm);
free(key_data);
return NULL;
}
struct vb2_packed_key *key =
vb2_alloc_packed_key(key_size, algorithm, version);
if (!key) {
free(key_data);
return NULL;
}
memcpy(vb2_packed_key_data_mutable(key), key_data, key_size);
free(key_data);
return key;
}
vb2_error_t vb2_write_packed_key(const char *filename,
const struct vb2_packed_key *key)
{
/* Copy the key, so its data is contiguous with the header */
struct vb2_packed_key *kcopy =
vb2_alloc_packed_key(key->key_size, 0, 0);
if (!kcopy)
return VB2_ERROR_PACKED_KEY_ALLOC;
if (VB2_SUCCESS != vb2_copy_packed_key(kcopy, key)) {
free(kcopy);
return VB2_ERROR_PACKED_KEY_COPY;
}
/* Write the copy, then free it */
vb2_error_t rv = vb2_write_file(filename, kcopy,
kcopy->key_offset + kcopy->key_size);
free(kcopy);
return rv;
}
|
