1 // Copyright 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14
15 // This is a DiceGenerateCertificate implementation that uses boringssl for
16 // crypto and certificate generation. The algorithms used are SHA512,
17 // HKDF-SHA512, and Ed25519-SHA512.
18
19 #include <stdint.h>
20 #include <string.h>
21
22 #include "dice/dice.h"
23 #include "dice/ops.h"
24 #include "dice/utils.h"
25 #include "openssl/asn1.h"
26 #include "openssl/asn1t.h"
27 #include "openssl/bn.h"
28 #include "openssl/curve25519.h"
29 #include "openssl/evp.h"
30 #include "openssl/is_boringssl.h"
31 #include "openssl/objects.h"
32 #include "openssl/x509.h"
33 #include "openssl/x509v3.h"
34
35 #define DICE_MAX_EXTENSION_SIZE 2048
36
37 typedef struct DiceExtensionAsn1 {
38 ASN1_OCTET_STRING* code_hash;
39 ASN1_OCTET_STRING* code_descriptor;
40 ASN1_OCTET_STRING* config_hash;
41 ASN1_OCTET_STRING* config_descriptor;
42 ASN1_OCTET_STRING* authority_hash;
43 ASN1_OCTET_STRING* authority_descriptor;
44 ASN1_ENUMERATED* mode;
45 ASN1_UTF8STRING* profile_name;
46 } DiceExtensionAsn1;
47
48 // clang-format off
49 ASN1_SEQUENCE(DiceExtensionAsn1) = {
50 ASN1_EXP_OPT(DiceExtensionAsn1, code_hash, ASN1_OCTET_STRING, 0),
51 ASN1_EXP_OPT(DiceExtensionAsn1, code_descriptor, ASN1_OCTET_STRING, 1),
52 ASN1_EXP_OPT(DiceExtensionAsn1, config_hash, ASN1_OCTET_STRING, 2),
53 ASN1_EXP_OPT(DiceExtensionAsn1, config_descriptor, ASN1_OCTET_STRING, 3),
54 ASN1_EXP_OPT(DiceExtensionAsn1, authority_hash, ASN1_OCTET_STRING, 4),
55 ASN1_EXP_OPT(DiceExtensionAsn1, authority_descriptor, ASN1_OCTET_STRING, 5),
56 ASN1_EXP_OPT(DiceExtensionAsn1, mode, ASN1_ENUMERATED, 6),
57 ASN1_EXP_OPT(DiceExtensionAsn1, profile_name, ASN1_UTF8STRING, 7),
58 } ASN1_SEQUENCE_END(DiceExtensionAsn1)
59 DECLARE_ASN1_FUNCTIONS(DiceExtensionAsn1)
60 IMPLEMENT_ASN1_FUNCTIONS(DiceExtensionAsn1)
61
62 static DiceResult AddStandardFields(X509* x509, const uint8_t subject_id[DICE_ID_SIZE],
63 const uint8_t authority_id[DICE_ID_SIZE]) {
64 // clang-format on
65 DiceResult result = kDiceResultOk;
66
67 // Initialize variables that are cleaned up on 'goto out'.
68 ASN1_INTEGER* serial = NULL;
69 BIGNUM* serial_bn = NULL;
70 X509_NAME* issuer_name = NULL;
71 X509_NAME* subject_name = NULL;
72 ASN1_TIME* not_before = NULL;
73 ASN1_TIME* not_after = NULL;
74
75 serial = ASN1_INTEGER_new();
76 if (!serial) {
77 result = kDiceResultPlatformError;
78 goto out;
79 }
80 issuer_name = X509_NAME_new();
81 if (!issuer_name) {
82 result = kDiceResultPlatformError;
83 goto out;
84 }
85 subject_name = X509_NAME_new();
86 if (!subject_name) {
87 result = kDiceResultPlatformError;
88 goto out;
89 }
90 not_before = ASN1_TIME_new();
91 if (!not_before) {
92 result = kDiceResultPlatformError;
93 goto out;
94 }
95 not_after = ASN1_TIME_new();
96 if (!not_after) {
97 result = kDiceResultPlatformError;
98 goto out;
99 }
100
101 if (!X509_set_version(x509, 2)) {
102 result = kDiceResultPlatformError;
103 goto out;
104 }
105
106 serial_bn = BN_bin2bn(subject_id, DICE_ID_SIZE, NULL);
107 if (!serial_bn) {
108 result = kDiceResultPlatformError;
109 goto out;
110 }
111 BN_to_ASN1_INTEGER(serial_bn, serial);
112 if (!X509_set_serialNumber(x509, serial)) {
113 result = kDiceResultPlatformError;
114 goto out;
115 }
116
117 uint8_t id_hex[40];
118 DiceHexEncode(authority_id, DICE_ID_SIZE, id_hex, sizeof(id_hex));
119 if (!X509_NAME_add_entry_by_NID(issuer_name, NID_serialNumber, MBSTRING_UTF8,
120 id_hex, sizeof(id_hex), 0, 0)) {
121 result = kDiceResultPlatformError;
122 goto out;
123 }
124 if (!X509_set_issuer_name(x509, issuer_name)) {
125 result = kDiceResultPlatformError;
126 goto out;
127 }
128
129 DiceHexEncode(subject_id, DICE_ID_SIZE, id_hex, sizeof(id_hex));
130 if (!X509_NAME_add_entry_by_NID(subject_name, NID_serialNumber, MBSTRING_UTF8,
131 id_hex, sizeof(id_hex), 0, 0)) {
132 result = kDiceResultPlatformError;
133 goto out;
134 }
135 if (!X509_set_subject_name(x509, subject_name)) {
136 result = kDiceResultPlatformError;
137 goto out;
138 }
139
140 // '180322235959Z' is the date of publication of the DICE specification. Here
141 // it's used as a somewhat arbitrary backstop.
142 if (!ASN1_TIME_set_string(not_before, "180322235959Z")) {
143 result = kDiceResultPlatformError;
144 goto out;
145 }
146 if (!X509_set_notBefore(x509, not_before)) {
147 result = kDiceResultPlatformError;
148 goto out;
149 }
150 // '99991231235959Z' is suggested by RFC 5280 in cases where expiry is not
151 // meaningful. Basically, the certificate never expires.
152 if (!ASN1_TIME_set_string(not_after, "99991231235959Z")) {
153 result = kDiceResultPlatformError;
154 goto out;
155 }
156 if (!X509_set_notAfter(x509, not_after)) {
157 result = kDiceResultPlatformError;
158 goto out;
159 }
160 out:
161 if (serial) {
162 ASN1_INTEGER_free(serial);
163 }
164 if (serial_bn) {
165 BN_free(serial_bn);
166 }
167 if (issuer_name) {
168 X509_NAME_free(issuer_name);
169 }
170 if (subject_name) {
171 X509_NAME_free(subject_name);
172 }
173 if (not_before) {
174 ASN1_TIME_free(not_before);
175 }
176 if (not_after) {
177 ASN1_TIME_free(not_after);
178 }
179 return result;
180 }
181
AddStandardExtensions(X509 * x509,const uint8_t subject_id[DICE_ID_SIZE],const uint8_t authority_id[DICE_ID_SIZE])182 static DiceResult AddStandardExtensions(
183 X509* x509, const uint8_t subject_id[DICE_ID_SIZE],
184 const uint8_t authority_id[DICE_ID_SIZE]) {
185 DiceResult result = kDiceResultOk;
186
187 // Initialize variables that are cleaned up on 'goto out'.
188 AUTHORITY_KEYID* authority_key_id = NULL;
189 ASN1_OCTET_STRING* subject_key_id = NULL;
190 ASN1_BIT_STRING* key_usage = NULL;
191 BASIC_CONSTRAINTS* basic_constraints = NULL;
192 X509_EXTENSION* authority_key_id_ext = NULL;
193 X509_EXTENSION* subject_key_id_ext = NULL;
194 X509_EXTENSION* key_usage_ext = NULL;
195 X509_EXTENSION* basic_constraints_ext = NULL;
196
197 // The authority key identifier extension contains the same raw authority id
198 // that appears in the issuer name.
199 authority_key_id = AUTHORITY_KEYID_new();
200 if (!authority_key_id) {
201 result = kDiceResultPlatformError;
202 goto out;
203 }
204 authority_key_id->keyid = ASN1_OCTET_STRING_new();
205 if (!authority_key_id->keyid) {
206 result = kDiceResultPlatformError;
207 goto out;
208 }
209 if (!ASN1_OCTET_STRING_set(authority_key_id->keyid, authority_id,
210 DICE_ID_SIZE)) {
211 result = kDiceResultPlatformError;
212 goto out;
213 }
214
215 // The subject key identifier extension contains the same raw subject id that
216 // appears in the serial number and the subject name.
217 subject_key_id = ASN1_OCTET_STRING_new();
218 if (!subject_key_id) {
219 result = kDiceResultPlatformError;
220 goto out;
221 }
222 if (!ASN1_OCTET_STRING_set(subject_key_id, subject_id, DICE_ID_SIZE)) {
223 result = kDiceResultPlatformError;
224 goto out;
225 }
226
227 // The key usage extension contains only "keyCertSign".
228 key_usage = ASN1_BIT_STRING_new();
229 if (!key_usage) {
230 result = kDiceResultPlatformError;
231 goto out;
232 }
233 ASN1_BIT_STRING_set_bit(key_usage, 5 /*keyCertSign*/, 1);
234
235 // The basic constraints specify this is a CA with unspecified pathlen.
236 basic_constraints = BASIC_CONSTRAINTS_new();
237 if (!basic_constraints) {
238 result = kDiceResultPlatformError;
239 goto out;
240 }
241 basic_constraints->ca = 1;
242
243 // Encode all the extension objects.
244 authority_key_id_ext = X509V3_EXT_i2d(NID_authority_key_identifier,
245 /*crit=*/0, authority_key_id);
246 if (!authority_key_id_ext) {
247 result = kDiceResultPlatformError;
248 goto out;
249 }
250 subject_key_id_ext = X509V3_EXT_i2d(NID_subject_key_identifier,
251 /*crit=*/0, subject_key_id);
252 if (!subject_key_id_ext) {
253 result = kDiceResultPlatformError;
254 goto out;
255 }
256 key_usage_ext = X509V3_EXT_i2d(NID_key_usage, /*crit=*/1, key_usage);
257 if (!key_usage_ext) {
258 result = kDiceResultPlatformError;
259 goto out;
260 }
261 basic_constraints_ext = X509V3_EXT_i2d(NID_basic_constraints,
262 /*crit=*/1, basic_constraints);
263 if (!basic_constraints_ext) {
264 result = kDiceResultPlatformError;
265 goto out;
266 }
267
268 // Add all the extensions to the given X509 object.
269 if (!X509_add_ext(x509, authority_key_id_ext, -1)) {
270 result = kDiceResultPlatformError;
271 goto out;
272 }
273 if (!X509_add_ext(x509, subject_key_id_ext, -1)) {
274 result = kDiceResultPlatformError;
275 goto out;
276 }
277 if (!X509_add_ext(x509, key_usage_ext, -1)) {
278 result = kDiceResultPlatformError;
279 goto out;
280 }
281 if (!X509_add_ext(x509, basic_constraints_ext, -1)) {
282 result = kDiceResultPlatformError;
283 goto out;
284 }
285 out:
286 if (authority_key_id) {
287 AUTHORITY_KEYID_free(authority_key_id);
288 }
289 if (subject_key_id) {
290 ASN1_OCTET_STRING_free(subject_key_id);
291 }
292 if (key_usage) {
293 ASN1_BIT_STRING_free(key_usage);
294 }
295 if (basic_constraints) {
296 BASIC_CONSTRAINTS_free(basic_constraints);
297 }
298 if (authority_key_id_ext) {
299 X509_EXTENSION_free(authority_key_id_ext);
300 }
301 if (subject_key_id_ext) {
302 X509_EXTENSION_free(subject_key_id_ext);
303 }
304 if (key_usage_ext) {
305 X509_EXTENSION_free(key_usage_ext);
306 }
307 if (basic_constraints_ext) {
308 X509_EXTENSION_free(basic_constraints_ext);
309 }
310 return result;
311 }
312
GetDiceExtensionData(const char * profile_name,const DiceInputValues * input_values,size_t buffer_size,uint8_t * buffer,size_t * actual_size)313 static DiceResult GetDiceExtensionData(const char* profile_name,
314 const DiceInputValues* input_values,
315 size_t buffer_size, uint8_t* buffer,
316 size_t* actual_size) {
317 DiceResult result = kDiceResultOk;
318
319 DiceExtensionAsn1* asn1 = DiceExtensionAsn1_new();
320 if (!asn1) {
321 result = kDiceResultPlatformError;
322 goto out;
323 }
324
325 // Allocate required fields. Optional fields will be allocated as needed.
326 asn1->code_hash = ASN1_OCTET_STRING_new();
327 if (!asn1->code_hash) {
328 result = kDiceResultPlatformError;
329 goto out;
330 }
331 asn1->config_descriptor = ASN1_OCTET_STRING_new();
332 if (!asn1->config_descriptor) {
333 result = kDiceResultPlatformError;
334 goto out;
335 }
336 asn1->authority_hash = ASN1_OCTET_STRING_new();
337 if (!asn1->authority_hash) {
338 result = kDiceResultPlatformError;
339 goto out;
340 }
341 asn1->mode = ASN1_ENUMERATED_new();
342 if (!asn1->mode) {
343 result = kDiceResultPlatformError;
344 goto out;
345 }
346
347 // Encode code input.
348 if (!ASN1_OCTET_STRING_set(asn1->code_hash, input_values->code_hash,
349 DICE_HASH_SIZE)) {
350 result = kDiceResultPlatformError;
351 goto out;
352 }
353 if (input_values->code_descriptor_size > 0) {
354 asn1->code_descriptor = ASN1_OCTET_STRING_new();
355 if (!asn1->code_descriptor) {
356 result = kDiceResultPlatformError;
357 goto out;
358 }
359 if (!ASN1_OCTET_STRING_set(asn1->code_descriptor,
360 input_values->code_descriptor,
361 input_values->code_descriptor_size)) {
362 result = kDiceResultPlatformError;
363 goto out;
364 }
365 }
366
367 // Encode configuration inputs.
368 if (input_values->config_type == kDiceConfigTypeDescriptor) {
369 // The 'descriptor' type means the configuration input is in the descriptor
370 // field and the hash of this was used as the DICE input. In the extension
371 // both are stored.
372 uint8_t hash_buffer[DICE_HASH_SIZE];
373 asn1->config_hash = ASN1_OCTET_STRING_new();
374 if (!asn1->config_hash) {
375 result = kDiceResultPlatformError;
376 goto out;
377 }
378 if (!ASN1_OCTET_STRING_set(asn1->config_descriptor,
379 input_values->config_descriptor,
380 input_values->config_descriptor_size)) {
381 result = kDiceResultPlatformError;
382 goto out;
383 }
384 if (!ASN1_OCTET_STRING_set(
385 asn1->config_hash,
386 SHA512(input_values->config_descriptor,
387 input_values->config_descriptor_size, hash_buffer),
388 DICE_HASH_SIZE)) {
389 result = kDiceResultPlatformError;
390 goto out;
391 }
392 } else if (input_values->config_type == kDiceConfigTypeInline) {
393 // The 'inline' type means the configuration value is 64 bytes and was used
394 // directly as the DICE input. In the extension this value is stored in the
395 // descriptor and the hash is omitted.
396 if (!ASN1_OCTET_STRING_set(asn1->config_descriptor,
397 input_values->config_value,
398 DICE_INLINE_CONFIG_SIZE)) {
399 result = kDiceResultPlatformError;
400 goto out;
401 }
402 } else {
403 result = kDiceResultInvalidInput;
404 goto out;
405 }
406
407 // Encode authority input.
408 if (!ASN1_OCTET_STRING_set(asn1->authority_hash, input_values->authority_hash,
409 DICE_HASH_SIZE)) {
410 result = kDiceResultPlatformError;
411 goto out;
412 }
413 if (input_values->authority_descriptor_size > 0) {
414 asn1->authority_descriptor = ASN1_OCTET_STRING_new();
415 if (!asn1->authority_descriptor) {
416 result = kDiceResultPlatformError;
417 goto out;
418 }
419 if (!ASN1_OCTET_STRING_set(asn1->authority_descriptor,
420 input_values->authority_descriptor,
421 input_values->authority_descriptor_size)) {
422 result = kDiceResultPlatformError;
423 goto out;
424 }
425 }
426
427 // Encode mode input.
428 if (!ASN1_ENUMERATED_set(asn1->mode, input_values->mode)) {
429 result = kDiceResultPlatformError;
430 goto out;
431 }
432
433 // Encode profile name.
434 if (profile_name) {
435 asn1->profile_name = ASN1_UTF8STRING_new();
436 if (!asn1->profile_name) {
437 result = kDiceResultPlatformError;
438 goto out;
439 }
440 if (!ASN1_STRING_set(asn1->profile_name, profile_name,
441 strlen(profile_name))) {
442 result = kDiceResultPlatformError;
443 goto out;
444 }
445 }
446
447 *actual_size = i2d_DiceExtensionAsn1(asn1, NULL);
448 if (buffer_size < *actual_size) {
449 result = kDiceResultBufferTooSmall;
450 goto out;
451 }
452 i2d_DiceExtensionAsn1(asn1, &buffer);
453
454 out:
455 if (asn1) {
456 DiceExtensionAsn1_free(asn1);
457 }
458 return result;
459 }
460
AddDiceExtension(const char * profile_name,const DiceInputValues * input_values,X509 * x509)461 static DiceResult AddDiceExtension(const char* profile_name,
462 const DiceInputValues* input_values,
463 X509* x509) {
464 const char* kDiceExtensionOid = "1.3.6.1.4.1.11129.2.1.24";
465
466 // Initialize variables that are cleaned up on 'goto out'.
467 ASN1_OBJECT* oid = NULL;
468 ASN1_OCTET_STRING* octets = NULL;
469 X509_EXTENSION* extension = NULL;
470
471 uint8_t extension_buffer[DICE_MAX_EXTENSION_SIZE];
472 size_t extension_size = 0;
473 DiceResult result =
474 GetDiceExtensionData(profile_name, input_values, sizeof(extension_buffer),
475 extension_buffer, &extension_size);
476 if (result != kDiceResultOk) {
477 goto out;
478 }
479
480 oid = OBJ_txt2obj(kDiceExtensionOid, 1);
481 if (!oid) {
482 result = kDiceResultPlatformError;
483 goto out;
484 }
485
486 octets = ASN1_OCTET_STRING_new();
487 if (!octets) {
488 result = kDiceResultPlatformError;
489 goto out;
490 }
491 if (!ASN1_OCTET_STRING_set(octets, extension_buffer, extension_size)) {
492 result = kDiceResultPlatformError;
493 goto out;
494 }
495
496 extension =
497 X509_EXTENSION_create_by_OBJ(/*ex=*/NULL, oid, /*crit=*/1, octets);
498 if (!extension) {
499 result = kDiceResultPlatformError;
500 goto out;
501 }
502
503 if (!X509_add_ext(x509, extension, -1)) {
504 result = kDiceResultPlatformError;
505 goto out;
506 }
507 out:
508 if (oid) {
509 ASN1_OBJECT_free(oid);
510 }
511 if (octets) {
512 ASN1_OCTET_STRING_free(octets);
513 }
514 if (extension) {
515 X509_EXTENSION_free(extension);
516 }
517 return result;
518 }
519
GetIdFromKey(void * context,const EVP_PKEY * key,uint8_t id[DICE_ID_SIZE])520 static DiceResult GetIdFromKey(void* context, const EVP_PKEY* key,
521 uint8_t id[DICE_ID_SIZE]) {
522 uint8_t raw_public_key[32];
523 size_t raw_public_key_size = sizeof(raw_public_key);
524 if (!EVP_PKEY_get_raw_public_key(key, raw_public_key, &raw_public_key_size)) {
525 return kDiceResultPlatformError;
526 }
527 return DiceDeriveCdiCertificateId(context, raw_public_key,
528 raw_public_key_size, id);
529 }
530
DiceGenerateCertificate(void * context,const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],const DiceInputValues * input_values,size_t certificate_buffer_size,uint8_t * certificate,size_t * certificate_actual_size)531 DiceResult DiceGenerateCertificate(
532 void* context,
533 const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
534 const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
535 const DiceInputValues* input_values, size_t certificate_buffer_size,
536 uint8_t* certificate, size_t* certificate_actual_size) {
537 DiceResult result = kDiceResultOk;
538
539 // Initialize variables that are cleaned up on 'goto out'.
540 X509* x509 = NULL;
541 EVP_PKEY* authority_key = NULL;
542 EVP_PKEY* subject_key = NULL;
543
544 x509 = X509_new();
545 if (!x509) {
546 result = kDiceResultPlatformError;
547 goto out;
548 }
549 authority_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
550 authority_private_key_seed,
551 DICE_PRIVATE_KEY_SEED_SIZE);
552 if (!authority_key) {
553 result = kDiceResultPlatformError;
554 goto out;
555 }
556 subject_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
557 subject_private_key_seed,
558 DICE_PRIVATE_KEY_SEED_SIZE);
559 if (!subject_key) {
560 result = kDiceResultPlatformError;
561 goto out;
562 }
563 if (!X509_set_pubkey(x509, subject_key)) {
564 result = kDiceResultPlatformError;
565 goto out;
566 }
567
568 uint8_t authority_id[DICE_ID_SIZE];
569 result = GetIdFromKey(context, authority_key, authority_id);
570 if (result != kDiceResultOk) {
571 goto out;
572 }
573 uint8_t subject_id[DICE_ID_SIZE];
574 result = GetIdFromKey(context, subject_key, subject_id);
575 if (result != kDiceResultOk) {
576 goto out;
577 }
578
579 result = AddStandardFields(x509, subject_id, authority_id);
580 if (result != kDiceResultOk) {
581 goto out;
582 }
583 result = AddStandardExtensions(x509, subject_id, authority_id);
584 if (result != kDiceResultOk) {
585 goto out;
586 }
587 DiceKeyParam key_param;
588 result = DiceGetKeyParam(context, kDicePrincipalSubject, &key_param);
589 if (result != kDiceResultOk) {
590 goto out;
591 }
592 result = AddDiceExtension(key_param.profile_name, input_values, x509);
593 if (result != kDiceResultOk) {
594 goto out;
595 }
596 if (!X509_sign(x509, authority_key, NULL /*ED25519 always uses SHA-512*/)) {
597 result = kDiceResultPlatformError;
598 goto out;
599 }
600 *certificate_actual_size = i2d_X509(x509, NULL);
601 if (*certificate_actual_size > certificate_buffer_size) {
602 result = kDiceResultBufferTooSmall;
603 goto out;
604 }
605 *certificate_actual_size = i2d_X509(x509, &certificate);
606 out:
607 if (x509) {
608 X509_free(x509);
609 }
610 if (authority_key) {
611 EVP_PKEY_free(authority_key);
612 }
613 if (subject_key) {
614 EVP_PKEY_free(subject_key);
615 }
616 return result;
617 }
618