blob: 9996449b3d91ba7ef0b5c50fe5ae8cd35a50175d [file] [log] [blame]
/* Copyright 2015 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include <getopt.h>
#include <stdio.h>
#include <unistd.h>
#include <openssl/pem.h>
#include "2sysincludes.h"
#include "2common.h"
#include "2id.h"
#include "2rsa.h"
#include "2sha.h"
#include "openssl_compat.h"
#include "util_misc.h"
#include "vb2_common.h"
#include "vb21_common.h"
#include "host_key.h"
#include "host_key2.h"
#include "host_misc2.h"
#include "futility.h"
#include "futility_options.h"
/* Command line options */
enum {
OPT_OUTFILE = 1000,
OPT_VERSION,
OPT_DESC,
OPT_ID,
OPT_HASH_ALG,
OPT_HELP,
};
#define DEFAULT_VERSION 1
#define DEFAULT_HASH VB2_HASH_SHA256;
static char *infile, *outfile, *outext;
static uint32_t opt_version = DEFAULT_VERSION;
enum vb2_hash_algorithm opt_hash_alg = DEFAULT_HASH;
static char *opt_desc;
static struct vb2_id opt_id;
static int force_id;
static const struct option long_opts[] = {
{"version", 1, 0, OPT_VERSION},
{"desc", 1, 0, OPT_DESC},
{"id", 1, 0, OPT_ID},
{"hash_alg", 1, 0, OPT_HASH_ALG},
{"help", 0, 0, OPT_HELP},
{NULL, 0, 0, 0}
};
static void print_help(int argc, char *argv[])
{
const struct vb2_text_vs_enum *entry;
printf("\n"
"Usage: " MYNAME " %s [options] <INFILE> [<BASENAME>]\n", argv[0]);
printf("\n"
"Create a keypair from an RSA key (.pem file).\n"
"\n"
"Options:\n"
"\n"
" --version <number> Key version (default %d)\n"
" --hash_alg <number> Hashing algorithm to use:\n",
DEFAULT_VERSION);
for (entry = vb2_text_vs_hash; entry->name; entry++)
printf(" %d / %s%s\n",
entry->num, entry->name,
entry->num == VB2_HASH_SHA256 ? " (default)" : "");
printf(
" --id <id> Identifier for this keypair (vb21 only)\n"
" --desc <text> Human-readable description (vb21 only)\n"
"\n");
}
static int vb1_make_keypair()
{
struct vb2_private_key *privkey = NULL;
struct vb2_packed_key *pubkey = NULL;
struct rsa_st *rsa_key = NULL;
uint8_t *keyb_data = 0;
uint32_t keyb_size;
int ret = 1;
FILE *fp = fopen(infile, "rb");
if (!fp) {
fprintf(stderr, "Unable to open %s\n", infile);
goto done;
}
/* TODO: this is very similar to vb2_read_private_key_pem() */
rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
if (!rsa_key) {
fprintf(stderr, "Unable to read RSA key from %s\n", infile);
goto done;
}
enum vb2_signature_algorithm sig_alg = vb2_rsa_sig_alg(rsa_key);
if (sig_alg == VB2_SIG_INVALID) {
fprintf(stderr, "Unsupported sig algorithm in RSA key\n");
goto done;
}
/* Combine the sig_alg with the hash_alg to get the vb1 algorithm */
uint64_t vb1_algorithm =
vb2_get_crypto_algorithm(opt_hash_alg, sig_alg);
/* Create the private key */
privkey = (struct vb2_private_key *)calloc(sizeof(*privkey), 1);
if (!privkey)
goto done;
privkey->rsa_private_key = rsa_key;
privkey->sig_alg = sig_alg;
privkey->hash_alg = opt_hash_alg;
/* Write it out */
strcpy(outext, ".vbprivk");
if (0 != vb2_write_private_key(outfile, privkey)) {
fprintf(stderr, "unable to write private key\n");
goto done;
}
printf("wrote %s\n", outfile);
/* Create the public key */
ret = vb_keyb_from_rsa(rsa_key, &keyb_data, &keyb_size);
if (ret) {
fprintf(stderr, "couldn't extract the public key\n");
goto done;
}
pubkey = vb2_alloc_packed_key(keyb_size, vb1_algorithm, opt_version);
if (!pubkey)
goto done;
memcpy((uint8_t *)vb2_packed_key_data(pubkey), keyb_data, keyb_size);
/* Write it out */
strcpy(outext, ".vbpubk");
if (VB2_SUCCESS != vb2_write_packed_key(outfile, pubkey)) {
fprintf(stderr, "unable to write public key\n");
goto done;
}
printf("wrote %s\n", outfile);
ret = 0;
done:
free(privkey);
free(pubkey);
free(keyb_data);
RSA_free(rsa_key);
return ret;
}
static int vb2_make_keypair()
{
struct vb2_private_key *privkey = 0;
struct vb2_public_key *pubkey = 0;
RSA *rsa_key = 0;
uint8_t *keyb_data = 0;
uint32_t keyb_size;
enum vb2_signature_algorithm sig_alg;
uint8_t *pubkey_buf = 0;
int has_priv = 0;
const BIGNUM *rsa_d;
FILE *fp;
int ret = 1;
fp = fopen(infile, "rb");
if (!fp) {
fprintf(stderr, "Unable to open %s\n", infile);
goto done;
}
rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
if (!rsa_key) {
/* Check if the PEM contains only a public key */
if (0 != fseek(fp, 0, SEEK_SET)) {
fprintf(stderr, "Error seeking in %s\n", infile);
goto done;
}
rsa_key = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
}
fclose(fp);
if (!rsa_key) {
fprintf(stderr, "Unable to read RSA key from %s\n", infile);
goto done;
}
/* Public keys doesn't have the private exponent */
RSA_get0_key(rsa_key, NULL, NULL, &rsa_d);
has_priv = !!rsa_d;
if (!has_priv)
fprintf(stderr, "%s has a public key only.\n", infile);
sig_alg = vb2_rsa_sig_alg(rsa_key);
if (sig_alg == VB2_SIG_INVALID) {
fprintf(stderr, "Unsupported sig algorithm in RSA key\n");
goto done;
}
if (has_priv) {
/* Create the private key */
privkey = calloc(1, sizeof(*privkey));
if (!privkey) {
fprintf(stderr, "Unable to allocate the private key\n");
goto done;
}
privkey->rsa_private_key = rsa_key;
privkey->sig_alg = sig_alg;
privkey->hash_alg = opt_hash_alg;
if (opt_desc && vb2_private_key_set_desc(privkey, opt_desc)) {
fprintf(stderr,
"Unable to set the private key description\n");
goto done;
}
}
/* Create the public key */
if (vb2_public_key_alloc(&pubkey, sig_alg)) {
fprintf(stderr, "Unable to allocate the public key\n");
goto done;
}
/* Extract the keyb blob */
if (vb_keyb_from_rsa(rsa_key, &keyb_data, &keyb_size)) {
fprintf(stderr, "Couldn't extract the public key\n");
goto done;
}
/*
* Copy the keyb blob to the public key's buffer, because that's where
* vb2_unpack_key_data() and vb2_public_key_pack() expect to find it.
*/
pubkey_buf = vb2_public_key_packed_data(pubkey);
memcpy(pubkey_buf, keyb_data, keyb_size);
/* Fill in the internal struct pointers */
if (vb2_unpack_key_data(pubkey, pubkey_buf, keyb_size)) {
fprintf(stderr, "Unable to unpack the public key blob\n");
goto done;
}
pubkey->hash_alg = opt_hash_alg;
pubkey->version = opt_version;
if (opt_desc && vb2_public_key_set_desc(pubkey, opt_desc)) {
fprintf(stderr, "Unable to set pubkey description\n");
goto done;
}
/* Update the IDs */
if (!force_id) {
vb2_digest_buffer(keyb_data, keyb_size, VB2_HASH_SHA1,
opt_id.raw, sizeof(opt_id.raw));
}
memcpy((struct vb2_id *)pubkey->id, &opt_id, sizeof(opt_id));
/* Write them out */
if (has_priv) {
privkey->id = opt_id;
strcpy(outext, ".vbprik2");
if (vb21_private_key_write(privkey, outfile)) {
fprintf(stderr, "unable to write private key\n");
goto done;
}
printf("wrote %s\n", outfile);
}
strcpy(outext, ".vbpubk2");
if (vb21_public_key_write(pubkey, outfile)) {
fprintf(stderr, "unable to write public key\n");
goto done;
}
printf("wrote %s\n", outfile);
ret = 0;
done:
RSA_free(rsa_key);
if (privkey) /* prevent double-free */
privkey->rsa_private_key = 0;
vb2_private_key_free(privkey);
vb2_public_key_free(pubkey);
free(keyb_data);
return ret;
}
static int do_create(int argc, char *argv[])
{
int errorcnt = 0;
char *e, *s;
int i, r, len, remove_ext = 0;
while ((i = getopt_long(argc, argv, "", long_opts, NULL)) != -1) {
switch (i) {
case OPT_VERSION:
opt_version = strtoul(optarg, &e, 0);
if (!*optarg || (e && *e)) {
fprintf(stderr,
"invalid version \"%s\"\n", optarg);
errorcnt = 1;
}
break;
case OPT_DESC:
opt_desc = optarg;
break;
case OPT_ID:
if (VB2_SUCCESS != vb2_str_to_id(optarg, &opt_id)) {
fprintf(stderr, "invalid id \"%s\"\n",
optarg);
errorcnt = 1;
}
force_id = 1;
break;
case OPT_HASH_ALG:
if (!vb2_lookup_hash_alg(optarg, &opt_hash_alg)) {
fprintf(stderr,
"invalid hash_alg \"%s\"\n", optarg);
errorcnt++;
}
break;
case OPT_HELP:
print_help(argc, argv);
return !!errorcnt;
case '?':
if (optopt)
fprintf(stderr, "Unrecognized option: -%c\n",
optopt);
else
fprintf(stderr, "Unrecognized option\n");
errorcnt++;
break;
case ':':
fprintf(stderr, "Missing argument to -%c\n", optopt);
errorcnt++;
break;
case 0: /* handled option */
break;
default:
DIE;
}
}
/* If we don't have an input file already, we need one */
if (!infile) {
if (argc - optind <= 0) {
fprintf(stderr, "ERROR: missing input filename\n");
errorcnt++;
} else {
infile = argv[optind++];
}
}
if (errorcnt) {
print_help(argc, argv);
return 1;
}
/* Decide how to determine the output filenames. */
if (argc > optind) {
s = argv[optind++]; /* just use this */
} else {
s = infile; /* based on pem file name */
remove_ext = 1;
}
/* Make an extra-large copy to leave room for filename extensions */
len = strlen(s) + 20;
outfile = (char *)malloc(len);
if (!outfile) {
fprintf(stderr, "ERROR: malloc() failed\n");
return 1;
}
strcpy(outfile, s);
if (remove_ext) {
/* Find the last '/' if any, then the last '.' before that. */
s = strrchr(outfile, '/');
if (!s)
s = outfile;
s = strrchr(s, '.');
/* Cut off the extension */
if (s)
*s = '\0';
}
/* Remember that spot for later */
outext = outfile + strlen(outfile);
/* Okay, do it */
if (vboot_version == VBOOT_VERSION_1_0)
r = vb1_make_keypair();
else
r = vb2_make_keypair();
free(outfile);
return r;
}
DECLARE_FUTIL_COMMAND(create, do_create, VBOOT_VERSION_ALL,
"Create a keypair from an RSA .pem file");