From 204cde3bd45f634e3699a42ed8f865a8385743a5 Mon Sep 17 00:00:00 2001 From: Christophe Priouzeau Date: Mon, 28 Nov 2022 12:16:38 +0100 Subject: [PATCH] tools: allow to use a root key password from command line By defining the ROT_KEY_PWD, user is able to define the private root key password. Useful for build system management. Signed-off-by: Lionel Debieve --- make_helpers/tbbr/tbbr_tools.mk | 2 ++ tools/cert_create/include/key.h | 2 +- tools/cert_create/src/key.c | 4 ++-- tools/cert_create/src/main.c | 13 +++++++++++-- 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk index 5ef2d852e..147159b1a 100644 --- a/make_helpers/tbbr/tbbr_tools.mk +++ b/make_helpers/tbbr/tbbr_tools.mk @@ -25,6 +25,7 @@ # KEY_SIZE # ROT_KEY # PROT_KEY +# ROT_KEY_PWD # PLAT_KEY # SWD_ROT_KEY # CORE_SWD_KEY @@ -74,6 +75,7 @@ $(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg,FWU_))) $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key))) $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,FWU_))) $(if ${PROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PROT_KEY},--prot-key))) +$(if ${ROT_KEY_PWD},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY_PWD},--rot-key-pwd))) $(if ${PLAT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PLAT_KEY},--plat-key))) $(if ${SWD_ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${SWD_ROT_KEY},--swd-rot-key))) $(if ${CORE_SWD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${CORE_SWD_KEY},--core-swd-key))) diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h index 312575b44..ed3654b08 100644 --- a/tools/cert_create/include/key.h +++ b/tools/cert_create/include/key.h @@ -74,7 +74,7 @@ key_t *key_get_by_opt(const char *opt); int key_new(key_t *key); #endif int key_create(key_t *key, int type, int key_bits); -int key_load(key_t *key, unsigned int *err_code); +int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code); int key_store(key_t *key); void key_cleanup(void); diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c index 487777b67..c8f5357be 100644 --- a/tools/cert_create/src/key.c +++ b/tools/cert_create/src/key.c @@ -189,7 +189,7 @@ int key_create(key_t *key, int type, int key_bits) return 0; } -int key_load(key_t *key, unsigned int *err_code) +int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code) { FILE *fp; EVP_PKEY *k; @@ -198,7 +198,7 @@ int key_load(key_t *key, unsigned int *err_code) /* Load key from file */ fp = fopen(key->fn, "r"); if (fp) { - k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL); + k = PEM_read_PrivateKey(fp, &key->key, NULL, rot_key_pwd); fclose(fp); if (k) { *err_code = KEY_ERR_NONE; diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index 2ab6bcfd9..90bb82ba8 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -292,6 +292,10 @@ static const cmd_opt_t common_cmd_opt[] = { { "print-cert", no_argument, NULL, 'p' }, "Print the certificates in the standard output" } + ,{ + { "rot-key-pwd", required_argument, NULL, 'r' }, + "Password for the root key" + }, }; int main(int argc, char *argv[]) @@ -310,6 +314,7 @@ int main(int argc, char *argv[]) unsigned char md[SHA512_DIGEST_LENGTH]; unsigned int md_len; const EVP_MD *md_info; + char *rot_key_pw = NULL; NOTICE("CoT Generation Tool: %s\n", build_msg); NOTICE("Target platform: %s\n", platform_msg); @@ -347,7 +352,7 @@ int main(int argc, char *argv[]) while (1) { /* getopt_long stores the option index here. */ - c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx); + c = getopt_long(argc, argv, "a:b:hknpr:s:", cmd_opt, &opt_idx); /* Detect the end of the options. */ if (c == -1) { @@ -381,6 +386,10 @@ int main(int argc, char *argv[]) case 'p': print_cert = 1; break; + case 'r': + rot_key_pw = malloc(sizeof(char) * strlen(optarg)); + strncpy(rot_key_pw, optarg, strlen(optarg)); + break; case 's': hash_alg = get_hash_alg(optarg); if (hash_alg < 0) { @@ -441,7 +450,7 @@ int main(int argc, char *argv[]) #endif /* First try to load the key from disk */ - if (key_load(&keys[i], &err_code)) { + if (key_load(&keys[i], rot_key_pw, &err_code)) { /* Key loaded successfully */ continue; } -- 2.25.1