Software APIs
cert.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_CERT_CERT_H_
6 #define OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_CERT_CERT_H_
7 
8 #include "sw/device/lib/base/hardened.h"
9 #include "sw/device/silicon_creator/lib/drivers/flash_ctrl.h"
10 #include "sw/device/silicon_creator/lib/drivers/hmac.h"
11 #include "sw/device/silicon_creator/lib/error.h"
12 
13 #ifdef __cplusplus
14 extern "C" {
15 #endif
16 
17 enum {
18  /**
19  * Offsets to the ASN.1 DER encoded serial number of an X.509 certificate.
20  */
21  kCertX509Asn1SerialNumberFieldByteOffset = 13,
22  kCertX509Asn1SerialNumberTagByteOffset =
23  kCertX509Asn1SerialNumberFieldByteOffset,
24  kCertX509Asn1SerialNumberLengthByteOffset =
25  kCertX509Asn1SerialNumberTagByteOffset + 1,
26 
27  /**
28  * Sizes of the ASN.1 DER encoded serial number of an X.509 certificate.
29  */
30  kCertX509Asn1SerialNumberSizeInBytes = 20,
31 
32  /**
33  * Cert key ID size (used for the serial number and auth key ID fields).
34  */
35  kCertKeyIdSizeInBytes = kCertX509Asn1SerialNumberSizeInBytes,
36 };
37 
38 enum dice_x509_cert_expectations {
39  /**
40  * Size of the SerialNumber region header.
41  * Expects 1B tag + 1B len + 1B 0x00
42  */
43  kDiceX509SerialHeaderSizeBytes = 3,
44 
45  /**
46  * Total size in bytes of the SerialNumber region.
47  * Expects header + 20B key id with MSb set.
48  */
49  kDiceX509SerialSizeBytes =
50  kDiceX509SerialHeaderSizeBytes + kCertKeyIdSizeInBytes,
51 
52  /**
53  * Offset to the SerialNumber region including header.
54  * This offset is relative to the *begin* of signed cert.
55  */
56  kDiceX509SerialOffsetBytes = 13,
57 
58  /**
59  * All valid X509 cert should be longer than this size.
60  */
61  kDiceX509MinSizeBytes = kDiceX509SerialOffsetBytes + kDiceX509SerialSizeBytes,
62 };
63 
64 typedef uint8_t cert_key_id_t[kCertKeyIdSizeInBytes];
65 
66 /**
67  * DICE certificate format. It supports 2 types currently.
68  * Each DICE implementation declares one of those specifically.
69  */
70 typedef enum dice_cert_format {
71  kDiceCertFormatX509TcbInfo = 0,
72  kDiceCertFormatCWTAndroid = 1,
73 } dice_cert_format_t;
74 
75 /**
76  * Defines a grouping of certificates onto a single flash info page.
77  */
78 typedef struct cert_flash_info_layout {
79  /**
80  * Boolean to indicate if this layout configuration is used by the
81  * personalization firmware. This enables supporting personalization firmware
82  * extensions.
83  */
84  bool used;
85  /**
86  * A name string for the group of certificates (e.g., "DICE").
87  */
88  char *group_name;
89  /**
90  * The flash info page a set of certificates will be written too.
91  */
92  const flash_ctrl_info_page_t *info_page;
93  /**
94  * The number of certificates that will be written to the flash info page.
95  */
96  size_t num_certs;
97 
98 } cert_flash_info_layout_t;
99 
100 /**
101  * A set of public key IDs required to generate an X.509 certificate.
102  */
103 typedef struct cert_key_id_pair {
104  /**
105  * Pointer to SHA256 digest of the public key matching the private key used to
106  * endorse the certificate.
107  */
108  hmac_digest_t *endorsement;
109  /**
110  * Pointer to SHA256 digest of the public key the certificate is created for.
111  */
112  hmac_digest_t *cert;
113 } cert_key_id_pair_t;
114 
115 /**
116  * Decodes the ASN1 size header word to extract the number of bytes contained in
117  * the ASN1 blob.
118  *
119  * @param header Buffer of four bytes that represents the ASN1 header.
120  * @return Size (in bytes) of the ASN1 blob.
121  */
122 uint32_t cert_x509_asn1_decode_size_header(const uint8_t *header);
123 
124 /**
125  * Check if the serial number field from an ASN.1 DER encoded X.509
126  * certificate is expected.
127  *
128  * This function expects a certificate with a serial number encoded using the
129  * MSb tweak. If the certificate does not have the MSb set for the serial int,
130  * the function may return unmatched.
131  *
132  * @param cert Pointer to the buffer holding the certificate blob.
133  * @param size Size of the `cert` buffer in bytes.
134  * @param expected_sn_bytes Expected serial number bytes (in big endian order).
135  * @param[out] matches True if expected serial number found. False otherwise.
136  * @return The result of the operation.
137  */
138 OT_WARN_UNUSED_RESULT
139 rom_error_t cert_x509_asn1_check_serial_number(const uint8_t *cert, size_t size,
140  cert_key_id_t *expected_sn_bytes,
141  hardened_bool_t *matches);
142 
143 #ifdef __cplusplus
144 }
145 #endif
146 
147 #endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_CERT_CERT_H_
Return to OpenTitan Documentation