-
Notifications
You must be signed in to change notification settings - Fork 0
/
TLS_signature.c
224 lines (203 loc) · 7.72 KB
/
TLS_signature.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
#include <stdio.h>
#include <string.h>
#include <tee_internal_api.h>
#include <tee_internal_api_extensions.h>
#include <user_ta_header_defines.h>
/*
* Called when the instance of the TA is created. This is the first call in the
* TA.
*/
TEE_Result TA_CreateEntryPoint(void) {
DMSG("has been called");
return TEE_SUCCESS;
}
/*
* Called when the instance of the TA is destroyed if the TA has not
* crashed or panicked. This is the last call in the TA.
*/
void TA_DestroyEntryPoint(void) { DMSG("has been called"); }
/*
* Called when a new session is opened to the TA. *sess_ctx can be updated
* with a value to be able to identify this session in subsequent calls to the
* TA. In this function you will normally do the global initialization for the
* TA.
*/
TEE_Result TA_OpenSessionEntryPoint(uint32_t __unused param_types,
TEE_Param __maybe_unused params[4],
void __maybe_unused **sess_ctx) {
DMSG("has been called");
return TEE_SUCCESS;
}
/*
* Called when a session is closed, sess_ctx hold the value that was
* assigned by TA_OpenSessionEntryPoint().
*/
void TA_CloseSessionEntryPoint(void __maybe_unused *sess_ctx) {
DMSG("has been called");
}
// Creates new RSA key
static TEE_ObjectHandle create_rsa_key(rsa_pkey_t *key) {
TEE_ObjectHandle obj = TEE_HANDLE_NULL;
TEE_Result res =
TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, key->n_s * 8, &obj);
if (res != TEE_SUCCESS) {
EMSG("E: TEE_AllocateTransientObject failed");
TEE_FreeTransientObject(obj);
return TEE_HANDLE_NULL;
}
TEE_Attribute attrs[3];
TEE_InitRefAttribute(&attrs[0], TEE_ATTR_RSA_MODULUS, key->n,
key->n_s); // n
TEE_InitRefAttribute(&attrs[1], TEE_ATTR_RSA_PUBLIC_EXPONENT, key->e,
key->e_s); // e
TEE_InitRefAttribute(&attrs[2], TEE_ATTR_RSA_PRIVATE_EXPONENT, key->d,
key->d_s); // d
res = TEE_PopulateTransientObject(obj, attrs, 3);
if (res != TEE_SUCCESS) {
EMSG("E: TEE_PopulateTransientObject failed");
TEE_FreeTransientObject(obj);
return TEE_HANDLE_NULL;
}
return obj;
}
// Puts the key to the storage
static TEE_Result install_key(uint32_t param_types, TEE_Param params[4]) {
TEE_ObjectHandle transient_obj = TEE_HANDLE_NULL;
TEE_ObjectHandle persistant_obj = TEE_HANDLE_NULL;
IMSG("Storing a key");
uint32_t exp_param_types = TEE_PARAM_TYPES(
TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);
if (param_types != exp_param_types) {
EMSG("E: bad parameters");
return TEE_ERROR_BAD_PARAMETERS;
}
rsa_pkey_t *key = (rsa_pkey_t *)params[1].memref.buffer;
if (sizeof(*key) != params[1].memref.size) {
EMSG("E: wrong size of rsa_pkey_t struct");
return TEE_ERROR_BAD_PARAMETERS;
}
transient_obj = create_rsa_key(key);
if (transient_obj == TEE_HANDLE_NULL) {
EMSG("E: Can't create transient object");
return TEE_ERROR_BAD_PARAMETERS;
}
// Create object
uint8_t client_id[32]; // SHA256
memcpy(client_id, params[0].memref.buffer,
params[0].memref.size); // must be local
TEE_Result ret = TEE_CreatePersistentObject(
TEE_STORAGE_PRIVATE, // Private storage
client_id, sizeof(client_id), // Object ID and ID length
TEE_DATA_FLAG_ACCESS_WRITE, // flags
transient_obj, // RSA key
NULL, 0, // data
&persistant_obj // handle
);
if (ret) {
EMSG("E: Create");
return ret;
}
TEE_FreeTransientObject(transient_obj);
TEE_CloseObject(persistant_obj);
return TEE_SUCCESS;
}
// Checks if key exists in the storage
static TEE_Result has_key(uint32_t param_types, TEE_Param params[4]) {
uint32_t exp_param_types =
TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);
if (param_types != exp_param_types) return TEE_ERROR_BAD_PARAMETERS;
TEE_ObjectHandle obj = TEE_HANDLE_NULL;
uint8_t client_id[32]; // SHA256
memcpy(client_id, params[0].memref.buffer,
params[0].memref.size); // must be local
TEE_Result res = TEE_OpenPersistentObject(TEE_STORAGE_PRIVATE, client_id,
params[0].memref.size,
TEE_DATA_FLAG_ACCESS_READ, &obj);
if (res) {
EMSG("E: Open 0x%X", res);
return res;
}
TEE_CloseObject(obj);
return TEE_SUCCESS;
}
// Performs key deletion from the secure storage
static TEE_Result del_key(uint32_t param_types, TEE_Param params[4]) {
uint32_t exp_param_types =
TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);
if (param_types != exp_param_types) return TEE_ERROR_BAD_PARAMETERS;
TEE_ObjectHandle obj = TEE_HANDLE_NULL;
uint8_t client_id[32]; // SHA256
memcpy(client_id, params[0].memref.buffer,
params[0].memref.size); // must be local
TEE_Result res = TEE_OpenPersistentObject(
TEE_STORAGE_PRIVATE, client_id, params[0].memref.size,
TEE_DATA_FLAG_ACCESS_WRITE_META, &obj);
if (res) {
EMSG("E: Can't open");
return res;
}
TEE_CloseAndDeletePersistentObject(obj);
return TEE_SUCCESS;
}
// Performs RSA signing with a key from secure storage
static TEE_Result sign_rsa(uint32_t param_types, TEE_Param params[4]) {
TEE_OperationHandle op = TEE_HANDLE_NULL;
TEE_ObjectHandle key = TEE_HANDLE_NULL;
uint32_t exp_param_types = TEE_PARAM_TYPES(
TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_MEMREF_INOUT, TEE_PARAM_TYPE_NONE);
if (param_types != exp_param_types) return TEE_ERROR_BAD_PARAMETERS;
uint8_t client_id[32]; // SHA256
memcpy(client_id, params[0].memref.buffer,
params[0].memref.size); // must be local
TEE_Result res = TEE_OpenPersistentObject(
TEE_STORAGE_PRIVATE, client_id, 32, TEE_DATA_FLAG_ACCESS_READ, &key);
if (res) {
EMSG("E: Can't open");
return res;
}
// perform RSA sigining
IMSG("RSA signing");
res = TEE_AllocateOperation(&op, TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256,
TEE_MODE_SIGN, MAX_RSA_KEY_SIZE * 8);
if (res) {
EMSG("E: Can't allocate signature operation");
return res;
}
TEE_SetOperationKey(op, key);
res = TEE_AsymmetricSignDigest(
op, NULL, 0, params[1].memref.buffer, params[1].memref.size,
params[2].memref.buffer, ¶ms[2].memref.size);
if (res) {
EMSG("E: Can't sign with RSA key");
return res;
}
TEE_CloseObject(key);
TEE_FreeOperation(op);
return TEE_SUCCESS;
}
/*
* Called when a TA is invoked. sess_ctx hold that value that was
* assigned by TA_OpenSessionEntryPoint(). The rest of the paramters
* comes from normal world.
*/
TEE_Result TA_InvokeCommandEntryPoint(void __maybe_unused *sess_ctx,
uint32_t cmd_id, uint32_t param_types,
TEE_Param params[4]) {
(void)&sess_ctx; /* Unused parameter */
switch (cmd_id) {
case TA_INSTALL_KEYS:
return install_key(param_types, params);
case TA_HAS_KEYS:
return has_key(param_types, params);
case TA_DEL_KEYS:
return del_key(param_types, params);
case TA_SIGN_RSA:
return sign_rsa(param_types, params);
default:
return TEE_ERROR_BAD_PARAMETERS;
}
}