# =============================================================================== # # Copyright (c) 2013-2016 Qualcomm Technologies, Inc. # All Rights Reserved. # Confidential and Proprietary - Qualcomm Technologies, Inc. # # =============================================================================== import os from plugin.signer import HSMSigner from plugin.signer.example import CUR_DIR, launch_command, \ save_file_contents class HSMDataProvSigner(HSMSigner): """Example signer class that uses openssl to simulate HSM behavior. The class simulates following usecase: 1. OEM puts the root and the ca certs under: resources/data_prov_assets/Signing/Local 2. OEM uses the HSM to dynamically generate the attestation cert. 3. OEM uses the HSM to generate the signature using the attestation cert generated in #2. The class provides all following secure assets: attestation cert, signature. """ @classmethod def is_plugin(cls): """Registers the class with the signer plugin manager. This allows the signer to be selected by the user from config/command line. Returns: is_plugin (bool): True if the signer should be enabled, False if the signer should be disabled. """ return True @classmethod def signer_id(cls): """Specifies the unique id of the signer. This is the id that the user will use to select the signer from config/command line. Returns: signer_id (str): ID of the signer. """ return 'example_hsm_dataprov' def sign_req(self, signing_attrs, attest_cert_dict, image_hash): """Signs the image_hash, generates the attestation certificate using the attest_cert_dict and signing_attrs and optionally returns the root certificate and the ca certificate. Args: signing_attrs (object): An object containing the following signing attributes: - key_size: Size of the key for attestation key. - exponent: Exponent for attestation key. attest_cert_dict (dict): Dictionary containing the parameters to be put in the attestation certificate. image_hash (str): The image hash binary blob to be signed. Returns: A tuple containing the root certificate, ca certificate, attestation certificate and the signature corresponsding to the image hash. root_cert (str): - Binary blob of the root certificate. - None if root certificate is provided under: resources/data_prov_assets/Signing/Local ca_cert (str): - Binary blob of the ca certificate. - None if ca certificate is provided under: resources/data_prov_assets/Signing/Local attest_cert (str): Binary blob of the attestation certificate. signature (str): Binary blob of the signature. """ # Set the paths for the resources directory. resources = os.path.join(CUR_DIR, 'resources') openssl_config_path = os.path.join(resources, 'openssl.cfg') extfile_path = os.path.join(resources, 'v3_attest.ext') # Temporary scratch work directory. tmp = os.path.join(CUR_DIR, 'tmp') if not os.path.exists(tmp): os.makedirs(tmp) #----------------------------------------------------------------- # 1. Simulate the creation of attestation key by the HSM. #----------------------------------------------------------------- # Create the openssl command for generation of the attestation key command = [self.openssl_path, 'genrsa'] if signing_attrs.exponent == 3: command.append('-3') elif signing_attrs.exponent == 65537: command.append('-f4') else: raise RuntimeError('Invalid exponent value: ' + str(signing_attrs.exponent)) command.append(str(signing_attrs.key_size)) # Generate the attestation key attest_priv_key = launch_command(command) #----------------------------------------------------------------- # 2. Simulate the creation of attestation certificate request by HSM. #----------------------------------------------------------------- # Generate new certificate subject_params = self.get_openssl_subject_params(attest_cert_dict) attest_priv_key_path = os.path.join(tmp, 'attest.key') save_file_contents(attest_priv_key_path, attest_priv_key) command = [self.openssl_path, 'req', '-new', '-sha256', '-key', attest_priv_key_path, '-subj', subject_params, '-config', openssl_config_path, '-set_serial', str(self.CERT_SERIAL), '-days', str(self.CERT_DAYS)] attest_req = launch_command(command) #----------------------------------------------------------------- # 3. Simulate the signing of attestation certificate request by the # ca certificate / key using HSM. #----------------------------------------------------------------- # Sign the attestation certificate attest_req_path = os.path.join(tmp, 'attest_req.cer') attestca_path = os.path.join(tmp, 'attestca.cer') attestpriv_path = os.path.join(tmp, 'attestpriv.key') save_file_contents(attest_req_path, attest_req) save_file_contents(attestca_path, self.certs[self.CA].cert) save_file_contents(attestpriv_path, self.certs[self.CA].priv_key) command = [self.openssl_path, 'x509', '-req', '-sha256', '-in', attest_req_path, '-CA', attestca_path, '-CAkey', attestpriv_path, '-set_serial', str(self.CERT_SERIAL), '-extfile', extfile_path, '-days', str(self.CERT_DAYS)] attest_cert = launch_command(command) #----------------------------------------------------------------- # 4. Simulate the generation of the signature by HSM. #----------------------------------------------------------------- # Generate signature image_hash_path = os.path.join(tmp, 'hash.bin') save_file_contents(image_hash_path, image_hash) command = [self.openssl_path, 'pkeyutl', '-sign', '-inkey', attest_priv_key_path, '-in', image_hash_path, '-pkeyopt', 'rsa_padding_mode:pkcs1'] signature = launch_command(command) # Return the required secure assets return None, None, attest_cert, signature