1 /*############################################################################
2   # Copyright 2016-2017 Intel Corporation
3   #
4   # Licensed under the Apache License, Version 2.0 (the "License");
5   # you may not use this file except in compliance with the License.
6   # You may obtain a copy of the License at
7   #
8   #     http://www.apache.org/licenses/LICENSE-2.0
9   #
10   # Unless required by applicable law or agreed to in writing, software
11   # distributed under the License is distributed on an "AS IS" BASIS,
12   # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   # See the License for the specific language governing permissions and
14   # limitations under the License.
15   ############################################################################*/
16 
17 /*!
18  * \file
19  *
20  * \brief Create signature based revocation list request
21  *
22  */
23 
24 #include <argtable3.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include "epid/common/file_parser.h"
28 #include "util/buffutil.h"
29 #include "util/envutil.h"
30 #include "util/stdtypes.h"
31 
32 // Defaults
33 #define PROGRAM_NAME "revokesig"
34 #define PUBKEYFILE_DEFAULT "pubkey.bin"
35 #define REQFILE_DEFAULT "sigrlreq.dat"
36 #define SIG_DEFAULT "sig.dat"
37 #define GROUP_PUB_KEY_SIZE \
38   (sizeof(EpidFileHeader) + sizeof(GroupPubKey) + sizeof(EcdsaSignature))
39 #define ARGPARSE_ERROR_MAX 20
40 #define ARGTABLE_SIZE 9
41 
42 #pragma pack(1)
43 /// Partial signature request, includes components through sig.
44 typedef struct SigRlRequestTop {
45   EpidFileHeader header;  ///< Intel(R) EPID File Header
46   GroupId gid;            ///< Intel(R) EPID Group ID
47   EpidSignature sig;      ///< Intel(R) EPID Signature
48 } SigRlRequestTop;
49 
50 /// Partial signature request, includes components after.
51 typedef struct SigRlRequestMid {
52   uint32_t be_msg_size;  ///< size of message in bytes (big endian)
53   uint8_t msg[1];        ///< message used to create signature (flexible array)
54 } SigRlRequestMid;
55 #pragma pack()
56 
57 /// convert host to network byte order
htonl(uint32_t hostlong)58 static uint32_t htonl(uint32_t hostlong) {
59   return (((hostlong & 0xFF) << 24) | ((hostlong & 0xFF00) << 8) |
60           ((hostlong & 0xFF0000) >> 8) | ((hostlong & 0xFF000000) >> 24));
61 }
62 
63 /// Fill a single SigRlRequest structure
64 /*!
65 \param[in] pubkey
66 Group public key.
67 \param[in] sig
68 Signature to append to request.
69 \param[in] sig_size
70 Size of the signature.
71 \param[in] msg_str
72 Message used to generate signature to revoke.
73 \param[in] msg_size
74 Length of the message.
75 \param[in out] req_buf
76 Pointer to request buffer.
77 \param[in] req_size
78 Size of request buffer.
79 \param[in out] req_top
80 Pointer to top structure of request.
81 */
82 void FillRequest(GroupPubKey const* pubkey, EpidSignature const* sig,
83                  size_t sig_size, char const* msg_str, size_t msg_size,
84                  uint8_t* req_buf, size_t req_size, SigRlRequestTop* req_top);
85 
86 /// Makes a request and appends it to file.
87 /*!
88 \param[in] cacert_file
89 Issuing CA certificate used to sign group public key file.
90 \param[in] sig_file
91 File containing signature to add to request.
92 \param[in] pubkey_file
93 File containing group public key.
94 \param[in] req_file
95 File to write a request.
96 \param[in] msg_str
97 Message used to generate signature to revoke.
98 \param[in] msg_size
99 Length of the message.
100 \param[in] verbose
101 If true function would print debug information to stdout.
102 */
103 int MakeRequest(char const* cacert_file, char const* sig_file,
104                 char const* pubkey_file, char const* req_file,
105                 char const* msg_str, size_t msg_size, bool verbose);
106 
107 /// Main entrypoint
main(int argc,char * argv[])108 int main(int argc, char* argv[]) {
109   // intermediate return value for C style functions
110   int ret_value = EXIT_FAILURE;
111 
112   // Message string parameter
113   static char* msg_str = NULL;
114   size_t msg_size = 0;
115   char* msg_buf = NULL;  // message loaded from msg_file
116 
117   // Verbose flag parameter
118   static bool verbose_flag = false;
119 
120   struct arg_file* sig_file = arg_file0(
121       NULL, "sig", "FILE",
122       "load signature to revoke from FILE (default: " SIG_DEFAULT ")");
123   struct arg_str* msg =
124       arg_str0(NULL, "msg", "MESSAGE",
125                "MESSAGE used to generate signature to revoke (default: empty)");
126   struct arg_file* msg_file =
127       arg_file0(NULL, "msgfile", "FILE",
128                 "FILE containing message used to generate signature to revoke");
129   struct arg_file* pubkey_file = arg_file0(
130       NULL, "gpubkey", "FILE",
131       "load group public key from FILE (default: " PUBKEYFILE_DEFAULT ")");
132   struct arg_file* cacert_file = arg_file1(
133       NULL, "capubkey", "FILE", "load IoT Issuing CA public key from FILE");
134   struct arg_file* req_file = arg_file0(
135       NULL, "req", "FILE",
136       "append signature revocation request to FILE (default: " REQFILE_DEFAULT
137       ")");
138   struct arg_lit* help = arg_lit0(NULL, "help", "display this help and exit");
139   struct arg_lit* verbose =
140       arg_lit0("v", "verbose", "print status messages to stdout");
141   struct arg_end* end = arg_end(ARGPARSE_ERROR_MAX);
142   void* argtable[ARGTABLE_SIZE];
143   int nerrors;
144 
145   /* initialize the argtable array with ptrs to the arg_xxx structures
146    * constructed above */
147   argtable[0] = sig_file;
148   argtable[1] = msg;
149   argtable[2] = msg_file;
150   argtable[3] = pubkey_file;
151   argtable[4] = cacert_file;
152   argtable[5] = req_file;
153   argtable[6] = help;
154   argtable[7] = verbose;
155   argtable[8] = end;
156 
157   // set program name for logging
158   set_prog_name(PROGRAM_NAME);
159   do {
160     /* verify the argtable[] entries were allocated sucessfully */
161     if (arg_nullcheck(argtable) != 0) {
162       /* NULL entries were detected, some allocations must have failed */
163       printf("%s: insufficient memory\n", PROGRAM_NAME);
164       ret_value = EXIT_FAILURE;
165       break;
166     }
167 
168     /* set any command line default values prior to parsing */
169     sig_file->filename[0] = SIG_DEFAULT;
170     pubkey_file->filename[0] = PUBKEYFILE_DEFAULT;
171     req_file->filename[0] = REQFILE_DEFAULT;
172 
173     /* Parse the command line as defined by argtable[] */
174     nerrors = arg_parse(argc, argv, argtable);
175 
176     if (help->count > 0) {
177       log_fmt(
178           "Usage: %s [OPTION]...\n"
179           "Revoke Intel(R) EPID signature\n"
180           "\n"
181           "Options:\n",
182           PROGRAM_NAME);
183       arg_print_glossary(stdout, argtable, "  %-25s %s\n");
184       ret_value = EXIT_SUCCESS;
185       break;
186     }
187     if (verbose->count > 0) {
188       verbose_flag = ToggleVerbosity();
189     }
190     /* If the parser returned any errors then display them and exit */
191     if (nerrors > 0) {
192       /* Display the error details contained in the arg_end struct.*/
193       arg_print_errors(stderr, end, PROGRAM_NAME);
194       fprintf(stderr, "Try '%s --help' for more information.\n", PROGRAM_NAME);
195       ret_value = EXIT_FAILURE;
196       break;
197     }
198 
199     if (msg->count > 0 && msg_file->count > 0) {
200       log_error("options --msg and --msgfile cannot be used together");
201       ret_value = EXIT_FAILURE;
202       break;
203     } else if (msg->count > 0) {
204       msg_str = (char*)msg->sval[0];
205       msg_size = strlen(msg_str);
206     } else if (msg_file->count > 0) {
207       msg_buf = NewBufferFromFile(msg_file->filename[0], &msg_size);
208       if (!msg_buf) {
209         ret_value = EXIT_FAILURE;
210         break;
211       }
212       msg_str = msg_buf;
213     } else {
214       msg_size = 0;
215     }
216 
217     if (verbose_flag) {
218       log_msg("\nOption values:");
219       log_msg(" sig_file      : %s", sig_file->filename[0]);
220       log_msg(" msg_str       : %s", msg_str);
221       log_msg(" pubkey_file   : %s", pubkey_file->filename[0]);
222       log_msg(" cacert_file   : %s", cacert_file->filename[0]);
223       log_msg(" req_file      : %s", req_file->filename[0]);
224       log_msg("");
225     }
226 
227     ret_value = MakeRequest(cacert_file->filename[0], sig_file->filename[0],
228                             pubkey_file->filename[0], req_file->filename[0],
229                             msg_str, msg_size, verbose_flag);
230   } while (0);
231 
232   if (msg_buf) {
233     free(msg_buf);
234     msg_buf = NULL;
235   }
236 
237   arg_freetable(argtable, sizeof(argtable) / sizeof(argtable[0]));
238 
239   return ret_value;
240 }
241 
242 /// Fill a single SigRlRequest structure
243 /*!
244 
245   | Field                           | Size          |
246   |:--------------------------------|--------------:|
247   | Intel(R) EPID Version (0x0200)  |       2 bytes |
248   | File Type (0x000B)              |       2 bytes |
249   | Group ID Number                 |      16 bytes |
250   | Basic Signature                 |      52 bytes |
251   | SigRL Version                   |       4 bytes |
252   | Number of Non-Revoked Proofs    |       4 bytes |
253   | nNRP * Non-Revoked Proofs       |    160 * nNRP |
254   | Message Size in Bytes (msgSize) |       4 bytes |
255   | Message                         | msgSize bytes |
256 
257  */
FillRequest(GroupPubKey const * pubkey,EpidSignature const * sig,size_t sig_size,char const * msg_str,size_t msg_size,uint8_t * req_buf,size_t req_size,SigRlRequestTop * req_top)258 void FillRequest(GroupPubKey const* pubkey, EpidSignature const* sig,
259                  size_t sig_size, char const* msg_str, size_t msg_size,
260                  uint8_t* req_buf, size_t req_size, SigRlRequestTop* req_top) {
261   const OctStr16 kEpidFileVersion = {2, 0};
262   size_t i = 0;
263   size_t req_mid_size = sizeof(((SigRlRequestMid*)0)->be_msg_size) + msg_size;
264   SigRlRequestMid* req_mid =
265       (SigRlRequestMid*)(req_buf + req_size - req_mid_size);
266 
267   if (!pubkey || !sig || !req_buf || !req_top || (!msg_str && 0 != msg_size)) {
268     log_error("internal error: badarg to FillRequest()");
269     return;
270   }
271 
272   req_top->header.epid_version = kEpidFileVersion;
273   req_top->header.file_type = kEpidFileTypeCode[kSigRlRequestFile];
274   req_top->gid = pubkey->gid;
275   // copy signature
276   for (i = 0; i < sig_size; i++) {
277     ((uint8_t*)&req_top->sig)[i] = ((uint8_t*)sig)[i];
278   }
279   req_mid->be_msg_size = htonl((uint32_t)msg_size);
280   // copy msg
281   for (i = 0; i < msg_size; i++) {
282     req_mid->msg[i] = msg_str[i];
283   }
284 }
285 
MakeRequest(char const * cacert_file,char const * sig_file,char const * pubkey_file,char const * req_file,char const * msg_str,size_t msg_size,bool verbose)286 int MakeRequest(char const* cacert_file, char const* sig_file,
287                 char const* pubkey_file, char const* req_file,
288                 char const* msg_str, size_t msg_size, bool verbose) {
289   // Buffers and computed values
290   // Signature buffer
291   EpidSignature* sig = NULL;
292   size_t sig_size = 0;
293 
294   // Group public key file
295   unsigned char* pubkey_file_data = NULL;
296   size_t pubkey_file_size = 0;
297 
298   // CA certificate
299   EpidCaCertificate cacert = {0};
300 
301   // Group public key buffer
302   GroupPubKey pubkey = {0};
303 
304   // Request buffer
305   uint8_t* req_buf = NULL;
306   size_t req_size = 0;
307 
308   size_t req_extra_space = (sizeof(EpidFileHeader) + sizeof(GroupId));
309 
310   int ret_value = EXIT_FAILURE;
311   do {
312     SigRlRequestTop* req_top = NULL;
313     size_t req_file_size = 0;
314     const size_t kMsgSizeSize = sizeof(((SigRlRequestMid*)0)->be_msg_size);
315 
316     if (!cacert_file || !sig_file || !pubkey_file || !req_file ||
317         (!msg_str && 0 != msg_size)) {
318       log_error("internal error: badarg to MakeRequest()");
319       ret_value = EXIT_FAILURE;
320       break;
321     }
322 
323     // convert command line args to usable formats
324     // CA certificate
325     if (0 != ReadLoud(cacert_file, &cacert, sizeof(cacert))) {
326       ret_value = EXIT_FAILURE;
327       break;
328     }
329 
330     // Signature
331     sig = NewBufferFromFile(sig_file, &sig_size);
332     if (!sig) {
333       ret_value = EXIT_FAILURE;
334       break;
335     }
336 
337     // Group public key file
338     pubkey_file_data = NewBufferFromFile(pubkey_file, &pubkey_file_size);
339     if (!pubkey_file_data) {
340       ret_value = EXIT_FAILURE;
341       break;
342     }
343 
344     // Security note:
345     // Application must confirm group public key is
346     // authorized by the issuer, e.g., signed by the issuer.
347     if (GROUP_PUB_KEY_SIZE != pubkey_file_size) {
348       log_error("unexpected file size for '%s'. Expected: %d; got: %d",
349                 pubkey_file, (int)GROUP_PUB_KEY_SIZE, (int)pubkey_file_size);
350       ret_value = EXIT_FAILURE;
351       break;
352     }
353     if (kEpidNoErr != EpidParseGroupPubKeyFile(pubkey_file_data,
354                                                pubkey_file_size, &cacert,
355                                                &pubkey)) {
356       log_error("group public key is not authorized");
357       ret_value = EXIT_FAILURE;
358       break;
359     }
360 
361     // Report Settings
362     if (verbose) {
363       log_msg("==============================================");
364       log_msg("Creating SigRL revocation request:");
365       log_msg("");
366       log_msg(" [in]  Group ID: ");
367       PrintBuffer(&pubkey.gid, sizeof(pubkey.gid));
368       log_msg("");
369       log_msg(" [in]  Signature Len: %d", (int)sig_size);
370       log_msg(" [in]  Signature: ");
371       PrintBuffer(sig, sig_size);
372       log_msg("");
373       log_msg(" [in]  Message Len: %d", (int)msg_size);
374       log_msg(" [in]  Message: ");
375       PrintBuffer(msg_str, msg_size);
376       log_msg("==============================================");
377     }
378 
379     req_extra_space += sig_size + kMsgSizeSize + msg_size;
380 
381     if (FileExists(req_file)) {
382       req_file_size = GetFileSize_S(req_file, SIZE_MAX - req_extra_space);
383     } else {
384       log_msg("request file does not exsist, create new");
385     }
386 
387     req_size = req_file_size + req_extra_space;
388 
389     req_buf = AllocBuffer(req_size);
390     if (!req_buf) {
391       ret_value = EXIT_FAILURE;
392       break;
393     }
394 
395     if (req_file_size > 0) {
396       if (0 != ReadLoud(req_file, req_buf, req_file_size)) {
397         ret_value = EXIT_FAILURE;
398         break;
399       }
400     }
401 
402     req_top = (SigRlRequestTop*)(req_buf + req_file_size);
403 
404     FillRequest(&pubkey, sig, sig_size, msg_str, msg_size, req_buf, req_size,
405                 req_top);
406 
407     // Report Settings
408     if (verbose) {
409       log_msg("==============================================");
410       log_msg("Reqest generated:");
411       log_msg("");
412       log_msg(" [in]  Request Len: %d", sizeof(SigRlRequestTop));
413       log_msg(" [in]  Request: ");
414       PrintBuffer(req_top, sizeof(SigRlRequestTop));
415       log_msg("==============================================");
416     }
417 
418     // Store request
419     if (0 != WriteLoud(req_buf, req_size, req_file)) {
420       ret_value = EXIT_FAILURE;
421       break;
422     }
423 
424     // Success
425     ret_value = EXIT_SUCCESS;
426   } while (0);
427 
428   // Free allocated buffers
429   if (pubkey_file_data) free(pubkey_file_data);
430   if (sig) free(sig);
431   if (req_buf) free(req_buf);
432 
433   return ret_value;
434 }
435