139  * makeCertChain creates a new keymaster_cert_chain_t from all the certs that get thrown at it
157     if (!result.get()) return {};
176     if (!oid.get())
187     if (!attest_str.get() ||
188         !ASN1_OCTET_STRING_set(attest_str.get(), attest_bytes.get(), attest_bytes_len))
192         X509_EXTENSION_create_by_OBJ(nullptr, oid.get(), 0 /* not critical */, attest_str.get()));
193     if (!extension->get())
206         if (!ASN1_BIT_STRING_set_bit(key_usage.get(), i, 0)) {
215         if (!ASN1_BIT_STRING_set_bit(key_usage.get(), kDigitalSignatureKeyUsageBit, 1)) {
224         if (!ASN1_BIT_STRING_set_bit(key_usage.get(), kKeyEnciphermentKeyUsageBit, 1) ||
225             !ASN1_BIT_STRING_set_bit(key_usage.get(), kDataEnciphermentKeyUsageBit, 1)) {
231     int len = i2d_ASN1_BIT_STRING(key_usage.get(), nullptr);
236     if (!asn1_key_usage.get()) {
239     uint8_t* p = asn1_key_usage.get();
240     len = i2d_ASN1_BIT_STRING(key_usage.get(), &p);
247     if (!key_usage_str.get() ||
248         !ASN1_OCTET_STRING_set(key_usage_str.get(), asn1_key_usage.get(), len)) {
255                                                                         key_usage_str.get()));
256     if (!key_usage_extension.get()) {
260     if (!X509_add_ext(certificate, key_usage_extension.get() /* Don't release; copied */,
288     if (!X509_add_ext(certificate, attest_extension.get() /* Don't release; copied */,
313     if (!key.InternalToEvp(pkey.get()))
317     if (!certificate.get())
320     if (!X509_set_version(certificate.get(), 2 /* version 3, but zero-based */))
324     if (!serialNumber.get() || !ASN1_INTEGER_set(serialNumber.get(), 1) ||
325         !X509_set_serialNumber(certificate.get(), serialNumber.get() /* Don't release; copied */))
329     if (!subjectName.get() ||
330         !X509_NAME_add_entry_by_txt(subjectName.get(), "CN", MBSTRING_ASC,
333         !X509_set_subject_name(certificate.get(), subjectName.get() /* Don't release; copied */))
339     if (!notBefore.get() || !ASN1_TIME_set(notBefore.get(), activeDateTime / 1000) ||
340         !X509_set_notBefore(certificate.get(), notBefore.get() /* Don't release; copied */))
350     if (!notAfter.get() || !ASN1_TIME_set(notAfter.get(), notAfterTime) ||
351         !X509_set_notAfter(certificate.get(), notAfter.get() /* Don't release; copied */))
354     keymaster_error_t error = add_key_usage_extension(key.hw_enforced(), key.sw_enforced(), certificate.get());
367     if (!sign_key.get()) return TranslateLastOpenSslError();
369     if (!add_public_key(pkey.get(), certificate.get(), &error) ||
371                                    context, certificate.get(), &error))
381     if (!signing_cert.get()) {
386     X509_NAME* issuerSubject = X509_get_subject_name(signing_cert.get());
390     if (!X509_set_issuer_name(certificate.get(), issuerSubject)) {
395     if (!x509v3_ctx.get())
398     X509V3_set_ctx(x509v3_ctx.get(), signing_cert.get(), certificate.get(), nullptr /* req */,
401     X509_EXTENSION_Ptr auth_key_id(X509V3_EXT_nconf_nid(nullptr /* conf */, x509v3_ctx.get(),
404     if (!auth_key_id.get() ||
405         !X509_add_ext(certificate.get(), auth_key_id.get() /* Don't release; copied */,
410     if (!X509_sign(certificate.get(), sign_key.get(), EVP_sha256()))
413     *cert_chain_out = makeCertChain(certificate.get(), attestation_chain);
414     if (!cert_chain_out->get())

Indexes created Sun Aug 12 02:23:12 CEST 2018