diff --git a/reference/README.md b/reference/README.md index fee5b9c6..7fc41b82 100644 --- a/reference/README.md +++ b/reference/README.md @@ -71,16 +71,16 @@ the OpenSSL cryptographic implementation with a SoC specific cryptographic imple ### 'util' This directory contains common functions that are used by both the REE client as well as the TA -implementation. This directory contains code to read a secret symmetric root key from a PKCS 12 -key store. This code is only used by the reference implementation and allows the reference -implementation to be used for testing purposes with a key that is delivered by a keying provider. -The reference implementation provides a default test root key in the file root_keystore.p12 that is -encrypted with a default password. This default password is embedded in the common.h file to -facilitate ease of testing. If a test root key is provided by a keying provider, the keying provider -should use a different password to the PKCS 12 key store. To change the default test PKCS 12 key -store and password for the reference implementation and for executing the tests, set the -ROOT_KEYSTORE environment variable with the location of the PKCS 12 key store file and the -ROOT_KEYSTORE_PASSWORD environment variable with the password. +implementation. This directory contains code to read a secret symmetric root key from a PKCS 12 key +store. This code is only used by the reference implementation and allows the reference implementation to +be used for testing purposes with a key that is delivered by a keying provider. The reference +implementation provides a default test root key embedded in include/root_keystore.h that is encrypted +with a default password. This default password is also embedded in include/root_keystore.h so the key can +be easily decrypted in tests. If a test root key is provided by a keying provider, the keying provider +should use a different password to the PKCS 12 key store. To change the default test PKCS 12 key store +and password for the reference implementation and for executing the tests, set the ROOT_KEYSTORE +environment variable with the location of the PKCS 12 key store file and the ROOT_KEYSTORE_PASSWORD +environment variable with the password. NOTE - OpenSSL does not support PKCS 12 Secret Bags since there is no industry specification for the contents of a Secret Bag. This implementation reads a PKCS 12 key store that is created by Java's diff --git a/reference/src/client/CMakeLists.txt b/reference/src/client/CMakeLists.txt index aaa1d630..b7abb333 100644 --- a/reference/src/client/CMakeLists.txt +++ b/reference/src/client/CMakeLists.txt @@ -335,6 +335,7 @@ if (BUILD_TESTS) add_custom_command( TARGET saclienttest POST_BUILD + BYPRODUCTS root_keystore.p12 COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_SOURCE_DIR}/test/root_keystore.p12 ${CMAKE_CURRENT_BINARY_DIR}/root_keystore.p12) diff --git a/reference/src/client/test/sa_key_common.cpp b/reference/src/client/test/sa_key_common.cpp index cc0e1a6f..3d13c880 100644 --- a/reference/src/client/test/sa_key_common.cpp +++ b/reference/src/client/test/sa_key_common.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 Comcast Cable Communications Management, LLC + * Copyright 2020-2025 Comcast Cable Communications Management, LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,6 +17,7 @@ */ #include "common.h" +#include "root_keystore.h" #include #include #include diff --git a/reference/src/taimpl/CMakeLists.txt b/reference/src/taimpl/CMakeLists.txt index b32073b1..2c164395 100644 --- a/reference/src/taimpl/CMakeLists.txt +++ b/reference/src/taimpl/CMakeLists.txt @@ -261,6 +261,7 @@ if (BUILD_TESTS) add_custom_command( TARGET taimpltest POST_BUILD + BYPRODUCTS root_keystore.p12 COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_SOURCE_DIR}/test/root_keystore.p12 ${CMAKE_CURRENT_BINARY_DIR}/root_keystore.p12) diff --git a/reference/src/taimpl/src/porting/otp.c b/reference/src/taimpl/src/porting/otp.c index 98a283dc..5ae14b83 100644 --- a/reference/src/taimpl/src/porting/otp.c +++ b/reference/src/taimpl/src/porting/otp.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 Comcast Cable Communications Management, LLC + * Copyright 2020-2025 Comcast Cable Communications Management, LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,6 +23,7 @@ #include "pkcs12.h" #include "porting/memory.h" #include "porting/otp_internal.h" +#include "root_keystore.h" #include "stored_key_internal.h" #include #include diff --git a/reference/src/util/CMakeLists.txt b/reference/src/util/CMakeLists.txt index 651be175..9c1358a6 100644 --- a/reference/src/util/CMakeLists.txt +++ b/reference/src/util/CMakeLists.txt @@ -1,5 +1,5 @@ # -# Copyright 2020-2025 Comcast Cable Communications Management, LLC +# Copyright 2020-2026 Comcast Cable Communications Management, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,6 +45,7 @@ add_library(util STATIC include/sa_rights.h include/test_helpers.h include/test_process_common_encryption.h + include/root_keystore.h src/digest_util.c src/log.c @@ -53,6 +54,7 @@ add_library(util STATIC src/sa_rights.c src/test_helpers.cpp src/test_process_common_encryption.cpp + src/root_keystore.c ) target_include_directories(util @@ -98,10 +100,10 @@ if (BUILD_TESTS) add_custom_command( TARGET utiltest POST_BUILD + BYPRODUCTS root_keystore.p12 COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_SOURCE_DIR}/test/root_keystore.p12 ${CMAKE_CURRENT_BINARY_DIR}/root_keystore.p12) gtest_discover_tests(utiltest) endif () - diff --git a/reference/src/util/include/common.h b/reference/src/util/include/common.h index 93091205..e1d5d928 100644 --- a/reference/src/util/include/common.h +++ b/reference/src/util/include/common.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2023 Comcast Cable Communications Management, LLC + * Copyright 2019-2025 Comcast Cable Communications Management, LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -67,7 +67,4 @@ #define RSA_PSS_SALTLEN_MAX (-3) #endif -#define DEFAULT_ROOT_KEYSTORE_PASSWORD "password01234567" -#define COMMON_ROOT_NAME "commonroot" - #endif // COMMON_H diff --git a/reference/src/util/include/pkcs12.h b/reference/src/util/include/pkcs12.h index a1972231..3077039c 100644 --- a/reference/src/util/include/pkcs12.h +++ b/reference/src/util/include/pkcs12.h @@ -1,5 +1,5 @@ /* - * Copyright 2022-2023 Comcast Cable Communications Management, LLC + * Copyright 2022-2025 Comcast Cable Communications Management, LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -36,8 +36,8 @@ extern "C" { /** * Loads a secret key from a PKCS12 file identified at the ROOT_KEYSTORE environment variable. The password to the - * keystore is in the ROOT_KEYSTORE_PASSWORD environment variable. If neither is defined, it looks for the file - * root_keystore.p12 in the working directory with a default password. + * keystore is in the ROOT_KEYSTORE_PASSWORD environment variable. If neither is defined, a default + * keystore and password are used. * * @param[out] key the key to load. * @param[in,out] key_length the length of the loaded key. diff --git a/reference/src/util/include/root_keystore.h b/reference/src/util/include/root_keystore.h new file mode 100644 index 00000000..81a35e51 --- /dev/null +++ b/reference/src/util/include/root_keystore.h @@ -0,0 +1,35 @@ +/* + * Copyright 2025-2026 Comcast Cable Communications Management, LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef ROOT_KEYSTORE_H +#define ROOT_KEYSTORE_H + +#include +#include + +#define DEFAULT_ROOT_KEYSTORE_PASSWORD "password01234567" +#define COMMON_ROOT_NAME "commonroot" + +/// A PKCS#12 container containing a secret key encrypted with the +/// `DEFAULT_ROOT_KEYSTORE_PASSWORD`. +extern const uint8_t default_root_keystore[]; + +/// Size of the `default_root_keystore` +extern const size_t default_root_keystore_size; + +#endif /* ROOT_KEYSTORE_H */ diff --git a/reference/src/util/src/pkcs12.c b/reference/src/util/src/pkcs12.c index f71d4a1b..90b0ef4d 100644 --- a/reference/src/util/src/pkcs12.c +++ b/reference/src/util/src/pkcs12.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2023 Comcast Cable Communications Management, LLC + * Copyright 2022-2026 Comcast Cable Communications Management, LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,8 +16,8 @@ * SPDX-License-Identifier: Apache-2.0 */ -#include "common.h" #include "log.h" +#include "root_keystore.h" #include #include #include @@ -186,10 +186,6 @@ bool load_pkcs12_secret_key( char* name, size_t* name_length) { - const char* filename = getenv("ROOT_KEYSTORE"); - if (filename == NULL) - filename = "root_keystore.p12"; - const char* password = getenv("ROOT_KEYSTORE_PASSWORD"); if (password == NULL) password = DEFAULT_ROOT_KEYSTORE_PASSWORD; @@ -201,16 +197,26 @@ bool load_pkcs12_secret_key( PKCS12* pkcs12 = NULL; STACK_OF(PKCS7)* auth_safes = NULL; do { - file = fopen(filename, "re"); - if (file == NULL) { - ERROR("NULL file"); - break; - } + const char* filename = getenv("ROOT_KEYSTORE"); + if (filename != NULL) { + file = fopen(filename, "re"); + if (file == NULL) { + ERROR("NULL file"); + break; + } - pkcs12 = d2i_PKCS12_fp(file, NULL); - if (pkcs12 == NULL) { - ERROR("NULL pkcs12"); - break; + pkcs12 = d2i_PKCS12_fp(file, NULL); + if (pkcs12 == NULL) { + ERROR("NULL pkcs12"); + break; + } + } else { + const uint8_t *keystore = default_root_keystore; + pkcs12 = d2i_PKCS12(NULL, &keystore, default_root_keystore_size); + if (pkcs12 == NULL) { + ERROR("NULL pkcs12"); + break; + } } if (PKCS12_verify_mac(pkcs12, password, -1) != 1) { diff --git a/reference/src/util/src/root_keystore.c b/reference/src/util/src/root_keystore.c new file mode 100644 index 00000000..d61b882c --- /dev/null +++ b/reference/src/util/src/root_keystore.c @@ -0,0 +1,85 @@ +/* + * Copyright 2026 Comcast Cable Communications Management, LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include "root_keystore.h" + +#include +#include + +const uint8_t default_root_keystore[] = { + 0x30, 0x82, 0x02, 0xb6, 0x02, 0x01, 0x03, 0x30, 0x82, 0x02, 0x60, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, + 0x02, 0x51, 0x04, 0x82, 0x02, 0x4d, 0x30, 0x82, 0x02, 0x49, 0x30, 0x82, + 0x02, 0x45, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01, 0xa0, 0x82, 0x02, 0x36, 0x04, 0x82, 0x02, 0x32, 0x30, 0x82, 0x02, + 0x2e, 0x30, 0x82, 0x01, 0x19, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x05, 0xa0, 0x81, 0xb3, 0x30, 0x81, 0xb0, + 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, + 0x02, 0xa0, 0x81, 0xa0, 0x04, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, 0x66, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, 0x30, + 0x59, 0x30, 0x38, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x05, 0x0c, 0x30, 0x2b, 0x04, 0x14, 0x2d, 0x53, 0x8e, 0x7a, 0xe6, 0x40, + 0x6b, 0x2c, 0x16, 0x91, 0x5c, 0x58, 0xfe, 0x63, 0x06, 0x86, 0x2d, 0xdf, + 0xad, 0x13, 0x02, 0x02, 0x27, 0x10, 0x02, 0x01, 0x20, 0x30, 0x0c, 0x06, + 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09, 0x05, 0x00, 0x30, + 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, + 0x04, 0x10, 0xf8, 0xf4, 0x48, 0xc5, 0x18, 0x05, 0x91, 0xb4, 0xc1, 0x4c, + 0xe9, 0x70, 0xc6, 0x7e, 0x93, 0x8d, 0x04, 0x30, 0xfc, 0x30, 0xf9, 0xea, + 0x39, 0x8e, 0xb7, 0xc6, 0xb3, 0x7d, 0xe6, 0xdf, 0xce, 0xf4, 0xdf, 0x91, + 0x81, 0x44, 0x1e, 0x42, 0x12, 0xc3, 0xc2, 0x59, 0xd8, 0xe1, 0xa5, 0x93, + 0x79, 0xfe, 0xa4, 0xbb, 0x9d, 0xc4, 0xf4, 0xe9, 0x14, 0xaa, 0x47, 0x87, + 0x82, 0x96, 0xaf, 0x65, 0x02, 0x1a, 0x3e, 0x48, 0x31, 0x54, 0x30, 0x2f, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, + 0x22, 0x1e, 0x20, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, + 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, + 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x65, 0x30, + 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, + 0x31, 0x14, 0x04, 0x12, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x31, 0x36, 0x35, + 0x35, 0x31, 0x36, 0x32, 0x33, 0x39, 0x30, 0x39, 0x37, 0x30, 0x30, 0x82, + 0x01, 0x0d, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, + 0x0a, 0x01, 0x05, 0xa0, 0x81, 0xb3, 0x30, 0x81, 0xb0, 0x06, 0x0b, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x81, + 0xa0, 0x04, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, 0x66, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, 0x30, 0x59, 0x30, 0x38, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c, 0x30, + 0x2b, 0x04, 0x14, 0x7b, 0xc8, 0x89, 0xce, 0x75, 0xcf, 0x2e, 0xca, 0x1a, + 0x5b, 0xf1, 0xa6, 0xac, 0xe6, 0x35, 0x56, 0x20, 0xfb, 0xaf, 0xe3, 0x02, + 0x02, 0x27, 0x10, 0x02, 0x01, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09, 0x05, 0x00, 0x30, 0x1d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, 0x04, 0x10, 0x72, + 0x4b, 0x8d, 0x97, 0x79, 0xb0, 0x6c, 0xa9, 0x09, 0x0c, 0xff, 0xc1, 0x19, + 0xf2, 0x87, 0xf1, 0x04, 0x30, 0x55, 0xc0, 0x29, 0x40, 0x9a, 0x6d, 0x25, + 0x9f, 0xd6, 0x92, 0xf8, 0x7f, 0x8c, 0xc6, 0x11, 0x70, 0xf8, 0x7b, 0x98, + 0xd4, 0x81, 0xa8, 0x1a, 0x90, 0xeb, 0x17, 0x14, 0x80, 0x42, 0x68, 0xc0, + 0xc6, 0xe4, 0x27, 0x47, 0x96, 0x6d, 0x8a, 0xed, 0x6e, 0x37, 0x26, 0xf7, + 0x4a, 0xa9, 0x95, 0xfb, 0x04, 0x31, 0x48, 0x30, 0x23, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x16, 0x1e, 0x14, + 0x00, 0x63, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x6f, 0x00, 0x6e, + 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x74, 0x30, 0x21, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x14, 0x04, + 0x12, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x31, 0x36, 0x38, 0x30, 0x33, 0x30, + 0x35, 0x32, 0x37, 0x33, 0x35, 0x38, 0x37, 0x30, 0x4d, 0x30, 0x31, 0x30, + 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, + 0x05, 0x00, 0x04, 0x20, 0xad, 0x5a, 0xfd, 0x11, 0xe8, 0x5c, 0x99, 0x7d, + 0xea, 0x31, 0x9c, 0x09, 0x35, 0xbc, 0xc8, 0x76, 0x98, 0xef, 0x3f, 0x19, + 0x82, 0x3e, 0x58, 0xd4, 0x94, 0x1c, 0x4d, 0x13, 0x95, 0x97, 0x5e, 0x43, + 0x04, 0x14, 0xfa, 0xaf, 0x44, 0xa6, 0x04, 0x8e, 0x3f, 0xc2, 0xb6, 0x0a, + 0x54, 0x8a, 0xde, 0x84, 0x5a, 0x96, 0xdc, 0xbd, 0x51, 0x76, 0x02, 0x02, + 0x27, 0x10, +}; +const size_t default_root_keystore_size = sizeof(default_root_keystore); diff --git a/reference/src/util/test/pkcs12test.cpp b/reference/src/util/test/pkcs12test.cpp index 994efb69..1f0827e8 100644 --- a/reference/src/util/test/pkcs12test.cpp +++ b/reference/src/util/test/pkcs12test.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 Comcast Cable Communications Management, LLC + * Copyright 2020-2026 Comcast Cable Communications Management, LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,6 +18,7 @@ #include "pkcs12.h" // NOLINT #include "common.h" +#include "root_keystore.h" #include "gtest/gtest.h" #include @@ -37,6 +38,23 @@ namespace { ASSERT_EQ(memcmp(name, "fffffffffffffffe", 16), 0); } + TEST(Pkcs12Test, parseEmbeddedPkcs12) { + // This code tests whether the embedded keystore is loaded and therefore + // requires these environment variables to be unset. + unsetenv("ROOT_KEYSTORE_PASSWORD"); + unsetenv("ROOT_KEYSTORE"); + + uint8_t key[SYM_256_KEY_SIZE]; + size_t key_length = SYM_256_KEY_SIZE; + char name[MAX_NAME_SIZE]; + size_t name_length = MAX_NAME_SIZE; + name[0] = '\0'; + ASSERT_EQ(load_pkcs12_secret_key(key, &key_length, name, &name_length), true); + ASSERT_EQ(key_length, SYM_128_KEY_SIZE); + ASSERT_EQ(name_length, 16); + ASSERT_EQ(memcmp(name, "fffffffffffffffe", 16), 0); + } + TEST(Pkcs12Test, parsePkcs12Common) { setenv("ROOT_KEYSTORE_PASSWORD", DEFAULT_ROOT_KEYSTORE_PASSWORD, 1); setenv("ROOT_KEYSTORE", "root_keystore.p12", 1); @@ -51,4 +69,21 @@ namespace { ASSERT_EQ(name_length, 10); ASSERT_EQ(memcmp(name, "commonroot", 10), 0); } + + TEST(Pkcs12Test, parseEmbeddedPkcs12Common) { + // This code tests whether the embedded keystore is loaded and therefore + // requires these environment variables to be unset. + unsetenv("ROOT_KEYSTORE_PASSWORD"); + unsetenv("ROOT_KEYSTORE"); + + uint8_t key[SYM_256_KEY_SIZE]; + size_t key_length = SYM_256_KEY_SIZE; + char name[MAX_NAME_SIZE]; + size_t name_length = MAX_NAME_SIZE; + strcpy(name, COMMON_ROOT_NAME); + ASSERT_EQ(load_pkcs12_secret_key(key, &key_length, name, &name_length), true); + ASSERT_EQ(key_length, SYM_128_KEY_SIZE); + ASSERT_EQ(name_length, 10); + ASSERT_EQ(memcmp(name, "commonroot", 10), 0); + } } // namespace