Feature Usage
| Firmware | Version |
|---|---|
| TEE OS | 1.2.0 or later |
| Software Name | Description | How to Obtain |
|---|---|---|
| cert manager CA | CA source code of the certificate import tool | |
| cert manager TA | TA source code of the certificate import tool | |
In the current version, the CA (cert manager CA) and TA (cert manager TA) of the TA certificate import tool are open-sourced in the openEuler community. To obtain, compile, and use the TA certificate import tool, perform the following operations.
- Download the iTrustee SDK, which contains the source code of cert manager CA and cert manager TA.

  Repository: https://gitee.com/openeuler/itrustee_sdk.git
  Code branch: master

  The relative paths of the code inside the SDK are as follows:
  - cert manager CA: itrustee_sdk/test/CA/certmanager
  - cert manager TA: itrustee_sdk/test/TA/certmanager
- Set the root public key of cert manager TA.

  ```shell
  vim itrustee_sdk/test/TA/certmanager/include/cert_config.h   # Replace the path with the actual one.
  ```

  Replace the root public key information, that is, the content of the g_root_public_key array.

  If the root public key certificate has already been generated, run the following command to extract the public key information from the root certificate:

  ```shell
  openssl x509 -in {rootca.der} -inform DER -pubkey -noout -C
  ```

  {rootca.der} is the root certificate in DER format.
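The following is an added example, not code from itrustee_sdk or this guide. It does offline what the `openssl x509 -C` step above does: it pulls the SubjectPublicKeyInfo (SPKI) out of a DER certificate with a small DER reader and renders it as a C byte array, and it prints the SHA-256 of those bytes so you can confirm they match the key you intended to pin (for instance against `openssl x509 -in rootca.der -inform DER -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`). It also adds a cheap pre-import sanity check, `issued_by_name`, that compares a level-2 certificate's issuer Name with the root's subject Name; this is a name match only, not a signature verification. The declaration form used for `g_root_public_key` is an assumption (check the real type in cert_config.h before pasting), and the two certificates at the bottom are constructed test fixtures with dummy keys and signatures, not real certificates.

```python
import hashlib


# --- minimal DER (TLV) reader, enough to walk an X.509 certificate -----------
def parse_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509")
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length: 0x8N then N bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def children(body):
    """Split a constructed element's body into (tag, full_encoding) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = parse_tlv(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def tbs_fields(cert_der):
    """Return the DER encoding of the main tbsCertificate fields, keyed by name."""
    tag, cert_body, end = parse_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE (PEM input?)")
    tbs_tag, tbs_body, _ = parse_tlv(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    items = children(tbs_body)
    if items and items[0][0] == 0xA0:     # optional explicit [0] version (v2/v3)
        items = items[1:]
    names = ["serialNumber", "signature", "issuer", "validity",
             "subject", "subjectPublicKeyInfo"]
    if len(items) < len(names):
        raise ValueError("tbsCertificate has too few fields")
    return {n: enc for n, (_, enc) in zip(names, items)}


def to_c_array(name, data, per_line=12):
    """Render bytes as a C array definition (assumed form of g_root_public_key)."""
    rows = ["    " + ", ".join(f"0x{b:02x}" for b in data[i:i + per_line]) + ","
            for i in range(0, len(data), per_line)]
    return (f"static const unsigned char {name}[{len(data)}] = {{\n"
            + "\n".join(rows) + "\n};")


def root_public_key_source(cert_der, name="g_root_public_key"):
    """C array text for the certificate's SPKI plus its SHA-256 for cross-checking."""
    spki_der = tbs_fields(cert_der)["subjectPublicKeyInfo"]
    return to_c_array(name, spki_der), hashlib.sha256(spki_der).hexdigest()


def issued_by_name(child_der, parent_der):
    """Name match only (child issuer == parent subject); not a signature check."""
    return tbs_fields(child_der)["issuer"] == tbs_fields(parent_der)["subject"]


# --- constructed sample certificates: dummy keys, dummy signatures ------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("0603550403")                      # commonName
ALG_NULL = b"\x05\x00"


def _name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return _seq(_tlv(0x31, _seq(OID_CN, _tlv(0x0C, cn.encode()))))


def make_cert(serial, issuer_cn, subject_cn, key_bytes):
    """Syntactically valid v3 certificate skeleton with a dummy key and signature."""
    tbs = _seq(_tlv(0xA0, _int(2)), _int(serial), _seq(OID_SHA256_RSA, ALG_NULL),
               _name(issuer_cn),
               _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"340101000000Z")),
               _name(subject_cn),
               _seq(_seq(OID_RSA, ALG_NULL), _tlv(0x03, b"\x00" + key_bytes)))
    return _seq(tbs, _seq(OID_SHA256_RSA, ALG_NULL), _tlv(0x03, b"\x00" * 17))


ROOT_CERT = make_cert(1, "Constructed Root", "Constructed Root", bytes(range(1, 33)))
SECOND_CERT = make_cert(2, "Constructed Root", "Constructed Level-2", bytes(range(100, 132)))

if __name__ == "__main__":
    src, digest = root_public_key_source(ROOT_CERT)
    print(src)
    print("SPKI SHA-256:", digest)
    print("level-2 issuer matches root subject:", issued_by_name(SECOND_CERT, ROOT_CERT))
```

To use it on a real root, read `rootca.der` as bytes and pass it to `root_public_key_source`; PEM input is rejected because the first byte is not a DER SEQUENCE. The reader deliberately understands only the tbsCertificate layout it needs, which keeps it auditable; the `openssl` command on the page remains the reference, and the SHA-256 printed here is the value to compare against it.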
- Compile cert manager CA and cert manager TA.
  - Compile cert manager CA.

    ```shell
    cd itrustee_sdk/test/CA/certmanager   # Replace the path with the actual one.
    make
    cp certmanager /vendor/bin
    ```

    If the compilation is successful, a certmanager binary file is generated in the current directory and needs to be deployed to the /vendor/bin directory. This directory is specified by the cert manager TA code and can be replaced with the actual one.
  - Compile cert manager TA.

    Like common TAs, cert manager TA requires a TA developer certificate issued by Huawei. For details, see Applying for a TA Developer Certificate in a Debugging Environment.

    Note that cert manager, as a privileged TA, has the certificate import capability. When applying for a TA developer certificate, add the <sys_verify_ta> and <CERT_Permission> fields to the configs.xml file. An example of the configs.xml file:

    ```xml
    <?xml version="1.0" encoding="utf-8"?>
    <ConfigInfo>
      <TA_Basic_Info>
        <service_name>rsa-demo</service_name>
        <uuid>f68fd704-6eb1-4d14-b218-722850eb3ef0</uuid>
      </TA_Basic_Info>
      <TA_Manifest_Info>
        <instance_keep_alive>false</instance_keep_alive>
        <stack_size>40960</stack_size>
        <heap_size>67928064</heap_size>
        <multi_command>false</multi_command>
        <multi_session>false</multi_session>
        <single_instance>true</single_instance>
        <sys_verify_ta>true</sys_verify_ta>
      </TA_Manifest_Info>
      <TA_Control_Info>
        <CERT_Info>
          <CERT_Permission>true</CERT_Permission>
        </CERT_Info>
      </TA_Control_Info>
    </ConfigInfo>
    ```

    After obtaining the TA developer certificate and the config binary file, deploy the TA private key and the config binary file of cert manager to a path, for example:

    itrustee_sdk/test/TA/certmanager/cloud/signed_config/config
    itrustee_sdk/test/TA/certmanager/cloud/TA_cert/private_key.pem

    ```shell
    cd itrustee_sdk/test/TA/certmanager/cloud
    make
    cp *.sec /data
    ```

    After cert manager TA is compiled successfully, a {uuid}.sec file is generated and needs to be deployed to the /data directory. This directory is specified by the cert manager CA code and can be replaced with the actual one.
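Because <CERT_Permission> grants a TA the certificate import capability, it is worth checking, before signing, that only the cert manager configs.xml asks for it and that it also carries <sys_verify_ta>. The following is an added example, not a tool from itrustee_sdk: a small audit over configs.xml files that reports the two privileged flags and lists which configs request CERT_Permission. The element paths follow the sample configs.xml above; the first embedded file is a constructed copy of that sample (same service_name and uuid), and the second is a constructed ordinary TA config with no privileged fields.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the sample configs.xml from the page (service_name and uuid unchanged).
CERT_MANAGER_XML = """<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
  <TA_Basic_Info>
    <service_name>rsa-demo</service_name>
    <uuid>f68fd704-6eb1-4d14-b218-722850eb3ef0</uuid>
  </TA_Basic_Info>
  <TA_Manifest_Info>
    <single_instance>true</single_instance>
    <sys_verify_ta>true</sys_verify_ta>
  </TA_Manifest_Info>
  <TA_Control_Info>
    <CERT_Info>
      <CERT_Permission>true</CERT_Permission>
    </CERT_Info>
  </TA_Control_Info>
</ConfigInfo>
"""

# Constructed ordinary-TA config: no privileged fields at all.
ORDINARY_XML = """<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
  <TA_Basic_Info>
    <service_name>demo</service_name>
    <uuid>00000000-0000-0000-0000-000000000000</uuid>
  </TA_Basic_Info>
  <TA_Manifest_Info><single_instance>true</single_instance></TA_Manifest_Info>
</ConfigInfo>
"""


def _flag(root, path):
    """True only when the element exists and its text is exactly 'true'."""
    text = root.findtext(path)
    return text is not None and text.strip().lower() == "true"


def privilege_report(xml_text):
    """Identity plus the two privileged flags of one configs.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {
        "service_name": root.findtext("TA_Basic_Info/service_name"),
        "uuid": root.findtext("TA_Basic_Info/uuid"),
        "sys_verify_ta": _flag(root, "TA_Manifest_Info/sys_verify_ta"),
        "cert_permission": _flag(root, "TA_Control_Info/CERT_Info/CERT_Permission"),
    }


def is_cert_manager_config(xml_text):
    """Both fields the page requires for the cert manager TA are present and true."""
    r = privilege_report(xml_text)
    return r["sys_verify_ta"] and r["cert_permission"]


def privileged_configs(named_xml):
    """Given {filename: xml_text}, list the configs that request CERT_Permission,
    so a reviewer can confirm that only the cert manager TA carries it."""
    return sorted(name for name, xml in named_xml.items()
                  if privilege_report(xml)["cert_permission"])


if __name__ == "__main__":
    files = {"certmanager/configs.xml": CERT_MANAGER_XML, "demo/configs.xml": ORDINARY_XML}
    for name, xml in files.items():
        print(name, privilege_report(xml))
    print("configs requesting CERT_Permission:", privileged_configs(files))
```

In practice, replace the embedded strings with the contents of each TA's configs.xml read from disk; a config in the CERT_Permission list that is not the cert manager is the finding to chase.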
- Run cert manager CA and cert manager TA to import the third-party level-2 certificate.

  ```shell
  cd /vendor/bin/
  /vendor/bin/certmanager import {second.der}
  ```

  {second.der} is the level-2 certificate issued from the root certificate described in step 2. The certificate must be in DER format. After the import succeeds, a success message is displayed.
Developers can then issue TA certificates and configuration files from the level-2 certificate and use them when compiling TAs to produce third-party TAs. In this case, the secure OS allows loading only third-party TAs (with TA certificates issued from developers' level-2 certificates) and system TAs (specified by the <sys_verify_ta> tag in the configs.xml file). TAs with certificates issued by Huawei fail to be loaded.
The cert manager supports certificate import, certificate import log query, certificate destruction, certificate export, and CRL import.
- Certificate import: certmanager import {cert.der}
- Certificate destruction: certmanager destroy
- Certificate import log query: certmanager export log
- Certificate export: certmanager export cert {cert.der}. {cert.der} is the file into which the certificate information that has been imported to the secure OS is saved.
- CRL import: certmanager import_crl {cert.crl}. If no third-party level-2 certificate has been imported, you can directly import a CRL issued by Huawei. Before importing a third-party CRL, ensure that the corresponding third-party level-2 certificate has been imported.