Examples
The cert manager CA and cert manager TA of the TA certificate import tool are open-sourced to the openEuler community. To use this tool, you need to prepare the root public key (used to verify the level-2 certificate), level-2 certificate (used for the import), TA certificate (used for the service TA), and config certificate (used to verify the config binary of the service TA). Figure 1 shows the certificate hierarchy.
- The root public key is used to verify the level-2 certificate and must be fixed in the cert manager TA code.
- The level-2 certificate is imported to the TEE and is used to verify the TA certificate and config certificate of the service TA.
- The TA certificate and config certificate are issued based on the level-2 certificate. The TA certificate protects the code integrity of the service TA. The config certificate protects the integrity of the config binary. The config binary controls the TEE resource usage of the TA.
Obtaining and Using the TA Certificate Import Tool
- Download the iTrustee SDK, which contains the source code of cert manager CA and cert manager TA.
- Obtain the iTrustee SDK.
https://gitee.com/openeuler/itrustee_sdk.git
Code branch: master
Code committing point: 22c68de6cac1810c927a91bf86a40cc07b5005a2
The iTrustee SDK contains the source code of cert manager CA and cert manager TA. The relative paths of the code are as follows:
- cert manager CA: itrustee_sdk/test/CA/certmanager
- cert manager TA: itrustee_sdk/test/TA/certmanager
- Integrate the security function library into the iTrustee SDK.
cd itrustee_sdk/thirdparty/open_source
git clone https://gitee.com/openeuler/libboundscheck.git
cd libboundscheck
make
cp lib/libboundscheck.so /usr/lib64
- Replace the paths in the preceding commands with the actual ones.
- Store the security function library to the search path of the system dynamic library.
- Set the root public key of cert manager TA.
- Generate a root certificate.
openssl genrsa -out root.key 4096
openssl req -new -x509 -key root.key -out root.crt -subj "/C=CN/L=F/O=testRootCA/OU=ACS/CN=Root CA" -days 3650
- Extract the generated root public key.
openssl x509 -in root.crt -pubkey -noout -C
Figure 2 Example of a root public key
- Open the cert_config.h file. Replace the path with the actual one.
vim itrustee_sdk/test/TA/cert_manager/include/cert_config.h
- Press i to enter the insert mode and replace the root public key information in cert manager TA, that is, the content of the g_root_public_key array.

- Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- Compile cert manager CA.
cd itrustee_sdk/test/CA/cert_manager
make
cp certmanager /usr/bin

After the compilation is complete, a cert manager binary file is generated in the current directory and needs to be moved into the /usr/bin directory. The directory is specified in the cert manager TA code and can be replaced with the actual one.
- Compile cert manager TA.
Similar to common TAs, cert manager TA requires a TA developer certificate issued by Huawei. For details, see Applying for a TA Developer Certificate in a Debugging Environment.
- The cert manager, as a privileged TA, has the certificate import capability. When applying for a TA developer certificate, add the <sys_verify_ta> and <CERT_Permission> fields in the configs.xml file. An example of the configs.xml file:
<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
  <TA_Basic_Info>
    <service_name>rsa-demo</service_name>
    <uuid>f68fd704-6eb1-4d14-b218-722850eb3ef0</uuid>
  </TA_Basic_Info>
  <TA_Manifest_Info>
    <instance_keep_alive>false</instance_keep_alive>
    <stack_size>40960</stack_size>
    <heap_size>67928064</heap_size>
    <multi_command>false</multi_command>
    <multi_session>false</multi_session>
    <single_instance>true</single_instance>
    <sys_verify_ta>true</sys_verify_ta>
  </TA_Manifest_Info>
  <TA_Control_Info>
    <CERT_Info>
      <CERT_Permission>true</CERT_Permission>
    </CERT_Info>
  </TA_Control_Info>
</ConfigInfo>
- After obtaining the TA developer certificate and the config binary file, deploy the TA private key and config binary file of the cert manager to a path, for example:
itrustee_sdk/test/TA/certmanager/cloud/signed_config/config
itrustee_sdk/test/TA/certmanager/cloud/TA_cert/private_key.pem
- Go to the deployment path and perform compilation.
cd itrustee_sdk/test/TA/certmanager/cloud
make
cp *.sec /usr/bin

After cert manager TA is compiled successfully, a {uuid}.sec file is generated and needs to be deployed into the /usr/bin directory. This directory is specified in the cert manager CA code and can be replaced with the actual one.
If the <sys_verify_ta> tag is added to the configs.xml file, add the following field to the manifest.txt file:
gpd.ta.sys_verify_ta: true
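Because the <sys_verify_ta> flag has to be set in two places (configs.xml and manifest.txt) and the <CERT_Permission> flag is what makes the cert manager a privileged TA, a missing line in either file is easy to overlook until the TA fails to load. The following pre-flight check is an added example, not code from the iTrustee SDK or this page: the function names, the sed-based tag extraction and the two sample file sets it constructs are assumptions of this example; the tag names and the manifest line are the ones the page specifies.

```shell
#!/bin/sh
# Added example (not part of the iTrustee SDK): checks that the cert manager TA's
# configs.xml carries <sys_verify_ta>true</sys_verify_ta> and
# <CERT_Permission>true</CERT_Permission>, and that manifest.txt carries the matching
# "gpd.ta.sys_verify_ta: true" line whenever sys_verify_ta is set in the XML.
set -e

# xml_value FILE TAG -> prints the text of the first <TAG>...</TAG> element in FILE
xml_value() {
  sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# check_privileged_ta_config CONFIGS_XML MANIFEST_TXT
# returns 0 when the two files are consistent, 1 (with a reason on stdout) otherwise
check_privileged_ta_config() {
  cfg=$1; man=$2
  [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
  [ -f "$man" ] || { echo "missing $man"; return 1; }
  [ "$(xml_value "$cfg" CERT_Permission)" = "true" ] \
    || { echo "configs.xml: CERT_Permission must be true for a TA that imports certificates"; return 1; }
  [ "$(xml_value "$cfg" sys_verify_ta)" = "true" ] \
    || { echo "configs.xml: sys_verify_ta must be true for a system TA"; return 1; }
  # the manifest must repeat the flag, exactly as the page shows it
  grep -Eq '^gpd\.ta\.sys_verify_ta:[[:space:]]*true[[:space:]]*$' "$man" \
    || { echo "manifest.txt: sys_verify_ta is set in configs.xml but 'gpd.ta.sys_verify_ta: true' is missing"; return 1; }
  echo "OK: $cfg and $man are consistent"
  return 0
}

# make_sample_dir good|bad -> prints a temp directory holding constructed sample files
make_sample_dir() {
  dir=$(mktemp -d)
  cat > "$dir/configs.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
  <TA_Basic_Info>
    <service_name>rsa-demo</service_name>
    <uuid>f68fd704-6eb1-4d14-b218-722850eb3ef0</uuid>
  </TA_Basic_Info>
  <TA_Manifest_Info>
    <instance_keep_alive>false</instance_keep_alive>
    <stack_size>40960</stack_size>
    <heap_size>67928064</heap_size>
    <multi_command>false</multi_command>
    <multi_session>false</multi_session>
    <single_instance>true</single_instance>
    <sys_verify_ta>true</sys_verify_ta>
  </TA_Manifest_Info>
  <TA_Control_Info>
    <CERT_Info>
      <CERT_Permission>true</CERT_Permission>
    </CERT_Info>
  </TA_Control_Info>
</ConfigInfo>
EOF
  if [ "$1" = good ]; then
    printf 'gpd.ta.sys_verify_ta: true\n' > "$dir/manifest.txt"
  else
    # constructed failure case: the XML flag is set but the manifest line was forgotten
    printf '# constructed manifest that lacks the sys_verify_ta line\n' > "$dir/manifest.txt"
  fi
  echo "$dir"
}

good=$(make_sample_dir good)
check_privileged_ta_config "$good/configs.xml" "$good/manifest.txt"
bad=$(make_sample_dir bad)
check_privileged_ta_config "$bad/configs.xml" "$bad/manifest.txt" || echo "(rejected as expected)"
```

Run it against the real files with `check_privileged_ta_config path/to/configs.xml path/to/manifest.txt`; a non-zero exit with the printed reason is the signal to fix the file before requesting the developer certificate.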
- Generate a level-2 certificate for import based on the root certificate generated in step 2.
- Generate a CSR file for the level-2 certificate.
openssl genrsa -out second.key 4096
openssl req -new -key second.key -out second.csr -subj "/C=CN/L=F/O=testRootCA/OU=ACS/CN=Secondary CA"
- Prepare the certificate issuing configuration file openssl.cnf. See the following example for the configuration file:
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
subjectAltName=DNS:localhost,DNS:*.localhost
basicConstraints = critical,CA:true
keyUsage = cRLSign,keyCertSign
- Generate a level-2 certificate file. -CA indicates the root certificate path, -CAkey indicates the root key path, and -extfile indicates the path to the configuration file specified by the certificate.
openssl x509 -req -CA root.crt -CAkey root.key -CAcreateserial -in second.csr -out second.crt -sha256 -extfile openssl.cnf -extensions v3_ca -days 3650
- Convert the format of the level-2 certificate to DER.
openssl x509 -in second.crt -outform der -out second.der
- Run cert manager CA and cert manager TA to import the third-party level-2 certificate.
/usr/bin/certmanager import second.der

You can issue TA certificates and configuration files based on the level-2 certificate, and then participate in TA compilation to form service TAs. In this case, the secure OS allows loading only third-party TAs (TA certificates issued from your level-2 certificates) and system TAs (specified by the <sys_verify_ta> tag in the configs.xml file). The TAs with the certificates issued by Huawei fail to be loaded.
Generate a service TA certificate.
After you import the level-2 certificate, the secure OS uses the imported level-2 certificate to verify the service TA that is loaded later. Perform the following steps to generate a service TA certificate, a config certificate, and a config binary file, and finally form an available service TA.
- Generate a config certificate based on the imported level-2 certificate.
- Generate a CSR file for the config certificate.
When generating a CSR file for the config certificate, note that the CN field of the certificate subject must be iTrustee_Config.
openssl genrsa -out taconfig.key 4096
openssl req -new -key taconfig.key -out cert_req_01.csr -subj "/C=CN/L=F/O=testRootCA/OU=ACS/CN=iTrustee_Config"
- Generate a config certificate file. -CA indicates the root certificate path and -CAkey indicates the root key path.
openssl x509 -req -in cert_req_01.csr -CA ../second/second.crt -CAkey ../second/second.key -CAcreateserial -out taconfig.crt -sha256 -days 3650
- Convert the format of the config certificate to DER.
openssl x509 -in taconfig.crt -outform der -out taconfig.der
- Generate a service TA certificate based on the imported level-2 certificate.
- Generate a CSR file for the service TA certificate.
Generate a CSR file for the service TA certificate. The CN field is in the format of {service TA uuid}_{service TA server name}. Replace it with the actual value.
openssl genrsa -out private_key.pem 4096
openssl req -new -key private_key.pem -out cert_req_01.csr -subj "/C=CN/L=F/O=testRootCA/OU=ACS/CN=87709191-1633-4d4e-b39a-951a59d82fb2_third-demo"
- Generate a service TA certificate file. -CA indicates the root certificate path and -CAkey indicates the root key path.
openssl x509 -req -in cert_req_01.csr -CA ../second/second.crt -CAkey ../second/second.key -CAcreateserial -out tacert.crt -sha256 -days 3650
- Convert the format of the service TA certificate to DER.
openssl x509 -in tacert.crt -outform der -out ta_cert.der
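The level-2 certificate steps above and the config and service TA certificate steps that follow them produce a three-level hierarchy, and the secure OS will reject a service TA whose chain or subject is wrong only after the import. The script below is an added example, not code from the iTrustee SDK or this page: it builds the same hierarchy with the page's subjects and file names, then verifies every link and subject CN with openssl before second.der is handed to certmanager. The work directory, the KEY_BITS override, the helper names (issue, cert_cn, verify_chain) and the service TA uuid/name variables are assumptions of this example; the uuid and service name themselves are the page's demo values.

```shell
#!/bin/sh
# Added example (not part of the iTrustee SDK): build the demo certificate hierarchy
# root CA -> level-2 CA -> {config certificate, service TA certificate} and verify it.
set -e

WORK="${WORK:-$(mktemp -d)}"       # assumed work directory; the page uses relative paths
KEY_BITS="${KEY_BITS:-4096}"       # the page uses 4096-bit keys; lower it to speed up a demo run
TA_UUID="87709191-1633-4d4e-b39a-951a59d82fb2"
TA_NAME="third-demo"
SUBJ_BASE="/C=CN/L=F/O=testRootCA/OU=ACS"

# Extension section for the level-2 certificate, as given in the page's openssl.cnf.
write_ca_ext() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
subjectAltName=DNS:localhost,DNS:*.localhost
basicConstraints = critical,CA:true
keyUsage = cRLSign,keyCertSign
EOF
}

# issue NAME CN ISSUER_CRT ISSUER_KEY [extra openssl x509 arguments]
# Creates NAME.key, NAME.csr, NAME.crt and NAME.der under $WORK, signed by the issuer.
issue() {
  name=$1; cn=$2; ca=$3; cakey=$4; shift 4
  openssl genrsa -out "$WORK/$name.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$SUBJ_BASE/CN=$cn"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca" -CAkey "$WORK/$cakey" \
      -CAcreateserial -out "$WORK/$name.crt" -sha256 -days 3650 "$@" 2>/dev/null
  openssl x509 -in "$WORK/$name.crt" -outform der -out "$WORK/$name.der"
}

build_chain() {
  write_ca_ext
  # Root CA: self-signed; its public key is what gets compiled into cert manager TA.
  openssl genrsa -out "$WORK/root.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -key "$WORK/root.key" -out "$WORK/root.crt" \
      -subj "$SUBJ_BASE/CN=Root CA" -days 3650
  # Level-2 CA: the certificate that "certmanager import" loads into the TEE.
  issue second "Secondary CA" root.crt root.key -extfile "$WORK/openssl.cnf" -extensions v3_ca
  # Config certificate: the CN must be exactly iTrustee_Config.
  issue taconfig "iTrustee_Config" second.crt second.key
  # Service TA certificate: the CN is {service TA uuid}_{service TA name}.
  issue tacert "${TA_UUID}_${TA_NAME}" second.crt second.key
}

# cert_cn FILE -> prints the CN of the certificate subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# verify_chain -> 0 when every link and subject checks out, 1 with a reason otherwise
verify_chain() {
  # 1. the level-2 certificate chains to the root and is marked as a CA
  openssl verify -CAfile "$WORK/root.crt" "$WORK/second.crt" >/dev/null 2>&1 \
    || { echo "level-2 certificate does not verify against the root"; return 1; }
  openssl x509 -in "$WORK/second.crt" -noout -text | grep -q 'CA:TRUE' \
    || { echo "level-2 certificate lacks basicConstraints CA:true"; return 1; }
  # 2. both leaf certificates chain root -> level-2 -> leaf
  for leaf in taconfig tacert; do
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/second.crt" "$WORK/$leaf.crt" >/dev/null 2>&1 \
      || { echo "$leaf.crt does not chain to the level-2 certificate"; return 1; }
  done
  # 3. the subject CNs carry what the secure OS expects
  [ "$(cert_cn "$WORK/taconfig.crt")" = "iTrustee_Config" ] \
    || { echo "config certificate CN is not iTrustee_Config"; return 1; }
  [ "$(cert_cn "$WORK/tacert.crt")" = "${TA_UUID}_${TA_NAME}" ] \
    || { echo "service TA certificate CN is not {uuid}_{service name}"; return 1; }
  echo "chain OK: $WORK/second.der is ready for 'certmanager import'"
  return 0
}

build_chain
verify_chain
```

The three checks in verify_chain mirror the roles the page assigns to each certificate: the root public key fixed in cert manager TA must validate the level-2 certificate, the imported level-2 certificate must validate both leaves, and the leaf subjects must match the CN conventions (iTrustee_Config and {uuid}_{service name}) the later steps rely on.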
- Prepare the TEE resource configuration file configs.xml for the service TA.
- Create a file.
vim configs.xml
- Press i to enter the insert mode and add the following content:
<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
  <TA_Basic_Info>
    <service_name>third-demo</service_name>
    <uuid>87709191-1633-4d4e-b39a-951a59d82fb2</uuid>
  </TA_Basic_Info>
  <TA_Manifest_Info>
    <instance_keep_alive>false</instance_keep_alive>
    <stack_size>40960</stack_size>
    <heap_size>67928064</heap_size>
    <multi_command>false</multi_command>
    <multi_session>false</multi_session>
    <single_instance>true</single_instance>
  </TA_Manifest_Info>
</ConfigInfo>
- Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- Compile the config binary of the service TA based on the iTrustee SDK.
- Create a csv directory.
mkdir -p itrustee_sdk/build/pack-Config/xml2tlv_tools/csv
cp itrustee_sdk/build/signtools/tag_parse_dict.csv itrustee_sdk/build/pack-Config/xml2tlv_tools/csv
- Store the configs.xml file of the service TA.
mv configs.xml itrustee_sdk/build/pack-Config/input
- Store the config signature private key and config certificate.
mv taconfig.key itrustee_sdk/build/pack-Config/config_cert/config_cert_private.key
mv taconfig.der itrustee_sdk/build/pack-Config/config_cert/
- Store the service TA certificate.
mv ta_cert.der itrustee_sdk/build/pack-Config/ta_cert/
- Compile the config binary of the service TA.
cd itrustee_sdk/build/pack-Config
bash local_sign.sh
After the config binary is compiled, it is stored in the itrustee_sdk/build/pack-Config/output/ directory.

- Compile the service TA based on its public-private key pair and the previous config binary. The service TA is protected by the user's level-2 certificate signature. The methods for compiling and signing a service TA protected by the user's level-2 certificate are the same as those for a TA protected by the Huawei signature. For details about how to use the public-private key pair and config binary to compile the TA binary, see Setting Up the TA and CA Development Environment.
The private keys and certificates involved in the preceding steps are used for demonstration only. For security purposes, you are not advised to generate private keys and certificates in the production environment following the preceding steps. You should design your own methods and steps of using your private keys and certificates.
certmanager Command Reference
The cert manager supports certificate import, certificate import log query, certificate destruction, certificate export, and CRL import.
- certmanager import {cert.der}
- certmanager destroy
- certmanager export log
- certmanager export cert {cert.der}
When using this command, ensure that the {cert.der} file exists. The {cert.der} file saves the information about the certificate that has been imported to the secure OS.
- certmanager import_crl {cert.crl}
If no third-party level-2 certificate has been imported, you can import a CRL issued by Huawei. Before importing a third-party CRL, ensure that the corresponding third-party level-2 certificate has been imported.
