Tcps cbor update, x509 CSR OID extension, and CyReP bug fixes (#5)

* Fixed key usage for device certificates.

* Changes to allow TCPS Agent to build. Added application datasheet to BarT

* Add support to embed custom OIDs into CSR and generate a cert out of CSR

* Fix emulator release

* Switch to memcpy as = was crashing due to memory alignment in TAs.

* Removed references to internal functionality not exposed from tinycbor, updated to latest reference.

.gitmodules

@@ -1,3 +1,4 @@
 [submodule "External/tinycbor"]
 	path = External/tinycbor
 	url = https://github.com/intel/tinycbor.git
+	branch = dev

CyReP/RiotDerEnc.c

@@ -409,7 +409,6 @@ DERAddOctetString(
     return -1;
 }
 
-
 int
 DERStartSequenceOrSet(
     DERBuilderContext   *Context,
@@ -446,6 +445,7 @@ DERStartExplicit(
 Error:
     return -1;
 }
+
 int
 DERStartEnvelopingOctetString(
     DERBuilderContext   *Context

CyReP/RiotEcc.c

@@ -1023,7 +1023,10 @@ big_divide(bigval_t *tgt, bigval_t const *num, bigval_t const *den,
 {
     bigval_t u, v, x1, x2;
 
-    u = *den;
+    // using memcpy instead of dereference with assignment, as the latter
+    // is crashing OPTEE TAs (issues with alignment)
+    // u = *den;
+    memcpy(&u, den, sizeof(u));
     v = *modulus;
     x1 = *num;
     x2 = big_zero;

CyReP/RiotKdf.c

@@ -56,6 +56,7 @@ size_t RIOT_KDF_FIXED(
 {
     size_t          total = (((label) ? labelSize : 0) + ((context) ? contextSize : 0) + 5);
 
+    fixedSize; // unreferenced parameter
     assert(fixedSize >= total);
 
     if (label) {

CyReP/RiotX509Bldr.c

@@ -23,6 +23,7 @@ static int tcpsOID[] = { 2,23,133,5,4,2,-1 };
 static int ecdsaWithSHA256OID[] = { 1,2,840,10045,4,3,2,-1 };
 static int ecPublicKeyOID[] = { 1,2,840,10045, 2,1,-1 };
 static int prime256v1OID[] = { 1,2,840,10045, 3,1,7,-1 };
+static int extensionRequestOID[] = { 1,2,840,113549,1,9,14,-1 };
 static int keyUsageOID[] = { 2,5,29,15,-1 };
 static int extKeyUsageOID[] = { 2,5,29,37,-1 };
 //static int subjectAltNameOID[] = { 2,5,29,17,-1 };
@@ -34,7 +35,7 @@ static int countryNameOID[] = { 2,5,4,6,-1 };
 static int orgNameOID[] = { 2,5,4,10,-1 };
 static int basicConstraintsOID[] = { 2,5,29,19,-1 };
 static int subjectKeyIdentifierOID[] = { 2,5,29,14,-1 };
-static int authorityKeyIdentifierOID[] = { 2,5,29,1,-1 };
+static int authorityKeyIdentifierOID[] = { 2,5,29,35,-1 };
 
 #ifdef __GNUC__
 #pragma GCC diagnostic push
@@ -56,7 +57,9 @@ X509AddExtensions(
     uint32_t             FwidLen,
     uint8_t             *Tcps,
     uint32_t             TcpsLen,
-    int32_t              PathLen
+    int32_t              PathLen,
+    const uint8_t*       ExtensionBuffer,
+    uint32_t             ExtensionBufferSize
 )
 // Create the RIoT extensions.  The RIoT subject altName + extended key usage.
 {
@@ -87,7 +90,7 @@ X509AddExtensions(
         CHK(            DERAddBoolean(Tbs, true));
         CHK(            DERStartEnvelopingOctetString(Tbs));
         CHK(                DERStartSequenceOrSet(Tbs, true));
-        if(PathLen > 0)
+        if (PathLen > 0)
         {
             CHK(                DERAddBoolean(Tbs, true));
             CHK(                DERAddInteger(Tbs, PathLen));
@@ -122,7 +125,7 @@ X509AddExtensions(
         CHK(            DERPopNesting(Tbs));
         CHK(        DERPopNesting(Tbs));
     }
-    if (TcpsLen == 0)
+    if (TcpsLen == 0 && ExtensionBufferSize == 0) // riotOID
     {
         CHK(        DERStartSequenceOrSet(Tbs, true));
         CHK(            DERAddOID(Tbs, riotOID));
@@ -144,7 +147,7 @@ X509AddExtensions(
         CHK(            DERPopNesting(Tbs));
         CHK(        DERPopNesting(Tbs));
     }
-    else
+    else if (ExtensionBufferSize == 0) // tcpsOID
     {
         CHK(    DERStartSequenceOrSet(Tbs, true));
         CHK(        DERAddOID(Tbs, tcpsOID));
@@ -153,6 +156,15 @@ X509AddExtensions(
         CHK(        DERPopNesting(Tbs));
         CHK(    DERPopNesting(Tbs));
     }
+    else // OID buffer
+    {
+        if (Tbs->Length - Tbs->Position < ExtensionBufferSize)
+        {
+            goto Error;
+        }
+        memcpy(Tbs->Buffer + Tbs->Position, ExtensionBuffer, ExtensionBufferSize);
+        Tbs->Position += ExtensionBufferSize;
+    }
     CHK(    DERPopNesting(Tbs));
     CHK(DERPopNesting(Tbs));
 
@@ -177,7 +189,7 @@ X509AddX501Name(
     CHK(                DERAddUTF8String(Context, CommonName));
     CHK(            DERPopNesting(Context));
     CHK(        DERPopNesting(Context));
-    if(CountryName != NULL)
+    if (CountryName != NULL)
     {
         CHK(        DERStartSequenceOrSet(Context, false));
         CHK(            DERStartSequenceOrSet(Context, true));
@@ -186,7 +198,7 @@ X509AddX501Name(
         CHK(            DERPopNesting(Context));
         CHK(        DERPopNesting(Context));
     }
-    if(OrgName != NULL)
+    if (OrgName != NULL)
     {
         CHK(        DERStartSequenceOrSet(Context, false));
         CHK(            DERStartSequenceOrSet(Context, true));
@@ -263,7 +275,7 @@ X509GetDeviceCertTBS(
     CHK(                    DERPopNesting(Tbs));
     CHK(                DERPopNesting(Tbs));
     CHK(            DERPopNesting(Tbs));
-    if(PathLength >= 0)
+    if (PathLength >= 0)
     {
         CHK(            DERStartSequenceOrSet(Tbs, true));
         CHK(                DERAddOID(Tbs, basicConstraintsOID));
@@ -283,7 +295,7 @@ X509GetDeviceCertTBS(
         CHK(                DERPopNesting(Tbs));
         CHK(            DERPopNesting(Tbs));
     }
-    if(PathLength > 0)
+    if (PathLength > 0)
     {
         CHK(        DERStartSequenceOrSet(Tbs, true));
         CHK(            DERAddOID(Tbs, keyUsageOID));
@@ -419,7 +431,7 @@ X509GetAliasCertTBS(
     CHK(        DERAddBitString(Tbs, encBuffer, encBufferLen));
     CHK(    DERPopNesting(Tbs));
             RiotCrypt_ExportEccPub(DevIdKeyPub, encBuffer, &encBufferLen);
-    CHK(    X509AddExtensions(Tbs, encBuffer, encBufferLen, subjectKeyId, sizeof(subjectKeyId), Fwid, FwidLen, Tcps, TcpsLen, PathLen));
+    CHK(    X509AddExtensions(Tbs, encBuffer, encBufferLen, subjectKeyId, sizeof(subjectKeyId), Fwid, FwidLen, Tcps, TcpsLen, PathLen, NULL, 0));
     CHK(DERPopNesting(Tbs));
 
     ASRT(DERGetNestingDepth(Tbs) == 0);
@@ -429,6 +441,57 @@ X509GetAliasCertTBS(
     return -1;
 }
 
+int
+X509GetCSRCertTBS(
+    DERBuilderContext           *Tbs,
+    RIOT_X509_TBS_DATA          *TbsData,
+    const RIOT_ECC_PUBLIC       *CsrKeyPub,
+    const RIOT_ECC_PUBLIC       *AuthorityKeyPub,
+    int32_t                     PathLen,
+    const uint8_t               *SubjectKeyDerBuffer,
+    uint32_t                    SubjectKeyDerBufferSize,
+    const uint8_t               *ExtensionDerBuffer,
+    uint32_t                    ExtensionDerBufferSize
+)
+{
+    uint8_t     encBuffer[65];
+    uint32_t    encBufferLen;
+    uint8_t     subjectKeyId[RIOT_DIGEST_LENGTH];
+
+    CHK(DERStartSequenceOrSet(Tbs, true));
+    CHK(    DERAddShortExplicitInteger(Tbs, 2));
+    CHK(    DERAddIntegerFromArray(Tbs, TbsData->SerialNum, RIOT_X509_SNUM_LEN));
+    CHK(    DERStartSequenceOrSet(Tbs, true));
+    CHK(        DERAddOID(Tbs, ecdsaWithSHA256OID));
+    CHK(    DERPopNesting(Tbs));
+    CHK(    X509AddX501Name(Tbs, TbsData->IssuerCommon, TbsData->IssuerOrg, TbsData->IssuerCountry));
+    CHK(    DERStartSequenceOrSet(Tbs, true));
+    CHK(        DERAddUTCTime(Tbs, TbsData->ValidFrom));
+    CHK(        DERAddUTCTime(Tbs, TbsData->ValidTo));
+    CHK(    DERPopNesting(Tbs));
+
+    if (Tbs->Length - Tbs->Position < SubjectKeyDerBufferSize)
+    {
+        goto Error;
+    }
+
+    memcpy(Tbs->Buffer + Tbs->Position, SubjectKeyDerBuffer, SubjectKeyDerBufferSize);
+    Tbs->Position += SubjectKeyDerBufferSize;
+
+    RiotCrypt_ExportEccPub(CsrKeyPub, encBuffer, &encBufferLen);
+    RiotCrypt_Hash(subjectKeyId, sizeof(subjectKeyId), encBuffer, encBufferLen);
+
+    RiotCrypt_ExportEccPub(AuthorityKeyPub, encBuffer, &encBufferLen);
+    CHK(    X509AddExtensions(Tbs, encBuffer, encBufferLen, subjectKeyId, sizeof(subjectKeyId), NULL, 0, NULL, 0, PathLen, ExtensionDerBuffer, ExtensionDerBufferSize));
+    CHK(DERPopNesting(Tbs));
+
+    ASRT(DERGetNestingDepth(Tbs) == 0);
+    return 0;
+
+Error:
+    return -1;
+}
+
 int 
 X509MakeAliasCert(
     DERBuilderContext   *AliasCert,
@@ -518,10 +581,12 @@ X509GetDEREcc(
 }
 
 int
-X509GetDERCsrTbs(
+X509GetDERCsrTBS(
     DERBuilderContext       *Context,
     RIOT_X509_TBS_DATA      *TbsData,
-    const RIOT_ECC_PUBLIC   *DeviceIDPub
+    const RIOT_ECC_PUBLIC   *DeviceIDPub,
+    RIOT_X509_OID           *OidExtensions,
+    const size_t            OidExtensionsCount
 )
 {
     uint8_t     encBuffer[65];
@@ -538,8 +603,28 @@ X509GetDERCsrTbs(
                 RiotCrypt_ExportEccPub(DeviceIDPub, encBuffer, &encBufferLen);
     CHK(        DERAddBitString(Context, encBuffer, encBufferLen));
     CHK(    DERPopNesting(Context));
-    CHK(DERStartExplicit(Context,0));
-    CHK(DERPopNesting(Context));
+
+    CHK(    DERStartExplicit(Context, 0));
+    CHK(        DERStartSequenceOrSet(Context, true));
+    CHK(            DERAddOID(Context, extensionRequestOID));
+    CHK(            DERStartSequenceOrSet(Context, false));
+    CHK(                DERStartSequenceOrSet(Context, true));
+
+    for (size_t i = 0; i < OidExtensionsCount; i++)
+    {
+        CHK(                DERStartSequenceOrSet(Context, true));
+        CHK(                    DERAddOID(Context, OidExtensions[i].Oid));
+        CHK(                    DERStartEnvelopingOctetString(Context));
+        CHK(                        DERAddOctetString(Context, OidExtensions[i].DerBuffer, OidExtensions[i].DerBufferSize));
+        CHK(                    DERPopNesting(Context));
+        CHK(                DERPopNesting(Context));
+    }
+
+    CHK(                DERPopNesting(Context));
+    CHK(            DERPopNesting(Context));
+    CHK(        DERPopNesting(Context));
+
+    CHK(    DERPopNesting(Context));
     CHK(DERPopNesting(Context));
 
     ASRT(DERGetNestingDepth(Context) == 0);
@@ -638,7 +723,7 @@ X509GetRootCertTBS(
     CHK(                    DERAddBitString(Tbs, keyUsageCA, sizeof(keyUsageCA)));
     CHK(                DERPopNesting(Tbs));
     CHK(            DERPopNesting(Tbs));
-    if(PathLength >= 0)
+    if (PathLength >= 0)
     {
         CHK(            DERStartSequenceOrSet(Tbs, true));
         CHK(                DERAddOID(Tbs, basicConstraintsOID));

CyReP/cyrep/RiotX509Bldr.h

@@ -33,6 +33,14 @@ typedef struct
     const char *SubjectCountry;
 } RIOT_X509_TBS_DATA;
 
+
+typedef struct
+{
+    int* Oid;
+    uint8_t* DerBuffer;
+    uint32_t DerBufferSize;
+} RIOT_X509_OID;
+
 int
 X509GetDeviceCertTBS(
     DERBuilderContext   *Tbs,
@@ -83,10 +91,25 @@ X509GetDEREcc(
 );
 
 int
-X509GetDERCsrTbs(
+X509GetDERCsrTBS(
     DERBuilderContext       *Context,
     RIOT_X509_TBS_DATA      *TbsData,
-    const RIOT_ECC_PUBLIC   *DeviceIDPub
+    const RIOT_ECC_PUBLIC   *DeviceIDPub,
+    RIOT_X509_OID           *OidExtensions,
+    const size_t            OidExtensionsCount
+);
+
+int
+X509GetCSRCertTBS(
+    DERBuilderContext           *Tbs,
+    RIOT_X509_TBS_DATA          *TbsData,
+    const RIOT_ECC_PUBLIC       *CsrKeyPub,
+    const RIOT_ECC_PUBLIC       *AuthorityKeyPub,
+    int32_t                     PathLen,
+    const uint8_t               *SubjectKeyDerBuffer,
+    uint32_t                    SubjectKeyDerBufferSize,
+    const uint8_t               *ExtensionDerBuffer,
+    uint32_t                    ExtensionDerBufferSize
 );
 
 int