Add logic to flash certificates

Author: silvanocerza

flasher/certificate.go

@@ -0,0 +1,85 @@
+/*
+  FirmwareUploader
+  Copyright (c) 2021 Arduino LLC.  All right reserved.
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+package flasher
+
+import (
+	"bytes"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/binary"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+func calculateNameSha1(cert *x509.Certificate) (b []byte, err error) {
+	nameSha1 := sha1.New()
+
+	var subjectDistinguishedNameSequence pkix.RDNSequence
+
+	if _, err = asn1.Unmarshal(cert.RawSubject, &subjectDistinguishedNameSequence); err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	for _, dn := range subjectDistinguishedNameSequence {
+		nameSha1.Write([]byte(dn[0].Value.(string)))
+	}
+
+	b = nameSha1.Sum(nil)
+
+	return
+}
+
+func convertTime(time time.Time) (b []byte, err error) {
+	asn1Bytes, err := asn1.Marshal(time)
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	b = bytes.Repeat([]byte{0x00}, 20) // value must be zero bytes
+	copy(b, asn1Bytes[2:])             // copy but drop the first two bytes
+
+	return
+}
+
+func modulusN(publicKey rsa.PublicKey) []byte {
+	return publicKey.N.Bytes()
+}
+
+func publicExponent(publicKey rsa.PublicKey) (b []byte) {
+	b = make([]byte, 4)
+	binary.BigEndian.PutUint32(b, uint32(publicKey.E))
+	// strip leading zeros
+	for b[0] == 0 {
+		b = b[1:]
+	}
+	return
+}
+
+func uint16ToBytes(i int) (b []byte) {
+	b = make([]byte, 2)
+	binary.LittleEndian.PutUint16(b, uint16(i))
+	return
+}

flasher/flasher.go

@@ -45,7 +45,7 @@ func (e FlasherError) Error() string {
 
 type Flasher interface {
 	FlashFirmware(firmwareFile *paths.Path) error
-	FlashCertificates(certificatePaths *paths.PathList) error
+	FlashCertificates(certificatePaths *paths.PathList, URLs []string) error
 	Close() error
 
 	hello() error

flasher/nina.go

@@ -22,7 +22,10 @@ package flasher
 import (
 	"bytes"
 	"crypto/md5"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/binary"
+	"encoding/pem"
 	"fmt"
 	"strconv"
 	"time"
@@ -82,9 +85,85 @@ func (f *NinaFlasher) FlashFirmware(firmwareFile *paths.Path) error {
 	return f.md5sum(data)
 }
 
-func (f *NinaFlasher) FlashCertificates(certificatePaths *paths.PathList) error {
-	// TODO
-	return nil
+func (f *NinaFlasher) FlashCertificates(certificatePaths *paths.PathList, URLs []string) error {
+	var certificatesData []byte
+	for _, certPath := range *certificatePaths {
+		logrus.Infof("Converting and flashing certificate %s", certPath)
+
+		data, err := f.certificateFromFile(certPath)
+		if err != nil {
+			return err
+		}
+		certificatesData = append(certificatesData, data...)
+	}
+
+	for _, URL := range URLs {
+		logrus.Infof("Converting and flashing certificate from %s", URL)
+		data, err := f.certificateFromURL(URL)
+		if err != nil {
+			return err
+		}
+		certificatesData = append(certificatesData, data...)
+	}
+
+	certificatesDataLimit := 0x20000
+	if len(certificatesData) > certificatesDataLimit {
+		err := fmt.Errorf("certificates data %d exceeds limit of %d bytes", len(certificatesData), certificatesDataLimit)
+		logrus.Error(err)
+		return err
+	}
+
+	// Pad certificatesData to flash page
+	for len(certificatesData)%int(f.payloadSize) != 0 {
+		certificatesData = append(certificatesData, 0)
+	}
+
+	certificatesOffset := 0x10000
+	return f.flashChunk(certificatesOffset, certificatesData)
+}
+
+func (f *NinaFlasher) certificateFromFile(certificateFile *paths.Path) ([]byte, error) {
+	data, err := certificateFile.ReadFile()
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	cert, err := x509.ParseCertificate(data)
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), nil
+}
+
+func (f *NinaFlasher) certificateFromURL(URL string) ([]byte, error) {
+	config := &tls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	conn, err := tls.Dial("tcp", URL, config)
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+	defer conn.Close()
+
+	if err := conn.Handshake(); err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	peerCertificates := conn.ConnectionState().PeerCertificates
+	if len(peerCertificates) == 0 {
+		err = fmt.Errorf("no peer certificates found at %s", URL)
+		logrus.Error(err)
+		return nil, err
+	}
+
+	rootCertificate := peerCertificates[len(peerCertificates)-1]
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCertificate.Raw}), nil
 }
 
 // Close the port used by this flasher

flasher/sara.go

@@ -104,9 +104,8 @@ func (f *SaraFlasher) FlashFirmware(firmwareFile *paths.Path) error {
 	return err
 }
 
-func (f *SaraFlasher) FlashCertificates(certificatePaths *paths.PathList) error {
-	// TODO
-	return nil
+func (f *SaraFlasher) FlashCertificates(certificatePaths *paths.PathList, URLs []string) error {
+	return fmt.Errorf("not supported by SaraFlasher")
 }
 
 func (f *SaraFlasher) Close() error {

flasher/winc.go

@@ -21,6 +21,9 @@ package flasher
 
 import (
 	"bytes"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -68,9 +71,113 @@ func (f *WincFlasher) FlashFirmware(firmwareFile *paths.Path) error {
 	return f.flashChunk(firmwareOffset, data)
 }
 
-func (f *WincFlasher) FlashCertificates(certificatePaths *paths.PathList) error {
-	// TODO
-	return nil
+func (f *WincFlasher) FlashCertificates(certificatePaths *paths.PathList, URLs []string) error {
+	var certificatesData []byte
+	certificatesNumber := 0
+	for _, certPath := range *certificatePaths {
+		logrus.Infof("Converting and flashing certificate %s", certPath)
+
+		data, err := f.certificateFromFile(certPath)
+		if err != nil {
+			return err
+		}
+		certificatesData = append(certificatesData, data...)
+		certificatesNumber++
+	}
+
+	for _, URL := range URLs {
+		logrus.Infof("Converting and flashing certificate from %s", URL)
+		data, err := f.certificateFromURL(URL)
+		if err != nil {
+			return err
+		}
+		certificatesData = append(certificatesData, data...)
+		certificatesNumber++
+	}
+
+	certificatesOffset := 0x4000
+	return f.flashChunk(certificatesOffset, certificatesData)
+}
+
+func (f *WincFlasher) certificateFromFile(certificateFile *paths.Path) ([]byte, error) {
+	data, err := certificateFile.ReadFile()
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	cert, err := x509.ParseCertificate(data)
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	return f.getCertificateData(cert)
+}
+
+func (f *WincFlasher) certificateFromURL(URL string) ([]byte, error) {
+	config := &tls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	conn, err := tls.Dial("tcp", URL, config)
+	if err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+	defer conn.Close()
+
+	if err := conn.Handshake(); err != nil {
+		logrus.Error(err)
+		return nil, err
+	}
+
+	peerCertificates := conn.ConnectionState().PeerCertificates
+	if len(peerCertificates) == 0 {
+		err = fmt.Errorf("no peer certificates found at %s", URL)
+		logrus.Error(err)
+		return nil, err
+	}
+	rootCertificate := peerCertificates[len(peerCertificates)-1]
+	return f.getCertificateData(rootCertificate)
+}
+
+func (f *WincFlasher) getCertificateData(cert *x509.Certificate) ([]byte, error) {
+	b := []byte{}
+	nameSHA1Bytes, err := calculateNameSha1(cert)
+	if err != nil {
+		return nil, err
+	}
+
+	notBeforeBytes, err := convertTime(cert.NotBefore)
+	if err != nil {
+		return nil, err
+	}
+
+	notAfterBytes, err := convertTime(cert.NotAfter)
+	if err != nil {
+		return nil, err
+	}
+
+	rsaPublicKey := *cert.PublicKey.(*rsa.PublicKey)
+
+	rsaModulusNBytes := modulusN(rsaPublicKey)
+	rsaPublicExponentBytes := publicExponent(rsaPublicKey)
+
+	rsaModulusNLenBytes := uint16ToBytes(len(rsaModulusNBytes))
+	rsaPublicExponentLenBytes := uint16ToBytes(len(rsaPublicExponentBytes))
+
+	b = append(b, nameSHA1Bytes...)
+	b = append(b, rsaModulusNLenBytes...)
+	b = append(b, rsaPublicExponentLenBytes...)
+	b = append(b, notBeforeBytes...)
+	b = append(b, notAfterBytes...)
+	b = append(b, rsaModulusNBytes...)
+	b = append(b, rsaPublicExponentBytes...)
+	for (len(b) & 3) != 0 {
+		b = append(b, 0xff) // padding
+	}
+	return b, nil
 }
 
 func (f *WincFlasher) Close() error {