diff options
author | Soby Mathew <soby.mathew@arm.com> | 2017-08-31 11:50:29 +0100 |
---|---|---|
committer | Soby Mathew <soby.mathew@arm.com> | 2017-08-31 16:42:11 +0100 |
commit | a8eb286adaa73e86305317b9cae15d41c57de8e7 (patch) | |
tree | dfb4cbd2168a73d0dabf2e2472e9a414a40dc916 /tools | |
parent | 2091755c5e3b8d94333b9aad742e61db9d754cc5 (diff) |
cert_tool: Support for legacy RSA PKCS#1 v1.5
This patch enables choice of RSA version at run time to be used for
generating signatures by the cert_tool. The RSA PSS as defined in
PKCS#1 v2.1 becomes the default version and this patch enables to specify
the RSA PKCS#1 v1.5 algorithm to `cert_create` through the command line
-a option. Also, the build option `KEY_ALG` can be used to pass this
option from the build system. Please note that RSA PSS is mandated
by Trusted Board Boot requirements (TBBR) and legacy RSA support is
being added for compatibility reasons.
Fixes ARM-Software/tf-issues#499
Change-Id: Ifaa3f2f7c9b43f3d7b3effe2cde76bf6745a5d73
Co-Authored-By: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/cert_create/include/cert.h | 2 | ||||
-rw-r--r-- | tools/cert_create/include/key.h | 3 | ||||
-rw-r--r-- | tools/cert_create/src/cert.c | 34 | ||||
-rw-r--r-- | tools/cert_create/src/main.c | 8 |
4 files changed, 29 insertions, 18 deletions
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h index 543f1223..256e7afd 100644 --- a/tools/cert_create/include/cert.h +++ b/tools/cert_create/include/cert.h @@ -48,7 +48,7 @@ struct cert_s { int cert_init(void); cert_t *cert_get_by_opt(const char *opt); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); -int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); +int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); /* Macro to register the certificates used in the CoT */ #define REGISTER_COT(_certs) \ diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h index 4b9e8825..304fa615 100644 --- a/tools/cert_create/include/key.h +++ b/tools/cert_create/include/key.h @@ -22,7 +22,8 @@ enum { /* Supported key algorithms */ enum { - KEY_ALG_RSA, + KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */ + KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */ #ifndef OPENSSL_NO_EC KEY_ALG_ECDSA, #endif /* OPENSSL_NO_EC */ diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c index 9775664a..1b84e36d 100644 --- a/tools/cert_create/src/cert.c +++ b/tools/cert_create/src/cert.c @@ -79,7 +79,7 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) return 1; } -int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) +int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) { EVP_PKEY *pkey = keys[cert->key].key; cert_t *issuer_cert = &certs[cert->issuer]; @@ -90,7 +90,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) X509_NAME *name; ASN1_INTEGER *sno; int i, num, rc = 0; - EVP_MD_CTX mdCtx; + EVP_MD_CTX mdCtx; EVP_PKEY_CTX *pKeyCtx = NULL; /* Create the certificate structure */ @@ -112,24 +112,32 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) } EVP_MD_CTX_init(&mdCtx); + + /* Sign the certificate with the issuer key */ if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) { ERR_print_errors_fp(stdout); goto END; } - if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { - ERR_print_errors_fp(stdout); - goto END; - } + /* + * Set additional parameters if algorithm is RSA PSS. This is not + * required for RSA 1.5 or ECDSA. + */ + if (key_alg == KEY_ALG_RSA) { + if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { + ERR_print_errors_fp(stdout); + goto END; + } - if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) { - ERR_print_errors_fp(stdout); - goto END; - } + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) { + ERR_print_errors_fp(stdout); + goto END; + } - if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) { - ERR_print_errors_fp(stdout); - goto END; + if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) { + ERR_print_errors_fp(stdout); + goto END; + } } /* x509.v3 */ diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index f14601c8..df59961b 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -89,6 +89,7 @@ static char *strdup(const char *str) static const char *key_algs_str[] = { [KEY_ALG_RSA] = "rsa", + [KEY_ALG_RSA_1_5] = "rsa_1_5", #ifndef OPENSSL_NO_EC [KEY_ALG_ECDSA] = "ecdsa" #endif /* OPENSSL_NO_EC */ @@ -223,7 +224,8 @@ static const cmd_opt_t common_cmd_opt[] = { }, { { "key-alg", required_argument, NULL, 'a' }, - "Key algorithm: 'rsa' (default), 'ecdsa'" + "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \ +PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'" }, { { "save-keys", no_argument, NULL, 'k' }, @@ -450,8 +452,8 @@ int main(int argc, char *argv[]) sk_X509_EXTENSION_push(sk, cert_ext); } - /* Create certificate. Signed with ROT key */ - if (cert->fn && !cert_new(cert, VAL_DAYS, 0, sk)) { + /* Create certificate. Signed with corresponding key */ + if (cert->fn && !cert_new(key_alg, cert, VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", cert->cn); exit(1); } |