diff options
author | Justin Chadwell <justin.chadwell@arm.com> | 2019-09-09 15:24:31 +0100 |
---|---|---|
committer | Justin Chadwell <justin.chadwell@arm.com> | 2019-09-12 15:27:41 +0100 |
commit | 6a415a508ea6acec321e4609d3f8e5c03ba67664 (patch) | |
tree | 611f85b28280488052a30368bc28bbd5b2198716 /drivers | |
parent | f29213d9e3c82f8b43e42023d5b39e097d86ff18 (diff) |
Remove RSA PKCS#1 v1.5 support from cert_tool
Support for PKCS#1 v1.5 was deprecated in SHA 1001202 and fully removed
in SHA fe199e3, however, cert_tool is still able to generate
certificates in that form. This patch fully removes the ability for
cert_tool to generate these certificates.
Additionally, this patch also fixes a bug where the issuing certificate
was a RSA and the issued certificate was EcDSA. In this case, the issued
certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
that PKCS#1 v1.5 support is removed, all certificates that are signed
with RSA now use the more modern padding scheme.
Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/auth/mbedtls/mbedtls_common.mk | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk index f34d3d00..4b830154 100644 --- a/drivers/auth/mbedtls/mbedtls_common.mk +++ b/drivers/auth/mbedtls/mbedtls_common.mk @@ -48,9 +48,9 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \ ) # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key -# algorithm to use. If the variable is not defined, select it based on algorithm -# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is -# defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`. +# algorithm to use. If the variable is not defined, select it based on +# algorithm used for key generation `KEY_ALG`. If `KEY_ALG` is not defined, +# then it is set to `rsa`. ifeq (${TF_MBEDTLS_KEY_ALG},) ifeq (${KEY_ALG}, ecdsa) TF_MBEDTLS_KEY_ALG := ecdsa |