diff options
| author | Soby Mathew <soby.mathew@arm.com> | 2017-05-22 16:12:33 +0100 |
|---|---|---|
| committer | Soby Mathew <soby.mathew@arm.com> | 2017-06-05 12:25:27 +0100 |
| commit | 1f33ad4e9f86f2d72eb9640a834708e1a13496db (patch) | |
| tree | c592eadad3bbf62064ac704aa520f5645b1fa931 /tools | |
| parent | 1001202d24db95b4b812abee62ebeb9351710c1e (diff) | |
cert_create: Use RSASSA-PSS signature scheme for certificates
This patch modifies the `cert_create` tool to use RSASSA-PSS scheme for
signing the certificates. This is compliant with RSA PKCS_2_1 standard as
mandated by TBBR.
Note that the certificates generated by using cert_create tool after this
patch can be authenticated during TBB only if the corresponding mbedtls
driver in ARM Trusted Firmware has the corresponding support.
Change-Id: If224f41c76b3c4765ae2af5259e67f73602818a4
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/cert_create/src/cert.c | 40 |
1 files changed, 34 insertions, 6 deletions
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c index 80ccfe93..9775664a 100644 --- a/tools/cert_create/src/cert.c +++ b/tools/cert_create/src/cert.c @@ -10,6 +10,7 @@ #include <openssl/conf.h> #include <openssl/err.h> +#include <openssl/opensslv.h> #include <openssl/pem.h> #include <openssl/sha.h> #include <openssl/x509v3.h> @@ -27,6 +28,7 @@ #include "sha.h" #define SERIAL_RAND_BITS 64 +#define RSA_SALT_LEN 32 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) { @@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) return 1; } - int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) { EVP_PKEY *pkey = keys[cert->key].key; @@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) X509_EXTENSION *ex; X509_NAME *name; ASN1_INTEGER *sno; - int i, num; + int i, num, rc = 0; + EVP_MD_CTX mdCtx; + EVP_PKEY_CTX *pKeyCtx = NULL; /* Create the certificate structure */ x = X509_new(); @@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) issuer = x; } + EVP_MD_CTX_init(&mdCtx); + if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) { + ERR_print_errors_fp(stdout); + goto END; + } + + if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { + ERR_print_errors_fp(stdout); + goto END; + } + + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) { + ERR_print_errors_fp(stdout); + goto END; + } + + if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) { + ERR_print_errors_fp(stdout); + goto END; + } + /* x509.v3 */ X509_set_version(x, 2); @@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) } } - /* Sign the certificate with the issuer key */ - if (!X509_sign(x, ikey, EVP_sha256())) { + if (!X509_sign_ctx(x, &mdCtx)) { ERR_print_errors_fp(stdout); - return 0; + goto END; } + /* X509 certificate signed successfully */ + rc = 1; cert->x = x; - return 1; + +END: + EVP_MD_CTX_cleanup(&mdCtx); + return rc; } int cert_init(void) |