diff options
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/cert_create/include/cert.h | 2 | ||||
| -rw-r--r-- | tools/cert_create/include/key.h | 3 | ||||
| -rw-r--r-- | tools/cert_create/src/cert.c | 34 | ||||
| -rw-r--r-- | tools/cert_create/src/main.c | 8 |
4 files changed, 29 insertions, 18 deletions
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h index 543f1223..256e7afd 100644 --- a/tools/cert_create/include/cert.h +++ b/tools/cert_create/include/cert.h @@ -48,7 +48,7 @@ struct cert_s { int cert_init(void); cert_t *cert_get_by_opt(const char *opt); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); -int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); +int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); /* Macro to register the certificates used in the CoT */ #define REGISTER_COT(_certs) \ diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h index 4b9e8825..304fa615 100644 --- a/tools/cert_create/include/key.h +++ b/tools/cert_create/include/key.h @@ -22,7 +22,8 @@ enum { /* Supported key algorithms */ enum { - KEY_ALG_RSA, + KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */ + KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */ #ifndef OPENSSL_NO_EC KEY_ALG_ECDSA, #endif /* OPENSSL_NO_EC */ diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c index 9775664a..1b84e36d 100644 --- a/tools/cert_create/src/cert.c +++ b/tools/cert_create/src/cert.c @@ -79,7 +79,7 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) return 1; } -int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) +int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) { EVP_PKEY *pkey = keys[cert->key].key; cert_t *issuer_cert = &certs[cert->issuer]; @@ -90,7 +90,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) X509_NAME *name; ASN1_INTEGER *sno; int i, num, rc = 0; - EVP_MD_CTX mdCtx; + EVP_MD_CTX mdCtx; EVP_PKEY_CTX *pKeyCtx = NULL; /* Create the certificate structure */ @@ -112,24 +112,32 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) } EVP_MD_CTX_init(&mdCtx); + + /* Sign the certificate with the issuer key */ if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) { ERR_print_errors_fp(stdout); goto END; } - if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { - ERR_print_errors_fp(stdout); - goto END; - } + /* + * Set additional parameters if algorithm is RSA PSS. This is not + * required for RSA 1.5 or ECDSA. + */ + if (key_alg == KEY_ALG_RSA) { + if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { + ERR_print_errors_fp(stdout); + goto END; + } - if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) { - ERR_print_errors_fp(stdout); - goto END; - } + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) { + ERR_print_errors_fp(stdout); + goto END; + } - if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) { - ERR_print_errors_fp(stdout); - goto END; + if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) { + ERR_print_errors_fp(stdout); + goto END; + } } /* x509.v3 */ diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index f14601c8..df59961b 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -89,6 +89,7 @@ static char *strdup(const char *str) static const char *key_algs_str[] = { [KEY_ALG_RSA] = "rsa", + [KEY_ALG_RSA_1_5] = "rsa_1_5", #ifndef OPENSSL_NO_EC [KEY_ALG_ECDSA] = "ecdsa" #endif /* OPENSSL_NO_EC */ @@ -223,7 +224,8 @@ static const cmd_opt_t common_cmd_opt[] = { }, { { "key-alg", required_argument, NULL, 'a' }, - "Key algorithm: 'rsa' (default), 'ecdsa'" + "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \ +PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'" }, { { "save-keys", no_argument, NULL, 'k' }, @@ -450,8 +452,8 @@ int main(int argc, char *argv[]) sk_X509_EXTENSION_push(sk, cert_ext); } - /* Create certificate. Signed with ROT key */ - if (cert->fn && !cert_new(cert, VAL_DAYS, 0, sk)) { + /* Create certificate. Signed with corresponding key */ + if (cert->fn && !cert_new(key_alg, cert, VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", cert->cn); exit(1); } |