From 6a415a508ea6acec321e4609d3f8e5c03ba67664 Mon Sep 17 00:00:00 2001 From: Justin Chadwell Date: Mon, 9 Sep 2019 15:24:31 +0100 Subject: Remove RSA PKCS#1 v1.5 support from cert_tool Support for PKCS#1 v1.5 was deprecated in SHA 1001202 and fully removed in SHA fe199e3, however, cert_tool is still able to generate certificates in that form. This patch fully removes the ability for cert_tool to generate these certificates. Additionally, this patch also fixes a bug where the issuing certificate was a RSA and the issued certificate was EcDSA. In this case, the issued certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now that PKCS#1 v1.5 support is removed, all certificates that are signed with RSA now use the more modern padding scheme. Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a Signed-off-by: Justin Chadwell --- tools/cert_create/include/cert.h | 3 +-- tools/cert_create/include/key.h | 2 -- tools/cert_create/src/cert.c | 9 ++++----- tools/cert_create/src/key.c | 1 - tools/cert_create/src/main.c | 6 ++---- 5 files changed, 7 insertions(+), 14 deletions(-) (limited to 'tools') diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h index 39b45b58..6db9b579 100644 --- a/tools/cert_create/include/cert.h +++ b/tools/cert_create/include/cert.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -49,7 +49,6 @@ int cert_init(void); cert_t *cert_get_by_opt(const char *opt); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); int cert_new( - int key_alg, int md_alg, cert_t *cert, int days, diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h index c08beb8b..d96d9839 100644 --- a/tools/cert_create/include/key.h +++ b/tools/cert_create/include/key.h @@ -21,7 +21,6 @@ enum { /* Supported key algorithms */ enum { KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */ - KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */ #ifndef OPENSSL_NO_EC KEY_ALG_ECDSA, #endif /* OPENSSL_NO_EC */ @@ -42,7 +41,6 @@ enum{ /* NOTE: the first item in each array is the default key size */ static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = { { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */ - { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA_1_5 */ #ifndef OPENSSL_NO_EC {} /* KEY_ALG_ECDSA */ #endif /* OPENSSL_NO_EC */ diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c index 8e8aee69..c68a265b 100644 --- a/tools/cert_create/src/cert.c +++ b/tools/cert_create/src/cert.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -93,7 +93,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) } int cert_new( - int key_alg, int md_alg, cert_t *cert, int days, @@ -143,10 +142,10 @@ int cert_new( } /* - * Set additional parameters if algorithm is RSA PSS. This is not - * required for RSA 1.5 or ECDSA. + * Set additional parameters if issuing public key algorithm is RSA. + * This is not required for ECDSA. */ - if (key_alg == KEY_ALG_RSA) { + if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) { if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { ERR_print_errors_fp(stdout); goto END; diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c index 93d31f7c..0f80cce9 100644 --- a/tools/cert_create/src/key.c +++ b/tools/cert_create/src/key.c @@ -112,7 +112,6 @@ err: typedef int (*key_create_fn_t)(key_t *key, int key_bits); static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = { key_create_rsa, /* KEY_ALG_RSA */ - key_create_rsa, /* KEY_ALG_RSA_1_5 */ #ifndef OPENSSL_NO_EC key_create_ecdsa, /* KEY_ALG_ECDSA */ #endif /* OPENSSL_NO_EC */ diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index 44a65eb9..0cbd2196 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -92,7 +92,6 @@ static char *strdup(const char *str) static const char *key_algs_str[] = { [KEY_ALG_RSA] = "rsa", - [KEY_ALG_RSA_1_5] = "rsa_1_5", #ifndef OPENSSL_NO_EC [KEY_ALG_ECDSA] = "ecdsa" #endif /* OPENSSL_NO_EC */ @@ -277,8 +276,7 @@ static const cmd_opt_t common_cmd_opt[] = { }, { { "key-alg", required_argument, NULL, 'a' }, - "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \ -PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'" + "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'" }, { { "key-size", required_argument, NULL, 'b' }, @@ -545,7 +543,7 @@ int main(int argc, char *argv[]) } /* Create certificate. Signed with corresponding key */ - if (cert->fn && !cert_new(key_alg, hash_alg, cert, VAL_DAYS, 0, sk)) { + if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", cert->cn); exit(1); } -- cgit v1.2.3