From 742c4e1433162efd625bbecada2106a10ed7f46b Mon Sep 17 00:00:00 2001
From: Michalis Pappas
Date: Fri, 6 Oct 2017 16:11:44 +0800
Subject: cert_tool: update for compatibility with OpenSSL v1.1

This patch fixes incompatibility issues that prevent building the cert_tool with OpenSSL >= v1.1.0. The changes introduced are still backwards compatible with OpenSSL v1.0.2.

Fixes arm-software/trusted-fw#521

Signed-off-by: Michalis Pappas
---
 tools/cert_create/src/cert.c | 14 +++++++++-----
 tools/cert_create/src/ext.c | 2 +-
 tools/cert_create/src/key.c | 23 +++++++++++++++++++++--
 tools/cert_create/src/main.c | 2 +-
 4 files changed, 32 insertions(+), 9 deletions(-)

(limited to 'tools')

diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 1b84e36d..3f0b4d36 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -90,7 +90,7 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
 X509_NAME *name;
 ASN1_INTEGER *sno;
 int i, num, rc = 0;
- EVP_MD_CTX mdCtx;
+ EVP_MD_CTX *mdCtx;
 EVP_PKEY_CTX *pKeyCtx = NULL;
 /* Create the certificate structure */
@@ -111,10 +111,14 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
 issuer = x;
 }
- EVP_MD_CTX_init(&mdCtx);
+ mdCtx = EVP_MD_CTX_create();
+ if (mdCtx == NULL) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
 /* Sign the certificate with the issuer key */
- if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
+ if (!EVP_DigestSignInit(mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
 ERR_print_errors_fp(stdout);
 goto END;
 }
@@ -184,7 +188,7 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
 }
 }
- if (!X509_sign_ctx(x, &mdCtx)) {
+ if (!X509_sign_ctx(x, mdCtx)) {
 ERR_print_errors_fp(stdout);
 goto END;
 }
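Review bot: `EVP_MD_CTX *mdCtx;` in the -90 hunk is left indeterminate until `EVP_MD_CTX_create()` runs in the -111 hunk, yet the `END:` label (in the -194 hunk) unconditionally calls `EVP_MD_CTX_destroy(mdCtx)`. Any `goto END` or other early exit between the declaration and the create call — the X509_new/issuer-key setup lives outside these hunks, so I can't confirm whether one exists — would hand a garbage pointer to the destroy call. Initialise it the way `pKeyCtx` already is on the next line: `EVP_MD_CTX *mdCtx = NULL;`. EVP_MD_CTX_destroy() ignores NULL in both 1.0.2 and 1.1, so the END path stays correct on every route. cert_new's body starts and ends outside this hunk.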
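Review bot: The allocation added in the -111 hunk uses the 1.0.2 spelling `EVP_MD_CTX_create()` (paired with `EVP_MD_CTX_destroy()` in a later hunk) rather than the 1.1 names `EVP_MD_CTX_new()`/`EVP_MD_CTX_free()`; 1.1 only keeps the old names as compatibility macros, and later releases may hide them once deprecated APIs are disabled. Given the commit's stated goal of staying buildable on 1.0.2 that is a reasonable choice, but it deserves a line so the next person does not "modernise" it and break the old build, e.g. `/* EVP_MD_CTX_create/destroy: 1.0.2 names; OpenSSL 1.1 maps them to EVP_MD_CTX_new/free */` above the call. The enclosing function starts and ends outside this hunk.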
@@ -194,7 +198,7 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
 cert->x = x;
 END:
- EVP_MD_CTX_cleanup(&mdCtx);
+ EVP_MD_CTX_destroy(mdCtx);
 return rc;
 }
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index 8ae6640d..055ddbfd 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -166,7 +166,7 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
 int sz;
 /* OBJECT_IDENTIFIER with hash algorithm */
- algorithm = OBJ_nid2obj(md->type);
+ algorithm = OBJ_nid2obj(EVP_MD_type(md));
 if (algorithm == NULL) {
 return NULL;
 }
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index c1bde5de..b7f21a26 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -43,13 +43,31 @@ int key_new(key_t *key)
 static int key_create_rsa(key_t *key)
 {
- RSA *rsa;
+ BIGNUM *e;
+ RSA *rsa = NULL;
- rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL);
+ e = BN_new();
+ if (e == NULL) {
+ printf("Cannot create RSA exponent\n");
+ goto err;
+ }
+
+ if (!BN_set_word(e, RSA_F4)) {
+ printf("Cannot assign RSA exponent\n");
+ goto err;
+ }
+
+ rsa = RSA_new();
 if (rsa == NULL) {
 printf("Cannot create RSA key\n");
 goto err;
 }
+
+ if (!RSA_generate_key_ex(rsa, RSA_KEY_BITS, e, NULL)) {
+ printf("Cannot generate RSA key\n");
+ goto err;
+ }
+
 if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
 printf("Cannot assign RSA key\n");
 goto err;
@@ -58,6 +76,7 @@ static int key_create_rsa(key_t *key)
 return 1;
 err:
 RSA_free(rsa);
+ BN_free(e);
 return 0;
 }
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index df59961b..741242f5 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -244,7 +244,7 @@ PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
 int main(int argc, char *argv[])
 {
 STACK_OF(X509_EXTENSION) * sk;
- X509_EXTENSION *cert_ext;
+ X509_EXTENSION *cert_ext = NULL;
 ext_t *ext;
 key_t *key;
 cert_t *cert;
--
cgit v1.2.3
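Review bot: The exponent BIGNUM `e` created in the key.c -43 hunk is released only on the `err:` path (the `BN_free(e)` added in the following hunk), so every successful key generation leaks it: `RSA_generate_key_ex()` copies the exponent into the RSA object and does not take ownership of `e`, and the success path returns without freeing it. Free it as soon as generation has succeeded — directly after the `RSA_generate_key_ex` block add `BN_free(e);` and `e = NULL;` — which keeps the existing `err:` cleanup valid because BN_free() on NULL is a no-op. Ownership of `rsa` looks right as written: it is freed on `err:` only while `EVP_PKEY_assign_RSA()` has not yet taken it. The function's `return 1;` and `err:` label sit in the next hunk, outside this one.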