Merge pull request #964 from soby-mathew/sm/rsapss_sup
Add support for RSASSAPSS algorithm
This commit is contained in:
commit
47fd7cb0ac
|
@ -16,7 +16,7 @@
|
||||||
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
|
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
|
||||||
#define MBEDTLS_HEAP_SIZE (14*1024)
|
#define MBEDTLS_HEAP_SIZE (14*1024)
|
||||||
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
|
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
|
||||||
#define MBEDTLS_HEAP_SIZE (6*1024)
|
#define MBEDTLS_HEAP_SIZE (7*1024)
|
||||||
#endif
|
#endif
|
||||||
static unsigned char heap[MBEDTLS_HEAP_SIZE];
|
static unsigned char heap[MBEDTLS_HEAP_SIZE];
|
||||||
|
|
||||||
|
|
|
@ -60,7 +60,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
||||||
mbedtls_asn1_buf signature;
|
mbedtls_asn1_buf signature;
|
||||||
mbedtls_md_type_t md_alg;
|
mbedtls_md_type_t md_alg;
|
||||||
mbedtls_pk_type_t pk_alg;
|
mbedtls_pk_type_t pk_alg;
|
||||||
mbedtls_pk_context pk;
|
mbedtls_pk_context pk = {0};
|
||||||
int rc;
|
int rc;
|
||||||
void *sig_opts = NULL;
|
void *sig_opts = NULL;
|
||||||
const mbedtls_md_info_t *md_info;
|
const mbedtls_md_info_t *md_info;
|
||||||
|
@ -76,7 +76,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Get the actual signature algorithm (MD + PK) */
|
/* Get the actual signature algorithm (MD + PK) */
|
||||||
rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
|
rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
return CRYPTO_ERR_SIGNATURE;
|
return CRYPTO_ERR_SIGNATURE;
|
||||||
}
|
}
|
||||||
|
@ -87,7 +87,8 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
||||||
end = (unsigned char *)(p + pk_len);
|
end = (unsigned char *)(p + pk_len);
|
||||||
rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
|
rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
return CRYPTO_ERR_SIGNATURE;
|
rc = CRYPTO_ERR_SIGNATURE;
|
||||||
|
goto end2;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Get the signature (bitstring) */
|
/* Get the signature (bitstring) */
|
||||||
|
@ -97,7 +98,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
||||||
rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
|
rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
rc = CRYPTO_ERR_SIGNATURE;
|
rc = CRYPTO_ERR_SIGNATURE;
|
||||||
goto end;
|
goto end1;
|
||||||
}
|
}
|
||||||
signature.p = p;
|
signature.p = p;
|
||||||
|
|
||||||
|
@ -105,13 +106,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
||||||
md_info = mbedtls_md_info_from_type(md_alg);
|
md_info = mbedtls_md_info_from_type(md_alg);
|
||||||
if (md_info == NULL) {
|
if (md_info == NULL) {
|
||||||
rc = CRYPTO_ERR_SIGNATURE;
|
rc = CRYPTO_ERR_SIGNATURE;
|
||||||
goto end;
|
goto end1;
|
||||||
}
|
}
|
||||||
p = (unsigned char *)data_ptr;
|
p = (unsigned char *)data_ptr;
|
||||||
rc = mbedtls_md(md_info, p, data_len, hash);
|
rc = mbedtls_md(md_info, p, data_len, hash);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
rc = CRYPTO_ERR_SIGNATURE;
|
rc = CRYPTO_ERR_SIGNATURE;
|
||||||
goto end;
|
goto end1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Verify the signature */
|
/* Verify the signature */
|
||||||
|
@ -120,14 +121,16 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
||||||
signature.p, signature.len);
|
signature.p, signature.len);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
rc = CRYPTO_ERR_SIGNATURE;
|
rc = CRYPTO_ERR_SIGNATURE;
|
||||||
goto end;
|
goto end1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Signature verification success */
|
/* Signature verification success */
|
||||||
rc = CRYPTO_SUCCESS;
|
rc = CRYPTO_SUCCESS;
|
||||||
|
|
||||||
end:
|
end1:
|
||||||
mbedtls_pk_free(&pk);
|
mbedtls_pk_free(&pk);
|
||||||
|
end2:
|
||||||
|
mbedtls_free(sig_opts);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -22,12 +22,15 @@
|
||||||
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
|
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
|
||||||
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
|
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
|
||||||
|
|
||||||
|
#if !ERROR_DEPRECATED
|
||||||
#define MBEDTLS_PKCS1_V15
|
#define MBEDTLS_PKCS1_V15
|
||||||
|
#endif
|
||||||
#define MBEDTLS_PKCS1_V21
|
#define MBEDTLS_PKCS1_V21
|
||||||
|
|
||||||
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||||
#define MBEDTLS_X509_CHECK_KEY_USAGE
|
#define MBEDTLS_X509_CHECK_KEY_USAGE
|
||||||
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
|
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
|
||||||
|
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||||
|
|
||||||
#define MBEDTLS_ASN1_PARSE_C
|
#define MBEDTLS_ASN1_PARSE_C
|
||||||
#define MBEDTLS_ASN1_WRITE_C
|
#define MBEDTLS_ASN1_WRITE_C
|
||||||
|
|
|
@ -10,6 +10,7 @@
|
||||||
|
|
||||||
#include <openssl/conf.h>
|
#include <openssl/conf.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/opensslv.h>
|
||||||
#include <openssl/pem.h>
|
#include <openssl/pem.h>
|
||||||
#include <openssl/sha.h>
|
#include <openssl/sha.h>
|
||||||
#include <openssl/x509v3.h>
|
#include <openssl/x509v3.h>
|
||||||
|
@ -27,6 +28,7 @@
|
||||||
#include "sha.h"
|
#include "sha.h"
|
||||||
|
|
||||||
#define SERIAL_RAND_BITS 64
|
#define SERIAL_RAND_BITS 64
|
||||||
|
#define RSA_SALT_LEN 32
|
||||||
|
|
||||||
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
|
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
|
||||||
{
|
{
|
||||||
|
@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
||||||
{
|
{
|
||||||
EVP_PKEY *pkey = keys[cert->key].key;
|
EVP_PKEY *pkey = keys[cert->key].key;
|
||||||
|
@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
||||||
X509_EXTENSION *ex;
|
X509_EXTENSION *ex;
|
||||||
X509_NAME *name;
|
X509_NAME *name;
|
||||||
ASN1_INTEGER *sno;
|
ASN1_INTEGER *sno;
|
||||||
int i, num;
|
int i, num, rc = 0;
|
||||||
|
EVP_MD_CTX mdCtx;
|
||||||
|
EVP_PKEY_CTX *pKeyCtx = NULL;
|
||||||
|
|
||||||
/* Create the certificate structure */
|
/* Create the certificate structure */
|
||||||
x = X509_new();
|
x = X509_new();
|
||||||
|
@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
||||||
issuer = x;
|
issuer = x;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
EVP_MD_CTX_init(&mdCtx);
|
||||||
|
if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
|
||||||
|
ERR_print_errors_fp(stdout);
|
||||||
|
goto END;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
|
||||||
|
ERR_print_errors_fp(stdout);
|
||||||
|
goto END;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
|
||||||
|
ERR_print_errors_fp(stdout);
|
||||||
|
goto END;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
|
||||||
|
ERR_print_errors_fp(stdout);
|
||||||
|
goto END;
|
||||||
|
}
|
||||||
|
|
||||||
/* x509.v3 */
|
/* x509.v3 */
|
||||||
X509_set_version(x, 2);
|
X509_set_version(x, 2);
|
||||||
|
|
||||||
|
@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Sign the certificate with the issuer key */
|
if (!X509_sign_ctx(x, &mdCtx)) {
|
||||||
if (!X509_sign(x, ikey, EVP_sha256())) {
|
|
||||||
ERR_print_errors_fp(stdout);
|
ERR_print_errors_fp(stdout);
|
||||||
return 0;
|
goto END;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* X509 certificate signed successfully */
|
||||||
|
rc = 1;
|
||||||
cert->x = x;
|
cert->x = x;
|
||||||
return 1;
|
|
||||||
|
END:
|
||||||
|
EVP_MD_CTX_cleanup(&mdCtx);
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
int cert_init(void)
|
int cert_init(void)
|
||||||
|
|
Loading…
Reference in New Issue