Merge pull request #1080 from soby-mathew/eb/RSA-PKCS1-5_support_1
Support legacy RSA PKCS#1 v1.5 in cert create
This commit is contained in:
commit
5457874575
|
@ -405,6 +405,13 @@ Common build options
|
|||
AArch64 and facilitates the loading of ``SP_MIN`` and BL33 as AArch32 executable
|
||||
images.
|
||||
|
||||
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
|
||||
used for generating the PKCS keys and subsequent signing of the certificate.
|
||||
It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
|
||||
the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is
|
||||
retained only for compatibility. The default value of this flag is ``rsa``
|
||||
which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
|
||||
|
||||
- ``LDFLAGS``: Extra user options appended to the linkers' command line in
|
||||
addition to the one set by the build system.
|
||||
|
||||
|
|
|
@ -7,9 +7,15 @@
|
|||
include drivers/auth/mbedtls/mbedtls_common.mk
|
||||
|
||||
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
|
||||
# algorithm to use. Default algorithm is RSA.
|
||||
# algorithm to use. If the variable is not defined, select it based on algorithm
|
||||
# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is
|
||||
# defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`.
|
||||
ifeq (${TF_MBEDTLS_KEY_ALG},)
|
||||
TF_MBEDTLS_KEY_ALG := rsa
|
||||
ifeq (${KEY_ALG}, ecdsa)
|
||||
TF_MBEDTLS_KEY_ALG := ecdsa
|
||||
else
|
||||
TF_MBEDTLS_KEY_ALG := rsa
|
||||
endif
|
||||
endif
|
||||
|
||||
# If MBEDTLS_KEY_ALG build flag is defined use it to set TF_MBEDTLS_KEY_ALG for
|
||||
|
|
|
@ -81,6 +81,9 @@ GENERATE_COT := 0
|
|||
# operations.
|
||||
HW_ASSISTED_COHERENCY := 0
|
||||
|
||||
# Set the default algorithm for the generation of Trusted Board Boot keys
|
||||
KEY_ALG := rsa
|
||||
|
||||
# Flag to enable new version of image loading
|
||||
LOAD_IMAGE_V2 := 0
|
||||
|
||||
|
|
|
@ -174,9 +174,6 @@ endif
|
|||
|
||||
ifneq (${TRUSTED_BOARD_BOOT},0)
|
||||
|
||||
# By default, ARM platforms use RSA keys
|
||||
KEY_ALG := rsa
|
||||
|
||||
# Include common TBB sources
|
||||
AUTH_SOURCES := drivers/auth/auth_mod.c \
|
||||
drivers/auth/crypto_mod.c \
|
||||
|
@ -195,8 +192,6 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
|
|||
|
||||
$(eval $(call FWU_FIP_ADD_IMG,NS_BL2U,--fwu))
|
||||
|
||||
TF_MBEDTLS_KEY_ALG := ${KEY_ALG}
|
||||
|
||||
# We expect to locate the *.mk files under the directories specified below
|
||||
ifeq (${ARM_CRYPTOCELL_INTEG},0)
|
||||
CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
|
||||
|
|
|
@ -48,7 +48,7 @@ struct cert_s {
|
|||
int cert_init(void);
|
||||
cert_t *cert_get_by_opt(const char *opt);
|
||||
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
|
||||
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
|
||||
int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
|
||||
|
||||
/* Macro to register the certificates used in the CoT */
|
||||
#define REGISTER_COT(_certs) \
|
||||
|
|
|
@ -22,7 +22,8 @@ enum {
|
|||
|
||||
/* Supported key algorithms */
|
||||
enum {
|
||||
KEY_ALG_RSA,
|
||||
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
|
||||
KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */
|
||||
#ifndef OPENSSL_NO_EC
|
||||
KEY_ALG_ECDSA,
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
|
|
@ -79,7 +79,7 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
|
|||
return 1;
|
||||
}
|
||||
|
||||
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
||||
int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
||||
{
|
||||
EVP_PKEY *pkey = keys[cert->key].key;
|
||||
cert_t *issuer_cert = &certs[cert->issuer];
|
||||
|
@ -90,7 +90,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
|||
X509_NAME *name;
|
||||
ASN1_INTEGER *sno;
|
||||
int i, num, rc = 0;
|
||||
EVP_MD_CTX mdCtx;
|
||||
EVP_MD_CTX mdCtx;
|
||||
EVP_PKEY_CTX *pKeyCtx = NULL;
|
||||
|
||||
/* Create the certificate structure */
|
||||
|
@ -112,24 +112,32 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
|
|||
}
|
||||
|
||||
EVP_MD_CTX_init(&mdCtx);
|
||||
|
||||
/* Sign the certificate with the issuer key */
|
||||
if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
}
|
||||
|
||||
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
}
|
||||
/*
|
||||
* Set additional parameters if algorithm is RSA PSS. This is not
|
||||
* required for RSA 1.5 or ECDSA.
|
||||
*/
|
||||
if (key_alg == KEY_ALG_RSA) {
|
||||
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
}
|
||||
|
||||
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
}
|
||||
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
}
|
||||
|
||||
if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
|
||||
ERR_print_errors_fp(stdout);
|
||||
goto END;
|
||||
}
|
||||
}
|
||||
|
||||
/* x509.v3 */
|
||||
|
|
|
@ -89,6 +89,7 @@ static char *strdup(const char *str)
|
|||
|
||||
static const char *key_algs_str[] = {
|
||||
[KEY_ALG_RSA] = "rsa",
|
||||
[KEY_ALG_RSA_1_5] = "rsa_1_5",
|
||||
#ifndef OPENSSL_NO_EC
|
||||
[KEY_ALG_ECDSA] = "ecdsa"
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
@ -223,7 +224,8 @@ static const cmd_opt_t common_cmd_opt[] = {
|
|||
},
|
||||
{
|
||||
{ "key-alg", required_argument, NULL, 'a' },
|
||||
"Key algorithm: 'rsa' (default), 'ecdsa'"
|
||||
"Key algorithm: 'rsa' (default) - RSAPSS scheme as per \
|
||||
PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
|
||||
},
|
||||
{
|
||||
{ "save-keys", no_argument, NULL, 'k' },
|
||||
|
@ -450,8 +452,8 @@ int main(int argc, char *argv[])
|
|||
sk_X509_EXTENSION_push(sk, cert_ext);
|
||||
}
|
||||
|
||||
/* Create certificate. Signed with ROT key */
|
||||
if (cert->fn && !cert_new(cert, VAL_DAYS, 0, sk)) {
|
||||
/* Create certificate. Signed with corresponding key */
|
||||
if (cert->fn && !cert_new(key_alg, cert, VAL_DAYS, 0, sk)) {
|
||||
ERROR("Cannot create %s\n", cert->cn);
|
||||
exit(1);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue