Remove RSA PKCS#1 v1.5 support from cert_tool
Support for PKCS#1 v1.5 was deprecated in SHA1001202
and fully removed in SHAfe199e3
, however, cert_tool is still able to generate certificates in that form. This patch fully removes the ability for cert_tool to generate these certificates. Additionally, this patch also fixes a bug where the issuing certificate was a RSA and the issued certificate was EcDSA. In this case, the issued certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now that PKCS#1 v1.5 support is removed, all certificates that are signed with RSA now use the more modern padding scheme. Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This commit is contained in:
parent
f29213d9e3
commit
6a415a508e
|
@ -588,10 +588,8 @@ Common build options
|
||||||
|
|
||||||
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
|
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
|
||||||
used for generating the PKCS keys and subsequent signing of the certificate.
|
used for generating the PKCS keys and subsequent signing of the certificate.
|
||||||
It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option
|
It accepts 2 values: ``rsa`` and ``ecdsa``. The default value of this flag
|
||||||
``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR
|
is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
|
||||||
compliant and is retained only for compatibility. The default value of this
|
|
||||||
flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
|
|
||||||
|
|
||||||
- ``KEY_SIZE``: This build flag enables the user to select the key size for
|
- ``KEY_SIZE``: This build flag enables the user to select the key size for
|
||||||
the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
|
the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
|
||||||
|
|
|
@ -48,9 +48,9 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
|
||||||
)
|
)
|
||||||
|
|
||||||
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
|
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
|
||||||
# algorithm to use. If the variable is not defined, select it based on algorithm
|
# algorithm to use. If the variable is not defined, select it based on
|
||||||
# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is
|
# algorithm used for key generation `KEY_ALG`. If `KEY_ALG` is not defined,
|
||||||
# defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`.
|
# then it is set to `rsa`.
|
||||||
ifeq (${TF_MBEDTLS_KEY_ALG},)
|
ifeq (${TF_MBEDTLS_KEY_ALG},)
|
||||||
ifeq (${KEY_ALG}, ecdsa)
|
ifeq (${KEY_ALG}, ecdsa)
|
||||||
TF_MBEDTLS_KEY_ALG := ecdsa
|
TF_MBEDTLS_KEY_ALG := ecdsa
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
|
* Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: BSD-3-Clause
|
* SPDX-License-Identifier: BSD-3-Clause
|
||||||
*/
|
*/
|
||||||
|
@ -49,7 +49,6 @@ int cert_init(void);
|
||||||
cert_t *cert_get_by_opt(const char *opt);
|
cert_t *cert_get_by_opt(const char *opt);
|
||||||
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
|
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
|
||||||
int cert_new(
|
int cert_new(
|
||||||
int key_alg,
|
|
||||||
int md_alg,
|
int md_alg,
|
||||||
cert_t *cert,
|
cert_t *cert,
|
||||||
int days,
|
int days,
|
||||||
|
|
|
@ -21,7 +21,6 @@ enum {
|
||||||
/* Supported key algorithms */
|
/* Supported key algorithms */
|
||||||
enum {
|
enum {
|
||||||
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
|
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
|
||||||
KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */
|
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
KEY_ALG_ECDSA,
|
KEY_ALG_ECDSA,
|
||||||
#endif /* OPENSSL_NO_EC */
|
#endif /* OPENSSL_NO_EC */
|
||||||
|
@ -42,7 +41,6 @@ enum{
|
||||||
/* NOTE: the first item in each array is the default key size */
|
/* NOTE: the first item in each array is the default key size */
|
||||||
static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
|
static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
|
||||||
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
|
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
|
||||||
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA_1_5 */
|
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
{} /* KEY_ALG_ECDSA */
|
{} /* KEY_ALG_ECDSA */
|
||||||
#endif /* OPENSSL_NO_EC */
|
#endif /* OPENSSL_NO_EC */
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
|
* Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: BSD-3-Clause
|
* SPDX-License-Identifier: BSD-3-Clause
|
||||||
*/
|
*/
|
||||||
|
@ -93,7 +93,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
|
||||||
}
|
}
|
||||||
|
|
||||||
int cert_new(
|
int cert_new(
|
||||||
int key_alg,
|
|
||||||
int md_alg,
|
int md_alg,
|
||||||
cert_t *cert,
|
cert_t *cert,
|
||||||
int days,
|
int days,
|
||||||
|
@ -143,10 +142,10 @@ int cert_new(
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Set additional parameters if algorithm is RSA PSS. This is not
|
* Set additional parameters if issuing public key algorithm is RSA.
|
||||||
* required for RSA 1.5 or ECDSA.
|
* This is not required for ECDSA.
|
||||||
*/
|
*/
|
||||||
if (key_alg == KEY_ALG_RSA) {
|
if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) {
|
||||||
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
|
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
|
||||||
ERR_print_errors_fp(stdout);
|
ERR_print_errors_fp(stdout);
|
||||||
goto END;
|
goto END;
|
||||||
|
|
|
@ -112,7 +112,6 @@ err:
|
||||||
typedef int (*key_create_fn_t)(key_t *key, int key_bits);
|
typedef int (*key_create_fn_t)(key_t *key, int key_bits);
|
||||||
static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
|
static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
|
||||||
key_create_rsa, /* KEY_ALG_RSA */
|
key_create_rsa, /* KEY_ALG_RSA */
|
||||||
key_create_rsa, /* KEY_ALG_RSA_1_5 */
|
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
key_create_ecdsa, /* KEY_ALG_ECDSA */
|
key_create_ecdsa, /* KEY_ALG_ECDSA */
|
||||||
#endif /* OPENSSL_NO_EC */
|
#endif /* OPENSSL_NO_EC */
|
||||||
|
|
|
@ -92,7 +92,6 @@ static char *strdup(const char *str)
|
||||||
|
|
||||||
static const char *key_algs_str[] = {
|
static const char *key_algs_str[] = {
|
||||||
[KEY_ALG_RSA] = "rsa",
|
[KEY_ALG_RSA] = "rsa",
|
||||||
[KEY_ALG_RSA_1_5] = "rsa_1_5",
|
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
[KEY_ALG_ECDSA] = "ecdsa"
|
[KEY_ALG_ECDSA] = "ecdsa"
|
||||||
#endif /* OPENSSL_NO_EC */
|
#endif /* OPENSSL_NO_EC */
|
||||||
|
@ -277,8 +276,7 @@ static const cmd_opt_t common_cmd_opt[] = {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
{ "key-alg", required_argument, NULL, 'a' },
|
{ "key-alg", required_argument, NULL, 'a' },
|
||||||
"Key algorithm: 'rsa' (default) - RSAPSS scheme as per \
|
"Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'"
|
||||||
PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
{ "key-size", required_argument, NULL, 'b' },
|
{ "key-size", required_argument, NULL, 'b' },
|
||||||
|
@ -545,7 +543,7 @@ int main(int argc, char *argv[])
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Create certificate. Signed with corresponding key */
|
/* Create certificate. Signed with corresponding key */
|
||||||
if (cert->fn && !cert_new(key_alg, hash_alg, cert, VAL_DAYS, 0, sk)) {
|
if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
|
||||||
ERROR("Cannot create %s\n", cert->cn);
|
ERROR("Cannot create %s\n", cert->cn);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue