github
/
arm-trusted-firmware
mirror of https://github.com/ARM-software/arm-trusted-firmware.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

cert_create: Use RSASSA-PSS signature scheme for certificates 

This patch modifies the `cert_create` tool to use RSASSA-PSS scheme for
signing the certificates. This is compliant with RSA PKCS_2_1 standard as
mandated by TBBR.

Note that the certificates generated by using cert_create tool after this
patch can be authenticated during TBB only if the corresponding mbedtls
driver in ARM Trusted Firmware has the corresponding support.

Change-Id: If224f41c76b3c4765ae2af5259e67f73602818a4
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
pull/964/head
Soby Mathew 8 years ago
parent
1001202d24
commit
1f33ad4e9f
1 changed files with 34 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 40
      tools/cert_create/src/cert.c

40
tools/cert_create/src/cert.c
View File

@ -10,6 +10,7 @@
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include <openssl/pem.h>
#include <openssl/sha.h>
#include <openssl/x509v3.h>
@ -27,6 +28,7 @@
#include "sha.h"
#define SERIAL_RAND_BITS 64
#define RSA_SALT_LEN 32
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
{
@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
return 1;
}
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
{
EVP_PKEY *pkey = keys[cert->key].key;
@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
X509_EXTENSION *ex;
X509_NAME *name;
ASN1_INTEGER *sno;
int i, num;
int i, num, rc = 0;
EVP_MD_CTX mdCtx;
EVP_PKEY_CTX *pKeyCtx = NULL;
/* Create the certificate structure */
x = X509_new();
@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
issuer = x;
}
EVP_MD_CTX_init(&mdCtx);
if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
ERR_print_errors_fp(stdout);
goto END;
}
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
ERR_print_errors_fp(stdout);
goto END;
}
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
ERR_print_errors_fp(stdout);
goto END;
}
if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
ERR_print_errors_fp(stdout);
goto END;
}
/* x509.v3 */
X509_set_version(x, 2);
@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
}
}
/* Sign the certificate with the issuer key */
if (!X509_sign(x, ikey, EVP_sha256())) {
if (!X509_sign_ctx(x, &mdCtx)) {
ERR_print_errors_fp(stdout);
return 0;
goto END;
}
/* X509 certificate signed successfully */
rc = 1;
cert->x = x;
return 1;
END:
EVP_MD_CTX_cleanup(&mdCtx);
return rc;
}
int cert_init(void)

Write Preview
Loading…
Cancel
Save