Commit 1f33ad4e authored by Soby Mathew's avatar Soby Mathew
Browse files

cert_create: Use RSASSA-PSS signature scheme for certificates



This patch modifies the `cert_create` tool to use RSASSA-PSS scheme for
signing the certificates. This is compliant with RSA PKCS_2_1 standard as
mandated by TBBR.

Note that the certificates generated by using cert_create tool after this
patch can be authenticated during TBB only if the corresponding mbedtls
driver in ARM Trusted Firmware has the corresponding support.

Change-Id: If224f41c76b3c4765ae2af5259e67f73602818a4
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
parent 1001202d
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
#include <openssl/conf.h> #include <openssl/conf.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/opensslv.h>
#include <openssl/pem.h> #include <openssl/pem.h>
#include <openssl/sha.h> #include <openssl/sha.h>
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
...@@ -27,6 +28,7 @@ ...@@ -27,6 +28,7 @@
#include "sha.h" #include "sha.h"
#define SERIAL_RAND_BITS 64 #define SERIAL_RAND_BITS 64
#define RSA_SALT_LEN 32
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
{ {
...@@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) ...@@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
return 1; return 1;
} }
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
{ {
EVP_PKEY *pkey = keys[cert->key].key; EVP_PKEY *pkey = keys[cert->key].key;
...@@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) ...@@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
X509_EXTENSION *ex; X509_EXTENSION *ex;
X509_NAME *name; X509_NAME *name;
ASN1_INTEGER *sno; ASN1_INTEGER *sno;
int i, num; int i, num, rc = 0;
EVP_MD_CTX mdCtx;
EVP_PKEY_CTX *pKeyCtx = NULL;
/* Create the certificate structure */ /* Create the certificate structure */
x = X509_new(); x = X509_new();
...@@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) ...@@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
issuer = x; issuer = x;
} }
EVP_MD_CTX_init(&mdCtx);
if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
ERR_print_errors_fp(stdout);
goto END;
}
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
ERR_print_errors_fp(stdout);
goto END;
}
if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
ERR_print_errors_fp(stdout);
goto END;
}
if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
ERR_print_errors_fp(stdout);
goto END;
}
/* x509.v3 */ /* x509.v3 */
X509_set_version(x, 2); X509_set_version(x, 2);
...@@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) ...@@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
} }
} }
/* Sign the certificate with the issuer key */ if (!X509_sign_ctx(x, &mdCtx)) {
if (!X509_sign(x, ikey, EVP_sha256())) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
return 0; goto END;
} }
/* X509 certificate signed successfully */
rc = 1;
cert->x = x; cert->x = x;
return 1;
END:
EVP_MD_CTX_cleanup(&mdCtx);
return rc;
} }
int cert_init(void) int cert_init(void)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment