Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
Arm Trusted Firmware
Commits
47fd7cb0
Commit
47fd7cb0
authored
Jun 05, 2017
by
danh-arm
Committed by
GitHub
Jun 05, 2017
Browse files
Merge pull request #964 from soby-mathew/sm/rsapss_sup
Add support for RSASSAPSS algorithm
parents
b32e6b2b
1f33ad4e
Changes
4
Show whitespace changes
Inline
Side-by-side
drivers/auth/mbedtls/mbedtls_common.c
View file @
47fd7cb0
...
@@ -16,7 +16,7 @@
...
@@ -16,7 +16,7 @@
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
#define MBEDTLS_HEAP_SIZE (14*1024)
#define MBEDTLS_HEAP_SIZE (14*1024)
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
#define MBEDTLS_HEAP_SIZE (
6
*1024)
#define MBEDTLS_HEAP_SIZE (
7
*1024)
#endif
#endif
static
unsigned
char
heap
[
MBEDTLS_HEAP_SIZE
];
static
unsigned
char
heap
[
MBEDTLS_HEAP_SIZE
];
...
...
drivers/auth/mbedtls/mbedtls_crypto.c
View file @
47fd7cb0
...
@@ -60,7 +60,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
...
@@ -60,7 +60,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
mbedtls_asn1_buf
signature
;
mbedtls_asn1_buf
signature
;
mbedtls_md_type_t
md_alg
;
mbedtls_md_type_t
md_alg
;
mbedtls_pk_type_t
pk_alg
;
mbedtls_pk_type_t
pk_alg
;
mbedtls_pk_context
pk
;
mbedtls_pk_context
pk
=
{
0
}
;
int
rc
;
int
rc
;
void
*
sig_opts
=
NULL
;
void
*
sig_opts
=
NULL
;
const
mbedtls_md_info_t
*
md_info
;
const
mbedtls_md_info_t
*
md_info
;
...
@@ -76,7 +76,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
...
@@ -76,7 +76,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
}
}
/* Get the actual signature algorithm (MD + PK) */
/* Get the actual signature algorithm (MD + PK) */
rc
=
mbedtls_
oid
_get_sig_alg
(
&
sig_oid
,
&
md_alg
,
&
pk_alg
);
rc
=
mbedtls_
x509
_get_sig_alg
(
&
sig_oid
,
&
sig_params
,
&
md_alg
,
&
pk_alg
,
&
sig_opts
);
if
(
rc
!=
0
)
{
if
(
rc
!=
0
)
{
return
CRYPTO_ERR_SIGNATURE
;
return
CRYPTO_ERR_SIGNATURE
;
}
}
...
@@ -87,7 +87,8 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
...
@@ -87,7 +87,8 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
end
=
(
unsigned
char
*
)(
p
+
pk_len
);
end
=
(
unsigned
char
*
)(
p
+
pk_len
);
rc
=
mbedtls_pk_parse_subpubkey
(
&
p
,
end
,
&
pk
);
rc
=
mbedtls_pk_parse_subpubkey
(
&
p
,
end
,
&
pk
);
if
(
rc
!=
0
)
{
if
(
rc
!=
0
)
{
return
CRYPTO_ERR_SIGNATURE
;
rc
=
CRYPTO_ERR_SIGNATURE
;
goto
end2
;
}
}
/* Get the signature (bitstring) */
/* Get the signature (bitstring) */
...
@@ -97,7 +98,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
...
@@ -97,7 +98,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
rc
=
mbedtls_asn1_get_bitstring_null
(
&
p
,
end
,
&
signature
.
len
);
rc
=
mbedtls_asn1_get_bitstring_null
(
&
p
,
end
,
&
signature
.
len
);
if
(
rc
!=
0
)
{
if
(
rc
!=
0
)
{
rc
=
CRYPTO_ERR_SIGNATURE
;
rc
=
CRYPTO_ERR_SIGNATURE
;
goto
end
;
goto
end
1
;
}
}
signature
.
p
=
p
;
signature
.
p
=
p
;
...
@@ -105,13 +106,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
...
@@ -105,13 +106,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
md_info
=
mbedtls_md_info_from_type
(
md_alg
);
md_info
=
mbedtls_md_info_from_type
(
md_alg
);
if
(
md_info
==
NULL
)
{
if
(
md_info
==
NULL
)
{
rc
=
CRYPTO_ERR_SIGNATURE
;
rc
=
CRYPTO_ERR_SIGNATURE
;
goto
end
;
goto
end
1
;
}
}
p
=
(
unsigned
char
*
)
data_ptr
;
p
=
(
unsigned
char
*
)
data_ptr
;
rc
=
mbedtls_md
(
md_info
,
p
,
data_len
,
hash
);
rc
=
mbedtls_md
(
md_info
,
p
,
data_len
,
hash
);
if
(
rc
!=
0
)
{
if
(
rc
!=
0
)
{
rc
=
CRYPTO_ERR_SIGNATURE
;
rc
=
CRYPTO_ERR_SIGNATURE
;
goto
end
;
goto
end
1
;
}
}
/* Verify the signature */
/* Verify the signature */
...
@@ -120,14 +121,16 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
...
@@ -120,14 +121,16 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
signature
.
p
,
signature
.
len
);
signature
.
p
,
signature
.
len
);
if
(
rc
!=
0
)
{
if
(
rc
!=
0
)
{
rc
=
CRYPTO_ERR_SIGNATURE
;
rc
=
CRYPTO_ERR_SIGNATURE
;
goto
end
;
goto
end
1
;
}
}
/* Signature verification success */
/* Signature verification success */
rc
=
CRYPTO_SUCCESS
;
rc
=
CRYPTO_SUCCESS
;
end:
end
1
:
mbedtls_pk_free
(
&
pk
);
mbedtls_pk_free
(
&
pk
);
end2:
mbedtls_free
(
sig_opts
);
return
rc
;
return
rc
;
}
}
...
...
include/drivers/auth/mbedtls/mbedtls_config.h
View file @
47fd7cb0
...
@@ -22,12 +22,15 @@
...
@@ -22,12 +22,15 @@
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
#if !ERROR_DEPRECATED
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V15
#endif
#define MBEDTLS_PKCS1_V21
#define MBEDTLS_PKCS1_V21
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ASN1_WRITE_C
...
...
tools/cert_create/src/cert.c
View file @
47fd7cb0
...
@@ -10,6 +10,7 @@
...
@@ -10,6 +10,7 @@
#include <openssl/conf.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include <openssl/pem.h>
#include <openssl/pem.h>
#include <openssl/sha.h>
#include <openssl/sha.h>
#include <openssl/x509v3.h>
#include <openssl/x509v3.h>
...
@@ -27,6 +28,7 @@
...
@@ -27,6 +28,7 @@
#include "sha.h"
#include "sha.h"
#define SERIAL_RAND_BITS 64
#define SERIAL_RAND_BITS 64
#define RSA_SALT_LEN 32
int
rand_serial
(
BIGNUM
*
b
,
ASN1_INTEGER
*
ai
)
int
rand_serial
(
BIGNUM
*
b
,
ASN1_INTEGER
*
ai
)
{
{
...
@@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
...
@@ -77,7 +79,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
return
1
;
return
1
;
}
}
int
cert_new
(
cert_t
*
cert
,
int
days
,
int
ca
,
STACK_OF
(
X509_EXTENSION
)
*
sk
)
int
cert_new
(
cert_t
*
cert
,
int
days
,
int
ca
,
STACK_OF
(
X509_EXTENSION
)
*
sk
)
{
{
EVP_PKEY
*
pkey
=
keys
[
cert
->
key
].
key
;
EVP_PKEY
*
pkey
=
keys
[
cert
->
key
].
key
;
...
@@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
...
@@ -88,7 +89,9 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
X509_EXTENSION
*
ex
;
X509_EXTENSION
*
ex
;
X509_NAME
*
name
;
X509_NAME
*
name
;
ASN1_INTEGER
*
sno
;
ASN1_INTEGER
*
sno
;
int
i
,
num
;
int
i
,
num
,
rc
=
0
;
EVP_MD_CTX
mdCtx
;
EVP_PKEY_CTX
*
pKeyCtx
=
NULL
;
/* Create the certificate structure */
/* Create the certificate structure */
x
=
X509_new
();
x
=
X509_new
();
...
@@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
...
@@ -108,6 +111,27 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
issuer
=
x
;
issuer
=
x
;
}
}
EVP_MD_CTX_init
(
&
mdCtx
);
if
(
!
EVP_DigestSignInit
(
&
mdCtx
,
&
pKeyCtx
,
EVP_sha256
(),
NULL
,
ikey
))
{
ERR_print_errors_fp
(
stdout
);
goto
END
;
}
if
(
!
EVP_PKEY_CTX_set_rsa_padding
(
pKeyCtx
,
RSA_PKCS1_PSS_PADDING
))
{
ERR_print_errors_fp
(
stdout
);
goto
END
;
}
if
(
!
EVP_PKEY_CTX_set_rsa_pss_saltlen
(
pKeyCtx
,
RSA_SALT_LEN
))
{
ERR_print_errors_fp
(
stdout
);
goto
END
;
}
if
(
!
EVP_PKEY_CTX_set_rsa_mgf1_md
(
pKeyCtx
,
EVP_sha256
()))
{
ERR_print_errors_fp
(
stdout
);
goto
END
;
}
/* x509.v3 */
/* x509.v3 */
X509_set_version
(
x
,
2
);
X509_set_version
(
x
,
2
);
...
@@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
...
@@ -152,14 +176,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
}
}
}
}
/* Sign the certificate with the issuer key */
if
(
!
X509_sign_ctx
(
x
,
&
mdCtx
))
{
if
(
!
X509_sign
(
x
,
ikey
,
EVP_sha256
()))
{
ERR_print_errors_fp
(
stdout
);
ERR_print_errors_fp
(
stdout
);
return
0
;
goto
END
;
}
}
/* X509 certificate signed successfully */
rc
=
1
;
cert
->
x
=
x
;
cert
->
x
=
x
;
return
1
;
END:
EVP_MD_CTX_cleanup
(
&
mdCtx
);
return
rc
;
}
}
int
cert_init
(
void
)
int
cert_init
(
void
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment