Commit 6a415a50 authored by Justin Chadwell's avatar Justin Chadwell
Browse files

Remove RSA PKCS#1 v1.5 support from cert_tool

Support for PKCS#1 v1.5 was deprecated in SHA 1001202d and fully removed
in SHA fe199e3b

, however, cert_tool is still able to generate
certificates in that form. This patch fully removes the ability for
cert_tool to generate these certificates.

Additionally, this patch also fixes a bug where the issuing certificate
was a RSA and the issued certificate was EcDSA. In this case, the issued
certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
that PKCS#1 v1.5 support is removed, all certificates that are signed
with RSA now use the more modern padding scheme.

Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
parent f29213d9
...@@ -588,10 +588,8 @@ Common build options ...@@ -588,10 +588,8 @@ Common build options
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be - ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate. used for generating the PKCS keys and subsequent signing of the certificate.
It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option It accepts 2 values: ``rsa`` and ``ecdsa``. The default value of this flag
``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
compliant and is retained only for compatibility. The default value of this
flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
- ``KEY_SIZE``: This build flag enables the user to select the key size for - ``KEY_SIZE``: This build flag enables the user to select the key size for
the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE`` the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
......
...@@ -48,9 +48,9 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \ ...@@ -48,9 +48,9 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
) )
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
# algorithm to use. If the variable is not defined, select it based on algorithm # algorithm to use. If the variable is not defined, select it based on
# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is # algorithm used for key generation `KEY_ALG`. If `KEY_ALG` is not defined,
# defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`. # then it is set to `rsa`.
ifeq (${TF_MBEDTLS_KEY_ALG},) ifeq (${TF_MBEDTLS_KEY_ALG},)
ifeq (${KEY_ALG}, ecdsa) ifeq (${KEY_ALG}, ecdsa)
TF_MBEDTLS_KEY_ALG := ecdsa TF_MBEDTLS_KEY_ALG := ecdsa
......
/* /*
* Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
...@@ -49,7 +49,6 @@ int cert_init(void); ...@@ -49,7 +49,6 @@ int cert_init(void);
cert_t *cert_get_by_opt(const char *opt); cert_t *cert_get_by_opt(const char *opt);
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
int cert_new( int cert_new(
int key_alg,
int md_alg, int md_alg,
cert_t *cert, cert_t *cert,
int days, int days,
......
...@@ -21,7 +21,6 @@ enum { ...@@ -21,7 +21,6 @@ enum {
/* Supported key algorithms */ /* Supported key algorithms */
enum { enum {
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */ KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
KEY_ALG_ECDSA, KEY_ALG_ECDSA,
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
...@@ -42,7 +41,6 @@ enum{ ...@@ -42,7 +41,6 @@ enum{
/* NOTE: the first item in each array is the default key size */ /* NOTE: the first item in each array is the default key size */
static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = { static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */ { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA_1_5 */
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
{} /* KEY_ALG_ECDSA */ {} /* KEY_ALG_ECDSA */
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
......
/* /*
* Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
...@@ -93,7 +93,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) ...@@ -93,7 +93,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
} }
int cert_new( int cert_new(
int key_alg,
int md_alg, int md_alg,
cert_t *cert, cert_t *cert,
int days, int days,
...@@ -143,10 +142,10 @@ int cert_new( ...@@ -143,10 +142,10 @@ int cert_new(
} }
/* /*
* Set additional parameters if algorithm is RSA PSS. This is not * Set additional parameters if issuing public key algorithm is RSA.
* required for RSA 1.5 or ECDSA. * This is not required for ECDSA.
*/ */
if (key_alg == KEY_ALG_RSA) { if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) {
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
goto END; goto END;
......
...@@ -112,7 +112,6 @@ err: ...@@ -112,7 +112,6 @@ err:
typedef int (*key_create_fn_t)(key_t *key, int key_bits); typedef int (*key_create_fn_t)(key_t *key, int key_bits);
static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = { static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
key_create_rsa, /* KEY_ALG_RSA */ key_create_rsa, /* KEY_ALG_RSA */
key_create_rsa, /* KEY_ALG_RSA_1_5 */
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
key_create_ecdsa, /* KEY_ALG_ECDSA */ key_create_ecdsa, /* KEY_ALG_ECDSA */
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
......
...@@ -92,7 +92,6 @@ static char *strdup(const char *str) ...@@ -92,7 +92,6 @@ static char *strdup(const char *str)
static const char *key_algs_str[] = { static const char *key_algs_str[] = {
[KEY_ALG_RSA] = "rsa", [KEY_ALG_RSA] = "rsa",
[KEY_ALG_RSA_1_5] = "rsa_1_5",
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
[KEY_ALG_ECDSA] = "ecdsa" [KEY_ALG_ECDSA] = "ecdsa"
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
...@@ -277,8 +276,7 @@ static const cmd_opt_t common_cmd_opt[] = { ...@@ -277,8 +276,7 @@ static const cmd_opt_t common_cmd_opt[] = {
}, },
{ {
{ "key-alg", required_argument, NULL, 'a' }, { "key-alg", required_argument, NULL, 'a' },
"Key algorithm: 'rsa' (default) - RSAPSS scheme as per \ "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'"
PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
}, },
{ {
{ "key-size", required_argument, NULL, 'b' }, { "key-size", required_argument, NULL, 'b' },
...@@ -545,7 +543,7 @@ int main(int argc, char *argv[]) ...@@ -545,7 +543,7 @@ int main(int argc, char *argv[])
} }
/* Create certificate. Signed with corresponding key */ /* Create certificate. Signed with corresponding key */
if (cert->fn && !cert_new(key_alg, hash_alg, cert, VAL_DAYS, 0, sk)) { if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", cert->cn); ERROR("Cannot create %s\n", cert->cn);
exit(1); exit(1);
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment