Commit a8eb286a authored by Soby Mathew's avatar Soby Mathew
Browse files

cert_tool: Support for legacy RSA PKCS#1 v1.5



This patch enables choice of RSA version at run time to be used for
generating signatures by the cert_tool. The RSA PSS as defined in
PKCS#1 v2.1 becomes the default version and this patch enables to specify
the RSA PKCS#1 v1.5 algorithm to `cert_create` through the command line
-a option. Also, the build option `KEY_ALG` can be used to pass this
option from the build system. Please note that RSA PSS is mandated
by Trusted Board Boot requirements (TBBR) and legacy RSA support is
being added for compatibility reasons.

Fixes ARM-Software/tf-issues#499
Change-Id: Ifaa3f2f7c9b43f3d7b3effe2cde76bf6745a5d73
Co-Authored-By: default avatarEleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
parent 2091755c
...@@ -407,8 +407,10 @@ Common build options ...@@ -407,8 +407,10 @@ Common build options
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be - ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate. used for generating the PKCS keys and subsequent signing of the certificate.
It accepts 2 values viz ``rsa``, ``ecdsa``. The default value of this flag It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
is ``rsa``. the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is
retained only for compatibility. The default value of this flag is ``rsa``
which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
- ``LDFLAGS``: Extra user options appended to the linkers' command line in - ``LDFLAGS``: Extra user options appended to the linkers' command line in
addition to the one set by the build system. addition to the one set by the build system.
......
...@@ -9,7 +9,7 @@ include drivers/auth/mbedtls/mbedtls_common.mk ...@@ -9,7 +9,7 @@ include drivers/auth/mbedtls/mbedtls_common.mk
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
# algorithm to use. If the variable is not defined, select it based on algorithm # algorithm to use. If the variable is not defined, select it based on algorithm
# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is # used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is
# defined to `rsa`, then set the variable to `rsa`. # defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`.
ifeq (${TF_MBEDTLS_KEY_ALG},) ifeq (${TF_MBEDTLS_KEY_ALG},)
ifeq (${KEY_ALG}, ecdsa) ifeq (${KEY_ALG}, ecdsa)
TF_MBEDTLS_KEY_ALG := ecdsa TF_MBEDTLS_KEY_ALG := ecdsa
......
...@@ -48,7 +48,7 @@ struct cert_s { ...@@ -48,7 +48,7 @@ struct cert_s {
int cert_init(void); int cert_init(void);
cert_t *cert_get_by_opt(const char *opt); cert_t *cert_get_by_opt(const char *opt);
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk); int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
/* Macro to register the certificates used in the CoT */ /* Macro to register the certificates used in the CoT */
#define REGISTER_COT(_certs) \ #define REGISTER_COT(_certs) \
......
...@@ -22,7 +22,8 @@ enum { ...@@ -22,7 +22,8 @@ enum {
/* Supported key algorithms */ /* Supported key algorithms */
enum { enum {
KEY_ALG_RSA, KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
KEY_ALG_ECDSA, KEY_ALG_ECDSA,
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
......
...@@ -79,7 +79,7 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value) ...@@ -79,7 +79,7 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
return 1; return 1;
} }
int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
{ {
EVP_PKEY *pkey = keys[cert->key].key; EVP_PKEY *pkey = keys[cert->key].key;
cert_t *issuer_cert = &certs[cert->issuer]; cert_t *issuer_cert = &certs[cert->issuer];
...@@ -112,11 +112,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) ...@@ -112,11 +112,18 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
} }
EVP_MD_CTX_init(&mdCtx); EVP_MD_CTX_init(&mdCtx);
/* Sign the certificate with the issuer key */
if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) { if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
goto END; goto END;
} }
/*
* Set additional parameters if algorithm is RSA PSS. This is not
* required for RSA 1.5 or ECDSA.
*/
if (key_alg == KEY_ALG_RSA) {
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
goto END; goto END;
...@@ -131,6 +138,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) ...@@ -131,6 +138,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
goto END; goto END;
} }
}
/* x509.v3 */ /* x509.v3 */
X509_set_version(x, 2); X509_set_version(x, 2);
......
...@@ -89,6 +89,7 @@ static char *strdup(const char *str) ...@@ -89,6 +89,7 @@ static char *strdup(const char *str)
static const char *key_algs_str[] = { static const char *key_algs_str[] = {
[KEY_ALG_RSA] = "rsa", [KEY_ALG_RSA] = "rsa",
[KEY_ALG_RSA_1_5] = "rsa_1_5",
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
[KEY_ALG_ECDSA] = "ecdsa" [KEY_ALG_ECDSA] = "ecdsa"
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
...@@ -223,7 +224,8 @@ static const cmd_opt_t common_cmd_opt[] = { ...@@ -223,7 +224,8 @@ static const cmd_opt_t common_cmd_opt[] = {
}, },
{ {
{ "key-alg", required_argument, NULL, 'a' }, { "key-alg", required_argument, NULL, 'a' },
"Key algorithm: 'rsa' (default), 'ecdsa'" "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \
PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
}, },
{ {
{ "save-keys", no_argument, NULL, 'k' }, { "save-keys", no_argument, NULL, 'k' },
...@@ -450,8 +452,8 @@ int main(int argc, char *argv[]) ...@@ -450,8 +452,8 @@ int main(int argc, char *argv[])
sk_X509_EXTENSION_push(sk, cert_ext); sk_X509_EXTENSION_push(sk, cert_ext);
} }
/* Create certificate. Signed with ROT key */ /* Create certificate. Signed with corresponding key */
if (cert->fn && !cert_new(cert, VAL_DAYS, 0, sk)) { if (cert->fn && !cert_new(key_alg, cert, VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", cert->cn); ERROR("Cannot create %s\n", cert->cn);
exit(1); exit(1);
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment