Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
Arm Trusted Firmware
Commits
b5b12347
Commit
b5b12347
authored
Mar 06, 2015
by
danh-arm
Browse files
Merge pull request #260 from jcastillo-arm/jc/tbb_sha256
TBB: use SHA256 to generate the certificate signatures
parents
5930eadb
ea4ec3aa
Changes
2
Hide whitespace changes
Inline
Side-by-side
docs/trusted-board-boot.md
View file @
b5b12347
...
@@ -44,10 +44,9 @@ essential information to establish the CoT.
...
@@ -44,10 +44,9 @@ essential information to establish the CoT.
In the TBB CoT all certificates are self-signed. There is no need for a
In the TBB CoT all certificates are self-signed. There is no need for a
Certificate Authority (CA) because the CoT is not established by verifying the
Certificate Authority (CA) because the CoT is not established by verifying the
validity of a certificate's issuer but by the content of the certificate
validity of a certificate's issuer but by the content of the certificate
extensions. To sign the certificates, the PKCS#1 SHA-
1
with RSA Encryption
extensions. To sign the certificates, the PKCS#1 SHA-
256
with RSA Encryption
signature scheme is used with a RSA key length of 2048 bits. Future version of
signature scheme is used with a RSA key length of 2048 bits. Future version of
Trusted Firmware will replace SHA-1 usage with SHA-256 and support additional
Trusted Firmware will support additional cryptographic algorithms.
cryptographic algorithms.
The certificates are categorised as "Key" and "Content" certificates. Key
The certificates are categorised as "Key" and "Content" certificates. Key
certificates are used to verify public keys which have been used to sign content
certificates are used to verify public keys which have been used to sign content
...
@@ -218,7 +217,7 @@ corresponding certificates or images at each step in the Trusted Board Boot
...
@@ -218,7 +217,7 @@ corresponding certificates or images at each step in the Trusted Board Boot
sequence. The module relies on the PolarSSL library (v1.3.9) to perform the
sequence. The module relies on the PolarSSL library (v1.3.9) to perform the
following operations:
following operations:
*
Parsing X.509 certificates and verifying them using SHA-
1
with RSA
*
Parsing X.509 certificates and verifying them using SHA-
256
with RSA
Encryption.
Encryption.
*
Extracting public keys and hashes from the certificates.
*
Extracting public keys and hashes from the certificates.
*
Generating hashes (SHA-256) of boot loader images
*
Generating hashes (SHA-256) of boot loader images
...
...
tools/cert_create/src/cert.c
View file @
b5b12347
...
@@ -170,7 +170,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
...
@@ -170,7 +170,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
}
}
/* Sign the certificate with the issuer key */
/* Sign the certificate with the issuer key */
if
(
!
X509_sign
(
x
,
ikey
,
EVP_sha
1
()))
{
if
(
!
X509_sign
(
x
,
ikey
,
EVP_sha
256
()))
{
ERR_print_errors_fp
(
stdout
);
ERR_print_errors_fp
(
stdout
);
return
0
;
return
0
;
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment