Commit b5b12347 authored by danh-arm's avatar danh-arm
Browse files

Merge pull request #260 from jcastillo-arm/jc/tbb_sha256

TBB: use SHA256 to generate the certificate signatures
parents 5930eadb ea4ec3aa
...@@ -44,10 +44,9 @@ essential information to establish the CoT. ...@@ -44,10 +44,9 @@ essential information to establish the CoT.
In the TBB CoT all certificates are self-signed. There is no need for a In the TBB CoT all certificates are self-signed. There is no need for a
Certificate Authority (CA) because the CoT is not established by verifying the Certificate Authority (CA) because the CoT is not established by verifying the
validity of a certificate's issuer but by the content of the certificate validity of a certificate's issuer but by the content of the certificate
extensions. To sign the certificates, the PKCS#1 SHA-1 with RSA Encryption extensions. To sign the certificates, the PKCS#1 SHA-256 with RSA Encryption
signature scheme is used with a RSA key length of 2048 bits. Future version of signature scheme is used with a RSA key length of 2048 bits. Future version of
Trusted Firmware will replace SHA-1 usage with SHA-256 and support additional Trusted Firmware will support additional cryptographic algorithms.
cryptographic algorithms.
The certificates are categorised as "Key" and "Content" certificates. Key The certificates are categorised as "Key" and "Content" certificates. Key
certificates are used to verify public keys which have been used to sign content certificates are used to verify public keys which have been used to sign content
...@@ -218,7 +217,7 @@ corresponding certificates or images at each step in the Trusted Board Boot ...@@ -218,7 +217,7 @@ corresponding certificates or images at each step in the Trusted Board Boot
sequence. The module relies on the PolarSSL library (v1.3.9) to perform the sequence. The module relies on the PolarSSL library (v1.3.9) to perform the
following operations: following operations:
* Parsing X.509 certificates and verifying them using SHA-1 with RSA * Parsing X.509 certificates and verifying them using SHA-256 with RSA
Encryption. Encryption.
* Extracting public keys and hashes from the certificates. * Extracting public keys and hashes from the certificates.
* Generating hashes (SHA-256) of boot loader images * Generating hashes (SHA-256) of boot loader images
......
...@@ -170,7 +170,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk) ...@@ -170,7 +170,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
} }
/* Sign the certificate with the issuer key */ /* Sign the certificate with the issuer key */
if (!X509_sign(x, ikey, EVP_sha1())) { if (!X509_sign(x, ikey, EVP_sha256())) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
return 0; return 0;
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment