1. 12 Sep, 2019 2 commits
    • Justin Chadwell's avatar
      Remove RSA PKCS#1 v1.5 support from cert_tool · 6a415a50
      Justin Chadwell authored
      Support for PKCS#1 v1.5 was deprecated in SHA 1001202d and fully removed
      in SHA fe199e3b
      
      , however, cert_tool is still able to generate
      certificates in that form. This patch fully removes the ability for
      cert_tool to generate these certificates.
      
      Additionally, this patch also fixes a bug where the issuing certificate
      was a RSA and the issued certificate was EcDSA. In this case, the issued
      certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
      PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
      that PKCS#1 v1.5 support is removed, all certificates that are signed
      with RSA now use the more modern padding scheme.
      
      Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      6a415a50
    • Justin Chadwell's avatar
      Add cert_create tool support for RSA key sizes · dfe0f4c2
      Justin Chadwell authored
      
      
      cert_tool is now able to accept a command line option for specifying the
      key size. It now supports the following options: 1024, 2048 (default),
      3072 and 4096. This is also modifiable by TFA using the build flag
      KEY_SIZE.
      
      Change-Id: Ifadecf84ade3763249ee8cc7123a8178f606f0e5
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      dfe0f4c2
  2. 16 Aug, 2019 1 commit
  3. 09 Oct, 2017 1 commit
    • Qixiang Xu's avatar
      cert_tool: Fix ECDSA certificates create failure · 1727de0e
      Qixiang Xu authored
      Commit a8eb286a
      
       introduced the
      following error when creating ECDSA certificates.
          ERROR:   Error creating key 'Trusted World key'
          Makefile:634: recipe for target 'certificates' failed
          make: *** [certificates] Error 1
      
      this patch adds the function to create PKCS#1 v1.5.
      
      Change-Id: Ief96d55969d5e9877aeb528c6bb503b560563537
      Signed-off-by: default avatarQixiang Xu <qixiang.xu@arm.com>
      1727de0e
  4. 08 Oct, 2017 1 commit
  5. 23 May, 2017 1 commit
    • Masahiro Yamada's avatar
      cert: move platform_oid.h to include/tools_share for all platforms · bb41eb7a
      Masahiro Yamada authored
      
      
      Platforms aligned with TBBR are supposed to use their own OIDs, but
      defining the same macros with different OIDs does not provide any
      value (at least technically).
      
      For easier use of TBBR, this commit allows platforms to reuse the OIDs
      obtained by ARM Ltd.  This will be useful for non-ARM vendors that
      do not need their own extension fields in their certificate files.
      
      The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h
      
      Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
      defining USE_TBBR_DEFS as 1.  USE_TBBR_DEFS is 0 by default to keep the
      backward compatibility.
      
      For clarification, I inserted a blank line between headers from the
      include/ directory (#include <...>) and ones from a local directory
      (#include "..." ).
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      bb41eb7a
  6. 03 May, 2017 1 commit
  7. 11 Feb, 2017 2 commits
    • Masahiro Yamada's avatar
      cert_create: remove unneeded initializers · c893c733
      Masahiro Yamada authored
      
      
      These variables store return values of functions.  Remove all of
      meaningless initializers.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      c893c733
    • Masahiro Yamada's avatar
      cert_create: fix memory leak bug caused by key container overwrite · 762f1ebe
      Masahiro Yamada authored
      
      
      In the current code, both key_load() and key_create() call key_new()
      to allocate a key container (and they do not free it even if they
      fail).  If a specific key is not given by the command option,
      key_load() fails, then key_create() is called.  At this point, the
      key container that has been allocated in key_load() is still alive,
      and it is overwritten by a new key container created by key_create().
      
      Move the key_new() call to the main() function to make sure it is
      called just once for each descriptor.
      
      While we are here, let's fix one more bug; the error handling code
        ERROR("Malloc error while loading '%s'\n", keys[i].fn);
      is wrong because keys[i].fn is NULL pointer unless a specific key is
      given by the command option.  This code could be run in either case.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      762f1ebe
  8. 07 Jan, 2016 1 commit
    • Juan Castillo's avatar
      cert_create: update help message · 159807e2
      Juan Castillo authored
      The help message printed by the cert_create tool using the command
      line option -h (or --help) does not correctly list all the available
      command line options.
      
      This patch reworks the print_help() function to print the help
      messages in a data driven approach. For each command line option
      registered, an optional help message can be specified, which will
      be printed by print_help().
      
      Help messages for the TBBR options (certificates, keys and images)
      are also provided.
      
      Fix a small bug in the short options string passed to getopt_long:
      the ':' was missing in the '-a' option (this option must take an
      argument).
      
      Fixes ARM-software/tf-issues#337
      
      Change-Id: I9d08c2dfd349022808fcc884724f677eefdc1452
      159807e2
  9. 23 Oct, 2015 1 commit
    • Juan Castillo's avatar
      cert_create: specify command line options in the CoT · ad2c1a9a
      Juan Castillo authored
      This patch introduces a new API that allows to specify command
      line options in the Chain of Trust description. These command line
      options may be used to specify parameters related to the CoT (i.e.
      keys or certificates), instead of keeping a hardcoded list of
      options in main.c.
      
      Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
      ad2c1a9a
  10. 01 Jul, 2015 1 commit
    • Juan Castillo's avatar
      TBB: build 'cert_create' with ECDSA only if OpenSSL supports it · ed2a76ea
      Juan Castillo authored
      Some Linux distributions include an OpenSSL library which has been
      built without ECDSA support. Trying to build the certificate
      generation tool on those distributions will result in a build error.
      
      This patch fixes that issue by including ECDSA support only if
      OpenSSL has been built with ECDSA. In that case, the OpenSSL
      configuration file does not define the OPENSSL_NO_EC macro. The tool
      will build successfully, although the resulting binary will not
      support ECDSA keys.
      
      Change-Id: I4627d1abd19eef7ad3251997d8218599187eb902
      ed2a76ea
  11. 25 Jun, 2015 1 commit
    • Juan Castillo's avatar
      TBB: add ECDSA support to the certificate generation tool · ccbf890e
      Juan Castillo authored
      This patch extends the 'cert_create' tool to support ECDSA keys
      to sign the certificates. The '--key-alg' command line option
      can be used to specify the key algorithm when invoking the tool.
      Available options are:
      
          * 'rsa': create RSA-2048 keys (default option)
          * 'ecdsa': create ECDSA-SECP256R1 keys
      
      The TF Makefile has been updated to allow the platform to specify
      the key algorithm by declaring the 'KEY_ALG' variable in the
      platform makefile.
      
      The behaviour regarding key management has changed. After applying
      this patch, the tool will try first to open the keys from disk. If
      one key does not exist or no key is specified, and the command line
      option to create keys has been specified, new keys will be created.
      Otherwise an error will be generated and the tool will exit. This
      way, the user may specify certain keys while the tool will create
      the remaining ones. This feature is useful for testing purposes
      and CI infrastructures.
      
      The OpenSSL directory may be specified using the build option
      'OPENSSL_DIR' when building the certificate generation tool.
      Default is '/usr'.
      
      Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
      ccbf890e
  12. 28 Jan, 2015 1 commit
    • Juan Castillo's avatar
      TBB: add tool to generate certificates · 6f971622
      Juan Castillo authored
      This patch adds a tool that generates all the necessary elements
      to establish the chain of trust (CoT) between the images.
      
      The tool reads the binary images and signing keys and outputs the
      corresponding certificates that will be used by the target at run
      time to verify the authenticity of the images.
      
      Note: the platform port must provide the file platform_oid.h. This
      file will define the OIDs of the x509 extensions that will be added
      to the certificates in order to establish the CoT.
      
      Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
      6f971622