aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/user-guide.rst6
-rw-r--r--drivers/auth/mbedtls/mbedtls_crypto.mk2
-rw-r--r--tools/cert_create/include/cert.h2
-rw-r--r--tools/cert_create/include/key.h3
-rw-r--r--tools/cert_create/src/cert.c34
-rw-r--r--tools/cert_create/src/main.c8
6 files changed, 34 insertions, 21 deletions
diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index 1502c8c105..1181495cfc 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -407,8 +407,10 @@ Common build options
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate.
- It accepts 2 values viz ``rsa``, ``ecdsa``. The default value of this flag
- is ``rsa``.
+ It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
+ the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is
+ retained only for compatibility. The default value of this flag is ``rsa``
+ which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
- ``LDFLAGS``: Extra user options appended to the linkers' command line in
addition to the one set by the build system.
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.mk b/drivers/auth/mbedtls/mbedtls_crypto.mk
index 38197164c9..21b857bffe 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.mk
+++ b/drivers/auth/mbedtls/mbedtls_crypto.mk
@@ -9,7 +9,7 @@ include drivers/auth/mbedtls/mbedtls_common.mk
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
# algorithm to use. If the variable is not defined, select it based on algorithm
# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is
-# defined to `rsa`, then set the variable to `rsa`.
+# defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`.
ifeq (${TF_MBEDTLS_KEY_ALG},)
ifeq (${KEY_ALG}, ecdsa)
TF_MBEDTLS_KEY_ALG := ecdsa
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 543f12233a..256e7afd25 100644
--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@@ -48,7 +48,7 @@ struct cert_s {
int cert_init(void);
cert_t *cert_get_by_opt(const char *opt);
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
-int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
+int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk);
/* Macro to register the certificates used in the CoT */
#define REGISTER_COT(_certs) \
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 4b9e88258c..304fa6154f 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -22,7 +22,8 @@ enum {
/* Supported key algorithms */
enum {
- KEY_ALG_RSA,
+ KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
+ KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */
#ifndef OPENSSL_NO_EC
KEY_ALG_ECDSA,
#endif /* OPENSSL_NO_EC */
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 9775664a38..1b84e36d35 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -79,7 +79,7 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
return 1;
}
-int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
+int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
{
EVP_PKEY *pkey = keys[cert->key].key;
cert_t *issuer_cert = &certs[cert->issuer];
@@ -90,7 +90,7 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
X509_NAME *name;
ASN1_INTEGER *sno;
int i, num, rc = 0;
- EVP_MD_CTX mdCtx;
+ EVP_MD_CTX mdCtx;
EVP_PKEY_CTX *pKeyCtx = NULL;
/* Create the certificate structure */
@@ -112,24 +112,32 @@ int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
}
EVP_MD_CTX_init(&mdCtx);
+
+ /* Sign the certificate with the issuer key */
if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
ERR_print_errors_fp(stdout);
goto END;
}
- if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
- ERR_print_errors_fp(stdout);
- goto END;
- }
+ /*
+ * Set additional parameters if algorithm is RSA PSS. This is not
+ * required for RSA 1.5 or ECDSA.
+ */
+ if (key_alg == KEY_ALG_RSA) {
+ if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
- if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
- ERR_print_errors_fp(stdout);
- goto END;
- }
+ if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
- if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
- ERR_print_errors_fp(stdout);
- goto END;
+ if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
+ ERR_print_errors_fp(stdout);
+ goto END;
+ }
}
/* x509.v3 */
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index f14601c8bc..df59961b0a 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -89,6 +89,7 @@ static char *strdup(const char *str)
static const char *key_algs_str[] = {
[KEY_ALG_RSA] = "rsa",
+ [KEY_ALG_RSA_1_5] = "rsa_1_5",
#ifndef OPENSSL_NO_EC
[KEY_ALG_ECDSA] = "ecdsa"
#endif /* OPENSSL_NO_EC */
@@ -223,7 +224,8 @@ static const cmd_opt_t common_cmd_opt[] = {
},
{
{ "key-alg", required_argument, NULL, 'a' },
- "Key algorithm: 'rsa' (default), 'ecdsa'"
+ "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \
+PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
},
{
{ "save-keys", no_argument, NULL, 'k' },
@@ -450,8 +452,8 @@ int main(int argc, char *argv[])
sk_X509_EXTENSION_push(sk, cert_ext);
}
- /* Create certificate. Signed with ROT key */
- if (cert->fn && !cert_new(cert, VAL_DAYS, 0, sk)) {
+ /* Create certificate. Signed with corresponding key */
+ if (cert->fn && !cert_new(key_alg, cert, VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", cert->cn);
exit(1);
}