aboutsummaryrefslogtreecommitdiff
path: root/tools/cert_create
diff options
context:
space:
mode:
Diffstat (limited to 'tools/cert_create')
-rw-r--r--tools/cert_create/include/cert.h3
-rw-r--r--tools/cert_create/include/key.h19
-rw-r--r--tools/cert_create/src/cert.c9
-rw-r--r--tools/cert_create/src/key.c13
-rw-r--r--tools/cert_create/src/main.c62
5 files changed, 81 insertions, 25 deletions
diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h
index 39b45b58e..6db9b579d 100644
--- a/tools/cert_create/include/cert.h
+++ b/tools/cert_create/include/cert.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -49,7 +49,6 @@ int cert_init(void);
cert_t *cert_get_by_opt(const char *opt);
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value);
int cert_new(
- int key_alg,
int md_alg,
cert_t *cert,
int days,
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 310a77f3e..d96d9839a 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -9,8 +9,6 @@
#include <openssl/ossl_typ.h>
-#define RSA_KEY_BITS 2048
-
/* Error codes */
enum {
KEY_ERR_NONE,
@@ -23,13 +21,15 @@ enum {
/* Supported key algorithms */
enum {
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
- KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */
#ifndef OPENSSL_NO_EC
KEY_ALG_ECDSA,
#endif /* OPENSSL_NO_EC */
KEY_ALG_MAX_NUM
};
+/* Maximum number of valid key sizes per algorithm */
+#define KEY_SIZE_MAX_NUM 4
+
/* Supported hash algorithms */
enum{
HASH_ALG_SHA256,
@@ -37,6 +37,15 @@ enum{
HASH_ALG_SHA512,
};
+/* Supported key sizes */
+/* NOTE: the first item in each array is the default key size */
+static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
+ { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
+#ifndef OPENSSL_NO_EC
+ {} /* KEY_ALG_ECDSA */
+#endif /* OPENSSL_NO_EC */
+};
+
/*
* This structure contains the relevant information to create the keys
* required to sign the certificates.
@@ -58,7 +67,7 @@ typedef struct key_s {
int key_init(void);
key_t *key_get_by_opt(const char *opt);
int key_new(key_t *key);
-int key_create(key_t *key, int type);
+int key_create(key_t *key, int type, int key_bits);
int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key);
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 8e8aee699..c68a265b4 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -93,7 +93,6 @@ int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
}
int cert_new(
- int key_alg,
int md_alg,
cert_t *cert,
int days,
@@ -143,10 +142,10 @@ int cert_new(
}
/*
- * Set additional parameters if algorithm is RSA PSS. This is not
- * required for RSA 1.5 or ECDSA.
+ * Set additional parameters if issuing public key algorithm is RSA.
+ * This is not required for ECDSA.
*/
- if (key_alg == KEY_ALG_RSA) {
+ if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) {
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
ERR_print_errors_fp(stdout);
goto END;
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index fece77085..0f80cce9b 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -41,7 +41,7 @@ int key_new(key_t *key)
return 1;
}
-static int key_create_rsa(key_t *key)
+static int key_create_rsa(key_t *key, int key_bits)
{
BIGNUM *e;
RSA *rsa = NULL;
@@ -63,7 +63,7 @@ static int key_create_rsa(key_t *key)
goto err;
}
- if (!RSA_generate_key_ex(rsa, RSA_KEY_BITS, e, NULL)) {
+ if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
printf("Cannot generate RSA key\n");
goto err;
}
@@ -82,7 +82,7 @@ err:
}
#ifndef OPENSSL_NO_EC
-static int key_create_ecdsa(key_t *key)
+static int key_create_ecdsa(key_t *key, int key_bits)
{
EC_KEY *ec;
@@ -109,16 +109,15 @@ err:
}
#endif /* OPENSSL_NO_EC */
-typedef int (*key_create_fn_t)(key_t *key);
+typedef int (*key_create_fn_t)(key_t *key, int key_bits);
static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
key_create_rsa, /* KEY_ALG_RSA */
- key_create_rsa, /* KEY_ALG_RSA_1_5 */
#ifndef OPENSSL_NO_EC
key_create_ecdsa, /* KEY_ALG_ECDSA */
#endif /* OPENSSL_NO_EC */
};
-int key_create(key_t *key, int type)
+int key_create(key_t *key, int type, int key_bits)
{
if (type >= KEY_ALG_MAX_NUM) {
printf("Invalid key type\n");
@@ -126,7 +125,7 @@ int key_create(key_t *key, int type)
}
if (key_create_fn[type]) {
- return key_create_fn[type](key);
+ return key_create_fn[type](key, key_bits);
}
return 0;
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 0f588cc8c..0cbd2196b 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <stdbool.h>
#include <openssl/conf.h>
#include <openssl/engine.h>
@@ -69,6 +70,7 @@
/* Global options */
static int key_alg;
static int hash_alg;
+static int key_size;
static int new_keys;
static int save_keys;
static int print_cert;
@@ -90,7 +92,6 @@ static char *strdup(const char *str)
static const char *key_algs_str[] = {
[KEY_ALG_RSA] = "rsa",
- [KEY_ALG_RSA_1_5] = "rsa_1_5",
#ifndef OPENSSL_NO_EC
[KEY_ALG_ECDSA] = "ecdsa"
#endif /* OPENSSL_NO_EC */
@@ -155,6 +156,18 @@ static int get_key_alg(const char *key_alg_str)
return -1;
}
+static int get_key_size(const char *key_size_str)
+{
+ char *end;
+ long key_size;
+
+ key_size = strtol(key_size_str, &end, 10);
+ if (*end != '\0')
+ return -1;
+
+ return key_size;
+}
+
static int get_hash_alg(const char *hash_alg_str)
{
int i;
@@ -174,6 +187,7 @@ static void check_cmd_params(void)
ext_t *ext;
key_t *key;
int i, j;
+ bool valid_size;
/* Only save new keys */
if (save_keys && !new_keys) {
@@ -181,6 +195,26 @@ static void check_cmd_params(void)
exit(1);
}
+ /* Validate key-size */
+ valid_size = false;
+ for (i = 0; i < KEY_SIZE_MAX_NUM; i++) {
+ if (key_size == KEY_SIZES[key_alg][i]) {
+ valid_size = true;
+ break;
+ }
+ }
+ if (!valid_size) {
+ ERROR("'%d' is not a valid key size for '%s'\n",
+ key_size, key_algs_str[key_alg]);
+ NOTICE("Valid sizes are: ");
+ for (i = 0; i < KEY_SIZE_MAX_NUM &&
+ KEY_SIZES[key_alg][i] != 0; i++) {
+ printf("%d ", KEY_SIZES[key_alg][i]);
+ }
+ printf("\n");
+ exit(1);
+ }
+
/* Check that all required options have been specified in the
* command line */
for (i = 0; i < num_certs; i++) {
@@ -242,8 +276,11 @@ static const cmd_opt_t common_cmd_opt[] = {
},
{
{ "key-alg", required_argument, NULL, 'a' },
- "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \
-PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
+ "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'"
+ },
+ {
+ { "key-size", required_argument, NULL, 'b' },
+ "Key size (for supported algorithms)."
},
{
{ "hash-alg", required_argument, NULL, 's' },
@@ -286,6 +323,7 @@ int main(int argc, char *argv[])
/* Set default options */
key_alg = KEY_ALG_RSA;
hash_alg = HASH_ALG_SHA256;
+ key_size = -1;
/* Add common command line options */
for (i = 0; i < NUM_ELEM(common_cmd_opt); i++) {
@@ -315,7 +353,7 @@ int main(int argc, char *argv[])
while (1) {
/* getopt_long stores the option index here. */
- c = getopt_long(argc, argv, "a:hknps:", cmd_opt, &opt_idx);
+ c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
@@ -330,6 +368,13 @@ int main(int argc, char *argv[])
exit(1);
}
break;
+ case 'b':
+ key_size = get_key_size(optarg);
+ if (key_size <= 0) {
+ ERROR("Invalid key size '%s'\n", optarg);
+ exit(1);
+ }
+ break;
case 'h':
print_help(argv[0], cmd_opt);
exit(0);
@@ -371,6 +416,11 @@ int main(int argc, char *argv[])
}
}
+ /* Select a reasonable default key-size */
+ if (key_size == -1) {
+ key_size = KEY_SIZES[key_alg][0];
+ }
+
/* Check command line arguments */
check_cmd_params();
@@ -413,7 +463,7 @@ int main(int argc, char *argv[])
if (new_keys) {
/* Try to create a new key */
NOTICE("Creating new key for '%s'\n", keys[i].desc);
- if (!key_create(&keys[i], key_alg)) {
+ if (!key_create(&keys[i], key_alg, key_size)) {
ERROR("Error creating key '%s'\n", keys[i].desc);
exit(1);
}
@@ -493,7 +543,7 @@ int main(int argc, char *argv[])
}
/* Create certificate. Signed with corresponding key */
- if (cert->fn && !cert_new(key_alg, hash_alg, cert, VAL_DAYS, 0, sk)) {
+ if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", cert->cn);
exit(1);
}