Remove RSA PKCS#1 v1.5 support from cert_tool
Support for PKCS#1 v1.5 was deprecated in SHA 1001202 and fully removed
in SHA fe199e3, however, cert_tool is still able to generate
certificates in that form. This patch fully removes the ability for
cert_tool to generate these certificates.
Additionally, this patch also fixes a bug where the issuing certificate
was a RSA and the issued certificate was EcDSA. In this case, the issued
certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
that PKCS#1 v1.5 support is removed, all certificates that are signed
with RSA now use the more modern padding scheme.
Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 8e8aee6..c68a265 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -93,7 +93,6 @@
}
int cert_new(
- int key_alg,
int md_alg,
cert_t *cert,
int days,
@@ -143,10 +142,10 @@
}
/*
- * Set additional parameters if algorithm is RSA PSS. This is not
- * required for RSA 1.5 or ECDSA.
+ * Set additional parameters if issuing public key algorithm is RSA.
+ * This is not required for ECDSA.
*/
- if (key_alg == KEY_ALG_RSA) {
+ if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) {
if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
ERR_print_errors_fp(stdout);
goto END;