Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / b12b3aebe1d0a8e2df2681922a5ab936a53ea1ba
commitb12b3aebe1d0a8e2df2681922a5ab936a53ea1ba[log] [tgz]
authorDonald Chan <donachan@tesla.com>Mon Apr 08 15:23:43 2024 -0700
committerDonald Chan <donachan@tesla.com>Fri Apr 12 18:18:04 2024 +0200
tree2a3a0ff06c0d06a1b3b35c64071bb29c8842450c
parentfe2463574625b09f953915e521f2c7ca28706172 [diff]
fix(cert-create): use a salt length equal to digest length for RSA-PSS

Currently when RSA-PSS signing is invoked, a salt length of 32 bytes
is assumed. This works well when SHA-256 is the digest algorithm, but
the standard industry practice is that the salt length should follow
the digest length (e.g. 48/64 bytes for SHA-384/SHA-512).

Various cloud services' key management services (KMS) offering have
such restrictions in place, so if someone wants to integrate cert_create
against these services for signing key/content certs, they will have
problem with integration.

Furthermore, JWS (RFC7518) defined these specific combinations as valid
specs and other combinations are not supported:

  - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Change-Id: Iafc7c60ccb36f4681053dbeb4147bac01b9d724d
Signed-off-by: Donald Chan <donachan@tesla.com>
1 file changed
tree: 2a3a0ff06c0d06a1b3b35c64071bb29c8842450c
  1. .husky/
  2. bl1/
  3. bl2/
  4. bl2u/
  5. bl31/
  6. bl32/
  7. common/
  8. docs/
  9. drivers/
  10. fdts/
  11. include/
  12. lib/
  13. licenses/
  14. make_helpers/
  15. plat/
  16. services/
  17. tools/
  18. .checkpatch.conf
  19. .commitlintrc.js
  20. .cz-adapter.cjs
  21. .cz.json
  22. .editorconfig
  23. .gitignore
  24. .gitreview
  25. .nvmrc
  26. .readthedocs.yaml
  27. .versionrc.cjs
  28. changelog.yaml
  29. dco.txt
  30. license.rst
  31. Makefile
  32. package-lock.json
  33. package.json
  34. poetry.lock
  35. pyproject.toml
  36. readme.rst