feat(cert-create): update for ECDSA brainpoolP256r/t1 support
Updated cert_tool to be able to select brainpool P256r/t1
or NIST prim256v1 curve for certificates signature.
Change-Id: I6e800144697069ea83660053b8ba6e21c229243a
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 0b42a79..402de13 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -610,22 +610,28 @@
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate.
- It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option
- ``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR
- compliant and is retained only for compatibility. The default value of this
- flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
+ It accepts 5 values: ``rsa``, ``rsa_1_5``, ``ecdsa``, ``ecdsa-brainpool-regular``
+ and ``ecdsa-brainpool-twisted``. The option ``rsa_1_5`` is the legacy PKCS#1
+ RSA 1.5 algorithm which is not TBBR compliant and is retained only for
+ compatibility. The default value of this flag is ``rsa`` which is the TBBR
+ compliant PKCS#1 RSA 2.1 scheme.
- ``KEY_SIZE``: This build flag enables the user to select the key size for
the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
depend on the chosen algorithm and the cryptographic module.
- +-----------+------------------------------------+
- | KEY_ALG | Possible key sizes |
- +===========+====================================+
- | rsa | 1024 , 2048 (default), 3072, 4096* |
- +-----------+------------------------------------+
- | ecdsa | unavailable |
- +-----------+------------------------------------+
+ +---------------------------+------------------------------------+
+ | KEY_ALG | Possible key sizes |
+ +===========================+====================================+
+ | rsa | 1024 , 2048 (default), 3072, 4096* |
+ +---------------------------+------------------------------------+
+ | ecdsa | unavailable |
+ +---------------------------+------------------------------------+
+ | ecdsa-brainpool-regular | unavailable |
+ +---------------------------+------------------------------------+
+ | ecdsa-brainpool-twisted | unavailable |
+ +---------------------------+------------------------------------+
+
* Only 2048 bits size is available with CryptoCell 712 SBROM release 1.
Only 3072 bits size is available with CryptoCell 712 SBROM release 2.
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 0ef046b..312575b 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -22,7 +22,9 @@
enum {
KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */
#ifndef OPENSSL_NO_EC
- KEY_ALG_ECDSA,
+ KEY_ALG_ECDSA_NIST,
+ KEY_ALG_ECDSA_BRAINPOOL_R,
+ KEY_ALG_ECDSA_BRAINPOOL_T,
#endif /* OPENSSL_NO_EC */
KEY_ALG_MAX_NUM
};
@@ -42,7 +44,9 @@
static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
{ 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
#ifndef OPENSSL_NO_EC
- {} /* KEY_ALG_ECDSA */
+ {}, /* KEY_ALG_ECDSA_NIST */
+ {}, /* KEY_ALG_ECDSA_BRAINPOOL_R */
+ {} /* KEY_ALG_ECDSA_BRAINPOOL_T */
#endif /* OPENSSL_NO_EC */
};
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index 0061b8a..487777b 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -93,20 +93,39 @@
}
#ifndef OPENSSL_NO_EC
-static int key_create_ecdsa(key_t *key, int key_bits)
-{
#if USING_OPENSSL3
- EVP_PKEY *ec = EVP_EC_gen("prime256v1");
+static int key_create_ecdsa(key_t *key, int key_bits, const char *curve)
+{
+ EVP_PKEY *ec = EVP_EC_gen(curve);
if (ec == NULL) {
printf("Cannot generate EC key\n");
return 0;
}
+
key->key = ec;
return 1;
+}
+
+static int key_create_ecdsa_nist(key_t *key, int key_bits)
+{
+ return key_create_ecdsa(key, key_bits, "prime256v1");
+}
+
+static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
+{
+ return key_create_ecdsa(key, key_bits, "brainpoolP256r1");
+}
+
+static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
+{
+ return key_create_ecdsa(key, key_bits, "brainpoolP256t1");
+}
#else
+static int key_create_ecdsa(key_t *key, int key_bits, const int curve_id)
+{
EC_KEY *ec;
- ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ ec = EC_KEY_new_by_curve_name(curve_id);
if (ec == NULL) {
printf("Cannot create EC key\n");
return 0;
@@ -127,15 +146,32 @@
err:
EC_KEY_free(ec);
return 0;
-#endif
+}
+
+static int key_create_ecdsa_nist(key_t *key, int key_bits)
+{
+ return key_create_ecdsa(key, key_bits, NID_X9_62_prime256v1);
+}
+
+static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
+{
+ return key_create_ecdsa(key, key_bits, NID_brainpoolP256r1);
+}
+
+static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
+{
+ return key_create_ecdsa(key, key_bits, NID_brainpoolP256t1);
}
+#endif /* USING_OPENSSL3 */
#endif /* OPENSSL_NO_EC */
typedef int (*key_create_fn_t)(key_t *key, int key_bits);
static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
- key_create_rsa, /* KEY_ALG_RSA */
+ [KEY_ALG_RSA] = key_create_rsa,
#ifndef OPENSSL_NO_EC
- key_create_ecdsa, /* KEY_ALG_ECDSA */
+ [KEY_ALG_ECDSA_NIST] = key_create_ecdsa_nist,
+ [KEY_ALG_ECDSA_BRAINPOOL_R] = key_create_ecdsa_brainpool_r,
+ [KEY_ALG_ECDSA_BRAINPOOL_T] = key_create_ecdsa_brainpool_t,
#endif /* OPENSSL_NO_EC */
};
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index fe386b7..2ab6bcf 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -84,7 +84,9 @@
static const char *key_algs_str[] = {
[KEY_ALG_RSA] = "rsa",
#ifndef OPENSSL_NO_EC
- [KEY_ALG_ECDSA] = "ecdsa"
+ [KEY_ALG_ECDSA_NIST] = "ecdsa",
+ [KEY_ALG_ECDSA_BRAINPOOL_R] = "ecdsa-brainpool-regular",
+ [KEY_ALG_ECDSA_BRAINPOOL_T] = "ecdsa-brainpool-twisted",
#endif /* OPENSSL_NO_EC */
};
@@ -106,7 +108,7 @@
printf("\n\n");
printf("The certificate generation tool loads the binary images and\n"
- "optionally the RSA keys, and outputs the key and content\n"
+ "optionally the RSA or ECC keys, and outputs the key and content\n"
"certificates properly signed to implement the chain of trust.\n"
"If keys are provided, they must be in PEM format.\n"
"Certificates are generated in DER format.\n");
@@ -267,7 +269,8 @@
},
{
{ "key-alg", required_argument, NULL, 'a' },
- "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'"
+ "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, " \
+ "'ecdsa', 'ecdsa-brainpool-regular', 'ecdsa-brainpool-twisted'"
},
{
{ "key-size", required_argument, NULL, 'b' },