diff --git a/docs/getting_started/user-guide.rst b/docs/getting_started/user-guide.rst index 8915738..1229e66 100644 --- a/docs/getting_started/user-guide.rst +++ b/docs/getting_started/user-guide.rst @@ -588,10 +588,8 @@ - ``KEY_ALG``: This build flag enables the user to select the algorithm to be used for generating the PKCS keys and subsequent signing of the certificate. - It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option - ``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR - compliant and is retained only for compatibility. The default value of this - flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme. + It accepts 2 values: ``rsa`` and ``ecdsa``. The default value of this flag + is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme. - ``KEY_SIZE``: This build flag enables the user to select the key size for the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE`` diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk index f34d3d0..4b83015 100644 --- a/drivers/auth/mbedtls/mbedtls_common.mk +++ b/drivers/auth/mbedtls/mbedtls_common.mk @@ -48,9 +48,9 @@ ) # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key -# algorithm to use. If the variable is not defined, select it based on algorithm -# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is -# defined to `rsa`/`rsa_1_5`, then set the variable to `rsa`. +# algorithm to use. If the variable is not defined, select it based on +# algorithm used for key generation `KEY_ALG`. If `KEY_ALG` is not defined, +# then it is set to `rsa`. ifeq (${TF_MBEDTLS_KEY_ALG},) ifeq (${KEY_ALG}, ecdsa) TF_MBEDTLS_KEY_ALG := ecdsa diff --git a/tools/cert_create/include/cert.h b/tools/cert_create/include/cert.h index 39b45b5..6db9b57 100644 --- a/tools/cert_create/include/cert.h +++ b/tools/cert_create/include/cert.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -49,7 +49,6 @@ cert_t *cert_get_by_opt(const char *opt); int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value); int cert_new( - int key_alg, int md_alg, cert_t *cert, int days, diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h index c08beb8..d96d983 100644 --- a/tools/cert_create/include/key.h +++ b/tools/cert_create/include/key.h @@ -21,7 +21,6 @@ /* Supported key algorithms */ enum { KEY_ALG_RSA, /* RSA PSS as defined by PKCS#1 v2.1 (default) */ - KEY_ALG_RSA_1_5, /* RSA as defined by PKCS#1 v1.5 */ #ifndef OPENSSL_NO_EC KEY_ALG_ECDSA, #endif /* OPENSSL_NO_EC */ @@ -42,7 +41,6 @@ /* NOTE: the first item in each array is the default key size */ static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = { { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */ - { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA_1_5 */ #ifndef OPENSSL_NO_EC {} /* KEY_ALG_ECDSA */ #endif /* OPENSSL_NO_EC */ diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c index 8e8aee6..c68a265 100644 --- a/tools/cert_create/src/cert.c +++ b/tools/cert_create/src/cert.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -93,7 +93,6 @@ } int cert_new( - int key_alg, int md_alg, cert_t *cert, int days, @@ -143,10 +142,10 @@ } /* - * Set additional parameters if algorithm is RSA PSS. This is not - * required for RSA 1.5 or ECDSA. + * Set additional parameters if issuing public key algorithm is RSA. + * This is not required for ECDSA. */ - if (key_alg == KEY_ALG_RSA) { + if (EVP_PKEY_base_id(ikey) == EVP_PKEY_RSA) { if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) { ERR_print_errors_fp(stdout); goto END; diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c index 93d31f7..0f80cce 100644 --- a/tools/cert_create/src/key.c +++ b/tools/cert_create/src/key.c @@ -112,7 +112,6 @@ typedef int (*key_create_fn_t)(key_t *key, int key_bits); static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = { key_create_rsa, /* KEY_ALG_RSA */ - key_create_rsa, /* KEY_ALG_RSA_1_5 */ #ifndef OPENSSL_NO_EC key_create_ecdsa, /* KEY_ALG_ECDSA */ #endif /* OPENSSL_NO_EC */ diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index 44a65eb..0cbd219 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -92,7 +92,6 @@ static const char *key_algs_str[] = { [KEY_ALG_RSA] = "rsa", - [KEY_ALG_RSA_1_5] = "rsa_1_5", #ifndef OPENSSL_NO_EC [KEY_ALG_ECDSA] = "ecdsa" #endif /* OPENSSL_NO_EC */ @@ -277,8 +276,7 @@ }, { { "key-alg", required_argument, NULL, 'a' }, - "Key algorithm: 'rsa' (default) - RSAPSS scheme as per \ -PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'" + "Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'" }, { { "key-size", required_argument, NULL, 'b' }, @@ -545,7 +543,7 @@ } /* Create certificate. Signed with corresponding key */ - if (cert->fn && !cert_new(key_alg, hash_alg, cert, VAL_DAYS, 0, sk)) { + if (cert->fn && !cert_new(hash_alg, cert, VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", cert->cn); exit(1); }