#
-# Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Build options added by this file:
#
# KEY_ALG
+# KEY_SIZE
# ROT_KEY
# TRUSTED_WORLD_KEY
# NON_TRUSTED_WORLD_KEY
# packed in the FIP). Developers can use their own keys by specifying the proper
# build option in the command line when building the Trusted Firmware
$(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg)))
+$(if ${KEY_SIZE},$(eval $(call CERT_ADD_CMD_OPT,${KEY_SIZE},--key-size)))
$(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,FWU_)))
/*
- * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <openssl/ossl_typ.h>
-#define RSA_KEY_BITS 2048
-
/* Error codes */
enum {
KEY_ERR_NONE,
KEY_ALG_MAX_NUM
};
+/* Maximum number of valid key sizes per algorithm */
+#define KEY_SIZE_MAX_NUM 4
+
/* Supported hash algorithms */
enum{
HASH_ALG_SHA256,
HASH_ALG_SHA512,
};
+/* Supported key sizes */
+/* NOTE: the first item in each array is the default key size */
+static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
+ { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA */
+ { 2048, 1024, 3072, 4096 }, /* KEY_ALG_RSA_1_5 */
+#ifndef OPENSSL_NO_EC
+ {} /* KEY_ALG_ECDSA */
+#endif /* OPENSSL_NO_EC */
+};
+
/*
* This structure contains the relevant information to create the keys
* required to sign the certificates.
int key_init(void);
key_t *key_get_by_opt(const char *opt);
int key_new(key_t *key);
-int key_create(key_t *key, int type);
+int key_create(key_t *key, int type, int key_bits);
int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key);
return 1;
}
-static int key_create_rsa(key_t *key)
+static int key_create_rsa(key_t *key, int key_bits)
{
BIGNUM *e;
RSA *rsa = NULL;
goto err;
}
- if (!RSA_generate_key_ex(rsa, RSA_KEY_BITS, e, NULL)) {
+ if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
printf("Cannot generate RSA key\n");
goto err;
}
}
#ifndef OPENSSL_NO_EC
-static int key_create_ecdsa(key_t *key)
+static int key_create_ecdsa(key_t *key, int key_bits)
{
EC_KEY *ec;
}
#endif /* OPENSSL_NO_EC */
-typedef int (*key_create_fn_t)(key_t *key);
+typedef int (*key_create_fn_t)(key_t *key, int key_bits);
static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
key_create_rsa, /* KEY_ALG_RSA */
key_create_rsa, /* KEY_ALG_RSA_1_5 */
#endif /* OPENSSL_NO_EC */
};
-int key_create(key_t *key, int type)
+int key_create(key_t *key, int type, int key_bits)
{
if (type >= KEY_ALG_MAX_NUM) {
printf("Invalid key type\n");
}
if (key_create_fn[type]) {
- return key_create_fn[type](key);
+ return key_create_fn[type](key, key_bits);
}
return 0;
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <stdbool.h>
#include <openssl/conf.h>
#include <openssl/engine.h>
/* Global options */
static int key_alg;
static int hash_alg;
+static int key_size;
static int new_keys;
static int save_keys;
static int print_cert;
return -1;
}
+static int get_key_size(const char *key_size_str)
+{
+ char *end;
+ long key_size;
+
+ key_size = strtol(key_size_str, &end, 10);
+ if (*end != '\0')
+ return -1;
+
+ return key_size;
+}
+
static int get_hash_alg(const char *hash_alg_str)
{
int i;
ext_t *ext;
key_t *key;
int i, j;
+ bool valid_size;
/* Only save new keys */
if (save_keys && !new_keys) {
exit(1);
}
+ /* Validate key-size */
+ valid_size = false;
+ for (i = 0; i < KEY_SIZE_MAX_NUM; i++) {
+ if (key_size == KEY_SIZES[key_alg][i]) {
+ valid_size = true;
+ break;
+ }
+ }
+ if (!valid_size) {
+ ERROR("'%d' is not a valid key size for '%s'\n",
+ key_size, key_algs_str[key_alg]);
+ NOTICE("Valid sizes are: ");
+ for (i = 0; i < KEY_SIZE_MAX_NUM &&
+ KEY_SIZES[key_alg][i] != 0; i++) {
+ printf("%d ", KEY_SIZES[key_alg][i]);
+ }
+ printf("\n");
+ exit(1);
+ }
+
/* Check that all required options have been specified in the
* command line */
for (i = 0; i < num_certs; i++) {
"Key algorithm: 'rsa' (default) - RSAPSS scheme as per \
PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
},
+ {
+ { "key-size", required_argument, NULL, 'b' },
+ "Key size (for supported algorithms)."
+ },
{
{ "hash-alg", required_argument, NULL, 's' },
"Hash algorithm : 'sha256' (default), 'sha384', 'sha512'"
/* Set default options */
key_alg = KEY_ALG_RSA;
hash_alg = HASH_ALG_SHA256;
+ key_size = -1;
/* Add common command line options */
for (i = 0; i < NUM_ELEM(common_cmd_opt); i++) {
while (1) {
/* getopt_long stores the option index here. */
- c = getopt_long(argc, argv, "a:hknps:", cmd_opt, &opt_idx);
+ c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
exit(1);
}
break;
+ case 'b':
+ key_size = get_key_size(optarg);
+ if (key_size <= 0) {
+ ERROR("Invalid key size '%s'\n", optarg);
+ exit(1);
+ }
+ break;
case 'h':
print_help(argv[0], cmd_opt);
exit(0);
}
}
+ /* Select a reasonable default key-size */
+ if (key_size == -1) {
+ key_size = KEY_SIZES[key_alg][0];
+ }
+
/* Check command line arguments */
check_cmd_params();
if (new_keys) {
/* Try to create a new key */
NOTICE("Creating new key for '%s'\n", keys[i].desc);
- if (!key_create(&keys[i], key_alg)) {
+ if (!key_create(&keys[i], key_alg, key_size)) {
ERROR("Error creating key '%s'\n", keys[i].desc);
exit(1);
}
projects / project / bcm63xx / atf.git / commitdiff