feat(cert-create): update for ECDSA brainpoolP256r/t1 support

Updated cert_tool to be able to select brainpool P256r/t1 or NIST prim256v1 curve for certificates signature. Change-Id: I6e800144697069ea83660053b8ba6e21c229243a Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com> Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
2025-04-16 09:34:18 +00:00 · 2022-11-14 11:03:42 +01:00 · 2022-11-14 11:03:42 +01:00 · e78ba69e35
commit e78ba69e35
parent 2742374414
4 changed files with 72 additions and 23 deletions
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@ -610,22 +610,28 @@ Common build options

 -  ``KEY_ALG``: This build flag enables the user to select the algorithm to be
   used for generating the PKCS keys and subsequent signing of the certificate.
-   It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option
-   ``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR
-   compliant and is retained only for compatibility. The default value of this
-   flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
+   It accepts 5 values: ``rsa``, ``rsa_1_5``, ``ecdsa``, ``ecdsa-brainpool-regular``
+   and ``ecdsa-brainpool-twisted``. The option ``rsa_1_5`` is the legacy PKCS#1
+   RSA 1.5 algorithm which is not TBBR compliant and is retained only for
+   compatibility. The default value of this flag is ``rsa`` which is the TBBR
+   compliant PKCS#1 RSA 2.1 scheme.

 -  ``KEY_SIZE``: This build flag enables the user to select the key size for
   the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
   depend on the chosen algorithm and the cryptographic module.

-   +-----------+------------------------------------+
-   |  KEY_ALG  |        Possible key sizes          |
-   +===========+====================================+
-   |    rsa    | 1024 , 2048 (default), 3072, 4096* |
-   +-----------+------------------------------------+
-   |   ecdsa   |            unavailable             |
-   +-----------+------------------------------------+
+   +---------------------------+------------------------------------+
+   |         KEY_ALG           |        Possible key sizes          |
+   +===========================+====================================+
+   |           rsa             | 1024 , 2048 (default), 3072, 4096* |
+   +---------------------------+------------------------------------+
+   |          ecdsa            |            unavailable             |
+   +---------------------------+------------------------------------+
+   |  ecdsa-brainpool-regular  |            unavailable             |
+   +---------------------------+------------------------------------+
+   |  ecdsa-brainpool-twisted  |            unavailable             |
+   +---------------------------+------------------------------------+
+

   * Only 2048 bits size is available with CryptoCell 712 SBROM release 1.
     Only 3072 bits size is available with CryptoCell 712 SBROM release 2.
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@ -22,7 +22,9 @@ enum {
 enum {
 	KEY_ALG_RSA,		/* RSA PSS as defined by PKCS#1 v2.1 (default) */
 #ifndef OPENSSL_NO_EC
-	KEY_ALG_ECDSA,
+	KEY_ALG_ECDSA_NIST,
+	KEY_ALG_ECDSA_BRAINPOOL_R,
+	KEY_ALG_ECDSA_BRAINPOOL_T,
 #endif /* OPENSSL_NO_EC */
 	KEY_ALG_MAX_NUM
 };
@ -42,7 +44,9 @@ enum{
 static const unsigned int KEY_SIZES[KEY_ALG_MAX_NUM][KEY_SIZE_MAX_NUM] = {
 	{ 2048, 1024, 3072, 4096 },	/* KEY_ALG_RSA */
 #ifndef OPENSSL_NO_EC
-	{}				/* KEY_ALG_ECDSA */
+	{},				/* KEY_ALG_ECDSA_NIST */
+	{},				/* KEY_ALG_ECDSA_BRAINPOOL_R */
+	{}				/* KEY_ALG_ECDSA_BRAINPOOL_T */
 #endif /* OPENSSL_NO_EC */
 };

--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@ -93,20 +93,39 @@ err2:
 }

 #ifndef OPENSSL_NO_EC
-static int key_create_ecdsa(key_t *key, int key_bits)
-{
 #if USING_OPENSSL3
-	EVP_PKEY *ec = EVP_EC_gen("prime256v1");
+static int key_create_ecdsa(key_t *key, int key_bits, const char *curve)
+{
+	EVP_PKEY *ec = EVP_EC_gen(curve);
 	if (ec == NULL) {
 		printf("Cannot generate EC key\n");
 		return 0;
 	}
+
 	key->key = ec;
 	return 1;
+}
+
+static int key_create_ecdsa_nist(key_t *key, int key_bits)
+{
+	return key_create_ecdsa(key, key_bits, "prime256v1");
+}
+
+static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
+{
+	return key_create_ecdsa(key, key_bits, "brainpoolP256r1");
+}
+
+static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
+{
+	return key_create_ecdsa(key, key_bits, "brainpoolP256t1");
+}
 #else
+static int key_create_ecdsa(key_t *key, int key_bits, const int curve_id)
+{
 	EC_KEY *ec;

-	ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+	ec = EC_KEY_new_by_curve_name(curve_id);
 	if (ec == NULL) {
 		printf("Cannot create EC key\n");
 		return 0;
@ -127,15 +146,32 @@ static int key_create_ecdsa(key_t *key, int key_bits)
 err:
 	EC_KEY_free(ec);
 	return 0;
-#endif
 }
+
+static int key_create_ecdsa_nist(key_t *key, int key_bits)
+{
+	return key_create_ecdsa(key, key_bits, NID_X9_62_prime256v1);
+}
+
+static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
+{
+	return key_create_ecdsa(key, key_bits, NID_brainpoolP256r1);
+}
+
+static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
+{
+	return key_create_ecdsa(key, key_bits, NID_brainpoolP256t1);
+}
+#endif /* USING_OPENSSL3 */
 #endif /* OPENSSL_NO_EC */

 typedef int (*key_create_fn_t)(key_t *key, int key_bits);
 static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
-	key_create_rsa, 	/* KEY_ALG_RSA */
+	[KEY_ALG_RSA] = key_create_rsa,
 #ifndef OPENSSL_NO_EC
-	key_create_ecdsa, 	/* KEY_ALG_ECDSA */
+	[KEY_ALG_ECDSA_NIST] = key_create_ecdsa_nist,
+	[KEY_ALG_ECDSA_BRAINPOOL_R] = key_create_ecdsa_brainpool_r,
+	[KEY_ALG_ECDSA_BRAINPOOL_T] = key_create_ecdsa_brainpool_t,
 #endif /* OPENSSL_NO_EC */
 };

--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@ -84,7 +84,9 @@ static char *strdup(const char *str)
 static const char *key_algs_str[] = {
 	[KEY_ALG_RSA] = "rsa",
 #ifndef OPENSSL_NO_EC
-	[KEY_ALG_ECDSA] = "ecdsa"
+	[KEY_ALG_ECDSA_NIST] = "ecdsa",
+	[KEY_ALG_ECDSA_BRAINPOOL_R] = "ecdsa-brainpool-regular",
+	[KEY_ALG_ECDSA_BRAINPOOL_T] = "ecdsa-brainpool-twisted",
 #endif /* OPENSSL_NO_EC */
 };

@ -106,7 +108,7 @@ static void print_help(const char *cmd, const struct option *long_opt)

 	printf("\n\n");
 	printf("The certificate generation tool loads the binary images and\n"
-	       "optionally the RSA keys, and outputs the key and content\n"
+	       "optionally the RSA or ECC keys, and outputs the key and content\n"
 	       "certificates properly signed to implement the chain of trust.\n"
 	       "If keys are provided, they must be in PEM format.\n"
 	       "Certificates are generated in DER format.\n");
@ -267,7 +269,8 @@ static const cmd_opt_t common_cmd_opt[] = {
 	},
 	{
 		{ "key-alg", required_argument, NULL, 'a' },
-		"Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, 'ecdsa'"
+		"Key algorithm: 'rsa' (default)- RSAPSS scheme as per PKCS#1 v2.1, " \
+		"'ecdsa', 'ecdsa-brainpool-regular', 'ecdsa-brainpool-twisted'"
 	},
 	{
 		{ "key-size", required_argument, NULL, 'b' },