Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-26 06:50:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
arm-trusted-firmware/tools/cert_create
History
Donald Chan e639ad23c8 fix(cert-create): use a salt length equal to digest length for RSA-PSS 
Currently when RSA-PSS signing is invoked, a salt length of 32 bytes
is assumed. This works well when SHA-256 is the digest algorithm, but
the standard industry practice is that the salt length should follow
the digest length (e.g. 48/64 bytes for SHA-384/SHA-512).

Various cloud services' key management services (KMS) offering have
such restrictions in place, so if someone wants to integrate cert_create
against these services for signing key/content certs, they will have
problem with integration.

Furthermore, JWS (RFC7518) defined these specific combinations as valid
specs and other combinations are not supported:

  - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Change-Id: Iafc7c60ccb36f4681053dbeb4147bac01b9d724d
Signed-off-by: Donald Chan <donachan@tesla.com>
2024-04-12 18:18:04 +02:00
..
include fix(cert-create): fix key loading logic 2023-10-19 11:34:55 +02:00
src fix(cert-create): use a salt length equal to digest length for RSA-PSS 2024-04-12 18:18:04 +02:00
Makefile build: use new toolchain variables for tools 2024-02-06 11:14:52 +00:00