tools: add an option -hash-alg for cert_create
This option enables the user to select the secure hash algorithm
to be used for generating the hash. It supports the following
options:
- sha256 (default)
- sha384
- sha512
Change-Id: Icb093cec1b5715e248c3d1c3749a2479a7ab4b89
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 3f0b4d3..8e8aee6 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -56,6 +56,19 @@
return ret;
}
+const EVP_MD *get_digest(int alg)
+{
+ switch (alg) {
+ case HASH_ALG_SHA256:
+ return EVP_sha256();
+ case HASH_ALG_SHA384:
+ return EVP_sha384();
+ case HASH_ALG_SHA512:
+ return EVP_sha512();
+ default:
+ return NULL;
+ }
+}
int cert_add_ext(X509 *issuer, X509 *subject, int nid, char *value)
{
@@ -79,7 +92,13 @@
return 1;
}
-int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
+int cert_new(
+ int key_alg,
+ int md_alg,
+ cert_t *cert,
+ int days,
+ int ca,
+ STACK_OF(X509_EXTENSION) * sk)
{
EVP_PKEY *pkey = keys[cert->key].key;
cert_t *issuer_cert = &certs[cert->issuer];
@@ -118,7 +137,7 @@
}
/* Sign the certificate with the issuer key */
- if (!EVP_DigestSignInit(mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
+ if (!EVP_DigestSignInit(mdCtx, &pKeyCtx, get_digest(md_alg), NULL, ikey)) {
ERR_print_errors_fp(stdout);
goto END;
}
@@ -138,7 +157,7 @@
goto END;
}
- if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
+ if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, get_digest(md_alg))) {
ERR_print_errors_fp(stdout);
goto END;
}