| /rk3399_ARM-atf/tools/cert_create/src/ |
| cert.c | e639ad23c8c7a1b320af9ebd519420ae7d431531 Mon Apr 08 22:23:43 UTC 2024 Donald Chan <donachan@tesla.com> fix(cert-create): use a salt length equal to digest length for RSA-PSS
Currently when RSA-PSS signing is invoked, a salt length of 32 bytes is assumed. This works well when SHA-256 is the digest algorithm, but the standard industry practice is that the salt length should follow the digest length (e.g. 48/64 bytes for SHA-384/SHA-512).
Various cloud services' key management service (KMS) offerings have such restrictions in place, so if someone wants to integrate cert_create against these services for signing key/content certs, they will have problems with integration.
Furthermore, JWS (RFC7518) defined these specific combinations as valid specs and other combinations are not supported:
- PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
- PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
- PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
Change-Id: Iafc7c60ccb36f4681053dbeb4147bac01b9d724d
Signed-off-by: Donald Chan <donachan@tesla.com>
|