rpms/tss2
7
0
Fork 0
Code Issues Pull Requests Releases Activity
05991f9e4c
tss2/SOURCES/0001-utils-Generate-X509-certificate-serial-number-using-.patch
CentOS Sources b44929825a import tss2-1.6.0-6.el9_0
2022-05-17 10:33:30 +00:00

63 lines
2.4 KiB
Diff
Raw Blame History

From e0c1e3efd187a3cfa77906eef978fa6beada0b31 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgoldman@us.ibm.com>
Date: Thu, 1 Jul 2021 13:55:28 -0400
Subject: [PATCH] utils: Generate X509 certificate serial number using sha256
This is just a test certificate, not a real CA. Certificate serial
numbers can be 20 octets maximum. Use a truncated sha256 because some
'lint' programs are now scanning for sha1.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
---
utils/ekutils.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/utils/ekutils.c b/utils/ekutils.c
index a0a2734..aad6fba 100644
--- a/utils/ekutils.c
+++ b/utils/ekutils.c
@@ -61,6 +61,7 @@
#include <openssl/pem.h>
#include <openssl/x509.h>
+#include <openssl/evp.h>
#include <ibmtss/tssresponsecode.h>
#include <ibmtss/tssutils.h>
@@ -1835,7 +1836,7 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
ASN1_TIME *arc; /* return code */
ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
- unsigned char x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
+ unsigned char x509Serialbin[EVP_MAX_MD_SIZE]; /* certificate serial number in binary */
X509_NAME *x509IssuerName; /* composite issuer name, key/value pairs */
X509_NAME *x509SubjectName; /* composite subject name, key/value pairs */
@@ -1855,11 +1856,20 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
add certificate serial number
*/
if (rc == 0) {
+ const EVP_MD *type;
+
if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
/* to create a unique serial number, hash the key to be certified */
- SHA1(keyBuffer, keyLength, x509Serialbin);
- /* convert the SHA1 digest to a BIGNUM */
- x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
+ type = EVP_sha256();
+ irc = EVP_Digest(keyBuffer, keyLength, x509Serialbin, NULL, type, NULL);
+ if (irc == 0) {
+ printf("startCertificate: Error in serial number EVP_Digest\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ /* convert the digest to a BIGNUM, use 20 octets */
+ x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);
if (x509SerialBN == NULL) {
printf("startCertificate: Error in serial number BN_bin2bn\n");
rc = TSS_RC_X509_ERROR;
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink