cert_tool: update for compatibility with OpenSSL v1.1

This patch fixes incompatibility issues that prevent building the cert_tool
with OpenSSL >= v1.1.0. The changes introduced are still backwards
compatible with OpenSSL v1.0.2.

Fixes arm-software/trusted-fw#521

Signed-off-by: Michalis Pappas <[email protected]>

diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 1b84e36d35ac020e86d3e58f24a67fca443f7c59..3f0b4d363c12f4bef883af3c4ec21a48039b3fe2 100644 (file)
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c
@@ -90,7 +90,7 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
        X509_NAME *name;
        ASN1_INTEGER *sno;
        int i, num, rc = 0;
-       EVP_MD_CTX mdCtx;
+       EVP_MD_CTX *mdCtx;
        EVP_PKEY_CTX *pKeyCtx = NULL;
 
        /* Create the certificate structure */
@@ -111,10 +111,14 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
                issuer = x;
        }
 
-       EVP_MD_CTX_init(&mdCtx);
+       mdCtx = EVP_MD_CTX_create();
+       if (mdCtx == NULL) {
+               ERR_print_errors_fp(stdout);
+               goto END;
+       }
 
        /* Sign the certificate with the issuer key */
-       if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
+       if (!EVP_DigestSignInit(mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
                ERR_print_errors_fp(stdout);
                goto END;
        }
@@ -184,7 +188,7 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
                }
        }
 
-       if (!X509_sign_ctx(x, &mdCtx)) {
+       if (!X509_sign_ctx(x, mdCtx)) {
                ERR_print_errors_fp(stdout);
                goto END;
        }
@@ -194,7 +198,7 @@ int cert_new(int key_alg, cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSIO
        cert->x = x;
 
 END:
-       EVP_MD_CTX_cleanup(&mdCtx);
+       EVP_MD_CTX_destroy(mdCtx);
        return rc;
 }
 

diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index 8ae6640d35845f3341270e4a2c176c3d7bba2851..055ddbfd07c91c4306e817987f5f58d061e1863e 100644 (file)
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -166,7 +166,7 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
        int sz;
 
        /* OBJECT_IDENTIFIER with hash algorithm */
-       algorithm = OBJ_nid2obj(md->type);
+       algorithm = OBJ_nid2obj(EVP_MD_type(md));
        if (algorithm == NULL) {
                return NULL;
        }

diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index c1bde5dea3b998ee80c7805327c76b5b7cf17dab..b7f21a261f19013942d63aff9eb08564f8868d40 100644 (file)
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -43,13 +43,31 @@ int key_new(key_t *key)
 
 static int key_create_rsa(key_t *key)
 {
-       RSA *rsa;
+       BIGNUM *e;
+       RSA *rsa = NULL;
 
-       rsa = RSA_generate_key(RSA_KEY_BITS, RSA_F4, NULL, NULL);
+       e = BN_new();
+       if (e == NULL) {
+               printf("Cannot create RSA exponent\n");
+               goto err;
+       }
+
+       if (!BN_set_word(e, RSA_F4)) {
+               printf("Cannot assign RSA exponent\n");
+               goto err;
+       }
+
+       rsa = RSA_new();
        if (rsa == NULL) {
                printf("Cannot create RSA key\n");
                goto err;
        }
+
+       if (!RSA_generate_key_ex(rsa, RSA_KEY_BITS, e, NULL)) {
+               printf("Cannot generate RSA key\n");
+               goto err;
+       }
+
        if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
                printf("Cannot assign RSA key\n");
                goto err;
@@ -58,6 +76,7 @@ static int key_create_rsa(key_t *key)
        return 1;
 err:
        RSA_free(rsa);
+       BN_free(e);
        return 0;
 }
 

diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index df59961b0ac18b07c386355e853f031199fd3a56..741242f59f9bc1b900a8066e569623e0c92c016b 100644 (file)
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -244,7 +244,7 @@ PKCS#1 v2.1, 'rsa_1_5' - RSA PKCS#1 v1.5, 'ecdsa'"
 int main(int argc, char *argv[])
 {
        STACK_OF(X509_EXTENSION) * sk;
-       X509_EXTENSION *cert_ext;
+       X509_EXTENSION *cert_ext = NULL;
        ext_t *ext;
        key_t *key;
        cert_t *cert;