Audit/pubkey prefixes (#147)

2026-04-05 03:00:53 -04:00 · 2025-02-19 18:10:54 -08:00
parent 074b1cc947
commit d263620dc2
169 changed files with 6311 additions and 4746 deletions
--- a/common/src/scripts/generateCertificates.sh
+++ b/common/src/scripts/generateCertificates.sh
@@ -110,14 +110,14 @@ generate_certificate() {
    if [ "$role" = "csca" ]; then
        # Generate a self-signed CSCA
        if [ "$sig_alg" = "ecdsa" ]; then
-            openssl ecparam -name "$exp_or_curve" -genkey -noout -out "$dir_name/$key_file"
+            openssl ecparam -name "$exp_or_curve" -genkey -noout -out "$dir_name/$key_file" -param_enc explicit
            openssl req -new -x509 \
                -key "$dir_name/$key_file" \
                -out "$dir_name/$crt_file" \
                -days 3650 -sha${hash#sha} \
                -subj "/C=FR/ST=IDF/L=Paris/O=Mock CSCA/OU=PKI/CN=MockCSCA"
        elif [ "$sig_alg" = "rsapss" ]; then
-            openssl genpkey -algorithm RSA-PSS \
+            openssl genpkey -algorithm RSA \
                -pkeyopt rsa_keygen_bits:"$bits" \
                -pkeyopt rsa_keygen_pubexp:"$exp_or_curve" \
                -out "$dir_name/$key_file"
@@ -164,9 +164,9 @@ generate_certificate() {

        # Generate DSC key
        if [ "$sig_alg" = "ecdsa" ]; then
-            openssl ecparam -name "$exp_or_curve" -genkey -noout -out "$dir_name/$key_file"
+            openssl ecparam -name "$exp_or_curve" -genkey -noout -out "$dir_name/$key_file" -param_enc explicit
        elif [ "$sig_alg" = "rsapss" ]; then
-            openssl genpkey -algorithm RSA-PSS \
+            openssl genpkey -algorithm RSA \
                -pkeyopt rsa_keygen_bits:"$bits" \
                -pkeyopt rsa_keygen_pubexp:"$exp_or_curve" \
                -out "$dir_name/$key_file"
@@ -186,11 +186,23 @@ generate_certificate() {
            -subj "/C=FR/ST=IDF/L=Paris/O=Mock DSC/OU=PKI/CN=MockDSC"

        # Sign with the CSCA
-        openssl x509 -req -in "$csr_file" \
-            -CA "$csca_crt" -CAkey "$csca_key" -CAcreateserial \
-            -days 3650 -sha${hash#sha} \
-            -out "$dir_name/$crt_file"
+        if [ "$sig_alg" = "rsapss" ]; then
+            # For RSAPSS, we need to specify the PSS padding mode during signing
+            openssl x509 -req -in "$csr_file" \
+                -CA "$csca_crt" -CAkey "$csca_key" -CAcreateserial \
+                -days 3650 -sha${hash#sha} \
+                -sigopt rsa_padding_mode:pss \
+                -sigopt rsa_pss_saltlen:"$salt" \
+                -out "$dir_name/$crt_file"
+        else
+            # For standard RSA or ECDSA
+            openssl x509 -req -in "$csr_file" \
+                -CA "$csca_crt" -CAkey "$csca_key" -CAcreateserial \
+                -days 3650 -sha${hash#sha} \
+                -out "$dir_name/$crt_file"
+        fi

+        
        # Clean up
        rm -f "$csr_file" "$signer/mock_csca.srl"
        echo "[OK] Created DSC in $dir_name => $key_file, $crt_file (signed by $signer)"