From bfc61430db2195b4751ada107266b7b5c5d5f83e Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:22:20 -0600 Subject: [PATCH 1/6] Fix XMSS and ML_DSA keygen type mismatch between image headers and keystore by unifying AUTH_KEY_*/KEYGEN_* constants --- tools/keytools/keygen.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index d0552f025f..ac31633e23 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -506,6 +506,10 @@ void keystore_add(uint32_t ktype, uint8_t *key, uint32_t sz, const char *keyfile memset(&sl, 0, sizeof(sl)); sl.slot_id = id_slot; + if (ktype >= AUTH_KEY_NUM) { + fprintf(stderr, "error: unknown key type %u\n", ktype); + exit(1); + } sl.key_type = ktype; sl.part_id_mask = id_mask; From 0c976e6257b3def4b64d9e738614c6d77059556d Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 17 Mar 2026 20:46:12 -0600 Subject: [PATCH 2/6] Add SW-only RSA PSS --- .github/workflows/test-sunnyday-simulator.yml | 240 ++++++++++++++++++ config/examples/sim-rsapss2048.config | 21 ++ include/image.h | 10 + include/loader.h | 9 +- include/user_settings.h | 26 +- include/wolfboot/wolfboot.h | 42 ++- options.mk | 108 +++++++- src/image.c | 86 ++++++- src/xmalloc.c | 8 +- tools/keytools/keygen.c | 64 +++-- tools/keytools/sign.c | 98 ++++++- tools/keytools/user_settings.h | 1 + 12 files changed, 673 insertions(+), 40 deletions(-) create mode 100644 config/examples/sim-rsapss2048.config diff --git a/.github/workflows/test-sunnyday-simulator.yml b/.github/workflows/test-sunnyday-simulator.yml index 5f39a08385..81d60d8f7b 100644 --- a/.github/workflows/test-sunnyday-simulator.yml +++ b/.github/workflows/test-sunnyday-simulator.yml @@ -175,6 +175,66 @@ jobs: run: | tools/scripts/sim-sunnyday-update.sh + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS2048) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS2048, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS3072) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS3072, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS4096) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS4096, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + # 32 Bit simulator, FASTMATH # - name: make clean @@ -305,6 +365,66 @@ jobs: run: | tools/scripts/sim-sunnyday-update.sh + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS2048, FASTMATH) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS2048, FASTMATH, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS3072, FASTMATH) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS3072, FASTMATH, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS4096, FASTMATH) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 SPMATH=0 WOLFBOOT_HUGE_STACK=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS4096, FASTMATH, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + # 64 Bit simulator, SP_MATH # @@ -460,6 +580,66 @@ jobs: run: | tools/scripts/sim-sunnyday-update.sh + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS2048) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS2048, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS3072) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS3072, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS4096) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS4096, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1 SPMATH=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + # 64 Bit simulator, FASTMATH # - name: make clean @@ -590,6 +770,66 @@ jobs: run: | tools/scripts/sim-sunnyday-update.sh + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS2048, FASTMATH) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS2048, FASTMATH, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS2048 WOLFBOOT_SMALL_STACK=1 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS3072, FASTMATH) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS3072, FASTMATH, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS3072 WOLFBOOT_SMALL_STACK=1 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Cleanup to change key type + run: | + make keysclean + + - name: Build wolfboot.elf (RSAPSS4096, FASTMATH) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 SPMATH=0 WOLFBOOT_HUGE_STACK=1 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + + - name: Build wolfboot.elf (RSAPSS4096, FASTMATH, WOLFBOOT_SMALL_STACK) + run: | + make clean && make test-sim-internal-flash-with-update SIGN=RSAPSS4096 WOLFBOOT_SMALL_STACK=1 SPMATH=0 + + - name: Run sunny day update test + run: | + tools/scripts/sim-sunnyday-update.sh + - name: Run sunny day LMS update test run: | tools/scripts/sim-pq-sunnyday-update.sh config/examples/sim-lms.config diff --git a/config/examples/sim-rsapss2048.config b/config/examples/sim-rsapss2048.config new file mode 100644 index 0000000000..8effe6e57c --- /dev/null +++ b/config/examples/sim-rsapss2048.config @@ -0,0 +1,21 @@ +ARCH=sim +TARGET=sim +SIGN?=RSAPSS2048 +HASH?=SHA256 +WOLFBOOT_SMALL_STACK?=0 +SPI_FLASH=0 +DEBUG=1 + +# sizes should be multiple of system page size +WOLFBOOT_PARTITION_SIZE=0x40000 +WOLFBOOT_SECTOR_SIZE=0x1000 +WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000 +# if on external flash, it should be multiple of system page size +WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000 +WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000 + +# required for keytools +WOLFBOOT_FIXED_PARTITIONS=1 + +# For debugging XMALLOC/XFREE +#CFLAGS_EXTRA+=-DWOLFBOOT_DEBUG_MALLOC diff --git a/include/image.h b/include/image.h index c8f15ebaf1..4e88af84e9 100644 --- a/include/image.h +++ b/include/image.h @@ -68,6 +68,11 @@ extern "C" { defined (WOLFBOOT_SIGN_RSA4096ENC) #define wolfBoot_verify_signature_primary wolfBoot_verify_signature_rsa #endif +#if defined (WOLFBOOT_SIGN_RSAPSS2048) || \ + defined (WOLFBOOT_SIGN_RSAPSS3072) || \ + defined (WOLFBOOT_SIGN_RSAPSS4096) +#define wolfBoot_verify_signature_primary wolfBoot_verify_signature_rsa_pss +#endif #if defined (WOLFBOOT_SIGN_ECC256) || \ defined (WOLFBOOT_SIGN_ECC384) || \ defined (WOLFBOOT_SIGN_ECC521) @@ -97,6 +102,11 @@ extern "C" { defined (WOLFBOOT_SIGN_SECONDARY_RSA4096ENC) #define wolfBoot_verify_signature_secondary wolfBoot_verify_signature_rsa #endif +#if defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) +#define wolfBoot_verify_signature_secondary wolfBoot_verify_signature_rsa_pss +#endif #if defined (WOLFBOOT_SIGN_SECONDARY_ECC256) || \ defined (WOLFBOOT_SIGN_SECONDARY_ECC384) || \ defined (WOLFBOOT_SIGN_SECONDARY_ECC521) diff --git a/include/loader.h b/include/loader.h index 798836d4d5..decacde31f 100644 --- a/include/loader.h +++ b/include/loader.h @@ -40,11 +40,14 @@ extern "C" { #define ECC_IMAGE_SIGNATURE_SIZE (132) #endif -#if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) +#if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ + defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) #define RSA_IMAGE_SIGNATURE_SIZE (256) -#elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) +#elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) #define RSA_IMAGE_SIGNATURE_SIZE (384) -#elif defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) +#elif defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) #define RSA_IMAGE_SIGNATURE_SIZE (512) #endif diff --git a/include/user_settings.h b/include/user_settings.h index ca93d72af9..3950d6062b 100644 --- a/include/user_settings.h +++ b/include/user_settings.h @@ -222,12 +222,25 @@ extern int tolower(int c); defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \ defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ + defined(WOLFBOOT_SIGN_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) || \ (defined(WOLFCRYPT_SECURE_MODE) && (!defined(PKCS11_SMALL))) # define WC_RSA_BLINDING # define WC_RSA_DIRECT # define RSA_LOW_MEM # define WC_ASN_HASH_SHA256 +# if defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) +# define WC_RSA_PSS +# endif # if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) && \ !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK) && \ !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ @@ -235,7 +248,9 @@ extern int tolower(int c); # define WOLFSSL_RSA_VERIFY_INLINE # define WOLFSSL_RSA_VERIFY_ONLY # define WOLFSSL_RSA_PUBLIC_ONLY -# define WC_NO_RSA_OAEP +# if !defined(WC_RSA_PSS) +# define WC_NO_RSA_OAEP +# endif # define NO_RSA_BOUNDS_CHECK # endif # if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) @@ -244,7 +259,8 @@ extern int tolower(int c); # define WOLFSSL_SP_SMALL # define WOLFSSL_SP_MATH # endif -# if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) +# if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ + defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) # define FP_MAX_BITS (2048 * 2) # define SP_INT_BITS 2048 # define WOLFSSL_SP_NO_3072 @@ -253,7 +269,8 @@ extern int tolower(int c); # define RSA_MIN_SIZE 2048 # define RSA_MAX_SIZE 2048 # endif -# if defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) +# if defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) # define FP_MAX_BITS (3072 * 2) # define SP_INT_BITS 3072 # define WOLFSSL_SP_NO_2048 @@ -263,7 +280,8 @@ extern int tolower(int c); # define RSA_MAX_SIZE 3072 # endif -# if defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) +# if defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) # define FP_MAX_BITS (4096 * 2) # define SP_INT_BITS 4096 # define WOLFSSL_SP_NO_2048 diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 88ea47523b..d02355c0a7 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -126,16 +126,16 @@ extern "C" { #ifndef IMAGE_HEADER_SIZE /* Largest cases first */ -# if defined(WOLFBOOT_SIGN_RSA4096) +# if defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_RSAPSS4096) # define IMAGE_HEADER_SIZE 1024 - /* RSA3072 + strong hash */ -# elif (defined(WOLFBOOT_SIGN_RSA3072) && \ + /* RSA3072/RSAPSS3072 + strong hash */ +# elif ((defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_RSAPSS3072)) && \ (defined(WOLFBOOT_HASH_SHA384) || defined(WOLFBOOT_HASH_SHA3_384))) # define IMAGE_HEADER_SIZE 1024 - /* RSA2048 + SHA256 */ -# elif defined(WOLFBOOT_SIGN_RSA2048) && defined(WOLFBOOT_HASH_SHA256) + /* RSA2048/RSAPSS2048 + SHA256 */ +# elif (defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_RSAPSS2048)) && defined(WOLFBOOT_HASH_SHA256) # define IMAGE_HEADER_SIZE 512 /* ECC384 requires 512 with SHA256 */ @@ -155,7 +155,7 @@ extern "C" { # define IMAGE_HEADER_SIZE 256 /* Secondary 512-byte fallbacks */ -# elif defined(WOLFBOOT_SIGN_RSA3072) || \ +# elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \ defined(WOLFBOOT_SIGN_ECC521) || \ defined(WOLFBOOT_SIGN_ED448) || \ defined(WOLFBOOT_HASH_SHA384) || \ @@ -248,9 +248,12 @@ extern "C" { #define AUTH_KEY_ECC521 0x07 #define AUTH_KEY_RSA3072 0x08 #define AUTH_KEY_LMS 0x09 -#define AUTH_KEY_XMSS 0x0A -#define AUTH_KEY_ML_DSA 0x0B -#define AUTH_KEY_NUM 0x0C +#define AUTH_KEY_XMSS 0x0A +#define AUTH_KEY_ML_DSA 0x0B +#define AUTH_KEY_RSAPSS2048 0x0C +#define AUTH_KEY_RSAPSS3072 0x0D +#define AUTH_KEY_RSAPSS4096 0x0E +#define AUTH_KEY_NUM 0x0F /* * 8 bits: auth type @@ -271,6 +274,9 @@ extern "C" { #define HDR_IMG_TYPE_AUTH_LMS (AUTH_KEY_LMS << 8) #define HDR_IMG_TYPE_AUTH_XMSS (AUTH_KEY_XMSS << 8) #define HDR_IMG_TYPE_AUTH_ML_DSA (AUTH_KEY_ML_DSA << 8) +#define HDR_IMG_TYPE_AUTH_RSAPSS2048 (AUTH_KEY_RSAPSS2048 << 8) +#define HDR_IMG_TYPE_AUTH_RSAPSS3072 (AUTH_KEY_RSAPSS3072 << 8) +#define HDR_IMG_TYPE_AUTH_RSAPSS4096 (AUTH_KEY_RSAPSS4096 << 8) #define HDR_IMG_TYPE_DIFF 0x00D0 @@ -289,6 +295,9 @@ extern "C" { #define KEYSTORE_PUBKEY_SIZE_RSA2048 320 #define KEYSTORE_PUBKEY_SIZE_RSA3072 448 #define KEYSTORE_PUBKEY_SIZE_RSA4096 576 +#define KEYSTORE_PUBKEY_SIZE_RSAPSS2048 KEYSTORE_PUBKEY_SIZE_RSA2048 +#define KEYSTORE_PUBKEY_SIZE_RSAPSS3072 KEYSTORE_PUBKEY_SIZE_RSA3072 +#define KEYSTORE_PUBKEY_SIZE_RSAPSS4096 KEYSTORE_PUBKEY_SIZE_RSA4096 #define KEYSTORE_PUBKEY_SIZE_LMS 60 #define KEYSTORE_PUBKEY_SIZE_XMSS 68 @@ -463,6 +472,21 @@ extern "C" { # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE # define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA4096 # endif + #elif defined(WOLFBOOT_SIGN_RSAPSS2048) + # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSAPSS2048 + # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE + # define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA2048 + # endif + #elif defined(WOLFBOOT_SIGN_RSAPSS3072) + # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSAPSS3072 + # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE + # define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA3072 + # endif + #elif defined(WOLFBOOT_SIGN_RSAPSS4096) + # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSAPSS4096 + # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE + # define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA4096 + # endif #elif defined(WOLFBOOT_SIGN_LMS) # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_LMS # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE diff --git a/options.mk b/options.mk index e75f43c6a2..5afeb7dae3 100644 --- a/options.mk +++ b/options.mk @@ -305,6 +305,98 @@ ifeq ($(SIGN),ED448) endif endif +ifeq ($(SIGN),RSAPSS2048) + KEYGEN_OPTIONS+=--rsapss2048 + SIGN_OPTIONS+=--rsapss2048 + SIGN_ALG=RSAPSS2048 + WOLFCRYPT_OBJS+= $(RSA_OBJS) + WOLFCRYPT_OBJS+=$(MATH_OBJS) + CFLAGS+=-D"WOLFBOOT_SIGN_RSAPSS2048" $(RSA_EXTRA_CFLAGS) + ifeq ($(WOLFBOOT_SMALL_STACK),1) + ifneq ($(SPMATH),1) + STACK_USAGE=5008 + else + STACK_USAGE=4096 + endif + else + ifeq ($(WOLFTPM),1) + STACK_USAGE=$(STACK_USAGE_WOLFTPM) + else + ifneq ($(SPMATH),1) + STACK_USAGE=35952 + else + STACK_USAGE=17568 + endif + endif + endif + ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0) + IMAGE_HEADER_SIZE=512 + endif +endif + +ifeq ($(SIGN),RSAPSS3072) + KEYGEN_OPTIONS+=--rsapss3072 + SIGN_OPTIONS+=--rsapss3072 + SIGN_ALG=RSAPSS3072 + WOLFCRYPT_OBJS+= $(RSA_OBJS) + WOLFCRYPT_OBJS+=$(MATH_OBJS) + CFLAGS+=-D"WOLFBOOT_SIGN_RSAPSS3072" $(RSA_EXTRA_CFLAGS) + ifeq ($(WOLFBOOT_SMALL_STACK),1) + ifneq ($(SPMATH),1) + STACK_USAGE=5008 + else + STACK_USAGE=4364 + endif + else + ifeq ($(WOLFTPM),1) + STACK_USAGE=$(STACK_USAGE_WOLFTPM) + else + ifneq ($(SPMATH),1) + STACK_USAGE=52592 + else + STACK_USAGE=12288 + endif + endif + endif + ifneq ($(HASH),SHA256) + ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 1024; echo $$?),0) + IMAGE_HEADER_SIZE=1024 + endif + endif + ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0) + IMAGE_HEADER_SIZE=512 + endif +endif + +ifeq ($(SIGN),RSAPSS4096) + KEYGEN_OPTIONS+=--rsapss4096 + SIGN_OPTIONS+=--rsapss4096 + SIGN_ALG=RSAPSS4096 + WOLFCRYPT_OBJS+= $(RSA_OBJS) + WOLFCRYPT_OBJS+=$(MATH_OBJS) + CFLAGS+=-D"WOLFBOOT_SIGN_RSAPSS4096" $(RSA_EXTRA_CFLAGS) + ifeq ($(WOLFBOOT_SMALL_STACK),1) + ifneq ($(SPMATH),1) + STACK_USAGE=5888 + else + STACK_USAGE=5768 + endif + else + ifeq ($(WOLFTPM),1) + STACK_USAGE=$(STACK_USAGE_WOLFTPM) + else + ifneq ($(SPMATH),1) + STACK_USAGE=69232 + else + STACK_USAGE=18064 + endif + endif + endif + ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 1024; echo $$?),0) + IMAGE_HEADER_SIZE=1024 + endif +endif + ifneq ($(findstring RSA2048,$(SIGN)),) KEYGEN_OPTIONS+=--rsa2048 ifeq ($(SIGN),RSA2048ENC) @@ -367,7 +459,9 @@ ifneq ($(findstring RSA3072,$(SIGN)),) endif endif ifneq ($(HASH),SHA256) - IMAGE_HEADER_SIZE=1024 + ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 1024; echo $$?),0) + IMAGE_HEADER_SIZE=1024 + endif endif ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0) IMAGE_HEADER_SIZE=512 @@ -510,6 +604,18 @@ ifneq ($(SIGN_SECONDARY),) WOLFCRYPT_OBJS+=$(RSA_OBJS) WOLFCRYPT_OBJS+=$(MATH_OBJS) endif + ifeq ($(SIGN_SECONDARY),RSAPSS2048) + WOLFCRYPT_OBJS+=$(RSA_OBJS) + WOLFCRYPT_OBJS+=$(MATH_OBJS) + endif + ifeq ($(SIGN_SECONDARY),RSAPSS3072) + WOLFCRYPT_OBJS+=$(RSA_OBJS) + WOLFCRYPT_OBJS+=$(MATH_OBJS) + endif + ifeq ($(SIGN_SECONDARY),RSAPSS4096) + WOLFCRYPT_OBJS+=$(RSA_OBJS) + WOLFCRYPT_OBJS+=$(MATH_OBJS) + endif ifeq ($(SIGN_SECONDARY),ECC256) WOLFCRYPT_OBJS+=$(ECC_OBJS) WOLFCRYPT_OBJS+=$(MATH_OBJS) diff --git a/src/image.c b/src/image.c index 18038cb150..5883ce0e70 100644 --- a/src/image.c +++ b/src/image.c @@ -364,7 +364,13 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot, defined(WOLFBOOT_SIGN_RSA4096) || \ defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) + defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ + defined(WOLFBOOT_SIGN_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) #include #include @@ -562,6 +568,74 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot, * WOLFBOOT_SIGN_RSA4096 || WOLFBOOT_SIGN_SECONDARY_RSA2048 || * WOLFBOOT_SIGN_SECONDARY_RSA3072 || WOLFBOOT_SIGN_SECONDARY_RSA4096 */ +#if defined(WOLFBOOT_SIGN_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) + +static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, + struct wolfBoot_image *img, uint8_t *sig) +{ + int ret; + uint8_t output[RSA_IMAGE_SIGNATURE_SIZE]; + uint8_t* digest_out = NULL; + word32 inOutIdx = 0; + struct RsaKey rsa; + +#if defined(WOLFBOOT_HASH_SHA256) + enum wc_HashType hash_type = WC_HASH_TYPE_SHA256; + int mgf = WC_MGF1SHA256; +#elif defined(WOLFBOOT_HASH_SHA384) + enum wc_HashType hash_type = WC_HASH_TYPE_SHA384; + int mgf = WC_MGF1SHA384; +#else + #error "RSA-PSS requires SHA-256 or SHA-384" +#endif + + uint8_t *pubkey = keystore_get_buffer(key_slot); + int pubkey_sz = keystore_get_size(key_slot); + + if (pubkey == NULL || pubkey_sz < 0) { + return; + } + + /* wolfCrypt software RSA-PSS verify */ + ret = wc_InitRsaKey(&rsa, NULL); + if (ret == 0) { + /* Import public key */ + ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz); + if (ret >= 0) { + XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); + RSA_VERIFY_FN(ret, + wc_RsaPSS_VerifyCheckInline, output, RSA_IMAGE_SIGNATURE_SIZE, + &digest_out, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, + hash_type, mgf, &rsa); + } + } + wc_FreeRsaKey(&rsa); + /* wc_RsaPSS_VerifyCheckInline returns the PSS-verified data length on + * success (>= digest size), or a negative error code on failure. + * The hash comparison is performed internally by the function. + * + * Note: uses '>=' rather than '==' because PSS verify returns the digest + * size on success, unlike PKCS#1 v1.5 which returns exact decoded length. + * + * ARMORED limitation: the PKCS#1 v1.5 path uses both RSA_VERIFY_FN and + * RSA_VERIFY_HASH armored macros (two hardened gates), but PSS only uses + * RSA_VERIFY_FN because wc_RsaPSS_VerifyCheckInline performs the hash + * comparison internally. The branch below is not armored. Full armored + * hardening for PSS would require a new macro or restructuring. */ + if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img) { + wolfBoot_image_confirm_signature_ok(img); + } +} + +#endif /* WOLFBOOT_SIGN_RSAPSS2048 || WOLFBOOT_SIGN_RSAPSS3072 || \ + * WOLFBOOT_SIGN_RSAPSS4096 || WOLFBOOT_SIGN_SECONDARY_RSAPSS2048 || \ + * WOLFBOOT_SIGN_SECONDARY_RSAPSS3072 || WOLFBOOT_SIGN_SECONDARY_RSAPSS4096 */ + #ifdef WOLFBOOT_SIGN_LMS #include #ifdef HAVE_LIBLMS @@ -2356,7 +2430,10 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) defined (WOLFBOOT_SIGN_RSA4096) || \ defined (WOLFBOOT_SIGN_RSA2048ENC) || \ defined (WOLFBOOT_SIGN_RSA3072ENC) || \ - defined (WOLFBOOT_SIGN_RSA4096ENC) + defined (WOLFBOOT_SIGN_RSA4096ENC) || \ + defined (WOLFBOOT_SIGN_RSAPSS2048) || \ + defined (WOLFBOOT_SIGN_RSAPSS3072) || \ + defined (WOLFBOOT_SIGN_RSAPSS4096) if (stored_signature_size != RSA_IMAGE_SIGNATURE_SIZE) return -1; #elif defined (WOLFBOOT_SIGN_ECC256) || \ @@ -2428,7 +2505,10 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) defined (WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ defined (WOLFBOOT_SIGN_SECONDARY_RSA2048ENC) || \ defined (WOLFBOOT_SIGN_SECONDARY_RSA3072ENC) || \ - defined (WOLFBOOT_SIGN_SECONDARY_RSA4096ENC) + defined (WOLFBOOT_SIGN_SECONDARY_RSA4096ENC) || \ + defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) expected_secondary_signature_size = RSA_IMAGE_SIGNATURE_SIZE; #elif defined (WOLFBOOT_SIGN_SECONDARY_ECC256) || \ defined (WOLFBOOT_SIGN_SECONDARY_ECC384) || \ diff --git a/src/xmalloc.c b/src/xmalloc.c index 38780b21e9..358f3e5663 100644 --- a/src/xmalloc.c +++ b/src/xmalloc.c @@ -336,7 +336,9 @@ static struct xmalloc_slot xmalloc_pool[] = { #elif defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_RSA4096) || \ - defined(WOLFBOOT_SIGN_RSA3072) + defined(WOLFBOOT_SIGN_RSA3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_RSAPSS3072) #if defined(WOLFBOOT_HASH_SHA256) || defined(WOLFBOOT_HASH_SHA384) static uint32_t sha_block[HASH_BLOCK_SIZE]; @@ -350,7 +352,7 @@ static uint32_t sha_block[HASH_BLOCK_SIZE]; static uint8_t asncheck_buf[ASNCHECK_BUF_SIZE]; #ifndef USE_FAST_MATH - #ifdef WOLFBOOT_SIGN_RSA2048 + #if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_RSAPSS2048) #define MP_SCHEME "SP RSA2048" #define MP_INT_DYNAMIC_SIZE MP_INT_SIZEOF(MP_BITS_CNT(2048)) #define MP_BIGINT_MODEXP_SIZE (MP_INT_DYNAMIC_SIZE * 4) @@ -363,7 +365,7 @@ static uint8_t asncheck_buf[ASNCHECK_BUF_SIZE]; #define MPDIGIT_BUF1_SIZE (MP_DIGIT_SIZE * (72 * 4 + 3)) static uint8_t mp_digit_buf1[MPDIGIT_BUF1_SIZE]; #endif - #elif defined WOLFBOOT_SIGN_RSA3072 + #elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_RSAPSS3072) #define MP_SCHEME "SP RSA3072" #define MP_INT_DYNAMIC_SIZE MP_INT_SIZEOF(MP_BITS_CNT(3072)) #define MP_BIGINT_MODEXP_SIZE (MP_INT_DYNAMIC_SIZE * 4) diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index ac31633e23..cdf123245a 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -283,7 +283,7 @@ static void fwritekey(uint8_t *key, int len, FILE *f) } } -const char KType[][17] = { +const char KType[][21] = { "AUTH_KEY_NONE", "AUTH_KEY_ED25519", "AUTH_KEY_ECC256", @@ -295,10 +295,13 @@ const char KType[][17] = { "AUTH_KEY_RSA3072", "AUTH_KEY_LMS", "AUTH_KEY_XMSS", - "AUTH_KEY_ML_DSA" + "AUTH_KEY_ML_DSA", + "AUTH_KEY_RSAPSS2048", + "AUTH_KEY_RSAPSS3072", + "AUTH_KEY_RSAPSS4096" }; -const char KSize[][29] = { +const char KSize[][32] = { "KEYSTORE_PUBKEY_SIZE_NONE", "KEYSTORE_PUBKEY_SIZE_ED25519", "KEYSTORE_PUBKEY_SIZE_ECC256", @@ -310,10 +313,13 @@ const char KSize[][29] = { "KEYSTORE_PUBKEY_SIZE_RSA3072", "KEYSTORE_PUBKEY_SIZE_LMS", "KEYSTORE_PUBKEY_SIZE_XMSS", - "KEYSTORE_PUBKEY_SIZE_ML_DSA" + "KEYSTORE_PUBKEY_SIZE_ML_DSA", + "KEYSTORE_PUBKEY_SIZE_RSAPSS2048", + "KEYSTORE_PUBKEY_SIZE_RSAPSS3072", + "KEYSTORE_PUBKEY_SIZE_RSAPSS4096" }; -const char KName[][8] = { +const char KName[][12] = { "NONE", "ED25519", "ECC256", @@ -325,7 +331,10 @@ const char KName[][8] = { "RSA3072", "LMS", "XMSS", - "ML_DSA" + "ML_DSA", + "RSAPSS2048", + "RSAPSS3072", + "RSAPSS4096" }; #define MAX_PUBKEYS 64 @@ -433,6 +442,15 @@ static uint32_t get_pubkey_size(uint32_t keyType) case AUTH_KEY_RSA4096: size = KEYSTORE_PUBKEY_SIZE_RSA4096; break; + case AUTH_KEY_RSAPSS2048: + size = KEYSTORE_PUBKEY_SIZE_RSA2048; + break; + case AUTH_KEY_RSAPSS3072: + size = KEYSTORE_PUBKEY_SIZE_RSA3072; + break; + case AUTH_KEY_RSAPSS4096: + size = KEYSTORE_PUBKEY_SIZE_RSA4096; + break; case AUTH_KEY_LMS: size = KEYSTORE_PUBKEY_SIZE_LMS; break; @@ -537,7 +555,8 @@ void keystore_add(uint32_t ktype, uint8_t *key, uint32_t sz, const char *keyfile } -static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask) +static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask, + int ktype) { RsaKey k; uint8_t priv_der[4096], pub_der[2048]; @@ -591,12 +610,7 @@ static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask) } } - if (kbits == 2048) - keystore_add(AUTH_KEY_RSA2048, pub_der, publen, keyfile, id_mask); - else if (kbits == 3072) - keystore_add(AUTH_KEY_RSA3072, pub_der, publen, keyfile, id_mask); - else if (kbits == 4096) - keystore_add(AUTH_KEY_RSA4096, pub_der, publen, keyfile, id_mask); + keystore_add(ktype, pub_der, publen, keyfile, id_mask); cleanup: wc_ForceZero(priv_der, sizeof(priv_der)); @@ -1325,13 +1339,22 @@ static void key_generate(uint32_t ktype, const char *kfilename, uint32_t id_mask #ifndef NO_RSA case AUTH_KEY_RSA2048: - keygen_rsa(kfilename, 2048, id_mask); + keygen_rsa(kfilename, 2048, id_mask, AUTH_KEY_RSA2048); break; case AUTH_KEY_RSA3072: - keygen_rsa(kfilename, 3072, id_mask); + keygen_rsa(kfilename, 3072, id_mask, AUTH_KEY_RSA3072); break; case AUTH_KEY_RSA4096: - keygen_rsa(kfilename, 4096, id_mask); + keygen_rsa(kfilename, 4096, id_mask, AUTH_KEY_RSA4096); + break; + case AUTH_KEY_RSAPSS2048: + keygen_rsa(kfilename, 2048, id_mask, AUTH_KEY_RSAPSS2048); + break; + case AUTH_KEY_RSAPSS3072: + keygen_rsa(kfilename, 3072, id_mask, AUTH_KEY_RSAPSS3072); + break; + case AUTH_KEY_RSAPSS4096: + keygen_rsa(kfilename, 4096, id_mask, AUTH_KEY_RSAPSS4096); break; #endif @@ -1506,6 +1529,15 @@ int main(int argc, char** argv) else if (strcmp(argv[i], "--rsa4096") == 0) { keytype = AUTH_KEY_RSA4096; } + else if (strcmp(argv[i], "--rsapss2048") == 0) { + keytype = AUTH_KEY_RSAPSS2048; + } + else if (strcmp(argv[i], "--rsapss3072") == 0) { + keytype = AUTH_KEY_RSAPSS3072; + } + else if (strcmp(argv[i], "--rsapss4096") == 0) { + keytype = AUTH_KEY_RSAPSS4096; + } #if defined(WOLFSSL_HAVE_LMS) else if (strcmp(argv[i], "--lms") == 0) { keytype = AUTH_KEY_LMS; diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 42df218894..f5c7c23937 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -193,6 +193,9 @@ static inline int fp_truncate(FILE *f, size_t len) #define SIGN_RSA2048 HDR_IMG_TYPE_AUTH_RSA2048 #define SIGN_RSA3072 HDR_IMG_TYPE_AUTH_RSA3072 #define SIGN_RSA4096 HDR_IMG_TYPE_AUTH_RSA4096 +#define SIGN_RSAPSS2048 HDR_IMG_TYPE_AUTH_RSAPSS2048 +#define SIGN_RSAPSS3072 HDR_IMG_TYPE_AUTH_RSAPSS3072 +#define SIGN_RSAPSS4096 HDR_IMG_TYPE_AUTH_RSAPSS4096 #define SIGN_ED448 HDR_IMG_TYPE_AUTH_ED448 #define SIGN_ECC384 HDR_IMG_TYPE_AUTH_ECC384 #define SIGN_ECC521 HDR_IMG_TYPE_AUTH_ECC521 @@ -836,6 +839,25 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, if (ret == 0) break; + FALL_THROUGH; /* we didn't solve the key, keep trying */ + case SIGN_RSAPSS2048: + ret = load_key_rsa(SIGN_RSAPSS2048, 256, KEYSTORE_PUBKEY_SIZE_RSA2048, 512, + key_buffer, key_buffer_sz, pubkey, pubkey_sz, secondary); + if (ret == 0) + break; + FALL_THROUGH; + case SIGN_RSAPSS3072: + ret = load_key_rsa(SIGN_RSAPSS3072, 384, KEYSTORE_PUBKEY_SIZE_RSA3072, 512, + key_buffer, key_buffer_sz, pubkey, pubkey_sz, secondary); + if (ret == 0) + break; + FALL_THROUGH; + case SIGN_RSAPSS4096: + ret = load_key_rsa(SIGN_RSAPSS4096, 512, KEYSTORE_PUBKEY_SIZE_RSA4096, 1024, + key_buffer, key_buffer_sz, pubkey, pubkey_sz, secondary); + if (ret == 0) + break; + FALL_THROUGH; /* we didn't solve the key, keep trying */ case SIGN_LMS: ret = -1; @@ -1109,6 +1131,30 @@ static int sign_digest(int sign, int hash_algo, } } else + if (sign == SIGN_RSAPSS2048 || + sign == SIGN_RSAPSS3072 || + sign == SIGN_RSAPSS4096) + { + enum wc_HashType hash_type; + int mgf; + if (hash_algo == HASH_SHA256) { + hash_type = WC_HASH_TYPE_SHA256; + mgf = WC_MGF1SHA256; + } else if (hash_algo == HASH_SHA384) { + hash_type = WC_HASH_TYPE_SHA384; + mgf = WC_MGF1SHA384; + } else { + fprintf(stderr, "RSA-PSS requires SHA-256 or SHA-384\n"); + return -1; + } + ret = wc_RsaPSS_Sign(digest, digest_sz, signature, *signature_sz, + hash_type, mgf, &key.rsa, &rng); + if (ret > 0) { + *signature_sz = ret; + ret = 0; + } + } + else if (sign == SIGN_LMS) { const char *key_file = CMD.key_file; if (secondary) { @@ -2630,6 +2676,23 @@ static void set_signature_sizes(int secondary) CMD.header_sz = 1024; *sz = 512; } + else if (*sign == SIGN_RSAPSS2048) { + if (CMD.header_sz < 512) + CMD.header_sz = 512; + *sz = 256; + } + else if (*sign == SIGN_RSAPSS3072) { + if ((CMD.header_sz < 1024) && (CMD.hash_algo != HASH_SHA256)) + CMD.header_sz = 1024; + if (CMD.header_sz < 512) + CMD.header_sz = 512; + *sz = 384; + } + else if (*sign == SIGN_RSAPSS4096) { + if (CMD.header_sz < 1024) + CMD.header_sz = 1024; + *sz = 512; + } else if (*sign == SIGN_LMS) { int lms_ret = 0; word32 sig_sz = 0; @@ -2923,6 +2986,36 @@ int main(int argc, char** argv) sign_str = "RSA4096"; } } + else if (strcmp(argv[i], "--rsapss2048") == 0) { + if (CMD.sign != SIGN_AUTO) { + CMD.hybrid = 1; + CMD.secondary_sign = SIGN_RSAPSS2048; + secondary_sign_str = "RSAPSS2048"; + } else { + CMD.sign = SIGN_RSAPSS2048; + sign_str = "RSAPSS2048"; + } + } + else if (strcmp(argv[i], "--rsapss3072") == 0) { + if (CMD.sign != SIGN_AUTO) { + CMD.hybrid = 1; + CMD.secondary_sign = SIGN_RSAPSS3072; + secondary_sign_str = "RSAPSS3072"; + } else { + CMD.sign = SIGN_RSAPSS3072; + sign_str = "RSAPSS3072"; + } + } + else if (strcmp(argv[i], "--rsapss4096") == 0) { + if (CMD.sign != SIGN_AUTO) { + CMD.hybrid = 1; + CMD.secondary_sign = SIGN_RSAPSS4096; + secondary_sign_str = "RSAPSS4096"; + } else { + CMD.sign = SIGN_RSAPSS4096; + sign_str = "RSAPSS4096"; + } + } else if (strcmp(argv[i], "--lms") == 0) { if (CMD.sign != SIGN_AUTO) { CMD.hybrid = 1; @@ -3331,7 +3424,10 @@ int main(int argc, char** argv) } else if (CMD.sign == SIGN_RSA2048 || CMD.sign == SIGN_RSA3072 || - CMD.sign == SIGN_RSA4096) { + CMD.sign == SIGN_RSA4096 || + CMD.sign == SIGN_RSAPSS2048 || + CMD.sign == SIGN_RSAPSS3072 || + CMD.sign == SIGN_RSAPSS4096) { wc_FreeRsaKey(&key.rsa); } else if (CMD.sign == SIGN_LMS) { diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h index 3a1beb9fb0..28237d591e 100644 --- a/tools/keytools/user_settings.h +++ b/tools/keytools/user_settings.h @@ -68,6 +68,7 @@ /* RSA */ #define HAVE_RSA #define WC_RSA_BLINDING +#define WC_RSA_PSS #define WOLFSSL_KEY_GEN /* Hashing */ From 640e0e3b109f76904985ee3b187972abdb1ab80a Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Wed, 18 Mar 2026 13:57:44 -0600 Subject: [PATCH 3/6] support rsa-pss in ARMORED mode --- include/image.h | 130 +++++++++++++++++++++++++++++++++++++----------- src/image.c | 31 +++++------- 2 files changed, 115 insertions(+), 46 deletions(-) diff --git a/include/image.h b/include/image.h index 4e88af84e9..73db171f23 100644 --- a/include/image.h +++ b/include/image.h @@ -382,6 +382,8 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( * double checking its return value contains a valid * len (>= WOLFBOOT_SHA_DIGEST_SIZE). * + * Uses GAS local numeric labels (1f/1:) so the macro can be safely expanded + * multiple times in the same function (e.g. RSA PKCS#1.5 + RSA-PSS paths). */ #define RSA_VERIFY_FN(ret,fn,...) \ { \ @@ -400,22 +402,22 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ - asm volatile("blt nope"); \ + asm volatile("blt 1f"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ - asm volatile("blt nope"); \ + asm volatile("blt 1f"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ - asm volatile("blt nope"); \ + asm volatile("blt 1f"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ asm volatile("cmp r0, r2":::"cc"); \ - asm volatile("blt nope"); \ + asm volatile("blt 1f"); \ /* Return value is set here in case of success */ \ ret = tmp_ret; \ - asm volatile("nope:"); \ + asm volatile("1:"); \ asm volatile("nop"); \ } @@ -424,12 +426,14 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( * * Compare the digest twice, then confirm via * wolfBoot_image_confirm_signature_ok(); + * + * Uses GAS local numeric labels (2f/2:) for safe multi-expansion. */ #define RSA_VERIFY_HASH(img,digest) \ { \ volatile int compare_res; \ if (!img || !digest) \ - asm volatile("b hnope"); \ + asm volatile("b 2f"); \ /* Redundant set of r0=50*/ \ asm volatile("mov r0, #50":::"r0"); \ asm volatile("mov r0, #50":::"r0"); \ @@ -440,19 +444,19 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope":::"cc"); \ + asm volatile("bne 2f":::"cc"); \ asm volatile("cmp r0, #0"); \ asm volatile("cmp r0, #0"); \ asm volatile("cmp r0, #0"); \ - asm volatile("bne hnope":::"cc"); \ + asm volatile("bne 2f":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope"); \ + asm volatile("bne 2f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope"); \ + asm volatile("bne 2f"); \ /* Repeat comparison call */ \ compare_res = image_CT_compare(digest, img->sha_hash, \ WOLFBOOT_SHA_DIGEST_SIZE); \ @@ -461,22 +465,85 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope"); \ + asm volatile("bne 2f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope"); \ + asm volatile("bne 2f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope"); \ + asm volatile("bne 2f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne hnope"); \ + asm volatile("bne 2f"); \ /* Confirm that the signature is OK */ \ wolfBoot_image_confirm_signature_ok(img); \ - asm volatile("hnope:"); \ + asm volatile("2:"); \ + asm volatile("nop"); \ + } + +/** + * Second part of RSA-PSS verification. + * + * Call wc_RsaPSS_CheckPadding twice, then confirm via + * wolfBoot_image_confirm_signature_ok(); + * + * Uses GAS local numeric labels (3f/3:) for safe multi-expansion. + */ +#define RSA_PSS_VERIFY_HASH(img, pss_data, pss_data_sz, hash_type) \ + { \ + volatile int pss_res; \ + if (!img || !pss_data) \ + asm volatile("b 3f"); \ + /* Redundant set of r0=50*/ \ + asm volatile("mov r0, #50":::"r0"); \ + asm volatile("mov r0, #50":::"r0"); \ + asm volatile("mov r0, #50":::"r0"); \ + pss_res = wc_RsaPSS_CheckPadding(img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, \ + pss_data, pss_data_sz, hash_type); \ + /* Redundant checks that ensure the function actually returned 0 */ \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f":::"cc"); \ + asm volatile("cmp r0, #0"); \ + asm volatile("cmp r0, #0"); \ + asm volatile("cmp r0, #0"); \ + asm volatile("bne 3f":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f"); \ + /* Repeat wc_RsaPSS_CheckPadding call */ \ + pss_res = wc_RsaPSS_CheckPadding(img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, \ + pss_data, pss_data_sz, hash_type); \ + pss_res; \ + /* Redundant checks that ensure the function actually returned 0 */ \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("cmp r0, #0":::"cc"); \ + asm volatile("bne 3f"); \ + /* Confirm that the signature is OK */ \ + wolfBoot_image_confirm_signature_ok(img); \ + asm volatile("3:"); \ asm volatile("nop"); \ } @@ -489,6 +556,8 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( * set the return value accordingly. * * Double check by reading the value in p_res from memory a few times. + * + * Uses GAS local numeric labels (4f/4:) for safe multi-expansion. */ #if defined(__GNUC__) @@ -503,63 +572,63 @@ static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok( asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ asm volatile("cmp r0, #0":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ /* Check that res = 1, a few times, reading the value from memory */ \ asm volatile("ldr r2, [%0]" ::"r"(p_res)); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("mvn r3, r2":::"r3"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("ldr r2, [%0]" ::"r"(p_res)); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("mvn r3, r2":::"r3"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("ldr r2, [%0]" ::"r"(p_res)); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("mvn r3, r2":::"r3"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("ldr r2, [%0]" ::"r"(p_res)); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ asm volatile("cmp r2, #1":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ asm volatile("mvn r3, r2":::"r3"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \ - asm volatile("bne nope"); \ + asm volatile("bne 4f"); \ /* Confirm that the signature is OK */ \ wolfBoot_image_confirm_signature_ok(img); \ - asm volatile("nope:"); \ + asm volatile("4:"); \ asm volatile("nop") \ #elif defined(__ICCARM__) && defined(__IAR_SYSTEMS_ICC__) @@ -1249,6 +1318,11 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok( if (image_CT_compare(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \ wolfBoot_image_confirm_signature_ok(img); +#define RSA_PSS_VERIFY_HASH(img, pss_data, pss_data_sz, hash_type) \ + if (wc_RsaPSS_CheckPadding(img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, \ + pss_data, pss_data_sz, hash_type) == 0) \ + wolfBoot_image_confirm_signature_ok(img); + #define PART_SANITY_CHECK(p) \ if (((p)->hdr_ok != 1) || ((p)->sha_ok != 1) || ((p)->signature_ok != 1)) \ wolfBoot_panic() diff --git a/src/image.c b/src/image.c index 5883ce0e70..600c4b471f 100644 --- a/src/image.c +++ b/src/image.c @@ -601,7 +601,15 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, return; } - /* wolfCrypt software RSA-PSS verify */ + /* wolfCrypt software RSA-PSS verify (two-step) + * + * Step 1 (RSA_VERIFY_FN): wc_RsaPSS_VerifyInline performs the RSA + * operation and PSS unmasking, returning a pointer to the PSS data and + * its length. + * + * Step 2 (RSA_PSS_VERIFY_HASH): wc_RsaPSS_CheckPadding verifies the PSS + * padding against img->sha_hash. Returns 0 on success. Both steps are + * armored when WOLFBOOT_ARMORED is enabled. */ ret = wc_InitRsaKey(&rsa, NULL); if (ret == 0) { /* Import public key */ @@ -609,26 +617,13 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, if (ret >= 0) { XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); RSA_VERIFY_FN(ret, - wc_RsaPSS_VerifyCheckInline, output, RSA_IMAGE_SIGNATURE_SIZE, - &digest_out, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, - hash_type, mgf, &rsa); + wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, + &digest_out, hash_type, mgf, &rsa); } } wc_FreeRsaKey(&rsa); - /* wc_RsaPSS_VerifyCheckInline returns the PSS-verified data length on - * success (>= digest size), or a negative error code on failure. - * The hash comparison is performed internally by the function. - * - * Note: uses '>=' rather than '==' because PSS verify returns the digest - * size on success, unlike PKCS#1 v1.5 which returns exact decoded length. - * - * ARMORED limitation: the PKCS#1 v1.5 path uses both RSA_VERIFY_FN and - * RSA_VERIFY_HASH armored macros (two hardened gates), but PSS only uses - * RSA_VERIFY_FN because wc_RsaPSS_VerifyCheckInline performs the hash - * comparison internally. The branch below is not armored. Full armored - * hardening for PSS would require a new macro or restructuring. */ - if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img) { - wolfBoot_image_confirm_signature_ok(img); + if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { + RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type); } } From 20b6c3130f73288121642c3ddff36ebf7faa96c9 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 23 Mar 2026 12:49:26 -0600 Subject: [PATCH 4/6] add wolfHSM support --- src/image.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 81 insertions(+), 1 deletion(-) diff --git a/src/image.c b/src/image.c index 600c4b471f..e7cbb63f05 100644 --- a/src/image.c +++ b/src/image.c @@ -584,6 +584,8 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, word32 inOutIdx = 0; struct RsaKey rsa; + (void)inOutIdx; + #if defined(WOLFBOOT_HASH_SHA256) enum wc_HashType hash_type = WC_HASH_TYPE_SHA256; int mgf = WC_MGF1SHA256; @@ -594,14 +596,19 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, #error "RSA-PSS requires SHA-256 or SHA-384" #endif +#if (!defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ + !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \ + (defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ + !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)) uint8_t *pubkey = keystore_get_buffer(key_slot); int pubkey_sz = keystore_get_size(key_slot); if (pubkey == NULL || pubkey_sz < 0) { return; } +#endif - /* wolfCrypt software RSA-PSS verify (two-step) + /* RSA-PSS verify (two-step) * * Step 1 (RSA_VERIFY_FN): wc_RsaPSS_VerifyInline performs the RSA * operation and PSS unmasking, returning a pointer to the PSS data and @@ -610,6 +617,78 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, * Step 2 (RSA_PSS_VERIFY_HASH): wc_RsaPSS_CheckPadding verifies the PSS * padding against img->sha_hash. Returns 0 on success. Both steps are * armored when WOLFBOOT_ARMORED is enabled. */ +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \ + defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) + ret = wc_InitRsaKey_ex(&rsa, NULL, hsmDevIdPubKey); + if (ret != 0) { + return; + } +#if defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) || \ + (defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \ + defined(WOLFBOOT_CERT_CHAIN_VERIFY)) + (void)key_slot; + /* public key is stored on server at hsmKeyIdPubKey*/ +#if defined(WOLFBOOT_CERT_CHAIN_VERIFY) + /* If using certificate chain verification and we have a verified leaf key + * ID */ + if (g_leafKeyIdValid) { + /* Use the leaf key ID from certificate verification */ +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) + ret = wh_Client_RsaSetKeyId(&rsa, g_certLeafKeyId); +#elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) + ret = wh_Server_CacheExportRsaKey(&hsmServerCtx, g_certLeafKeyId, &rsa); +#endif + wolfBoot_printf( + "Using leaf cert public key (ID: %08x) for RSA-PSS verification\n", + (unsigned int)g_certLeafKeyId); + } + else { +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) + /* Default behavior: use the pre-configured public key ID */ + ret = wh_Client_RsaSetKeyId(&rsa, hsmKeyIdPubKey); +#endif + } +#else + ret = wh_Client_RsaSetKeyId(&rsa, hsmKeyIdPubKey); +#endif + if (ret != 0) { + return; + } +#else + whKeyId hsmKeyId = WH_KEYID_ERASED; + /* Cache the public key on the server */ + ret = wh_Client_KeyCache(&hsmClientCtx, WH_NVM_FLAGS_USAGE_VERIFY, NULL, 0, + pubkey, pubkey_sz, &hsmKeyId); + if (ret != WH_ERROR_OK) { + return; + } + /* Associate this RSA struct with the keyId of the cached key */ + ret = wh_Client_RsaSetKeyId(&rsa, hsmKeyId); + if (ret != WH_ERROR_OK) { + return; + } +#endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ + XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); + RSA_VERIFY_FN(ret, wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, + &digest_out, hash_type, mgf, &rsa); +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ + !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) + /* evict the key after use, since we aren't using the RSA import API */ + if (WH_ERROR_OK != wh_Client_KeyEvict(&hsmClientCtx, hsmKeyId)) { + return; + } +#elif defined(WOLFBOOT_CERT_CHAIN_VERIFY) + if (g_leafKeyIdValid) { +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) + (void)wh_Client_KeyEvict(&hsmClientCtx, g_certLeafKeyId); +#elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) + (void)wh_Server_KeystoreEvictKey(&hsmServerCtx, g_certLeafKeyId); +#endif + g_leafKeyIdValid = 0; + } +#endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ +#else + /* wolfCrypt software RSA-PSS verify */ ret = wc_InitRsaKey(&rsa, NULL); if (ret == 0) { /* Import public key */ @@ -621,6 +700,7 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, &digest_out, hash_type, mgf, &rsa); } } +#endif /* WOLFBOOT_ENABLE_WOLFHSM */ wc_FreeRsaKey(&rsa); if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type); From 29a049399ff6904206aedce247300e3f3863c34c Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Thu, 26 Mar 2026 13:25:03 -0600 Subject: [PATCH 5/6] unify rsa and rsa-pss into single verify method --- include/image.h | 6 ++ include/loader.h | 11 +++ src/image.c | 215 +++++++++++++---------------------------------- 3 files changed, 76 insertions(+), 156 deletions(-) diff --git a/include/image.h b/include/image.h index 73db171f23..69b8dc83e1 100644 --- a/include/image.h +++ b/include/image.h @@ -122,6 +122,12 @@ extern "C" { #define wolfBoot_verify_signature_secondary wolfBoot_verify_signature_ml_dsa #endif +/* Thin wrappers: dispatch RSA / RSA-PSS to the unified verify function */ +#define wolfBoot_verify_signature_rsa(ks, img, sig) \ + wolfBoot_verify_signature_rsa_common(ks, img, sig, 0) +#define wolfBoot_verify_signature_rsa_pss(ks, img, sig) \ + wolfBoot_verify_signature_rsa_common(ks, img, sig, 1) + #if defined(WOLFBOOT_TPM) && defined (WOLFBOOT_TPM_VERIFY) #undef wolfBoot_verify_signature_primary #define wolfBoot_verify_signature_primary wolfBoot_verify_signature_tpm diff --git a/include/loader.h b/include/loader.h index decacde31f..aec448fa8f 100644 --- a/include/loader.h +++ b/include/loader.h @@ -40,6 +40,17 @@ extern "C" { #define ECC_IMAGE_SIGNATURE_SIZE (132) #endif +/* Consolidated RSA-PSS flag: set when any RSA-PSS variant is enabled + * (primary or secondary). Used to guard PSS-specific code paths in the + * unified RSA verify function. */ +#if defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) +#define WOLFBOOT_RSA_PSS +#endif + #if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) #define RSA_IMAGE_SIGNATURE_SIZE (256) diff --git a/src/image.c b/src/image.c index e7cbb63f05..31257f4f18 100644 --- a/src/image.c +++ b/src/image.c @@ -430,8 +430,8 @@ static int RsaDecodeSignature(uint8_t** pInput, int inputSz) } #endif /* !NO_RSA_SIG_ENCODING */ -static void wolfBoot_verify_signature_rsa(uint8_t key_slot, - struct wolfBoot_image *img, uint8_t *sig) +static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, + struct wolfBoot_image *img, uint8_t *sig, int is_pss) { int ret; uint8_t output[RSA_IMAGE_SIGNATURE_SIZE]; @@ -440,6 +440,21 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot, struct RsaKey rsa; (void)inOutIdx; + (void)is_pss; + +#ifdef WOLFBOOT_RSA_PSS + enum wc_HashType hash_type; + int mgf; +#if defined(WOLFBOOT_HASH_SHA256) + hash_type = WC_HASH_TYPE_SHA256; + mgf = WC_MGF1SHA256; +#elif defined(WOLFBOOT_HASH_SHA384) + hash_type = WC_HASH_TYPE_SHA384; + mgf = WC_MGF1SHA384; +#else + #error "RSA-PSS requires SHA-256 or SHA-384" +#endif +#endif /* WOLFBOOT_RSA_PSS */ #if (!defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \ @@ -456,6 +471,7 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot, #if defined(WOLFBOOT_RENESAS_SCEPROTECT) || \ defined(WOLFBOOT_RENESAS_TSIP) || \ defined(WOLFBOOT_RENESAS_RSIP) + /* Renesas crypto callback — RSA PKCS#1 v1.5 only */ ret = wc_InitRsaKey_ex(&rsa, NULL, RENESAS_DEVID); if (ret == 0) { XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); @@ -519,8 +535,17 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot, } #endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); - RSA_VERIFY_FN(ret, wc_RsaSSL_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, - &digest_out, &rsa); +#ifdef WOLFBOOT_RSA_PSS + if (is_pss) { + RSA_VERIFY_FN(ret, wc_RsaPSS_VerifyInline, output, + RSA_IMAGE_SIGNATURE_SIZE, &digest_out, hash_type, mgf, + &rsa); + } else +#endif + { + RSA_VERIFY_FN(ret, wc_RsaSSL_VerifyInline, output, + RSA_IMAGE_SIGNATURE_SIZE, &digest_out, &rsa); + } #if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) /* evict the key after use, since we aren't using the RSA import API */ @@ -545,170 +570,48 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot, ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz); if (ret >= 0) { XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); - RSA_VERIFY_FN(ret, - wc_RsaSSL_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, - &digest_out, &rsa); +#ifdef WOLFBOOT_RSA_PSS + if (is_pss) { + RSA_VERIFY_FN(ret, + wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, + &digest_out, hash_type, mgf, &rsa); + } else +#endif + { + RSA_VERIFY_FN(ret, + wc_RsaSSL_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, + &digest_out, &rsa); + } } } #endif /* SCE || TSIP */ wc_FreeRsaKey(&rsa); +#ifdef WOLFBOOT_RSA_PSS + if (is_pss) { + if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { + RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type); + } + } else +#endif + { #ifndef NO_RSA_SIG_ENCODING - if (ret > WOLFBOOT_SHA_DIGEST_SIZE) { - /* larger result indicates it might have an ASN.1 encoded header */ - ret = RsaDecodeSignature(&digest_out, ret); - } + if (ret > WOLFBOOT_SHA_DIGEST_SIZE) { + /* larger result indicates it might have an ASN.1 encoded header */ + ret = RsaDecodeSignature(&digest_out, ret); + } #endif - if (ret == WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { - RSA_VERIFY_HASH(img, digest_out); + if (ret == WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { + RSA_VERIFY_HASH(img, digest_out); + } } } #endif /* WOLFBOOT_SIGN_RSA2048 || WOLFBOOT_SIGN_RSA3072 || \ * WOLFBOOT_SIGN_RSA4096 || WOLFBOOT_SIGN_SECONDARY_RSA2048 || - * WOLFBOOT_SIGN_SECONDARY_RSA3072 || WOLFBOOT_SIGN_SECONDARY_RSA4096 */ - -#if defined(WOLFBOOT_SIGN_RSAPSS2048) || \ - defined(WOLFBOOT_SIGN_RSAPSS3072) || \ - defined(WOLFBOOT_SIGN_RSAPSS4096) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) - -static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot, - struct wolfBoot_image *img, uint8_t *sig) -{ - int ret; - uint8_t output[RSA_IMAGE_SIGNATURE_SIZE]; - uint8_t* digest_out = NULL; - word32 inOutIdx = 0; - struct RsaKey rsa; - - (void)inOutIdx; - -#if defined(WOLFBOOT_HASH_SHA256) - enum wc_HashType hash_type = WC_HASH_TYPE_SHA256; - int mgf = WC_MGF1SHA256; -#elif defined(WOLFBOOT_HASH_SHA384) - enum wc_HashType hash_type = WC_HASH_TYPE_SHA384; - int mgf = WC_MGF1SHA384; -#else - #error "RSA-PSS requires SHA-256 or SHA-384" -#endif - -#if (!defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \ - (defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)) - uint8_t *pubkey = keystore_get_buffer(key_slot); - int pubkey_sz = keystore_get_size(key_slot); - - if (pubkey == NULL || pubkey_sz < 0) { - return; - } -#endif - - /* RSA-PSS verify (two-step) - * - * Step 1 (RSA_VERIFY_FN): wc_RsaPSS_VerifyInline performs the RSA - * operation and PSS unmasking, returning a pointer to the PSS data and - * its length. - * - * Step 2 (RSA_PSS_VERIFY_HASH): wc_RsaPSS_CheckPadding verifies the PSS - * padding against img->sha_hash. Returns 0 on success. Both steps are - * armored when WOLFBOOT_ARMORED is enabled. */ -#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \ - defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) - ret = wc_InitRsaKey_ex(&rsa, NULL, hsmDevIdPubKey); - if (ret != 0) { - return; - } -#if defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) || \ - (defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \ - defined(WOLFBOOT_CERT_CHAIN_VERIFY)) - (void)key_slot; - /* public key is stored on server at hsmKeyIdPubKey*/ -#if defined(WOLFBOOT_CERT_CHAIN_VERIFY) - /* If using certificate chain verification and we have a verified leaf key - * ID */ - if (g_leafKeyIdValid) { - /* Use the leaf key ID from certificate verification */ -#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) - ret = wh_Client_RsaSetKeyId(&rsa, g_certLeafKeyId); -#elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) - ret = wh_Server_CacheExportRsaKey(&hsmServerCtx, g_certLeafKeyId, &rsa); -#endif - wolfBoot_printf( - "Using leaf cert public key (ID: %08x) for RSA-PSS verification\n", - (unsigned int)g_certLeafKeyId); - } - else { -#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) - /* Default behavior: use the pre-configured public key ID */ - ret = wh_Client_RsaSetKeyId(&rsa, hsmKeyIdPubKey); -#endif - } -#else - ret = wh_Client_RsaSetKeyId(&rsa, hsmKeyIdPubKey); -#endif - if (ret != 0) { - return; - } -#else - whKeyId hsmKeyId = WH_KEYID_ERASED; - /* Cache the public key on the server */ - ret = wh_Client_KeyCache(&hsmClientCtx, WH_NVM_FLAGS_USAGE_VERIFY, NULL, 0, - pubkey, pubkey_sz, &hsmKeyId); - if (ret != WH_ERROR_OK) { - return; - } - /* Associate this RSA struct with the keyId of the cached key */ - ret = wh_Client_RsaSetKeyId(&rsa, hsmKeyId); - if (ret != WH_ERROR_OK) { - return; - } -#endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ - XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); - RSA_VERIFY_FN(ret, wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, - &digest_out, hash_type, mgf, &rsa); -#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) - /* evict the key after use, since we aren't using the RSA import API */ - if (WH_ERROR_OK != wh_Client_KeyEvict(&hsmClientCtx, hsmKeyId)) { - return; - } -#elif defined(WOLFBOOT_CERT_CHAIN_VERIFY) - if (g_leafKeyIdValid) { -#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) - (void)wh_Client_KeyEvict(&hsmClientCtx, g_certLeafKeyId); -#elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) - (void)wh_Server_KeystoreEvictKey(&hsmServerCtx, g_certLeafKeyId); -#endif - g_leafKeyIdValid = 0; - } -#endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ -#else - /* wolfCrypt software RSA-PSS verify */ - ret = wc_InitRsaKey(&rsa, NULL); - if (ret == 0) { - /* Import public key */ - ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz); - if (ret >= 0) { - XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); - RSA_VERIFY_FN(ret, - wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, - &digest_out, hash_type, mgf, &rsa); - } - } -#endif /* WOLFBOOT_ENABLE_WOLFHSM */ - wc_FreeRsaKey(&rsa); - if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { - RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type); - } -} - -#endif /* WOLFBOOT_SIGN_RSAPSS2048 || WOLFBOOT_SIGN_RSAPSS3072 || \ - * WOLFBOOT_SIGN_RSAPSS4096 || WOLFBOOT_SIGN_SECONDARY_RSAPSS2048 || \ + * WOLFBOOT_SIGN_SECONDARY_RSA3072 || WOLFBOOT_SIGN_SECONDARY_RSA4096 || + * WOLFBOOT_SIGN_RSAPSS2048 || WOLFBOOT_SIGN_RSAPSS3072 || + * WOLFBOOT_SIGN_RSAPSS4096 || WOLFBOOT_SIGN_SECONDARY_RSAPSS2048 || * WOLFBOOT_SIGN_SECONDARY_RSAPSS3072 || WOLFBOOT_SIGN_SECONDARY_RSAPSS4096 */ #ifdef WOLFBOOT_SIGN_LMS From c28aae3d3a4b764327c26983bf32fc232ff67c4b Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Thu, 26 Mar 2026 14:54:42 -0600 Subject: [PATCH 6/6] rename aggregate RSA PSS macro, add Renesas protection --- include/loader.h | 18 +++++++++++++++++- src/image.c | 35 +++++++++++------------------------ 2 files changed, 28 insertions(+), 25 deletions(-) diff --git a/include/loader.h b/include/loader.h index aec448fa8f..930a7d410d 100644 --- a/include/loader.h +++ b/include/loader.h @@ -48,7 +48,23 @@ extern "C" { defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) -#define WOLFBOOT_RSA_PSS +#define WOLFBOOT_SIGN_RSAPSS_ANY +#endif + +/* Consolidated RSA flag: set when any RSA variant is enabled (PKCS#1 v1.5 or + * PSS, primary or secondary). Used to guard the unified RSA verify function + * and related RSA code paths. */ +#if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_RSA3072) || \ + defined(WOLFBOOT_SIGN_RSA4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ + defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_RSAPSS4096) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ + defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) +#define WOLFBOOT_SIGN_RSA_ANY #endif #if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ diff --git a/src/image.c b/src/image.c index 31257f4f18..aee76a2874 100644 --- a/src/image.c +++ b/src/image.c @@ -359,18 +359,7 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot, * WOLFBOOT_SIGN_SECONDARY_ECC521 */ -#if defined(WOLFBOOT_SIGN_RSA2048) || \ - defined(WOLFBOOT_SIGN_RSA3072) || \ - defined(WOLFBOOT_SIGN_RSA4096) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \ - defined(WOLFBOOT_SIGN_RSAPSS2048) || \ - defined(WOLFBOOT_SIGN_RSAPSS3072) || \ - defined(WOLFBOOT_SIGN_RSAPSS4096) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \ - defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) +#ifdef WOLFBOOT_SIGN_RSA_ANY #include #include @@ -442,7 +431,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, (void)inOutIdx; (void)is_pss; -#ifdef WOLFBOOT_RSA_PSS +#ifdef WOLFBOOT_SIGN_RSAPSS_ANY enum wc_HashType hash_type; int mgf; #if defined(WOLFBOOT_HASH_SHA256) @@ -454,7 +443,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, #else #error "RSA-PSS requires SHA-256 or SHA-384" #endif -#endif /* WOLFBOOT_RSA_PSS */ +#endif /* WOLFBOOT_SIGN_RSAPSS_ANY */ #if (!defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \ @@ -471,7 +460,10 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, #if defined(WOLFBOOT_RENESAS_SCEPROTECT) || \ defined(WOLFBOOT_RENESAS_TSIP) || \ defined(WOLFBOOT_RENESAS_RSIP) - /* Renesas crypto callback — RSA PKCS#1 v1.5 only */ + /* Renesas crypto callback supports RSA PKCS#1 v1.5 only */ +#ifdef WOLFBOOT_SIGN_RSAPSS_ANY + #error "RSA-PSS is not yet supported with Renesas crypto callbacks" +#endif ret = wc_InitRsaKey_ex(&rsa, NULL, RENESAS_DEVID); if (ret == 0) { XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); @@ -535,7 +527,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, } #endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); -#ifdef WOLFBOOT_RSA_PSS +#ifdef WOLFBOOT_SIGN_RSAPSS_ANY if (is_pss) { RSA_VERIFY_FN(ret, wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, &digest_out, hash_type, mgf, @@ -570,7 +562,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz); if (ret >= 0) { XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); -#ifdef WOLFBOOT_RSA_PSS +#ifdef WOLFBOOT_SIGN_RSAPSS_ANY if (is_pss) { RSA_VERIFY_FN(ret, wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, @@ -587,7 +579,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, #endif /* SCE || TSIP */ wc_FreeRsaKey(&rsa); -#ifdef WOLFBOOT_RSA_PSS +#ifdef WOLFBOOT_SIGN_RSAPSS_ANY if (is_pss) { if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) { RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type); @@ -607,12 +599,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, } } -#endif /* WOLFBOOT_SIGN_RSA2048 || WOLFBOOT_SIGN_RSA3072 || \ - * WOLFBOOT_SIGN_RSA4096 || WOLFBOOT_SIGN_SECONDARY_RSA2048 || - * WOLFBOOT_SIGN_SECONDARY_RSA3072 || WOLFBOOT_SIGN_SECONDARY_RSA4096 || - * WOLFBOOT_SIGN_RSAPSS2048 || WOLFBOOT_SIGN_RSAPSS3072 || - * WOLFBOOT_SIGN_RSAPSS4096 || WOLFBOOT_SIGN_SECONDARY_RSAPSS2048 || - * WOLFBOOT_SIGN_SECONDARY_RSAPSS3072 || WOLFBOOT_SIGN_SECONDARY_RSAPSS4096 */ +#endif /* WOLFBOOT_SIGN_RSA_ANY */ #ifdef WOLFBOOT_SIGN_LMS #include