Add SW-only RSA PSS

Author: bigbrett

include/image.h

@@ -68,6 +68,11 @@ extern "C" {
     defined (WOLFBOOT_SIGN_RSA4096ENC)
 #define wolfBoot_verify_signature_primary wolfBoot_verify_signature_rsa
 #endif
+#if defined (WOLFBOOT_SIGN_RSAPSS2048) || \
+    defined (WOLFBOOT_SIGN_RSAPSS3072) || \
+    defined (WOLFBOOT_SIGN_RSAPSS4096)
+#define wolfBoot_verify_signature_primary wolfBoot_verify_signature_rsa_pss
+#endif
 #if defined (WOLFBOOT_SIGN_ECC256) || \
         defined (WOLFBOOT_SIGN_ECC384) || \
         defined (WOLFBOOT_SIGN_ECC521)
@@ -97,6 +102,11 @@ extern "C" {
     defined (WOLFBOOT_SIGN_SECONDARY_RSA4096ENC)
 #define wolfBoot_verify_signature_secondary wolfBoot_verify_signature_rsa
 #endif
+#if defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+    defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+    defined (WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
+#define wolfBoot_verify_signature_secondary wolfBoot_verify_signature_rsa_pss
+#endif
 #if defined (WOLFBOOT_SIGN_SECONDARY_ECC256) || \
         defined (WOLFBOOT_SIGN_SECONDARY_ECC384) || \
         defined (WOLFBOOT_SIGN_SECONDARY_ECC521)

include/loader.h

@@ -40,11 +40,14 @@ extern "C" {
 #define ECC_IMAGE_SIGNATURE_SIZE (132)
 #endif
 
-#if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048)
+#if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \
+    defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048)
 #define RSA_IMAGE_SIGNATURE_SIZE (256)
-#elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072)
+#elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \
+    defined(WOLFBOOT_SIGN_RSAPSS3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072)
 #define RSA_IMAGE_SIGNATURE_SIZE (384)
-#elif defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096)
+#elif defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \
+    defined(WOLFBOOT_SIGN_RSAPSS4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
 #define RSA_IMAGE_SIGNATURE_SIZE (512)
 #endif
 

include/user_settings.h

@@ -222,20 +222,35 @@ extern int tolower(int c);
     defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \
+    defined(WOLFBOOT_SIGN_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_RSAPSS4096) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) || \
     (defined(WOLFCRYPT_SECURE_MODE) && (!defined(PKCS11_SMALL)))
 
 #   define WC_RSA_BLINDING
 #   define WC_RSA_DIRECT
 #   define RSA_LOW_MEM
 #   define WC_ASN_HASH_SHA256
+#   if defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \
+       defined(WOLFBOOT_SIGN_RSAPSS4096) || \
+       defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+       defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+       defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
+#       define WC_RSA_PSS
+#   endif
 #   if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) && \
        !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK) && \
        !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
        !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
 #       define WOLFSSL_RSA_VERIFY_INLINE
 #       define WOLFSSL_RSA_VERIFY_ONLY
 #       define WOLFSSL_RSA_PUBLIC_ONLY
-#       define WC_NO_RSA_OAEP
+#       if !defined(WC_RSA_PSS)
+#           define WC_NO_RSA_OAEP
+#       endif
 #       define NO_RSA_BOUNDS_CHECK
 #   endif
 #   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
@@ -244,7 +259,8 @@ extern int tolower(int c);
 #       define WOLFSSL_SP_SMALL
 #       define WOLFSSL_SP_MATH
 #   endif
-#   if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048)
+#   if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \
+       defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048)
 #       define FP_MAX_BITS (2048 * 2)
 #       define SP_INT_BITS 2048
 #       define WOLFSSL_SP_NO_3072
@@ -253,7 +269,8 @@ extern int tolower(int c);
 #       define RSA_MIN_SIZE 2048
 #       define RSA_MAX_SIZE 2048
 #   endif
-#   if defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072)
+#   if defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \
+       defined(WOLFBOOT_SIGN_RSAPSS3072) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072)
 #       define FP_MAX_BITS (3072 * 2)
 #       define SP_INT_BITS 3072
 #       define WOLFSSL_SP_NO_2048
@@ -263,7 +280,8 @@ extern int tolower(int c);
 #       define RSA_MAX_SIZE 3072
 #   endif
 
-#   if defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096)
+#   if defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \
+       defined(WOLFBOOT_SIGN_RSAPSS4096) || defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
 #       define FP_MAX_BITS (4096 * 2)
 #       define SP_INT_BITS 4096
 #       define WOLFSSL_SP_NO_2048

include/wolfboot/wolfboot.h

@@ -112,16 +112,16 @@ extern "C" {
 
 #ifndef IMAGE_HEADER_SIZE
 /* Largest cases first */
-#   if defined(WOLFBOOT_SIGN_RSA4096)
+#   if defined(WOLFBOOT_SIGN_RSA4096) || defined(WOLFBOOT_SIGN_RSAPSS4096)
 #       define IMAGE_HEADER_SIZE 1024
 
-    /* RSA3072 + strong hash */
-#   elif (defined(WOLFBOOT_SIGN_RSA3072) && \
+    /* RSA3072/RSAPSS3072 + strong hash */
+#   elif ((defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_RSAPSS3072)) && \
           (defined(WOLFBOOT_HASH_SHA384) || defined(WOLFBOOT_HASH_SHA3_384)))
 #       define IMAGE_HEADER_SIZE 1024
 
-    /* RSA2048 + SHA256 */
-#   elif defined(WOLFBOOT_SIGN_RSA2048) && defined(WOLFBOOT_HASH_SHA256)
+    /* RSA2048/RSAPSS2048 + SHA256 */
+#   elif (defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_RSAPSS2048)) && defined(WOLFBOOT_HASH_SHA256)
 #       define IMAGE_HEADER_SIZE 512
 
     /* ECC384 requires 512 with SHA256 */
@@ -141,7 +141,7 @@ extern "C" {
 #       define IMAGE_HEADER_SIZE 256
 
     /* Secondary 512-byte fallbacks */
-#   elif defined(WOLFBOOT_SIGN_RSA3072) || \
+#   elif defined(WOLFBOOT_SIGN_RSA3072) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \
           defined(WOLFBOOT_SIGN_ECC521) || \
           defined(WOLFBOOT_SIGN_ED448)  || \
           defined(WOLFBOOT_HASH_SHA384) || \
@@ -225,9 +225,12 @@ extern "C" {
 #define AUTH_KEY_ECC521  0x07
 #define AUTH_KEY_RSA3072 0x08
 #define AUTH_KEY_LMS     0x09
-#define AUTH_KEY_XMSS    0x0A
-#define AUTH_KEY_ML_DSA  0x0B
-#define AUTH_KEY_NUM     0x0C
+#define AUTH_KEY_XMSS        0x0A
+#define AUTH_KEY_ML_DSA      0x0B
+#define AUTH_KEY_RSAPSS2048  0x0C
+#define AUTH_KEY_RSAPSS3072  0x0D
+#define AUTH_KEY_RSAPSS4096  0x0E
+#define AUTH_KEY_NUM         0x0F
 
 /*
  * 8 bits: auth type
@@ -248,6 +251,9 @@ extern "C" {
 #define HDR_IMG_TYPE_AUTH_LMS     (AUTH_KEY_LMS     << 8)
 #define HDR_IMG_TYPE_AUTH_XMSS    (AUTH_KEY_XMSS    << 8)
 #define HDR_IMG_TYPE_AUTH_ML_DSA  (AUTH_KEY_ML_DSA  << 8)
+#define HDR_IMG_TYPE_AUTH_RSAPSS2048 (AUTH_KEY_RSAPSS2048 << 8)
+#define HDR_IMG_TYPE_AUTH_RSAPSS3072 (AUTH_KEY_RSAPSS3072 << 8)
+#define HDR_IMG_TYPE_AUTH_RSAPSS4096 (AUTH_KEY_RSAPSS4096 << 8)
 
 #define HDR_IMG_TYPE_DIFF         0x00D0
 
@@ -266,6 +272,9 @@ extern "C" {
 #define KEYSTORE_PUBKEY_SIZE_RSA2048 320
 #define KEYSTORE_PUBKEY_SIZE_RSA3072 448
 #define KEYSTORE_PUBKEY_SIZE_RSA4096 576
+#define KEYSTORE_PUBKEY_SIZE_RSAPSS2048 KEYSTORE_PUBKEY_SIZE_RSA2048
+#define KEYSTORE_PUBKEY_SIZE_RSAPSS3072 KEYSTORE_PUBKEY_SIZE_RSA3072
+#define KEYSTORE_PUBKEY_SIZE_RSAPSS4096 KEYSTORE_PUBKEY_SIZE_RSA4096
 #define KEYSTORE_PUBKEY_SIZE_LMS     60
 #define KEYSTORE_PUBKEY_SIZE_XMSS    68
 
@@ -440,6 +449,21 @@ extern "C" {
  #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
  #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA4096
  #   endif
+ #elif defined(WOLFBOOT_SIGN_RSAPSS2048)
+ #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSAPSS2048
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA2048
+ #   endif
+ #elif defined(WOLFBOOT_SIGN_RSAPSS3072)
+ #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSAPSS3072
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA3072
+ #   endif
+ #elif defined(WOLFBOOT_SIGN_RSAPSS4096)
+ #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSAPSS4096
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA4096
+ #   endif
  #elif defined(WOLFBOOT_SIGN_LMS)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_LMS
  #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE

options.mk

@@ -298,6 +298,84 @@ ifeq ($(SIGN),ED448)
   endif
 endif
 
+ifeq ($(SIGN),RSAPSS2048)
+  KEYGEN_OPTIONS+=--rsapss2048
+  SIGN_OPTIONS+=--rsapss2048
+  SIGN_ALG=RSAPSS2048
+  WOLFCRYPT_OBJS+= $(RSA_OBJS)
+  WOLFCRYPT_OBJS+=$(MATH_OBJS)
+  CFLAGS+=-D"WOLFBOOT_SIGN_RSAPSS2048" $(RSA_EXTRA_CFLAGS)
+  ifeq ($(WOLFBOOT_SMALL_STACK),1)
+    ifneq ($(SPMATH),1)
+      STACK_USAGE=5008
+    else
+      STACK_USAGE=4096
+    endif
+  else
+    ifneq ($(SPMATH),1)
+      STACK_USAGE=35952
+    else
+      STACK_USAGE=17568
+    endif
+  endif
+  ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0)
+    IMAGE_HEADER_SIZE=512
+  endif
+endif
+
+ifeq ($(SIGN),RSAPSS3072)
+  KEYGEN_OPTIONS+=--rsapss3072
+  SIGN_OPTIONS+=--rsapss3072
+  SIGN_ALG=RSAPSS3072
+  WOLFCRYPT_OBJS+= $(RSA_OBJS)
+  WOLFCRYPT_OBJS+=$(MATH_OBJS)
+  CFLAGS+=-D"WOLFBOOT_SIGN_RSAPSS3072" $(RSA_EXTRA_CFLAGS)
+  ifeq ($(WOLFBOOT_SMALL_STACK),1)
+    ifneq ($(SPMATH),1)
+      STACK_USAGE=5008
+    else
+      STACK_USAGE=4364
+    endif
+  else
+    ifneq ($(SPMATH),1)
+      STACK_USAGE=52592
+    else
+      STACK_USAGE=12288
+    endif
+  endif
+  ifneq ($(HASH),SHA256)
+    IMAGE_HEADER_SIZE=1024
+  endif
+  ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0)
+    IMAGE_HEADER_SIZE=512
+  endif
+endif
+
+ifeq ($(SIGN),RSAPSS4096)
+  KEYGEN_OPTIONS+=--rsapss4096
+  SIGN_OPTIONS+=--rsapss4096
+  SIGN_ALG=RSAPSS4096
+  WOLFCRYPT_OBJS+= $(RSA_OBJS)
+  WOLFCRYPT_OBJS+=$(MATH_OBJS)
+  CFLAGS+=-D"WOLFBOOT_SIGN_RSAPSS4096" $(RSA_EXTRA_CFLAGS)
+  ifeq ($(WOLFBOOT_SMALL_STACK),1)
+    ifneq ($(SPMATH),1)
+      STACK_USAGE=5888
+    else
+      STACK_USAGE=5768
+    endif
+  else
+    ifneq ($(SPMATH),1)
+      STACK_USAGE=69232
+    else
+      STACK_USAGE=18064
+    endif
+  endif
+  ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 1024; echo $$?),0)
+    IMAGE_HEADER_SIZE=1024
+  endif
+endif
+
 ifneq ($(findstring RSA2048,$(SIGN)),)
   KEYGEN_OPTIONS+=--rsa2048
   ifeq ($(SIGN),RSA2048ENC)

src/image.c

@@ -364,7 +364,13 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot,
     defined(WOLFBOOT_SIGN_RSA4096) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA4096)
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \
+    defined(WOLFBOOT_SIGN_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_RSAPSS4096) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
 
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/rsa.h>
@@ -562,6 +568,65 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot,
         * WOLFBOOT_SIGN_RSA4096 || WOLFBOOT_SIGN_SECONDARY_RSA2048 ||
         * WOLFBOOT_SIGN_SECONDARY_RSA3072 || WOLFBOOT_SIGN_SECONDARY_RSA4096 */
 
+#if defined(WOLFBOOT_SIGN_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_RSAPSS4096) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
+
+static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot,
+        struct wolfBoot_image *img, uint8_t *sig)
+{
+    int ret;
+    uint8_t output[RSA_IMAGE_SIGNATURE_SIZE];
+    uint8_t* digest_out = NULL;
+    word32 inOutIdx = 0;
+    struct RsaKey rsa;
+
+#if defined(WOLFBOOT_HASH_SHA256)
+    enum wc_HashType hash_type = WC_HASH_TYPE_SHA256;
+    int mgf = WC_MGF1SHA256;
+#elif defined(WOLFBOOT_HASH_SHA384)
+    enum wc_HashType hash_type = WC_HASH_TYPE_SHA384;
+    int mgf = WC_MGF1SHA384;
+#else
+    #error "RSA-PSS requires SHA-256 or SHA-384"
+#endif
+
+    uint8_t *pubkey = keystore_get_buffer(key_slot);
+    int pubkey_sz = keystore_get_size(key_slot);
+
+    if (pubkey == NULL || pubkey_sz < 0) {
+        return;
+    }
+
+    /* wolfCrypt software RSA-PSS verify */
+    ret = wc_InitRsaKey(&rsa, NULL);
+    if (ret == 0) {
+        /* Import public key */
+        ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz);
+        if (ret >= 0) {
+            XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE);
+            RSA_VERIFY_FN(ret,
+                wc_RsaPSS_VerifyCheckInline, output, RSA_IMAGE_SIGNATURE_SIZE,
+                    &digest_out, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE,
+                    hash_type, mgf, &rsa);
+        }
+    }
+    wc_FreeRsaKey(&rsa);
+    /* wc_RsaPSS_VerifyCheckInline returns the PSS-verified data length on
+     * success (>= digest size), or a negative error code on failure.
+     * The hash comparison is performed internally by the function. */
+    if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img) {
+        wolfBoot_image_confirm_signature_ok(img);
+    }
+}
+
+#endif /* WOLFBOOT_SIGN_RSAPSS2048 || WOLFBOOT_SIGN_RSAPSS3072 || \
+        * WOLFBOOT_SIGN_RSAPSS4096 || WOLFBOOT_SIGN_SECONDARY_RSAPSS2048 || \
+        * WOLFBOOT_SIGN_SECONDARY_RSAPSS3072 || WOLFBOOT_SIGN_SECONDARY_RSAPSS4096 */
+
 #ifdef WOLFBOOT_SIGN_LMS
 #include <wolfssl/wolfcrypt/lms.h>
 #ifdef HAVE_LIBLMS
@@ -2272,7 +2337,10 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img)
       defined (WOLFBOOT_SIGN_RSA4096) || \
       defined (WOLFBOOT_SIGN_RSA2048ENC) || \
       defined (WOLFBOOT_SIGN_RSA3072ENC) || \
-      defined (WOLFBOOT_SIGN_RSA4096ENC)
+      defined (WOLFBOOT_SIGN_RSA4096ENC) || \
+      defined (WOLFBOOT_SIGN_RSAPSS2048) || \
+      defined (WOLFBOOT_SIGN_RSAPSS3072) || \
+      defined (WOLFBOOT_SIGN_RSAPSS4096)
     if (stored_signature_size != RSA_IMAGE_SIGNATURE_SIZE)
         return -1;
 #elif defined (WOLFBOOT_SIGN_ECC256) || \