
Commit c847529

committed
Added RSA-4096 bit support
1 parent 60c5e76 commit c847529

10 files changed

Lines changed: 114 additions & 14 deletions


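--- a/.gitignore
+++ b/.gitignore
@@ -53,6 +53,7 @@
 src/ed25519_pub_key.c
 src/ecc256_pub_key.c
 src/rsa2048_pub_key.c
+src/rsa4096_pub_key.c
 
 # keygen binaries
 tools/ed25519/ed25519_sign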
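Review bot: Only the generated public-key source is ignored here, while the Makefile in this same commit writes the private signing key to `rsa4096.der` in the repository root; this hunk does not show whether `*.der` or the other private keys are covered elsewhere in the file. If they are not, add `rsa4096.der` next to the existing key entries so a freshly generated signing key cannot be committed by accident.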

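--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,9 @@ OBJS:= \
 WOLFCRYPT_OBJS:=
 PUBLIC_KEY_OBJS:=
 
+ifeq ($(SIGN),RSA4096)
+SPMATH=0
+endif
 
 ## Architecture/CPU configuration
 include arch.mk
@@ -77,6 +80,25 @@ ifeq ($(SIGN),RSA2048)
 	-Wstack-usage=12288 -DIMAGE_HEADER_SIZE=512
 endif
 
+ifeq ($(SIGN),RSA4096)
+KEYGEN_OPTIONS=--rsa4096
+SIGN_OPTIONS=--rsa4096
+PRIVATE_KEY=rsa4096.der
+IMAGE_HEADER_SIZE=1024
+WOLFCRYPT_OBJS+= \
+	$(RSA_EXTRA_OBJS) \
+	$(MATH_OBJS) \
+	./lib/wolfssl/wolfcrypt/src/rsa.o \
+	./lib/wolfssl/wolfcrypt/src/sha256.o \
+	./lib/wolfssl/wolfcrypt/src/asn.o \
+	./lib/wolfssl/wolfcrypt/src/hash.o \
+	./lib/wolfssl/wolfcrypt/src/wolfmath.o \
+	./src/xmalloc_rsa.o
+PUBLIC_KEY_OBJS=./src/rsa4096_pub_key.o
+CFLAGS+=-DWOLFBOOT_SIGN_RSA4096 -DXMALLOC_USER $(RSA_EXTRA_CFLAGS) \
+	-Wstack-usage=12288 -DIMAGE_HEADER_SIZE=1024
+endif
+
 
 CFLAGS+=-Wall -Wextra -Wno-main -ffreestanding -Wno-unused \
 	-I. -Iinclude/ -Ilib/wolfssl -nostartfiles \
@@ -201,6 +223,9 @@ ecc256.der:
 rsa2048.der:
 	@python3 tools/keytools/keygen.py $(KEYGEN_OPTIONS) src/rsa2048_pub_key.c
 
+rsa4096.der:
+	@python3 tools/keytools/keygen.py $(KEYGEN_OPTIONS) src/rsa4096_pub_key.c
+
 factory.bin: $(BOOT_IMG) wolfboot-align.bin $(PRIVATE_KEY)
 	@echo "\t[SIGN] $(BOOT_IMG)"
 	$(Q)python3 tools/keytools/sign.py $(SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) 1
@@ -222,6 +247,8 @@ src/ecc256_pub_key.c: ecc256.der
 
 src/rsa2048_pub_key.c: rsa2048.der
 
+src/rsa4096_pub_key.c: rsa4096.der
+
 keys: $(PRIVATE_KEY)
 
 clean: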
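Review bot: `SPMATH=0` in the new block near the top is a plain assignment, so a `SPMATH=1` given on the make command line still wins; arch.mk would then pick sp_int.o while user_settings.h forces USE_FAST_MATH for RSA4096, and the two math backends disagree. Use `override SPMATH=0` or fail early with `$(error RSA4096 requires SPMATH=0)` so the combination cannot be built. The `-Wstack-usage=12288` threshold in the RSA4096 block is copied from the RSA2048 configuration even though `FP_MAX_BITS` doubles the size of every fp_int on the verify path; since it is only a warning threshold, re-derive it from the target's actual stack budget rather than reusing the number. `-DIMAGE_HEADER_SIZE=1024` also repeats the `IMAGE_HEADER_SIZE=1024` make variable two lines above; `-DIMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE)` keeps them from drifting.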

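--- a/arch.mk
+++ b/arch.mk
@@ -4,7 +4,7 @@
 ifeq ($(SPMATH),1)
 MATH_OBJS:=./lib/wolfssl/wolfcrypt/src/sp_int.o
 else
-MATH_OBJS:=./lib/wolfssl/wolfcrypt/src/integer.o
+MATH_OBJS:=./lib/wolfssl/wolfcrypt/src/integer.o ./lib/wolfssl/wolfcrypt/src/tfm.o
 endif
 
 # Default flash offset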
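Review bot: tfm.o is now linked into every non-SPMATH configuration, not just RSA4096, and which of integer.o or tfm.o actually contributes code is decided by whether USE_FAST_MATH is set in user_settings.h — a coupling that is invisible from this file. Presumably each object compiles to nothing when its guard macro is absent, which is why this works; confirm that for the ECC256 and RSA2048 builds. A comment above the `else` branch, `# both are built; USE_FAST_MATH in user_settings.h decides which one is non-empty`, would save the next reader from hunting for the reason.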

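--- a/include/loader.h
+++ b/include/loader.h
@@ -43,6 +43,12 @@
 # define KEY_BUFFER rsa2048_pub_key
 # define KEY_LEN rsa2048_pub_key_len
 # define IMAGE_SIGNATURE_SIZE (256)
+#elif defined(WOLFBOOT_SIGN_RSA4096)
+extern const unsigned char rsa4096_pub_key[];
+extern unsigned int rsa4096_pub_key_len;
+# define KEY_BUFFER rsa4096_pub_key
+# define KEY_LEN rsa4096_pub_key_len
+# define IMAGE_SIGNATURE_SIZE (512)
 #else
 # error "No public key available for given signing algorithm."
 #endif /* Algorithm selection */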
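Review bot: `extern unsigned int rsa4096_pub_key_len;` declares a non-const object, but keygen.py in this same commit emits the definition as `const uint32_t rsa4096_pub_key_len = ...;`; declaring one object as const in one translation unit and non-const in another is an incompatible-type mismatch in C, and it lets code in this unit compile a store to a symbol the linker will most likely place in read-only flash. Declare it as `extern const unsigned int rsa4096_pub_key_len;` (the rsa2048 line above has the same mismatch, but that predates this commit).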

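--- a/include/user_settings.h
+++ b/include/user_settings.h
@@ -34,6 +34,7 @@
 //#define TFM_TIMING_RESISTANT
 #define SIZEOF_LONG_LONG 8
 
+
 /* ED25519 and SHA512 */
 #ifdef WOLFBOOT_SIGN_ED25519
 # define HAVE_ED25519
@@ -97,6 +98,16 @@
 # define WOLFSSL_SP_NO_3072
 #endif
 
+#ifdef WOLFBOOT_SIGN_RSA4096
+# define HAVE_RSA
+# define RSA_LOW_MEM
+# define WOLFSSL_RSA_VERIFY_INLINE
+# define FP_MAX_BITS (4096 * 2)
+# define WC_RSA_BLINDING
+# define USE_FAST_MATH
+# define TFM_TIMING_RESISTANT
+#endif
+
 /* Disables - For minimum wolfCrypt build */
 #define NO_AES
 #define NO_CMAC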
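Review bot: `WC_RSA_BLINDING` and `TFM_TIMING_RESISTANT` in the new RSA4096 block are countermeasures for private-key operations, and the bootloader only ever verifies with the public key, so they add code (blinding presumably drags an RNG path into the build) without protecting anything here; either drop them or add a comment explaining why they are wanted, especially since line 34 leaves `//#define TFM_TIMING_RESISTANT` commented out at file level and makes the block-level define look accidental. If the vendored wolfSSL supports `WOLFSSL_RSA_VERIFY_ONLY` or `WOLFSSL_RSA_PUBLIC_ONLY`, those remove the private-key code entirely. `FP_MAX_BITS (4096 * 2)` is the right fast-math sizing for a 4096-bit modulus, but a one-line comment saying so would help, given that the RSA2048 block just above uses SP math instead.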

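--- a/include/wolfboot/wolfboot.h
+++ b/include/wolfboot/wolfboot.h
@@ -49,6 +49,7 @@
 #define HDR_IMG_TYPE_AUTH_ED25519 0x0100
 #define HDR_IMG_TYPE_AUTH_ECC256 0x0200
 #define HDR_IMG_TYPE_AUTH_RSA2048 0x0300
+#define HDR_IMG_TYPE_AUTH_RSA4096 0x0400
 #define HDR_IMG_TYPE_WOLFBOOT 0x0000
 #define HDR_IMG_TYPE_APP 0x0001
 
@@ -60,6 +61,8 @@
 # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC256
 #elif defined(WOLFBOOT_SIGN_RSA2048)
 # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA2048
+#elif defined(WOLFBOOT_SIGN_RSA4096)
+# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA4096
 #else
 # error "no valid authentication mechanism selected. Please define WOLFBOOT_SIGN_ED25519 or WOLFBOOT_SIGN_ECC256 or WOLFBOOT_SIGN_RSA2048"
 #endif /* defined WOLFBOOT_SIGN_ECC256 || WOLFBOOT_SIGN_ED25519 */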
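Review bot: The `#error` text on the `#else` branch still tells the user to define WOLFBOOT_SIGN_ED25519, WOLFBOOT_SIGN_ECC256 or WOLFBOOT_SIGN_RSA2048, so the new RSA4096 option is invisible exactly when a build is misconfigured; extend it to `... or WOLFBOOT_SIGN_RSA2048 or WOLFBOOT_SIGN_RSA4096"`. The closing `#endif` comment likewise names only two of the four mechanisms and is worth updating in the same pass.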

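--- a/src/image.c
+++ b/src/image.c
@@ -90,11 +90,17 @@ static int wolfBoot_verify_signature(uint8_t *hash, uint8_t *sig)
 }
 #endif /* WOLFBOOT_SIGN_ECC256 */
 
-#ifdef WOLFBOOT_SIGN_RSA2048
+#if defined(WOLFBOOT_SIGN_RSA2048) || defined (WOLFBOOT_SIGN_RSA4096)
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
-#define RSA_MAX_KEY_SIZE 256
-#define RSA_SIG_SIZE 256
+
+#ifdef WOLFBOOT_SIGN_RSA4096
+# define RSA_MAX_KEY_SIZE 512
+# define RSA_SIG_SIZE 512
+#else
+# define RSA_MAX_KEY_SIZE 256
+# define RSA_SIG_SIZE 256
+#endif
 
 static int wolfBoot_verify_signature(uint8_t *hash, uint8_t *sig)
 {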
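Review bot: `RSA_SIG_SIZE` and `RSA_MAX_KEY_SIZE` restate the 512/256 byte values that loader.h already fixes as `IMAGE_SIGNATURE_SIZE` in this commit, so the two definitions can drift apart; if loader.h is visible in this unit, `# define RSA_SIG_SIZE IMAGE_SIGNATURE_SIZE` keeps a single source of truth. wolfBoot_verify_signature begins on the hunk's last lines and its body continues outside the hunk, so this review cannot see whether it checks that the decoded public key's modulus size equals RSA_SIG_SIZE before verifying; with two key sizes now sharing this path, confirm that check exists (wc_RsaEncryptSize on the decoded key) and that a `sig` shorter than RSA_SIG_SIZE is rejected rather than read past.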

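--- a/test-app/Makefile
+++ b/test-app/Makefile
@@ -8,6 +8,10 @@ ifeq ($(SIGN),RSA2048)
 IMAGE_HEADER_SIZE:=512
 endif
 
+ifeq ($(SIGN),RSA4096)
+IMAGE_HEADER_SIZE:=1024
+endif
+
 CFLAGS:=-g -ggdb -Wall -Wstack-usage=1024 -ffreestanding -Wno-unused -DPLATFORM_$(TARGET) -I../include -nostartfiles
 
 APP_OBJS:=app_$(TARGET).o led.o system.o timer.o ../hal/$(TARGET).o ../src/libwolfboot.o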

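--- a/tools/keytools/keygen.py
+++ b/tools/keytools/keygen.py
@@ -33,20 +33,21 @@
 
 Ed25519_pub_key_define = "const uint8_t ed25519_pub_key[32] = {\n\t"
 Ecc256_pub_key_define = "const uint8_t ecc256_pub_key[64] = {\n\t"
-Rsa_pub_key_define = "const uint8_t rsa2048_pub_key[%d] = {\n\t"
+Rsa_2048_pub_key_define = "const uint8_t rsa2048_pub_key[%d] = {\n\t"
+Rsa_4096_pub_key_define = "const uint8_t rsa4096_pub_key[%d] = {\n\t"
 
 sign="ed25519"
 
 argc = len(sys.argv)
 argv = sys.argv
 
 if (argc < 2) or (argc > 3):
-    print("Usage: %s [--ed25519 | --ecc256 | --rsa2048 ] pub_key_file.c\n" % sys.argv[0])
+    print("Usage: %s [--ed25519 | --ecc256 | --rsa2048 | --rsa4096 ] pub_key_file.c\n" % sys.argv[0])
     sys.exit(1)
 
 if argc == 3:
-    if argv[1] != '--ed25519' and argv[1] != '--ecc256' and argv[1] != '--rsa2048':
-        print("Usage: %s [--ed25519 | --ecc256 | --rsa2048] pub_key_file.c\n" % sys.argv[0])
+    if argv[1] != '--ed25519' and argv[1] != '--ecc256' and argv[1] != '--rsa2048' and argv[1] != '--rsa4096':
+        print("Usage: %s [--ed25519 | --ecc256 | --rsa2048 | --rsa4096] pub_key_file.c\n" % sys.argv[0])
         sys.exit(1)
     sign=argv[1][2:]
     pubkey_cfile = argv[2]
@@ -130,7 +131,6 @@
         f.write("const uint32_t ecc256_pub_key_len = 64;\n")
         f.close()
 
-
 if (sign == "rsa2048"):
     rsa = ciphers.RsaPrivate.make_key(2048)
     if os.path.exists(key_file):
@@ -148,7 +148,7 @@
     print("Creating file " + pubkey_cfile)
     with open(pubkey_cfile, "w") as f:
         f.write(Cfile_Banner)
-        f.write(Rsa_pub_key_define % len(pub))
+        f.write(Rsa_2048_pub_key_define % len(pub))
         i = 0
         for c in bytes(pub):
             f.write("0x%02X, " % c)
@@ -158,3 +158,31 @@
         f.write("\n};\n")
         f.write("const uint32_t rsa2048_pub_key_len = %d;\n" % len(pub))
         f.close()
+
+if (sign == "rsa4096"):
+    rsa = ciphers.RsaPrivate.make_key(4096)
+    if os.path.exists(key_file):
+        choice = input("** Warning: key file already exist! Are you sure you want to "+
+                "generate a new key and overwrite the existing key? [Type 'Yes, I am sure!']: ")
+        if (choice != "Yes, I am sure!"):
+            print("Operation canceled.")
+            sys.exit(2)
+    priv,pub = rsa.encode_key()
+    print()
+    print("Creating file " + key_file)
+    with open(key_file, "wb") as f:
+        f.write(priv)
+        f.close()
+    print("Creating file " + pubkey_cfile)
+    with open(pubkey_cfile, "w") as f:
+        f.write(Cfile_Banner)
+        f.write(Rsa_4096_pub_key_define % len(pub))
+        i = 0
+        for c in bytes(pub):
+            f.write("0x%02X, " % c)
+            i += 1
+            if (i % 8 == 0):
+                f.write('\n')
+        f.write("\n};\n")
+        f.write("const uint32_t rsa4096_pub_key_len = %d;\n" % len(pub))
+        f.close()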
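Review bot: The private signing key is written with a plain `open(key_file, "wb")`, so `rsa4096.der` is created with whatever the process umask allows, typically world-readable; create it with `fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, "wb") as f:` so the key is owner-only from the first byte (the rsa2048 branch has the same gap, predating this commit). `make_key(4096)` also runs before the overwrite prompt, so a cancelled run has already paid for a slow 4096-bit key generation; move the prompt ahead of the `make_key` call. The entire rsa4096 branch is the rsa2048 branch with the bit size, the define string and the `_len` name changed, so a helper taking those three values would remove the duplication, and the `f.close()` calls inside `with` blocks are redundant.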

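--- a/tools/keytools/sign.py
+++ b/tools/keytools/sign.py
@@ -46,6 +46,7 @@
 HDR_IMG_TYPE_AUTH_ED25519 = 0x0100
 HDR_IMG_TYPE_AUTH_ECC256 = 0x0200
 HDR_IMG_TYPE_AUTH_RSA2048 = 0x0300
+HDR_IMG_TYPE_AUTH_RSA4096 = 0x0400
 
 HDR_IMG_TYPE_WOLFBOOT = 0x0000
 HDR_IMG_TYPE_APP = 0x0001
@@ -59,7 +60,7 @@
 argv = sys.argv
 
 if (argc < 4) or (argc > 6):
-    print("Usage: %s [--ed25519 | --ecc256 | --rsa2048 ] [--wolfboot-update] image key.der fw_version\n" % sys.argv[0])
+    print("Usage: %s [--ed25519 | --ecc256 | --rsa2048 | --rsa4096 ] [--wolfboot-update] image key.der fw_version\n" % sys.argv[0])
     sys.exit(1)
 for i in range(1, len(argv)):
     if (argv[i] == '--ed25519'):
@@ -68,6 +69,8 @@
         sign='ecc256'
     elif (argv[i] == '--rsa2048'):
         sign='rsa2048'
+    elif (argv[i] == '--rsa4096'):
+        sign='rsa4096'
     elif (argv[i] == '--wolfboot-update'):
         self_update = True
     else:
@@ -114,6 +117,9 @@
     if sign == 'auto':
         sign = 'ecc256'
         print("'ecc256' key autodetected.")
+elif (wolfboot_private_key_len > 512):
+    if (sign == 'auto'):
+        print("'rsa4096' key autodetected.")
 elif (wolfboot_private_key_len > 128):
     if (sign == 'auto'):
         print("'rsa2048' key autodetected.")
@@ -134,16 +140,22 @@
     pubkey = wolfboot_private_key[0:64]
 
 if sign == 'rsa2048':
-    WOLFBOOT_HEADER_SIZE = 512
+    WOLFBOOT_HEADER_SIZE = 512
     HDR_SIGNATURE_LEN = 256
     rsa = ciphers.RsaPrivate(wolfboot_private_key)
     privkey,pubkey = rsa.encode_key()
 
+if sign == 'rsa4096':
+    WOLFBOOT_HEADER_SIZE = 1024
+    HDR_SIGNATURE_LEN = 512
+    rsa = ciphers.RsaPrivate(wolfboot_private_key)
+    privkey,pubkey = rsa.encode_key()
+
 
 img_size = os.path.getsize(image_file)
 # Magic header (spells 'WOLF')
 header = struct.pack('<L', WOLFBOOT_MAGIC)
-# Image size
+# Image size
 header += struct.pack('<L', img_size)
 
 # No pad bytes, version is aligned
@@ -168,6 +180,8 @@
     img_type = HDR_IMG_TYPE_AUTH_ECC256
 if (sign == 'rsa2048'):
     img_type = HDR_IMG_TYPE_AUTH_RSA2048
+if (sign == 'rsa4096'):
+    img_type = HDR_IMG_TYPE_AUTH_RSA4096
 
 if (not self_update):
     img_type |= HDR_IMG_TYPE_APP
@@ -209,7 +223,7 @@
 elif (sign == 'ecc256'):
     r, s = ecc.sign_raw(digest)
     signature = r + s
-elif (sign == 'rsa2048'):
+elif (sign == 'rsa2048') or (sign == 'rsa4096'):
     signature = rsa.sign(digest)
     #plain = rsa.verify(signature)
     #print("plain:%d " % len(plain))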
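Review bot: The new autodetect branch `elif (wolfboot_private_key_len > 512):` prints that an RSA-4096 key was found but never assigns `sign = 'rsa4096'`, so when no `--rsa4096` option is given `sign` stays 'auto', none of the rsa4096 blocks further down run, and the image reaches the signing step with no matching branch (the rsa2048 branch's own assignment is presumably on the line just past this hunk). The threshold is also wrong: a 2048-bit PKCS#1 private key in DER is roughly 1.2 KB, far more than 512 bytes, so once the assignment is added every RSA-2048 key would be reported as 4096-bit because this check runs before the `> 128` one. Use something like `elif (wolfboot_private_key_len > 2048):` with `sign = 'rsa4096'` inserted under the `if (sign == 'auto'):`, or better, parse the key first and derive the size from its modulus instead of the file length. The separate `if sign == 'rsa4096':` block after the rsa2048 one would read more clearly as an `elif`.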
