Add support for using an RSA signature that includes ASN.1 encoded header. On by default, can be disabled using NO_RSA_SIG_ENCODING. Added support for signing with encoding using --rsa2048enc or --rsa4096enc.

dgarske · dgarske · commit e91038088950 · 2020-06-23T11:39:30.000-07:00
diff --git a/src/image.c b/src/image.c
@@ -115,8 +115,54 @@ static int wolfBoot_verify_signature(uint8_t *hash, uint8_t *sig)
 #endif /* WOLFBOOT_SIGN_ECC256 */
 
 #if defined(WOLFBOOT_SIGN_RSA2048) || defined (WOLFBOOT_SIGN_RSA4096)
-#include <wolfssl/wolfcrypt/asn_public.h>
+#include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/rsa.h>
+
+#ifndef NO_RSA_SIG_ENCODING /* option to reduce code size */
+static inline int DecodeAsn1Tag(const uint8_t* input, int inputSz, int* inOutIdx,
+    int* tag_len, uint8_t tag)
+{
+    if (input[*inOutIdx] != tag) {
+        return -1;
+    }
+    (*inOutIdx)++;
+    *tag_len = input[*inOutIdx];
+    (*inOutIdx)++;
+    if (*tag_len + *inOutIdx > inputSz) {
+        return -1;
+    }
+    return 0;
+}
+static int RsaDecodeSignature(uint8_t** pInput, int inputSz)
+{
+    uint8_t* input = *pInput;
+    int idx = 0;
+    int digest_len = 0, algo_len, tot_len;
+
+    /* sequence - total size */
+    if (DecodeAsn1Tag(input, inputSz, &idx, &tot_len, 
+            ASN_SEQUENCE | ASN_CONSTRUCTED) != 0) {
+        return -1;
+    }
+
+    /* sequence - algoid */
+    if (DecodeAsn1Tag(input, inputSz, &idx, &algo_len, 
+            ASN_SEQUENCE | ASN_CONSTRUCTED) != 0) {
+        return -1;
+    }
+    idx += algo_len; /* skip algoid */
+
+    /* digest */
+    if (DecodeAsn1Tag(input, inputSz, &idx, &digest_len, 
+            ASN_OCTET_STRING) != 0) {
+        return -1;
+    }
+    /* return digest buffer pointer */
+    *pInput = &input[idx];
+    return digest_len;
+}
+#endif /* !NO_RSA_SIG_ENCODING */
+
 static int wolfBoot_verify_signature(uint8_t *hash, uint8_t *sig)
 {
 #ifdef WOLFBOOT_TPM
@@ -142,7 +188,8 @@ static int wolfBoot_verify_signature(uint8_t *hash, uint8_t *sig)
 #else
     int ret;
     struct RsaKey rsa;
-    uint8_t digest_out[IMAGE_SIGNATURE_SIZE];
+    uint8_t* digest_out = NULL;
+    uint8_t output[IMAGE_SIGNATURE_SIZE];
     word32 in_out = 0;
 
     ret = wc_InitRsaKey(&rsa, NULL);
@@ -156,10 +203,18 @@ static int wolfBoot_verify_signature(uint8_t *hash, uint8_t *sig)
         /* Failed to import rsa key */
         return -1;
     }
-    ret = wc_RsaSSL_Verify(sig, IMAGE_SIGNATURE_SIZE, digest_out, IMAGE_SIGNATURE_SIZE, &rsa);
-    if (ret == WOLFBOOT_SHA_DIGEST_SIZE) {
-        if (memcmp(digest_out, hash, ret) == 0)
-            return 0;
+    ret = wc_RsaSSL_Verify(sig, IMAGE_SIGNATURE_SIZE, output, 
+        IMAGE_SIGNATURE_SIZE, &rsa);
+    digest_out = output;
+#ifndef NO_RSA_SIG_ENCODING
+    if (ret > WOLFBOOT_SHA_DIGEST_SIZE) {
+        /* larger result indicates it might have an ASN.1 encoded header */
+        ret = RsaDecodeSignature(&digest_out, ret);
+    }
+#endif
+    if (ret == WOLFBOOT_SHA_DIGEST_SIZE && digest_out &&
+            memcmp(digest_out, hash, ret) == 0) {
+        return 0;
     }
     return -1;
 #endif /* WOLFBOOT_TPM */
diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c
@@ -37,6 +37,7 @@
 #include <sys/types.h>
 
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/asn.h>
 
 #ifdef HAVE_CHACHA
 #include <wolfssl/wolfcrypt/chacha.h>
@@ -158,6 +159,7 @@ int main(int argc, char** argv)
     uint32_t idx, read_sz, pos;
     uint16_t image_type;
     uint32_t fw_version32;
+    uint32_t sign_wenc = 0;
     struct stat attrib;
     union {
 #ifdef HAVE_ED25519
@@ -178,7 +180,7 @@ int main(int argc, char** argv)
 
     /* Check arguments and print usage */
     if (argc < 4 || argc > 10) {
-        printf("Usage: %s [--ed25519 | --ecc256 | --rsa2048 | --rsa4096 ] [--sha256 | --sha3] [--wolfboot-update] [--encrypt enc_key.bin] image key.der fw_version\n", argv[0]);
+        printf("Usage: %s [--ed25519 | --ecc256 | --rsa2048 | --rsa2048enc | --rsa4096 | --rsa4096enc ] [--sha256 | --sha3] [--wolfboot-update] [--encrypt enc_key.bin] image key.der fw_version\n", argv[0]);
         printf("  - or - ");
         printf("       %s [--sha256 | --sha3] [--sha-only] [--wolfboot-update] image pub_key.der fw_version\n", argv[0]);
         printf("  - or - ");
@@ -196,10 +198,20 @@ int main(int argc, char** argv)
             sign = SIGN_ECC256;
             sign_str = "ECC256";
         }
+        else if (strcmp(argv[i], "--rsa2048enc") == 0) {
+            sign = SIGN_RSA2048;
+            sign_str = "RSA2048ENC";
+            sign_wenc = 1;
+        }
         else if (strcmp(argv[i], "--rsa2048") == 0) {
             sign = SIGN_RSA2048;
             sign_str = "RSA2048";
         }
+        else if (strcmp(argv[i], "--rsa4096enc") == 0) {
+            sign = SIGN_RSA4096;
+            sign_str = "RSA4096ENC";
+            sign_wenc = 1;
+        }
         else if (strcmp(argv[i], "--rsa4096") == 0) {
             sign = SIGN_RSA4096;
             sign_str = "RSA4096";
@@ -585,7 +597,7 @@ int main(int argc, char** argv)
     }
 
     /* Sign the digest */
-    ret = NOT_COMPILED_IN; /* default erorr */
+    ret = NOT_COMPILED_IN; /* default error */
     signature = malloc(signature_sz);
     if (signature == NULL) {
         printf("Signature malloc error!\n");
@@ -614,7 +626,20 @@ int main(int argc, char** argv)
         }
         else if (sign == SIGN_RSA2048 || sign == SIGN_RSA4096) {
         #ifndef NO_RSA
-            ret = wc_RsaSSL_Sign(digest, digest_sz, signature, signature_sz, &key.rsa, &rng);
+            uint32_t enchash_sz = digest_sz;
+            uint8_t* enchash = digest;
+            if (sign_wenc) {
+                /* add ASN.1 signature encoding */
+                int hashOID = 0;
+                if (hash_algo == HASH_SHA256)
+                    hashOID = SHA256h;
+                else if (hash_algo == HASH_SHA3)
+                    hashOID = SHA3_384h;
+                enchash_sz = wc_EncodeSignature(buf, digest, digest_sz, hashOID);
+                enchash = buf;
+            }
+            ret = wc_RsaSSL_Sign(enchash, enchash_sz, signature, signature_sz, 
+                &key.rsa, &rng);
             wc_FreeRsaKey(&key.rsa);
             if (ret > 0) {
                 signature_sz = ret;
