aux algo support for RSA pss

bigbrett · bigbrett · commit 57facf1ce017 · 2026-04-28T10:58:54.000-06:00
diff --git a/include/user_settings.h b/include/user_settings.h
@@ -249,7 +249,8 @@ extern int tolower(int c);
        defined(WOLFBOOT_SIGN_RSAPSS4096) || \
        defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
        defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
-       defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
+       defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) || \
+       defined(WOLFBOOT_AUX_RSA_PSS)
 #       define WC_RSA_PSS
 #   endif
 #   if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) && \
diff --git a/options.mk b/options.mk
@@ -1439,6 +1439,15 @@ ifneq ($(CERT_CHAIN_VERIFY),)
     ifeq ($(SIGN),RSA4096)
       CERT_CHAIN_GEN_ALGO+=rsa4096
     endif
+    ifeq ($(SIGN),RSAPSS2048)
+      CERT_CHAIN_GEN_ALGO+=rsapss2048
+    endif
+    ifeq ($(SIGN),RSAPSS3072)
+      CERT_CHAIN_GEN_ALGO+=rsapss3072
+    endif
+    ifeq ($(SIGN),RSAPSS4096)
+      CERT_CHAIN_GEN_ALGO+=rsapss4096
+    endif
 
     # Per-level overrides for the dummy chain generator. Defaults: CA chain
     # uses the same algo as the leaf (SIGN-derived), SHA256 for cert sigs.
@@ -1472,7 +1481,12 @@ endif
 # cert chain verifier auto-populates these (see above), but the variables
 # are also available as a generic primitive for any future feature that
 # needs extra algo support compiled in.
-# Usage: AUX_HASH_ALGOS=sha384,sha512  AUX_PK_ALGOS=rsa4096,ecc256
+# Usage: AUX_HASH_ALGOS=sha384,sha512  AUX_PK_ALGOS=rsa4096,rsapss4096,ecc256
+#
+# RSA tokens are orthogonal along two axes: size (rsa2048/3072/4096) and
+# padding mode (rsa* = PKCS#1 v1.5, rsapss* = PSS). Each rsapssN token
+# enables both the RSAN size and PSS padding; mixing rsaN and rsapssN for
+# the same size accepts either padding for that key length.
 ifneq ($(strip $(AUX_PK_ALGOS)$(AUX_HASH_ALGOS)),)
   comma := ,
   AUX_HASH_ALGOS_LIST := $(sort $(subst $(comma), ,$(AUX_HASH_ALGOS)))
@@ -1500,17 +1514,23 @@ ifneq ($(strip $(AUX_PK_ALGOS)$(AUX_HASH_ALGOS)),)
   endif
 
   # --- PK algorithms ---
-  ifneq ($(filter rsa2048,$(AUX_PK_ALGOS_LIST)),)
+  # RSA size flags - rsa{N} and rsapss{N} both select the same N-bit
+  # modulus support; padding is set separately below.
+  ifneq ($(filter rsa2048 rsapss2048,$(AUX_PK_ALGOS_LIST)),)
     CFLAGS += -DWOLFBOOT_AUX_PK_RSA2048
   endif
-  ifneq ($(filter rsa3072,$(AUX_PK_ALGOS_LIST)),)
+  ifneq ($(filter rsa3072 rsapss3072,$(AUX_PK_ALGOS_LIST)),)
     CFLAGS += -DWOLFBOOT_AUX_PK_RSA3072
   endif
-  ifneq ($(filter rsa4096,$(AUX_PK_ALGOS_LIST)),)
+  ifneq ($(filter rsa4096 rsapss4096,$(AUX_PK_ALGOS_LIST)),)
     CFLAGS += -DWOLFBOOT_AUX_PK_RSA4096
   endif
-  # Add RSA objects if any RSA aux PK is requested
-  ifneq ($(filter rsa2048 rsa3072 rsa4096,$(AUX_PK_ALGOS_LIST)),)
+  # PSS padding - any rsapss* token enables PSS for all selected RSA sizes
+  ifneq ($(filter rsapss2048 rsapss3072 rsapss4096,$(AUX_PK_ALGOS_LIST)),)
+    CFLAGS += -DWOLFBOOT_AUX_RSA_PSS
+  endif
+  # Add RSA objects if any RSA (PKCS#1 v1.5 or PSS) aux PK is requested
+  ifneq ($(filter rsa2048 rsa3072 rsa4096 rsapss2048 rsapss3072 rsapss4096,$(AUX_PK_ALGOS_LIST)),)
     ifeq ($(filter %/rsa.o,$(WOLFCRYPT_OBJS)),)
       WOLFCRYPT_OBJS += $(RSA_OBJS)
     endif
diff --git a/tools/scripts/sim-gen-dummy-chain.sh b/tools/scripts/sim-gen-dummy-chain.sh
@@ -15,7 +15,7 @@ LEAF_ALGO=""          # Defaults to CA_ALGO if not explicitly set
 CA_HASH="sha256"      # Hash used for cert signatures throughout the chain
 
 # Whitelists
-SUPPORTED_ALGOS="ecc256 ecc384 rsa2048 rsa3072 rsa4096"
+SUPPORTED_ALGOS="ecc256 ecc384 rsa2048 rsa3072 rsa4096 rsapss2048 rsapss3072 rsapss4096"
 SUPPORTED_HASHES="sha256 sha384 sha512"
 
 is_supported_algo() {
@@ -35,16 +35,18 @@ is_supported_hash() {
 }
 
 # Helper functions for key operations. Each takes the target algo as $1.
+# rsapss* tokens carry an RSA key plus a PSS padding intent — the key
+# itself is generated/handled identically to plain rsa*.
 generate_private_key() {
     local algo=$1
     local output_file=$2
 
     case "$algo" in
-        ecc256)  openssl ecparam -genkey -name prime256v1 -noout -out "$output_file" ;;
-        ecc384)  openssl ecparam -genkey -name secp384r1  -noout -out "$output_file" ;;
-        rsa2048) openssl genrsa -out "$output_file" 2048 ;;
-        rsa3072) openssl genrsa -out "$output_file" 3072 ;;
-        rsa4096) openssl genrsa -out "$output_file" 4096 ;;
+        ecc256)             openssl ecparam -genkey -name prime256v1 -noout -out "$output_file" ;;
+        ecc384)             openssl ecparam -genkey -name secp384r1  -noout -out "$output_file" ;;
+        rsa2048|rsapss2048) openssl genrsa -out "$output_file" 2048 ;;
+        rsa3072|rsapss3072) openssl genrsa -out "$output_file" 3072 ;;
+        rsa4096|rsapss4096) openssl genrsa -out "$output_file" 4096 ;;
         *) echo "Unsupported algo: $algo" >&2; exit 1 ;;
     esac
 }
@@ -58,7 +60,7 @@ convert_key_to_der() {
         ecc256|ecc384)
             openssl ec  -in "$input_file" -outform DER -out "$output_file"
             ;;
-        rsa2048|rsa3072|rsa4096)
+        rsa2048|rsa3072|rsa4096|rsapss2048|rsapss3072|rsapss4096)
             openssl rsa -in "$input_file" -outform DER -out "$output_file"
             ;;
         *) echo "Unsupported algo: $algo" >&2; exit 1 ;;
@@ -79,7 +81,7 @@ extract_public_key() {
         ecc256|ecc384)
             openssl ec  -pubin -in "$pubkey_pem" -outform DER -out "$pubkey_der"
             ;;
-        rsa2048|rsa3072|rsa4096)
+        rsa2048|rsa3072|rsa4096|rsapss2048|rsapss3072|rsapss4096)
             openssl rsa -pubin -in "$pubkey_pem" -outform DER -out "$pubkey_der"
             ;;
         *) echo "Unsupported algo: $algo" >&2; exit 1 ;;
@@ -94,13 +96,27 @@ validate_key_format() {
         ecc256|ecc384)
             openssl ec  -in "$key_file" -noout
             ;;
-        rsa2048|rsa3072|rsa4096)
+        rsa2048|rsa3072|rsa4096|rsapss2048|rsapss3072|rsapss4096)
             openssl rsa -in "$key_file" -noout
             ;;
         *) echo "Unsupported algo: $algo" >&2; exit 1 ;;
     esac
 }
 
+# Build openssl -sigopt args for a given algo + hash. For rsapss* algos
+# we ask openssl to use PSS padding with salt length equal to the digest
+# length and MGF1 keyed by the same hash (the standard interoperable
+# choice that wolfCrypt's PSS verify expects). Empty for non-PSS algos.
+sig_opts_for_algo() {
+    local algo=$1
+    local hash=$2
+    case "$algo" in
+        rsapss*)
+            echo "-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest -sigopt rsa_mgf1_md:$hash"
+            ;;
+    esac
+}
+
 usage() {
     cat <<EOT
 Usage: $0 [options]
@@ -191,6 +207,14 @@ if [[ -z "$LEAF_ALGO" ]]; then
     LEAF_ALGO="$CA_ALGO"
 fi
 
+# Resolve PSS sigopts once based on the selected algos. CA_SIG_OPTS
+# applies to every cert signed by a CA-tier key (root self-sig,
+# intermediate CSR self-sig, intermediate cert, leaf cert); LEAF_SIG_OPTS
+# applies to the leaf CSR self-sig only (the leaf cert itself is signed
+# by the intermediate's CA-tier key). Both are empty for non-PSS algos.
+CA_SIG_OPTS=$(sig_opts_for_algo "$CA_ALGO" "$CA_HASH")
+LEAF_SIG_OPTS=$(sig_opts_for_algo "$LEAF_ALGO" "$CA_HASH")
+
 # Configuration
 ROOT_SUBJECT="/C=US/ST=California/L=San Francisco/O=MyOrganization/OU=Root CA/CN=My Root CA"
 INTERMEDIATE_SUBJECT="/C=US/ST=California/L=San Francisco/O=MyOrganization/OU=Intermediate CA/CN=My Intermediate CA"
@@ -210,7 +234,7 @@ echo "Generating Root CA..."
 generate_private_key "$CA_ALGO" "${OUTPUT_DIR}/temp/root.key.pem"
 
 # Create PEM format root certificate (temporary)
-openssl req -new -x509 -days 3650 -$CA_HASH \
+openssl req -new -x509 -days 3650 -$CA_HASH $CA_SIG_OPTS \
     -key ${OUTPUT_DIR}/temp/root.key.pem \
     -out ${OUTPUT_DIR}/temp/root.crt.pem \
     -subj "$ROOT_SUBJECT" \
@@ -225,13 +249,13 @@ openssl x509 -in ${OUTPUT_DIR}/temp/root.crt.pem -outform DER -out ${OUTPUT_DIR}
 echo "Generating Intermediate CA..."
 generate_private_key "$CA_ALGO" "${OUTPUT_DIR}/temp/intermediate.key.pem"
 
-openssl req -new -$CA_HASH \
+openssl req -new -$CA_HASH $CA_SIG_OPTS \
     -key ${OUTPUT_DIR}/temp/intermediate.key.pem \
     -out ${OUTPUT_DIR}/temp/intermediate.csr \
     -subj "$INTERMEDIATE_SUBJECT"
 
 # Step 3: Sign Intermediate certificate with Root
-openssl x509 -req -days 1825 -$CA_HASH \
+openssl x509 -req -days 1825 -$CA_HASH $CA_SIG_OPTS \
     -in ${OUTPUT_DIR}/temp/intermediate.csr \
     -out ${OUTPUT_DIR}/temp/intermediate.crt.pem \
     -CA ${OUTPUT_DIR}/temp/root.crt.pem \
@@ -258,13 +282,13 @@ fi
 # Create CSR for leaf certificate (CSR is signed by leaf key, but the
 # resulting cert signature is set by the CA when signing - so the CSR
 # self-signature uses CA_HASH for consistency).
-openssl req -new -$CA_HASH \
+openssl req -new -$CA_HASH $LEAF_SIG_OPTS \
     -key ${OUTPUT_DIR}/temp/leaf.key.pem \
     -out ${OUTPUT_DIR}/temp/leaf.csr \
     -subj "$LEAF_SUBJECT"
 
 # Step 5: Sign Leaf certificate with Intermediate (uses CA_HASH)
-openssl x509 -req -days 365 -$CA_HASH \
+openssl x509 -req -days 365 -$CA_HASH $CA_SIG_OPTS \
     -in ${OUTPUT_DIR}/temp/leaf.csr \
     -out ${OUTPUT_DIR}/temp/leaf.crt.pem \
     -CA ${OUTPUT_DIR}/temp/intermediate.crt.pem \
