
Add the possibility to sign with RSA PSS

Message ID: 20250319134035.11327-1-lpmeyer@ics.com
State: Accepted
Delegated to: Stefano Babic
Series: Add the possibility to sign with RSA PSS

Commit Message

Lisandro Pérez Meyer March 19, 2025, 1:40 p.m. UTC
From: Lisandro Perez Meyer <lpmeyer@ics.com>

Add the RSA PSS variant described in SWUpdate's documentation by
extending the RSA method.

Signed-off-by: Lisandro Perez Meyer <lpmeyer@ics.com>
---
 README                                 | 4 +++-
 classes-recipe/swupdate-common.bbclass | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

Comments

Lisandro Pérez Meyer March 19, 2025, 1:42 p.m. UTC | #1
Apologies, this should have had [meta-swupdate] on the topic.

On Wed, Mar 19, 2025 at 10:41 AM Lisandro Pérez Meyer <lpmeyer@ics.com>
wrote:

> From: Lisandro Perez Meyer <lpmeyer@ics.com>
>
> Add the RSA PSS variant described in SWUpdate's documentation by
> extending the RSA method.
>
> Signed-off-by: Lisandro Perez Meyer <lpmeyer@ics.com>
> ---
>  README                                 | 4 +++-
>  classes-recipe/swupdate-common.bbclass | 8 ++++++++
>  2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/README b/README
> index ec803cb..96dfbf2 100644
> --- a/README
> +++ b/README
> @@ -50,7 +50,9 @@ There are 3 signing mechanisms supported by
> meta-swupdate at the moment:
>
>  1. RSA signing:
>
> -  * Set variable: `SWUPDATE_SIGNING = "RSA"`
> +  * Set variable: `SWUPDATE_SIGNING` according to the RSA type you want
> to use:
> +     - For RSA PKCS#1.5 use `SWUPDATE_SIGNING = "RSA"`
> +     - For RSA PSS use `SWUPDATE_SIGNING = "RSA-PSS"`
>
>    * Set `SWUPDATE_PRIVATE_KEY` to the full path of private key file
>
> diff --git a/classes-recipe/swupdate-common.bbclass
> b/classes-recipe/swupdate-common.bbclass
> index 7b49561..2bc7f3e 100644
> --- a/classes-recipe/swupdate-common.bbclass
> +++ b/classes-recipe/swupdate-common.bbclass
> @@ -209,6 +209,14 @@ def prepare_sw_description(d):
>              if not os.path.exists(privkey):
>                  bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" %
> (privkey))
>              signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] +
> get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-out", sw_desc_sig,
> sw_desc]
> +        elif signing == "RSA-PSS":
> +            privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
> +            if not privkey:
> +                bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
> +            if not os.path.exists(privkey):
> +                bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" %
> (privkey))
> +            signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] +
> get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \
> +                      ["-sigopt", "rsa_padding_mode:pss", "-sigopt",
> "rsa_pss_saltlen:-2", "-out", sw_desc_sig, sw_desc]
>          elif signing == "CMS":
>              cms_cert = d.getVar('SWUPDATE_CMS_CERT')
>              if not cms_cert:
> --
> 2.47.2
>
>
Lisandro Pérez Meyer April 8, 2025, 4:23 p.m. UTC | #2
On Wed, Mar 19, 2025 at 10:42 AM Lisandro Pérez Meyer <lpmeyer@ics.com>
wrote:

> Apologies, this should have had [meta-swupdate] on the topic.
>
> On Wed, Mar 19, 2025 at 10:41 AM Lisandro Pérez Meyer <lpmeyer@ics.com>
> wrote:
>
>> From: Lisandro Perez Meyer <lpmeyer@ics.com>
>>
>> Add the RSA PSS variant described in SWUpdate's documentation by
>> extending the RSA method.
>>
>
Also: I should have noted that I've tried to do the same via a custom
command, but I had an issue with the order of the elements passed on the
final command line. I could have very easily got that wrong though.
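The two SWUPDATE_SIGNING values in this patch select two different RSA padding modes, and a signature made under one does not verify under the other. The following is an added shell example, not code from the patch, from meta-swupdate or from SWUpdate: it signs a constructed sw-description with the exact openssl invocations the bbclass builds for "RSA" and for "RSA-PSS", then verifies each signature under both padding modes. The working directory, the key size, the file names and the sw-description contents are assumptions made here; the verify side uses rsa_pss_saltlen:auto, which is the verification meaning of the -2 the patch passes on the signing side.

```shell
#!/bin/sh
# Added example (not meta-swupdate code): PKCS#1 v1.5 vs PSS signing of an
# sw-description and a 2x2 verification matrix. Requires the openssl CLI.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 2; }

# Assumed scratch layout; WORK may be overridden from the environment.
WORK="${WORK:-$(mktemp -d)}"
PRIVKEY="$WORK/swupdate-priv.pem"     # stands in for SWUPDATE_PRIVATE_KEY
PUBKEY="$WORK/swupdate-public.pem"    # the half the device would carry
SW_DESC="$WORK/sw-description"

# Throwaway 2048-bit RSA key for the demo, plus its public key.
make_test_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PRIVKEY" 2>/dev/null
    openssl pkey -in "$PRIVKEY" -pubout -out "$PUBKEY"
}

# Constructed minimal sw-description; contents do not matter for signing.
make_sw_description() {
    cat > "$SW_DESC" <<'EOF'
software = { version = "1.0.0"; };
EOF
}

# Same argument order as the bbclass "RSA" branch:
#   openssl dgst -sha256 -sign <key> -out <sig> <sw-description>
sign_pkcs1() {
    openssl dgst -sha256 -sign "$PRIVKEY" -out "$1" "$SW_DESC"
}

# Same argument order as the bbclass "RSA-PSS" branch; the -sigopt pairs
# must precede -out and the input file. rsa_pss_saltlen:-2 means "use the
# maximum salt length the modulus allows" when signing.
sign_pss() {
    openssl dgst -sha256 -sign "$PRIVKEY" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 \
        -out "$1" "$SW_DESC"
}

# Verify $1 as a PKCS#1 v1.5 signature over the sw-description.
verify_pkcs1() {
    openssl dgst -sha256 -verify "$PUBKEY" -signature "$1" "$SW_DESC" \
        >/dev/null 2>&1
}

# Verify $1 as a PSS signature, recovering the salt length from the
# encoding ("auto"); a verifier that assumed the digest length would
# reject the maximum-salt signatures produced above.
verify_pss() {
    openssl dgst -sha256 -verify "$PUBKEY" -signature "$1" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto \
        "$SW_DESC" >/dev/null 2>&1
}

# Run the matrix and print one token per cell, in the order
# pkcs1-sig/pkcs1-verify, pss-sig/pss-verify, pkcs1-sig/pss-verify,
# pss-sig/pkcs1-verify. Only the two matching cells verify.
padding_matrix() {
    make_test_key
    make_sw_description
    sign_pkcs1 "$WORK/sw-description.sig.pkcs1"
    sign_pss   "$WORK/sw-description.sig.pss"
    r1=$(verify_pkcs1 "$WORK/sw-description.sig.pkcs1" && echo ok || echo fail)
    r2=$(verify_pss   "$WORK/sw-description.sig.pss"   && echo ok || echo fail)
    r3=$(verify_pss   "$WORK/sw-description.sig.pkcs1" && echo ok || echo fail)
    r4=$(verify_pkcs1 "$WORK/sw-description.sig.pss"   && echo ok || echo fail)
    echo "$r1 $r2 $r3 $r4"
}
```

Running `padding_matrix` prints `ok ok fail fail`: the cross cases fail, which is why the value chosen for SWUPDATE_SIGNING has to match the padding mode the device's SWUpdate was built to verify, and why a PSS verifier has to accept an auto-detected salt length when the signer used -2.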

Patch

diff --git a/README b/README
index ec803cb..96dfbf2 100644
--- a/README
+++ b/README
@@ -50,7 +50,9 @@  There are 3 signing mechanisms supported by meta-swupdate at the moment:
 
 1. RSA signing:
 
-  * Set variable: `SWUPDATE_SIGNING = "RSA"`
+  * Set variable: `SWUPDATE_SIGNING` according to the RSA type you want to use:
+     - For RSA PKCS#1.5 use `SWUPDATE_SIGNING = "RSA"`
+     - For RSA PSS use `SWUPDATE_SIGNING = "RSA-PSS"`
 
   * Set `SWUPDATE_PRIVATE_KEY` to the full path of private key file
 
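Review bot: the first new bullet should say "PKCS#1 v1.5" (RSASSA-PKCS1-v1_5) rather than "PKCS#1.5", which is not the name of any standard and reads like a version of PKCS. The bullets should also tell the reader that the value has to match the signature algorithm the target's SWUpdate was built to verify: a signature produced with PSS padding does not verify under a PKCS#1 v1.5 verifier and vice versa, so changing SWUPDATE_SIGNING alone, without configuring the device side for PSS, yields images the device rejects. Suggested wording for the second bullet: `- For RSA PSS (the target's SWUpdate must be built to verify PSS signatures) use SWUPDATE_SIGNING = "RSA-PSS"`.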
diff --git a/classes-recipe/swupdate-common.bbclass b/classes-recipe/swupdate-common.bbclass
index 7b49561..2bc7f3e 100644
--- a/classes-recipe/swupdate-common.bbclass
+++ b/classes-recipe/swupdate-common.bbclass
@@ -209,6 +209,14 @@  def prepare_sw_description(d):
             if not os.path.exists(privkey):
                 bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey))
             signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] + get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-out", sw_desc_sig, sw_desc]
+        elif signing == "RSA-PSS":
+            privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
+            if not privkey:
+                bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
+            if not os.path.exists(privkey):
+                bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey))
+            signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] + get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \
+                      ["-sigopt", "rsa_padding_mode:pss", "-sigopt", "rsa_pss_saltlen:-2", "-out", sw_desc_sig, sw_desc]
         elif signing == "CMS":
             cms_cert = d.getVar('SWUPDATE_CMS_CERT')
             if not cms_cert:
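Review bot: the new RSA-PSS branch repeats the three SWUPDATE_PRIVATE_KEY checks of the RSA branch directly above it verbatim; fold the two into one branch so the checks exist once, e.g. `elif signing in ("RSA", "RSA-PSS"):` followed by the existing checks and the base `signcmd`, then `if signing == "RSA-PSS": signcmd += ["-sigopt", "rsa_padding_mode:pss", "-sigopt", "rsa_pss_saltlen:-2"]` before appending `["-out", sw_desc_sig, sw_desc]`, keeping the -sigopt pairs ahead of -out and the input file as the hunk already does. The bare -2 deserves a comment: it is OpenSSL's "auto" salt-length value, which on signing means the maximum salt length the modulus allows, so the device-side verifier has to recover the salt length from the signature rather than assume the digest length; noting that this is the invocation from SWUpdate's documentation would let a future reader check it. Lastly, `d.getVar('SWUPDATE_PRIVATE_KEY', True)` uses the obsolete expand argument; the CMS branch two lines below calls `d.getVar('SWUPDATE_CMS_CERT')`, and new code should use that form.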