fix: RSA: Use 32-byte salt with PSS
The verification code requires a fixed 32-byte salt, which seems is what
the old crypto library did. Use this same value to avoid having to
modify the code.
Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/scripts/imgtool/keys/rsa.py b/scripts/imgtool/keys/rsa.py
index 96951c9..4ddbfc6 100644
--- a/scripts/imgtool/keys/rsa.py
+++ b/scripts/imgtool/keys/rsa.py
@@ -87,7 +87,9 @@
f.write(pem)
def sign(self, payload):
+ # The verification code only allows the salt length to be the
+ # same as the hash length, 32.
return self.key.sign(
data=payload,
- padding=PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH),
+ padding=PSS(mgf=MGF1(SHA256()), salt_length=32),
algorithm=SHA256())
diff --git a/scripts/imgtool/keys/rsa_test.py b/scripts/imgtool/keys/rsa_test.py
index 0d3dfd8..8151878 100644
--- a/scripts/imgtool/keys/rsa_test.py
+++ b/scripts/imgtool/keys/rsa_test.py
@@ -87,7 +87,7 @@
k.key.public_key().verify(
signature=sig,
data=buf,
- padding=PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH),
+ padding=PSS(mgf=MGF1(SHA256()), salt_length=32),
algorithm=SHA256())
# Modify the message to make sure the signature fails.
@@ -95,7 +95,7 @@
k.key.public_key().verify,
signature=sig,
data=b'This is thE message',
- padding=PSS(mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH),
+ padding=PSS(mgf=MGF1(SHA256()), salt_length=32),
algorithm=SHA256())
if __name__ == '__main__':