Add bootutil support for RSA-3072
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h
index 6989049..4a9ad9d 100644
--- a/boot/bootutil/include/bootutil/image.h
+++ b/boot/bootutil/include/bootutil/image.h
@@ -72,6 +72,7 @@
#define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output */
#define IMAGE_TLV_ECDSA256 0x22 /* ECDSA of hash output */
+#define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */
#define IMAGE_TLV_ENC_RSA2048 0x30 /* Key encrypted with RSA-OAEP-2048 */
#define IMAGE_TLV_ENC_KW128 0x31 /* Key encrypted with AES-KW-128 */
diff --git a/boot/bootutil/src/image_rsa.c b/boot/bootutil/src/image_rsa.c
index 0534c12..53a4591 100644
--- a/boot/bootutil/src/image_rsa.c
+++ b/boot/bootutil/src/image_rsa.c
@@ -39,7 +39,7 @@
*/
/* The size, in octets, of the message. */
-#define PSS_EMLEN 256
+#define PSS_EMLEN (MCUBOOT_SIGN_RSA_LEN / 8)
/* The size of the hash function. For SHA256, this is 32 bytes. */
#define PSS_HLEN 32
@@ -48,7 +48,7 @@
#define PSS_SLEN 32
/* The length of the mask: emLen - hLen - 1. */
-#define PSS_MASK_LEN (256 - PSS_HLEN - 1)
+#define PSS_MASK_LEN (PSS_EMLEN - PSS_HLEN - 1)
#define PSS_HASH_OFFSET PSS_MASK_LEN
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index 9a5fe57..6597a81 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -123,21 +123,32 @@
* call. List the type of TLV we are expecting. If we aren't
* configured for any signature, don't define this macro.
*/
+#if (defined(MCUBOOT_SIGN_RSA) + \
+ defined(MCUBOOT_SIGN_EC) + \
+ defined(MCUBOOT_SIGN_EC256)) > 1
+#error "Only a single signature type is supported!"
+#endif
+
#if defined(MCUBOOT_SIGN_RSA)
-# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
-# define EXPECTED_SIG_LEN(x) ((x) == 256) /* 2048 bits */
-# if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
-# error "Multiple signature types not yet supported"
+# if MCUBOOT_SIGN_RSA_LEN == 2048
+# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
+# elif MCUBOOT_SIGN_RSA_LEN == 3072
+# define EXPECTED_SIG_TLV IMAGE_TLV_RSA3072_PSS
+# else
+# error "Unsupported RSA signature length"
# endif
+# define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
+# define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE) /* 2048 bits */
#elif defined(MCUBOOT_SIGN_EC)
# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224
+# define SIG_BUF_SIZE 128
# define EXPECTED_SIG_LEN(x) ((x) >= 64) /* oids + 2 * 28 bytes */
-# if defined(MCUBOOT_SIGN_EC256)
-# error "Multiple signature types not yet supported"
-# endif
#elif defined(MCUBOOT_SIGN_EC256)
# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256
+# define SIG_BUF_SIZE 128
# define EXPECTED_SIG_LEN(x) ((x) >= 72) /* oids + 2 * 32 bytes */
+#else
+# define SIG_BUF_SIZE 32 /* no signing, sha256 digest only */
#endif
#ifdef EXPECTED_SIG_TLV
@@ -182,7 +193,7 @@
int key_id = -1;
#endif
struct image_tlv tlv;
- uint8_t buf[256];
+ uint8_t buf[SIG_BUF_SIZE];
uint8_t hash[32];
int rc;
diff --git a/docs/design.md b/docs/design.md
index 13f60b1..5c3d1b9 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -96,6 +96,7 @@
#define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output */
#define IMAGE_TLV_ECDSA256 0x22 /* ECDSA of hash output */
+#define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */
```
Optional type-length-value records (TLVs) containing image metadata are placed