Skip to content

Commit

Permalink
Bigger header size when policy signature is added
Browse files Browse the repository at this point in the history
  • Loading branch information
@danielinux
danielinux committed Oct 29, 2024
1 parent 9819520 commit c390fec
Showing 1 changed file with 48 additions and 30 deletions.
78 changes: 48 additions & 30 deletions tools/keytools/sign.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,51 @@ static struct cmd_options CMD = {
.hybrid = 0
};

static void set_header_size(void)
{
uint32_t hdr_sz = CMD.header_sz;
/* get header and signature sizes */
if (CMD.sign == SIGN_ED25519) {
if (hdr_sz < 256)
hdr_sz = 256;
}
else if (CMD.sign == SIGN_ED448) {
if (hdr_sz < 512)
hdr_sz = 512;
}
else if (CMD.sign == SIGN_ECC256) {
if (hdr_sz < 256)
hdr_sz = 256;
}
else if (CMD.sign == SIGN_ECC384) {
if (hdr_sz < 512)
hdr_sz = 512;
}
else if (CMD.sign == SIGN_ECC521) {
if (hdr_sz < 512)
hdr_sz = 512;
}
else if (CMD.sign == SIGN_RSA2048) {
if (hdr_sz < 512)
hdr_sz = 512;
}
else if (CMD.sign == SIGN_RSA3072) {
if ((hdr_sz < 1024) && (CMD.hash_algo != HASH_SHA256))
hdr_sz = 1024;
if (hdr_sz < 512)
hdr_sz = 512;
}
else if (CMD.sign == SIGN_RSA4096) {
if (hdr_sz < 1024)
hdr_sz = 1024;
}
if (CMD.policy_sign)
hdr_sz += 512;

if (hdr_sz > CMD.header_sz)
CMD.header_sz = hdr_sz;
}

static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id,
int header_sz,
uint8_t **key_buffer, uint32_t *key_buffer_sz,
Expand Down Expand Up @@ -425,12 +470,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz

if (*pubkey_sz <= rsa_pubkeysz) {
CMD.header_sz = header_sz;
if (CMD.policy_sign) {
CMD.header_sz += 512;
}
else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) {
CMD.header_sz += 512;
}
if (secondary) {
CMD.secondary_signature_sz = rsa_keysz;
CMD.secondary_sign = sign_type;
Expand Down Expand Up @@ -469,12 +508,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz

if (ret == 0 || CMD.sign != SIGN_AUTO) {
CMD.header_sz = header_sz;
if (CMD.policy_sign) {
CMD.header_sz += 512;
}
else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) {
CMD.header_sz += 512;
}
if (secondary) {
CMD.secondary_sign = sign_type;
CMD.secondary_signature_sz = keySzOut;
Expand Down Expand Up @@ -861,6 +894,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
goto failure;
}

set_header_size();
if (CMD.header_sz < IMAGE_HEADER_SIZE) {
printf("image header size overridden by config value (%u bytes)\n", IMAGE_HEADER_SIZE);
CMD.header_sz = IMAGE_HEADER_SIZE;
Expand Down Expand Up @@ -2028,6 +2062,7 @@ uint64_t arg2num(const char *arg, size_t len)
return ret;
}


static void set_signature_sizes(int secondary)
{
uint32_t *sz = &CMD.signature_sz;
Expand All @@ -2036,47 +2071,30 @@ static void set_signature_sizes(int secondary)
sz = &CMD.secondary_signature_sz;
sign = &CMD.secondary_sign;
}
set_header_size();
/* get header and signature sizes */
if (*sign == SIGN_ED25519) {
if (CMD.header_sz < 256)
CMD.header_sz = 256;
*sz = 64;
}
else if (*sign == SIGN_ED448) {
if (CMD.header_sz < 512)
CMD.header_sz = 512;
*sz = 114;
}
else if (*sign == SIGN_ECC256) {
if (CMD.header_sz < 256)
CMD.header_sz = 256;
*sz = 64;
}
else if (*sign == SIGN_ECC384) {
if (CMD.header_sz < 512)
CMD.header_sz = 512;
*sz = 96;
}
else if (*sign == SIGN_ECC521) {
if (CMD.header_sz < 512)
CMD.header_sz = 512;
*sz = 132;
}
else if (*sign == SIGN_RSA2048) {
if (CMD.header_sz < 512)
CMD.header_sz = 512;
*sz = 256;
}
else if (*sign == SIGN_RSA3072) {
if ((CMD.header_sz < 1024) && (CMD.hash_algo != HASH_SHA256))
CMD.header_sz = 1024;
if (CMD.header_sz < 512)
CMD.header_sz = 512;
*sz = 384;
}
else if (*sign == SIGN_RSA4096) {
if (CMD.header_sz < 1024)
CMD.header_sz = 1024;
*sz = 512;
}
#ifdef WOLFSSL_HAVE_LMS
Expand Down

0 comments on commit c390fec

Please sign in to comment.