add support for rsa-pss image signatures #737
bigbrett wants to merge 11 commits into wolfSSL:master
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #737
Scan targets checked: wolfboot-bugs, wolfboot-src
No new issues found in the changed files. ✅
Pull request overview
Adds RSA-PSS signature support across key tooling, build configuration, and boot-time verification, including ARMORED mode and wolfHSM paths, while also addressing ARMORED inline-asm label collisions.
Changes:
- Add RSA-PSS keygen/signing CLI options and wire RSA-PSS into signing/verification flows.
- Extend build/config headers and make options to recognize RSA-PSS variants and sizing rules.
- Update ARMORED verification macros to use GAS numeric local labels and add PSS padding verification.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tools/keytools/user_settings.h | Enables wolfCrypt RSA-PSS support for keytools builds. |
| tools/keytools/sign.c | Adds RSA-PSS sign types, key loading, CLI flags, and signing logic. |
| tools/keytools/keygen.c | Adds RSA-PSS key types/CLI flags and maps keystore key_type for PSS. |
| src/image.c | Unifies RSA verification and adds RSA-PSS verification flow. |
| options.mk | Adds SIGN=RSAPSS* build options and related sizing/stack settings. |
| include/wolfboot/wolfboot.h | Defines AUTH_KEY/HDR types and header sizing rules for RSA-PSS. |
| include/user_settings.h | Enables WC_RSA_PSS and adjusts RSA-related wolfCrypt settings. |
| include/loader.h | Introduces consolidated WOLFBOOT_RSA_PSS and signature sizing for PSS. |
| include/image.h | Adds RSA vs RSA-PSS dispatch wrappers and new ARMORED/PSS verify macros. |
| config/examples/sim-rsapss2048.config | Adds a simulator example configuration for RSAPSS2048. |
| .github/workflows/test-sunnyday-simulator.yml | Expands CI to run simulator “sunny day update” tests for RSAPSS* variants. |
…stead check for min size
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
Add RSA-PSS signature verification support. Supports ARMORED mode and wolfHSM offload.
Also fixes duplicate ASM labels in ARMORED mode that could cause errors if using dual signatures with both PKCSv1.5 and PSS signature types.