EVP_DigestVerifyFinal failed error while testing CONFIG_SIGNED_IMAGES


Anjali Krishna

Apr 22, 2022, 9:34:15 AM
to swupdate
Hi All,
 
 I am checking on the signed images part of swupdate, where I got stuck with the below error:
[ERROR] : SWUPDATE failed [0] ERROR /usr/src/debug/swupdate/2021.04-r0/git/corelib/swupdate_rsa_verify.c : verify_final : 99 : EVP_DigestVerifyFinal failed, error 0x407e086 0
[TRACE] : SWUPDATE running :  [swupdate_verify_file] : Error Verifying Data
[ERROR] : SWUPDATE failed [0] ERROR /usr/src/debug/swupdate/2021.04-r0/git/core/stream_interface.c : extract_files : 165 : Compatible SW not found


I have enabled the below configurations in swupdate make menuconfig
1. CONFIG_SIGNED_IMAGES
2. SSL_IMPL_OPENSSL
3. Enable verification of signed images
4. SIGNATURE VERIFICATION ALGORITHM - RSA PSS
5. Enable image downloading
6. Allow to add sha256 hash to each image [Enabled automatically]
7. Disable cpio CRC verify if SHA 256 is enabled [Made this option 'y']
8. SSL Implementation to use - Openssl

Also, I am creating the swu archive as a part of Yocto. The bb file content is:

##################################################
DESCRIPTION = "Recipe to generate swu archive"
LICENSE = "CLOSED"

inherit swupdate

SRC_URI += "\
    file://sw-description \
    file://single_file_test.txt \
    file://post_install.sh \
"

SWUPDATE_SIGNING = "RSA"
SWUPDATE_PRIVATE_KEY = "${THISDIR}/../common/files/priv.pem"
SWUPDATE_PASSWORD_FILE = "${THISDIR}/../common/files/passphrase"

SWUPDATE_IMAGES_FSTYPES[single_file_test] = ".txt"
SWUPDATE_IMAGES_FSTYPES[post_install] = ".sh"

##########################################################


The .swu archive under build directory is as expected when extracted

cpio -idv < single-file-swu-imx6ull-iwg18m-sm.swu
sw-description
sw-description.sig
single_file_test.txt
post_install.sh
4 blocks

If I create the swu archive with the below script, with the same private key, public key and passphrase, everything is working fine:

#!/bin/sh

MODE="RSA-PSS"
PRODUCT_NAME="single_file_update"
CONTAINER_VER="1.0"
IMAGES="single_file_test.txt post_install.sh"
FILES="sw-description sw-description.sig $IMAGES"

#if you use RSA
if [ x"$MODE" = "xRSA-PKCS-1.5" ]; then
    openssl dgst -sha256 -sign priv.pem sw-description > sw-description.sig
elif [ x"$MODE" = "xRSA-PSS" ]; then
    openssl dgst -sha256 -sign priv.pem -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-2 sw-description > sw-description.sig
else
    openssl cms -sign -in  sw-description -out sw-description.sig -signer mycert.cert.pem \
        -inkey mycert.key.pem -outform DER -nosmimecap -binary
fi
# pack the files in the listed order: sw-description first, then its signature
for i in $FILES; do
    echo $i
done | cpio -ov -H crc > ${PRODUCT_NAME}_${CONTAINER_VER}.swu


Any help would be appreciated.

Anjali Krishna

Apr 24, 2022, 4:30:21 AM
to swupdate
Hi All,
  The hex error code which appears in the error message is pointing to something like this

#openssl errstr 407e086
error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid

Any idea about this error?

Anjali Krishna

Apr 24, 2022, 5:17:53 AM
to swupdate
Hi All,
 
 After editing meta-swupdate/classes/swupdate-common.bbclass for RSA PSS, I got this issue solved. A few tests are still pending, but the initial testing was successful.
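
Added example, not part of the original thread and not SWUpdate or meta-swupdate code: it reproduces the padding mismatch behind the `RSA_verify_PKCS1_PSS_mgf1` error by signing with the two `openssl dgst` variants from the script above and verifying each under both paddings. It assumes the recipe's `SWUPDATE_SIGNING = "RSA"` signs like the script's RSA-PKCS-1.5 branch; the key, the sample `sw-description` and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Key and sw-description are constructed throwaway test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

PSS_OPTS="-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2"

# Generate a 2048-bit RSA key pair and a minimal file to sign.
setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/priv.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null &&
    printf 'software = { version = "1.0"; };\n' > "$WORK/sw-description"
}

# opts_for pkcs1|pss: print the extra openssl options for that padding.
opts_for() {
    case "$1" in
        pss)   echo "$PSS_OPTS" ;;
        pkcs1) echo "" ;;
        *)     return 2 ;;
    esac
}

# sign_desc <padding>: write sw-description.sig using the given padding.
sign_desc() {
    opts=$(opts_for "$1") || return 2
    # $opts is intentionally unquoted so it splits into separate arguments
    openssl dgst -sha256 -sign "$WORK/priv.pem" $opts \
        -out "$WORK/sw-description.sig" "$WORK/sw-description"
}

# verify_desc <padding>: succeed only if the signature verifies under that padding.
verify_desc() {
    opts=$(opts_for "$1") || return 2
    openssl dgst -sha256 -verify "$WORK/pub.pem" $opts \
        -signature "$WORK/sw-description.sig" "$WORK/sw-description" 2>/dev/null |
        grep -q 'Verified OK'
}

# check <padding used to sign> <padding the verifier expects>
check() { sign_desc "$1" && verify_desc "$2"; }

setup || { echo "openssl key generation failed" >&2; exit 1; }
for pair in "pss pss" "pkcs1 pkcs1" "pkcs1 pss" "pss pkcs1"; do
    set -- $pair
    if check "$1" "$2"; then r=OK; else r=FAILED; fi
    echo "signed=$1 verifier=$2 -> $r"
done
```

Only the two rows where the signing padding equals the verifier's padding report OK, so a build-side signing mode has to be kept in step with the SIGNATURE VERIFICATION ALGORITHM chosen in menuconfig.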
