swupdate + mbedtls does not support 4096-bit RSA keys for signature check

Thomas Lorblanchès

Jun 7, 2024, 6:44:04 AM
to swupdate
Hello all,
There seems to be a bug (or an undocumented limitation) when using mbedtls to check an RSA signature.
In function swupdate_rsa_verify_mbedtls.c/swupdate_verify_file(), the signature is stored in a 256-byte array. When I generate the signature with openssl, the sw-description.sign file has a length of 256 bytes when the RSA key has a length of 2048 bits, but it has a length of 512 bytes when the RSA key has a length of 4096 bits.
When the RSA key has a length of 4096 bits, swupdate_verify_file() only reads half of the sw-description.sign file, so the signature check fails.
Is this a known problem/limitation?
Regards,
Thomas
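
The truncation described in the post, as an added example that is not part of the original message and is not swupdate's code: a fixed 256-byte read next to a read sized from the key length. The function names, the sample file name and the filler bytes are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define FIXED_SIG_LEN 256 /* fixed buffer size described in the post */

/* Constructed sample: write n filler bytes standing in for a signature. */
int write_sample_sig(const char *path, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    while (n--) fputc(0xA5, f);
    return fclose(f);
}

/* Fixed-buffer read: returns at most 256 bytes, so a 512-byte
 * RSA-4096 signature is silently cut in half. */
size_t read_sig_fixed(const char *path, unsigned char out[FIXED_SIG_LEN])
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(out, 1, FIXED_SIG_LEN, f);
    fclose(f);
    return n;
}

/* Size-aware read: an RSA signature is as long as the modulus, so require
 * key_bits/8 bytes (with mbedtls, mbedtls_pk_get_len() gives that length).
 * Returns a malloc'd buffer (caller frees) or NULL on any length mismatch. */
unsigned char *read_sig_for_key(const char *path, size_t key_bits, size_t *len)
{
    size_t want = (key_bits + 7) / 8;
    unsigned char *buf = malloc(want + 1); /* +1 byte detects trailing data */
    FILE *f = fopen(path, "rb");
    if (!buf || !f) { free(buf); if (f) fclose(f); return NULL; }
    size_t n = fread(buf, 1, want + 1, f);
    fclose(f);
    if (n != want) { free(buf); return NULL; }
    *len = n;
    return buf;
}

int main(void)
{
    unsigned char fixed[FIXED_SIG_LEN];
    size_t len = 0;
    write_sample_sig("sample-4096.sign", 512);
    printf("fixed read: %zu bytes\n", read_sig_fixed("sample-4096.sign", fixed));
    unsigned char *sig = read_sig_for_key("sample-4096.sign", 4096, &len);
    printf("size-aware read: %zu bytes\n", sig ? len : 0);
    free(sig);
    return remove("sample-4096.sign");
}
```

Rejecting a signature whose length differs from the key's modulus length turns the silent truncation into an explicit error before any verification call is made.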