[PATCH] [swugenerator] Add support for PSS padding when signing with RSA
32 views
Skip to first unread message
Paul HENRYS
Jul 25, 2025, 6:50:25 AM7/25/25
to swupdate+n...@googlegroups.com, paul.he...@softathome.com
SWUpdate supports both PKCS#1 and PSS padding with RSA but swugenerator only
implements PKCS#1 padding. PSS padding support is therefore added in SWUSignRSA.
One can use the keyword RSAPSS to sign the sw-description file with RSA and PSS
padding. For instance:
"-k RSAPSS,myprivatekey.pem"
Signed-off-by: Paul HENRYS <paul.he...@softathome.com>
---
swugenerator/main.py | 10 +++++-----
swugenerator/swu_sign.py | 7 ++++++-
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/swugenerator/main.py b/swugenerator/main.py
index cf66a13..e57482b 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -132,16 +132,16 @@ def parse_signing_option(
# Format : CMS,<private key>,<certificate used to sign>
else:
return SWUSignCMS(sign_parms[1], sign_parms[2], None, None, engine, keyform)
- if cmd == "RSA":
+ if cmd[:3] == "RSA":
if len(sign_parms) not in (2, 3) or not all(sign_parms):
raise InvalidSigningOption(
"RSA requires private key and an optional password file"
)
- # Format : RSA,<private key>,<file with password>
+ # Format : RSA(PSS),<private key>,<file with password>
if len(sign_parms) == 3:
- return SWUSignRSA(sign_parms[1], sign_parms[2])
- # Format : RSA,<private key>
- return SWUSignRSA(sign_parms[1], None)
+ return SWUSignRSA(sign_parms[1], sign_parms[2], pss=True if cmd == "RSAPSS" else False)
+ # Format : RSA(PSS),<private key>
+ return SWUSignRSA(sign_parms[1], None, pss=True if cmd == "RSAPSS" else False)
if cmd == "PKCS11":
# Format : PKCS11,<pin>[,<module>]
if len(sign_parms) not in (2, 3) or not all(sign_parms[0:2]):
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 992c5fd..0636f06 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -85,16 +85,21 @@ class SWUSignCMS(SWUSign):
class SWUSignRSA(SWUSign):
- def __init__(self, key, passin):
+ def __init__(self, key, passin, pss=False):
super().__init__()
self.type = "RSA"
self.key = key
self.passin = passin
+ if pss == True:
+ self.pss_args = ["-sigopt rsa_padding_mode:pss", "-sigopt rsa_pss_saltlen:-2"]
+ else:
+ self.pss_args = []
def prepare_cmd(self, sw_desc_in, sw_desc_sig):
self.signcmd = (
["openssl", "dgst", "-sha256", "-sign", self.key]
+ self.get_passwd_file_args()
+ + self.pss_args
+ ["-out", sw_desc_sig, sw_desc_in]
)
--
2.43.0
implements PKCS#1 padding. PSS padding support is therefore added in SWUSignRSA.
One can use the keyword RSAPSS to sign the sw-description file with RSA and PSS
padding. For instance:
"-k RSAPSS,myprivatekey.pem"
Signed-off-by: Paul HENRYS <paul.he...@softathome.com>
---
swugenerator/main.py | 10 +++++-----
swugenerator/swu_sign.py | 7 ++++++-
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/swugenerator/main.py b/swugenerator/main.py
index cf66a13..e57482b 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -132,16 +132,16 @@ def parse_signing_option(
# Format : CMS,<private key>,<certificate used to sign>
else:
return SWUSignCMS(sign_parms[1], sign_parms[2], None, None, engine, keyform)
- if cmd == "RSA":
+ if cmd[:3] == "RSA":
if len(sign_parms) not in (2, 3) or not all(sign_parms):
raise InvalidSigningOption(
"RSA requires private key and an optional password file"
)
- # Format : RSA,<private key>,<file with password>
+ # Format : RSA(PSS),<private key>,<file with password>
if len(sign_parms) == 3:
- return SWUSignRSA(sign_parms[1], sign_parms[2])
- # Format : RSA,<private key>
- return SWUSignRSA(sign_parms[1], None)
+ return SWUSignRSA(sign_parms[1], sign_parms[2], pss=True if cmd == "RSAPSS" else False)
+ # Format : RSA(PSS),<private key>
+ return SWUSignRSA(sign_parms[1], None, pss=True if cmd == "RSAPSS" else False)
if cmd == "PKCS11":
# Format : PKCS11,<pin>[,<module>]
if len(sign_parms) not in (2, 3) or not all(sign_parms[0:2]):
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 992c5fd..0636f06 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -85,16 +85,21 @@ class SWUSignCMS(SWUSign):
class SWUSignRSA(SWUSign):
- def __init__(self, key, passin):
+ def __init__(self, key, passin, pss=False):
super().__init__()
self.type = "RSA"
self.key = key
self.passin = passin
+ if pss == True:
+ self.pss_args = ["-sigopt rsa_padding_mode:pss", "-sigopt rsa_pss_saltlen:-2"]
+ else:
+ self.pss_args = []
def prepare_cmd(self, sw_desc_in, sw_desc_sig):
self.signcmd = (
["openssl", "dgst", "-sha256", "-sign", self.key]
+ self.get_passwd_file_args()
+ + self.pss_args
+ ["-out", sw_desc_sig, sw_desc_in]
)
--
2.43.0
Stefano Babic
Jul 29, 2025, 2:43:23 PM7/29/25
to Paul HENRYS, swupdate+n...@googlegroups.com
Hi Paul,
I will suggest to replace the boolean with a type identifying the RSA
flavor. It could be there will be a request for RSA-FDH,...and forcing a
boolean here is one way.
Best regards,
Stefano Babic
flavor. It could be there will be a request for RSA-FDH,...and forcing a
boolean here is one way.
Best regards,
Stefano Babic
Reply all
Reply to author
Forward
0 new messages