Remove PKCSv1.5 sig format option from RSA
Since we are changing the image header format, there is no reason to
continue to support the old PKCS#1 v1.5 signatures. Remove the
definitions and the conditional compilation related to them, and
support only the newer PSS signatures.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/Makefile b/Makefile
index 533aff2..ca6b4ce 100644
--- a/Makefile
+++ b/Makefile
@@ -12,10 +12,6 @@
CONF_FILE = boot/zephyr/prj.conf
CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
-# Newer uses should use the RSA-PSS signature algorithm. This define
-# enables (and requires) this type of signature.
-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15
-
# ECDSA P-256
#CONF_FILE = boot/zephyr/prj-p256.conf
#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
diff --git a/boot/bootutil/src/image_rsa.c b/boot/bootutil/src/image_rsa.c
index d452064..88ec784 100644
--- a/boot/bootutil/src/image_rsa.c
+++ b/boot/bootutil/src/image_rsa.c
@@ -32,15 +32,6 @@
#include "bootutil_priv.h"
-#ifdef MCUBOOT_RSA_PKCS1_15
-static const uint8_t sha256_oid[] = {
- 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
- 0x00, 0x04, 0x20
-};
-#endif
-
-#ifndef MCUBOOT_RSA_PKCS1_15
/*
* Constants for this particular constrained implementation of
* RSA-PSS. In particular, we support RSA 2048, with a SHA256 hash,
@@ -70,7 +61,6 @@
#define PSS_MASK_SALT_POS (PSS_MASK_ONE_POS + 1)
static const uint8_t pss_zeros[8] = {0};
-#endif
/*
* Parse the public key used for signing. Simple RSA format.
@@ -108,7 +98,6 @@
return 0;
}
-#ifndef MCUBOOT_RSA_PKCS1_15
/*
* Compute the RSA-PSS mask-generation function, MGF1. Assumptions
* are that the mask length will be less than 256 * PSS_HLEN, and
@@ -263,55 +252,6 @@
return 0;
}
-#else /* MCUBOOT_RSA_PKCS1_15 */
-/*
- * PKCS1.5 using RSA2048 computed over SHA256.
- */
-static int
-bootutil_cmp_rsasig(mbedtls_rsa_context *ctx, uint8_t *hash, uint32_t hlen,
- uint8_t *sig)
-{
- uint8_t buf[MBEDTLS_MPI_MAX_SIZE];
- uint8_t *p;
-
- if (ctx->len != 256) {
- return -1;
- }
-
- if (mbedtls_rsa_public(ctx, sig, buf)) {
- return -1;
- }
-
- p = buf;
-
- if (*p++ != 0 || *p++ != MBEDTLS_RSA_SIGN) {
- return -1;
- }
-
- while (*p != 0) {
- if (p >= buf + ctx->len - 1 || *p != 0xFF) {
- return -1;
- }
- p++;
- }
- p++;
-
- if ((p - buf) + sizeof(sha256_oid) + hlen != ctx->len) {
- return -1;
- }
-
- if (memcmp(p, sha256_oid, sizeof(sha256_oid))) {
- return -1;
- }
- p += sizeof(sha256_oid);
-
- if (memcmp(p, hash, hlen)) {
- return -1;
- }
-
- return 0;
-}
-#endif
int
bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, int slen,
diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
index 416bf9e..fcc2fc5 100644
--- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
+++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
@@ -33,9 +33,6 @@
#if MYNEWT_VAL(BOOTUTIL_SIGN_RSA)
#define MCUBOOT_SIGN_RSA 1
#endif
-#if MYNEWT_VAL(BOOTUTIL_RSA_PKCS1_15)
-#define MCUBOOT_RSA_PKCS1_15 1
-#endif
#if MYNEWT_VAL(BOOTUTIL_SIGN_EC)
#define MCUBOOT_SIGN_EC 1
#endif
diff --git a/boot/mynewt/mcuboot_config/syscfg.yml b/boot/mynewt/mcuboot_config/syscfg.yml
index 574aa37..7e8d241 100644
--- a/boot/mynewt/mcuboot_config/syscfg.yml
+++ b/boot/mynewt/mcuboot_config/syscfg.yml
@@ -25,9 +25,6 @@
BOOTUTIL_SIGN_RSA:
description: 'Images are signed using RSA2048.'
value: 0
- BOOTUTIL_RSA_PKCS1_15:
- description: 'Sign using old PKCS#1 1.5 (otherwise uses PSS)'
- value: 0
BOOTUTIL_SIGN_EC:
description: 'Images are signed using ECDSA NIST P-224.'
value: 0