Fixes for wolfHSM RSA with cert chain auth

Author: bigbrett

demo-build-offline-certs.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+make -C ../ clean CERT_CHAIN_FILE=foo
+
+# build keytools
+make -C tools/keytools/ \
+    HT_TRICORE_PATH=/opt/hightec/gnutri_v4.9.4.1-11fcedf-lin64 \
+    WOLFHSM_INFINEON_TC3XX=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx \
+    TC3_DIR=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx/wolfLLD-tc3xx/tc3 \
+    WOLFBOOT_LIB_WOLFSSL=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx/wolfssl \
+    WOLFBOOT_LIB_WOLFHSM=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx/wolfHSM
+
+# Build wolfBoot
+make DEBUG_SYMBOLS=1 GCC=1 \
+    CERT_CHAIN_FILE=$(pwd)/offline-dummy-chain/raw-chain.der \
+    NVM_CONFIG=$(pwd)/offline-dummy-chain/custom-root.nvminit \
+    PRIVATE_KEY=$(pwd)/offline-dummy-chain/leaf-prvkey.der \
+    IMPORT_PUBLIC_KEY=$(pwd)/offline-dummy-chain/leaf-pubkey.der \
+    HT_TRICORE_PATH=/opt/hightec/gnutri_v4.9.4.1-11fcedf-lin64 \
+    WOLFHSM_INFINEON_TC3XX=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx \
+    TC3_DIR=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx/wolfLLD-tc3xx/tc3 \
+    WOLFBOOT_LIB_WOLFSSL=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx/wolfssl \
+    WOLFBOOT_LIB_WOLFHSM=/home/brett/workspace/wolfssl/wolfssl-repos/wolfhsm-private/infineon/tc3xx/wolfHSM
+
+# Sign v2 test app
+IMAGE_HEADER_SIZE=4096 tools/keytools/sign --rsa2048 --cert-chain offline-dummy-chain/raw-chain.der test-app/image.bin offline-dummy-chain/leaf-prvkey.der 2
+
+
+
+
+

demo-offline-certs.sh demo-gen-offline-certs.shdemo-offline-certs.sh renamed to demo-gen-offline-certs.sh

@@ -5,9 +5,6 @@ set -euo pipefail
 OUT_DIR="offline-dummy-chain"
 OUT_PATH="$(pwd)/${OUT_DIR}"
 
-# 1) Build keytools (same as Makefile prerequisite)
-make -C tools/keytools -j
-
 # 2) Generate signing key + keystore.c (same as Makefile rule wolfboot_signing_private_key.der)
 #    Uses RSA2048 to match your current setup. The generated keystore.c wont be used as it will
 #    be regenerated based on the input key when building wolfBoot with `make` later

include/user_settings.h

@@ -587,6 +587,7 @@ extern int tolower(int c);
 #   define WOLFSSL_USER_IO
 #   define WOLFSSL_SP_MUL_D
 #   define WOLFSSL_PEM_TO_DER
+#   define WOLFSSL_ALLOW_NO_SUITES
 #endif
 
 #ifdef WOLFSSL_STM32_PKA

src/image.c

@@ -499,7 +499,8 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot,
     XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE);
     RSA_VERIFY_FN(ret, wc_RsaSSL_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE,
                   &digest_out, &rsa);
-#if !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)
+#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
+    !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)
     /* evict the key after use, since we aren't using the RSA import API */
     if (WH_ERROR_OK != wh_Client_KeyEvict(&hsmClientCtx, hsmKeyId)) {
         return;

test-app/Makefile

@@ -21,13 +21,6 @@ BOOTLOADER_PARTITION_SIZE?=$$(( $(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLAS
 # For test-applications we should only use user_settings.h
 CFLAGS+=-DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS
 
-ifeq ($(SIGN),RSA2048)
-  IMAGE_HEADER_SIZE:=512
-endif
-
-ifeq ($(SIGN),RSA4096)
-  IMAGE_HEADER_SIZE:=1024
-endif
 ifeq ($(HASH),SHA256)
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sha256.o
   CFLAGS+=-D"WOLFBOOT_HASH_SHA256"