Fixes for RSA PSS example based on feedback and testing.

2019-02-14 10:23:15 -08:00 · 2019-02-14 10:23:15 -08:00 · 7a1bffd8f9
parent 6130262b75
commit 7a1bffd8f9
3 changed files with 68 additions and 14 deletions
--- a/crypto/rsa-pss/Makefile
+++ b/crypto/rsa-pss/Makefile
@ -1,11 +1,36 @@
-CC=gcc
-CFLAGS=-Wall
-LIBS= -lwolfssl
+# Examples Makefile
+CC       = gcc
+LIB_PATH = /usr/local
+CFLAGS   = -Wall -I$(LIB_PATH)/include
+LIBS     = -L$(LIB_PATH)/lib -lm

-rsa-pss: rsa-pss.o
-	$(CC) -o $@ $^ $(CFLAGS) $(LIBS) 
+# option variables
+DYN_LIB         = -lwolfssl
+STATIC_LIB      = $(LIB_PATH)/lib/libwolfssl.a
+DEBUG_FLAGS     = -g -DDEBUG
+DEBUG_INC_PATHS = -MD
+OPTIMIZE        = -Os

-.PHONY: clean
+# Options
+#CFLAGS+=$(DEBUG_FLAGS)
+CFLAGS+=$(OPTIMIZE)
+#LIBS+=$(STATIC_LIB) -ldl -lm
+LIBS+=$(DYN_LIB)
+
+# build targets
+SRC=$(wildcard *.c)
+TARGETS=$(patsubst %.c, %, $(SRC))
+
+.PHONY: clean all
+
+all: $(TARGETS)
+
+debug: CFLAGS+=$(DEBUG_FLAGS)
+debug: all
+
+# build template
+%: %.c
+	$(CC) -o $@ $< $(CFLAGS) $(LIBS)

 clean:
-	rm -f *.o rsa-pss
+	rm -f $(TARGETS)
--- a/crypto/rsa-pss/README.md
+++ b/crypto/rsa-pss/README.md
@ -5,7 +5,7 @@
 ### Build wolfSSL

 ```
-./configure --enable-rsapss --enable-keygen --enable-certgen --enable-certext
+./configure --enable-rsapss --enable-keygen
 make
 sudo make install
 ```
--- a/crypto/rsa-pss/rsa-pss.c
+++ b/crypto/rsa-pss/rsa-pss.c
@ -33,6 +33,7 @@
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/ssl.h>
 #include <wolfssl/wolfcrypt/rsa.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>

 static const char* kRsaSignOpt = "-s";
 static const char* kRsaPubKey = "./rsa-public.der";
@ -41,8 +42,11 @@ static const char* kRsaPubKey = "./rsa-public.der";

 int main(int argc, char** argv)
 {
+/* These examples require RSA and Key Gen */
+#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
    RsaKey* pRsaKey = NULL;
    WC_RNG rng;
+    /* PSS requires message to be same as hash digest (SHA256=32) */
    const char* szMessage = "This is the string to be signed";
    unsigned char pSignature[RSA_KEY_SIZE/8];
    unsigned char pDecrypted[RSA_KEY_SIZE/8];
@ -52,6 +56,13 @@ int main(int argc, char** argv)
    unsigned char derBuf[MAX_DER_SIZE];
    FILE* f;

+    if (argc <= 2) {
+        printf("Usage:\n");
+        printf("\trsa-pss -s sign.txt\n");
+        printf("\trsa-pss -v sign.txt\n");
+        return 0;
+    }
+
    wolfSSL_Debugging_ON();

    wolfSSL_Init();
@ -83,8 +94,9 @@ int main(int argc, char** argv)

    if (memcmp(argv[1], kRsaSignOpt, 2) == 0) {
        printf("generating RSA key to make a PSS signature\n");
+
        /* Generate an RSA key pair */
-        if (wc_MakeRsaKey(pRsaKey, RSA_KEY_SIZE, 0x010001, &rng) != 0) {
+        if (wc_MakeRsaKey(pRsaKey, RSA_KEY_SIZE, WC_RSA_EXPONENT, &rng) != 0) {
            printf("failed to create rsa key\n");
        }

@ -142,7 +154,7 @@ int main(int argc, char** argv)
        }

        /* perform digital signature */
-        ret = wc_RsaPSS_Sign((byte*)szMessage, sizeof(szMessage),
+        ret = wc_RsaPSS_Sign((byte*)szMessage, XSTRLEN(szMessage)+1,
                pSignature, sizeof(pSignature),
                WC_HASH_TYPE_SHA256, WC_MGF1SHA256, pRsaKey, &rng);
        if (ret <= 0) {
@ -166,8 +178,9 @@ int main(int argc, char** argv)
        fseek(f, 0, SEEK_END);
        sz = ftell(f);
        if (sz > sizeof(pSignature)) {
+            printf("file is too big (%d bytes)\n", sz);
            fclose(f);
-            return BUFFER_E;
+            goto prog_end;
        }
        fseek(f, 0, SEEK_SET);
        fread(pSignature, 1, sz, f);
@ -177,14 +190,23 @@ int main(int argc, char** argv)
        Start by a RAW decrypt of the signature
        */
        pt = pDecrypted;
-        ret = wc_RsaPSS_VerifyInline(pSignature, sizeof(pSignature), &pt,
+        ret = wc_RsaPSS_VerifyInline(pSignature, sz, &pt,
                WC_HASH_TYPE_SHA256, WC_MGF1SHA256, pRsaKey);
        if (ret <= 0) {
            printf("RSA_public_decrypt failed with error %d\n", ret);
            goto prog_end;
        }
        else {
-            printf("RSA PSS verify success\n");
+            sz = ret;
+            ret = wc_RsaPSS_CheckPadding((byte*)szMessage, XSTRLEN(szMessage)+1,
+                pt, sz, WC_HASH_TYPE_SHA256);
+            if (ret == 0) {
+                printf("RSA PSS verify success\n");
+            }
+            else {
+                printf("RSA PSS Padding check failed! %d\n", ret);
+                goto prog_end;
+            }
        }
   }

@ -198,5 +220,12 @@ prog_end:
    wolfSSL_Cleanup();

    return 0;
-}
+#else
+    (void)kRsaSignOpt;
+    (void)kRsaPubKey;

+    printf("wolfSSL missing build features.\n");
+    printf("Please build using `./configure --enable-rsapss --enable-keygen`\n");
+    return -1;
+#endif
+}