ecdsa: Allow ECDSA signatures to be actual length

ECDSA signatures are variable length.  They are also encoded as ASN.1.
The ASN.1 parser we use is given the length, and will return a decoding
error if the signature block is not sufficiently long.  Instead of
requiring the signature block be padded to the longest possible length a
signature can be, allow them to be their natural length.

This allows image signing tools to be able to generate signatures that
don't have this padding.  Along with removing the pad removal code from
the EC224 code, this will allow this code to correctly validate all
signatures, not just 255 out of 256.

Signed-off-by: David Brown <david.brown@linaro.org>
David Brown 2019-12-12 15:35:31 -07:00 committed by David Brown
parent 3639aca071
commit a36082664e
1 changed files with 2 additions and 2 deletions
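
The length variation the commit message describes, worked through as an added example (not MCUboot code): it computes the DER size of an ECDSA signature, `SEQUENCE { INTEGER r, INTEGER s }`, from fixed-width `r` and `s`. The function names and the sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Content length of a DER INTEGER for the unsigned big-endian value v[0..n). */
static size_t der_uint_len(const uint8_t *v, size_t n)
{
    size_t i = 0;
    while (i + 1 < n && v[i] == 0) {
        i++;                 /* DER forbids redundant leading zero bytes */
    }
    /* A set top bit needs a 0x00 prefix so the value stays non-negative. */
    return (n - i) + ((v[i] & 0x80) ? 1 : 0);
}

/* Total size of SEQUENCE { INTEGER r, INTEGER s } for n-byte r and s.
 * Returns 0 for n outside 1..66 (66 bytes covers P-521). */
size_t ecdsa_der_sig_len(const uint8_t *r, const uint8_t *s, size_t n)
{
    if (r == NULL || s == NULL || n == 0 || n > 66) {
        return 0;
    }
    /* Each INTEGER: tag + one length byte + content (content <= 67). */
    size_t body = (2 + der_uint_len(r, n)) + (2 + der_uint_len(s, n));
    /* SEQUENCE: tag + short-form length, or 0x81-prefixed length from 128 up. */
    return body + (body < 128 ? 2 : 3);
}

/* Constructed sample: n-byte r and s of 0x11 bytes with chosen first bytes. */
size_t sample_len(size_t n, uint8_t r0, uint8_t s0)
{
    uint8_t r[66], s[66];
    if (n == 0 || n > sizeof(r)) {
        return 0;
    }
    memset(r, 0x11, n);
    memset(s, 0x11, n);
    r[0] = r0;
    s[0] = s0;
    return ecdsa_der_sig_len(r, s, n);
}

int main(void)
{
    printf("P-256, top bits set:   %zu\n", sample_len(32, 0x80, 0x80));
    printf("P-256, top bits clear: %zu\n", sample_len(32, 0x7f, 0x7f));
    printf("P-256, r starts 0x00:  %zu\n", sample_len(32, 0x00, 0x7f));
    printf("P-224, top bits set:   %zu\n", sample_len(28, 0x80, 0x80));
    return 0;
}
```

The largest results, 72 bytes for 32-byte values and 64 bytes for 28-byte values, are the thresholds the removed `>=` checks used, so any shorter natural-length encoding failed them unless it was padded.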

@ -161,11 +161,11 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
#elif defined(MCUBOOT_SIGN_EC) #elif defined(MCUBOOT_SIGN_EC)
# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224 # define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224
# define SIG_BUF_SIZE 128 # define SIG_BUF_SIZE 128
# define EXPECTED_SIG_LEN(x) ((x) >= 64) /* oids + 2 * 28 bytes */ # define EXPECTED_SIG_LEN(x) (1) /* always true, ASN.1 will validate */
#elif defined(MCUBOOT_SIGN_EC256) #elif defined(MCUBOOT_SIGN_EC256)
# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256 # define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256
# define SIG_BUF_SIZE 128 # define SIG_BUF_SIZE 128
# define EXPECTED_SIG_LEN(x) ((x) >= 72) /* oids + 2 * 32 bytes */ # define EXPECTED_SIG_LEN(x) (1) /* always true, ASN.1 will validate */
#elif defined(MCUBOOT_SIGN_ED25519) #elif defined(MCUBOOT_SIGN_ED25519)
# define EXPECTED_SIG_TLV IMAGE_TLV_ED25519 # define EXPECTED_SIG_TLV IMAGE_TLV_ED25519
# define SIG_BUF_SIZE 64 # define SIG_BUF_SIZE 64
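
Review bot: In both the MCUBOOT_SIGN_EC and MCUBOOT_SIGN_EC256 branches, EXPECTED_SIG_LEN(x) now expands to (1) and ignores x, so the macro no longer rejects any TLV length, including zero or one larger than SIG_BUF_SIZE (128). The visible lines do not show the length being compared against SIG_BUF_SIZE before the signature is read into the buffer, so please confirm that bound is enforced at the point of use, or keep it in the macro as ((x) <= SIG_BUF_SIZE). The new comment "always true, ASN.1 will validate" would also be more useful if it kept the largest valid encoding for each curve, which the old 64 and 72 values recorded.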