diff --git a/swugenerator/main.py b/swugenerator/main.py
index 22ff0ee..bca7ae8 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -119,16 +119,16 @@ def parse_signing_option(
 # Format : CMS,,
 else:
 return SWUSignCMS(sign_parms[1], sign_parms[2], None, None)
- if cmd == "RSA":
+ if cmd[:3] == "RSA":
 if len(sign_parms) not in (2, 3) or not all(sign_parms):
 raise InvalidSigningOption(
 "RSA requires private key and an optional password file"
 )
- # Format : RSA,,
+ # Format : RSA(PSS),,
 if len(sign_parms) == 3:
- return SWUSignRSA(sign_parms[1], sign_parms[2])
- # Format : RSA,
- return SWUSignRSA(sign_parms[1], None)
+ return SWUSignRSA(sign_parms[1], sign_parms[2], pss=True if cmd == "RSAPSS" else False)
+ # Format : RSA(PSS),
+ return SWUSignRSA(sign_parms[1], None, pss=True if cmd == "RSAPSS" else False)
 if cmd == "PKCS11":
 # Format : PKCS11,
 if len(sign_parms) != 2 or not all(sign_parms):
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index f73802e..54f721d 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -79,16 +79,21 @@ def prepare_cmd(self, sw_desc_in, sw_desc_sig):
 class SWUSignRSA(SWUSign):
- def __init__(self, key, passin):
+ def __init__(self, key, passin, pss=False):
 super().__init__()
 self.type = "RSA"
 self.key = key
 self.passin = passin
+ if pss == True:
+ self.pss_args = ["-sigopt rsa_padding_mode:pss", "-sigopt rsa_pss_saltlen:-2"]
+ else:
+ self.pss_args = []
 def prepare_cmd(self, sw_desc_in, sw_desc_sig):
 self.signcmd = (
 ["openssl", "dgst", "-sha256", "-sign", self.key]
 + self.get_passwd_file_args()
+ + self.pss_args
 + ["-out", sw_desc_sig, sw_desc_in]
 )
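Review bot: The new `if cmd[:3] == "RSA":` accepts any mode string that merely begins with "RSA", so a misspelling such as "RSA-PSS" or "RSAPS" is no longer rejected but silently signed with the default (non-PSS) padding, because `pss=True if cmd == "RSAPSS" else False` then evaluates to False for it. Matching the two supported spellings explicitly keeps unknown modes on the path they took before this change (presumably the error handling after the PKCS11 branch, which is outside the hunk): `if cmd in ("RSA", "RSAPSS"):`, and both constructor calls simplify to `pss=(cmd == "RSAPSS")`. The rewritten comments would be clearer as `# Format : RSA|RSAPSS,,` and `# Format : RSA|RSAPSS,` since "RSA(PSS)" is not a spelling the parser accepts, and the InvalidSigningOption message on the unchanged raise line still names only "RSA". parse_signing_option starts before and continues after this hunk.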
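Review bot: Each entry added to `self.pss_args` bundles the option and its value in one string (`"-sigopt rsa_padding_mode:pss"`); signcmd is built as an argv list (`["openssl", "dgst", "-sha256", "-sign", self.key]`), and if it is executed as one, openssl receives a single unrecognised option `-sigopt rsa_padding_mode:pss` and fails instead of producing a PSS signature. The list should be split per argument: `self.pss_args = ["-sigopt", "rsa_padding_mode:pss", "-sigopt", "rsa_pss_saltlen:-2"]`, and `if pss == True:` should read `if pss:`. A short comment on that line would help the next maintainer, e.g. `# -2 selects the maximum permissible salt length; the verifier on the target must accept it`, since a salt-length mismatch between signer and verifier makes every image fail verification rather than degrade gracefully. The blank context lines of this hunk are collapsed in this view, so its exact end is not visible here.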