Fix NS350 RSA-4096 Failures #494

Merged
dgarske merged 6 commits into wolfSSL:master from aidangarske:fix-nations-ns350-failures
Apr 27, 2026

@aidangarske aidangarske commented Apr 24, 2026

Summary

Fix four host-side example failures against wolfTPM
4.0.0 on Nations NS350 with a 4096-bit RSA build, plus three same-class
issues uncovered while verifying the full example suite at RSA-4096.
No src/ or wolftpm/ changes.

Fixes

  • wrap_test → TPM_RC_TESTING (0x90a): message size hardcoded to
    256 bytes. Derive from keyBits/8 so RSA-4096 works. (6942a8e)
  • pkcs7 → BUFFER_E (0xffffff7c): MAX_PKCS7_SIZE was 2 KB, too
    small for an RSA-4096 signed blob. Gate on MAX_RSA_KEY_BITS so
    2048-bit builds are byte-identical. (90846ba)
  • nvram/read -aes → TPM_RC_INTEGRITY: hardcoded RSA SRK failed
    to load an ECC child. Pick SRK from keyBlob.pub.publicArea.type.
    (eea8741)
  • seal + keyload -persistent → TPM_RC_INTEGRITY: seal.c uses
    RSA SRK but keyload defaulted to ECC for KEYEDHASH blobs. Default
    keyload to RSA; switch to ECC only when the child is ECC. (34108a8)
  • keygen — aligned SRK default with keyload/seal so
    SYMCIPHER/KEYEDHASH blobs round-trip consistently. (52cdcdc)
  • csr — same buffer issue as pkcs7 in MAX_PEM_SIZE; same
    MAX_RSA_KEY_BITS gate. (ebb98f1)
  • native_test — flush unused EK before CreateLoaded so the test
    fits within NS350's 2-transient-object limit at RSA-4096. No-op on
    TPMs with spare object memory. (88c40e5)

  The RSA encrypt/decrypt test with TPM_ALG_NULL padding hardcoded
  message.size = 256, which is only valid for 2048-bit RSA keys.
  With TPM_ALG_NULL padding the TPM returns a full modulus-sized
  plaintext on decrypt, so with a 4096-bit key the 256-byte message
  never equals the 512-byte plaintext and the test reports
  TPM_RC_TESTING.

  Derive the message size from the key's own keyBits so the test
  passes for any modulus size.

  Reported against wolfTPM 4.0.0 on Nations NS350 hardware (NSING).

  MAX_PKCS7_SIZE aliased to MAX_CONTEXT_SIZE (2 KB), which is enough
  for an RSA-2048 signed blob but overflows at RSA-4096 where the
  signature alone is 512 B plus a ~1-1.5 KB cert and ASN.1 overhead.
  wc_PKCS7_EncodeSignedData then returned BUFFER_E (0xffffff7c).

  Gate on MAX_RSA_KEY_BITS so 2048-bit builds keep the exact same
  buffer size; 4096-bit builds (Nations NS350, Infineon SLB967x,
  or anyone overriding) get 4 KB.

  nvram/read hardcoded the RSA SRK, so an ECC child key retrieved
  from NV would be loaded under the RSA parent and fail with
  TPM_RC_INTEGRITY. Switch the SRK selection to mirror the approach
  already used in keygen/keyload: inspect keyBlob.pub.publicArea.type
  and load the matching RSA or ECC SRK.

  keyload defaulted srkAlg = TPM_ALG_ECC and only switched to RSA
  for TPM_ALG_RSA keys. A sealed KEYEDHASH blob (produced by
  examples/seal, which always uses the RSA SRK) therefore tried to
  load under the ECC SRK and failed with TPM_RC_INTEGRITY. SYMCIPHER
  blobs had the same issue.

  Invert the default to RSA (matching seal.c) and only switch to the
  ECC SRK when the stored key itself is ECC.

keygen defaulted srkAlg = TPM_ALG_ECC and only switched to RSA for
RSA keys, so SYMCIPHER and KEYEDHASH blobs were created under the
ECC SRK. After the prior keyload fix made keyload default to RSA
(matching seal.c), a sym/keyedhash blob produced by keygen could
not round-trip through keyload without a parent mismatch.

Invert the default to RSA (matching seal.c and keyload.c) and only
switch to the ECC SRK when the stored key itself is ECC. Keeps all
three tools aligned so any blob round-trips without callers having
to specify a parent.

MAX_PEM_SIZE aliased to MAX_CONTEXT_SIZE (2 KB), which is enough
for an RSA-2048 self-signed cert but overflows at RSA-4096 where
the signature alone is 512 B plus the cert body, ASN.1, and base64
overhead. wc_MakeCertReq / wc_MakeSelfSignedCert then returned
BUFFER_E (0xffffff7c / 0xffffff53).

Gate on MAX_RSA_KEY_BITS so 2048-bit builds keep the exact same
buffer size; 4096-bit builds (Nations NS350, Infineon SLB967x, or
anyone overriding) get 4 KB. Mirrors the fix already applied to
examples/pkcs7/pkcs7.c.
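
The SRK selection rules described above for seal, nvram/read, keygen and keyload, modelled as an added example (not code from this pull request or from wolfTPM). The function names are hypothetical and the TCG algorithm IDs are defined locally so the block builds without the wolfTPM headers; it counts which child key types end up with a different parent at create time and at load time, which is the condition the description reports as TPM_RC_INTEGRITY.

```c
#include <stddef.h>

/* TCG algorithm IDs (TPM 2.0 Library spec, Part 2), defined locally so
 * this added example builds without the wolfTPM headers. */
typedef unsigned short TPM_ALG_ID;
#define TPM_ALG_RSA       0x0001
#define TPM_ALG_KEYEDHASH 0x0008
#define TPM_ALG_ECC       0x0023
#define TPM_ALG_SYMCIPHER 0x0025

/* Hypothetical type: maps a child key type to the SRK a tool picks. */
typedef TPM_ALG_ID (*srk_rule)(TPM_ALG_ID childType);

/* seal.c, and nvram/read before the fix: always the RSA SRK. */
TPM_ALG_ID srk_always_rsa(TPM_ALG_ID childType)
{
    (void)childType;
    return TPM_ALG_RSA;
}

/* keygen/keyload before the fix: ECC SRK unless the child is RSA. */
TPM_ALG_ID srk_default_ecc(TPM_ALG_ID childType)
{
    return (childType == TPM_ALG_RSA) ? TPM_ALG_RSA : TPM_ALG_ECC;
}

/* Rule after the fix: RSA SRK unless the child itself is ECC. */
TPM_ALG_ID srk_default_rsa(TPM_ALG_ID childType)
{
    return (childType == TPM_ALG_ECC) ? TPM_ALG_ECC : TPM_ALG_RSA;
}

/* A blob loads only under the parent it was created under. */
int blob_loads(srk_rule create, srk_rule load, TPM_ALG_ID childType)
{
    return create(childType) == load(childType);
}

/* Number of child key types that fail to round-trip between two tools. */
int count_parent_mismatches(srk_rule create, srk_rule load)
{
    static const TPM_ALG_ID types[] = { TPM_ALG_RSA, TPM_ALG_KEYEDHASH,
                                        TPM_ALG_ECC, TPM_ALG_SYMCIPHER };
    int bad = 0;
    size_t i;
    for (i = 0; i < sizeof(types) / sizeof(types[0]); i++)
        bad += !blob_loads(create, load, types[i]);
    return bad;
}
```

Pairing the old keygen rule with the new keyload rule yields two mismatches (KEYEDHASH and SYMCIPHER), which is why keygen had to be aligned in the same change.
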
Copilot AI review requested due to automatic review settings April 24, 2026 23:39
@aidangarske aidangarske self-assigned this Apr 24, 2026

Copilot AI left a comment

Pull request overview

Updates host-side example code to run cleanly on Nations NS350 with RSA-4096 builds by removing RSA-2048 assumptions, sizing buffers appropriately, and aligning SRK selection with stored key types / device transient limits.

Changes:

  • Make RSA “no padding” encrypt/decrypt tests use modulus-sized plaintext buffers.
  • Increase PKCS7/CSR output buffer sizing when MAX_RSA_KEY_BITS is 4096.
  • Improve example robustness by selecting SRK algorithm based on key type and freeing a transient object slot earlier in native_test.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| examples/wrap/wrap_test.c | Sizes RSA NULL-pad message to modulus length to support RSA-4096 decrypt behavior. |
| examples/pkcs7/pkcs7.c | Increases MAX_PKCS7_SIZE for RSA-4096 builds to prevent buffer overflow. |
| examples/nvram/read.c | Chooses SRK algorithm based on stored key type (RSA vs ECC) before loading. |
| examples/native/native_test.c | Flushes EK earlier to fit within small TPM transient object limits. |
| examples/keygen/keyload.c | Defaults SRK to RSA and only switches to ECC SRK for ECC child keys. |
| examples/keygen/keygen.c | Aligns SRK default/selection logic with keyload for consistent round-trips. |
| examples/csr/csr.c | Increases MAX_PEM_SIZE for RSA-4096 builds to prevent buffer overflow. |

Comment thread examples/native/native_test.c Outdated
Comment thread examples/keygen/keyload.c
@aidangarske aidangarske force-pushed the fix-nations-ns350-failures branch from 88c40e5 to 26090da Compare April 25, 2026 00:15
@aidangarske aidangarske requested a review from dgarske April 25, 2026 00:15
@aidangarske aidangarske force-pushed the fix-nations-ns350-failures branch from 26090da to ebb98f1 Compare April 27, 2026 17:00
@dgarske dgarske merged commit 5a093ac into wolfSSL:master Apr 27, 2026
123 checks passed
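
The wrap_test failure with TPM_ALG_NULL padding, reproduced without a TPM as an added example (not code from this pull request or from wolfTPM). All function names are hypothetical, and the round trip is modelled on the assumption that a no-padding result is the message left-padded with zeros to the modulus length; the description above only states that the plaintext comes back modulus-sized.

```c
#include <stddef.h>
#include <string.h>

/* Model of a no-padding RSA round trip: the result is always
 * modulus-sized, so shorter input comes back left-padded with zeros
 * (modelling assumption). Returns the plaintext length, 0 on error. */
size_t model_null_pad_roundtrip(const unsigned char *msg, size_t msgLen,
                                unsigned keyBits,
                                unsigned char *out, size_t outCap)
{
    size_t n = keyBits / 8;            /* modulus size in bytes */
    if (msgLen > n || outCap < n)
        return 0;
    memset(out, 0, n - msgLen);
    memcpy(out + (n - msgLen), msg, msgLen);
    return n;
}

/* The comparison a round-trip test makes: same size and same bytes. */
int roundtrip_matches(const unsigned char *msg, size_t msgLen,
                      const unsigned char *out, size_t outLen)
{
    return outLen == msgLen && memcmp(msg, out, msgLen) == 0;
}

/* Runs one round trip. Returns 1 on match, 0 on mismatch, -1 on error.
 * The message bytes are constructed sample data. */
int test_null_pad(unsigned keyBits, size_t msgLen)
{
    unsigned char msg[512], out[512];
    size_t outLen;

    if (msgLen > sizeof(msg))
        return -1;
    memset(msg, 0x11, msgLen);
    outLen = model_null_pad_roundtrip(msg, msgLen, keyBits,
                                      out, sizeof(out));
    if (outLen == 0)
        return -1;
    return roundtrip_matches(msg, msgLen, out, outLen);
}
```
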