
Add the possibility to sign with RSA PSS

Add the RSA PSS variant described in SWUpdate's documentation by
extending the RSA method.

Signed-off-by: Lisandro Perez Meyer <lpmeyer@ics.com>
Lisandro Perez Meyer 8 months ago
parent
commit
cbd0ed50a6
2 files changed with 11 additions and 1 deletion
  1. README (+3 -1)
  2. classes-recipe/swupdate-common.bbclass (+8 -0)

+ 3 - 1
README

@@ -50,7 +50,9 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment:
 
 1. RSA signing:
 
-  * Set variable: `SWUPDATE_SIGNING = "RSA"`
+  * Set variable: `SWUPDATE_SIGNING` according to the RSA type you want to use:
+     - For RSA PKCS#1.5 use `SWUPDATE_SIGNING = "RSA"`
+     - For RSA PSS use `SWUPDATE_SIGNING = "RSA-PSS"`
 
   * Set `SWUPDATE_PRIVATE_KEY` to the full path of private key file
 
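Review bot: The two added sub-bullets under "Set variable" do not say that the chosen value has to match the signature scheme the SWUpdate build on the target verifies, so a reader could switch to `RSA-PSS` here without touching the device side. A one-line pointer to the SWUpdate documentation that the commit message refers to would cover this. Smaller points: the scheme is normally written "PKCS#1 v1.5" rather than "PKCS#1.5", and the heading in the hunk context still says "3 signing mechanisms", which is fine only as long as RSA-PSS is presented as a variant of item 1.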

+ 8 - 0
classes-recipe/swupdate-common.bbclass

@@ -208,6 +208,14 @@ def prepare_sw_description(d):
             if not os.path.exists(privkey):
                 bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey))
             signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] + get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-out", sw_desc_sig, sw_desc]
+        elif signing == "RSA-PSS":
+            privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
+            if not privkey:
+                bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
+            if not os.path.exists(privkey):
+                bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey))
+            signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] + get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \
+                      ["-sigopt", "rsa_padding_mode:pss", "-sigopt", "rsa_pss_saltlen:-2", "-out", sw_desc_sig, sw_desc]
         elif signing == "CMS":
             cms_cert = d.getVar('SWUPDATE_CMS_CERT')
             if not cms_cert:
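Review bot: The new `elif signing == "RSA-PSS":` branch repeats the `SWUPDATE_PRIVATE_KEY` lookup and both `bb.fatal` checks that the RSA branch above it ends with, so the two can drift apart. Consider handling both values in one branch (for example `signing in ("RSA", "RSA-PSS")`) and appending the two `-sigopt` arguments only in the PSS case. The bare `-2` in `rsa_pss_saltlen:-2` is an OpenSSL salt-length constant a reader has to look up; a short comment stating what it selects and that it is the value SWUpdate's documentation uses would help whoever later has to match it on the verifying side. Also, `d.getVar('SWUPDATE_PRIVATE_KEY', True)` passes the explicit `True` while the CMS branch just below calls `d.getVar('SWUPDATE_CMS_CERT')` without it; pick one form for consistency.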