CR50: add support for 4k RSA verify

Add support for verifying messages signed
with 4096-bit RSA keys.  Such messages may
be generated by host side applications.

Also update tpmtest.py to test 4k verification.

BRANCH=none
BUG=none
TEST=added new tests to tpmtest.py; TCG tests pass

Change-Id: I7450bd710c154c68c030ce176bfe7becbfbcb729
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/428220
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Marius Schilder <mschilder@chromium.org>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

9 files changed, 309 insertions, 51 deletions

diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 9cc1d9ed7f..52507c985f 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -472,7 +472,14 @@ enum {
 	TEST_X509_VERIFY = 7,
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_768_N = {
+/* Test support for RSA 2k (signing / encryption) and RSA 4k
+ * (verification) without changing the default value for
+ * MAX_RSA_KEY_BYTES (which corresponds to RSA 2k) in
+ * tpm2/tpm_types.h.
+ */
+TPM2B_BYTE_VALUE(512);
+
+static const TPM2B_512_BYTE_VALUE RSA_768_N = {
 	.t = {96, {
 			0xb0, 0xdb, 0xed, 0x46, 0xd9, 0x32, 0xf0, 0x7c,
 			0xd4, 0x20, 0x23, 0xd2, 0x35, 0x5a, 0x86, 0x17,
@@ -490,7 +497,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_768_N = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_768_D = {
+static const TPM2B_512_BYTE_VALUE RSA_768_D = {
 	.t = {96, {
 			0xae, 0xad, 0xb9, 0x50, 0x25, 0x8c, 0x1b, 0x5c,
 			0x9f, 0x42, 0xd3, 0x3e, 0x76, 0x75, 0xdf, 0x45,
@@ -508,7 +515,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_768_D = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_768_P = {
+static const TPM2B_512_BYTE_VALUE RSA_768_P = {
 	.t = {48, {
 			0xd6, 0x09, 0x64, 0xc8, 0xf3, 0x5c, 0x02, 0xc7,
 			0xc6, 0x47, 0x4e, 0x7f, 0x43, 0x9d, 0x31, 0x46,
@@ -520,7 +527,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_768_P = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_768_Q = {
+static const TPM2B_512_BYTE_VALUE RSA_768_Q = {
 	.t = {48, {
 			0xd3, 0x88, 0x92, 0x2d, 0xd5, 0xc6, 0x29, 0xf4,
 			0xf0, 0x2e, 0x61, 0xf0, 0x60, 0xad, 0xa9, 0x46,
@@ -532,7 +539,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_768_Q = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_1024_N = {
+static const TPM2B_512_BYTE_VALUE RSA_1024_N = {
 	.t = {128, {
 			0xdf, 0x4e, 0xaf, 0x73, 0x45, 0x94, 0x98, 0x34,
 			0x30, 0x7e, 0x26, 0xad, 0x40, 0x83, 0xf9, 0x17,
@@ -554,7 +561,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_1024_N = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_1024_D = {
+static const TPM2B_512_BYTE_VALUE RSA_1024_D = {
 	.t = {128, {
 			0x9a, 0x6d, 0x85, 0xf4, 0x07, 0xa8, 0x6d, 0x61,
 			0x9a, 0x2f, 0x83, 0x7b, 0xc8, 0xe3, 0xfb, 0x7c,
@@ -576,7 +583,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_1024_D = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_1024_P = {
+static const TPM2B_512_BYTE_VALUE RSA_1024_P = {
 	.t = {64, {
 			0xf9, 0x5e, 0x79, 0x65, 0x43, 0x70, 0x40, 0x83,
 			0x50, 0x0a, 0xbb, 0x61, 0xb3, 0x87, 0x7b, 0x24,
@@ -590,7 +597,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_1024_P = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_1024_Q = {
+static const TPM2B_512_BYTE_VALUE RSA_1024_Q = {
 	.t = {64, {
 			0xe5, 0x3e, 0xcd, 0x4b, 0x97, 0xc5, 0x96, 0x39,
 			0x70, 0x97, 0x3a, 0x10, 0xa9, 0xc3, 0x35, 0x0a,
@@ -604,7 +611,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_1024_Q = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_2048_N = {
+static const TPM2B_512_BYTE_VALUE RSA_2048_N = {
 	.t = {256, {
 			0x9c, 0xd7, 0x61, 0x2e, 0x43, 0x8e, 0x15, 0xbe,
 			0xcd, 0x73, 0x9f, 0xb7, 0xf5, 0x86, 0x4b, 0xe3,
@@ -754,7 +761,7 @@ static const uint8_t RSA_2048_CERT[] = {
 	0x57
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_2048_D = {
+static const TPM2B_512_BYTE_VALUE RSA_2048_D = {
 	.t  = {256, {
 			0x4e, 0x9d, 0x02, 0x1f, 0xdf, 0x4a, 0x8b, 0x89,
 			0xbc, 0x8f, 0x14, 0xe2, 0x6f, 0x15, 0x66, 0x5a,
@@ -792,7 +799,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_2048_D = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_2048_P = {
+static const TPM2B_512_BYTE_VALUE RSA_2048_P = {
 	.t  = {128, {
 			0xc8, 0x80, 0x6f, 0xf6, 0x2f, 0xfb, 0x49, 0x8b,
 			0x77, 0x39, 0xe2, 0x3d, 0x3d, 0x1f, 0x4d, 0xf9,
@@ -814,7 +821,7 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_2048_P = {
 	}
 };
 
-static const TPM2B_PUBLIC_KEY_RSA RSA_2048_Q = {
+static const TPM2B_512_BYTE_VALUE RSA_2048_Q = {
 	.t  = {128, {
 			0xc8, 0x41, 0x2a, 0x42, 0xf1, 0x6a, 0x81, 0xac,
 			0x06, 0xab, 0xd0, 0xb7, 0xc0, 0xbb, 0xc6, 0x13,
@@ -836,7 +843,77 @@ static const TPM2B_PUBLIC_KEY_RSA RSA_2048_Q = {
 	}
 };
 
-#define MAX_MSG_BYTES RSA_MAX_BYTES
+static const TPM2B_512_BYTE_VALUE RSA_4096_N = {
+	.t  = {512, {
+			0xB4, 0xD2, 0xAB, 0x9C, 0xFA, 0x42, 0x9A, 0x37,
+			0x70, 0x2A, 0xE4, 0x2D, 0x87, 0x67, 0x7F, 0x15,
+			0xB6, 0x31, 0x06, 0x06, 0xD5, 0x5A, 0xE9, 0x8E,
+			0xA9, 0xD4, 0x6D, 0x6B, 0x92, 0xB9, 0x63, 0x37,
+			0x7D, 0x9C, 0xF0, 0xCA, 0x0A, 0x44, 0x19, 0xF0,
+			0x71, 0xA7, 0x4C, 0xE0, 0x90, 0x9C, 0xBE, 0x69,
+			0x4A, 0x9C, 0x55, 0x18, 0xB3, 0x42, 0x43, 0xD9,
+			0x6C, 0x65, 0xFD, 0xD1, 0xCF, 0x20, 0x0C, 0x92,
+			0x34, 0x27, 0x46, 0x48, 0x58, 0x0B, 0x13, 0xCD,
+			0xF1, 0x67, 0x70, 0x02, 0x7E, 0xE7, 0x4C, 0xA9,
+			0xD8, 0xFD, 0x48, 0x17, 0x80, 0xF6, 0x01, 0x0E,
+			0x61, 0xB0, 0xBE, 0xEF, 0x87, 0x2B, 0x71, 0x0E,
+			0x65, 0x81, 0xC1, 0x50, 0xCE, 0xB8, 0x65, 0xD2,
+			0xD7, 0xFA, 0x76, 0xC4, 0xB7, 0x13, 0xD9, 0xED,
+			0xDA, 0xD6, 0x9F, 0x9E, 0x10, 0xB2, 0x50, 0xF4,
+			0xFD, 0xF4, 0xF9, 0xEC, 0xD8, 0x33, 0x56, 0xEF,
+			0xF4, 0x22, 0xD3, 0xC2, 0xBA, 0x49, 0xD5, 0xA9,
+			0x0B, 0xB0, 0x18, 0xA3, 0xD9, 0x26, 0xCD, 0x27,
+			0x76, 0x6A, 0x72, 0x1B, 0x31, 0xAC, 0x3D, 0x42,
+			0xE8, 0xD9, 0x26, 0xD3, 0x90, 0xBB, 0x39, 0x64,
+			0xBB, 0xEA, 0x89, 0x0B, 0x7A, 0xB4, 0x88, 0x39,
+			0xEA, 0xE9, 0xCA, 0x19, 0x8C, 0x42, 0xFB, 0x69,
+			0x22, 0xCA, 0x8E, 0xBD, 0x6C, 0x73, 0xB7, 0x88,
+			0xA0, 0xA1, 0x19, 0xA8, 0xFA, 0x94, 0x55, 0x20,
+			0x6F, 0x80, 0xBA, 0xD7, 0x69, 0x12, 0x1F, 0x74,
+			0x82, 0xEC, 0xAF, 0xEE, 0x28, 0xAF, 0xCD, 0xDA,
+			0xAD, 0x1B, 0x5B, 0x54, 0xE4, 0x2B, 0xEF, 0x0C,
+			0x4D, 0xD1, 0xAB, 0xD7, 0x03, 0xC4, 0xA4, 0x99,
+			0xA0, 0xBC, 0x7E, 0x9D, 0x3C, 0x2F, 0x34, 0x3B,
+			0xD5, 0xDD, 0x6A, 0xED, 0xA6, 0x19, 0x93, 0x83,
+			0xBE, 0xE2, 0xD4, 0x6F, 0x92, 0xFF, 0x55, 0xA7,
+			0xF7, 0x67, 0xEB, 0xE3, 0x46, 0xD3, 0xE7, 0x6D,
+			0xC0, 0x29, 0x95, 0x2B, 0xBF, 0xDD, 0xB4, 0x93,
+			0xBB, 0x45, 0x01, 0xFC, 0x53, 0x21, 0xCE, 0x9F,
+			0x8B, 0x90, 0x80, 0x09, 0xBA, 0x1A, 0x6E, 0x08,
+			0x87, 0x15, 0xB4, 0x74, 0xA3, 0xDC, 0xBB, 0xDB,
+			0x45, 0xF2, 0x38, 0x20, 0x85, 0xC3, 0x9E, 0x4A,
+			0x45, 0x1E, 0x75, 0x18, 0x05, 0x42, 0x86, 0xAD,
+			0x47, 0xE6, 0xAA, 0xED, 0x88, 0x9A, 0x9F, 0x37,
+			0xA3, 0xB8, 0xC7, 0x99, 0x35, 0xE2, 0xA8, 0x8E,
+			0x9D, 0x2E, 0xBC, 0xF2, 0x64, 0x48, 0xC3, 0x63,
+			0x4F, 0x1C, 0xD0, 0x45, 0xC3, 0x41, 0xA1, 0xBE,
+			0xE5, 0xC2, 0xA4, 0x5D, 0x45, 0xF0, 0x03, 0x83,
+			0xC9, 0x80, 0x4C, 0x68, 0xF0, 0xD1, 0xDA, 0xF1,
+			0x51, 0x81, 0xD5, 0xFE, 0xC4, 0xE8, 0x8A, 0xD6,
+			0x32, 0x95, 0x38, 0xD8, 0x3B, 0xDA, 0xF7, 0x8C,
+			0x5C, 0x6B, 0x01, 0xF4, 0x6E, 0x12, 0xB5, 0xB6,
+			0x36, 0xE3, 0xD1, 0xAA, 0x49, 0x44, 0x6A, 0xF3,
+			0xE6, 0x7B, 0x19, 0x7D, 0xF8, 0x35, 0xCB, 0x2D,
+			0xB8, 0x62, 0x54, 0xCF, 0x2D, 0x66, 0xB3, 0x7F,
+			0xE0, 0x37, 0x65, 0x19, 0x82, 0xD6, 0x88, 0x24,
+			0xC2, 0x31, 0x7E, 0x1F, 0x6E, 0xDA, 0x4B, 0x28,
+			0xAF, 0x5E, 0x2B, 0xE8, 0x34, 0xB2, 0xDC, 0xC7,
+			0xD1, 0x95, 0x0C, 0x94, 0xE7, 0x09, 0xA0, 0xED,
+			0xAA, 0x91, 0x2F, 0x91, 0x6F, 0xF0, 0x00, 0xDF,
+			0x0D, 0x46, 0xEF, 0xD2, 0x59, 0x7B, 0x65, 0xCE,
+			0xA2, 0xED, 0x8A, 0xE2, 0x1E, 0xD0, 0xE1, 0x93,
+			0x72, 0x7F, 0x18, 0x79, 0x18, 0x35, 0xF3, 0xCA,
+			0xDB, 0x01, 0x5F, 0x09, 0x48, 0x21, 0x45, 0xFE,
+			0x89, 0x44, 0xED, 0x07, 0x79, 0x68, 0x32, 0xD8,
+			0xD6, 0x8B, 0xA0, 0xC6, 0xDC, 0xF9, 0x56, 0x89,
+			0x5B, 0xCE, 0x35, 0x05, 0xE9, 0xC1, 0x4A, 0x1E,
+			0x24, 0x0B, 0xC8, 0x73, 0x18, 0x19, 0x6B, 0xED,
+			0xF9, 0x3E, 0x92, 0x92, 0xF2, 0x0B, 0x75, 0x25,
+		}
+	}
+};
+
+#define MAX_MSG_BYTES 512
 #define MAX_LABEL_LEN 32
 
 /* 128-byte buffer to hold entropy for generating a
@@ -858,10 +935,10 @@ static void rsa_command_handler(void *cmd_body,
 	uint16_t digest_len;
 	uint8_t digest[SHA_DIGEST_MAX_BYTES];
 	uint8_t *out = (uint8_t *) cmd_body;
-	TPM2B_PUBLIC_KEY_RSA N;
-	TPM2B_PUBLIC_KEY_RSA d;
-	TPM2B_PUBLIC_KEY_RSA p;
-	TPM2B_PUBLIC_KEY_RSA q;
+	TPM2B_512_BYTE_VALUE N;
+	TPM2B_512_BYTE_VALUE d;
+	TPM2B_512_BYTE_VALUE p;
+	TPM2B_512_BYTE_VALUE q;
 	RSA_KEY key;
 	uint32_t *response_size = (uint32_t *) response_size_out;
 	TPM2B_PUBLIC_KEY_RSA rsa_d;
@@ -942,6 +1019,10 @@ static void rsa_command_handler(void *cmd_body,
 		rsa_n.b.size = RSA_2048_N.b.size;
 		rsa_d.b.size = RSA_2048_D.b.size;
 		break;
+	case 4096:
+		N = RSA_4096_N;
+		rsa_n.b.size = RSA_4096_N.b.size;
+		break;
 	default:
 		*response_size = 0;
 		return;
diff --git a/chip/g/dcrypto/bn_hw.c b/chip/g/dcrypto/bn_hw.c
index d0e6377148..e1a0798ff8 100644
--- a/chip/g/dcrypto/bn_hw.c
+++ b/chip/g/dcrypto/bn_hw.c
@@ -2,6 +2,7 @@
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
+#include "dcrypto.h"
 #include "internal.h"
 #include "registers.h"
 #include "trng.h"
@@ -1017,12 +1018,12 @@ struct DMEM_montmul {
 	struct DMEM_montmul_ptrs sqr_ptrs;
 	struct DMEM_montmul_ptrs mul_ptrs;
 	struct DMEM_montmul_ptrs out_ptrs;
-	uint32_t mod[64];
+	uint32_t mod[RSA_WORDS_4K];
 	uint32_t dInv[8];
-	uint32_t RR[64];
-	uint32_t in[64];
-	uint32_t exp[64];
-	uint32_t out[64];
+	uint32_t RR[RSA_WORDS_4K];
+	uint32_t in[RSA_WORDS_4K];
+	uint32_t exp[RSA_WORDS_4K];
+	uint32_t out[RSA_WORDS_4K];
 };
 
 #define DMEM_CELL_SIZE 32
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index b7980dee15..5e17dd3c13 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -134,8 +134,17 @@ void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len);
  *  RSA.
  */
 
-/* Largest supported key size, 2048-bits. */
-#define RSA_MAX_BYTES   256
+/* Largest supported key size for signing / encryption: 2048-bits.
+ * Verification is a special case and supports 4096-bits (signing /
+ * decryption could also support 4k-RSA, but is disabled since support
+ * is not required, and enabling support would result in increased
+ * stack usage for all key sizes.)
+ */
+#define RSA_BYTES_2K    256
+#define RSA_BYTES_4K    512
+#define RSA_WORDS_2K    (RSA_BYTES_2K / sizeof(uint32_t))
+#define RSA_WORDS_4K    (RSA_BYTES_4K / sizeof(uint32_t))
+#define RSA_MAX_BYTES   RSA_BYTES_2K
 #define RSA_MAX_WORDS   (RSA_MAX_BYTES / sizeof(uint32_t))
 #define RSA_F4          65537
 
diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c
index eb567582e4..898482f38e 100644
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -452,9 +452,10 @@ static int check_pkcs1_pss_pad(const uint8_t *in, uint32_t in_len,
 	return !bad;
 }
 
-static int check_modulus_params(const struct LITE_BIGNUM *N, uint32_t *out_len)
+static int check_modulus_params(
+	const struct LITE_BIGNUM *N, size_t rsa_max_bytes, uint32_t *out_len)
 {
-	if (bn_size(N) > RSA_MAX_BYTES)
+	if (bn_size(N) > rsa_max_bytes)
 		return 0;                      /* Unsupported key size. */
 	if (!bn_check_topbit(N))               /* Check that top bit is set. */
 		return 0;
@@ -476,7 +477,7 @@ int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 	struct LITE_BIGNUM e;
 	struct LITE_BIGNUM encrypted;
 
-	if (!check_modulus_params(&rsa->N, out_len))
+	if (!check_modulus_params(&rsa->N, sizeof(padded_buf), out_len))
 		return 0;
 
 	bn_init(&padded, padded_buf, bn_size(&rsa->N));
@@ -536,7 +537,7 @@ int DCRYPTO_rsa_decrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 	struct LITE_BIGNUM padded;
 	int ret = 1;
 
-	if (!check_modulus_params(&rsa->N, NULL))
+	if (!check_modulus_params(&rsa->N, sizeof(padded_buf), NULL))
 		return 0;
 	if (in_len != bn_size(&rsa->N))
 		return 0;                      /* Invalid input length. */
@@ -592,7 +593,7 @@ int DCRYPTO_rsa_sign(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 	struct LITE_BIGNUM padded;
 	struct LITE_BIGNUM signature;
 
-	if (!check_modulus_params(&rsa->N, out_len))
+	if (!check_modulus_params(&rsa->N, sizeof(padded_buf), out_len))
 		return 0;
 
 	bn_init(&padded, padded_buf, bn_size(&rsa->N));
@@ -629,8 +630,8 @@ int DCRYPTO_rsa_verify(const struct RSA *rsa, const uint8_t *digest,
 		const uint32_t sig_len,	enum padding_mode padding,
 		enum hashing_mode hashing)
 {
-	uint32_t padded_buf[RSA_MAX_WORDS];
-	uint32_t signature_buf[RSA_MAX_WORDS];
+	uint32_t padded_buf[RSA_WORDS_4K];
+	uint32_t signature_buf[RSA_WORDS_4K];
 	uint32_t e_buf[LITE_BN_BYTES / sizeof(uint32_t)];
 
 	struct LITE_BIGNUM padded;
@@ -638,7 +639,7 @@ int DCRYPTO_rsa_verify(const struct RSA *rsa, const uint8_t *digest,
 	struct LITE_BIGNUM e;
 	int ret = 1;
 
-	if (!check_modulus_params(&rsa->N, NULL))
+	if (!check_modulus_params(&rsa->N, sizeof(padded_buf), NULL))
 		return 0;
 	if (sig_len != bn_size(&rsa->N))
 		return 0;                      /* Invalid input length. */
@@ -650,10 +651,10 @@ int DCRYPTO_rsa_verify(const struct RSA *rsa, const uint8_t *digest,
 	BN_DIGIT(&e, 0) = rsa->e;
 
 	/* Reverse from big-endian to little-endian notation. */
-	reverse((uint8_t *) signature.d, signature.dmax * LITE_BN_BYTES);
+	reverse((uint8_t *) signature.d, bn_size(&signature));
 	bn_mont_modexp(&padded, &signature, &e, &rsa->N);
 	/* Back to big-endian notation. */
-	reverse((uint8_t *) padded.d, padded.dmax * LITE_BN_BYTES);
+	reverse((uint8_t *) padded.d, bn_size(&padded));
 
 	switch (padding) {
 	case PADDING_MODE_PKCS1:
diff --git a/test/tpm_test/rsa1024.pem b/test/tpm_test/rsa1024.pem
new file mode 100644
index 0000000000..3a349130f0
--- /dev/null
+++ b/test/tpm_test/rsa1024.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDfTq9zRZSYNDB+Jq1Ag/kXIbBOGw1qRM5OPi5yTJffiYo5ECWu
+IEzyOyCypRDdsmtiTqafkkrZhpfMcCA7ajJjyn9Z+1e2qZnp0C4PHNR9i6C9D9LV
+Ox8RtGqUz08KK0Tn+mskkbSCH/Z1tpHFoPYv1f8Qc5s09nqII6lCPKgkkQIDAQAB
+AoGBAJpthfQHqG1hmi+De8jj+3y9tXkuSCa3kpyVb/VndpgGO+qeehBjEhNqRICG
+mpVWb+C6V4x+1Ph9lbixyfiMxm7le6CvoE5OhNeXuVrdMuUr5YCzsr9W/wHc5qZs
+SoEdj+pL7SQI9GevDfL9Nz8xJfruNbDbZhH/SeHl/xvMww4JAkEA+V55ZUNwQINQ
+Crths4d7JI8qA1u1S5SUZ6qY1hRAkDykDW1YMcVC8S0VDufN5j7K2JQ3qkzW8yEu
+pP4deUTXswJBAOU+zUuXxZY5cJc6EKnDNQrWK/USjbLACxxfoAuGg6eQ6fgWkp/O
+E0wU6J5MJO//WCIG+c/9Gbcj+eOz43qbsKsCQFYw7Uyu7pGd0YCkG7Tt0wZj5WWb
+wSIKjPD36jO0dExmaV2quZ0aTXUG3Ax22pgGhB4vvL3EKVeH1JN6sb1EqjkCQC8X
+yqanxABLRnTaicfGASR7wMX0jMVWrDGk90TG2k7W9yluwaowdEhh1zOFouTmiJ1c
+3365mMnFizUapDVwvEcCQGqkxcod+m/s4Zq2a9DAyfN3FD2AtJ7QasveLXvR16Od
+MRa0hOWA8d3hh+eHU8DsJ+csEuKeDui3tV4kY0UTF0Y=
+-----END RSA PRIVATE KEY-----
diff --git a/test/tpm_test/rsa2048.pem b/test/tpm_test/rsa2048.pem
new file mode 100644
index 0000000000..8031296fbd
--- /dev/null
+++ b/test/tpm_test/rsa2048.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAnNdhLkOOFb7Nc5+39YZL45WQXIUZTB0uLO9uH+11Mg8KwXKf
+DHhQopmCU5C+ZCNJdXsM6y1ol9avsaoq3l6b4wYN8qzZ1x9Qbsld67TwwJgjBDBG
+ENzUa1fHMMMG3a9RbkBB+BDeSRhSsxjKSVCoOs22lHvb8S0FzlcLvjhIu8mxdja4
+qMziB1zIe8/P8Pqjxdc6XrL0v+rC7VEWopKcNqaGDiSlZhXnlyJQBP/JTbC8JwVe
+LPfv3F1YoTtgg7eMt9A2bVUuBSNjdEqXN6d4QO8+Zv26brNySiGCHzOtYgzyGtJq
+tafyUWkfOKVXmsWIZ+MRplNPsekHQd7o35OpmQIDAQABAoIBAE6dAh/fSouJvI8U
+4m8VZlpncBl/uUNWaPuq8ybbrd9ufLSj0Ca+86Pcj9908IleyoYxLDOA6ikZOa0y
+nxQglcBAG6OkkffqwTUWh5YKdpYCa6LA043GMk6vi67cQkfBhW5elPJS+ifnIiSU
+62e+HuSCkd5xCrgjGgLnzIIG0iYVVJdSzfU/bca5cDC+xYimsGUWnEyE4npu6ce9
+z0Un/BnGIx0riKJnH8LW06B5+7/qOKjfT7ybju4Et3wA15UaA4J66EG4sa9/8TCJ
+Vm0HEVV53WgPgghczCRHVGiG8fA/UhCt5BYzFgIhYuMvXesiW2S0KSJ0JCmpTGaE
+McqZlfUCgYEAyIBv9i/7SYt3OeI9PR9N+btUBg1xv1SxHqIgft3PIRbpwLqUAtKk
+Lng8+2Sg5+knZCkZdMV3u+FttIMdQ1qAcuw8MsMgLM73uvbGDPRW/d8hVfPiViWm
+s5aknLj9nOyH+toupPYPFOaBIoTnwB3RP+2wutjk6dQYM64pUXl50Q8CgYEAyEEq
+QvFqgawGq9C3wLvGE939Xjx3/sEudvCUwF0kizAN+CrHJngbgVpClq33DqQbLI84
+BgWNmG43ZbQsgOI41XnS6mLyMqx7iJDDTp5T5X7vE7Hj1UHRqRUEPGF0XhoAXIqL
+F9V4rV7gzzVjCpUecL6X8tN4BoqImyfIsrE9itcCgYA0NHzydPvQ4mdgwu9/Aq+i
+3ou6J7X+Q2b6uuwLHGXaD8U9UVdIhOAK2XPHYSQkPijrg2gFZ4UNfly6K4lrCB15
+zti9vuCZyinmnGpk5RnhcD+VybKdC6CkEg06YVBnk460Wira+NZkcsAc5M4Sz7C0
+HIdvnxm7aGYEzswjUqXNMQKBgEA49e7GMdwoaXNM2sGK9vmEJi/EwM8I8XffrDUN
+Kh0hajl+rqPdvSR86AIfBK7DXpupytPTkBeksUuCvwsOgh+klEnrNbWer3eaxag/
+CrT9QntUf7bzBuRtAxDCSGmteRQ0smsQYUVoujx56KuKK1sJJP4RZ9rhLvJjjfAQ
++6W9AoGBAL0hOd3kCVY8kxDQry9M30lPZcftJga2IxTErBex60rA9ifmHLm4iFXt
+/e52/1OZVE4Cf7QFEFeSLiBA+U8I0FdV4VMyrfTpjKNVBIDB7JmskdhQbIPXOZzY
+fC2yxCmVsD6PjMDDlT//ck5AQVrktdDpwBj3OX7JSc31KOMBb8FU
+-----END RSA PRIVATE KEY-----
diff --git a/test/tpm_test/rsa4096.pem b/test/tpm_test/rsa4096.pem
new file mode 100644
index 0000000000..c1f82a2d38
--- /dev/null
+++ b/test/tpm_test/rsa4096.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEAtNKrnPpCmjdwKuQth2d/FbYxBgbVWumOqdRta5K5Yzd9nPDK
+CkQZ8HGnTOCQnL5pSpxVGLNCQ9lsZf3RzyAMkjQnRkhYCxPN8WdwAn7nTKnY/UgX
+gPYBDmGwvu+HK3EOZYHBUM64ZdLX+nbEtxPZ7drWn54QslD0/fT57NgzVu/0ItPC
+uknVqQuwGKPZJs0ndmpyGzGsPULo2SbTkLs5ZLvqiQt6tIg56unKGYxC+2kiyo69
+bHO3iKChGaj6lFUgb4C612kSH3SC7K/uKK/N2q0bW1TkK+8MTdGr1wPEpJmgvH6d
+PC80O9Xdau2mGZODvuLUb5L/Vaf3Z+vjRtPnbcAplSu/3bSTu0UB/FMhzp+LkIAJ
+uhpuCIcVtHSj3LvbRfI4IIXDnkpFHnUYBUKGrUfmqu2Imp83o7jHmTXiqI6dLrzy
+ZEjDY08c0EXDQaG+5cKkXUXwA4PJgExo8NHa8VGB1f7E6IrWMpU42Dva94xcawH0
+bhK1tjbj0apJRGrz5nsZffg1yy24YlTPLWazf+A3ZRmC1ogkwjF+H27aSyivXivo
+NLLcx9GVDJTnCaDtqpEvkW/wAN8NRu/SWXtlzqLtiuIe0OGTcn8YeRg188rbAV8J
+SCFF/olE7Qd5aDLY1ougxtz5VolbzjUF6cFKHiQLyHMYGWvt+T6SkvILdSUCAwEA
+AQKCAgBWbFY/edE5WgPPTC2CiPHRk7mMktmIURaxjukZQBBBHnV3/BHkpDXtmLSI
+ZtBXSh6S3XNCkfK68QEBIjYUE9JOUoTu74a9DKMinPiJCNRN7OPb8ofhSDKrB//s
+0hi9p5Rk6YZWs+aoLAS0He3ZPrCrISvxMB/0ygK+GkcVbyPiil8aAjIQzVdEK2Tn
+8e/Ivsb8rtWIr84NnZwipY76nrFItxPamlT0UiO0ZjcEzOf6t348Z8qbOhdfQr6c
+wAm7uY/+Gv2yFPLne81TiKaAZb4ypQftN/6yDNfJncvOwWtL7G1Jig5mhH0nmAjy
+oVEA6mNOaaV1CkHlU5lI3xJKeN8j5DWPVu8+12gCjQgasBwo9aEMgNZgu+GYJEt5
+YnNZNz0aYcwajRGrOnrGQBMdlj97ZGgJQableFqWxjxx2TnUuhr6jj62fyMB5FBh
+zVeFesLIvoobRXxYC7vpe1oyfy+hJjTrmDlhQiBLpX4zoAJG3qgqtuQPWrM3dkjT
+yESNSMoLIL2WA2XclWWlH/nQDYGB3HzJtJeg+M6+EDRxTL+pgTgsWxDIkizSiI1c
+Ums7slNfSrNlPPt8hCqyI+Hm+CjgSSXM8//mZjgWI0Req3Pj6aiYeCMJbSyNTJK1
+J4S4MNcLmG0c4rxd1SH9b3S9cIesKLibkl9X23pF8jW7xXxDZQKCAQEA596OJByw
+BAqoj/Vor3SOdnpTmXLpqNAT4YsmA4futyySPGuVaP4dypGrZhu6OTrnuQaUxcad
+3bbnpZeM6UQKoEbN7egCruWSx6h9wi3qzdXjm1OiLnTsPzKGm5U3nvp1CIZCUoay
+ceNWWeDcNTmZupnjKkG8RUpdqAy5pytji81L2y8eT38EbHLPVN5QpaJ9NS1TzuFF
+qZeOD3CbkxfNp1fy39dVq5Zx3n8Eg3vi6LvHWTYY6i4eG5HP5adb/CnT2MO7T//P
+qRb0ERIBmR+R+BTkBXQFUc65mTuV4XCxmvA4Nz8ydk5+4Gh6s5PZwiazeDH87Eup
+awv2b/pZsxr8twKCAQEAx6Qj7vE5MRSFA193+OnLgp4pikCosEzv+xcXmaYeuVmi
+H3RSexwM9QwtPy2cd9vIAsnG+o1aUTkU7I+MO4ZFLHp7DNVuXDS3hHPjYYx5GC87
+7NsTP3+fXNCJDsb5lO812BkTEijNcokazim9vyJxNL/2GDmYNPL1KcN0KTMhskdi
+3vBscyQ+lYMcqL6fi25mNL1F+JKIA7dT7yoEnvx9xqJPmvlktogILmfoowfdpi5k
+h6FVq40XyLpBQ/M2GiDmL4PNSLSAFnVhab8mh2ULGrMSGy/a6BEHz7qa18mjGseO
+NXL4FlVyfdsv3CWlitQqoiKUnwHnHeuNr28W6vh5AwKCAQAr4be+59r7+NRr4kL8
+qa9ohsAZk2DbPP32OnJoSqqH6hyG6MlvBGC4/JaWjXrR5+8A2lj/kRZBZqMyeJsH
+boQgTyYb90PCu9nqhV2/iRcd+3PG6q4P4rrvPu2wti2/naDWiyo0Gh/dY+vsuJyU
+SiFo6kTOs4AhEPDmo/nixFhjlefcRG+VFfHNYHESm7xhjH3ruXdZ+NJJRVByZZpb
+3S5jlEZ3zHX/Mkq8lAdTpveLmjYhERboAvBZwV+6E9FZyMS6ClkBy+UOGDT6ohDB
+XPMwIywASDPVhq0jbd5wuvYx33KUKhavwy1J5RwLrliQ4OgoQDWgtrUKeEocaSHe
+vqXDAoIBAEYG4UPTAUih9fY06pQ5DdWHPPLtsz4D/rmIZBLVHjnNovx9hOEB+dmK
+p+RdT2ELiqDPvifspR2QdDJ2N645btInNDpQMyHMrAKd08hHycId71spjRrc3T1l
+OG4ihTEkpzJhuTrJbScbyHdAVPpSTns+Skg9C5KnFi/MC1bYRJ2QRLIGi0PoFrvC
+/a6DDtuNofQl4AFNBMCo8ZwWlQBfeI7QKDQn/pe4J4Z/lC57d9futfyNLsu59fnG
+u1XmXbfUimloRf2Wssct7Tl2f0FGxBpdbaBzrMlyD9dhkSbX54phLRS6eyL6Xeqf
+k64Y1nRX74xnrNIJjNQF5/D9eoB5H5kCggEADkSUsvqv/hpMMNRIyXsIKIko4EW3
+L0ceh7Unl1vvekku7aLMrHqzu6tu6QoUXc9jMxhS9et41a7NqeLH4MFEqENoxQ6G
+tJTCuklNgKWiooQIN/Wm0t82a3M3kvcqIbCCG5EGDL/7Uh48DQGpSOGehEn6TYnG
+W42bU/Beq38LQzN4eQPhsiqmOwNJ4dYc4NqpOIkXi6UTCe9hDcpX2p7hG55zkpOA
+2rxpIOeOVSRHHOE8RsfIr8FzO/823P1mOQe5xMSCf1GSj6I+bopT0chL9JsiHLZa
+1VPn744OJjXt14LAt4byOVvgdSoQAgxWEC0LhmHYNXt8/YRMJiZ01bc1dA==
+-----END RSA PRIVATE KEY-----
diff --git a/test/tpm_test/rsa768.pem b/test/tpm_test/rsa768.pem
new file mode 100644
index 0000000000..5be0fdf5f7
--- /dev/null
+++ b/test/tpm_test/rsa768.pem
@@ -0,0 +1,12 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBywIBAAJhALDb7UbZMvB81CAj0jVahhfbJHI2MzvCZIukSW50/vrSggzEEjpI
+Z+EVzJTfRBtOwBi6RhtRLOIPwDJ37V+L5aMA5jwtpxCJU6grM3Q49zYA/d1bvXvB
+fOF1kCt4LTmFaQIDAQABAmEArq25UCWMG1yfQtM+dnXfRUarW6bOuXJJTmbIJDGn
++WHbEvLBMhF7kCOwuUU/Bl2i1zUP3fwD342Ra4P5We5nHhognov49uKy9SlxTCJU
+z36XvHAk3W1S/hfZ1kF7dkABAjEA1glkyPNcAsfGR05/Q50xRnozhaCkFuoie81k
+m1Dspy9+z+tpKTSOt7Wzun+bAX1pAjEA04iSLdXGKfTwLmHwYK2pRhGpDGkUMQk2
+i3AbEZsmOTQ0/fGaiVFjCsZgC7oYjsgBAjA8oMSPt3+kufoMUMvz1x8SG6NkgrB4
+XTIPZ4rMBAxE/0sokkJjjaOvniSe+25o6aECMQCG3oedM7SSIbpVSFqTuYW4yB/J
+auHV1fLx+ns3wX0gcdnro3SNYtfMEelA8NkhiAECMGVIqAN9qpGW5qAyikDrmzod
+7+wMrWHefpWKsih4+MIvAo7WOOoM+1UasRwVGhMxFQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py
index a368adefd0..b98d3306c5 100644
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -6,13 +6,23 @@
 """Module for testing rsa functions using extended commands."""
 
 import binascii
+import Crypto
+import Crypto.Hash.SHA
+import Crypto.Hash.SHA256
+import Crypto.Hash.SHA384
+import Crypto.Hash.SHA512
+from Crypto.PublicKey import RSA
+import Crypto.Signature.PKCS1_PSS
+import Crypto.Signature.PKCS1_v1_5
 import hashlib
+import os
 import rsa
 import struct
 
 import subcmd
 import utils
 
+_MODULE_DIR = os.path.dirname(os.path.abspath(__file__))
 
 _RSA_OPCODES = {
   'ENCRYPT': 0x00,
@@ -41,9 +51,29 @@ _RSA_PADDING = {
 _HASH = {
   'NONE': 0x00,
   'SHA1': 0x04,
-  'SHA256': 0x0B
+  'SHA256': 0x0B,
+  'SHA384': 0x0C,
+  'SHA512': 0x0D,
 }
 
+_SIGNER = {
+  'PKCS1-SSA': Crypto.Signature.PKCS1_v1_5,
+  'PKCS1-PSS': Crypto.Signature.PKCS1_PSS,
+}
+
+_HASHER = {
+  'SHA1':   Crypto.Hash.SHA,
+  'SHA256': Crypto.Hash.SHA256,
+  'SHA384': Crypto.Hash.SHA384,
+  'SHA512': Crypto.Hash.SHA512,
+}
+
+_KEYS = {
+  768:  RSA.importKey(open(os.path.join(_MODULE_DIR, 'rsa768.pem')).read()),
+  1024: RSA.importKey(open(os.path.join(_MODULE_DIR, 'rsa1024.pem')).read()),
+  2048: RSA.importKey(open(os.path.join(_MODULE_DIR, 'rsa2048.pem')).read()),
+  4096: RSA.importKey(open(os.path.join(_MODULE_DIR, 'rsa4096.pem')).read()),
+}
 
 # Command format.
 #
@@ -80,13 +110,8 @@ def _encrypt_cmd(padding, hashing, key_len, msg):
                                 dl='', dig='')
 
 
-def _sign_cmd(padding, hashing, key_len, msg):
+def _sign_cmd(padding, hashing, key_len, digest):
   op = _RSA_OPCODES['SIGN']
-  digest = ''
-  if hashing == _HASH['SHA1']:
-      digest = hashlib.sha1(msg).digest()
-  elif hashing == _HASH['SHA256']:
-      digest = hashlib.sha256(msg).digest()
   digest_len = len(digest)
   return _RSA_CMD_FORMAT.format(o=op, p=padding, h=hashing,
                                 kl=struct.pack('>H', key_len),
@@ -94,14 +119,9 @@ def _sign_cmd(padding, hashing, key_len, msg):
                                 dl='', dig='')
 
 
-def _verify_cmd(padding, hashing, key_len, sig, msg):
+def _verify_cmd(padding, hashing, key_len, sig, digest):
   op = _RSA_OPCODES['VERIFY']
   sig_len = len(sig)
-  digest = ''
-  if hashing == _HASH['SHA1']:
-      digest = hashlib.sha1(msg).digest()
-  elif hashing == _HASH['SHA256']:
-      digest = hashlib.sha256(msg).digest()
   digest_len = len(digest)
   return _RSA_CMD_FORMAT.format(o=op, p=padding, h=hashing,
                                 kl=struct.pack('>H', key_len),
@@ -585,9 +605,23 @@ _SIGN_INPUTS = (
   ('PKCS1-SSA', 'SHA1', 768),
   ('PKCS1-SSA', 'SHA256', 768),
   ('PKCS1-SSA', 'SHA256', 1024),
+  ('PKCS1-SSA', 'SHA384', 2048),
+  ('PKCS1-SSA', 'SHA512', 2048),
+  ('PKCS1-PSS', 'SHA1', 768),
+  ('PKCS1-PSS', 'SHA256', 768),
+  ('PKCS1-PSS', 'SHA256', 2048),
+)
+
+_VERIFY_INPUTS = (
+  ('PKCS1-SSA', 'SHA1', 768),
+  ('PKCS1-SSA', 'SHA256', 768),
+  ('PKCS1-SSA', 'SHA256', 1024),
+  ('PKCS1-SSA', 'SHA384', 2048),
+  ('PKCS1-SSA', 'SHA512', 4096),
   ('PKCS1-PSS', 'SHA1', 768),
   ('PKCS1-PSS', 'SHA256', 768),
   ('PKCS1-PSS', 'SHA256', 2048),
+  ('PKCS1-PSS', 'SHA256', 4096),
 )
 
 _KEYTEST_INPUTS = (
@@ -644,17 +678,43 @@ def _encrypt_tests(tpm):
 
 
 def _sign_tests(tpm):
-  msg = 'Hello CR50!'
-
   for data in _SIGN_INPUTS:
+    msg = rsa.randnum.read_random_bits(256)
     padding, hashing, key_len = data
     test_name = 'RSA-SIGN:%s:%s:%d' % data
-    cmd = _sign_cmd(_RSA_PADDING[padding], _HASH[hashing], key_len, msg)
+
+    key = _KEYS[key_len]
+    verifier = _SIGNER[padding].new(key)
+    h = _HASHER[hashing].new()
+    h.update(msg)
+
+    cmd = _sign_cmd(_RSA_PADDING[padding], _HASH[hashing], key_len, h.digest())
     wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
     signature = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
 
+    signer = _SIGNER[padding].new(key)
+    expected_signature = signer.sign(h)
+
+    if not verifier.verify(h, signature):
+      raise subcmd.TpmTestError('%s error' % (
+          test_name,))
+    print('%sSUCCESS: %s' % (utils.cursor_back(), test_name))
+
+
+def _verify_tests(tpm):
+  for data in _VERIFY_INPUTS:
+    msg = rsa.randnum.read_random_bits(256)
+    padding, hashing, key_len = data
+    test_name = 'RSA-VERIFY:%s:%s:%d' % data
+
+    key = _KEYS[key_len]
+    signer = _SIGNER[padding].new(key)
+    h = _HASHER[hashing].new()
+    h.update(msg)
+    signature = signer.sign(h)
+
     cmd = _verify_cmd(_RSA_PADDING[padding], _HASH[hashing],
-                      key_len, signature, msg)
+                      key_len, signature, h.digest())
     wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
     verified = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
     expected = '\x01'
@@ -751,6 +811,7 @@ def _x509_verify_tests(tpm):
 def rsa_test(tpm):
   _encrypt_tests(tpm)
   _sign_tests(tpm)
+  _verify_tests(tpm)
   _keytest_tests(tpm)
   _keygen_tests(tpm)
   _primegen_tests(tpm)