author | Joakim Bech <joakim.bech@linaro.org> | 2016-09-04 20:54:01 +0200 |
committer | Joakim Bech <joakim.bech@linaro.org> | 2016-09-05 09:59:04 +0200 |
commit | eab19a88a78c0d52e336cb4ce275448d7606234c (patch) | |
tree | 307cccc31393040783c794750f9c522d19835f67 | |
parent | 9b788ccc38bf80c04a9cb2e3ff90e4a3bd8b1094 (diff) |
Create RSA signatures
The script now also creates RSA signatures. The key (image_sign.pem) to
use when signing images, can be created by running:
$ openssl genrsa -out image_sign.pem 2048
The output is now identical to what newt produces when enabling signature
verification.
The instruction for how to enable bootloader signature verification in
Mynewt can currently be found here:
https://github.com/apache/incubator-mynewt-core/blob/develop/libs/bootutil/signed_images.md
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
-rwxr-xr-x | zep2newt.py | 59 |
1 files changed, 54 insertions, 5 deletions
diff --git a/zep2newt.py b/zep2newt.py
index 087f2a4..3ae3601 100755
--- a/zep2newt.py
+++ b/zep2newt.py
@@ -1,5 +1,4 @@
 #!/usr/bin/python2
-import hashlib
 import mmap
 import os
 import struct
@@ -7,6 +6,9 @@ import sys
 from argparse import ArgumentParser
 from newtimg import *
 from ctypes import *
+from Crypto.Signature import PKCS1_v1_5
+from Crypto.Hash import SHA256
+from Crypto.PublicKey import RSA
 DEBUG = False
@@ -140,8 +142,7 @@ def write_partial_img(binary_file, image_file, hdr, vtable_offs):
 ################################################################################
-def calculate_hash(image_file):
- sha256 = hashlib.sha256()
+def calculate_hash(image_file, sha256):
 try:
 with open(image_file, "rb") as f:
 sha256.update(f.read())
@@ -160,7 +161,6 @@ def calculate_hash(image_file):
 def append_hash(image_file, digest):
 try:
 with open(image_file, "ab") as f:
- # Start by settings the TLV type
 # https://github.com/apache/incubator-mynewt-newt/blob/master/newt/image/image.go#L109-L116
 tlv_type = struct.pack('b', IMAGE_TLV_SHA256)
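Review bot: `calculate_hash(image_file, sha256)` now updates a caller-supplied hash object in place instead of creating its own, and nothing documents that side effect even though the caller depends on it (the same object is handed to the RSA signing step afterwards). A docstring such as `"""Feed the contents of image_file into the given hash object (mutated in place) and return its digest."""` would make the contract explicit; the return statement itself lies outside the hunk, so "return its digest" is inferred from the caller's `digest = calculate_hash(...)`. The body of calculate_hash continues past the end of this hunk.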
@@ -182,6 +182,43 @@ def append_hash(image_file, digest):
 sys.exit(1)
 ################################################################################
+def append_rsa_signature(image_file, key_file, sha256):
+ signature = None
+ try:
+ with open(key_file, "rb") as f:
+ rsa_key = RSA.importKey(f.read())
+ f.close()
+ rsa = PKCS1_v1_5.new(rsa_key)
+ signature = rsa.sign(sha256)
+
+ except (OSError, IOError):
+ print("[ERROR]: Cannot open %s" % (key_file))
+ sys.exit(1)
+
+ try:
+ with open(image_file, "ab") as f:
+ # Start by settings the TLV type
+ # https://github.com/apache/incubator-mynewt-newt/blob/master/newt/image/image.go#L109-L116
+ tlv_type = struct.pack('b', IMAGE_TLV_RSA2048)
+
+ # Next 1 byte padding
+ tlv_pad = '\x00'
+
+ # Finally the size of the TLV, for SHA256 that is 32 bytes
+ tlv_len = struct.pack('h', RSA_SIZE)
+
+ f.write(tlv_type)
+ f.write(tlv_pad)
+ f.write(tlv_len)
+ f.write(signature)
+ f.close()
+
+ except (OSError, IOError):
+ print("[ERROR]: Cannot open/append to %s" % (image_file))
+ sys.exit(1)
+
+
+################################################################################
 def create_jlink_script(image_file, offset, erase):
 """
 Creates a jlink script to flash the created binary.
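Review bot: The signature TLV hard-wires a 2048-bit key: `tlv_len` is packed from the constant `RSA_SIZE` and the type is `IMAGE_TLV_RSA2048`, while `signature` is whatever `rsa.sign(sha256)` produces for the key actually loaded from `key_file`, so a key of any other size yields a length field that disagrees with the bytes appended and the bootloader receives a malformed TLV. A check right after signing closes that gap: `if len(signature) != RSA_SIZE:` / `print("[ERROR]: Unexpected signature length %d, expected %d" % (len(signature), RSA_SIZE))` / `sys.exit(1)`. The comment `# Finally the size of the TLV, for SHA256 that is 32 bytes` was carried over from append_hash and should read `# Finally the size of the TLV, RSA_SIZE bytes for an RSA-2048 signature`. Both `f.close()` calls sit inside `with` blocks and are redundant. A key file that exists but is not a valid PEM key will presumably make `RSA.importKey` raise something other than OSError/IOError, which the first `except` does not cover, so that path ends in a traceback rather than the `[ERROR]` message — worth confirming and catching.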
@@ -272,10 +309,22 @@ def main(argv):
 # Write the image itself
 write_partial_img(args.binary_file, args.image_file, hdr, vtable_offs)
+ # We must use SHA256 from Crypto, since the RSA signature also uses some
+ # ASN.1 / oid, that will be created when using the SHA256 from Crypto
+ # (compared to hashlib that just do a pure hash).
+ sha256 = SHA256.new()
+
 # Now we have a header and the binary itself and we should get the hash of
 # those concatenated.
- digest = calculate_hash(args.image_file)
+ digest = calculate_hash(args.image_file, sha256)
 append_hash(args.image_file, digest)
+
+ if args.sig_type == "RSA":
+ append_rsa_signature(args.image_file, args.key_file, sha256)
+ elif args.sig_type == "EC":
+ print("[ERROR]: ECDSA not implemented")
+ sys.exit(1)
+
 print("[*] Successfully created: %s" % args.image_file)
 # Misc function related to flashing |
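Review bot: `args.sig_type` and `args.key_file` are read here, but no hunk in this commit adds them to the ArgumentParser, and the diffstat (54 insertions, 5 deletions) is fully accounted for by the visible hunks; unless those options already exist in the parser outside this diff, any run reaches an AttributeError on the `if args.sig_type == "RSA":` line. If they do exist, an RSA request without a key file passes `None` into append_rsa_signature, where `open(None)` raises TypeError rather than the OSError/IOError it catches, so a guard before the call is warranted: `if args.sig_type == "RSA" and not args.key_file:` / `print("[ERROR]: A key file is required for RSA signatures")` / `sys.exit(1)`. Any `sig_type` value other than "RSA" or "EC" falls through silently and still prints `[*] Successfully created`, which hides a misspelt option behind an unsigned image; an `else` branch that rejects unknown values would be safer. main's body continues outside the hunk.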