

imgtool: Add backwards compatibility for ECDSA
Add backwards compatibility to the imgtool to support
the old curve-specific TLVs. Currently only ECDSA256 needs this.

Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I275894ebc713ea8adcaab4198b036c41233b11e8
Roland Mikhel committed Mar 14, 2023
1 parent 34cdc73 commit 6da11b8
Showing 2 changed files with 14 additions and 5 deletions.
13 changes: 10 additions & 3 deletions scripts/imgtool/image.py
Expand Up @@ -306,7 +306,7 @@ def ecies_hkdf(self, enckey, plainkey):
return cipherkey, ciphermac, pubk

def create(self, key, public_key_format, enckey, dependencies=None,
sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None, vector_to_sign=None):
sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None, vector_to_sign=None, use_legacy_tlv=False):
self.enckey = enckey

# Check what hashing algorithm should be used
Expand Down Expand Up @@ -469,10 +469,17 @@ def create(self, key, public_key_format, enckey, dependencies=None,
else:
print(os.path.basename(__file__) + ": sign the digest")
sig = key.sign_digest(digest)
tlv.add(key.sig_tlv(), sig)
# only ecdsa256 has legacy tlv type
if use_legacy_tlv and isinstance(key, ecdsa.ECDSA256P1):
tlv.add(key.legacy_sig_tlv(),sig)
else:
tlv.add(key.sig_tlv(), sig)
self.signature = sig
elif fixed_sig is not None and key is None:
tlv.add(pub_key.sig_tlv(), fixed_sig['value'])
if use_legacy_tlv and isinstance(pub_key, ecdsa.ECDSA256P1Public):
tlv.add(pub_key.legacy_sig_tlv(), fixed_sig['value'])
else:
tlv.add(pub_key.sig_tlv(), fixed_sig['value'])
self.signature = fixed_sig['value']
else:
raise click.UsageError("Can not sign using key and provide fixed-signature at the same time")
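Review bot: A request for the legacy TLV is silently dropped when the key is not ECDSA256: both new `isinstance` checks fall through to the generic `sig_tlv()` branch, so `use_legacy_tlv=True` with any other key type yields an image carrying the new TLV type and no diagnostic, which a bootloader that only knows the curve-specific TLV would then refuse to verify. An explicit rejection ahead of the signing branches, e.g. `if use_legacy_tlv and not isinstance(key or pub_key, (ecdsa.ECDSA256P1, ecdsa.ECDSA256P1Public)): raise click.UsageError("use_legacy_tlv only applies to ECDSA256 keys")`, would surface the mismatch at build time instead of at boot. `tlv.add(key.legacy_sig_tlv(),sig)` is also missing the space after the comma, and the same if/else pair is duplicated across the `key` and `fixed_sig` branches. This assumes `legacy_sig_tlv()` already exists on both ECDSA256P1 and ECDSA256P1Public in the keys module, since the commit touches only these two files; `create` starts and ends outside the hunk.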
6 changes: 4 additions & 2 deletions scripts/imgtool/main.py
Expand Up @@ -354,6 +354,8 @@ def convert(self, value, param, ctx):
help='send to OUTFILE the payload or payload''s digest instead '
'of complied image. These data can be used for external image '
'signing')
@click.option('--legacy-ecdsa-tlv', default=False, is_flag=True,
help='Use the old curve specific ECDSA TLV')
@click.command(help='''Create a signed or unsigned image\n
INFILE and OUTFILE are parsed as Intel HEX if the params have
.hex extension, otherwise binary format is used''')
Expand All @@ -362,7 +364,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
boot_record, custom_tlv, rom_fixed, max_align, clear, fix_sig,
fix_sig_pubkey, sig_out, vector_to_sign):
fix_sig_pubkey, sig_out, vector_to_sign, legacy_ecdsa_tlv):

if confirm:
# Confirmed but non-padded images don't make much sense, because
Expand Down Expand Up @@ -429,7 +431,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,

img.create(key, public_key_format, enckey, dependencies, boot_record,
custom_tlvs, int(encrypt_keylen), clear, baked_signature,
pub_key, vector_to_sign)
pub_key, vector_to_sign, legacy_ecdsa_tlv)
img.save(outfile, hex_addr)

if sig_out is not None:
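Review bot: The help text for `--legacy-ecdsa-tlv` does not say that the flag only takes effect for ECDSA256 keys and is ignored for every other key type, which is what the paired change in image.py does; `help='Use the old curve specific ECDSA256 signature TLV (only honoured for ECDSA256 keys)'` would tell the user before they build an image that an old bootloader cannot verify. In the `img.create(...)` call in the last hunk, `legacy_ecdsa_tlv` is appended as the twelfth positional argument to a signature whose tail is a run of same-typed defaults; passing it as `use_legacy_tlv=legacy_ecdsa_tlv` guards against a silent mis-ordering the next time a parameter is added. `sign` begins before the second hunk and continues past the third.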

