The keys built into the barebox binary are not identifiable. They might have a key name hint, but this is optional. This adds a SHA-256 hash of the DER-encoded public key (the form i2d_PUBKEY writes) to struct public_key, which can be printed when a key is used. The same hash can be obtained on the host from the certificate files or public key PEM files with openssl commands:
openssl x509 -in crypto/fit-ecdsa-development.crt -pubkey -noout | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256
cat ~/git/ptx-code-signing-dev/fit/fit-ecdsa-development.public-key | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256

Signed-off-by: Sascha Hauer <[email protected]>
---
 crypto/public-keys.c        |  2 ++
 include/crypto/public_key.h |  2 ++
 scripts/keytoc.c            | 59 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)

diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index fba963db4eb875196daf0e3a4e3fb3cac844796a..3b691ffd6aa536084aefca90933b4bb74b724423 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -46,6 +46,8 @@ static struct public_key *public_key_dup(const struct public_key *key)
 	k->type = key->type;
 	if (key->key_name_hint)
 		k->key_name_hint = xstrdup(key->key_name_hint);
+	k->hash = xmemdup(key->hash, key->hashlen);
+	k->hashlen = key->hashlen;
 
 	switch (key->type) {
 	case PUBLIC_KEY_TYPE_RSA:
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index d4e75981738ba9651145b9a03527525ae63d6c39..7edea2d69190cb30f328510f905bab3054ad5845 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,6 +15,8 @@ struct public_key {
 	enum public_key_type type;
 	struct list_head list;
 	char *key_name_hint;
+	unsigned char *hash;
+	unsigned int hashlen;
 
 	union {
 		struct rsa_public_key *rsa;
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index c92465707f65950e95b04afe58fb10161178998c..4e5ef72cfc9a82be6fa2a74b94a663136dd703b6 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
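Review bot: The new `k->hash = xmemdup(key->hash, key->hashlen);` runs unconditionally, whereas the line just above only duplicates key_name_hint when it is set; a key that never received a hash (hash NULL, hashlen 0 — plausibly one that did not come out of keytoc, since the dts output path in this patch emits no hash) is then handed to xmemdup with a NULL source, and whether barebox's xmemdup tolerates that is not visible here. Guard it the same way as the hint: `if (key->hash)` followed by `k->hash = xmemdup(key->hash, key->hashlen);`, keeping `k->hashlen = key->hashlen;` as it is. The release path for struct public_key is outside this hunk; if it frees key_name_hint it presumably needs a matching free of hash now that each duplicate owns a heap copy. public_key_dup starts before and ends after the hunk.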
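Review bot: The two new members of struct public_key carry no comment, so a reader cannot tell what the hash covers, who owns the buffer, or whether it is optional without opening scripts/keytoc.c. I would annotate them: `unsigned char *hash;    /* SHA-256 over the DER-encoded public key (i2d_PUBKEY form), as emitted by scripts/keytoc; presumably NULL for keys that carry none - confirm */` and `unsigned int hashlen;   /* length of hash in bytes, 0 when hash is NULL */`. Stating that public_key_dup makes a heap copy of hash would also help whoever maintains the free path. struct public_key continues past the end of the hunk.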
@@ -452,6 +452,45 @@ static EVP_PKEY *reimport_key(EVP_PKEY *pkey)
 	return pkey_out;
 }
 
+static int print_hash(EVP_PKEY *key)
+{
+	int i, ret;
+	BIO *mem;
+	BUF_MEM *p;
+	unsigned char hash[SHA256_DIGEST_LENGTH];
+	SHA256_CTX sha256;
+	mem = BIO_new(BIO_s_mem());
+
+	ret = i2d_PUBKEY_bio(mem, key);
+	if (ret != 1)
+		goto err;
+
+	BIO_get_mem_ptr(mem, &p);
+
+	ret = SHA256_Init(&sha256);
+	if (ret != 1)
+		goto err;
+
+	ret = SHA256_Update(&sha256, p->data, p->length);
+	if (ret != 1)
+		goto err;
+
+	ret = SHA256_Final(hash, &sha256);
+	if (ret != 1)
+		goto err;
+
+	for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
+		fprintf(outfilep, "0x%02x, ", hash[i]);
+
+	fprintf(outfilep, "\n");
+
+	ret = 0;
+err:
+	BIO_free(mem);
+
+	return ret ? -EINVAL : 0;
+}
+
 static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_name_c)
 {
 	char group[128];
@@ -482,6 +521,14 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
 		fprintf(stderr, "ERROR: generating a dts snippet for ECDSA keys is not yet supported\n");
 		return -EOPNOTSUPP;
 	} else {
+		fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
+
+		ret = print_hash(key);
+		if (ret)
+			return ret;
+
+		fprintf(outfilep, "\n};\n\n");
+
 		fprintf(outfilep, "\nstatic uint64_t %s_x[] = {", key_name_c);
 		ret = print_bignum(key_x, bits, 64);
 		if (ret)
@@ -506,6 +553,8 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
 		fprintf(outfilep, "\nstruct public_key __attribute__((section(\".public_keys.rodata.%s\"))) %s_public_key = {\n", key_name_c, key_name_c);
 		fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_ECDSA,\n");
 		fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+		fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
+		fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
 		fprintf(outfilep, "\t.ecdsa = &%s,\n", key_name_c);
 		fprintf(outfilep, "};\n");
 	}
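Review bot: print_hash reports success on every OpenSSL failure: i2d_PUBKEY_bio, SHA256_Init, SHA256_Update and SHA256_Final return 0 on error, that 0 lands in `ret`, the `goto err` path reaches `return ret ? -EINVAL : 0` and yields 0, so gen_key_ecdsa/gen_key_rsa carry on and close an empty `_hash[]` initializer in the generated file instead of failing the build. The OpenSSL status needs to be kept apart from the function's own return value; while there, BIO_new can return NULL and is not checked, and the SHA256_* low-level API is deprecated in OpenSSL 3, so one EVP_Digest call covers the three steps and drops the SHA256_CTX. The rewrite below keeps the signature and the exact output format; the function is entirely inside the hunk.
```c
static int print_hash(EVP_PKEY *key)
{
	unsigned char hash[SHA256_DIGEST_LENGTH];
	unsigned int hashlen = 0, i;
	int ret = -EINVAL;
	BUF_MEM *p;
	BIO *mem;

	mem = BIO_new(BIO_s_mem());
	if (!mem)
		return -ENOMEM;

	/* DER SubjectPublicKeyInfo, i.e. what "openssl ... -pubin -outform DER" writes */
	if (i2d_PUBKEY_bio(mem, key) != 1)
		goto err;

	BIO_get_mem_ptr(mem, &p);

	if (EVP_Digest(p->data, p->length, hash, &hashlen, EVP_sha256(), NULL) != 1)
		goto err;

	for (i = 0; i < hashlen; i++)
		fprintf(outfilep, "0x%02x, ", hash[i]);
	fprintf(outfilep, "\n");

	ret = 0;
err:
	BIO_free(mem);
	return ret;
}
```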
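Review bot: `.hashlen = %u` is emitted from SHA256_DIGEST_LENGTH in the generator while the array it describes is printed by print_hash, so the two can silently drift apart if the digest ever changes; tie the length to the array itself with `fprintf(outfilep, "\t.hashlen = sizeof(%s_hash),\n", key_name_c);`. The RSA emitter further down in this patch has the same pair of lines and should change the same way. gen_key_ecdsa starts before this hunk.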
@@ -568,6 +617,14 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
 			fprintf(outfilep, "\t\t\tkey-name-hint = \"%s\";\n", key_name_c);
 			fprintf(outfilep, "\t\t};\n");
 	} else {
+		fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
+
+		ret = print_hash(key);
+		if (ret)
+			return ret;
+
+		fprintf(outfilep, "\n};\n\n");
+
 		fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
 		ret = print_bignum(modulus, bits, 32);
 		if (ret)
@@ -600,6 +657,8 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
 		fprintf(outfilep, "\nstruct public_key __attribute__((section(\".public_keys.rodata.%s\"))) %s_public_key = {\n", key_name_c, key_name_c);
 		fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_RSA,\n");
 		fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+		fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
+		fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
 		fprintf(outfilep, "\t.rsa = &%s,\n", key_name_c);
 		fprintf(outfilep, "};\n");
 	}
-- 
2.39.5
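Review bot: The eight added lines in gen_key_rsa's else branch are a verbatim copy of the block added to gen_key_ecdsa, and only the C-output branch gets a hash at all: the dts branch above it (`key-name-hint = ...`) emits nothing, so a key loaded from the dts snippet will have hash NULL and hashlen 0 at runtime, which whatever prints the hash and public_key_dup must be prepared for (worth a sentence in the commit message). Factor the array emission into one helper so both generators share a single definition, leaving `ret = print_hash_array(key, key_name_c); if (ret) return ret;` at each call site. gen_key_rsa starts before and ends after the hunk.
```c
/* Emit "static unsigned char <key_name_c>_hash[] = { ... };" for key. */
static int print_hash_array(EVP_PKEY *key, const char *key_name_c)
{
	int ret;

	fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
	ret = print_hash(key);
	if (ret)
		return ret;
	fprintf(outfilep, "\n};\n\n");

	return 0;
}
```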
