Hi Heinrich, > On 9/11/20 7:26 PM, Andrii Voloshyn wrote: >> Hi there, >> >> Does U-boot take into account certificate expiration date when verifying >> signed >> images in FIT? In other words, is date stored along with the public key in >> DTB >> file? >> >> Cheers, >> Andy >> > > Hello Philippe, > > looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot > find a comparison of the date on which an image was signed with the > expiry date of the certificate. Shouldn't there be a check? Or did I > simply look into the wrong function?
This function only check the padding using the algorithm pkcs-1.5 as defined here : https://tools.ietf.org/html/rfc3447#section-9.2 It doesn't check the certificate validity. I don't remember to have see a date checked in the signature process. If all informations are (or may be) available at runtime, we may add it. > Best regards > > Heinrich Best regards, Philippe