TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / 160303c202ade15b8d736094a6d616f63b309153^! / . / scripts / imgtool / image.py
commit160303c202ade15b8d736094a6d616f63b309153[log] [tgz]
authorAndrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>Tue Mar 15 15:41:14 2022 +0100
committerDavid Brown <davidb@davidb.org>Mon Apr 18 16:31:15 2022 -0600
tree49285d239847a5c4c42a1fec3a50d39a02cdd7cf
parentee1b7b9d6ea232ae1d38c2e8ef0e6c612458c43b [diff] [blame]
imgtool: Added support for providing the signature by 3rd party

The sign command was extended so it now allow to provide the signature
as base64 formatted RAW file using --fix-sig along with the relevant
public key --fix-sig-pubkey.

This patch is added for support the case where the party which produces
the image dose not have access to the signing image key but must request
third party for the signature.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>

diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
index 627cc6c..749b6da 100644
--- a/scripts/imgtool/image.py
+++ b/scripts/imgtool/image.py

@@ -305,7 +305,7 @@
         return cipherkey, ciphermac, pubk
 
     def create(self, key, public_key_format, enckey, dependencies=None,
-               sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False):
+               sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None):
         self.enckey = enckey
 
         # Calculate the hash of the public key
@@ -314,6 +314,11 @@
             sha = hashlib.sha256()
             sha.update(pub)
             pubbytes = sha.digest()
+        elif pub_key is not None:
+            pub = pub_key.get_public_bytes()
+            sha = hashlib.sha256()
+            sha.update(pub)
+            pubbytes = sha.digest()
         else:
             pubbytes = bytes(hashlib.sha256().digest_size)
 
@@ -428,7 +433,7 @@
 
         tlv.add('SHA256', digest)
 
-        if key is not None:
+        if key is not None and fixed_sig is None:
             if public_key_format == 'hash':
                 tlv.add('KEYHASH', pubbytes)
             else:
@@ -442,6 +447,14 @@
             else:
                 sig = key.sign_digest(digest)
             tlv.add(key.sig_tlv(), sig)
+        elif fixed_sig is not None and key is None:
+            if public_key_format == 'hash':
+                tlv.add('KEYHASH', pubbytes)
+            else:
+                tlv.add('PUBKEY', pub)
+            tlv.add(pub_key.sig_tlv(), fixed_sig['value'])
+        else:
+            raise click.UsageError("Can not sign using key and provide fixed-signature at the same time")
 
         # At this point the image was hashed + signed, we can remove the
         # protected TLVs from the payload (will be re-added later)
@@ -486,6 +499,9 @@
 
         self.check_trailer()
 
+    def get_signature(self):
+        return self.signature
+
     def add_header(self, enckey, protected_tlv_size, aes_length=128):
         """Install the image header."""