You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mynewt.apache.org by ma...@apache.org on 2016/12/30 01:34:11 UTC
[1/2] incubator-mynewt-core git commit: boot;
drop unnecessary include from image_ec.c.
Repository: incubator-mynewt-core
Updated Branches:
refs/heads/develop b455cb0bf -> d08a47c1e
boot; drop unnecessary include from image_ec.c.
Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/d08a47c1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/d08a47c1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/d08a47c1
Branch: refs/heads/develop
Commit: d08a47c1e0942121acc4c3faf2d39bbb66d05016
Parents: bf7b616
Author: Marko Kiiskila <ma...@runtime.io>
Authored: Thu Dec 29 17:31:00 2016 -0800
Committer: Marko Kiiskila <ma...@runtime.io>
Committed: Thu Dec 29 17:32:34 2016 -0800
----------------------------------------------------------------------
boot/bootutil/src/image_ec.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/d08a47c1/boot/bootutil/src/image_ec.c
----------------------------------------------------------------------
diff --git a/boot/bootutil/src/image_ec.c b/boot/bootutil/src/image_ec.c
index 6ddac59..f0c5d35 100644
--- a/boot/bootutil/src/image_ec.c
+++ b/boot/bootutil/src/image_ec.c
@@ -22,7 +22,6 @@
#if MYNEWT_VAL(BOOTUTIL_SIGN_EC)
#include "bootutil/sign_key.h"
-#include "mbedtls/sha256.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/oid.h"
#include "mbedtls/asn1.h"
@@ -36,7 +35,7 @@ static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED;
static const uint8_t ec_secp224r1_oid[] = MBEDTLS_OID_EC_GRP_SECP224R1;
/*
- * Parse the public key used for signing. Simple RSA format.
+ * Parse the public key used for signing.
*/
static int
bootutil_parse_eckey(mbedtls_ecdsa_context *ctx, uint8_t **p, uint8_t *end)
[2/2] incubator-mynewt-core git commit: boot;
first cut at adding support for signatures with ECSDA using NIST
P-256.
Posted by ma...@apache.org.
boot; first cut at adding support for signatures with ECSDA using
NIST P-256.
Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/bf7b6161
Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/bf7b6161
Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/bf7b6161
Branch: refs/heads/develop
Commit: bf7b6161936b16cc8eb9c16d902755de90d4f823
Parents: b455cb0
Author: Marko Kiiskila <ma...@runtime.io>
Authored: Thu Dec 29 17:29:48 2016 -0800
Committer: Marko Kiiskila <ma...@runtime.io>
Committed: Thu Dec 29 17:32:34 2016 -0800
----------------------------------------------------------------------
boot/bootutil/include/bootutil/image.h | 9 +-
boot/bootutil/pkg.yml | 3 +
boot/bootutil/src/image_ec256.c | 183 ++++++++++++++++++++++++++++
boot/bootutil/src/image_validate.c | 20 ++-
boot/bootutil/syscfg.yml | 3 +
5 files changed, 215 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/bf7b6161/boot/bootutil/include/bootutil/image.h
----------------------------------------------------------------------
diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h
index ce98e0c..70ce7fb 100644
--- a/boot/bootutil/include/bootutil/image.h
+++ b/boot/bootutil/include/bootutil/image.h
@@ -39,8 +39,14 @@ struct flash_area;
#define IMAGE_F_PIC 0x00000001 /* Not currently supported. */
#define IMAGE_F_SHA256 0x00000002 /* Image contains hash TLV */
#define IMAGE_F_PKCS15_RSA2048_SHA256 0x00000004 /* PKCS15 w/RSA and SHA */
-#define IMAGE_F_ECDSA224_SHA256 0x00000008 /* ECDSA256 over SHA256 */
+#define IMAGE_F_ECDSA224_SHA256 0x00000008 /* ECDSA224 over SHA256 */
#define IMAGE_F_NON_BOOTABLE 0x00000010 /* Split image app. */
+#define IMAGE_F_ECDSA256_SHA256 0x00000020 /* ECDSA256 over SHA256 */
+
+/*
+ * ECSDA224 is with NIST P-224
+ * ECSDA256 is with NIST P-256
+ */
/*
* Image trailer TLV types.
@@ -48,6 +54,7 @@ struct flash_area;
#define IMAGE_TLV_SHA256 1 /* SHA256 of image hdr and body */
#define IMAGE_TLV_RSA2048 2 /* RSA2048 of hash output */
#define IMAGE_TLV_ECDSA224 3 /* ECDSA of hash output */
+#define IMAGE_TLV_ECDSA256 4 /* ECDSA of hash output */
struct image_version {
uint8_t iv_major;
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/bf7b6161/boot/bootutil/pkg.yml
----------------------------------------------------------------------
diff --git a/boot/bootutil/pkg.yml b/boot/bootutil/pkg.yml
index ca9dbf7..20a7a58 100644
--- a/boot/bootutil/pkg.yml
+++ b/boot/bootutil/pkg.yml
@@ -31,3 +31,6 @@ pkg.deps:
- kernel/os
- sys/defs
- sys/flash_map
+
+pkg.deps.BOOTUTIL_SIGN_EC256:
+ - crypto/tinycrypt
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/bf7b6161/boot/bootutil/src/image_ec256.c
----------------------------------------------------------------------
diff --git a/boot/bootutil/src/image_ec256.c b/boot/bootutil/src/image_ec256.c
new file mode 100644
index 0000000..b27a70b
--- /dev/null
+++ b/boot/bootutil/src/image_ec256.c
@@ -0,0 +1,183 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "syscfg/syscfg.h"
+
+#if MYNEWT_VAL(BOOTUTIL_SIGN_EC256)
+#include "bootutil/sign_key.h"
+
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1.h"
+
+#include "tinycrypt/ecc_dsa.h"
+#include "bootutil_priv.h"
+
+/*
+ * Declaring these like this adds NULL termination.
+ */
+static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED;
+static const uint8_t ec_secp256r1_oid[] = MBEDTLS_OID_EC_GRP_SECP256R1;
+
+/*
+ * Parse the public key used for signing.
+ */
+static int
+tinycrypt_import_key(EccPoint *pubkey, uint8_t *cp, uint8_t *end)
+{
+ size_t len;
+ mbedtls_asn1_buf alg;
+ mbedtls_asn1_buf param;
+
+ if (mbedtls_asn1_get_tag(&cp, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return -1;
+ }
+ end = cp + len;
+
+ if (mbedtls_asn1_get_alg(&cp, end, &alg, ¶m)) {
+ return -2;
+ }
+ if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
+ memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
+ return -3;
+ }
+ if (param.len != sizeof(ec_secp256r1_oid) - 1 ||
+ memcmp(param.p, ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
+ return -4;
+ }
+ if (mbedtls_asn1_get_bitstring_null(&cp, end, &len)) {
+ return -6;
+ }
+ if (cp + len != end) {
+ return -7;
+ }
+
+ if (len != 2 * NUM_ECC_BYTES + 1) {
+ return -8;
+ }
+ if (cp[0] != 0x04) {
+ return -9;
+ }
+
+ ecc_bytes2native(pubkey->x, cp + 1);
+ ecc_bytes2native(pubkey->y, cp + 1 + NUM_ECC_BYTES);
+
+ return 0;
+}
+
+/*
+ * cp points to ASN1 string containing an integer.
+ * Verify the tag, and that the length is 32 bytes.
+ */
+static int
+tinycrypt_read_bigint(uint32_t i[NUM_ECC_DIGITS], uint8_t **cp, uint8_t *end)
+{
+ size_t len;
+
+ if (mbedtls_asn1_get_tag(cp, end, &len, MBEDTLS_ASN1_INTEGER)) {
+ return -3;
+ }
+
+ for (; *cp < end; *cp = *cp + 1, len--) {
+ if (**cp != 0) {
+ break;
+ }
+ }
+ if (len != NUM_ECC_BYTES) {
+ return -1;
+ }
+ ecc_bytes2native(i, *cp);
+ *cp += len;
+ return 0;
+}
+
+/*
+ * Read in signature. Signature has r and s encoded as integers.
+ */
+static int
+tinycrypt_decode_sig(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
+ uint8_t *cp, uint8_t *end)
+{
+ int rc;
+ size_t len;
+
+ rc = mbedtls_asn1_get_tag(&cp, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (rc) {
+ return -1;
+ }
+ if (cp + len != end) {
+ return -2;
+ }
+ rc = tinycrypt_read_bigint(r, &cp, end);
+ if (rc) {
+ return -3;
+ }
+ rc = tinycrypt_read_bigint(s, &cp, end);
+ if (rc) {
+ return -4;
+ }
+ return 0;
+}
+
+int
+bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, int slen,
+ uint8_t key_id)
+{
+ int rc;
+ uint8_t *cp;
+ uint8_t *end;
+ EccPoint ctx;
+ uint32_t r[NUM_ECC_DIGITS];
+ uint32_t s[NUM_ECC_DIGITS];
+ uint32_t hash_t[NUM_ECC_DIGITS];
+
+ cp = (uint8_t *)bootutil_keys[key_id].key;
+ end = cp + *bootutil_keys[key_id].len;
+
+ rc = tinycrypt_import_key(&ctx, cp, end);
+ if (rc) {
+ return -1;
+ }
+
+ while (sig[slen - 1] == '\0') {
+ slen--;
+ }
+
+ rc = tinycrypt_decode_sig(r, s, sig, sig + slen);
+ if (rc) {
+ return -1;
+ }
+
+ /*
+ * This is simplified, as the hash length is also 32 bytes.
+ */
+ if (hlen != NUM_ECC_BYTES) {
+ return -1;
+ }
+
+ ecc_bytes2native(hash_t, hash);
+ rc = ecdsa_verify(&ctx, hash_t, r, s);
+ if (rc == 1) {
+ return 0;
+ } else {
+ return -2;
+ }
+}
+#endif /* MYNEWT_VAL(BOOTUTIL_SIGN_EC256) */
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/bf7b6161/boot/bootutil/src/image_validate.c
----------------------------------------------------------------------
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index 98fdc9b..9ab08b7 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -93,7 +93,8 @@ bootutil_img_validate(struct image_header *hdr, const struct flash_area *fap,
uint32_t off;
uint32_t size;
uint32_t sha_off = 0;
-#if MYNEWT_VAL(BOOTUTIL_SIGN_RSA) || MYNEWT_VAL(BOOTUTIL_SIGN_EC)
+#if MYNEWT_VAL(BOOTUTIL_SIGN_RSA) || MYNEWT_VAL(BOOTUTIL_SIGN_EC) || \
+ MYNEWT_VAL(BOOTUTIL_SIGN_EC256)
uint32_t sig_off = 0;
uint32_t sig_len = 0;
#endif
@@ -112,6 +113,11 @@ bootutil_img_validate(struct image_header *hdr, const struct flash_area *fap,
return -1;
}
#endif
+#if MYNEWT_VAL(BOOTUTIL_SIGN_EC256)
+ if ((hdr->ih_flags & IMAGE_F_ECDSA256_SHA256) == 0) {
+ return -1;
+ }
+#endif
if ((hdr->ih_flags & IMAGE_F_SHA256) == 0) {
return -1;
}
@@ -159,6 +165,15 @@ bootutil_img_validate(struct image_header *hdr, const struct flash_area *fap,
sig_len = tlv.it_len;
}
#endif
+#if MYNEWT_VAL(BOOTUTIL_SIGN_EC256)
+ if (tlv.it_type == IMAGE_TLV_ECDSA256) {
+ if (tlv.it_len < 72) { /* oids + 2 * 32 bytes */
+ return -1;
+ }
+ sig_off = off + sizeof(tlv);
+ sig_len = tlv.it_len;
+ }
+#endif
}
if (hdr->ih_flags & IMAGE_F_SHA256) {
if (!sha_off) {
@@ -175,7 +190,8 @@ bootutil_img_validate(struct image_header *hdr, const struct flash_area *fap,
return -1;
}
}
-#if MYNEWT_VAL(BOOTUTIL_SIGN_RSA) || MYNEWT_VAL(BOOTUTIL_SIGN_EC)
+#if MYNEWT_VAL(BOOTUTIL_SIGN_RSA) || MYNEWT_VAL(BOOTUTIL_SIGN_EC) || \
+ MYNEWT_VAL(BOOTUTIL_SIGN_EC256)
if (!sig_off) {
/*
* Header said there should be PKCS1.v5 signature, no TLV
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/bf7b6161/boot/bootutil/syscfg.yml
----------------------------------------------------------------------
diff --git a/boot/bootutil/syscfg.yml b/boot/bootutil/syscfg.yml
index 2951c03..e896bf9 100644
--- a/boot/bootutil/syscfg.yml
+++ b/boot/bootutil/syscfg.yml
@@ -25,3 +25,6 @@ syscfg.defs:
BOOTUTIL_SIGN_EC:
description: 'TBD'
value: '0'
+ BOOTUTIL_SIGN_EC256:
+ description: 'TBD'
+ value: '0'