TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / 78e57c7b6e89eaae41b2426afb0e86a2146d6504^! / . / scripts / imgtool / keys / ecdsa.py
commit78e57c7b6e89eaae41b2426afb0e86a2146d6504[log] [tgz]
authorIoannis Konstantelias <ikonstadel@gmail.com>Thu Nov 28 16:06:12 2019 +0200
committerFabio Utzig <utzig@utzig.org>Tue Dec 17 16:26:53 2019 -0300
treea53f930ea06b85674fcc4d0191cdd26d81a9d854
parent6f4d8f8597a09b9ceda3f617328374ff717d5f73 [diff] [blame]
scripts: imgtool: Add command to dump private keys

This applies a few improvements to a commit previously included in
PR #596:

* Move functions to dump a private key to the private key classes
* Remove language option; always dumps in C format
* Add option to generate a minimal dump. This will remove extra
  parameters that are present in keys generated with the `keygen`
  command.
  For P256 this will remove the public point, which is already
  ignored by the parsing function. The resulting key dump shrinks
  from 138 to 70 bytes.
  For RSA it will remove the DP/DQ/QP parameters which are only
  used with CRT enabled, and if not available, can be calculated at
  runtime. This reduces the size of a key dump from around 1190
  bytes to somewhere close to 800 bytes. A patch to the RSA parsing
  routine will be added in another commit.

Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Ioannis Konstantelias <ikonstadel@gmail.com>

diff --git a/scripts/imgtool/keys/ecdsa.py b/scripts/imgtool/keys/ecdsa.py
index f93783d..c1c1cac 100644
--- a/scripts/imgtool/keys/ecdsa.py
+++ b/scripts/imgtool/keys/ecdsa.py

@@ -31,6 +31,9 @@
                 encoding=serialization.Encoding.DER,
                 format=serialization.PublicFormat.SubjectPublicKeyInfo)
 
+    def get_private_bytes(self, minimal):
+        self._unsupported('get_private_bytes')
+
     def export_private(self, path, passwd=None):
         self._unsupported('export_private')
 
@@ -84,6 +87,39 @@
     def _get_public(self):
         return self.key.public_key()
 
+    def _build_minimal_ecdsa_privkey(self, der):
+        '''
+        Builds a new DER that only includes the EC private key, removing the
+        public key that is added as an "optional" BITSTRING.
+        '''
+        offset_PUB = 68
+        EXCEPTION_TEXT = "Error parsing ecdsa key. Please submit an issue!"
+        if der[offset_PUB] != 0xa1:
+            raise ECDSAUsageError(EXCEPTION_TEXT)
+        len_PUB = der[offset_PUB + 1]
+        b = bytearray(der[:-offset_PUB])
+        offset_SEQ = 29
+        if b[offset_SEQ] != 0x30:
+            raise ECDSAUsageError(EXCEPTION_TEXT)
+        b[offset_SEQ + 1] -= len_PUB
+        offset_OCT_STR = 27
+        if b[offset_OCT_STR] != 0x04:
+            raise ECDSAUsageError(EXCEPTION_TEXT)
+        b[offset_OCT_STR + 1] -= len_PUB
+        if b[0] != 0x30 or b[1] != 0x81:
+            raise ECDSAUsageError(EXCEPTION_TEXT)
+        b[2] -= len_PUB
+        return b
+
+    def get_private_bytes(self, minimal):
+        priv = self.key.private_bytes(
+                encoding=serialization.Encoding.DER,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption())
+        if minimal:
+            priv = self._build_minimal_ecdsa_privkey(priv)
+        return priv
+
     def export_private(self, path, passwd=None):
         """Write the private key to the given file, protecting it with the optional password."""
         if passwd is None: