commit dfce0be6a1c6837c5be928d4912e9f3021cf1e9f
author Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> Mon Mar 28 09:34:15 2022 +0200
committer David Brown <davidb@davidb.org> Mon Apr 18 16:31:15 2022 -0600
tree b1239678cb25f7870f58f94373cdceba10fb1996
parent f72e3741d615d3d76246e426d53024efb76dfce9

imgtool: export data vector to be signed

Extend sign/create command so it allows to export image's byte string
which is the substrate for the image signature. The new option is
'--vector-to-sign'. It might takes 'payload' or 'digest'.
The exported data might be used to calculate the signature externally.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>

scripts/imgtool/image.py

diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
index 834ec9d..e97810e 100644
--- a/scripts/imgtool/image.py
+++ b/scripts/imgtool/image.py
@@ -305,7 +305,7 @@
         return cipherkey, ciphermac, pubk
 
     def create(self, key, public_key_format, enckey, dependencies=None,
-               sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None):
+               sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None, vector_to_sign=None):
         self.enckey = enckey
 
         # Calculate the hash of the public key
@@ -315,6 +315,8 @@
             sha.update(pub)
             pubbytes = sha.digest()
         elif pub_key is not None:
+            if hasattr(pub_key, 'sign'):
+                print("sign the payload")
             pub = pub_key.get_public_bytes()
             sha = hashlib.sha256()
             sha.update(pub)
@@ -433,26 +435,34 @@
 
         tlv.add('SHA256', digest)
 
-        if key is not None and fixed_sig is None:
-            if public_key_format == 'hash':
-                tlv.add('KEYHASH', pubbytes)
-            else:
-                tlv.add('PUBKEY', pub)
+        if public_key_format == 'hash':
+            tlv.add('KEYHASH', pubbytes)
+        else:
+            tlv.add('PUBKEY', pub)
 
+        if vector_to_sign == 'payload':
+            # Stop amending data to the image
+            # Just keep data vector which is expected to be sigend
+            print('export payload')
+            return
+        elif vector_to_sign == 'digest':
+            self.payload = digest
+            print('export digest')
+            return
+
+        if key is not None and fixed_sig is None:
             # `sign` expects the full image payload (sha256 done internally),
             # while `sign_digest` expects only the digest of the payload
 
             if hasattr(key, 'sign'):
+                print("sign the payload")
                 sig = key.sign(bytes(self.payload))
             else:
+                print("sign the digest")
                 sig = key.sign_digest(digest)
             tlv.add(key.sig_tlv(), sig)
             self.signature = sig
         elif fixed_sig is not None and key is None:
-            if public_key_format == 'hash':
-                tlv.add('KEYHASH', pubbytes)
-            else:
-                tlv.add('PUBKEY', pub)
             tlv.add(pub_key.sig_tlv(), fixed_sig['value'])
             self.signature = fixed_sig['value']
         else: