Skip to content

Commit

Permalink
imgtool: Add support for calculating SHA512
Browse files Browse the repository at this point in the history 
The adds support for hashing image with SHA512.
The change has been added to natively support ED25519 signature
where SHA512 is used as hashing function.

Previously the SHA256 has been calculated on image and then passed
to ED25519 signing function, which would then calculate own SHA512
on the SHA256 of an image; that was not correct approach but it
has been left supported as is, but now when SHA512 is selected
the imgtool will not calculate SHA256 and pass it to ED25519, instead
it will calculate SHA512 for TLV but pass image to ED25519 directly
which will calcualte own SHA512 (same value) and sign it.

Generally previously ED25519 signature did
  ED25529(SHA512(SHA256(image)))
now when SHA512 is selected it does:
  ED25519(SHA512(image))

To support above --sha parameter has been added that can take value:
 auto, 256, 384, 512
to select sha, where auto brings the default behaviour, or current,
behaviour. The sha provided here is tested against key so not all
combinations are supported.

Signed-off-by: Dominik Ermel <[email protected]>
  • Loading branch information
@de-nordic
de-nordic committed Aug 23, 2024
1 parent 4b1d4b8 commit 332ac85
Show file tree
Hide file tree
Showing 2 changed files with 115 additions and 23 deletions.
130 changes: 109 additions & 21 deletions scripts/imgtool/image.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@
from .boot_record import create_sw_component_data
from .keys import rsa, ecdsa, x25519

from collections import namedtuple

IMAGE_MAGIC = 0x96f3b83d
IMAGE_HEADER_SIZE = 32
BIN_EXT = "bin"
Expand All @@ -65,6 +67,7 @@
'PUBKEY': 0x02,
'SHA256': 0x10,
'SHA384': 0x11,
'SHA512': 0x12,
'RSA2048': 0x20,
'ECDSASIG': 0x22,
'RSA3072': 0x23,
Expand Down Expand Up @@ -135,21 +138,92 @@ def get(self):
return header + bytes(self.buf)


SHAAndAlgT = namedtuple('SHAAndAlgT', ['sha', 'alg'])

TLV_SHA_TO_SHA_AND_ALG = {
TLV_VALUES['SHA256'] : SHAAndAlgT('256', hashlib.sha256),
TLV_VALUES['SHA384'] : SHAAndAlgT('384', hashlib.sha384),
TLV_VALUES['SHA512'] : SHAAndAlgT('512', hashlib.sha512),
}


USER_SHA_TO_ALG_AND_TLV = {
'auto' : (hashlib.sha256, 'SHA256'),
'256' : (hashlib.sha256, 'SHA256'),
'384' : (hashlib.sha384, 'SHA384'),
'512' : (hashlib.sha512, 'SHA512')
}


def is_sha_tlv(tlv):
return tlv in TLV_SHA_TO_SHA_AND_ALG.keys()


def tlv_sha_to_sha(tlv):
return TLV_SHA_TO_SHA_AND_ALG[tlv].sha


# Auto selecting hash algorithm for type(key)
ALLOWED_KEY_SHA = {
keys.ECDSA384P1 : ['384'],
keys.ECDSA384P1Public : ['384'],
keys.ECDSA256P1 : ['256'],
keys.RSA : ['256'],
# This two are set to 256 for compatibility, the right would be 512
keys.Ed25519 : ['256', '512'],
keys.X25519 : ['256', '512']
}

def key_and_user_sha_to_alg_and_tlv(key, user_sha):
"""Matches key and user requested sha to sha alogrithm and TLV name.
The returned tuple will contain hash functions and TVL name.
The function is designed to succeed or completely fail execution,
as providing incorrect pair here basically prevents doing
any more work."""
if key is None:
# If key is none, we allow whatever user has selected for sha
return USER_SHA_TO_ALG_AND_TLV[user_sha]

# If key is not None, then we have to filter hash to only allowed
allowed = None
try:
allowed = ALLOWED_KEY_SHA[type(key)]
except KeyError:
raise click.UsageError("Colud not find allowed hash algorithms for {}"
.format(type(key)))
if user_sha == 'auto':
return USER_SHA_TO_ALG_AND_TLV[allowed[0]]

if user_sha in allowed:
return USER_SHA_TO_ALG_AND_TLV[user_sha]

raise click.UsageError("Key {} can not be used with --sha {}; allowed sha are one of {}"
.format(key.sig_type(), user_sha, allowed))


def do_double_sha(key, sha):
return not (type(key) == keys.Ed25519 and (sha in ['512', 'SHA512']))


def get_digest(tlv_type, hash_region):
if tlv_type == TLV_VALUES["SHA384"]:
sha = hashlib.sha384()
elif tlv_type == TLV_VALUES["SHA256"]:
sha = hashlib.sha256()
sha = TLV_SHA_TO_SHA_AND_ALG[tlv_type].alg()

sha.update(hash_region)
return sha.digest()


def tlv_matches_key_type(tlv_type, key):
"""Check if provided key matches to TLV record in the image"""
return (key is None or
type(key) == keys.ECDSA384P1 and tlv_type == TLV_VALUES["SHA384"] or
type(key) != keys.ECDSA384P1 and tlv_type == TLV_VALUES["SHA256"])
try:
# We do not need the result here, and the key_and_user_sha_to_alg_and_tlv
# will either succeed finding match or rise exception, so on success we
# return True, on exception we return False.
_, _ = key_and_user_sha_to_alg_and_tlv(key, tlv_sha_to_sha(tlv_type))
return True
except:
pass

return False


class Image:
Expand Down Expand Up @@ -336,17 +410,14 @@ def ecies_hkdf(self, enckey, plainkey):

def create(self, key, public_key_format, enckey, dependencies=None,
sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False,
fixed_sig=None, pub_key=None, vector_to_sign=None):
fixed_sig=None, pub_key=None, vector_to_sign=None, user_sha='auto'):
self.enckey = enckey

# Check what hashing algorithm should be used
if (key and isinstance(key, ecdsa.ECDSA384P1)
or pub_key and isinstance(pub_key, ecdsa.ECDSA384P1Public)):
hash_algorithm = hashlib.sha384
hash_tlv = "SHA384"
else:
hash_algorithm = hashlib.sha256
hash_tlv = "SHA256"
# key decides on sha, then pub_key; of both are none default is used
check_key = key if key is not None else pub_key
hash_algorithm, hash_tlv = key_and_user_sha_to_alg_and_tlv(check_key, user_sha)
double_sha = do_double_sha(key, hash_tlv)

# Calculate the hash of the public key
if key is not None:
pub = key.get_public_bytes()
Expand Down Expand Up @@ -466,11 +537,22 @@ def create(self, key, public_key_format, enckey, dependencies=None,

tlv = TLV(self.endian)

# Note that ecdsa wants to do the hashing itself, which means
# we get to hash it twice.
# Proper use of ED25519 requires usage of SHA512; the default
# for imgtool, and MCUboot, is to calculate SHA256 and pass it
# to ED25519 where SHA512 of it is calculated and signed.
# That is not correct approach as it reduces domain of SHA512,
# and needlessly does double sha calculation.
# To remain compatible, when SHA256 is selected with ED25519
# it will do the double hashing, but when SHA512 is selected,
# the payload is directly passed for signature and only hashed
# once.
sha = hash_algorithm()
sha.update(self.payload)
digest = sha.digest()
if double_sha:
message = digest;
else:
message = bytes(self.payload)
tlv.add(hash_tlv, digest)

if vector_to_sign == 'payload':
Expand Down Expand Up @@ -499,7 +581,7 @@ def create(self, key, public_key_format, enckey, dependencies=None,
sig = key.sign(bytes(self.payload))
else:
print(os.path.basename(__file__) + ": sign the digest")
sig = key.sign_digest(digest)
sig = key.sign_digest(message)
tlv.add(key.sig_tlv(), sig)
self.signature = sig
elif fixed_sig is not None and key is None:
Expand Down Expand Up @@ -673,14 +755,17 @@ def verify(imgfile, key):
prot_tlv_size = tlv_off
hash_region = b[:prot_tlv_size]
digest = None
# Safe bet on sha256, the right one will be identified from TLV
digest_sha = '256'
tlv_end = tlv_off + tlv_tot
tlv_off += TLV_INFO_SIZE # skip tlv info
while tlv_off < tlv_end:
tlv = b[tlv_off:tlv_off + TLV_SIZE]
tlv_type, _, tlv_len = struct.unpack('BBH', tlv)
if tlv_type == TLV_VALUES["SHA256"] or tlv_type == TLV_VALUES["SHA384"]:
if is_sha_tlv(tlv_type):
if not tlv_matches_key_type(tlv_type, key):
return VerifyResult.KEY_MISMATCH, None, None
digest_sha = tlv_sha_to_sha(tlv_type)
off = tlv_off + TLV_SIZE
digest = get_digest(tlv_type, hash_region)
if digest == b[off:off + tlv_len]:
Expand All @@ -696,7 +781,10 @@ def verify(imgfile, key):
if hasattr(key, 'verify'):
key.verify(tlv_sig, payload)
else:
key.verify_digest(tlv_sig, digest)
if do_double_sha(key, digest_sha):
key.verify_digest(tlv_sig, digest)
else:
key.verify_digest(tlv_sig, hash_region)
return VerifyResult.OK, version, digest
except InvalidSignature:
# continue to next TLV
Expand Down
8 changes: 6 additions & 2 deletions scripts/imgtool/main.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ def gen_x25519(keyfile, passwd):
'x25519': gen_x25519,
}
valid_formats = ['openssl', 'pkcs8']
valid_sha = [ 'auto', '256', '384', '512' ]


def load_signature(sigfile):
Expand Down Expand Up @@ -401,6 +402,9 @@ def convert(self, value, param, ctx):
@click.option('--sig-out', metavar='filename',
help='Path to the file to which signature will be written. '
'The image signature will be encoded as base64 formatted string')
@click.option('--sha', 'user_sha', type=click.Choice(valid_sha), default='auto',
help='selected sha algorithm to use; defaults to "auto" which is 256 if '
'no cryptographic sygnature is used, or default for signature type')
@click.option('--vector-to-sign', type=click.Choice(['payload', 'digest']),
help='send to OUTFILE the payload or payload''s digest instead '
'of complied image. These data can be used for external image '
Expand All @@ -413,7 +417,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
boot_record, custom_tlv, rom_fixed, max_align, clear, fix_sig,
fix_sig_pubkey, sig_out, vector_to_sign, non_bootable):
fix_sig_pubkey, sig_out, user_sha, vector_to_signi, non_bootable):

if confirm:
# Confirmed but non-padded images don't make much sense, because
Expand Down Expand Up @@ -481,7 +485,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,

img.create(key, public_key_format, enckey, dependencies, boot_record,
custom_tlvs, int(encrypt_keylen), clear, baked_signature,
pub_key, vector_to_sign)
pub_key, vector_to_sign, user_sha)
img.save(outfile, hex_addr)

if sig_out is not None:
Expand Down

0 comments on commit 332ac85

Please sign in to comment.