Skip to content

Commit

Permalink
scripts/bootloader: Add ed25519/sha512 to scripts
Browse files Browse the repository at this point in the history
Python scripts implementing ed25519 and sha512 support needed
for nsib image signing.

Signed-off-by: Lukasz Fundakowski <[email protected]>
  • Loading branch information
fundakol committed Nov 26, 2024
1 parent d839e3c commit 4a4b80b
Show file tree
Hide file tree
Showing 10 changed files with 2,276 additions and 105 deletions.
51 changes: 39 additions & 12 deletions scripts/bootloader/do_sign.py
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,21 @@
# Copyright (c) 2018 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause


import sys
import argparse
import hashlib
from ecdsa import SigningKey
import sys
from typing import BinaryIO

from cryptography.hazmat.primitives.serialization import load_pem_private_key
from ecdsa.keys import SigningKey # type: ignore[import-untyped]

def parse_args():

def parse_args(argv=None):
parser = argparse.ArgumentParser(
description='Sign data from stdin or file.',
formatter_class=argparse.RawDescriptionHelpFormatter,
allow_abbrev=False)
allow_abbrev=False
)

parser.add_argument('-k', '--private-key', required=True, type=argparse.FileType('rb'),
help='Private key to use.')
Expand All @@ -25,15 +27,40 @@ def parse_args():
parser.add_argument('-o', '--out', '-out', required=False, dest='outfile',
type=argparse.FileType('wb'), default=sys.stdout.buffer,
help='Write the signature to the specified file instead of stdout.')
parser.add_argument(
'--algorithm', '-a', dest='algorithm', help='Signing algorithm (default: %(default)s)',
action='store', choices=['ecdsa', 'ed25519'], default='ecdsa',
)

args = parser.parse_args()
args = parser.parse_args(argv)

return args


if __name__ == '__main__':
args = parse_args()
private_key = SigningKey.from_pem(args.private_key.read())
data = args.infile.read()
def sign_with_ecdsa(private_key_file: BinaryIO, input_file: BinaryIO, output_file: BinaryIO) -> int:
private_key = SigningKey.from_pem(private_key_file.read())
data = input_file.read()
signature = private_key.sign(data, hashfunc=hashlib.sha256)
args.outfile.write(signature)
output_file.write(signature)
return 0


def sign_with_ed25519(private_key_file: BinaryIO, input_file: BinaryIO, output_file: BinaryIO) -> int:
private_key = load_pem_private_key(private_key_file.read(), password=None)
data = input_file.read()
signature = private_key.sign(data)
output_file.write(signature)
return 0


def main(argv=None) -> int:
args = parse_args(argv)
if args.algorithm == 'ecdsa':
return sign_with_ecdsa(args.private_key, args.infile, args.outfile)
if args.algorithm == 'ed25519':
return sign_with_ed25519(args.private_key, args.infile, args.outfile)
return 1


if __name__ == '__main__':
sys.exit(main())
52 changes: 39 additions & 13 deletions scripts/bootloader/hash.py
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,20 @@
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause

"""
Hash content of a file.
"""

import argparse
import hashlib
import sys
import argparse
from intelhex import IntelHex

from intelhex import IntelHex # type: ignore[import-untyped]

HASH_FUNCTION_FACTORY = {
'sha256': hashlib.sha256,
'sha512': hashlib.sha512,
}


def parse_args():
Expand All @@ -17,20 +26,37 @@ def parse_args():
formatter_class=argparse.RawDescriptionHelpFormatter,
allow_abbrev=False)

parser.add_argument('--infile', '-i', '--in', '-in', required=True,
help='Hash the contents of the specified file. If a *.hex file is given, the contents will '
'first be converted to binary, with all non-specified area being set to 0xff. '
'For all other file types, no conversion is done.')
return parser.parse_args()
parser.add_argument(
'--infile', '-i', '--in', '-in', required=True,
help='Hash the contents of the specified file. If a *.hex file is given, the contents will '
'first be converted to binary, with all non-specified area being set to 0xff. '
'For all other file types, no conversion is done.'
)
parser.add_argument(
'--type', '-t', dest='hash_function', help='Hash function (default: %(default)s)',
action='store', choices=HASH_FUNCTION_FACTORY.keys(), default='sha256'
)

return parser.parse_args()

if __name__ == '__main__':
args = parse_args()

if args.infile.endswith('.hex'):
ih = IntelHex(args.infile)
def generate_hash_digest(file: str, hash_function: str) -> bytes:
if file.endswith('.hex'):
ih = IntelHex(file)
ih.padding = 0xff # Allows hashing with empty regions
to_hash = ih.tobinstr()
else:
to_hash = open(args.infile, 'rb').read()
sys.stdout.buffer.write(hashlib.sha256(to_hash).digest())
to_hash = open(file, 'rb').read()

hash_function = HASH_FUNCTION_FACTORY[hash_function]
return hash_function(to_hash).digest()


def main():
args = parse_args()
sys.stdout.buffer.write(generate_hash_digest(args.infile, args.hash_function))
return 0


if __name__ == '__main__':
sys.exit(main())
204 changes: 179 additions & 25 deletions scripts/bootloader/keygen.py
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -4,16 +4,22 @@
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause

from __future__ import annotations

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import load_pem_private_key as load_pem
from hashlib import sha256
import argparse
import sys
from hashlib import sha256, sha512
from typing import BinaryIO

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives.serialization import load_pem_private_key

def generate_legal_key():

def generate_legal_key_for_elliptic_curve():
"""
Ensure that we don't have 0xFFFF in the hash of the public key of
the generated keypair.
Expand All @@ -23,8 +29,8 @@ def generate_legal_key():
while True:
key = ec.generate_private_key(ec.SECP256R1())
public_bytes = key.public_key().public_bytes(
encoding=serialization.Encoding.X962,
format=serialization.PublicFormat.UncompressedPoint,
encoding=serialization.Encoding.X962,
format=serialization.PublicFormat.UncompressedPoint,
)

# The digest don't contain the first byte as it denotes
Expand All @@ -35,7 +41,148 @@ def generate_legal_key():
return key


if __name__ == '__main__':
def generate_legal_key_for_ed25519():
"""
Ensure that we don't have 0xFFFF in the hash of the public key of
the generated keypair.
:return: A key who's SHA512 digest does not contain 0xFFFF
"""
while True:
key = ed25519.Ed25519PrivateKey.generate()
public_bytes = key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)

# The digest don't contain the first byte as it denotes
# if it is compressed/UncompressedPoint.
digest = sha512(public_bytes[1:]).digest()[:16]
if not any([digest[n:n + 2] == b'\xff\xff' for n in range(0, len(digest), 2)]):
return key


class EllipticCurveKeysGenerator:
"""Generate private and public keys for Elliptic Curve cryptography."""

def __init__(self, infile: BinaryIO | None = None) -> None:
"""
:param infile: A file-like object to read the private key.
"""
if infile is None:
self.private_key = generate_legal_key_for_elliptic_curve()
else:
self.private_key = load_pem_private_key(infile.read(), password=None)
self.public_key = self.private_key.public_key()

@property
def private_key_pem(self) -> bytes:
return self.private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)

def write_private_key_pem(self, outfile: BinaryIO) -> bytes:
"""
Write private key pem to file and return it.
:param outfile: A file-like object to write the private key.
"""
if outfile is not None:
outfile.write(self.private_key_pem)
return self.private_key_pem

@property
def public_key_pem(self) -> bytes:
return self.public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)

def write_public_key_pem(self, outfile: BinaryIO) -> bytes:
"""
Write public key pem to file and return it.
:param outfile: A file-like object to write the public key.
"""
outfile.write(self.public_key_pem)
return self.public_key_pem

@staticmethod
def verify_signature(public_key, message: bytes, signature: bytes) -> bool:
try:
public_key.verify(signature, message, ec.ECDSA(hashes.SHA256()))
return True
except InvalidSignature:
return False

@staticmethod
def sign_message(private_key, message: bytes) -> bytes:
return private_key.sign(message, ec.ECDSA(hashes.SHA256()))


class Ed25519KeysGenerator:
"""Generate private and public keys for ED25519 cryptography."""

def __init__(self, infile: BinaryIO | None = None) -> None:
"""
:param infile: A file-like object to read the private key.
"""
if infile is None:
self.private_key = generate_legal_key_for_ed25519()
else:
self.private_key = load_pem_private_key(infile.read(), password=None)
self.public_key = self.private_key.public_key()

@property
def private_key_pem(self) -> bytes:
return self.private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)

def write_private_key_pem(self, outfile: BinaryIO) -> bytes:
"""
Write private key pem to file and return it.
:param outfile: A file-like object to write the private key.
"""
outfile.write(self.private_key_pem)
return self.private_key_pem

@property
def public_key_pem(self) -> bytes:
return self.public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)

def write_public_key_pem(self, outfile: BinaryIO) -> bytes:
"""
Write public key pem to file and return it.
:param outfile: A file-like object to write the public key.
"""
if outfile is not None:
outfile.write(self.public_key_pem)
return self.public_key_pem

@staticmethod
def verify_signature(public_key, message: bytes, signature: bytes) -> bool:
try:
public_key.verify(signature, message)
return True
except InvalidSignature:
return False

@staticmethod
def sign_message(private_key, message: bytes) -> bytes:
return private_key.sign(message)


def main(argv=None) -> int:
parser = argparse.ArgumentParser(
description='Generate PEM file.',
formatter_class=argparse.RawDescriptionHelpFormatter,
Expand All @@ -53,21 +200,28 @@ def generate_legal_key():
type=argparse.FileType('rb'),
help='Read private key from specified PEM file instead '
'of generating it.')
parser.add_argument(
'--algorithm', '-a', help='Signing algorithm (default: %(default)s)',
required=False, action='store', choices=('ec', 'ed25519'), default='ec'
)

args = parser.parse_args(argv)

if args.algorithm == 'ed25519':
ed25519_generator = Ed25519KeysGenerator(args.infile)
if args.private:
ed25519_generator.write_private_key_pem(args.out)
if args.public:
ed25519_generator.write_public_key_pem(args.out)
else:
ec_generator = EllipticCurveKeysGenerator(args.infile)
if args.private:
ec_generator.write_private_key_pem(args.out)
elif args.public:
ec_generator.write_public_key_pem(args.out)

args = parser.parse_args()
sk = (load_pem(args.infile.read(), password=None) if args.infile else generate_legal_key())

if args.private:
private_pem = sk.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
args.out.write(private_pem)

if args.public:
public_pem = sk.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
args.out.write(public_pem)
return 0


if __name__ == '__main__':
sys.exit(main())
Loading

0 comments on commit 4a4b80b

Please sign in to comment.