From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH 3/6] crypto: include public key hashes
Date: Thu, 21 Aug 2025 15:18:26 +0200 [thread overview]
Message-ID: <20250821-keynames-v1-3-8144af76d0ab@pengutronix.de> (raw)
In-Reply-To: <20250821-keynames-v1-0-8144af76d0ab@pengutronix.de>
The keys built into the barebox binary are not identifiable. They might
have a key name hint, but this is optional. This adds a sha256 hash
to struct public_key which can be printed when a key is used. The
hash can be obtained on the host from the certificate files or public
key PEM files with openssl commands:
openssl x509 -in crypto/fit-ecdsa-development.crt -pubkey -noout | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256
cat ~/git/ptx-code-signing-dev/fit/fit-ecdsa-development.public-key | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
crypto/public-keys.c | 2 ++
include/crypto/public_key.h | 2 ++
scripts/keytoc.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+)
diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index fba963db4eb875196daf0e3a4e3fb3cac844796a..3b691ffd6aa536084aefca90933b4bb74b724423 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -46,6 +46,8 @@ static struct public_key *public_key_dup(const struct public_key *key)
k->type = key->type;
if (key->key_name_hint)
k->key_name_hint = xstrdup(key->key_name_hint);
+ k->hash = xmemdup(key->hash, key->hashlen);
+ k->hashlen = key->hashlen;
switch (key->type) {
case PUBLIC_KEY_TYPE_RSA:
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index d4e75981738ba9651145b9a03527525ae63d6c39..7edea2d69190cb30f328510f905bab3054ad5845 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,6 +15,8 @@ struct public_key {
enum public_key_type type;
struct list_head list;
char *key_name_hint;
+ unsigned char *hash;
+ unsigned int hashlen;
union {
struct rsa_public_key *rsa;
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index c92465707f65950e95b04afe58fb10161178998c..4e5ef72cfc9a82be6fa2a74b94a663136dd703b6 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -452,6 +452,45 @@ static EVP_PKEY *reimport_key(EVP_PKEY *pkey)
return pkey_out;
}
+static int print_hash(EVP_PKEY *key)
+{
+ int i, ret;
+ BIO *mem;
+ BUF_MEM *p;
+ unsigned char hash[SHA256_DIGEST_LENGTH];
+ SHA256_CTX sha256;
+ mem = BIO_new(BIO_s_mem());
+
+ ret = i2d_PUBKEY_bio(mem, key);
+ if (ret != 1)
+ goto err;
+
+ BIO_get_mem_ptr(mem, &p);
+
+ ret = SHA256_Init(&sha256);
+ if (ret != 1)
+ goto err;
+
+ ret = SHA256_Update(&sha256, p->data, p->length);
+ if (ret != 1)
+ goto err;
+
+ ret = SHA256_Final(hash, &sha256);
+ if (ret != 1)
+ goto err;
+
+ for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
+ fprintf(outfilep, "0x%02x, ", hash[i]);
+
+ fprintf(outfilep, "\n");
+
+ ret = 0;
+err:
+ BIO_free(mem);
+
+ return ret ? -EINVAL : 0;
+}
+
static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_name_c)
{
char group[128];
@@ -482,6 +521,14 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
fprintf(stderr, "ERROR: generating a dts snippet for ECDSA keys is not yet supported\n");
return -EOPNOTSUPP;
} else {
+ fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
+
+ ret = print_hash(key);
+ if (ret)
+ return ret;
+
+ fprintf(outfilep, "\n};\n\n");
+
fprintf(outfilep, "\nstatic uint64_t %s_x[] = {", key_name_c);
ret = print_bignum(key_x, bits, 64);
if (ret)
@@ -506,6 +553,8 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
fprintf(outfilep, "\nstruct public_key __attribute__((section(\".public_keys.rodata.%s\"))) %s_public_key = {\n", key_name_c, key_name_c);
fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_ECDSA,\n");
fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+ fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
+ fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
fprintf(outfilep, "\t.ecdsa = &%s,\n", key_name_c);
fprintf(outfilep, "};\n");
}
@@ -568,6 +617,14 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
fprintf(outfilep, "\t\t\tkey-name-hint = \"%s\";\n", key_name_c);
fprintf(outfilep, "\t\t};\n");
} else {
+ fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
+
+ ret = print_hash(key);
+ if (ret)
+ return ret;
+
+ fprintf(outfilep, "\n};\n\n");
+
fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
ret = print_bignum(modulus, bits, 32);
if (ret)
@@ -600,6 +657,8 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
fprintf(outfilep, "\nstruct public_key __attribute__((section(\".public_keys.rodata.%s\"))) %s_public_key = {\n", key_name_c, key_name_c);
fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_RSA,\n");
fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+ fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
+ fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
fprintf(outfilep, "\t.rsa = &%s,\n", key_name_c);
fprintf(outfilep, "};\n");
}
--
2.39.5
next prev parent reply other threads:[~2025-08-21 17:52 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-21 13:18 [PATCH 0/6] crypto: keys: Some work for public keys Sascha Hauer
2025-08-21 13:18 ` [PATCH 1/6] crypto: drop BOOTM_FITIMAGE_PUBKEY Sascha Hauer
2025-08-21 13:18 ` [PATCH 2/6] crypto: Allow to include development keys in build Sascha Hauer
2025-08-21 13:18 ` Sascha Hauer [this message]
2025-08-21 13:18 ` [PATCH 4/6] commands: add keys command Sascha Hauer
2025-08-21 13:18 ` [PATCH 5/6] fit: consistently pass around fit_handle Sascha Hauer
2025-08-21 13:18 ` [PATCH 6/6] fit: improve diagnostics Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250821-keynames-v1-3-8144af76d0ab@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox