forked from rkraevskiy/ubootpubkey
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathubpubkey.py
More file actions
executable file
·185 lines (147 loc) · 5.78 KB
/
ubpubkey.py
File metadata and controls
executable file
·185 lines (147 loc) · 5.78 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
#!/usr/bin/env python
#
# A script to convert RSA pubkey to u-boot dts format.
#
# Copyright (c) 2020, Roman Kraevskiy <rkraevskiy@gmail.com>
# All rights reserved.
#
# This software is dual licensed and available under the MPL-2.0
# or under the GPL-2.0-or-later.
#
"""
A script to convert RSA public key(s) to uboot dts format and
write them to a flattened device tree.
2020 Roman Kraievskyi <rkraevskiy@gmail.com>
"""
from __future__ import print_function
from Crypto.PublicKey import RSA
import fdt
VERSION = "1.0a"
NAME = "ubpubkey-ftd"
def egcd(a, b):
x,y, u,v = 0,1, 1,0
while a != 0:
q,r = b//a,b%a;
m,n = x-u*q,y-v*q
b,a, x,y, u,v = a,r, u,v, m,n
return b, x, y
# reciprocal
def inverse(v,mod):
g,x,y = egcd(v,mod)
if x<0:
x+=mod
return x
def bytelen(x):
return (x.bit_length() + 7) // 8
def int_to_hex(x,bits):
h = hex(x)[2:].rstrip('L')
lreq = ((bits+7)//8)*2
if len(h)<lreq:
h = "0"*(lreq-len(h)) + h
return h
def nsplit(l,size):
n = max(1, size)
r = list(l[i:i+n] for i in range(len(l)-n,-n,-n))
r.reverse()
return r
def int_to_str(x):
res = []
while x > 0:
res.append(chr(x&0xff))
x = x>>8
res.reverse()
return ''.join(res)
def int_to_hexlist(x,nbits,nbytes):
h = int_to_hex(x,nbits)
l = [ "0x"+(i.lstrip('0') if i.lstrip('0') else '00') for i in nsplit(h,nbytes*2)]
return l
class UbootKeyData:
def __init__(self,rsakey):
self.rsa_modulus = rsakey.n
self.rsa_exponent = rsakey.e
self.rsa_num_bits = rsakey.n.bit_length()
self.rsa_r_squared = ((2 ** self.rsa_num_bits) ** 2) % self.rsa_modulus
mod32 = 2**32
modmask = mod32-1
self.rsa_n0_inverse = (mod32 - inverse(self.rsa_modulus&modmask,mod32))%mod32
def n_int(i, n):
return (i & 0xffffffff<<n*32) >> n*32
if __name__ == "__main__":
import time
import sys
import datetime
import ssl
from Crypto.Util.asn1 import DerSequence
import hashlib
import os
import argparse
parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter, description=__doc__)
parser.add_argument('-o', '--outfile', help="Output dtb file")
parser.add_argument('-p', '--pubkey', nargs='+', help="Input public key file(s)")
parser.add_argument('-k', '--keynode', default=None, nargs='+', help = "Name of the public key node(s)")
parser.add_argument('-i', '--dtb_in', default=None, help="Optional input dtb file")
parser.add_argument('-r', '--required', choices=['image', 'conf'], default='conf', help='"required" property for the key(s), default is "conf"')
parser.add_argument('-a', '--algo', default='sha256,rsa4096', help='"algo" property for the key(s), default is "sha256,rsa4096"')
parser.add_argument('--set-any-key', action='store_true', help='Set the signature required-mode property to "any"')
parser.add_argument('--version', action='version', version="%s %s"%(NAME,VERSION))
args = parser.parse_args()
keys_nodes = zip(args.pubkey, args.keynode)
if args.dtb_in:
dtb_file = args.dtb_in
else:
dtb_file = args.outfile
try:
with open(dtb_file, 'rb') as f:
dtb = fdt.parse_dtb(f.read())
except:
sys.exit(f'"Failed to parse dtb file {dtb_file}')
if args.set_any_key:
dtb.set_property('required-mode', 'any', path='/signature', create=True)
for ifname, keynode in keys_nodes:
try:
f = open(ifname,"r")
key_data = f.read()
except:
sys.exit("Failed to open file '%s'"%ifname)
ifsrc = os.path.basename(ifname)
try:
# try to import as public key
key = RSA.importKey(key_data)
src = "pubk"
except:
# certificate?
try:
der_data = ssl.PEM_cert_to_DER_cert(str(key_data))
cert = DerSequence()
cert.decode(der_data)
tbsCertificate = DerSequence()
tbsCertificate.decode(cert[0])
cert = tbsCertificate[6]
key = RSA.importKey(cert)
src = "cert"
except:
sys.exit("Failed to import key from '%s'"%ifname)
try:
der_data = key.exportKey('DER')
x = UbootKeyData(key)
h = hashlib.sha256()
h.update(der_data)
k_gen = "%s/%s/%s"%(NAME,VERSION,int(time.mktime(datetime.datetime.now().timetuple())))
k_sha256_fp = "%s"%(h.hexdigest()[:64])
k_src = "%s/%s"%(src,ifsrc)
keypath = f'/signature/{keynode}'
dtb.set_property('required', 'conf', path=keypath)
dtb.set_property('algo', args.algo, path=keypath, create=True)
dtb.set_property('rsa,r-squared', [n_int(x.rsa_r_squared, a) for a in reversed(range(((x.rsa_r_squared.bit_length()+31) // 32)))], path=keypath)
dtb.set_property('rsa,modulus', [n_int(x.rsa_modulus, a) for a in reversed(range((x.rsa_num_bits+31) // 32))], path=keypath)
dtb.set_property('rsa,exponent', [n_int(x.rsa_exponent, a) for a in reversed(range(64 // 32))], path=keypath)
dtb.set_property('rsa,modulus', [n_int(x.rsa_modulus, a) for a in reversed(range((x.rsa_num_bits+31) // 32))], path=keypath)
dtb.set_property('rsa,n0-inverse', x.rsa_n0_inverse, path=keypath)
dtb.set_property('rsa,num-bits', x.rsa_num_bits, path=keypath)
dtb.set_property('k-gen ', k_gen, path=keypath)
dtb.set_property('k-sha256-fp', k_sha256_fp, path=keypath)
dtb.set_property('k-src', k_src, path=keypath)
except:
sys.exit('Failed to generate public key information')
with open(args.outfile, 'wb') as f:
f.write(dtb.to_dtb())