@@ -68,6 +68,97 @@ static void bytes_swap(uint8_t *ptr, uint32_t size)
6868 * manifest header (Public Key, Exponent and Signature).
6969*/
7070
71+ int pkcs_sign_v1_5 (struct image * image , struct fw_image_manifest_v1_5 * man ,
72+ void * ptr1 , unsigned int size1 )
73+ {
74+ RSA * priv_rsa = NULL ;
75+ EVP_PKEY * privkey ;
76+ FILE * fp ;
77+
78+ const BIGNUM * n , * e , * d ;
79+ unsigned char digest [SHA256_DIGEST_LENGTH ];
80+ unsigned char mod [MAN_RSA_KEY_MODULUS_LEN ];
81+ unsigned int siglen = MAN_RSA_SIGNATURE_LEN ;
82+ char path [256 ];
83+ int ret = - EINVAL , i ;
84+
85+ #if DEBUG_PKCS
86+ fprintf (stdout , "offsets 0x%lx size 0x%x\n" ,
87+ ptr1 - (void * )man , size1 );
88+ #endif
89+
90+ /* create new key */
91+ privkey = EVP_PKEY_new ();
92+ if (!privkey )
93+ return - ENOMEM ;
94+
95+ /* load in RSA private key from PEM file */
96+ if (!image -> key_name )
97+ sprintf (path , "%s/otc_private_key.pem" , PEM_KEY_PREFIX );
98+ else
99+ strcpy (path , image -> key_name );
100+
101+ fprintf (stdout , " pkcs: signing with key %s\n" , path );
102+ fp = fopen (path , "r" );
103+ if (!fp ) {
104+ fprintf (stderr , "error: can't open file %s %d\n" ,
105+ path , - errno );
106+ return - errno ;
107+ }
108+ PEM_read_PrivateKey (fp , & privkey , NULL , NULL );
109+ fclose (fp );
110+
111+ /* validate RSA private key */
112+ priv_rsa = EVP_PKEY_get1_RSA (privkey );
113+ if (RSA_check_key (priv_rsa )) {
114+ fprintf (stdout , " pkcs: RSA private key is valid.\n" );
115+ } else {
116+ fprintf (stderr , "error: validating RSA private key.\n" );
117+ return - EINVAL ;
118+ }
119+
120+ /* calculate the digest */
121+ module_sha256_create (image );
122+ module_sha256_update (image , ptr1 , size1 );
123+ module_sha256_complete (image , digest );
124+
125+ fprintf (stdout , " pkcs: digest for manifest is " );
126+ for (i = 0 ; i < SHA256_DIGEST_LENGTH ; i ++ )
127+ fprintf (stdout , "%02x" , digest [i ]);
128+ fprintf (stdout , "\n" );
129+
130+ /* sign the manifest */
131+ ret = RSA_sign (NID_sha256 , digest , SHA256_DIGEST_LENGTH ,
132+ (unsigned char * )man -> css_header .signature ,
133+ & siglen , priv_rsa );
134+ if (ret < 0 )
135+ fprintf (stderr , "error: failed to sign manifest\n" );
136+
137+ /* copy public key modulus and exponent to manifest */
138+ RSA_get0_key (priv_rsa , & n , & e , & d );
139+ BN_bn2bin (n , mod );
140+ BN_bn2bin (e , (unsigned char * )man -> css_header .exponent );
141+
142+ /* modulus is reveresd */
143+ for (i = 0 ; i < MAN_RSA_KEY_MODULUS_LEN ; i ++ )
144+ man -> css_header .modulus [i ]
145+ = mod [MAN_RSA_KEY_MODULUS_LEN - (1 + i )];
146+
147+ /* signature is reveresd, swap it */
148+ bytes_swap (man -> css_header .signature ,
149+ sizeof (man -> css_header .signature ));
150+
151+ EVP_PKEY_free (privkey );
152+ return ret ;
153+ }
154+
155+ /*
156+ * RSA signature of manifest. The signature is an PKCS
157+ * #1-v1_5 of the entire manifest structure, including all
158+ * extensions, and excluding the last 3 fields of the
159+ * manifest header (Public Key, Exponent and Signature).
160+ */
161+
71162int pkcs_sign_v1_8 (struct image * image , struct fw_image_manifest_v1_8 * man ,
72163 void * ptr1 , unsigned int size1 , void * ptr2 ,
73164 unsigned int size2 )
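Review bot: Nothing in pkcs_sign_v1_5 checks that the loaded key fits the fixed-size fields it writes: `BN_bn2bin(n, mod)` stores BN_num_bytes(n) bytes in `mod[MAN_RSA_KEY_MODULUS_LEN]` and `RSA_sign()` stores RSA_size() bytes in `css_header.signature` (presumably MAN_RSA_SIGNATURE_LEN bytes), so a larger PEM key overruns the stack buffer and the header, and a smaller one leaves part of `mod` uninitialised before the reversal loop copies it. The return of `PEM_read_PrivateKey()` is not tested and `EVP_PKEY_get1_RSA()` may return NULL, so the key check should reject a NULL key and any key whose `RSA_size()` differs from the expected length. `RSA_sign()` returns 1 on success and 0 on failure, so `if (ret < 0)` never fires and the function carries on with an unsigned manifest; the early returns also leak `privkey`, and the reference taken by `EVP_PKEY_get1_RSA()` is never released. Separately, `sprintf`/`strcpy` into `path[256]` should become `snprintf(path, sizeof(path), "%s", image->key_name)` with a truncation check, because `image->key_name` has no visible length bound.

```c
	/* ... unchanged: EVP_PKEY_new(), path selection, fopen/PEM read/fclose ... */

	/* validate RSA private key and its size against the manifest fields */
	priv_rsa = EVP_PKEY_get1_RSA(privkey);
	if (!priv_rsa || RSA_check_key(priv_rsa) != 1) {
		fprintf(stderr, "error: validating RSA private key.\n");
		ret = -EINVAL;
		goto out;
	}
	if (RSA_size(priv_rsa) != MAN_RSA_KEY_MODULUS_LEN ||
	    RSA_size(priv_rsa) != MAN_RSA_SIGNATURE_LEN) {
		fprintf(stderr, "error: unexpected RSA key size %d\n",
			RSA_size(priv_rsa));
		ret = -EINVAL;
		goto out;
	}

	/* ... unchanged: digest calculation and printout ... */

	/* sign the manifest; RSA_sign() returns 1 on success, 0 on failure */
	if (RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
		     (unsigned char *)man->css_header.signature,
		     &siglen, priv_rsa) != 1) {
		fprintf(stderr, "error: failed to sign manifest\n");
		ret = -EINVAL;
		goto out;
	}
	ret = 0;

	/* ... unchanged: modulus/exponent copy and byte swaps ... */

out:
	RSA_free(priv_rsa);
	EVP_PKEY_free(privkey);
	return ret;
```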
@@ -150,6 +241,15 @@ int pkcs_sign_v1_8(struct image *image, struct fw_image_manifest_v1_8 *man,
150241 return ret ;
151242}
152243
244+ int ri_manifest_sign_v1_5 (struct image * image )
245+ {
246+ struct fw_image_manifest_v1_5 * man = image -> fw_image ;
247+
248+ pkcs_sign_v1_5 (image , man , (void * )man + MAN_CSS_MAN_SIZE_V1_5 ,
249+ image -> image_end - sizeof (* man ));
250+ return 0 ;
251+ }
252+
153253int ri_manifest_sign_v1_8 (struct image * image )
154254{
155255 struct fw_image_manifest_v1_8 * man = image -> fw_image ;
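Review bot: ri_manifest_sign_v1_5 discards the result of `pkcs_sign_v1_5()` and returns 0 unconditionally, so a missing key file, an invalid key or a failed signature is reported to the caller as success and the build can go on to emit an image whose signature field was never filled in. Propagate the error, e.g. `ret = pkcs_sign_v1_5(...); return ret < 0 ? ret : 0;` (the mapping is needed because the callee, as written, hands back `RSA_sign()`'s 1 on success). The hashed range also deserves a comment: the start pointer is offset by `MAN_CSS_MAN_SIZE_V1_5` while the length subtracts `sizeof(*man)`, and if those two differ the digest does not end at `image_end`; neither value is visible here, so confirm that this is intended. `image->image_end - sizeof(*man)` also wraps to a huge length if `image_end` is ever smaller than the manifest, which would be worth rejecting before signing.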