Add PKCS#8 identifier. (ESPTOOL-584) #819

Closed

StevenMacias
Contributor

@StevenMacias StevenMacias commented Jan 2, 2023

Description of change

Add extra condition to allow the serialization of PKCS#8 format.

This change fixes the following bug(s):

The documentation suggests using the following command:

openssl genrsa -out my_secure_boot_signing_key.pem 3072

This generates a PKCS#8 pem file starting with -----BEGIN PRIVATE KEY----- which is different to the expected ---BEGIN RSA PRIVATE KEY---.

Since cryptography uses OpenSSL in the background this change should not be dangerous. I have tested espsecure.py locally and it works as expected.

cryptography.exceptions.UnsupportedAlgorithm – If the serialized key type is not supported by the OpenSSL version cryptography is using.

Before:

espsecure.py verify_signature --version 2 --keyfile development_private_key_rsa_3072.pem fbebbae17cf48279e7dcbc3782f8581542b281ca.bin 
espsecure.py v4.5-dev

A fatal error occurred: Verification key does not appear to be an RSA Private or Public key in PEM format. Unsupported

After:

espsecure.py verify_signature --version 2 --keyfile development_private_key_rsa_3072.pem fbebbae17cf48279e7dcbc3782f8581542b281ca.bin 
espsecure.py v4.5-dev
Signature block 0 is valid (RSA). 
Signature block 0 verification successful with /home/steven/Workspace/development_private_key_rsa_3072.pem (RSA).
Signature block 1 invalid. Skipping.
Signature block 2 invalid. Skipping.

I have tested this change with the following hardware & software combinations:

Operating system: Arch Linux x86_64
Kernel: 6.1.1-arch1-1
Chip name: ESP32-S3
IDF version: 4.4.3
OpenSSL version: OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
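The two PEM labels mentioned in the description wrap different ASN.1 structures: `BEGIN RSA PRIVATE KEY` carries a PKCS#1 `RSAPrivateKey`, while `BEGIN PRIVATE KEY` carries a PKCS#8 `PrivateKeyInfo` that names the algorithm by OID and holds the key in an OCTET STRING. The following is an added example, not code from this PR or from esptool: a standard-library sketch that identifies the format from the DER body rather than trusting the label. The helper names are hypothetical and the key material is constructed toy data.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def tlv(tag, body):
    """DER-encode one element with a definite length."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_int(i):
    """DER INTEGER for a non-negative int (adds the leading zero when needed)."""
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

def classify(pem_text):
    """Return (PEM label, structure found in the DER body)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    tag, seq, _ = read_tlv(base64.b64decode(m.group(2)))
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = read_tlv(seq)             # field 1: version INTEGER in both formats
    tag2, body2, _ = read_tlv(seq, pos)   # field 2 tells the formats apart
    if tag2 == 0x30:                      # AlgorithmIdentifier -> PKCS#8 PrivateKeyInfo
        return m.group(1), "PKCS#8 RSA" if body2.startswith(RSA_OID) else "PKCS#8 non-RSA"
    if tag2 == 0x02:                      # modulus INTEGER -> PKCS#1 RSAPrivateKey
        return m.group(1), "PKCS#1 RSA"
    raise ValueError("unrecognised private key structure")

# Constructed toy values (textbook-sized numbers, not a usable key).
PKCS1_DER = tlv(0x30, b"".join(map(der_int, (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
PKCS8_DER = tlv(0x30, der_int(0) + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, PKCS1_DER))
```

`classify(pem("PRIVATE KEY", PKCS8_DER))` reports the PKCS#8 wrapper, and a PKCS#8 body placed under the `RSA PRIVATE KEY` label is still reported as PKCS#8, which is why a loader should not decide on the label alone.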

@github-actions github-actions bot changed the title from "Add PKCS#8 identifier." to "Add PKCS#8 identifier. (ESPTOOL-584)" on Jan 2, 2023
@radimkarnis
Collaborator

Hi @StevenMacias,
Thank you for contributing! Your PR will be reviewed and hopefully merged soon.

In the meantime, there are some stylistic issues. This repo follows black formatting and style is enforced with flake8. Details are described in the Contributing guide. Please resolve this small issue and squash the commits afterwards.

@StevenMacias
Contributor Author

Format and style should be fixed now!

@radimkarnis
Collaborator

This was merged in 1d34837. Thank you!

@radimkarnis radimkarnis closed this Jan 4, 2023