-
Notifications
You must be signed in to change notification settings - Fork 100
154 lines (116 loc) · 4.7 KB
/
test-keytools.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Wolfboot keytools test workflow
on:
push:
branches: [master]
pull_request:
branches: [master]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
submodules: true
- name: Workaround for sources.list
run: sudo sed -i 's|http://azure.archive.ubuntu.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/sources.list
- name: Update repository
run: sudo apt-get update
- name: Install wolfSSL
run: |
sudo apt-get install --no-install-recommends -y -q make libwolfssl-dev
# ECC
- name: make clean
run: |
make distclean && make keysclean && make -C tools/keytools clean && rm -f include/target.h
- name: Select config
run: |
cp config/examples/sim-ecc.config .config && make include/target.h
- name: Build key tools
run: |
make -C tools/keytools
- name: Build wolfboot
run: |
make ${{inputs.make-args}}
- name: Generate external key
run: |
openssl ecparam -name prime256v1 -genkey -noout -outform DER -out private-key.der
- name: Export external public key
run: |
openssl ec -in private-key.der -inform DER -pubout -out public-key.der -outform DER
- name: Import external public key
run: |
./tools/keytools/keygen --ecc256 -i public-key.der
- name: Hash the image elf
run: |
./tools/keytools/sign --ecc256 --sha-only --sha256 test-app/image.elf public-key.der 1
- name: Sign the digest with the external key
run: |
openssl pkeyutl -sign -keyform der -inkey private-key.der -in test-app/image_v1_digest.bin > test-app/image_v1.sig
- name: Generate final signed binary
run: |
./tools/keytools/sign --ecc256 --sha256 --manual-sign test-app/image.elf public-key.der 1 test-app/image_v1.sig
# ED25519
- name: make clean
run: |
make distclean && make keysclean && make -C tools/keytools clean && rm -f include/target.h
- name: Select config
run: |
cp config/examples/sim.config .config && make include/target.h
- name: Build key tools
run: |
make -C tools/keytools
- name: Build wolfboot
run: |
make ${{inputs.make-args}}
- name: Generate external key
run: |
openssl genpkey -algorithm ed25519 -out private-key.der -outform DER
- name: Export external public key
run: |
openssl pkey -in private-key.der -inform DER -pubout -out public-key.der -outform DER
- name: Import external public key
run: |
./tools/keytools/keygen --ed25519 -i public-key.der
- name: Hash the image elf
run: |
./tools/keytools/sign --ed25519 --sha-only --sha256 test-app/image.elf public-key.der 1
- name: Sign the digest with the external key
run: |
openssl pkeyutl -sign -keyform der -inkey private-key.der -rawin -in test-app/image_v1_digest.bin > test-app/image_v1.sig
- name: Generate final signed binary
run: |
./tools/keytools/sign --ed25519 --sha256 --manual-sign test-app/image.elf public-key.der 1 test-app/image_v1.sig
# RSA
- name: make clean
run: |
make distclean && make keysclean && make -C tools/keytools clean && rm -f include/target.h
- name: Select config
run: |
cp config/examples/sim-rsa.config .config && make include/target.h
- name: Build key tools
run: |
make -C tools/keytools
- name: Build wolfboot
run: |
make ${{inputs.make-args}}
- name: Generate external key
run: |
openssl genrsa -out private-key.pem 2048
- name: Convert to DER
run: |
openssl rsa -in private-key.pem -inform PEM -out private-key.der -outform DER
- name: Export external public key
run: |
openssl rsa -inform DER -outform DER -in private-key.der -out public-key.der -pubout
- name: Import external public key
run: |
./tools/keytools/keygen --rsa2048 -i public-key.der
- name: Hash the image elf
run: |
./tools/keytools/sign --rsa2048 --sha-only --sha256 test-app/image.elf public-key.der 1
- name: Sign the digest with the external key
run: |
openssl pkeyutl -sign -keyform der -inkey private-key.der -in test-app/image_v1_digest.bin > test-app/image_v1.sig
- name: Generate final signed binary
run: |
./tools/keytools/sign --rsa2048 --sha256 --manual-sign test-app/image.elf public-key.der 1 test-app/image_v1.sig