Right now, the tool preload_check_sign can only check an image with a pre-load header with rsa. We add support for a pre-load header with ecdsa.
Reviewed-by: Simon Glass <[email protected]> Reviewed-by: Raymond Mao <[email protected]> Signed-off-by: Philippe Reynes <[email protected]>
---
v3: - initial version v4: - free key to avoid mem leak - fix error management (set ret before goto out) v5: - add include ec.h, evp.h, err.h and image.h v6: - no change v7: - no change tools/preload_check_sign.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)
diff --git a/tools/preload_check_sign.c b/tools/preload_check_sign.c
index ebead459273..d94f0509e74 100644
--- a/tools/preload_check_sign.c
+++ b/tools/preload_check_sign.c
@@ -8,9 +8,13 @@
 * complete file. The tool preload_check_sign allows to verify and authenticate
 * a file starting with a preload header.
 */
+
+#define OPENSSL_API_COMPAT 0x10101000L
+
 #include <stdio.h>
 #include <unistd.h>
 #include <openssl/pem.h>
+#include <openssl/ec.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <image.h>
@@ -144,6 +148,32 @@ int main(int argc, char **argv)
 info.sig_info.key = info.key;
 info.sig_info.keylen = info.key_len;

+ /* For ecdsa key, we have to update some values */
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ EC_KEY *ecdsa_key;
+ const EC_GROUP *group;
+
+ ecdsa_key = EVP_PKEY_get1_EC_KEY(pkey);
+ if (!ecdsa_key) {
+ fprintf(stderr, "Can not extract ECDSA key\n");
+ ret = EXIT_FAILURE;
+ goto out;
+ }
+
+ group = EC_KEY_get0_group(ecdsa_key);
+ if (!group) {
+ fprintf(stderr, "Can not extract ECDSA group\n");
+ EC_KEY_free(ecdsa_key);
+ ret = EXIT_FAILURE;
+ goto out;
+ }
+
+ info.sig_info.keyfile = keyfile;
+ info.sig_size = (EC_GROUP_order_bits(group) + 7) / 8 * 2;
+
+ EC_KEY_free(ecdsa_key);
+ }
+
 /* Check the signature */
 image_pre_load_sig_set_info(&info);
 ret = image_pre_load_sig((ulong)buffer);
-- 
2.43.0
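Review bot: The `#define OPENSSL_API_COMPAT 0x10101000L` at the top of the file has no comment saying why it is needed. It requests the OpenSSL 1.1.1 API level, which presumably is what lets the `EC_KEY` accessors added further down in `main()` build without deprecation warnings against OpenSSL 3.x. I would add `/* Request the OpenSSL 1.1.1 API: the EC_KEY accessors used below are deprecated in 3.0 */` above it, and keep the define ahead of every OpenSSL include, as it is now.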
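Review bot: `info.sig_size = (EC_GROUP_order_bits(group) + 7) / 8 * 2;` uses the return value unchecked, so a group with no order set would give a signature size of 0 and the check would go ahead with it. I would reject that case with the same cleanup as the `!group` branch: `if (EC_GROUP_order_bits(group) <= 0)` followed by `EC_KEY_free(ecdsa_key); ret = EXIT_FAILURE; goto out;`. The size is also overridden here from the key, and nothing visible in the hunk compares it with the number of bytes available in `buffer` before `image_pre_load_sig((ulong)buffer)` runs, so a truncated input deserves an explicit length check if one is not already done earlier in `main()`, whose body starts and ends outside this hunk. A short comment such as `/* raw r || s, each padded to the order size */` on the computation would record the signature encoding, which I am inferring from the arithmetic.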

