tools: doimage: migrate to mbedtls v2.8 APIs
Replace deprecated mbedtls_sha256 with mbedtls_sha256_ret
The mbedtls_pk_parse_key does not work correctly anymore
with the DER buffer embedded in the secure image extentson
using the buffer size as the the key length.
Move to mbedtls_pk_parse_subpubkey API that handles such
case correctly.
The DER format already contains the key length, so there
is no particular reason to supply it to the key parser.
Update the doimage version to 3.3
Change-Id: I0ec5ee84b7d1505b43138e0b7a6bdba44a6702b6
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
diff --git a/tools/marvell/doimage/doimage.c b/tools/marvell/doimage/doimage.c
index 82fd375..deb0cbd 100644
--- a/tools/marvell/doimage/doimage.c
+++ b/tools/marvell/doimage/doimage.c
@@ -51,7 +51,7 @@
/* Number of address pairs in control array */
#define CP_CTRL_EL_ARRAY_SZ 32
-#define VERSION_STRING "Marvell(C) doimage utility version 3.2"
+#define VERSION_STRING "Marvell(C) doimage utility version 3.3"
/* A8K definitions */
@@ -303,7 +303,7 @@
MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
/* First compute the SHA256 hash for the input blob */
- mbedtls_sha256(input, ilen, hash, 0);
+ mbedtls_sha256_ret(input, ilen, hash, 0);
/* Then calculate the hash signature */
rval = mbedtls_rsa_rsassa_pss_sign(mbedtls_pk_rsa(*pk_ctx),
@@ -354,6 +354,7 @@
mbedtls_pk_context pk_ctx;
unsigned char hash[32];
int rval;
+ unsigned char *pkey = (unsigned char *)pub_key;
/* Not sure this is required,
* but it's safer to start with empty buffer
@@ -373,8 +374,7 @@
}
/* Check ability to read the public key */
- rval = mbedtls_pk_parse_public_key(&pk_ctx, pub_key,
- MAX_RSA_DER_BYTE_LEN);
+ rval = mbedtls_pk_parse_subpubkey(&pkey, pub_key + klen, &pk_ctx);
if (rval != 0) {
fprintf(stderr, " Failed in pk_parse_public_key (%#x)!\n",
rval);
@@ -387,7 +387,7 @@
MBEDTLS_MD_SHA256);
/* Compute the SHA256 hash for the input buffer */
- mbedtls_sha256(input, ilen, hash, 0);
+ mbedtls_sha256_ret(input, ilen, hash, 0);
rval = mbedtls_rsa_rsassa_pss_verify(mbedtls_pk_rsa(pk_ctx),
mbedtls_ctr_drbg_random,
@@ -458,7 +458,7 @@
/* compute SHA-256 digest of the results
* and use it as the init vector (IV)
*/
- mbedtls_sha256(IV, AES_BLOCK_SZ, digest, 0);
+ mbedtls_sha256_ret(IV, AES_BLOCK_SZ, digest, 0);
memcpy(IV, digest, AES_BLOCK_SZ);
mbedtls_aes_setkey_enc(&aes_ctx, opts.sec_opts->aes_key,
AES_KEY_BIT_LEN);
@@ -880,11 +880,13 @@
fname);
return 1;
}
+
/* Data in the output buffer is aligned to the buffer end */
der_buf_start = output_buf + sizeof(output_buf) - output_len;
/* In the header DER data is aligned
* to the start of appropriate field
*/
+ bzero(out_der_key, MAX_RSA_DER_BYTE_LEN);
memcpy(out_der_key, der_buf_start, output_len);
} /* for every private key file */
@@ -899,8 +901,10 @@
fprintf(stderr, "Failed to sign CSK keys block!\n");
return 1;
}
+
/* Check that everything is correct */
- if (verify_rsa_signature(sec_ext.kak_key, MAX_RSA_DER_BYTE_LEN,
+ if (verify_rsa_signature(sec_ext.kak_key,
+ MAX_RSA_DER_BYTE_LEN,
&sec_ext.csk_keys[0][0],
sizeof(sec_ext.csk_keys),
opts.sec_opts->kak_key_file,
@@ -1333,7 +1337,7 @@
goto error;
}
- mbedtls_sha256(sec_entry->kak_key,
+ mbedtls_sha256_ret(sec_entry->kak_key,
MAX_RSA_DER_BYTE_LEN, hash, 0);
fprintf(stdout,
">>>>>>>>>> KAK KEY HASH >>>>>>>>>>\n");