This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

extracting signature from DFU package

Our device is based on nrf52840 + SDK 15.0.0

We use nrfutil application for packaging sw update (application) and use DFU for uploading & verify authentication

We also authenticate messages and data during device normal operation so we can't enter DFU mode but we built ECDSA authentication functionalities which based on crypto frontend and enbedded CC310 backend.

Can we use nrfutil to simple sign data?

The result of nrfutil pkg command is zip file which contains signed file, dat file and manifest file.

How can we extract only the signature from zip file or force nrfutil to expose signature?

Moreover, can I use new "external application" feature which was introduced in SDK 15.3.0 for it?

Thanks in advance

Parents

0 Vidar Berg over 6 years ago

Hi,

I don't think nrfutil is a good option for this. It's made specifically to sign DFU packages for our DFU solution. It signs the init packet, not the FW image itself. If you have some experience with python it may be easier to make your own script based on nrfutil and the crypto module it uses. Or maybe you can use the OpenSSL command-line tool.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Wendel over 5 years ago in reply to Vidar Berg
Hi Vidar,

Any suggestion on how to sign the init packet with OpenSSL command-line tool?

The key was generated with command:

openssl ecparam -name prime256v1 -genkey -out private_key.pem

Thanks a lot.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Wendel over 5 years ago in reply to Vidar Berg
Hi Vidar,

Any suggestion on how to sign the init packet with OpenSSL command-line tool?

The key was generated with command:

openssl ecparam -name prime256v1 -genkey -out private_key.pem

Thanks a lot.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Vidar Berg over 5 years ago in reply to Wendel

Hi,

I'm not sure if there's an easy way to do this with openssl. Did you consider the option of modifying nrfutil to use this elliptic curve?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Wendel over 5 years ago in reply to Vidar Berg

Hi, Vidar

I afraid the answer is No, because our key-server is openssl-based, we want to sign the init packet with openssl rather than nrfutil.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vidar Berg over 5 years ago in reply to Wendel

I understand. I don't know the steps to do this with openssl, but I see already you got some advice in this post: https://devzone.nordicsemi.com/f/nordic-q-a/63773/cross-checking-nrfutil-boot_validation_signature-for-validate_ecdsa_p256_sha256-with-openssl-command-line.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel