Import public key for ECDSA verification - ncs

Question

Hi, I have been struggeling for a while to integrate digital sign and verification using the mbedtls ECDSA, and wonder if you have any tips. My goal is ultimately to run the ecdsa crypto sample with public and private keys generated with imgtool.py , however the import of the generated keys fail. 
 The commands python mcuboot/scripts/imgtool.py keygen -k ecdsa_key.pem -t ecdsa-p256 

python mcuboot/scripts/imgtool.py getpub -k ecdsa_key.pem

python mcuboot/scripts/imgtool.py getpriv -k ecdsa_key.pem 
 Generates the public hex key with length 91: 
 const unsigned char ecdsa_pub_key[] = {
 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
 0x42, 0x00, 0x04, 0x3e, 0x9b, 0xaa, 0x02, 0x26,
 0xcd, 0x70, 0x72, 0xca, 0x16, 0xaa, 0xc2, 0x42,
 0xb6, 0xca, 0xfc, 0x90, 0x39, 0x7a, 0x5b, 0x7b,
 0x07, 0x91, 0x48, 0x02, 0x5d, 0x75, 0x8a, 0x96,
 0x1e, 0x5a, 0x72, 0x9f, 0x86, 0x94, 0xdd, 0x91,
 0x71, 0x27, 0x8d, 0xae, 0xcc, 0xfb, 0x9e, 0x09,
 0xe3, 0xb2, 0xfd, 0xee, 0xaf, 0x7e, 0x02, 0xd4,
 0x89, 0xea, 0xc8, 0x6c, 0xa2, 0xb7, 0xfe, 0xde,
 0x68, 0xa3, 0xe4,
};
const unsigned int ecdsa_pub_key_len = 91; 
 
 and private hex key with length 138: 
 const unsigned char enc_priv_key[] = {
 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13,
 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02,
 0x01, 0x01, 0x04, 0x20, 0x99, 0x28, 0x16, 0xe4,
 0x6a, 0x4a, 0xb2, 0x4e, 0x5e, 0x61, 0x52, 0xdc,
 0x6f, 0xb0, 0x51, 0xf6, 0xfe, 0x5c, 0x5d, 0xc4,
 0x1c, 0xbf, 0xd7, 0x75, 0x4a, 0x12, 0x3f, 0x62,
 0x41, 0xe8, 0x53, 0xd1, 0xa1, 0x44, 0x03, 0x42,
 0x00, 0x04, 0x3e, 0x9b, 0xaa, 0x02, 0x26, 0xcd,
 0x70, 0x72, 0xca, 0x16, 0xaa, 0xc2, 0x42, 0xb6,
 0xca, 0xfc, 0x90, 0x39, 0x7a, 0x5b, 0x7b, 0x07,
 0x91, 0x48, 0x02, 0x5d, 0x75, 0x8a, 0x96, 0x1e,
 0x5a, 0x72, 0x9f, 0x86, 0x94, 0xdd, 0x91, 0x71,
 0x27, 0x8d, 0xae, 0xcc, 0xfb, 0x9e, 0x09, 0xe3,
 0xb2, 0xfd, 0xee, 0xaf, 0x7e, 0x02, 0xd4, 0x89,
 0xea, 0xc8, 0x6c, 0xa2, 0xb7, 0xfe, 0xde, 0x68,
 0xa3, 0xe4,
};
const unsigned int enc_priv_key_len = 138; 
 My issue is that the psa_import_key function requires a key length of 32 and 65 for the private and public keys for a secp256r1 curve. I am therefore not able to use the generated key directly. Ist there a workaround to this, or a way to parse the .pem keystring into the mbedtls libary? 
 I am using board: nrf9160dk with ncs version: 1.6.0

Einar Thorsrud · Accepted Answer

Hi, 
 Daniel Svendsen said: Interesting, so it is not possible to use the generated hex key from imgtool directly either? Why do the output not match the raw key length of 32 and 65 bytes? 
 No. I did not think of this before but imgtool getpub/getpriv does not give you raw keys, but rather ASN.1 encoded keys. So they need to be decoded to get the raw keys. You can use for instance this site to see how the ASN encoding works. If you want to do it on the nRF you can use the mbedtls_asn1_* functions if you want to do this decoding in the nRF. 
 Daniel Svendsen said: Can the flag --minimal be used to get a smaller key output? 
 No, you still don't get raw keys, and raw keys are needed by psa_import_key() .

Import public key for ECDSA verification - ncs

Top Replies