Import public key for ECDSA verification - ncs

Hi,

I have been struggling for a while to integrate digital signing and verification using the mbedtls ECDSA, and wonder if you have any tips.
My goal is ultimately to run the ecdsa crypto sample with public and private keys generated with imgtool.py, however the import of the generated keys fails.

The commands

python mcuboot/scripts/imgtool.py keygen -k ecdsa_key.pem -t ecdsa-p256 

python mcuboot/scripts/imgtool.py getpub -k ecdsa_key.pem

python mcuboot/scripts/imgtool.py getpriv -k ecdsa_key.pem

Generates the public hex key with length 91:

const unsigned char ecdsa_pub_key[] = {
    0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
    0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
    0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
    0x42, 0x00, 0x04, 0x3e, 0x9b, 0xaa, 0x02, 0x26,
    0xcd, 0x70, 0x72, 0xca, 0x16, 0xaa, 0xc2, 0x42,
    0xb6, 0xca, 0xfc, 0x90, 0x39, 0x7a, 0x5b, 0x7b,
    0x07, 0x91, 0x48, 0x02, 0x5d, 0x75, 0x8a, 0x96,
    0x1e, 0x5a, 0x72, 0x9f, 0x86, 0x94, 0xdd, 0x91,
    0x71, 0x27, 0x8d, 0xae, 0xcc, 0xfb, 0x9e, 0x09,
    0xe3, 0xb2, 0xfd, 0xee, 0xaf, 0x7e, 0x02, 0xd4,
    0x89, 0xea, 0xc8, 0x6c, 0xa2, 0xb7, 0xfe, 0xde,
    0x68, 0xa3, 0xe4,
};
const unsigned int ecdsa_pub_key_len = 91;

and private hex key with length 138:

const unsigned char enc_priv_key[] = {
    0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13,
    0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
    0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
    0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02,
    0x01, 0x01, 0x04, 0x20, 0x99, 0x28, 0x16, 0xe4,
    0x6a, 0x4a, 0xb2, 0x4e, 0x5e, 0x61, 0x52, 0xdc,
    0x6f, 0xb0, 0x51, 0xf6, 0xfe, 0x5c, 0x5d, 0xc4,
    0x1c, 0xbf, 0xd7, 0x75, 0x4a, 0x12, 0x3f, 0x62,
    0x41, 0xe8, 0x53, 0xd1, 0xa1, 0x44, 0x03, 0x42,
    0x00, 0x04, 0x3e, 0x9b, 0xaa, 0x02, 0x26, 0xcd,
    0x70, 0x72, 0xca, 0x16, 0xaa, 0xc2, 0x42, 0xb6,
    0xca, 0xfc, 0x90, 0x39, 0x7a, 0x5b, 0x7b, 0x07,
    0x91, 0x48, 0x02, 0x5d, 0x75, 0x8a, 0x96, 0x1e,
    0x5a, 0x72, 0x9f, 0x86, 0x94, 0xdd, 0x91, 0x71,
    0x27, 0x8d, 0xae, 0xcc, 0xfb, 0x9e, 0x09, 0xe3,
    0xb2, 0xfd, 0xee, 0xaf, 0x7e, 0x02, 0xd4, 0x89,
    0xea, 0xc8, 0x6c, 0xa2, 0xb7, 0xfe, 0xde, 0x68,
    0xa3, 0xe4,
};
const unsigned int enc_priv_key_len = 138;



My issue is that the psa_import_key function requires a key length of 32 and 65 for the private and public keys for a secp256r1 curve. I am therefore not able to use the generated key directly.
Is there a workaround to this, or a way to parse the .pem keystring into the mbedtls library?

I am using board: nrf9160dk with ncs version: 1.6.0

  • Interesting, so it is not possible to use the generated hex key from imgtool directly either? Why does the output not match the raw key length of 32 and 65 bytes? Can the flag --minimal be used to get a smaller key output?

    python mcuboot/scripts/imgtool.py getpriv -k ecdsa_key.pem --minimal

  • Hi,

    Daniel Svendsen said:
    Interesting, so it is not possible to use the generated hex key from imgtool directly either? Why does the output not match the raw key length of 32 and 65 bytes?

    No. I did not think of this before but imgtool getpub/getpriv does not give you raw keys, but rather ASN.1 encoded keys. So they need to be decoded to get the raw keys. You can use for instance this site to see how the ASN encoding works. If you want to do it on the nRF you can use the mbedtls_asn1_* functions if you want to do this decoding in the nRF. 

    Daniel Svendsen said:
    Can the flag --minimal be used to get a smaller key output?

    No, you still don't get raw keys, and raw keys are needed by psa_import_key()
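
The decoding step described in the reply above, as an added example that is not part of the original thread and is not Nordic or MCUboot code: a DER walker written without mbed TLS (the reply suggests the mbedtls_asn1_* functions for on-device use) that extracts the 65-byte point from the SubjectPublicKeyInfo and the 32-byte scalar from the PKCS#8 blob. The function names are hypothetical, and it assumes the exact ecdsa-p256 layouts of the question's `ecdsa_pub_key` and `enc_priv_key` arrays.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER AlgorithmIdentifier: SEQUENCE { id-ecPublicKey, prime256v1 (secp256r1) } */
static const uint8_t EC_P256_ALGID[21] = {
    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };

/* Parse one DER header carrying `tag`. skip=1 steps over the element;
 * skip=0 descends so [*p, *end) becomes its contents. Returns 0 on success. */
static int der_step(const uint8_t **p, const uint8_t **end, uint8_t tag, int skip) {
    if (*end - *p < 2 || (*p)[0] != tag) return -1;
    size_t n = (*p)[1];
    *p += 2;
    if (n & 0x80) {                      /* long-form length, e.g. 0x81 0x87 */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || (size_t)(*end - *p) < cnt) return -1;
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(*end - *p) < n) return -1;
    if (skip) *p += n; else *end = *p + n;
    return 0;
}

/* SubjectPublicKeyInfo (imgtool getpub output) -> 65-byte 0x04 || X || Y. */
int spki_to_raw_pub(const uint8_t *der, size_t n, uint8_t out[65]) {
    const uint8_t *p = der, *end = der + n;
    if (der_step(&p, &end, 0x30, 0) ||                  /* outer SEQUENCE */
        end - p < 21 || memcmp(p, EC_P256_ALGID, 21) || /* must be P-256 */
        der_step(&p, &end, 0x30, 1) ||                  /* skip AlgorithmIdentifier */
        der_step(&p, &end, 0x03, 0) ||                  /* BIT STRING */
        end - p != 66 || p[0] != 0x00 || p[1] != 0x04) return -1;
    memcpy(out, p + 1, 65);              /* drop the unused-bits octet */
    return 0;
}

/* PKCS#8 PrivateKeyInfo (imgtool getpriv output) -> 32-byte private scalar. */
int pkcs8_to_raw_priv(const uint8_t *der, size_t n, uint8_t out[32]) {
    const uint8_t *p = der, *end = der + n;
    if (der_step(&p, &end, 0x30, 0) || der_step(&p, &end, 0x02, 1) || /* version */
        end - p < 21 || memcmp(p, EC_P256_ALGID, 21) || /* must be P-256 */
        der_step(&p, &end, 0x30, 1) ||                  /* skip AlgorithmIdentifier */
        der_step(&p, &end, 0x04, 0) || der_step(&p, &end, 0x30, 0) || /* ECPrivateKey */
        der_step(&p, &end, 0x02, 1) || der_step(&p, &end, 0x04, 0) || /* privateKey */
        end - p != 32) return -1;
    memcpy(out, p, 32);
    return 0;
}
```

Called on the question's two arrays, the outputs have the 65-byte and 32-byte lengths the poster says psa_import_key requires; a truncated buffer or a different AlgorithmIdentifier is rejected with -1.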
