U-Boot FIT Signature Verification

Philippe REYNES philippe.reynes at softathome.com
Wed Sep 16 22:01:21 CEST 2020


Hi Heinrich,

> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
>> Hi there,
>> 
>> Does U-boot take into account certificate expiration date when verifying signed
>> images in FIT? In other words, is date stored along with the public key in DTB
>> file?
>> 
>> Cheers,
>> Andy
>> 
> 
> Hello Philippe,
> 
> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> find a comparison of the date on which an image was signed with the
> expiry date of the certificate. Shouldn't there be a check? Or did I
> simply look into the wrong function?

This function only check the padding using the algorithm pkcs-1.5 as
defined here : https://tools.ietf.org/html/rfc3447#section-9.2
It doesn't check the certificate validity.

I don't remember to have see a date checked in the signature process.
If all informations are (or may be) available at runtime, we may
add it.

> Best regards
> 
> Heinrich

Best regards,
Philippe


More information about the U-Boot mailing list