U-Boot FIT Signature Verification
Philippe REYNES
philippe.reynes at softathome.com
Wed Sep 16 22:01:21 CEST 2020
Hi Heinrich,
> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
>> Hi there,
>>
>> Does U-boot take into account certificate expiration date when verifying signed
>> images in FIT? In other words, is date stored along with the public key in DTB
>> file?
>>
>> Cheers,
>> Andy
>>
>
> Hello Philippe,
>
> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> find a comparison of the date on which an image was signed with the
> expiry date of the certificate. Shouldn't there be a check? Or did I
> simply look into the wrong function?
This function only check the padding using the algorithm pkcs-1.5 as
defined here : https://tools.ietf.org/html/rfc3447#section-9.2
It doesn't check the certificate validity.
I don't remember to have see a date checked in the signature process.
If all informations are (or may be) available at runtime, we may
add it.
> Best regards
>
> Heinrich
Best regards,
Philippe
More information about the U-Boot
mailing list