How to generate custom enc_key[] #1464

xianghui-renesas · 2022-09-03T04:19:27Z

xianghui-renesas
Sep 3, 2022

Hi,
I wonder if someone can explain to me how to create custom encryption keys: the enc_key array in the keys.c.
This page says to use the same method as the signing keys.

It however does not seem make sense, as the signing key size is 91 (root_pub_der[]), but the encryption key size is 70 (enc_key[]).
I have found this question was asked previously. Is there already a solution? Are there any updated documentation if there is a solution?
Appreciate any comments you may have!
regards,

Answered by utzig

Sep 3, 2022

It however does not seem make sense, as the signing key size is 91 (root_pub_der[]), but the encryption key size is 70 (enc_key[]).

The reason for the size difference is that one is a public key and the other is a private key. Signature verification is done by using a public key, so that is what's stored in root_pub_der. To generate it, would require running:

$ imgtool keygen -k sig_key.pem -t ecdsa-p256
$ imgtool getpub -k sig_key.pem

This will get you the 91 byte array with the public key dump.

To create the private key dump for encryption you would do:

$ imgtool keygen -k enc_key.pem -t ecdsa-p256
$ imgtool getpriv --minimal -k enc_key.pem

This will get you the 70 bytes private key d…

View full answer

utzig · 2022-09-03T17:36:25Z

utzig
Sep 3, 2022
Maintainer

It however does not seem make sense, as the signing key size is 91 (root_pub_der[]), but the encryption key size is 70 (enc_key[]).

The reason for the size difference is that one is a public key and the other is a private key. Signature verification is done by using a public key, so that is what's stored in root_pub_der. To generate it, would require running:

$ imgtool keygen -k sig_key.pem -t ecdsa-p256
$ imgtool getpub -k sig_key.pem

This will get you the 91 byte array with the public key dump.

To create the private key dump for encryption you would do:

$ imgtool keygen -k enc_key.pem -t ecdsa-p256
$ imgtool getpriv --minimal -k enc_key.pem

This will get you the 70 bytes private key dump. Btw, not using --minimal would generate a 138 bytes private key.

The important thing is to never reuse the keys, you should always have one key for signing and another for encrypting!

2 replies

xianghui-renesas Sep 4, 2022
Author

Hi utzig,
Thanks for your help! It worked for me.
I used openssl to get encryption public key in pem format. I wonder if imgtool can do this? It would be more streamlined if imgtool can generate the corresponding encryption public pem key. The imgtool documentation does not have indication of this.
Thanks!

utzig Sep 4, 2022
Maintainer

I used openssl to get encryption public key in pem format. I wonder if imgtool can do this? It would be more streamlined if imgtool can generate the corresponding encryption public pem key. The imgtool documentation does not have indication of this. Thanks!

I is not supported yet, but based on the suggestion I just submitted PR #1466 to add support. Give it a try!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to generate custom enc_key[] #1464

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

How to generate custom enc_key[] #1464

xianghui-renesas Sep 3, 2022

Replies: 1 comment · 2 replies

utzig Sep 3, 2022 Maintainer

xianghui-renesas Sep 4, 2022 Author

utzig Sep 4, 2022 Maintainer

xianghui-renesas
Sep 3, 2022

Replies: 1 comment 2 replies

utzig
Sep 3, 2022
Maintainer

xianghui-renesas Sep 4, 2022
Author

utzig Sep 4, 2022
Maintainer