Merge pull request #18130 from benpicco/suit-encrypted-key

dist/tools/suit: add support for password protected private keys
2025-12-25 22:43:50 +01:00 · 2022-05-24 18:47:35 +02:00 · 2022-05-24 18:47:35 +02:00 · 3db80fa75e
commit 3db80fa75e
parent 85169fc220 b3b8849f6b
6 changed files with 22 additions and 8 deletions
--- a/dist/tools/suit/gen_key.py
+++ b/dist/tools/suit/gen_key.py
@ -17,17 +17,24 @@ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
 from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.hazmat.primitives.serialization import PrivateFormat
 from cryptography.hazmat.primitives.serialization import NoEncryption
+from cryptography.hazmat.primitives.serialization import BestAvailableEncryption


 def main():
-    if len(sys.argv) != 2:
-        print("usage: gen_key.py <secret filename>")
+    if len(sys.argv) < 2:
+        print("usage: gen_key.py <secret filename> [password]")
        sys.exit(1)

+    if len(sys.argv) > 2:
+        pw = str.encode(sys.argv[2])
+        crypt = BestAvailableEncryption(pw)
+    else:
+        crypt = NoEncryption()
+
    pk = Ed25519PrivateKey.generate()
    pem = pk.private_bytes(encoding=Encoding.PEM,
                           format=PrivateFormat.PKCS8,
-                           encryption_algorithm=NoEncryption()
+                           encryption_algorithm=crypt,
                           )

    with open(sys.argv[1], "wb") as f:
--- a/dist/tools/suit/suit-manifest-generator/suit_tool/argparser.py
+++ b/dist/tools/suit/suit-manifest-generator/suit_tool/argparser.py
@ -66,6 +66,7 @@ class MainArgumentParser(object):
        sign_parser.add_argument('-k', '--private-key', metavar='FILE', type=argparse.FileType('rb'), required=True)
        sign_parser.add_argument('-i', '--key-id', metavar='ID', type=str)
        sign_parser.add_argument('-o', '--output-file', metavar='FILE', type=argparse.FileType('wb'), required=True)
+        sign_parser.add_argument('-p', '--password', type=str)

        parse_parser = subparsers.add_parser('parse', help='Parse a manifest')

@ -77,6 +78,7 @@ class MainArgumentParser(object):
        get_pubkey_parser.add_argument('-k', '--private-key', metavar='FILE', type=argparse.FileType('rb'), required=True)
        get_pubkey_parser.add_argument('-f', '--output-format', choices=get_pubkey.OutputFormaters.keys(), default='pem')
        get_pubkey_parser.add_argument('-o', '--output-file', metavar='FILE', type=argparse.FileType('wb'), default=sys.stdout)
+        get_pubkey_parser.add_argument('-p', '--password', type=str)

        keygen_parser = subparsers.add_parser('keygen', help='Create a signing key. Not for production use')

--- a/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py
+++ b/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py
@ -75,7 +75,7 @@ def main(options):
    if options.output_format in ('pem', 'der', 'uecc', 'header'):
        private_key = ks.load_pem_private_key(
            options.private_key.read(),
-            password=None,
+            password=str.encode(options.password) if options.password else None,
            backend=default_backend()
        )

--- a/dist/tools/suit/suit-manifest-generator/suit_tool/sign.py
+++ b/dist/tools/suit/suit-manifest-generator/suit_tool/sign.py
@ -60,7 +60,7 @@ def main(options):
    digest = None
    private_key_buffer = options.private_key.read()
    try:
-        private_key = ks.load_pem_private_key(private_key_buffer, password=None, backend=default_backend())
+        private_key = ks.load_pem_private_key(private_key_buffer, password=str.encode(options.password) if options.password else None, backend=default_backend())
        if isinstance(private_key, ec.EllipticCurvePrivateKey):
            options.key_type = 'ES{}'.format(private_key.key_size)
        elif isinstance(private_key, ed25519.Ed25519PrivateKey):
--- a/makefiles/suit.base.inc.mk
+++ b/makefiles/suit.base.inc.mk
@ -17,6 +17,11 @@ else
  SUIT_KEY_DIR ?= $(RIOTBASE)/keys
 endif

+# Enable user to encrypt private key with a password
+ifneq (,$(SUIT_SEC_PASSWORD))
+  SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD)
+endif
+
 SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem

 SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h
@ -27,14 +32,14 @@ BUILDDEPS += $(SUIT_PUB_HDR)
 $(SUIT_SEC): $(CLEAN)
 	$(Q)echo suit: generating key in $(SUIT_KEY_DIR)
 	$(Q)mkdir -p $(SUIT_KEY_DIR)
-	$(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC)
+	$(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC) $(SUIT_SEC_PASSWORD)

 # set FORCE so switching between keys using "SUIT_KEY=foo make ..."
 # triggers a rebuild even if the new key would otherwise not (because the other
 # key's mtime is too far back).
 $(SUIT_PUB_HDR): $(SUIT_SEC) FORCE | $(CLEAN)
 	$(Q)mkdir -p $(SUIT_PUB_HDR_DIR)
-	$(Q)$(SUIT_TOOL) pubkey -f header -k $(SUIT_SEC) \
+	$(Q)$(SUIT_TOOL) pubkey $(SUIT_TOOL_ARGS) -f header -k $(SUIT_SEC) \
 	  | '$(LAZYSPONGE)' $(LAZYSPONGE_FLAGS) '$@'

 suit/genkey: $(SUIT_SEC)
--- a/makefiles/suit.inc.mk
+++ b/makefiles/suit.inc.mk
@ -53,7 +53,7 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT)
 	$(Q)rm -f $@.tmp

 $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC)
-	$(Q)$(SUIT_TOOL) sign -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@
+	$(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@

 $(SUIT_MANIFEST_LATEST): $(SUIT_MANIFEST)
 	$(Q)ln -f -s $< $@