diff --git a/dist/tools/suit/gen_key.py b/dist/tools/suit/gen_key.py index 3a5bbf148e..4065fc9bfe 100755 --- a/dist/tools/suit/gen_key.py +++ b/dist/tools/suit/gen_key.py @@ -17,17 +17,24 @@ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey from cryptography.hazmat.primitives.serialization import Encoding from cryptography.hazmat.primitives.serialization import PrivateFormat from cryptography.hazmat.primitives.serialization import NoEncryption +from cryptography.hazmat.primitives.serialization import BestAvailableEncryption def main(): - if len(sys.argv) != 2: - print("usage: gen_key.py ") + if len(sys.argv) < 2: + print("usage: gen_key.py [password]") sys.exit(1) + if len(sys.argv) > 2: + pw = str.encode(sys.argv[2]) + crypt = BestAvailableEncryption(pw) + else: + crypt = NoEncryption() + pk = Ed25519PrivateKey.generate() pem = pk.private_bytes(encoding=Encoding.PEM, format=PrivateFormat.PKCS8, - encryption_algorithm=NoEncryption() + encryption_algorithm=crypt, ) with open(sys.argv[1], "wb") as f: diff --git a/dist/tools/suit/suit-manifest-generator/suit_tool/argparser.py b/dist/tools/suit/suit-manifest-generator/suit_tool/argparser.py index f318ab293c..e99c30aa9f 100644 --- a/dist/tools/suit/suit-manifest-generator/suit_tool/argparser.py +++ b/dist/tools/suit/suit-manifest-generator/suit_tool/argparser.py @@ -66,6 +66,7 @@ class MainArgumentParser(object): sign_parser.add_argument('-k', '--private-key', metavar='FILE', type=argparse.FileType('rb'), required=True) sign_parser.add_argument('-i', '--key-id', metavar='ID', type=str) sign_parser.add_argument('-o', '--output-file', metavar='FILE', type=argparse.FileType('wb'), required=True) + sign_parser.add_argument('-p', '--password', type=str) parse_parser = subparsers.add_parser('parse', help='Parse a manifest') @@ -77,6 +78,7 @@ class MainArgumentParser(object): get_pubkey_parser.add_argument('-k', '--private-key', metavar='FILE', type=argparse.FileType('rb'), required=True) get_pubkey_parser.add_argument('-f', '--output-format', choices=get_pubkey.OutputFormaters.keys(), default='pem') get_pubkey_parser.add_argument('-o', '--output-file', metavar='FILE', type=argparse.FileType('wb'), default=sys.stdout) + get_pubkey_parser.add_argument('-p', '--password', type=str) keygen_parser = subparsers.add_parser('keygen', help='Create a signing key. Not for production use') diff --git a/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py b/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py index 720fefa08b..b9f075bb0b 100644 --- a/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py +++ b/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py @@ -75,7 +75,7 @@ def main(options): if options.output_format in ('pem', 'der', 'uecc', 'header'): private_key = ks.load_pem_private_key( options.private_key.read(), - password=None, + password=str.encode(options.password) if options.password else None, backend=default_backend() ) diff --git a/dist/tools/suit/suit-manifest-generator/suit_tool/sign.py b/dist/tools/suit/suit-manifest-generator/suit_tool/sign.py index b4d831a8ea..dad970be85 100644 --- a/dist/tools/suit/suit-manifest-generator/suit_tool/sign.py +++ b/dist/tools/suit/suit-manifest-generator/suit_tool/sign.py @@ -60,7 +60,7 @@ def main(options): digest = None private_key_buffer = options.private_key.read() try: - private_key = ks.load_pem_private_key(private_key_buffer, password=None, backend=default_backend()) + private_key = ks.load_pem_private_key(private_key_buffer, password=str.encode(options.password) if options.password else None, backend=default_backend()) if isinstance(private_key, ec.EllipticCurvePrivateKey): options.key_type = 'ES{}'.format(private_key.key_size) elif isinstance(private_key, ed25519.Ed25519PrivateKey): diff --git a/makefiles/suit.base.inc.mk b/makefiles/suit.base.inc.mk index e8cb8ee3d9..19bf209502 100644 --- a/makefiles/suit.base.inc.mk +++ b/makefiles/suit.base.inc.mk @@ -17,6 +17,11 @@ else SUIT_KEY_DIR ?= $(RIOTBASE)/keys endif +# Enable user to encrypt private key with a password +ifneq (,$(SUIT_SEC_PASSWORD)) + SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD) +endif + SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h @@ -27,14 +32,14 @@ BUILDDEPS += $(SUIT_PUB_HDR) $(SUIT_SEC): $(CLEAN) $(Q)echo suit: generating key in $(SUIT_KEY_DIR) $(Q)mkdir -p $(SUIT_KEY_DIR) - $(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC) + $(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC) $(SUIT_SEC_PASSWORD) # set FORCE so switching between keys using "SUIT_KEY=foo make ..." # triggers a rebuild even if the new key would otherwise not (because the other # key's mtime is too far back). $(SUIT_PUB_HDR): $(SUIT_SEC) FORCE | $(CLEAN) $(Q)mkdir -p $(SUIT_PUB_HDR_DIR) - $(Q)$(SUIT_TOOL) pubkey -f header -k $(SUIT_SEC) \ + $(Q)$(SUIT_TOOL) pubkey $(SUIT_TOOL_ARGS) -f header -k $(SUIT_SEC) \ | '$(LAZYSPONGE)' $(LAZYSPONGE_FLAGS) '$@' suit/genkey: $(SUIT_SEC) diff --git a/makefiles/suit.inc.mk b/makefiles/suit.inc.mk index f5f97892f3..3c9b5f0c6e 100644 --- a/makefiles/suit.inc.mk +++ b/makefiles/suit.inc.mk @@ -53,7 +53,7 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT) $(Q)rm -f $@.tmp $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC) - $(Q)$(SUIT_TOOL) sign -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@ + $(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@ $(SUIT_MANIFEST_LATEST): $(SUIT_MANIFEST) $(Q)ln -f -s $< $@