From a38666df7c0f5709cab5496f82185c33458c5af2 Mon Sep 17 00:00:00 2001
From: dehanj
Date: Thu, 16 May 2024 16:05:27 +0200
Subject: [PATCH] Add show-pubkey command

The show-pubkey command outputs the vendor signing pubkey, the app tag, and app hash digest to stdout. The output is in the format used for a line in the vendor-signing-pubkey.txt file, and used to embed another vendor signing key. The command takes takes an argument with the path to the devie app using --app path/to/app.bin
---
 cmd/tkey-verification/main.go | 20 +++++++++++--
 cmd/tkey-verification/showpubkey.go | 46 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 cmd/tkey-verification/showpubkey.go

diff --git a/cmd/tkey-verification/main.go b/cmd/tkey-verification/main.go
index cd170e4..0cda80f 100644
--- a/cmd/tkey-verification/main.go
+++ b/cmd/tkey-verification/main.go
@@ -77,7 +77,7 @@ Known firmwares:
 vendorPubKey.String(), strings.Join(firmwares.List(), " \n "))
- var devPath, baseURL, baseDir, configFile string
+ var devPath, baseURL, baseDir, configFile, binPath string
 var checkConfigOnly, verbose, showURLOnly, versionOnly, helpOnly bool
 pflag.CommandLine.SetOutput(os.Stderr)
@@ -96,6 +96,8 @@ Known firmwares:
 "Read verification data from a file located in `DIRECTORY` and named after the TKey UDI in hex, instead of from a URL. You can for example first use \"verify --show-url\" and download the verification file manually on some other computer, then transfer the file back and use \"verify --base-dir .\" (command: verify).")
 pflag.StringVar(&baseURL, "base-url", defaultBaseURL,
 "Set the base `URL` of verification server for fetching verification data (command: verify).")
+ pflag.StringVarP(&binPath, "app", "a", "",
+ "`PATH` to the device app to show vendor signing pubkey (command: show-pubkey).")
 pflag.BoolVar(&versionOnly, "version", false, "Output version information.")
 pflag.BoolVar(&helpOnly, "help", false, "Output this help.")
 pflag.Usage = func() {
@@ -115,7 +117,13 @@ Commands:
 The flags --show-url and --base-dir can be used to show the URL for downloading the verification data on one machine, and verifying the
- TKey on another machine that lacks network, see more below.`, progname)
+ TKey on another machine that lacks network, see more below.
+
+ show-pubkey Prints the info needed for the vendor-signing-pubkeys.txt to stdout.
+ This includes public key, app tag, and app hash in the right format.
+
+ Use the flag --app to specify the path o the desired app to use, i.e.,
+ tkey-verification show-pubkey --app /path/to/app`, progname)
 le.Printf("%s\n\nFlags:\n%s\n%s", desc, pflag.CommandLine.FlagUsagesWrapped(86), builtWith)
 }
@@ -129,7 +137,6 @@ Commands:
 fmt.Printf("%s %s\n\n%s", progname, version, builtWith)
 os.Exit(0)
 }
-
 if pflag.NArg() != 1 {
 if pflag.NArg() > 1 {
 le.Printf("Unexpected argument: %s\n\n", strings.Join(pflag.Args()[1:], " "))
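Review bot: The help text added for show-pubkey has a typo in the line `Use the flag --app to specify the path o the desired app to use, i.e.,`; it should read `path to the desired app`. The same lines name the file `vendor-signing-pubkeys.txt` while the commit description calls it `vendor-signing-pubkey.txt`; whichever name the repository actually uses, the help text, the message in showpubkey.go and the description should agree so an operator searching for the file finds it. The enclosing pflag.Usage closure starts outside this hunk.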
@@ -189,6 +196,13 @@ Commands:
 verify(devPath, verbose, showURLOnly, baseDir, baseURL, appBins, vendorKeys, firmwares)
+ case "show-pubkey":
+ if binPath == "" {
+ le.Printf("Needs the path to an app, use `--app PATH`\n")
+ os.Exit(2)
+ }
+ showPubkey(binPath, devPath, verbose)
+
 default:
 le.Printf("%s is not a valid command.\n", cmd)
 pflag.Usage()
diff --git a/cmd/tkey-verification/showpubkey.go b/cmd/tkey-verification/showpubkey.go
new file mode 100644
index 0000000..b79fe77
--- /dev/null
+++ b/cmd/tkey-verification/showpubkey.go
@@ -0,0 +1,46 @@
+package main
+
+import (
+ "crypto/sha512"
+ "encoding/hex"
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/tillitis/tkey-verification/internal/tkey"
+)
+
+func showPubkey(binPath string, devPath string, verbose bool) {
+ tk, err := tkey.NewTKey(devPath, verbose)
+ if err != nil {
+ le.Printf("Couldn't connect to TKey: %v\n", err)
+ os.Exit(1)
+ }
+
+ exit := func(code int) {
+ tk.Close()
+ os.Exit(code)
+ }
+
+ content, err := os.ReadFile(binPath)
+ if err != nil {
+ le.Printf("ReadFile: %v", err)
+ exit(1)
+ }
+
+ appHash := sha512.Sum512(content)
+
+ pubKey, err := tk.LoadSigner(content)
+ if err != nil {
+ le.Printf("LoadSigner: %v\n", err)
+ exit(1)
+ }
+
+ tag := strings.TrimSuffix(filepath.Base(binPath), ".bin")
+
+ le.Printf("Public Key, app tag, and app hash for vendor-signing-pubkeys.txt follows on stdout:\n")
+ fmt.Printf("%s %s %s\n", hex.EncodeToString(pubKey), tag, hex.EncodeToString(appHash[:]))
+
+ exit(0)
+}
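Review bot: `le.Printf("ReadFile: %v", err)` in showPubkey is the only message in the function without a trailing newline (the connect, LoadSigner and stdout-announcement messages all end in `\n`), so a bad `--app` path prints an error that runs into the next line of output; change it to `le.Printf("ReadFile: %v\n", err)`. The file is also read only after `tkey.NewTKey` has connected, so a mistyped path costs a device connection before it is reported; reading `binPath` and computing `appHash` before `NewTKey` would report the error without touching the device and would remove the need for the `exit` closure on that path. The function has no doc comment although its output line is what gets pasted into the trust file; suggest `// showPubkey reads the app at binPath, hands it to tk.LoadSigner on the TKey at devPath and prints "<pubkey hex> <tag> <sha512 hex>" on stdout in the line format of vendor-signing-pubkeys.txt; tag is the file's base name with a ".bin" suffix stripped, not a value read from the binary, so the file must be named after the app's tag.`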