# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import pytest
import subprocess
from click.testing import CliRunner
from imgtool import main as imgtool_main
from imgtool.main import imgtool
# all supported key types for 'keygen'
KEY_TYPES = [*imgtool_main.keygens]
KEY_ENCODINGS = [*imgtool_main.valid_encodings]
PUB_HASH_ENCODINGS = [*imgtool_main.valid_hash_encodings]
PVT_KEY_FORMATS = [*imgtool_main.valid_formats]
OPENSSL_KEY_TYPES = {
"rsa-2048": "Private-Key: (2048 bit, 2 primes)",
"rsa-3072": "Private-Key: (3072 bit, 2 primes)",
"ecdsa-p256": "Private-Key: (256 bit)",
"ecdsa-p384": "Private-Key: (384 bit)",
"ed25519": "ED25519 Private-Key:",
"x25519": "X25519 Private-Key:",
}
GEN_KEY_EXT = ".key"
GEN_ANOTHER_KEY_EXT = ".another.key"
PUB_KEY_EXT = ".pub"
PUB_KEY_HASH_EXT = ".pubhash"
def tmp_name(tmp_path, key_type, suffix=""):
return tmp_path / (key_type + suffix)
@pytest.fixture(scope="session")
def tmp_path_persistent(tmp_path_factory):
return tmp_path_factory.mktemp("keys")
@pytest.mark.parametrize("key_type", KEY_TYPES)
def test_keygen(key_type, tmp_path_persistent):
"""Generate keys by imgtool"""
runner = CliRunner()
gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
assert not gen_key.exists()
result = runner.invoke(
imgtool, ["keygen", "--key", str(gen_key), "--type", key_type]
)
assert result.exit_code == 0
assert gen_key.exists()
assert gen_key.stat().st_size > 0
# another key
gen_key2 = tmp_name(tmp_path_persistent, key_type, GEN_ANOTHER_KEY_EXT)
assert str(gen_key2) != str(gen_key)
assert not gen_key2.exists()
result = runner.invoke(
imgtool, ["keygen", "--key", str(gen_key2), "--type", key_type]
)
assert result.exit_code == 0
assert gen_key2.exists()
assert gen_key2.stat().st_size > 0
# content must be different
assert gen_key.read_bytes() != gen_key2.read_bytes()
@pytest.mark.parametrize("key_type", KEY_TYPES)
def test_keygen_type(key_type, tmp_path_persistent):
"""Check generated keys"""
assert key_type in OPENSSL_KEY_TYPES
gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
result = subprocess.run(
["openssl", "pkey", "-in", str(gen_key), "-check", "-noout", "-text"],
capture_output=True,
text=True,
)
assert result.returncode == 0
assert "Key is valid" in result.stdout
assert OPENSSL_KEY_TYPES[key_type] in result.stdout
@pytest.mark.parametrize("key_type", KEY_TYPES)
@pytest.mark.parametrize("format", PVT_KEY_FORMATS)
def test_getpriv(key_type, format, tmp_path_persistent):
"""Get private key"""
runner = CliRunner()
gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
result = runner.invoke(
imgtool,
[
"getpriv",
"--key",
str(gen_key),
"--format",
format,
],
)
assert result.exit_code == 0
@pytest.mark.parametrize("key_type", KEY_TYPES)
@pytest.mark.parametrize("encoding", KEY_ENCODINGS)
def test_getpub(key_type, encoding, tmp_path_persistent):
"""Get public key"""
runner = CliRunner()
gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT
+ "." + encoding)
assert not pub_key.exists()
result = runner.invoke(
imgtool,
[
"getpub",
"--key",
str(gen_key),
"--output",
str(pub_key),
"--encoding",
encoding,
],
)
assert result.exit_code == 0
assert pub_key.exists()
assert pub_key.stat().st_size > 0
@pytest.mark.parametrize("key_type", KEY_TYPES)
@pytest.mark.parametrize("encoding", PUB_HASH_ENCODINGS)
def test_getpubhash(key_type, encoding, tmp_path_persistent):
"""Get the hash of the public key"""
runner = CliRunner()
gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
pub_key_hash = tmp_name(
tmp_path_persistent, key_type, PUB_KEY_HASH_EXT + "." + encoding
)
assert not pub_key_hash.exists()
result = runner.invoke(
imgtool,
[
"getpubhash",
"--key",
str(gen_key),
"--output",
str(pub_key_hash),
"--encoding",
encoding,
],
)
assert result.exit_code == 0
assert pub_key_hash.exists()
assert pub_key_hash.stat().st_size > 0
@pytest.mark.parametrize("key_type", KEY_TYPES)
def test_sign_verify(key_type, tmp_path_persistent):
"""Test basic sign and verify"""
runner = CliRunner()
gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
wrong_key = tmp_name(tmp_path_persistent, key_type, GEN_ANOTHER_KEY_EXT)
image = tmp_name(tmp_path_persistent, "image", "bin")
image_signed = tmp_name(tmp_path_persistent, "image", "signed")
with image.open("wb") as f:
f.write(b"\x00" * 1024)
# not all required arguments are provided
result = runner.invoke(
imgtool,
[
"sign",
"--key",
str(gen_key),
str(image),
str(image_signed),
],
)
assert result.exit_code != 0
assert not image_signed.exists()
result = runner.invoke(
imgtool,
[
"sign",
"--key",
str(gen_key),
"--align",
"16",
"--version",
"1.0.0",
"--header-size",
"0x400",
"--slot-size",
"0x10000",
"--pad-header",
str(image),
str(image_signed),
],
)
assert result.exit_code == 0
assert image_signed.exists()
assert image_signed.stat().st_size > 0
# original key can be used to verify a signed image
result = runner.invoke(
imgtool,
[
"verify",
"--key",
str(gen_key),
str(image_signed),
],
)
assert result.exit_code == 0
# 'another' key is not valid to verify a signed image
result = runner.invoke(
imgtool,
[
"verify",
"--key",
str(wrong_key),
str(image_signed),
],
)
assert result.exit_code != 0
image_signed.unlink()