optee_os/scripts/sign_encrypt.py

2 # SPDX-License-Identifier: BSD-2-Clause
46     h.update(namespace_bytes + bytes(name, 'utf-8'))
78             '--uuid', required=True, type=uuid_parse,
83             '--key', required=True, help='''
91             '--enc-key', required=False, help='Encryption key string')
95             '--enc-key-type', required=False,
103             '--ta-version', required=False, type=int_parse, default=0, help='''
104                 TA version stored as a 32-bit unsigned integer and used for
110             '--sig', required=True, dest='sigf',
115             '--dig', required=True, dest='digf',
120             '--in', required=False, dest='inf', help='''
126             '--out', required=True, dest='outf',
131             '--algo', required=False, choices=list(sig_tee_alg.keys()),
138             '--subkey', action=OnlyOne, help='Name of subkey input file')
141         parser.add_argument('--name',
146             '--in', required=True, dest='inf',
151             '--max-depth', required=False, type=int_parse, help='''
152             Max depth of subkeys below this subkey''')
156             '--name-size', required=True, type=int_parse, help='''
163             '--subkey-version', required=False, type=int_parse, default=0,
168             '--in', required=True, dest='inf', help='''
173             '--out', required=True, dest='outf',
194         ' for OP-TEE.',
196         epilog='<command> -h for detailed help')
202         'sign-enc', prog=parser.prog + ' sign-enc',
217         'digest', aliases=['generate-digest'], prog=parser.prog + ' digest',
223               base64 -d <UUID>.dig | \\
224               openssl pkeyutl -sign -inkey <KEYFILE>.pem \\
225                   -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \\
226                   -pkeyopt rsa_pss_saltlen:digest \\
227                   -pkeyopt rsa_mgf1_md:sha256 | \\
232               base64 -d <UUID>.dig | \\
233               openssl pkeyutl -sign -inkey <KEYFILE>.pem \\
234                   -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pkcs1 | \\
248         'stitch', aliases=['stitch-ta'], prog=parser.prog + ' stitch',
278         'subkey-uuid', prog=parser.prog + ' subkey-uuid',
285         'sign-subkey', prog=parser.prog + ' sign-subkey',
300     if (len(argv) > 0 and argv[0][0] == '-' and
301             argv[0] != '-h' and argv[0] != '--help'):
302         # The default sub-command is 'sign-enc' so add it to the parser
304         argv = ['sign-enc'] + argv
400         self.ciphertext = out[:-TAG_SIZE]
402         self.tag = out[-TAG_SIZE:]
439                     logger.error('Max depth of previous subkey is {}, '
444                 max_depth = self.previous_max_depth - 1
450                 logger.error('Max depth of previous subkey is {} '
455         def int_to_bytes(x: int) -> bytes:
542             self.attr = self.inf[offs:offs + img_size -
543                                  UUID_SIZE - len(self.subkey_hdr)]
567             self.img = self.inf[subkey_offs:offs - self.name_size]
747                          'please use offline-signing mode.')
883     max_depth = -1
918                     logger.error('--enc-key needed to decrypt TA')