From mboxrd@z Thu Jan  1 00:00:00 1970
From: Philippe REYNES <philippe.reynes@softathome.com>
Date: Wed, 16 Sep 2020 22:01:21 +0200 (CEST)
Subject: U-Boot FIT Signature Verification
In-Reply-To: <5075840b-acb3-5146-17ff-098dd739ee68@gmx.de>
References: <1747e3433d3.128f7ab51115315.564812166944516672@d.mobilunity.com>
 <5075840b-acb3-5146-17ff-098dd739ee68@gmx.de>
Message-ID: <1131280458.1110639.1600286481334.JavaMail.zimbra@softathome.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Heinrich,

> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
>> Hi there,
>> 
>> Does U-boot take into account certificate expiration date when verifying signed
>> images in FIT? In other words, is date stored along with the public key in DTB
>> file?
>> 
>> Cheers,
>> Andy
>> 
> 
> Hello Philippe,
> 
> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> find a comparison of the date on which an image was signed with the
> expiry date of the certificate. Shouldn't there be a check? Or did I
> simply look into the wrong function?

This function only check the padding using the algorithm pkcs-1.5 as
defined here : https://tools.ietf.org/html/rfc3447#section-9.2
It doesn't check the certificate validity.

I don't remember to have see a date checked in the signature process.
If all informations are (or may be) available at runtime, we may
add it.

> Best regards
> 
> Heinrich

Best regards,
Philippe