From mboxrd@z Thu Jan  1 00:00:00 1970
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Wed, 16 Sep 2020 17:13:50 +0900
Subject: U-Boot FIT Signature Verification
In-Reply-To: <5075840b-acb3-5146-17ff-098dd739ee68@gmx.de>
References: <1747e3433d3.128f7ab51115315.564812166944516672@d.mobilunity.com>
 <5075840b-acb3-5146-17ff-098dd739ee68@gmx.de>
Message-ID: <20200916081350.GB2978867@laputa>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:
> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
> > Hi there,
> >
> >     Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
> >
> > Cheers,
> > Andy
> >
> 
> Hello Philippe,
> 
> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> find a comparison of the date on which an image was signed with the
> expiry date of the certificate. Shouldn't there be a check? Or did I
> simply look into the wrong function?

I think Simon is the right person to answer this question, but

as far as I know, we don't have any device tree property for the expiration
date of a public key. See doc/uImage.FIT/signature.txt.

-Takahiro Akashi

> Best regards
> 
> Heinrich