Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

scripts: Fix extracted ECDSA signature padding #19931

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

scripts: Fix extracted ECDSA signature padding #19931

wants to merge 1 commit into from

Conversation

kendallgoto
Copy link

As the comments of get_ecdsa_signature() suggest, ECDSA r/s values can be short and require left-padding with zeroes. However, this change replaced the leftpad() function with ljust(), which provides right-padding. This can cause signature verification to occasionally fail when SB_CONFIG_SECURE_BOOT_SIGNING_OPENSSL is used:

[203/205] Creating validation for zephyr.hex, storing to
Traceback (most recent call last):
  File "/ncs/nrf/scripts/bootloader/validation_data.py", line 109, in <module>
    main()
  File "/ncs/nrf/scripts/bootloader/validation_data.py", line 99, in main
    append_validation_data(signature=args.signature.read(),
  File "/ncs/nrf/scripts/bootloader/validation_data.py", line 48, in append_validation_data
    validation_data = get_validation_data(signature_bytes=signature,
  File "/ncs/nrf/scripts/bootloader/validation_data.py", line 26, in get_validation_data
    public_key.verify(signature_bytes, hash_bytes, hashfunc=hashlib.sha256)
  File "/usr/local/lib/python3.9/site-packages/ecdsa/keys.py", line 685, in verify
    return self.verify_digest(signature, digest, sigdecode, allow_truncate)
  File "/usr/local/lib/python3.9/site-packages/ecdsa/keys.py", line 741, in verify_digest
    raise BadSignatureError("Signature verification failed")
ecdsa.keys.BadSignatureError: Signature verification failed

I presume this went uncaught for so long since SB_CONFIG_SECURE_BOOT_SIGNING_OPENSSL is rarely used and signature validation only occasionally fails when it is set.

@kendallgoto kendallgoto requested a review from a team as a code owner January 16, 2025 06:28
@CLAassistant
Copy link

CLAassistant commented Jan 16, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Jan 16, 2025
@NordicBuilder
Copy link
Contributor

Thank you for your contribution!
It seems you are not a member of the nrfconnect GitHub organization. External contributions are handled as follows:
Large contributions, affecting multiple subsystems for example, may be rejected if they are complex, may introduce regressions due to lack of test coverage, or if they are not consistent with the architecture of nRF Connect SDK.
PRs will be run in our continuous integration (CI) test system.
If CI passes, PRs will be tagged for review and merged on successful completion of review. You may be asked to make some modifications to your contribution during review.
If CI fails, PRs may be rejected or may be tagged for review and rework.
PRs that become outdated due to other changes in the repository may be rejected or rework requested.
External contributions will be prioritized for review based on the relevance to current development efforts in nRF Connect SDK. Bug fix PRs will be prioritized.
You may raise issues or ask for help from our Technical Support team by visiting https://devzone.nordicsemi.com/.

Note: This comment is automatically posted and updated by the Contribs GitHub Action.

@NordicBuilder NordicBuilder added the external External contribution label Jan 16, 2025
@fundakol fundakol self-requested a review January 17, 2025 11:11
fundakol
fundakol approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@fundakol fundakol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nordicjm nordicjm added the CI-Requested Approves single commit for CI tests on Internal HW label Jan 17, 2025
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Jan 17, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 1

Inputs:

Sources:

sdk-nrf: PR head: 920e4d4cb84fe3703a4e41eaa09d8e03b5961007

more details

sdk-nrf:

PR head: 920e4d4cb84fe3703a4e41eaa09d8e03b5961007
merge base: c9251c2c358d8e184999c9ae1d37b5d4a901d53c
target head (main): 49dbb06eb203c453ec96603abc0a184721fc31ca
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (1) 
scripts
│  ├── bootloader
│  │  │ asn1parse.py

Outputs:

Toolchain

Version: 342151af73
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:342151af73_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 38
  • ✅ Integration tests
    • ✅ test-fw-nrfconnect-boot
    • ✅ test-sdk-mcuboot
    • ⚠️ test-fw-nrfconnect-fw-update
Disabled integration tests
    • desktop52_verification
    • doc-internal
    • test_ble_nrf_config
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-chip
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_mosh
    • test-fw-nrfconnect-nrf-iot_nrf_provisioning
    • test-fw-nrfconnect-nrf-iot_positioning
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-nrf_crypto
    • test-fw-nrfconnect-ps
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-tfm
    • test-fw-nrfconnect-thread
    • test-fw-nrfconnect-zigbee
    • test-low-level
    • test-sdk-audio
    • test-sdk-dfu
    • test-sdk-find-my
    • test-sdk-pmic-samples
    • test-sdk-sidewalk
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@nordicjm
Copy link
Contributor

@kendallgoto can you fix compliance issue?

@github-actions github-actions bot removed the CI-Requested Approves single commit for CI tests on Internal HW label Jan 22, 2025
@kendallgoto
Copy link
Author

@nordicjm sure; fixed now if I understand the error correctly.

@kendallgoto
scripts: Fix extracted ECDSA signature padding
163dd30 
Ensure that ECDSA key components that are too short are properly
left-padded with 0s.

Signed-off-by: Kendall Goto <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@de-nordic de-nordic de-nordic approved these changes

@fundakol fundakol fundakol approved these changes

Assignees
No one assigned
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. external External contribution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@kendallgoto @CLAassistant @NordicBuilder @nordicjm @fundakol @de-nordic