Firmware Key and Signature Formats

From OLPC
Revision as of 19:07, 23 August 2007 by CScott (talk | contribs) (→‎Signature: details on expiration time field)
Jump to navigation Jump to search

This page describes the key and signature formats understood by OFW. The Firmware Security page describes how these are used.

Key

key01 alg data\n
 3 2 1 3 1 N  1

So that's:

  • the literal string "key"
  • the two digit version number ("01" for now)
  • a space
  • the three character algorithm name (for now this will always be "rsa")
  • a space
  • the key data
  • a newline

The key data is a hexadecimal-encoded octet string. The octet string is the ASN.1 encoding of an RSA public key given by Appendix A.1.1 of RSA PKCS #1, version 2.1.

Signature

sig01 timestamp keyid data\n
 3 2 1    13   1  64 1  N  1

So that's:

  • the literal string "sig"
  • the two digit version number ("01" for now)
  • a space
  • the 15-character ISO 8601 UTC expiration time in basic format (no dashes or colons) and no fractional seconds. (eg: "20070816173500Z")
    • should consist of the 15 zeros if not present or not applicable.
    • firmware must ignore this expiration time if the signature is on a kernel or ramdisk.
  • a space
  • the 64 character key ID, which are the trailing 64 characters of the "key data" in the key format above. (for the immediate future you can ignore this in the firmware, and just use a single key for each task.)
    • This includes the exponent and the least significant bytes of the modulus
  • a space
  • the signature data as a hexadecimal-encoded string. The encoded data is the ASN.1 encoding of an RSA PSS signature given by Appendix A.2.3 of RSA PKCS #1, version 2.1. The hashAlgorithm field will have the value sha256, and the maskGenAlgorithm field will have the value mgf1SHA256.
  • a newline

Antitheft/Activation Lease