ERROR: swupdate fails loading certificate for signed image


Mayer, Dirk

Apr 23, 2021, 4:49:36 AM
to swup...@googlegroups.com

Hello,

 

I am trying to get swupdate running on Debian with a signed image. I created a private/public key which I use for signature verification.

 

But somehow swupdate fails with the following error:

 

bob@50a3e3879b59:~$ swupdate -l 5 -k public.pem

[ERROR] : SWUPDATE failed [0] ERROR corelib/verify_signature.c : swupdate_dgst_init : 151 : Error loading certificate chain from public.pem

Error: Crypto cannot be initialized.

 

I guess the openssl lib returns NULL for the object call crt = PEM_read_bio_X509(castore_bio, NULL, 0, NULL) in swupdate/corelib/swupdate_cms_verify.c

 

I am running swupdate 202.11-2 on Debian bullseye as well as on Debian buster with a build from source and backports.

However, the error is always the same, it seems that the certificate generated is not getting picked up properly.

 

I generated the private/public keys according to the docu:

 

openssl genrsa -aes256 -out priv.pem

openssl rsa -in priv.pem -out public.pem -outform PEM -pubout

 

 

Can anybody help me out to get it running, please?

 

Best Regards,

Dirk

 

 

Stefano Babic

Apr 23, 2021, 4:58:24 AM
to Mayer, Dirk, swup...@googlegroups.com
Hi Dirk,

On 23.04.21 10:49, Mayer, Dirk wrote:
> Hello,
>
> I am trying to get swupdate running on Debian

Debian or maybe ISAR ?

> with a signed image. I
> created a private/public key which I use for signature verification.
>
> But somehow swupdate fails with the following error:
>
> bob@50a3e3879b59:~$ swupdate -l 5 -k public.pem
>
> [ERROR] : SWUPDATE failed [0] ERROR corelib/verify_signature.c :
> swupdate_dgst_init : 151 : Error loading certificate chain from public.pem
>
> Error: Crypto cannot be initialized.

This is saying: I try to load a CMS public certificate, but I cannot
because format is not recognized. This is *NOT* a CMS certificate.

>
> I guess the openssl lib returns NULL for the object call crt =
> PEM_read_bio_X509(castore_bio, NULL, 0, NULL) in
> swupdate/corelib/swupdate_cms_verify.c
> <https://github.com/sbabic/swupdate/tree/77863d7f40dff98a31ea0b2dc15a7710bc3c8427/corelib>
>
>
> I am running  swupdate 202.11-2 on Debian bullseye as well on Debian
> buster with a build from source and backports.
>
> However, the error is always the same, it seems that the certificate
> generated is not getting picked up properly.
>
> I generated the private/public keys according to the docu:
>

You did not:

http://sbabic.github.io/swupdate/signed_images.html?highlight=cms#usage-with-certificates-and-cms

> openssl genrsa -aes256 -out priv.pem
>
> openssl rsa -in priv.pem -out public.pem -outform PEM -pubout

And you generated a couple of public and private RSA keys. Of course,
this does not match if you have configured SWUpdate to just use CMS
certificates.

Best regards,
Stefano Babic

>
> Can anybody help me out to get it running please ?
>
> Best Regards,
>
> Dirk


--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================

Mayer, Dirk

Apr 26, 2021, 9:33:33 AM
to Stefano Babic, swup...@googlegroups.com

Hi Stefano,

It's in the context of a project called Detox, where we rebuild a minimized Debian from source and add some additional packages. It's not based on the ISAR platform.

Thx, I wasn't aware that swupdate supports image verification via chain of trust certificates now, great!

After digging around in the source code I found the config switch to build swupdate with RSA key verification, thank you!
The config switch I was looking for is called: CONFIG_SIGALG_RAWRSA=y

With best regards
Dirk Mayer

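The mismatch discussed in this thread (a bare RSA public key given to a build that expects a certificate for CMS verification) can be caught before swupdate is started by looking at the PEM label of the file passed to `-k`. The script below is an added example, not part of the thread and not SWUpdate code; the function names, the mode names `cms` and `rawrsa`, and the sample files are constructed for illustration, and the check looks only at the label, not at the encoded body.

```shell
#!/bin/sh
# Added example (not SWUpdate code): classify the PEM file given to
# `swupdate -k` by its label and compare it with the build's signing mode.

# Print the label of the first PEM block in file $1, e.g. "PUBLIC KEY".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print cms, rawrsa, private or unknown; non-zero status for the last two.
swupdate_key_kind() {
    case "$(pem_label "$1")" in
        CERTIFICATE)                   echo cms ;;
        "PUBLIC KEY"|"RSA PUBLIC KEY") echo rawrsa ;;
        *"PRIVATE KEY")                echo private; return 1 ;;
        *)                             echo unknown; return 1 ;;
    esac
}

# $1 = PEM file, $2 = mode the binary was built for (cms or rawrsa).
# Status: 0 match, 1 mismatch, 2 file must not be used as a verification key.
check_key_for_build() {
    kind=$(swupdate_key_kind "$1") || { echo "refuse: $1 is $kind"; return 2; }
    [ "$kind" = "$2" ] && { echo "ok: $1 fits a $2 build"; return 0; }
    echo "mismatch: $1 is $kind, build expects $2"
    return 1
}

# Constructed sample files: only the labels are real, the bodies are dummies.
make_samples() {
    for pair in "public.pem:PUBLIC KEY" "cert.pem:CERTIFICATE" \
                "priv.pem:ENCRYPTED PRIVATE KEY"; do
        label=${pair#*:}
        printf '%s\n' "-----BEGIN $label-----" "Q09OU1RSVUNURUQ=" \
            "-----END $label-----" > "$1/${pair%%:*}"
    done
}

dir=$(mktemp -d)
make_samples "$dir"
check_key_for_build "$dir/public.pem" cms    || true  # the case in this thread
check_key_for_build "$dir/public.pem" rawrsa || true  # key fits a raw RSA build
check_key_for_build "$dir/cert.pem"   cms    || true  # certificate fits CMS
check_key_for_build "$dir/priv.pem"   rawrsa || true  # private key is refused
rm -rf "$dir"
```

A file that passes the label check can still be malformed; `openssl x509 -in FILE -noout` confirms that a certificate actually parses.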