OpenSSL integration for signing and verification

Guttmann, Pascal

Sep 27, 2022, 5:41:47 AM
to in...@swupdate.org, swup...@googlegroups.com

Dear Sir or Madam,

I am investigating the possibility of deploying SWUpdate in a project and have some questions regarding the signing and verification process.

It would be a pleasure if you could clarify some of the points.

In the README.md support for OpenSSL to sign and verify updates is mentioned:

> Cryptographic sign and verification of updates
>
> - support for OpenSSL
> - support for mbedTLS
> - support for WolfSSL

(GitHub - sbabic/swupdate: Software Update for Embedded Systems)

In the documentation RSA and CMS are listed as implemented mechanisms.

> The algorithm chosen to sign and verify the sw-description file can be selected via menuconfig. Currently, the following mechanisms are implemented:
>
> - RSA Public / private key. The private key belongs to the build system, while the public key must be installed on the target.
> - CMS using certificates

Update images from verified source — Embedded Software Update Documentation 2022.05 documentation (sbabic.github.io)

Is the implementation of SWUpdate restricted to use RSA keys for verification? Or can a custom call to OpenSSL be used to verify the certificates / signatures (e.g. using ECDSA) on the target/client side?

Best regards,

Pascal Guttmann

 


Stefano Babic

Sep 27, 2022, 5:45:51 AM
to Guttmann, Pascal, in...@swupdate.org, swup...@googlegroups.com
Hi Pascal,


On 27.09.22 11:41, Guttmann, Pascal wrote:
> Dear Sir or Madam,
>
> I am investigating the possibility of deploying SWUpdate in a project
> and have some questions regarding the signing and verification process.
>
> It would be a pleasure if you could clarify some of the points.
>
> In the README.md support for OpenSSL to sign and verify updates is
> mentioned:
>
> > Cryptographic sign and verification of updates
>
> >             support for OpenSSL
>
> >             support for mbedTLS
>
> >             support for WolfSSL
>
> (GitHub - sbabic/swupdate: Software Update for Embedded Systems
> <https://github.com/sbabic/swupdate#features>)
>
> In the documentation RSA and CMS are listed as implemented mechanisms.

That's it.

>
> > The algorithm chosen to sign and verify the sw-description file can
> be selected via menuconfig. Currently, the following mechanisms are
> implemented:
>
> >             RSA Public / private key. The private key belongs to the
> build system, while the public key must be installed on the target.
>
> >             CMS using certificates
>
> Update images from verified source — Embedded Software Update
> Documentation 2022.05 documentation (sbabic.github.io)
> <https://sbabic.github.io/swupdate/signed_images.html#choice-of-algorithm>
>
> Is the implementation of SWUpdate restricted to use RSA keys for
> verification?

No - as above: you choose between plain RSA (public private keys) or
certificates (CMS). Full PKI is supported, too.

> Or can a custom call

Custom call?

> to OpenSSL be used to verify the
> certificates / signatures (e.g. using ECDSA) on the target/client side?

ECDSA is supported, too.

>
> Best regards,
>

Best regards,
Stefano Babic
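
The OpenSSL side of the CMS option discussed in this thread, as an added example that is not part of either message and not code from the SWUpdate project: a stand-in `sw-description` is signed with an ECDSA P-256 key and verified against the signer certificate, then modified to show verification failing. File names, the certificate subject and the file content are constructed for the demo; only the `openssl` command line is exercised, not SWUpdate's own verification or its menuconfig settings.

```shell
#!/bin/sh
# Added example: CMS sign/verify of a stand-in sw-description with an ECDSA key.
# File names, certificate subject and file content are constructed for the demo.

make_signer() {   # $1 = work dir: create a P-256 key and self-signed certificate
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 30 -subj "/O=Example/CN=demo-signer" \
        -keyout "$1/signer.key.pem" -out "$1/signer.cert.pem" 2>/dev/null
}

sign_descr() {    # build side: detached DER signature over sw-description
    openssl cms -sign -in "$1/sw-description" -out "$1/sw-description.sig" \
        -signer "$1/signer.cert.pem" -inkey "$1/signer.key.pem" \
        -outform DER -nosmimecap -binary
}

verify_descr() {  # device side: only the certificate is needed, never the key
    openssl cms -verify -in "$1/sw-description.sig" -inform DER \
        -content "$1/sw-description" -CAfile "$1/signer.cert.pem" \
        -binary -out /dev/null 2>/dev/null
}

uses_ecdsa() {    # true if the signature structure names an ECDSA algorithm
    openssl asn1parse -inform DER -in "$1/sw-description.sig" \
        | grep -q 'ecdsa-with-SHA'
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'software = { version = "0.1.0"; };\n' > "$dir/sw-description"
    make_signer "$dir" && sign_descr "$dir" || { rm -rf "$dir"; return 1; }
    verify_descr "$dir" && echo "original:  signature valid"
    uses_ecdsa "$dir"   && echo "algorithm: ECDSA"
    printf '# tampered\n' >> "$dir/sw-description"
    verify_descr "$dir" || echo "tampered:  verification failed, as expected"
    rm -rf "$dir"
}

demo
```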
