Commit d1c9ed2c authored by Parthiban Nallathambi's avatar Parthiban Nallathambi

secure-imx: unified security layer for imx6



- includes secure boot using HAB
- encrypted rootfs using DCP with eMMC

TODO:
- include CAAM
- Add support for UBI and block device
Signed-off-by: default avatarParthiban Nallathambi <pn@denx.de>
parents
# bbclass to take care of generating crypted FS image
inherit image_types
CONVERSIONTYPES += " crypt"
CONVERSION_DEPENDS_crypt = "dmcryptgen-native cryptsetup-native openssl-native coreutils-native"
# parameters: $1 = input file
crypt_file() {
echo "CRYPTING FILE " $1
# Add path to native libs so you need not the libs installed
# on your build host (libssl, libcrypto)
CP=${RECIPE_SYSROOT_NATIVE}/usr/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${CP}
input=$1
key=${ENC_KEY_RAW}
dmcrypt_gen ${input} ${key}
}
CONVERSION_CMD_crypt(){
cp ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.crypt
crypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.crypt
}
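Review bot: In `crypt_file`, `key=${ENC_KEY_RAW}` is a BitBake variable, so the raw key is substituted into the generated task script and then handed to `dmcrypt_gen` as a command-line argument, where it can be read from the task's run script and from the process list during the build. Passing the path of a key file with restricted permissions would avoid that, if `dmcrypt_gen` can read one (its interface is not visible on this page). Separately, `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${CP}` yields a leading empty entry when the variable is unset, which makes the loader search the current directory; `export LD_LIBRARY_PATH="${CP}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` avoids it. Quoting the arguments, `dmcrypt_gen "${input}" "${key}"`, would also keep paths with spaces intact.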
python __anonymous () {
if d.getVar('HAB_ENABLE', True):
d.appendVar("DEPENDS", " cst-native perl-native")
}
attach_ivt() {
IMAGE_SIZE="`wc -c < ${1}`"
get_align_size_emit_file get_align_size.pl
genivt_emit_file imx6-genIVT.pl
ALIGNED_SIZE="$(perl -w get_align_size.pl ${IMAGE_SIZE})"
objcopy -I binary -O binary --pad-to ${ALIGNED_SIZE} --gap-fill=0x00 ${1} ${1}-pad
perl -w imx6-genIVT.pl ${FITLOADADDR} `printf "0x%x" ${ALIGNED_SIZE}`
cat ${1}-pad ivt.bin > ${1}-ivt
rm -f ${1}-pad
}
get_align_size_emit_file() {
cat << 'EOF' > ${1}
use strict;
my $image_size = $ARGV[0];
my $aligned_size = (($image_size + 0x1000 - 1) & ~ (0x1000 - 1));
print "$aligned_size\n";
EOF
}
genivt_emit_file() {
cat << 'EOF' > ${1}
use strict;
my $loadaddr = hex(shift);
my $img_size = hex(shift);
my $entry = $loadaddr + 0x1000;
my $ivt_addr = $loadaddr + $img_size;
my $csf_addr = $ivt_addr + 0x20;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x412000D1); # IVT Header
print $out pack("V", $entry); # Jump Location
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", $ivt_addr); # Self Pointer
print $out pack("V", $csf_addr); # CSF Pointer
print $out pack("V", 0x0); # Reserved
close($out);
EOF
}
#
# Emit the CSF File
#
# $1 ... .csf filename
# $2 ... SRK Table Binary
# $3 ... CSF Key File
# $4 ... Image Key File
# $5 ... Blocks Parameter
# $6 ... Image File
csf_emit_file() {
cat << EOF > ${1}
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "${2}"
Source index = 0
[Install CSFK]
File = "${3}"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File= "${4}"
[Authenticate Data]
Verification index = 2
Blocks = ${5} "${6}"
[Unlock]
Engine = CAAM
Features = RNG
EOF
}
#
# Assemble csf binary
#
# $1 ... .csf filename
# $2 ... signeable binary filename
#
csf_assemble() {
rm -f ${1}
RAM_AUTH_AREA_START=${FITLOADADDR}
IMG_SIGN_AREA_START=0x0000
IMG_SIGN_AREA_SIZE=$(printf "0x%x" `wc -c < ${2}`)
blocks="${RAM_AUTH_AREA_START} ${IMG_SIGN_AREA_START} ${IMG_SIGN_AREA_SIZE}"
csf_emit_file ${1} ${SRKTAB} ${CSFK} ${SIGN_CERT} "${blocks}" ${2}
}
kernel_do_deploy_append() {
cd ${B}/arch/${ARCH}/boot
if [ -n "${INITRAMFS_IMAGE}" ] && [ -f "fitImage-${INITRAMFS_IMAGE}" ]; then
attach_ivt fitImage-${INITRAMFS_IMAGE}
csf_assemble command_sequence_fitImage-${INITRAMFS_IMAGE}-ivt.csf fitImage-${INITRAMFS_IMAGE}-ivt
cst --o fitImage-${INITRAMFS_IMAGE}-ivt.csf --i command_sequence_fitImage-${INITRAMFS_IMAGE}-ivt.csf
cat fitImage-${INITRAMFS_IMAGE}-ivt fitImage-${INITRAMFS_IMAGE}-ivt.csf > fitImage-${INITRAMFS_IMAGE}-ivt.tmp
cp fitImage-${INITRAMFS_IMAGE}-ivt.tmp fitImage-${INITRAMFS_IMAGE}-ivt.${KERNEL_SIGN_SUFFIX}
rm -f fitImage-${INITRAMFS_IMAGE}-ivt.tmp fitImage-${INITRAMFS_IMAGE}-ivt.csf fitImage-${INITRAMFS_IMAGE}-ivt
install fitImage-${INITRAMFS_IMAGE}-ivt.${KERNEL_SIGN_SUFFIX} ${DEPLOYDIR}/fitImage-${INITRAMFS_IMAGE}-${MACHINE}.bin.${KERNEL_SIGN_SUFFIX}
else
bbwarn "${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} not found!"
fi
}
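Review bot: The `else` branch of `kernel_do_deploy_append` only emits `bbwarn` when the fitImage is missing, so a build with secure boot enabled can finish without any signed kernel being deployed. When `HAB_ENABLE` is set this should fail closed, e.g. `bbfatal "${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} not found, cannot sign"`. The signing path is also not gated the same way as its dependencies: `cst-native` and `perl-native` are added only under `HAB_ENABLE`, but `attach_ivt` and `cst` run unconditionally, so the task depends on whatever `cst` and `perl` happen to be on the path when the variable is unset. Note too that `d.getVar('HAB_ENABLE', True)` is truthy for any non-empty string, including `"0"`; comparing against `"1"` would make the switch unambiguous.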
# bbclass to take care of generating encrypted images for swupdate.
DEPENDS += "openssl-native coreutils-native"
# parameters: $1 = input file, $2 = output file
swu_encrypt_file() {
input=$1
output=$2
key=`cat ${SWU_KEY} | cut -d ' ' -f 1`
iv=`cat ${SWU_KEY} | cut -d ' ' -f 2`
salt=`cat ${SWU_KEY} | cut -d ' ' -f 3`
openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
}
kernel_do_deploy_append() {
swu_encrypt_file ${DEPLOYDIR}/fitImage-${INITRAMFS_IMAGE}-${MACHINE}.bin.${KERNEL_SIGN_SUFFIX} ${DEPLOYDIR}/fitImage-${INITRAMFS_IMAGE}-${MACHINE}.bin.${KERNEL_SIGN_SUFFIX}.encrypt
}
CONVERSIONTYPES += " encrypt"
CONVERSION_CMD_encrypt(){
swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.encrypt
}
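Review bot: `swu_encrypt_file` reads one key and one IV from `${SWU_KEY}` and reuses that pair for every artifact (the kernel in `kernel_do_deploy_append` and each image in `CONVERSION_CMD_encrypt`), so under AES-CBC two files that begin with identical blocks produce identical leading ciphertext, across images and across releases. A random IV per artifact, stored where the update tool can read it, removes that leak; whether the SWUpdate version targeted here accepts a per-image IV is not visible on this page. CBC provides no integrity either, so the `.encrypt` outputs should remain covered by the signed update description. `-K ${key}` also places the key on the `openssl` command line, where the process list exposes it while the task runs; a comment such as `# key/IV are passed on argv: run only on a single-user build host` would record that constraint.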
python __anonymous () {
if d.getVar('HAB_ENABLE', True):
d.appendVar("DEPENDS", " cst-native")
}
#
# Emit the CSF File
#
# $1 ... .csf filename
# $2 ... SRK Table Binary
# $3 ... CSF Key File
# $4 ... Image Key File
# $5 ... Blocks Parameter
# $6 ... Image File
csf_emit_file() {
cat << EOF > ${1}
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "${2}"
Source index = 0
[Install CSFK]
File = "${3}"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File= "${4}"
[Authenticate Data]
Verification index = 2
Blocks = ${5} "${6}"
[Unlock]
Engine = CAAM
Features = RNG
EOF
}
#
# Assemble csf binary
#
# $1 ... csf filename
# $2 ... binary to sign
#
csf_assemble() {
blocks="$(sed -n 's/HAB Blocks:[\t ]\+\(0x[0-9a-f]\+\)[ ]\+\(0x[0-9a-f]\+\)[ ]\+\(0x[0-9a-f]\+\)/\1 \2 \3/p' ${2}.log)"
csf_emit_file "${1}" "${SRKTAB}" "${CSFK}" "${SIGN_CERT}" "${blocks}" "${2}"
}
do_sign_uboot() {
for config in ${UBOOT_MACHINE}; do
cd ${B}/${config}
if [ -n "${SPL_BINARY}" ]; then
csf_assemble ${SPL_BINARY}.csf ${SPL_BINARY}
cst --o ${SPL_BINARY}.csf --i ${SPL_BINARY}.csf
cat ${SPL_BINARY} ${SPL_BINARY}.csf > ${SPL_BINARY}.tmp
mv ${SPL_BINARY}.tmp ${SPL_BINARY}.${UBOOT_SIGN_SUFFIX}
fi
csf_assemble ${UBOOT_BINARY}.csf ${UBOOT_BINARY}
cst --o ${UBOOT_BINARY}.csf --i ${UBOOT_BINARY}.csf
cat ${UBOOT_BINARY} ${UBOOT_BINARY}.csf > ${UBOOT_BINARY}.tmp
mv ${UBOOT_BINARY}.tmp ${UBOOT_BINARY}.${UBOOT_SIGN_SUFFIX}
done
}
do_deploy_append() {
for config in ${UBOOT_MACHINE}; do
i=$(expr $i + 1);
for type in ${UBOOT_CONFIG}; do
j=$(expr $j + 1);
if [ $j -eq $i ]
then
install ${B}/${config}/${SPL_BINARY}.${UBOOT_SIGN_SUFFIX} ${DEPLOYDIR}/${SPL_BINARY}-${type}.${UBOOT_SIGN_SUFFIX}
install ${B}/${config}/${UBOOT_BINARY}.${UBOOT_SIGN_SUFFIX} ${DEPLOYDIR}/${UBOOT_BINARY}-${type}.${UBOOT_SIGN_SUFFIX}
fi
done
unset j
done
unset i
}
addtask sign_uboot before do_install do_deploy after do_compile
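Review bot: `csf_assemble` takes the authenticated region from a `sed` match on `${2}.log` and never checks the result, so a log without a matching `HAB Blocks:` line (or with uppercase hex, which `[0-9a-f]` does not match) produces a CSF whose `Blocks =` entry is empty, and several matching lines produce a multi-line value. Add a guard right after the assignment, `[ -n "${blocks}" ] || bbfatal "no HAB Blocks entry in ${2}.log"`, so the signed range is never left to how `cst` treats a malformed entry. In `do_sign_uboot`, `cst --o ${SPL_BINARY}.csf --i ${SPL_BINARY}.csf` uses the same path for input and output; writing the binary CSF to a separate name, as the kernel class does with its `command_sequence_` prefix, avoids depending on the tool reading the whole input before it opens the output. `do_deploy_append` installs `${SPL_BINARY}.${UBOOT_SIGN_SUFFIX}` even when `SPL_BINARY` is empty, although `do_sign_uboot` only creates that file under `[ -n "${SPL_BINARY}" ]`; the install should carry the same test.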
# Steps to flash security keys into u-boot:
- Build the SPL and u-boot (without security on)
- Flash SPL and u-boot in SD card. Replace "sdX" with your block device
```shell
sudo dd if=./SPL of=/dev/sdX bs=512 seek=2 oflag=sync status=progress
sudo dd if=./uboot of=/dev/sdX bs=1024 seek=69 oflag=sync status=progress
```
- Connect UART debug to host
- Insert and power on the target
- Interrupt u-boot autoboot
- Get the keys used from conf/hab/crts/SRK_1_2_3_4_fuse.bin
```shell
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < conf/hab/crts/SRK_1_2_3_4_fuse.bin
0xFC76DE67
0x38786AF5
0x5B7BCE42
0x5E1BAE2
0xDF068E6
0x3B298390
0x525CD002
0x257A5A07
```
- Fuse the security keys as below
```shell
fuse prog -y 3 0 0xFC76DE67
fuse prog -y 3 1 0x38786AF5
fuse prog -y 3 2 0x5B7BCE42
fuse prog -y 3 3 0x5E1BAE2
fuse prog -y 3 4 0xDF068E6
fuse prog -y 3 5 0x3B298390
fuse prog -y 3 6 0x525CD002
fuse prog -y 3 7 0x257A5A07
```
-----BEGIN CERTIFICATE-----
MIICYTCCAcKgAwIBAgIJAJ9SidJX+GtWMAoGCCqGSM49BAMCMCUxIzAhBgNVBAMU
GkNBMV9zaGEyNTZfc2VjcDUyMXIxX3YzX2NhMB4XDTE5MDEwMjE5MDgxNVoXDTQz
MTIyNzE5MDgxNVowJTEjMCEGA1UEAxQaQ0ExX3NoYTI1Nl9zZWNwNTIxcjFfdjNf
Y2EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEIKdLnt2MxIvVc7TaGyH6OV3hz
cgktB//YJHzm63op0bW3218RmSczZK+Uak1a92ZqRgSFKZtefzmRm546SjHGDwC+
XPs+4xtfzGq3xOp4eTGvjfj/DIcfk4KiMKDV7azKCw8OaB0fazrSMJMiqdoM263C
YFtKhLU3kzd1aPzss1rlo6OBlzCBlDAdBgNVHQ4EFgQUcRuSGuz/Kufwb7bLnOOr
rhnfbSEwVQYDVR0jBE4wTIAUcRuSGuz/Kufwb7bLnOOrrhnfbSGhKaQnMCUxIzAh
BgNVBAMUGkNBMV9zaGEyNTZfc2VjcDUyMXIxX3YzX2NhggkAn1KJ0lf4a1YwDwYD
VR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwCgYIKoZIzj0EAwIDgYwAMIGIAkIB
Leqj19q3TTzP7JoDozAINhwt4VwirldyEkNpQXgxhAl4ko35idLD443woVfwxD2f
6z1GzLXzWJYEx0Kpk3oYPyQCQgFbhTzAYJw+2jFInCOZEf+tAA5Gxk8kNH8yjfrb
vxBWcOH5GWyUhThi8vGC2VIkmCj98uUq9sGYVSUrvUS+k6GTQA==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 580143450 (0x2294495a)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=SRK1_sha256_secp521r1_v3_ca
Validity
Not Before: Jan 2 19:08:15 2019 GMT
Not After : Dec 27 19:08:15 2043 GMT
Subject: CN=CSF1_1_sha256_secp521r1_v3_usr
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:1d:c9:73:44:6a:a7:2b:3d:46:65:3e:d3:5d:
76:98:73:83:79:47:c9:c5:7f:40:ad:32:d8:04:73:
88:e7:f5:20:ed:5b:61:44:cb:15:61:37:1d:7a:c0:
89:5d:34:b0:f7:53:62:13:c7:df:76:f0:0c:54:45:
76:48:b1:fa:64:07:92:00:db:3b:04:79:2a:3e:b3:
56:a5:e1:bc:77:40:4c:6c:96:54:5e:4c:f2:ee:dd:
5d:33:48:a6:7f:84:02:77:2e:64:fd:3e:a7:02:58:
53:01:cd:e0:09:14:50:16:06:d4:13:99:4d:f8:c6:
62:1e:b8:79:87:35:86:e6:da:cd:f8:26:6f
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A8:F7:94:4B:4B:5F:BF:36:7F:E1:81:F4:B1:EB:17:B8:3A:1E:C6:C0
X509v3 Authority Key Identifier:
keyid:C7:42:9A:DD:7C:C5:46:80:B3:94:D0:68:1C:79:B2:5A:0F:7E:A4:EB
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:42:00:f2:1d:80:ad:82:f6:b0:ad:28:b9:cc:d1:
ed:71:97:3f:85:a5:e7:5b:c1:6c:a2:f4:63:7c:94:22:72:36:
ff:56:d5:31:c0:02:ac:2b:2b:a0:3c:95:1d:be:d4:56:21:1f:
7a:89:0e:a5:36:06:35:8e:51:1f:bb:d0:86:1a:64:1d:7e:02:
41:7f:74:28:2e:ad:38:4a:6c:3e:d9:97:e5:3d:75:51:77:42:
79:5e:c8:6b:9e:20:57:1a:e4:de:96:bc:73:65:08:d7:17:cb:
06:dc:a2:08:f7:44:17:60:c6:17:95:70:d8:ba:92:7b:b4:98:
f5:04:8e:66:f2:aa:47:5d:19:1e:5a:6a
-----BEGIN CERTIFICATE-----
MIICQzCCAaWgAwIBAgIEIpRJWjAKBggqhkjOPQQDAjAmMSQwIgYDVQQDDBtTUksx
X3NoYTI1Nl9zZWNwNTIxcjFfdjNfY2EwHhcNMTkwMTAyMTkwODE1WhcNNDMxMjI3
MTkwODE1WjApMScwJQYDVQQDDB5DU0YxXzFfc2hhMjU2X3NlY3A1MjFyMV92M191
c3IwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEdyXNEaqcrPUZlPtNddphzg3lH
ycV/QK0y2ARziOf1IO1bYUTLFWE3HXrAiV00sPdTYhPH33bwDFRFdkix+mQHkgDb
OwR5Kj6zVqXhvHdATGyWVF5M8u7dXTNIpn+EAncuZP0+pwJYUwHN4AkUUBYG1BOZ
TfjGYh64eYc1hubazfgmb6N7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKj3lEtLX782
f+GB9LHrF7g6HsbAMB8GA1UdIwQYMBaAFMdCmt18xUaAs5TQaBx5sloPfqTrMAoG
CCqGSM49BAMCA4GLADCBhwJCAPIdgK2C9rCtKLnM0e1xlz+FpedbwWyi9GN8lCJy
Nv9W1THAAqwrK6A8lR2+1FYhH3qJDqU2BjWOUR+70IYaZB1+AkF/dCgurThKbD7Z
l+U9dVF3QnleyGueIFca5N6WvHNlCNcXywbcogj3RBdgxheVcNi6knu0mPUEjmby
qkddGR5aag==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 580143453 (0x2294495d)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=SRK2_sha256_secp521r1_v3_ca
Validity
Not Before: Jan 2 19:08:15 2019 GMT
Not After : Dec 27 19:08:15 2043 GMT
Subject: CN=CSF2_1_sha256_secp521r1_v3_usr
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:9c:78:93:41:a3:2b:3b:b9:57:50:8f:32:5c:
10:86:22:a0:5b:bb:22:a0:51:66:a0:b9:84:90:dd:
51:04:2f:47:6c:90:df:56:54:1f:4e:6c:45:79:a1:
58:1b:7b:4c:ab:82:f4:53:d6:47:f9:b2:21:8e:bb:
e1:47:f8:d2:d6:04:60:00:22:8c:72:f1:a7:bf:3b:
64:8b:a0:c7:d8:93:7b:97:c1:89:d6:a4:d6:64:fc:
2c:7b:e2:d0:e2:21:72:44:c7:e7:e8:0a:1b:2a:3e:
ff:d0:35:07:86:99:0f:8d:87:f8:5d:fd:4d:72:aa:
c5:53:9e:db:58:50:45:81:26:c7:5c:08:1f
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A0:EC:87:D7:2A:D7:DE:84:14:1D:B2:27:24:F5:DC:20:68:C3:23:17
X509v3 Authority Key Identifier:
keyid:52:07:42:79:CD:94:29:81:82:1F:0D:7C:15:2D:5D:02:81:A3:93:6E
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:41:6b:49:d6:21:b5:fa:ee:74:8a:e9:d0:27:02:
f4:3b:f1:0e:6d:9f:89:dd:7e:fb:97:32:d3:a6:57:b5:8b:d3:
0f:8e:99:8a:0e:7d:16:9c:a9:83:93:15:41:e8:2f:13:cd:d8:
ac:1e:ba:1b:cd:e7:55:a7:ad:fc:84:21:30:bc:e0:00:02:42:
00:dc:05:e3:cb:dc:aa:cf:42:82:89:34:eb:69:91:f1:9f:17:
5b:99:58:0c:cc:01:19:d2:c1:18:8f:65:43:0d:65:3e:b1:84:
6b:bf:8b:49:59:4c:33:54:1b:0b:f9:ad:a4:f2:49:45:af:c4:
40:07:b4:34:35:55:36:30:80:50:90:94
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 580143456 (0x22944960)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=SRK3_sha256_secp521r1_v3_ca
Validity
Not Before: Jan 2 19:08:15 2019 GMT
Not After : Dec 27 19:08:15 2043 GMT
Subject: CN=CSF3_1_sha256_secp521r1_v3_usr
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:81:a2:df:cb:ec:49:cc:f4:53:a2:e1:34:f1:
29:a5:7c:73:1a:e5:14:7e:fd:a7:43:c9:f7:b6:b3:
75:ba:a6:38:17:04:f0:3a:4a:04:74:d4:24:d9:57:
08:e8:a5:5f:7f:ad:b8:47:8f:e6:33:90:4f:c0:e8:
51:6d:9d:0d:a3:22:2b:00:d5:bc:41:28:0a:db:94:
0f:f3:33:87:f9:eb:56:a2:0c:b2:6a:b9:0e:26:84:
a4:3c:6f:f0:04:5e:fd:df:a5:3b:19:00:0e:28:83:
c2:9c:0d:cb:b2:5d:ce:03:e9:cb:c7:28:58:38:3f:
8b:5d:e1:e2:98:ff:6f:48:d2:66:4a:45:5c
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8F:46:5C:0E:AF:A6:0F:88:0E:1E:17:46:28:BB:15:43:CF:D8:C7:8D
X509v3 Authority Key Identifier:
keyid:88:3F:74:7D:D0:84:31:61:D0:3A:6D:49:9E:6B:C3:64:87:E7:7D:0B
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:01:f8:a3:ee:1f:36:ff:de:85:48:cf:1d:49:
87:98:b8:84:ba:74:31:65:d0:41:4a:5f:d9:37:d2:aa:59:bf:
a7:8f:be:fe:e5:4c:44:b7:26:ae:0d:85:61:ce:33:2d:96:5c:
27:a4:59:a2:95:de:9b:63:9e:82:97:3f:55:a0:09:15:46:02:
42:00:96:be:1f:14:b7:45:1d:bb:0c:ea:c8:af:6a:2f:a6:8e:
ed:22:a8:c4:67:e2:5f:74:4c:83:6a:bc:27:d2:4b:46:28:0d:
db:40:f4:41:03:eb:e1:a8:ba:fc:a6:2e:62:60:17:4d:bd:84:
1d:79:65:3d:08:1a:4c:74:0e:6d:7f:ff:3b
-----BEGIN CERTIFICATE-----
MIICRDCCAaWgAwIBAgIEIpRJYDAKBggqhkjOPQQDAjAmMSQwIgYDVQQDDBtTUksz
X3NoYTI1Nl9zZWNwNTIxcjFfdjNfY2EwHhcNMTkwMTAyMTkwODE1WhcNNDMxMjI3
MTkwODE1WjApMScwJQYDVQQDDB5DU0YzXzFfc2hhMjU2X3NlY3A1MjFyMV92M191
c3IwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGBot/L7EnM9FOi4TTxKaV8cxrl
FH79p0PJ97azdbqmOBcE8DpKBHTUJNlXCOilX3+tuEeP5jOQT8DoUW2dDaMiKwDV
vEEoCtuUD/Mzh/nrVqIMsmq5DiaEpDxv8ARe/d+lOxkADiiDwpwNy7JdzgPpy8co
WDg/i13h4pj/b0jSZkpFXKN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFI9GXA6vpg+I
Dh4XRii7FUPP2MeNMB8GA1UdIwQYMBaAFIg/dH3QhDFh0DptSZ5rw2SH530LMAoG
CCqGSM49BAMCA4GMADCBiAJCAfij7h82/96FSM8dSYeYuIS6dDFl0EFKX9k30qpZ
v6ePvv7lTES3Jq4NhWHOMy2WXCekWaKV3ptjnoKXP1WgCRVGAkIAlr4fFLdFHbsM
6sivai+mju0iqMRn4l90TINqvCfSS0YoDdtA9EED6+GouvymLmJgF029hB15ZT0I
Gkx0Dm1//zs=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 580143459 (0x22944963)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=SRK4_sha256_secp521r1_v3_ca
Validity
Not Before: Jan 2 19:08:15 2019 GMT
Not After : Dec 27 19:08:15 2043 GMT
Subject: CN=CSF4_1_sha256_secp521r1_v3_usr
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:2d:9c:3b:52:dd:89:36:2b:5b:25:25:7e:0b:
93:34:05:8b:1b:29:29:45:a6:00:1d:57:73:f4:d6:
dd:0f:ec:c2:e0:ac:8f:3a:8a:eb:e7:81:e0:78:d7:
f0:a6:ef:57:8f:a4:78:78:45:83:60:41:9a:45:7b:
1e:76:df:be:cb:c3:bb:00:46:da:3c:d4:63:f1:bc:
42:de:59:ed:db:31:3e:40:88:dd:ae:e9:1b:b8:26:
0b:78:1c:56:e7:d2:9a:53:46:61:3b:14:12:30:cb:
1c:2d:85:6e:5c:68:c6:3e:35:ae:88:99:7b:74:22:
c2:c1:40:8d:50:c0:f1:dd:0c:09:87:b0:2d
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C0:F8:1D:F7:B2:25:08:40:FB:EC:35:37:99:C0:33:1F:A7:3B:70:E8
X509v3 Authority Key Identifier:
keyid:36:E8:91:C5:F9:13:6F:B8:E7:CC:CD:4C:DE:BC:4F:F8:65:C0:F6:EB
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:42:01:2a:68:36:78:bc:f0:1b:54:3d:e4:f6:f1:
85:a5:78:db:76:58:9f:bc:1d:32:27:e1:54:18:c5:a8:e7:1f:
71:23:cd:bf:7a:c3:e0:19:03:be:98:b2:70:d3:d2:59:9d:76:
2c:52:fb:0c:7a:1e:04:15:07:24:89:d0:7b:3b:f6:02:cf:02:
41:42:e9:ad:31:39:14:c5:71:d6:5a:17:5a:f2:bd:6a:2b:b8:
8a:40:f8:9e:6a:03:26:81:52:5f:63:80:70:12:f3:83:20:6b:
5f:31:86:46:f3:ad:20:f5:62:71:ab:20:ad:33:dc:77:3c:74:
2d:19:8f:5b:e5:91:87:ea:fc:d0:3f:7e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 580143451 (0x2294495b)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=SRK1_sha256_secp521r1_v3_ca
Validity
Not Before: Jan 2 19:08:15 2019 GMT
Not After : Dec 27 19:08:15 2043 GMT
Subject: CN=IMG1_1_sha256_secp521r1_v3_usr
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:dd:0d:dd:81:c4:02:17:0c:72:70:71:43:7d:
59:ce:7c:69:91:0a:ef:bf:84:0b:83:50:a9:18:f4:
a3:45:5b:c0:9c:2b:a1:5b:a7:95:81:97:86:95:a8:
ac:46:ad:5a:e2:b2:1f:6e:87:af:b0:16:db:b0:c0:
1d:5f:fb:67:5b:a6:19:01:5c:82:0b:8d:b1:86:a7:
67:8a:92:a5:7c:0b:07:ae:c6:e7:97:44:db:22:56:
ab:e5:8c:e9:db:d7:21:86:1d:ca:30:41:e4:cd:7b:
69:4d:4a:18:87:32:b8:c0:63:62:a2:8b:b2:05:29:
ee:eb:d1:5e:da:4d:7e:2a:69:a8:4b:5a:21
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:7C:12:64:09:47:80:16:F3:41:80:CE:D8:28:9D:18:8C:70:C2:4C
X509v3 Authority Key Identifier:
keyid:C7:42:9A:DD:7C:C5:46:80:B3:94:D0:68:1C:79:B2:5A:0F:7E:A4:EB
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:01:a4:25:0e:82:39:d1:8e:6c:53:65:e5:d9:
8e:76:55:cc:99:33:4d:7d:e7:d3:cf:f8:5c:17:de:a8:43:0e:
78:2f:0f:93:ca:d4:11:e8:d3:68:e9:b4:b3:0b:74:6b:e7:e9:
b0:a2:35:1d:a2:46:e2:72:5d:3d:06:47:67:a4:e4:5f:17:02:
42:01:b4:c0:a1:0c:55:2f:2a:5b:92:e0:12:80:7f:c7:dd:b4:
4d:af:c8:c7:85:f4:f4:1c:97:b7:a7:3c:97:28:3c:e3:6c:26:
fe:87:c3:e9:39:83:ec:63:12:07:d6:7b:d5:e4:c9:6f:6b:23:
36:e7:42:45:82:ca:c8:2a:19:75:32:bf:70
-----BEGIN CERTIFICATE-----
MIICRDCCAaWgAwIBAgIEIpRJWzAKBggqhkjOPQQDAjAmMSQwIgYDVQQDDBtTUksx
X3NoYTI1Nl9zZWNwNTIxcjFfdjNfY2EwHhcNMTkwMTAyMTkwODE1WhcNNDMxMjI3
MTkwODE1WjApMScwJQYDVQQDDB5JTUcxXzFfc2hhMjU2X3NlY3A1MjFyMV92M191
c3IwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADdDd2BxAIXDHJwcUN9Wc58aZEK