[PATCH 12/15] test: py: add signature to TLV integration tests
Ahmad Fatoum
a.fatoum at pengutronix.de
Wed Oct 22 05:34:40 PDT 2025
Hi,
On 10/22/25 2:28 PM, Jonas Rebmann wrote:
> Hi,
>
> On 2025-10-22 12:11, Ahmad Fatoum wrote:
>>
>>
>> On 10/22/25 12:04 PM, Ahmad Fatoum wrote:
>>> Hi,
>>>
>>> On 10/14/25 1:03 PM, Jonas Rebmann wrote:
>>>> Add TLV signature to TLV integration tests:
>>>> - Signed TLV using development RSA key
>>>> - Modify payload and fix CRC for a "tampered" tlv
>>>> - Include both cases in generator and tlv-command tests.
>>>>
>>>> Use the keys selected by CRYPTO_BUILTIN_DEVELOPMENT_KEYS for all TLV
>>>> testing. Consequentially add the matching private keys from the public
>>>> repository at [1].
>>>>
>>>> [1]: https://git.pengutronix.de/cgit/ptx-code-signing-dev/
>>>>
>>>> Signed-off-by: Jonas Rebmann <jre at pengutronix.de>
>>>> ---
>>>> crypto/fit-4096-development.key | 51 ++++++++++
>>>> crypto/fit-ecdsa-development.key | 5 +
>>>
>>> Move this into test/?
>>
>> Ah, I see the *.crt files are already in crypto...
>> Can't you concatenate the *.key and *.crt files into a single pem file?
>>
>> That's what we do for test/self/development_rsa2048.pem and it works
>> there. Removes clutter a bit.
>
> I'd prefer not to. I suppose our tooling supports this, users that
> utilize CRYPTO_BUILTIN_DEVELOPMENT_KEYS for testing may not; and they
> should not have to pick apart private and public key again.

Which users? These keys are for barebox-internal consumption.

> I'd consider concatenating them most of the time not the best practice.
> You'll have a file of which `file` tells you it's an "OpenSSH public
> key", but if you open it and then scroll down, you realize it's a
> private key.
>
> Yes this particular private key is all but private but let's not endorse
> this practice.

I don't buy this argument.

> Keeping them separate also makes it visible where we use the private
> key: We need it when creating the signed TLVs in test/py/test_tlv.py and
> only there.

The private keys we already have in tree are piggybacking on the public
key. I think we should do the same here as well.

Cheers,
Ahmad
>
> Regards,
> Jonas
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |