Hi Heinrich,
On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
Hi there,
Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
Cheers, Andy
Hello Philippe,
looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot find a comparison of the date on which an image was signed with the expiry date of the certificate. Shouldn't there be a check? Or did I simply look into the wrong function?
This function only check the padding using the algorithm pkcs-1.5 as defined here : https://tools.ietf.org/html/rfc3447#section-9.2 It doesn't check the certificate validity.
I don't remember to have see a date checked in the signature process. If all informations are (or may be) available at runtime, we may add it.
Best regards
Heinrich
Best regards, Philippe