RaspberryPI secure-boot RSA key hasher
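#!/bin/sh
# Script to compute the RPI-style SHA256 hash of an RSA secure-boot public key.
# Essentially: sha256(RSA modulus (256 bytes LE) || RSA exponent (8 bytes LE))
#
# Usage: <script> <pubkey.pem>
#
# A digest computed from empty or partial key data looks exactly as valid as a
# correct one, so every failure while reading the key aborts the script with a
# message on stderr instead of letting a hash reach stdout.

if [ $# -ne 1 ]; then
  echo "Usage: $0 <pubkey.pem>" >&2
  exit 1
fi

KEY_FILE="$1"
if [ ! -f "$KEY_FILE" ]; then
  echo "Error: Key file not found: $KEY_FILE" >&2
  exit 1
fi

# Extract modulus and exponent in hex format. This is so epically yuck, but still
# beats having to depend on an entire high level programming language to do it.
#
# openssl is run on its own rather than at the head of a pipeline: plain sh has
# no pipefail, so `openssl ... | sed ...` would report sed's status and hide a
# key that failed to parse.
if ! MOD_LINE=$(openssl rsa -pubin -in "$KEY_FILE" -modulus -noout); then
  echo "Error: openssl could not read an RSA public key from: $KEY_FILE" >&2
  exit 1
fi
MOD_HEX=${MOD_LINE#Modulus=}

if ! KEY_TEXT=$(openssl rsa -pubin -in "$KEY_FILE" -text -noout); then
  echo "Error: openssl could not read an RSA public key from: $KEY_FILE" >&2
  exit 1
fi
EXP_HEX=$(printf '%s\n' "$KEY_TEXT" | sed -n 's/.*(0x\([0-9A-Fa-f]*\)).*/\1/p')

# Both values must be a single run of hex digits. An empty value, or several
# matched lines joined by newlines, means the openssl output was not in the
# expected shape and must not be hashed.
case "$MOD_HEX" in
  '' | *[!0-9A-Fa-f]*)
    echo "Error: could not extract the RSA modulus from: $KEY_FILE" >&2
    exit 1
    ;;
esac
case "$EXP_HEX" in
  '' | *[!0-9A-Fa-f]*)
    echo "Error: could not extract the RSA exponent from: $KEY_FILE" >&2
    exit 1
    ;;
esac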
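# Convert hex to little-endian binary, written to stdout.
#   $1 - hex digits, most significant first, without a 0x prefix
#   $2 - output size in bytes; shorter input is zero-padded on the left
# Returns non-zero with a message on stderr, and writes nothing, when the input
# is empty, contains a non-hex character, or needs more than $2 bytes. Without
# these checks an oversized value would be emitted at its full length and a
# malformed one would be silently mangled by xxd, so the caller would hash a
# blob that no longer has the fixed layout it expects.
# Plain sh has no `local`: input, bytes and width are global variables.
hex_to_le_binary() {
  input=$1
  bytes=$2
  width=$(( bytes * 2 ))

  case "$input" in
    '' | *[!0-9A-Fa-f]*)
      echo "Error: hex_to_le_binary: input is empty or not hexadecimal" >&2
      return 1
      ;;
  esac
  if [ "${#input}" -gt "$width" ]; then
    echo "Error: hex_to_le_binary: value does not fit in $bytes bytes" >&2
    return 1
  fi

  # Right-align to the full width (tr turns the padding into zeros), split into
  # byte pairs, reverse the order of the pairs with sed, then decode to binary.
  printf "%0${width}s" "$input" \
    | tr ' ' '0' \
    | fold -w 2 \
    | sed '1!G;h;$!d' \
    | tr -d '\n' \
    | xxd -r -p
}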
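# Compute the SHA256 hash of the modulus || exponent

# Write the serialised key (modulus, then exponent) to stdout.
emit_key_blob() {
  hex_to_le_binary "$MOD_HEX" 256 && hex_to_le_binary "$EXP_HEX" 8
}

# Refuse to hash when either value is missing: zero padding would otherwise
# turn an empty value into a full-length field and produce a plausible digest.
if [ -z "$MOD_HEX" ] || [ -z "$EXP_HEX" ]; then
  echo "Error: modulus or exponent is empty; refusing to hash" >&2
  exit 1
fi

# The hashed blob must be exactly 256 + 8 bytes. A failure inside the pipeline
# below would not stop the digest from being printed, so the length is checked
# first; any other size means the key does not fit this layout (for example a
# modulus longer than 256 bytes) or a conversion step failed.
BLOB_LEN=$(emit_key_blob | wc -c | tr -d '[:space:]')
if [ "$BLOB_LEN" != 264 ]; then
  echo "Error: serialised key is ${BLOB_LEN:-0} bytes, expected 264" >&2
  exit 1
fi

emit_key_blob | openssl dgst -sha256 -hex | cut -d ' ' -f 2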