Keystores

Bitpacker has a concept for bundling verification keys. This can either be used to generate a static keystore that is built in to a program or for extending the root-of-trust by loading the bpak keystore package at runtime.

A keystore uses a pre-allocated package uuid:

5df103ef-e774-450b-95c5-1fef51ceec28

The bpak tool will check for this uuid when for example the code generator is invoked. Other tools and software should as well check this id when the intention is to load a keystore.

A keystore must contain a metadata called ‘keystore-provider-id’ that identifies the keystore. This is the id that can later be refered to when signing another package, where the ‘keystore-id’ should match the ‘keystore-provider-id’ and ‘key-id’ should match one of the parts/keys in that keystore.

Example keystore:

BPAK File: example_keystore.bpak

Hash:        sha256
Signature:   prime256v1
Key ID:      9d104b9e
Keystore ID: d483ad3c

Metadata:
    ID         Size   Meta ID              Part Ref   Data
    fb2f1f3f   16     bpak-package                    5df103ef-e774-450b-95c5-1fef51ceec28
    fb367d9a   7

Parts:
    ID         Size         Z-pad  Flags          Transport Size
    a90f9680   91           421    --------       91
    25c6dd36   120          392    --------       120
    52c1eda0   158          354    --------       158
    cca57803   550          474    --------       550

Hash: a85c8af482551614b2fe4f633f6ad8f2179ca6fea34a8d38699e346c231e9a44

This example keystore contains four different keys. This keystore is also signed which means that it can be used to extend the root of trust.

Generating output code:

$ bpak generate keystore example_keystore.bpak --name test

/* Automatically generated with bpak 0.5.0 */
#include <bpak/bpak.h>
#include <bpak/keystore.h>

const struct bpak_key keystore_test_key0 =
{
    .id = 0xa90f9680,
    .size = 91,
    .kind = BPAK_KEY_PUB_PRIME256v1,
    .data =
    {
            0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
            0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
            0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
            0x42, 0x00, 0x04, 0x43, 0x75, 0x53, 0x46, 0x77,
            0x1f, 0x31, 0x36, 0x17, 0x99, 0x72, 0xcc, 0x7a,
            0xd2, 0xb0, 0x91, 0x0d, 0x58, 0xd3, 0x93, 0x2e,
            0x9a, 0x9e, 0x42, 0x35, 0x2d, 0x45, 0x11, 0x56,
            0x12, 0x64, 0xaa, 0xe0, 0xad, 0x98, 0x8f, 0x89,
            0x11, 0xa8, 0xbb, 0xd1, 0xf6, 0x4f, 0x2c, 0xa8,
            0xa6, 0x33, 0x1d, 0xd0, 0x82, 0x18, 0xa5, 0x15,
            0xad, 0x71, 0x82, 0xec, 0x68, 0xb2, 0xae, 0xc2,
            0xbf, 0x80, 0x9e,
    },
};

const struct bpak_key keystore_test_key1 =
{
    .id = 0x25c6dd36,
    .size = 120,
    .kind = BPAK_KEY_PUB_SECP384r1,
    .data =
    {
            0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86,
            0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b,
            0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
            0x39, 0x3d, 0xa9, 0x66, 0xf2, 0x08, 0x89, 0x6a,
            0xc3, 0xae, 0x37, 0x88, 0xf4, 0x09, 0xc8, 0xb8,
            0x1d, 0xcb, 0xd0, 0x6c, 0xa1, 0xcf, 0xb6, 0xaf,
            0xe0, 0x3c, 0x65, 0x95, 0x19, 0x13, 0xab, 0xa7,
            0x6c, 0x91, 0x0f, 0x55, 0xb6, 0xd4, 0xbc, 0x29,
            0x07, 0xc8, 0x80, 0xd7, 0x91, 0x63, 0x15, 0x06,
            0xd3, 0x36, 0x6a, 0xde, 0x2d, 0x30, 0x3d, 0xf1,
            0x52, 0x96, 0xe3, 0x57, 0x35, 0x3f, 0xcf, 0x0c,
            0x25, 0x15, 0x56, 0x0f, 0xc6, 0x46, 0x5b, 0xbe,
            0x88, 0x87, 0x32, 0x98, 0xdf, 0xe3, 0x47, 0xfc,
            0xb1, 0x6f, 0xba, 0x06, 0x10, 0x4d, 0x2a, 0x08,
            0xfc, 0xe8, 0xa3, 0x5e, 0xf2, 0xf2, 0x02, 0xd9,

    },
};

const struct bpak_key keystore_test_key2 =
{
    .id = 0x52c1eda0,
    .size = 158,
    .kind = BPAK_KEY_PUB_SECP521r1,
    .data =
    {
            0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a,
            0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05,
            0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
            0x00, 0x04, 0x00, 0x2e, 0x8c, 0xae, 0xc2, 0xf8,
            0x28, 0xa6, 0x67, 0xf1, 0x0c, 0x43, 0x05, 0xf5,
            0xa2, 0xc4, 0x87, 0x75, 0x29, 0x0d, 0xdd, 0xd1,
            0xae, 0x6c, 0x61, 0x6d, 0x79, 0x0b, 0xf5, 0x71,
            0xc5, 0xfc, 0xb3, 0x29, 0x55, 0xbe, 0x59, 0x64,
            0xd5, 0x56, 0xdd, 0x5e, 0xed, 0x0d, 0x30, 0x29,
            0x7d, 0x13, 0xd7, 0xc5, 0x8b, 0x8e, 0x12, 0x5b,
            0x49, 0x12, 0x1c, 0x8d, 0x25, 0x1b, 0x31, 0x41,
            0x02, 0x67, 0x8f, 0x3f, 0x01, 0xa0, 0xd8, 0x2c,
            0xa1, 0x3a, 0xd4, 0xf6, 0x00, 0x79, 0x57, 0xb2,
            0xbd, 0x48, 0xeb, 0xf6, 0x7a, 0x8a, 0x71, 0x19,
            0x83, 0xd8, 0x04, 0xb0, 0x23, 0xac, 0x92, 0x0f,
            0x6a, 0x9d, 0xb9, 0x84, 0xe7, 0xfc, 0x18, 0x42,
            0xbc, 0x92, 0xbe, 0xfb, 0xfd, 0x57, 0xcd, 0x04,
            0xcd, 0x48, 0x65, 0xd6, 0x0b, 0x36, 0x30, 0xad,
            0xd7, 0xc7, 0xf6, 0x2e, 0x27, 0x7f, 0xe0, 0xa8,
            0x6e, 0x07, 0x04, 0xaf, 0xaa, 0x33,
    },
};

const struct bpak_key keystore_test_key3 =
{
    .id = 0xcca57803,
    .size = 550,
    .kind = BPAK_KEY_PUB_RSA4096,
    .data =
    {
            0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09,
            0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
            0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00,
            0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01,
            0x00, 0xa6, 0xde, 0x6e, 0x59, 0x56, 0x9d, 0xa1,
            0xe5, 0x9f, 0x4c, 0x72, 0xe2, 0x6d, 0x7b, 0xbf,
            0xa6, 0x2d, 0xee, 0xed, 0xd2, 0x10, 0x3b, 0xd7,
            0xf1, 0x84, 0xe0, 0x19, 0x3e, 0xa8, 0x0d, 0x04,
            0x70, 0xfe, 0xee, 0x51, 0x14, 0xae, 0x61, 0xf3,
    },
};

const struct bpak_keystore keystore_test =
{
    .id = 0xf93ba110,
    .no_of_keys = 4,
    .verified = true,
    .keys =
    {
        (struct bpak_key *) &keystore_test_key0,
        (struct bpak_key *) &keystore_test_key1,
        (struct bpak_key *) &keystore_test_key2,
        (struct bpak_key *) &keystore_test_key3,
    },
};