commit ec8fdbbd990773f05b5f619eeb046310c7c2da20
author Christopher Collins <ccollins@apache.org> Fri Feb 28 16:26:10 2020 -0800
committer ccollins476ad <ccollins476ad@gmail.com> Fri Feb 28 17:12:17 2020 -0800
tree 98508f29c5afdda468582e35ee7a93ea23deeb3d
parent 296fca75b9a0504469dd79b2749b1465dc88dd2d

New command: image decrypthw

cli/image_cmds.go

diff --git a/cli/image_cmds.go b/cli/image_cmds.go
index a4ea984..882277b 100644
--- a/cli/image_cmds.go
+++ b/cli/image_cmds.go
@@ -492,6 +492,39 @@
 	}
 }
 
+func runDecryptHwCmd(cmd *cobra.Command, args []string) {
+	if len(args) < 2 {
+		ImgmodUsage(cmd, nil)
+	}
+
+	imgFilename := args[0]
+	secretFilename := args[1]
+
+	outFilename, err := CalcOutFilename(imgFilename)
+	if err != nil {
+		ImgmodUsage(cmd, err)
+	}
+
+	img, err := readImage(imgFilename)
+	if err != nil {
+		ImgmodUsage(cmd, err)
+	}
+
+	secretBytes, err := ioutil.ReadFile(secretFilename)
+	if err != nil {
+		ImgmodUsage(cmd, errors.Wrapf(err, "error reading secret file"))
+	}
+
+	img, err = iimg.DecryptImageHw(img, secretBytes)
+	if err != nil {
+		ImgmodUsage(nil, err)
+	}
+
+	if err := writeImage(img, outFilename); err != nil {
+		ImgmodUsage(nil, err)
+	}
+}
+
 func runEncryptCmd(cmd *cobra.Command, args []string) {
 	if len(args) < 2 {
 		ImgmodUsage(cmd, nil)
@@ -733,6 +766,21 @@
 		Run: runDecryptFullCmd,
 	}
 
+	decryptHwCmd := &cobra.Command{
+		Use:   "decrypthw <image> <aes-secret>",
+		Short: "Decrypts an hardware-encrypted Mynewt image file",
+		Long: "Decrypts the body of a hardware-encrypted Mynewt image file and " +
+			"removes the encryption TLVs.  The aes-secret can be 64-encoded " +
+			"or raw.",
+		Run: runDecryptHwCmd,
+	}
+
+	decryptHwCmd.PersistentFlags().StringVarP(&OptOutFilename, "outfile", "o",
+		"", "File to write to")
+	decryptHwCmd.PersistentFlags().BoolVarP(&OptInPlace, "inplace", "i", false,
+		"Replace input file")
+	imageCmd.AddCommand(decryptHwCmd)
+
 	decryptFullCmd.PersistentFlags().StringVarP(&OptOutFilename, "outfile", "o",
 		"", "File to write to")
 	decryptFullCmd.PersistentFlags().BoolVarP(&OptInPlace, "inplace", "i", false,

iimg/iimg.go

diff --git a/iimg/iimg.go b/iimg/iimg.go
index d4e7c9a..9fc53fd 100644
--- a/iimg/iimg.go
+++ b/iimg/iimg.go
@@ -20,6 +20,7 @@
 package iimg
 
 import (
+	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"strings"
@@ -181,6 +182,16 @@
 	return img, nil
 }
 
+func DecryptImageHw(img image.Image, secretBytes []byte) (image.Image, error) {
+	secret, err := base64.StdEncoding.DecodeString(string(secretBytes))
+	if err != nil {
+		// Not base64 encoded.  Assume this is a raw AES secret.
+		secret = secretBytes
+	}
+
+	return image.DecryptHw(img, secret)
+}
+
 func EncryptImage(img image.Image, pubKeBytes []byte) (image.Image, error) {
 	key, err := sec.ParsePubEncKey(pubKeBytes)
 	if err != nil {