From 5669a6095444e079af5e38b2b04ca5ff2e7c11f9 Mon Sep 17 00:00:00 2001
From: David Michieli <dmm@planetinnovation.com.au>
Date: Thu, 22 Apr 2021 13:43:50 +1000
Subject: [PATCH] stm32/mboot: Allow unpacking dfu without secret key.

- unpack-dfu command no longer requies a secret key to be present
- pack-dfu command raises an exception if no secret key is found
---
 ports/stm32/mboot/mboot_pack_dfu.py | 13 ++++++++++---
 tools/ci.sh                         |  4 ++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/ports/stm32/mboot/mboot_pack_dfu.py b/ports/stm32/mboot/mboot_pack_dfu.py
index 540057e06e..683cdd0a71 100644
--- a/ports/stm32/mboot/mboot_pack_dfu.py
+++ b/ports/stm32/mboot/mboot_pack_dfu.py
@@ -86,9 +86,14 @@ class Keys:
 
     def load(self):
         with open(self.filename) as f:
-            self.sign_sk = self._load_data("mboot_pack_sign_secret_key", f.readline())
-            self.sign_pk = self._load_data("mboot_pack_sign_public_key", f.readline())
-            self.secretbox = self._load_data("mboot_pack_secretbox_key", f.readline())
+            for line in f:
+                for key, attr in (
+                    ("mboot_pack_sign_secret_key", "sign_sk"),
+                    ("mboot_pack_sign_public_key", "sign_pk"),
+                    ("mboot_pack_secretbox_key", "secretbox"),
+                ):
+                    if key in line:
+                        setattr(self, attr, self._load_data(key, line))
 
 
 def dfu_read(filename):
@@ -135,6 +140,8 @@ def encrypt(keys, data):
 
 
 def sign(keys, data):
+    if not hasattr(keys, "sign_sk"):
+        raise Exception("packing a dfu requires a secret key")
     return pyhy.hydro_sign_create(data, MBOOT_PACK_HYDRO_CONTEXT, keys.sign_sk)
 
 
diff --git a/tools/ci.sh b/tools/ci.sh
index c018b55002..33cf364ddd 100755
--- a/tools/ci.sh
+++ b/tools/ci.sh
@@ -243,6 +243,10 @@ function ci_stm32_nucleo_build {
     BUILD_WB55=ports/stm32/build-NUCLEO_WB55
     python3 ports/stm32/mboot/mboot_pack_dfu.py -k $BOARD_WB55/mboot_keys.h unpack-dfu $BUILD_WB55/firmware.pack.dfu $BUILD_WB55/firmware.unpack.dfu
     diff $BUILD_WB55/firmware.unpack.dfu $BUILD_WB55/firmware.dfu
+    # Test unpack-dfu command works without a secret key
+    tail -n +2 $BOARD_WB55/mboot_keys.h > $BOARD_WB55/mboot_keys_no_sk.h
+    python3 ports/stm32/mboot/mboot_pack_dfu.py -k $BOARD_WB55/mboot_keys_no_sk.h unpack-dfu $BUILD_WB55/firmware.pack.dfu $BUILD_WB55/firmware.unpack_no_sk.dfu
+    diff $BUILD_WB55/firmware.unpack.dfu $BUILD_WB55/firmware.unpack_no_sk.dfu
 }
 
 ########################################################################################