imgtool: formalize public-key-only PEM support

imgtool's keys.load() silently falls through to load_pem_public_key
when the PEM contains no private material. As a result, `getpub`,
`getpubhash`, and `verify` have long accepted public-key-only PEMs,
which the Zephyr bootloader build relies on. This was neither tested
nor documented, leaving the capability exposed to silent regression.

Add parametrized tests covering getpub and getpubhash against pub-only
PEMs for all supported key types and encodings, asserting byte
equivalence with the private-key path.

Replace the AttributeError raised when `imgtool sign` is invoked with
a pub-only PEM with a descriptive click.UsageError, and add a regression
test. This matters for dev/prod key-split workflows where the signing
private key is held only by a release team.

Update docs/imgtool.md, docs/signed_images.md, and docs/readme-zephyr.md
to state that the bootloader build accepts pub-only PEMs, and that
`imgtool sign` itself still requires the private key.

Signed-off-by: JP Hutchins <jp@intercreate.io>

Author: JPHutchins

docs/imgtool.md

@@ -41,10 +41,15 @@ the key file.
 
     ./scripts/imgtool.py getpub -k filename.pem
 
-will extract the public key from the given private key file, and
-output it as a C data structure.  You can replace or insert this code
-into the key file. However, when the `MCUBOOT_HW_KEY` config option is
-enabled, this last step is unnecessary and can be skipped.
+will extract the public key from the given key file, and output it as
+a C data structure.  The input may be a keypair PEM (containing both
+private and public material) or a public-key-only PEM: `getpub`
+dispatches on the key format and requires no private key material.
+This matters for production workflows where the signing private key
+is held only by a release team, and the bootloader build consumes an
+exported public-key PEM.  You can replace or insert the emitted code
+into the key file. However, when the `MCUBOOT_HW_KEY` config option
+is enabled, this last step is unnecessary and can be skipped.
 
 ## [Signing images](#signing-images)
 

docs/readme-zephyr.md

@@ -156,6 +156,13 @@ the public key in a format usable by the C compiler.
 The generated public key is saved in `build/zephyr/autogen-pubkey.h`, which is included
 by the `boot/zephyr/keys.c`.
 
+``CONFIG_BOOT_SIGNATURE_KEY_FILE`` accepts either a keypair PEM or a
+public-key-only PEM: only the public key is consumed during the build.
+This enables production flows in which the signing private key is held
+by a release team and only an exported public key is provided to
+bootloader builders. Signing images (`imgtool sign`) requires the
+private key.
+
 Currently, the Zephyr RTOS port limits its support to one keypair at the time,
 although MCUboot's key management infrastructure supports multiple keypairs.
 

docs/signed_images.md

@@ -57,6 +57,16 @@ For ECDSA256 these commands are similar.
 openssl ecparam -name prime256v1 -genkey -noout -out image_sign.pem
 openssl ec -in image_sign.pem -pubout -outform DER -out image_sign_pub.der
 
+Note that the bootloader build does not require the private key: the
+exported public-key PEM (produced above, or via
+`imgtool getpub -k image_sign.pem -e pem`) is itself a valid input to
+`imgtool getpub`, and can be used as the
+`CONFIG_BOOT_SIGNATURE_KEY_FILE` setting for a Zephyr-based bootloader
+build. This supports a development workflow
+in which the production signing team releases only the public key,
+and the private key is never present on developer workstations.
+Running `imgtool sign` requires the private key.
+
 ## Creating a key package
 
 xxd -i image_sign_pub.der image_sign_pub.c.import

scripts/imgtool/keys/__init__.py

@@ -31,10 +31,12 @@
 
 from .ecdsa import ECDSA256P1, ECDSA384P1, ECDSA256P1Public, ECDSA384P1Public, ECDSAUsageError
 from .ed25519 import Ed25519, Ed25519Public, Ed25519UsageError
+from .general import DigestSigner, PayloadSigner
 from .rsa import RSA, RSA_KEY_SIZES, RSAPublic, RSAUsageError
 from .x25519 import X25519, X25519Public, X25519UsageError
 
 __all__ = [
+    "DigestSigner",
     "ECDSA256P1",
     "ECDSA384P1",
     "ECDSA256P1Public",
@@ -43,6 +45,7 @@
     "Ed25519",
     "Ed25519Public",
     "Ed25519UsageError",
+    "PayloadSigner",
     "RSA",
     "RSA_KEY_SIZES",
     "RSAPublic",

scripts/imgtool/keys/ecdsa.py

@@ -3,14 +3,17 @@
 """
 
 # SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
 import os.path
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.hashes import SHA256, SHA384
 
-from .general import KeyClass
+from .general import KeyClass, PayloadSigner, override
 from .privatebytes import PrivateBytesMixin
 
 
@@ -181,7 +184,7 @@ def verify(self, signature, payload):
                         signature_algorithm=ec.ECDSA(SHA256()))
 
 
-class ECDSA256P1(ECDSAPrivateKey, ECDSA256P1Public):
+class ECDSA256P1(ECDSAPrivateKey, ECDSA256P1Public, PayloadSigner):
     """
     Wrapper around an ECDSA (p256) private key.
     """
@@ -191,7 +194,7 @@ def __init__(self, key):
         self.pad_sig = False
 
     @staticmethod
-    def generate():
+    def generate() -> ECDSA256P1:
         pk = ec.generate_private_key(
                 ec.SECP256R1(),
                 backend=default_backend())
@@ -203,7 +206,8 @@ def raw_sign(self, payload):
                 data=payload,
                 signature_algorithm=ec.ECDSA(SHA256()))
 
-    def sign(self, payload):
+    @override
+    def sign(self, payload: bytes) -> bytes:
         sig = self.raw_sign(payload)
         if self.pad_sig:
             # To make fixed length, pad with one or two zeros.
@@ -254,7 +258,7 @@ def verify(self, signature, payload):
                         signature_algorithm=ec.ECDSA(SHA384()))
 
 
-class ECDSA384P1(ECDSAPrivateKey, ECDSA384P1Public):
+class ECDSA384P1(ECDSAPrivateKey, ECDSA384P1Public, PayloadSigner):
     """
     Wrapper around an ECDSA (p384) private key.
     """
@@ -266,7 +270,7 @@ def __init__(self, key):
         self.pad_sig = False
 
     @staticmethod
-    def generate():
+    def generate() -> ECDSA384P1:
         pk = ec.generate_private_key(
                 ec.SECP384R1(),
                 backend=default_backend())
@@ -278,7 +282,8 @@ def raw_sign(self, payload):
                 data=payload,
                 signature_algorithm=ec.ECDSA(SHA384()))
 
-    def sign(self, payload):
+    @override
+    def sign(self, payload: bytes) -> bytes:
         sig = self.raw_sign(payload)
         if self.pad_sig:
             # To make fixed length, pad with one or two zeros.

scripts/imgtool/keys/ed25519.py

@@ -4,10 +4,12 @@
 
 # SPDX-License-Identifier: Apache-2.0
 
+from __future__ import annotations
+
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ed25519
 
-from .general import KeyClass
+from .general import DigestSigner, KeyClass, override
 
 
 class Ed25519UsageError(Exception):
@@ -69,7 +71,7 @@ def verify_digest(self, signature, digest):
         return k.verify(signature=signature, data=digest)
 
 
-class Ed25519(Ed25519Public):
+class Ed25519(Ed25519Public, DigestSigner):
     """
     Wrapper around an ED25519 private key.
     """
@@ -79,7 +81,7 @@ def __init__(self, key):
         self.key = key
 
     @staticmethod
-    def generate():
+    def generate() -> Ed25519:
         pk = ed25519.Ed25519PrivateKey.generate()
         return Ed25519(pk)
 
@@ -105,6 +107,7 @@ def export_private(self, path, passwd=None):
         with open(path, 'wb') as f:
             f.write(pem)
 
-    def sign_digest(self, digest):
+    @override
+    def sign_digest(self, digest: bytes) -> bytes:
         """Return the actual signature"""
         return self.key.sign(data=digest)

scripts/imgtool/keys/general.py

@@ -2,14 +2,41 @@
 
 # SPDX-License-Identifier: Apache-2.0
 
+from __future__ import annotations
+
 import os
 import sys
+from typing import Protocol, runtime_checkable
 
 from cryptography.hazmat.primitives.hashes import SHA256, Hash
 
+if sys.version_info >= (3, 12):
+    from typing import override as override
+else:
+    try:
+        from typing_extensions import override as override
+    except ImportError:  # pragma: no cover
+        def override(func):  # type: ignore[no-redef]
+            """Runtime no-op fallback when typing_extensions is absent."""
+            return func
+
 AUTOGEN_MESSAGE = "/* Autogenerated by imgtool.py, do not edit. */"
 
 
+@runtime_checkable
+class PayloadSigner(Protocol):
+    """A key capable of signing a payload."""
+
+    def sign(self, payload: bytes) -> bytes: ...
+
+
+@runtime_checkable
+class DigestSigner(Protocol):
+    """A key capable of signing a digest (hash) of a payload."""
+
+    def sign_digest(self, digest: bytes) -> bytes: ...
+
+
 class FileHandler:
     def __init__(self, file, *args, **kwargs):
         self.file_in = file

scripts/imgtool/keys/rsa.py

@@ -4,13 +4,15 @@
 
 # SPDX-License-Identifier: Apache-2.0
 
+from __future__ import annotations
+
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric.padding import MGF1, PSS
 from cryptography.hazmat.primitives.hashes import SHA256
 
-from .general import KeyClass
+from .general import KeyClass, PayloadSigner, override
 from .privatebytes import PrivateBytesMixin
 
 # Sizes that bootutil will recognize
@@ -81,7 +83,7 @@ def verify(self, signature, payload):
                         algorithm=SHA256())
 
 
-class RSA(RSAPublic, PrivateBytesMixin):
+class RSA(RSAPublic, PrivateBytesMixin, PayloadSigner):
     """
     Wrapper around an RSA key, with imgtool support.
     """
@@ -91,7 +93,7 @@ def __init__(self, key):
         self.key = key
 
     @staticmethod
-    def generate(key_size=2048):
+    def generate(key_size: int = 2048) -> RSA:
         if key_size not in RSA_KEY_SIZES:
             raise RSAUsageError(f"Key size {key_size} is not supported by MCUboot"
                                 )
@@ -163,7 +165,8 @@ def export_private(self, path, passwd=None):
         with open(path, 'wb') as f:
             f.write(pem)
 
-    def sign(self, payload):
+    @override
+    def sign(self, payload: bytes) -> bytes:
         # The verification code only allows the salt length to be the
         # same as the hash length, 32.
         return self.key.sign(

scripts/imgtool/keys/x25519.py

@@ -4,10 +4,12 @@
 
 # SPDX-License-Identifier: Apache-2.0
 
+from __future__ import annotations
+
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import x25519
 
-from .general import KeyClass
+from .general import DigestSigner, KeyClass, override
 from .privatebytes import PrivateBytesMixin
 
 
@@ -63,7 +65,7 @@ def sig_len(self):
         return 32
 
 
-class X25519(X25519Public, PrivateBytesMixin):
+class X25519(X25519Public, PrivateBytesMixin, DigestSigner):
     """
     Wrapper around an X25519 private key.
     """
@@ -73,7 +75,7 @@ def __init__(self, key):
         self.key = key
 
     @staticmethod
-    def generate():
+    def generate() -> X25519:
         pk = x25519.X25519PrivateKey.generate()
         return X25519(pk)
 
@@ -106,7 +108,8 @@ def export_private(self, path, passwd=None):
         with open(path, 'wb') as f:
             f.write(pem)
 
-    def sign_digest(self, digest):
+    @override
+    def sign_digest(self, digest: bytes) -> bytes:
         """Return the actual signature"""
         return self.key.sign(data=digest)
 

scripts/imgtool/main.py

@@ -481,6 +481,11 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
     compression_tlvs = {}
     img.load(infile)
     key = load_key(key) if key else None
+    if key is not None and not isinstance(key, (keys.PayloadSigner, keys.DigestSigner)):
+        raise click.UsageError(
+            "Cannot sign with a public-only PEM; signing requires the "
+            "private key."
+        )
     enckey = load_key(encrypt) if encrypt else None
     if enckey and key and ((isinstance(key, keys.ECDSA256P1) and
          not isinstance(enckey, keys.ECDSA256P1Public))