fix(espsecure): Extract public key version 1 in RAW format

peterdragun · peterdragun · commit 6cfced81f9b9 · 2025-08-22T12:37:23.000+02:00
diff --git a/espsecure/__init__.py b/espsecure/__init__.py
@@ -1056,24 +1056,29 @@ def verify_signature_v2(hsm: bool, hsm_config: IO | None, keyfile: IO, datafile:
         )
 
 
-def extract_public_key(version: int, keyfile: IO, public_keyfile: IO):
+def extract_public_key(version: str, keyfile: IO, public_keyfile: IO):
     _check_output_is_not_input(keyfile, public_keyfile)
     if version == "1":
         """
         Load an ECDSA private key and extract the embedded public key
         as raw binary data.
         """
         sk = _load_ecdsa_signing_key(keyfile)
+        # For Secure Boot V1, output raw binary format (X and Y coordinates)
+        public_numbers = sk.public_key().public_numbers()
+        x_bytes = public_numbers.x.to_bytes(32, "big")
+        y_bytes = public_numbers.y.to_bytes(32, "big")
+        vk = x_bytes + y_bytes
     elif version == "2":
         """
         Load an RSA or an ECDSA private key and extract the public key
         as raw binary data.
         """
         sk = _load_sbv2_signing_key(keyfile.read())
-    vk = sk.public_key().public_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PublicFormat.SubjectPublicKeyInfo,
-    )
+        vk = sk.public_key().public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
     public_keyfile.write(vk)
     log.print(f'"{keyfile.name}" public key extracted to "{public_keyfile.name}".')
 
diff --git a/test/test_espsecure.py b/test/test_espsecure.py
@@ -101,6 +101,74 @@ def test_digest_rsa_public_key(self):
         finally:
             os.unlink(output_file.name)
 
+    def test_extract_public_key_v1(self):
+        """Test that extract-public-key CLI command produces raw output for version 1"""
+        with tempfile.TemporaryDirectory() as keydir:
+            # Generate a version 1 ECDSA256 key
+            keyfile_name = os.path.join(keydir, "v1_key.pem")
+            espsecure.generate_signing_key("1", "ecdsa256", keyfile_name)
+
+            output_file = os.path.join(keydir, "v1_public_key.bin")
+            output = self.run_espsecure(
+                f"extract-public-key --version 1 --keyfile {keyfile_name} {output_file}"
+            )
+
+            # Check that the command succeeded
+            assert "public key extracted" in output.lower()
+
+            # Read the output file
+            with open(output_file, "rb") as f:
+                v1_output = f.read()
+
+            # Version 1 should produce raw binary (64 bytes for ECDSA256)
+            assert len(v1_output) == 64, (
+                f"Expected 64 bytes for ECDSA256, got {len(v1_output)}"
+            )
+
+            # Raw binary should not contain PEM markers
+            assert b"-----BEGIN PUBLIC KEY-----" not in v1_output
+            assert b"-----END PUBLIC KEY-----" not in v1_output
+            assert b"PUBLIC KEY" not in v1_output
+
+            # Raw binary should contain only binary data (not text)
+            printable_count = sum(1 for b in v1_output if 32 <= b <= 126)
+            assert printable_count < len(v1_output), (
+                "Raw binary should not be all printable ASCII"
+            )
+
+    def test_extract_public_key_v2(self):
+        """Test that extract-public-key CLI command produces PEM output for version 2"""
+        with tempfile.TemporaryDirectory() as keydir:
+            # Generate a version 2 ECDSA256 key
+            keyfile_name = os.path.join(keydir, "v2_key.pem")
+            espsecure.generate_signing_key("2", "ecdsa256", keyfile_name)
+
+            output_file = os.path.join(keydir, "v2_public_key.pem")
+            output = self.run_espsecure(
+                f"extract-public-key --version 2 --keyfile {keyfile_name} {output_file}"
+            )
+
+            # Check that the command succeeded
+            assert "public key extracted" in output.lower()
+
+            # Read the output file
+            with open(output_file, "rb") as f:
+                v2_output = f.read()
+
+            # Version 2 should produce PEM format
+            assert b"-----BEGIN PUBLIC KEY-----" in v2_output
+            assert b"-----END PUBLIC KEY-----" in v2_output
+            assert b"PUBLIC KEY" in v2_output
+
+            # PEM format should be longer than raw binary
+            assert len(v2_output) > 64, "PEM format should be longer than raw binary"
+
+            # PEM format should be mostly printable ASCII
+            printable_count = sum(1 for b in v2_output if 32 <= b <= 126)
+            assert printable_count > len(v2_output) * 0.8, (
+                "PEM format should be mostly printable ASCII"
+            )
+
 
 class TestSigning(EspSecureTestCase):
     def test_key_generation_v1(self):
