emSecure Tools

From SEGGER Knowledge Base

emSecure comes with all tools and utilities required for digital signature creation and verification. The tools are ready for use in development and production workflows. Additionally, the source code can serve as a reference for implementing digital signature handling in host tools as well as in target firmware.

emKeyGen

emKeyGen generates a key pair. The generation parameters can be configured on the command line. By default a random, provable 2048 bit key is generated.

The key length can be configured from 512 to 16384 bits with command line option -l. For 2048 and 3072 bit keys, provable primes according to the FIPS specification can be generated. For other key lengths probabilistic primes are generated (enable with -nf).

In addition to random key pairs, emKeyGen can generate proven prime key pairs derived from a set 128-bit initial seed value. The seed value can either be set directly with command line option -seed, or derived from a pass phrase string with command line option -pw. Generating key pairs from a known seed or pass phrase enables re-creation in case the private key gets lost. A pass phrase may be easier to securely remember or store than the key pair.

For full tool reference refer to https://doc.segger.com/UM12002_emSecureRSA.html#emSecure_RSA_Key_Generator.

C:> emKeyGenRSA -l 2048 -pw "SEGGER - The Embedded Experts"

(c) SEGGER Microcontroller GmbH    www.segger.com
emSecure-RSA KeyGen

Generating proven prime key pair with public modulus of 2048 bits
Public encryption exponent is set to 65537
Initial seed is 0xADBE961296F573AD2FA65468E1A8837D
Checking keys are consistent: OK
Writing public key file emSecure.pub.
Writing private key file emSecure.prv.

C:> _

emSign

emSign digitally signs a file with a private key. By default, emSign loads the private key from the file emSecure.prv and signs the input file using the RSASSA-PSS signature scheme. The signature is written to a new file <input-file>.sig. The signing process can be configured on the command line.

With command line option -k the key file can be changed.

Command line options -pss and -pkcs select the RSASSA-PSS or RSASSA-PKCS v1.5 signature scheme, and command line options -sha1 (default), -sha256, and -sha512 select the hash function to use. Additionally, a salt for the signature can be set with -s.

For full tool reference refer to https://doc.segger.com/UM12002_emSecureRSA.html#emSecure_RSA_Sign

C:> echo Is simply works! > test.txt

C:> emSignRSA -k emSecure.prv -pss -sha1 test.txt

(c) SEGGER Microcontroller GmbH    www.segger.com
emSecure-RSA Sign V2.50 compiled Sep 23 2025 16:26:24

Loading private key from emSecure.prv
  Probing file: Key file accepted
  Modulus length is 2048 bits
Loading content from test.txt
Loaded content is 17 bytes
  Digest: FB825A83CAEDDCBA6F23C97B6934D0FDC3DFDE07
Writing signature file test.txt.sig

C:> cat test.txt.sig
#
# RSA Signature
#
S=0x0E9BD43185FC3787[...]1633BF15D94FB985
#
# End Of File
#

C:> _

emVerify

emVerify verifies a file by its digital signature and the public key. Like emSign, it loads the default key emSecure.pub and uses the RSASSA-PSS signature scheme. The signature file is expected to be called <input-file>.sig. The verification process can be configured on the command line. The same command line options as for emSign are available. The same scheme and hash have to be used for signing and verification.

For full tool reference refer to https://doc.segger.com/UM12002_emSecureRSA.html#emSecure_RSA_Verify

C:> emVerifyRSA test.txt

(c) SEGGER Microcontroller GmbH    www.segger.com
emSecure-RSA Verify

Loading public key from emSecure.pub
Key file accepted
  Modulus length is 2048 bits
Loading signature from test.txt.sig
  Probing file: Loading content from test.txt
  Loaded content is 17 bytes
  Digest: FB825A83CAEDDCBA6F23C97B6934D0FDC3DFDE07
  Signature: 0E9BD43185FC3787[...]1633BF15D94FB985
Signature OK.

C:> _

emPrintKey

emPrintKey converts key files and signature files into C source files suitable for inclusion in firmware projects. Converted keys can be statically linked and directly passed to the emSecure API, which saves resources as they do not need to be loaded and converted at runtime.

emPrintKey can convert keys in SEGGER format, as created by emKeyGen, as well as keys in PEM or DER format, such as those generated by OpenSSL and other tools.

For full tool reference refer to https://doc.segger.com/UM12002_emSecureRSA.html#emSecure_RSA_Print_Key.

C:> emPrintKeyRSA SECURE_RSA_Expert_Key.prv -p _SECURE_RSA_PrivateKey_Expert

(c) SEGGER Microcontroller GmbH    www.segger.com
emSecure-RSA PrintKey

Probing file to determine type of key

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_D_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(C1, 0E, 67, 6C),
  CRYPTO_MPI_LIMB_DATA4(DE, F0, 5E, 22),
  CRYPTO_MPI_LIMB_DATA4(90, BC, CC, A8),
  [...]
  CRYPTO_MPI_LIMB_DATA4(4D, 93, 35, F3),
  CRYPTO_MPI_LIMB_DATA4(AA, 2F, AA, 48),
  CRYPTO_MPI_LIMB_DATA4(EC, 64, DA, 10)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_P_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(B7, 0E, 63, 39),
  CRYPTO_MPI_LIMB_DATA4(88, 90, 46, FE),
  CRYPTO_MPI_LIMB_DATA4(A7, B4, 02, 91),
  [...]
  CRYPTO_MPI_LIMB_DATA4(87, AB, 25, EB),
  CRYPTO_MPI_LIMB_DATA4(62, 57, 56, C4),
  CRYPTO_MPI_LIMB_DATA4(22, A8, 49, D2)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_Q_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(89, 0C, 90, 27),
  CRYPTO_MPI_LIMB_DATA4(48, E4, EA, FD),
  CRYPTO_MPI_LIMB_DATA4(1D, FC, 5A, 33),
  [...]
  CRYPTO_MPI_LIMB_DATA4(BC, FD, 32, 2A),
  CRYPTO_MPI_LIMB_DATA4(19, C2, 62, 81),
  CRYPTO_MPI_LIMB_DATA4(41, A3, 73, D8)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_DP_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(4B, CF, DB, DC),
  CRYPTO_MPI_LIMB_DATA4(52, 33, 3D, 8B),
  CRYPTO_MPI_LIMB_DATA4(66, C6, 20, 55),
  [...]
  CRYPTO_MPI_LIMB_DATA4(8D, E9, D1, 65),
  CRYPTO_MPI_LIMB_DATA4(2F, 05, D7, 8A),
  CRYPTO_MPI_LIMB_DATA4(0F, 29, D1, CF)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_DQ_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(09, 75, 79, 77),
  CRYPTO_MPI_LIMB_DATA4(06, 77, 27, 47),
  CRYPTO_MPI_LIMB_DATA4(DA, 0C, 7D, 14),
  [...]
  CRYPTO_MPI_LIMB_DATA4(25, C2, 14, A5),
  CRYPTO_MPI_LIMB_DATA4(CF, 3A, BF, 7D),
  CRYPTO_MPI_LIMB_DATA4(EC, C8, 5B, CE)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_QInv_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(8E, A6, AC, 41),
  CRYPTO_MPI_LIMB_DATA4(06, DC, EA, BA),
  CRYPTO_MPI_LIMB_DATA4(6D, BF, C2, 82),
  [...]
  CRYPTO_MPI_LIMB_DATA4(4D, 2D, DF, 47),
  CRYPTO_MPI_LIMB_DATA4(8D, 6E, 1C, CD),
  CRYPTO_MPI_LIMB_DATA4(86, E1, A5, AF)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_N_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(EF, 73, A3, 82),
  CRYPTO_MPI_LIMB_DATA4(05, 3A, 25, 1B),
  CRYPTO_MPI_LIMB_DATA4(C6, 77, FE, AE),
  [...]
  CRYPTO_MPI_LIMB_DATA4(28, FE, EB, EA),
  CRYPTO_MPI_LIMB_DATA4(B7, 1D, 51, 92),
  CRYPTO_MPI_LIMB_DATA4(0E, 23, CD, B1)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PrivateKey_Expert_PrivateKey_E_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(EF, 73, A3, 82),
  CRYPTO_MPI_LIMB_DATA4(05, 3A, 25, 1B),
  CRYPTO_MPI_LIMB_DATA4(C6, 77, FE, AE),
  [...]
  CRYPTO_MPI_LIMB_DATA4(28, FE, EB, EA),
  CRYPTO_MPI_LIMB_DATA4(B7, 1D, 51, 92),
  CRYPTO_MPI_LIMB_DATA4(0E, 23, CD, B1)
};

static const CRYPTO_RSA_PRIVATE_KEY _SECURE_RSA_PrivateKey_ExpertPrivateKey = {
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_D_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_P_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_Q_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_DP_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_DQ_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_QInv_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_N_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PrivateKey_Expert_PrivateKey_E_aLimbs) },
};

C:> _
C:> emPrintKeyRSA SECURE_RSA_Expert_Key.pub -p _SECURE_RSA_PublicKey_Expert

(c) SEGGER Microcontroller GmbH    www.segger.com
emSecure-RSA PrintKey

Probing file to determine type of key

static const CRYPTO_MPI_LIMB _SECURE_RSA_PublicKey_Expert_PublicKey_N_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(EF, 73, A3, 82),
  CRYPTO_MPI_LIMB_DATA4(05, 3A, 25, 1B),
  CRYPTO_MPI_LIMB_DATA4(C6, 77, FE, AE),
  [...]
  CRYPTO_MPI_LIMB_DATA4(28, FE, EB, EA),
  CRYPTO_MPI_LIMB_DATA4(B7, 1D, 51, 92),
  CRYPTO_MPI_LIMB_DATA4(0E, 23, CD, B1)
};

static const CRYPTO_MPI_LIMB _SECURE_RSA_PublicKey_Expert_PublicKey_E_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA3(01, 00, 01)
};

static const CRYPTO_RSA_PUBLIC_KEY _SECURE_RSA_PublicKey_ExpertPublicKey = {
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PublicKey_Expert_PublicKey_N_aLimbs) },
  { CRYPTO_MPI_INIT_RO(_SECURE_RSA_PublicKey_Expert_PublicKey_E_aLimbs) },
};

C:> _
C:> emPrintKeyRSA test.txt.sig

(c) SEGGER Microcontroller GmbH    www.segger.com
emSecure-RSA PrintKey

Probing file to determine type of key

static const CRYPTO_MPI_LIMB __Signature_aLimbs[] = {
  CRYPTO_MPI_LIMB_DATA4(85, B9, 4F, D9),
  CRYPTO_MPI_LIMB_DATA4(15, BF, 33, 16),
  CRYPTO_MPI_LIMB_DATA4(CA, 57, C3, D2),
  [...]
  CRYPTO_MPI_LIMB_DATA4(20, 39, 5C, 36),
  CRYPTO_MPI_LIMB_DATA4(87, 37, FC, 85),
  CRYPTO_MPI_LIMB_DATA4(31, D4, 9B, 0E)
};

static const CRYPTO_MPI _ = {
  { CRYPTO_MPI_INIT_RO(__Signature_aLimbs) },
};

C:> _
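
The limb arrays printed by emPrintKey can be cross-checked against the .sig file they were converted from before the C source is linked into firmware. The following is an added example, not SEGGER code: it assumes the byte order inferred from the sample output on this page (least significant byte first, within and across limbs), and the function names and the shortened sample value are constructed for illustration.

```python
import re

# Constructed sample in the .sig layout shown above: only the visible head and
# tail digits of the page's truncated signature, joined. Not a real signature.
SAMPLE_SIG = """#
# RSA Signature
#
S=0x0E9BD43185FC37871633BF15D94FB985
#
# End Of File
#
"""

def parse_sig_file(text):
    """Return (value, byte_length) of the S= field, skipping '#' comment lines."""
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            m = re.fullmatch(r"S=0x([0-9A-Fa-f]+)", line)
            if m is None:
                raise ValueError("unexpected line: %r" % line)
            return int(m.group(1), 16), (len(m.group(1)) + 1) // 2
    raise ValueError("no S= field found")

def to_limb_lines(value, nbytes):
    """Emit CRYPTO_MPI_LIMB_DATAn lines in the assumed little-endian order."""
    data = value.to_bytes(nbytes, "little")
    lines = []
    for i in range(0, nbytes, 4):
        chunk = data[i:i + 4]  # a short final chunk yields DATA3, as for E above
        args = ", ".join("%02X" % b for b in chunk)
        lines.append("CRYPTO_MPI_LIMB_DATA%d(%s)" % (len(chunk), args))
    return lines

def limbs_to_int(c_source):
    """Rebuild the integer from the limb macros found in C source text."""
    data = bytearray()
    for n, args in re.findall(r"CRYPTO_MPI_LIMB_DATA(\d)\(([^)]*)\)", c_source):
        chunk = [int(a, 16) for a in args.split(",")]
        if len(chunk) != int(n):
            raise ValueError("macro arity does not match its argument count")
        data.extend(chunk)
    return int.from_bytes(data, "little")

def source_matches_sig(sig_text, c_source):
    """True when the limbs in c_source encode exactly the value in sig_text."""
    return limbs_to_int(c_source) == parse_sig_file(sig_text)[0]
```

Running `source_matches_sig` over the real .sig file and the generated C file catches a stale or swapped array in the build tree; the same limb parser applies to the key arrays.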