From e1e4d5b658f925f45c72aef2524777472583e020 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Thu, 16 May 2024 10:14:35 +0200
Subject: [PATCH 01/13] imgtool: Add pre-generated images and keys

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I52646f5f27d47e3639368c6adcaa9df62b1b7853
---
 scripts/tests/images/one.bin                  |   1 +
 scripts/tests/images/one_offset.hex           |  65 ++++++++++++++++++
 .../tests/images/signed/basic/ecdsa-p256.bin  | Bin 0 -> 1206 bytes
 .../tests/images/signed/basic/ecdsa-p384.bin  | Bin 0 -> 1271 bytes
 scripts/tests/images/signed/basic/ed25519.bin | Bin 0 -> 1200 bytes
 .../tests/images/signed/basic/rsa-2048.bin    | Bin 0 -> 1392 bytes
 .../tests/images/signed/basic/rsa-3072.bin    | Bin 0 -> 1520 bytes
 .../images/signed/basic/rsa-3072_invHash.bin  | Bin 0 -> 1520 bytes
 .../images/signed/basic/rsa-3072_invMagic.bin | Bin 0 -> 1520 bytes
 .../signed/basic/rsa-3072_invTLVMagic.bin     | Bin 0 -> 1520 bytes
 .../images/signed/customTLV/ecdsa-p256.bin    | Bin 0 -> 2208 bytes
 .../images/signed/customTLV/ecdsa-p384.bin    | Bin 0 -> 2273 bytes
 .../tests/images/signed/customTLV/ed25519.bin | Bin 0 -> 2202 bytes
 .../images/signed/customTLV/rsa-2048.bin      | Bin 0 -> 2394 bytes
 .../images/signed/customTLV/rsa-3072.bin      | Bin 0 -> 2522 bytes
 .../signed/encryptedClear/ecdsa-p256.enc      | Bin 0 -> 2315 bytes
 .../signed/encryptedClear/ecdsa-p384.enc      | Bin 0 -> 2262 bytes
 .../images/signed/encryptedClear/ed25519.enc  | Bin 0 -> 2276 bytes
 .../images/signed/encryptedClear/rsa-2048.enc | Bin 0 -> 2644 bytes
 .../images/signed/encryptedClear/rsa-3072.enc | Bin 0 -> 2900 bytes
 .../tests/images/signed/noKey/noKey256.bin    | Bin 0 -> 1096 bytes
 .../tests/images/signed/no_pad_sig_enc_16.bin | Bin 0 -> 2644 bytes
 .../images/signed/no_pad_sig_enc_16_inv.bin   | Bin 0 -> 2644 bytes
 scripts/tests/images/signed/pad/padNoEnc.bin  | Bin 0 -> 1536 bytes
 .../images/signed/pad_2.3K_sig_enc_16_inv.bin | Bin 0 -> 8960 bytes
 .../tests/images/signed/pad_sig_enc_16.bin    | Bin 0 -> 65536 bytes
 .../images/signed/pad_sig_enc_16_inv.bin      | Bin 0 -> 65536 bytes
 .../tests/images/signed/pad_sig_enc_32.bin    | Bin 0 -> 65536 bytes
 .../images/signed/pubKeyOnly/ecdsa-p256.bin   | Bin 0 -> 20480 bytes
 .../images/signed/pubKeyOnly/ecdsa-p384.bin   | Bin 0 -> 20480 bytes
 .../images/signed/pubKeyOnly/rsa-2048.bin     | Bin 0 -> 20480 bytes
 .../images/signed/pubKeyOnly/rsa-3072.bin     | Bin 0 -> 20480 bytes
 scripts/tests/images/zero.bin                 | Bin 0 -> 1024 bytes
 scripts/tests/images/zero.hex                 |  65 ++++++++++++++++++
 scripts/tests/keys/ecdsa-p256.key             |   5 ++
 scripts/tests/keys/ecdsa-p256_passwd.key      |   7 ++
 scripts/tests/keys/ecdsa-p384.key             |   6 ++
 scripts/tests/keys/ecdsa-p384_passwd.key      |   8 +++
 scripts/tests/keys/ed25519.key                |   3 +
 scripts/tests/keys/ed25519_passwd.key         |   6 ++
 scripts/tests/keys/public/ecdsa-p256-pem.pub  |   4 ++
 scripts/tests/keys/public/ecdsa-p384-pem.pub  |   5 ++
 scripts/tests/keys/public/rsa-2048-pem.pub    |   9 +++
 scripts/tests/keys/public/rsa-3072-pem.pub    |  11 +++
 scripts/tests/keys/public/x25519-pem.pub      |   3 +
 scripts/tests/keys/rsa-2048.key               |  28 ++++++++
 scripts/tests/keys/rsa-2048_passwd.key        |  30 ++++++++
 scripts/tests/keys/rsa-3072.key               |  40 +++++++++++
 scripts/tests/keys/rsa-3072_passwd.key        |  42 +++++++++++
 scripts/tests/keys/x25519.key                 |   3 +
 scripts/tests/keys/x25519_passwd.key          |   6 ++
 51 files changed, 347 insertions(+)
 create mode 100644 scripts/tests/images/one.bin
 create mode 100644 scripts/tests/images/one_offset.hex
 create mode 100644 scripts/tests/images/signed/basic/ecdsa-p256.bin
 create mode 100644 scripts/tests/images/signed/basic/ecdsa-p384.bin
 create mode 100644 scripts/tests/images/signed/basic/ed25519.bin
 create mode 100644 scripts/tests/images/signed/basic/rsa-2048.bin
 create mode 100644 scripts/tests/images/signed/basic/rsa-3072.bin
 create mode 100644 scripts/tests/images/signed/basic/rsa-3072_invHash.bin
 create mode 100644 scripts/tests/images/signed/basic/rsa-3072_invMagic.bin
 create mode 100644 scripts/tests/images/signed/basic/rsa-3072_invTLVMagic.bin
 create mode 100644 scripts/tests/images/signed/customTLV/ecdsa-p256.bin
 create mode 100644 scripts/tests/images/signed/customTLV/ecdsa-p384.bin
 create mode 100644 scripts/tests/images/signed/customTLV/ed25519.bin
 create mode 100644 scripts/tests/images/signed/customTLV/rsa-2048.bin
 create mode 100644 scripts/tests/images/signed/customTLV/rsa-3072.bin
 create mode 100644 scripts/tests/images/signed/encryptedClear/ecdsa-p256.enc
 create mode 100644 scripts/tests/images/signed/encryptedClear/ecdsa-p384.enc
 create mode 100644 scripts/tests/images/signed/encryptedClear/ed25519.enc
 create mode 100644 scripts/tests/images/signed/encryptedClear/rsa-2048.enc
 create mode 100644 scripts/tests/images/signed/encryptedClear/rsa-3072.enc
 create mode 100644 scripts/tests/images/signed/noKey/noKey256.bin
 create mode 100644 scripts/tests/images/signed/no_pad_sig_enc_16.bin
 create mode 100644 scripts/tests/images/signed/no_pad_sig_enc_16_inv.bin
 create mode 100644 scripts/tests/images/signed/pad/padNoEnc.bin
 create mode 100644 scripts/tests/images/signed/pad_2.3K_sig_enc_16_inv.bin
 create mode 100644 scripts/tests/images/signed/pad_sig_enc_16.bin
 create mode 100644 scripts/tests/images/signed/pad_sig_enc_16_inv.bin
 create mode 100644 scripts/tests/images/signed/pad_sig_enc_32.bin
 create mode 100644 scripts/tests/images/signed/pubKeyOnly/ecdsa-p256.bin
 create mode 100644 scripts/tests/images/signed/pubKeyOnly/ecdsa-p384.bin
 create mode 100644 scripts/tests/images/signed/pubKeyOnly/rsa-2048.bin
 create mode 100644 scripts/tests/images/signed/pubKeyOnly/rsa-3072.bin
 create mode 100644 scripts/tests/images/zero.bin
 create mode 100644 scripts/tests/images/zero.hex
 create mode 100644 scripts/tests/keys/ecdsa-p256.key
 create mode 100644 scripts/tests/keys/ecdsa-p256_passwd.key
 create mode 100644 scripts/tests/keys/ecdsa-p384.key
 create mode 100644 scripts/tests/keys/ecdsa-p384_passwd.key
 create mode 100644 scripts/tests/keys/ed25519.key
 create mode 100644 scripts/tests/keys/ed25519_passwd.key
 create mode 100644 scripts/tests/keys/public/ecdsa-p256-pem.pub
 create mode 100644 scripts/tests/keys/public/ecdsa-p384-pem.pub
 create mode 100644 scripts/tests/keys/public/rsa-2048-pem.pub
 create mode 100644 scripts/tests/keys/public/rsa-3072-pem.pub
 create mode 100644 scripts/tests/keys/public/x25519-pem.pub
 create mode 100644 scripts/tests/keys/rsa-2048.key
 create mode 100644 scripts/tests/keys/rsa-2048_passwd.key
 create mode 100644 scripts/tests/keys/rsa-3072.key
 create mode 100644 scripts/tests/keys/rsa-3072_passwd.key
 create mode 100644 scripts/tests/keys/x25519.key
 create mode 100644 scripts/tests/keys/x25519_passwd.key

diff --git a/scripts/tests/images/one.bin b/scripts/tests/images/one.bin
new file mode 100644
index 0000000000..0fa327f633
--- /dev/null
+++ b/scripts/tests/images/one.bin
@@ -0,0 +1 @@
+1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
\ No newline at end of file
diff --git a/scripts/tests/images/one_offset.hex b/scripts/tests/images/one_offset.hex
new file mode 100644
index 0000000000..ede08e5d58
--- /dev/null
+++ b/scripts/tests/images/one_offset.hex
@@ -0,0 +1,65 @@
+:10000A0031313131313131313131313131313131D6
+:10001A0031313131313131313131313131313131C6
+:10002A0031313131313131313131313131313131B6
+:10003A0031313131313131313131313131313131A6
+:10004A003131313131313131313131313131313196
+:10005A003131313131313131313131313131313186
+:10006A003131313131313131313131313131313176
+:10007A003131313131313131313131313131313166
+:10008A003131313131313131313131313131313156
+:10009A003131313131313131313131313131313146
+:1000AA003131313131313131313131313131313136
+:1000BA003131313131313131313131313131313126
+:1000CA003131313131313131313131313131313116
+:1000DA003131313131313131313131313131313106
+:1000EA0031313131313131313131313131313131F6
+:1000FA0031313131313131313131313131313131E6
+:10010A0031313131313131313131313131313131D5
+:10011A0031313131313131313131313131313131C5
+:10012A0031313131313131313131313131313131B5
+:10013A0031313131313131313131313131313131A5
+:10014A003131313131313131313131313131313195
+:10015A003131313131313131313131313131313185
+:10016A003131313131313131313131313131313175
+:10017A003131313131313131313131313131313165
+:10018A003131313131313131313131313131313155
+:10019A003131313131313131313131313131313145
+:1001AA003131313131313131313131313131313135
+:1001BA003131313131313131313131313131313125
+:1001CA003131313131313131313131313131313115
+:1001DA003131313131313131313131313131313105
+:1001EA0031313131313131313131313131313131F5
+:1001FA0031313131313131313131313131313131E5
+:10020A0031313131313131313131313131313131D4
+:10021A0031313131313131313131313131313131C4
+:10022A0031313131313131313131313131313131B4
+:10023A0031313131313131313131313131313131A4
+:10024A003131313131313131313131313131313194
+:10025A003131313131313131313131313131313184
+:10026A003131313131313131313131313131313174
+:10027A003131313131313131313131313131313164
+:10028A003131313131313131313131313131313154
+:10029A003131313131313131313131313131313144
+:1002AA003131313131313131313131313131313134
+:1002BA003131313131313131313131313131313124
+:1002CA003131313131313131313131313131313114
+:1002DA003131313131313131313131313131313104
+:1002EA0031313131313131313131313131313131F4
+:1002FA0031313131313131313131313131313131E4
+:10030A0031313131313131313131313131313131D3
+:10031A0031313131313131313131313131313131C3
+:10032A0031313131313131313131313131313131B3
+:10033A0031313131313131313131313131313131A3
+:10034A003131313131313131313131313131313193
+:10035A003131313131313131313131313131313183
+:10036A003131313131313131313131313131313173
+:10037A003131313131313131313131313131313163
+:10038A003131313131313131313131313131313153
+:10039A003131313131313131313131313131313143
+:1003AA003131313131313131313131313131313133
+:1003BA003131313131313131313131313131313123
+:1003CA003131313131313131313131313131313113
+:1003DA003131313131313131313131313131313103
+:1003EA0031313131313131313131313131313131F3
+:1003FA0031313131313131313131313131313131E3
+:00000001FF
diff --git a/scripts/tests/images/signed/basic/ecdsa-p256.bin b/scripts/tests/images/signed/basic/ecdsa-p256.bin
new file mode 100644
index 0000000000000000000000000000000000000000..7cb8ef214710939dc1bc6ab489e34d1a890778c3
GIT binary patch
literal 1206
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>U77zBW&1LKUwwJ*1-Z=9dgbUUFl
zeDZpM-aiW`J<svncgOg*z^)05Ks9e(l?p9#xK}02`^hIm<oy3r5<PQr4@a#rN;~T$
zQ`y|7#NftY;KHOJo&Q04VO7EDXA&Eh{|NG0Z+y$))^sCo)h$}V&l>(M0je;Ysre+G
h?Zd>>r%(QyeHW8%YBDOz@A|R&!zqt_)8l730ss-mN9F(k

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/ecdsa-p384.bin b/scripts/tests/images/signed/basic/ecdsa-p384.bin
new file mode 100644
index 0000000000000000000000000000000000000000..cf6b69cff3da9625efb40e25ee3d1ddd2a297779
GIT binary patch
literal 1271
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>UB83Y*&80M_{EjJ}irhj|h<Bwkr
z`*-{8e|^9I>iwtF+800Gvb&~Gg!zEBCeyjVI@y)&OMCquF#`2S*+mt8{Hq_M;p;6l
z#c|K8WP7$mp7;{&e`d^byJm1t-2E-kyI^%;`L4&&;wQojRx2^2GZ>^Y83?zXS;1u*
zzIIOg_m?v@*6Qx9R;$lA)~3DIl;MlTbNTfl5vH$J++NI9DE%yBACH|0lOaQ^OZ?)A
x!YOa1x2qqLZOONcja9FTIu-4~+;OR=MKD0dXw8yUc4woVRr<rze^k6v1pug3V6OlG

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/ed25519.bin b/scripts/tests/images/signed/basic/ed25519.bin
new file mode 100644
index 0000000000000000000000000000000000000000..0ff92713734d49ab7dd16fd9a1092b0f413b989f
GIT binary patch
literal 1200
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>R+7zBW&1LKUwwJ*1-Z=9dgbUUFl
zeDZpM-aiW`J<svncgOg*z^)05Ks9Q6+CH!xN;LhL{cT#)q$!V|y_oWH#c}zAh6~s#
zU*@mfs>0yFaPp(#jt=&OcVTP#&M>{UKkCTVXb=>4_M&p>(ITf8&vy4YD=oj0#3XiD
cg=gJ5Zm~th6P6vk9hD;;WaMk_q*TrU0G@M2g#Z8m

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/rsa-2048.bin b/scripts/tests/images/signed/basic/rsa-2048.bin
new file mode 100644
index 0000000000000000000000000000000000000000..2f4ed1f5b16fe892d22cf37b58ac5b0bc684be52
GIT binary patch
literal 1392
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>Rqi~_*YfpJFT+Lv3^H_p##x}DG&
zK6$-B@1KQ}p67V(yJP%YVAljjpqe%NdZml(q<Y=mWkqlJimdGaE|YZk<9n0C-(`xt
z`xM+1fJKWq&von54+F21&MbV9cJAya?PcM!R~xP{aoAkwknu~4M>zVDU(VtsOKXBG
z=KivLHa%EnK`Vc!ocUoxo2mn6#2IGfABhR5c_Hke=e&WrKh@Ybc6CTT_kQi2vx+0{
zPl?}Iw0`kBr@k+{o$t2Tm+Khao5ZxQ=F9FS{5idmi)#13Ggkle@p;!@-ks%hcAi%H
zR{xwo<-NqGD}`U~FALeuP&ec2I?qP-brB-77nYiuW?cWqHBC?Xy@Qdm>cW??Ilr=_
zo|u%1&q(;oy7VOThEtY)=DUTaSj_J^#@O*R@=n6HUo3Ar(^KQt_<Fl<zI`KK!>wv<
V{h#=D%g1}|_Ll{RD8~PP0RUH+qxJv*

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/rsa-3072.bin b/scripts/tests/images/signed/basic/rsa-3072.bin
new file mode 100644
index 0000000000000000000000000000000000000000..b37f3c2caed8b58d947a38452039bd616e25b2e3
GIT binary patch
literal 1520
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>R=7zKc(1LKUwwJ*1-Z=9dgbUUFl
zeDZpM-aiW`J<svncgOg*z^)05KsEE$3v*P>Irrb=xIlP89oMqc`<yEKv=`^?@oZ0Q
zKDnGznW2GE>G}QnM<RqIE{U+6j_9g!_%Ekmvp8(=)xf=J>fTE;`EEN{8qX8{rgi74
z-rCdZ9d3s!Kdcp1cpT^Va$D$ATbEeY13PuZgZ7`e5VXw0yWOPjLCz-8+g$56`v2ir
z(i*at?>p<qogypmnHiYx-8$*&omcDa*6#64j9HXwSZ%VT=PK)x&z63luT%%~-<cm2
zulMFsV#fytZR5y0cQsPa<e%W)R~7oQC%D4n*gAc^zNs(HNhY7X<ow6=Llzr<HFssB
zq3nEp2KB32{j(RpD)iTINpAB~d8YaI$2?BYoa{~apXI-6ja;%Sit*0v>36l}O?Tot
z%Qy4>hf6n2XY#iH6y4I(m-$v;qQ$(`8j`j%c6Z;a?s%%_TsE^trFv&tZd>{0hwI-2
zdDchTC4cnY?RV#vXswl#oKh=SQfF|DOY-qEVWLj!o?Ywf?(}bR(lKIrvP5#mPZ6uK
ze{KC51%`5*${{{>o4>Fgv`Lb4IpMUDvE`9e_>aFU439mYb}~+8)lSKS2^t##VJP1=

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/rsa-3072_invHash.bin b/scripts/tests/images/signed/basic/rsa-3072_invHash.bin
new file mode 100644
index 0000000000000000000000000000000000000000..905623758a89a62e46052564ac569b02bd1c2bfc
GIT binary patch
literal 1520
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>R=7zG%LN-}0Nu6?;xedGL`rrQaf
z;gi=3^!`~m>3NRlzB|Uh1$Iqf1ePH4)(dk~%{lkq<G4V0K^@n!)BBt%`?MG5?eT0+
zY(BZ1Q<<TGkzs3O!H@WtTcrbX9$m2Gy}D)fH&(G@3@0nUGWYWLrtR67Uzm2`>7?eJ
z@?!Oe{(KGiH8bjn&)?HG_kP@PDOXu!%GXQN^<;fM{5d*_JE>&itE)k0bc=*rb@iqH
z{n)#!v?ud}9(!WD(UaMA2fn+9Zgx8`mGAL|`PF%TwaHo>sY%B>_FUU*@A8*@@!>5T
zd54)>=gfF;iO-AWRI-}nw5r`f*Sjq3j`B+OF8?nrD5b1_`tb=XuZ2?9=FvBDW@j%7
zex*>eGBbKvNb-_3H*P73eQeuaD$_e#wsA!f@2tbe3Z|OPk_?MwnR-~X@Y4lTN6yRF
zJ{`V0Nn>{!d!NtUCrvV&GOoRMj9KL|Vd?@#1-pRlvRhIkK1VE_bF0}*bg4%|&=w8@
zlNUSIlr*ZEf11<z@%Sp2$-n)w_tyU2@&04Xsres1A6m^5cF;ci(}Bb%CzlD!Eq2go
zx}KY?zl-z6AFqd=X>vhjI_Gxio_*JOfA99G>r$_X<{8>L7w|c4ycb%!gh^uA{E*)O
D>Er57

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/rsa-3072_invMagic.bin b/scripts/tests/images/signed/basic/rsa-3072_invMagic.bin
new file mode 100644
index 0000000000000000000000000000000000000000..a6999a7d1efb3947a0fd3cd455d7e803812a668e
GIT binary patch
literal 1520
zcmcEBkvfe52oyjB3y5G~V1!Vk<Y)+thQJ690rt!bi~_*YfpJFT+Lv3^H_p##x}DG&
zK6$-B@1KQ}p67V(yJP%YVAljjpqhE>g*mF`ocr%_Tp+xlj%(TJeNL5q+Kcn{c(x}t
zpIpwV%+SEdur;#aNBqmJ(g8V-F4*y2-Lm={tJpDyla*hYd-;3Q_H4{AOuO)OQu9uE
zvHC-Qz6Si78Fj?x@9CR+KW?~`t1L3*>!s;>vOXXF9G%3SR5J0^)u1!FMZ&GR`qKY?
z?A=w`llei9J+a;B$?UoV-`ztuyB(Oy_xQs6>O8;NWG#-=q~jfXuI;sV`OCie@D`4|
z!_2L7W<0pW=f!d=Sxs_U)$X9{U6yu7c_n+7|Cbh&Qr18H_=J_$LMdzW=o>k+vlj)w
zQm9#(8NDnddC8g^x0J*_wrww!>76axxT1)6*5P9XQ_W^chQ+c>JuF)I>4K>v=jCgk
z4&R-mu{({u&*$!wCYenc*WNqEtn!#JbpfM-UBGtPEvXToBbLs&)odoZ)FUBi3x|Qp
ziydo98dc3d&FTDje3i@O-+tM9Yk%)}|1sv&{12ZGt>y_kXrKM*K;n~=%Y@|?J7_dr
z&rR0f#d+h8*F(=Vxu7zgb31g;zU#cdcl*?JsaHhv3~ikY_?$N03oTv3B(ZFM$Zr6K
CROpic

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/basic/rsa-3072_invTLVMagic.bin b/scripts/tests/images/signed/basic/rsa-3072_invTLVMagic.bin
new file mode 100644
index 0000000000000000000000000000000000000000..0fb0e565b4b6824fc06d1643b9d2123276f8e212
GIT binary patch
literal 1520
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0wtLj7zKc(1LKUwwJ*1-Z=9dgbUUFl
zeDZpM-aiW`J<svncgOg*z^)05KsEE$3v*P>Irrb=xIlP89oMqc`<yEKv=`^?@oZ0Q
zKDnGznW2G^VQXZ;kNB5cr2}#vU9jW5x@Gk@R<UCYCo8`)_wx6q?b(=Ln0Ddmq~@LS
zV)cjqd=2<DGwO)X-_tkue%x>=S6O7r*Gtp&WPLvTIXa0usbu1-t3hXUi-cQs^`-y)
z*t@H=C-Z|Idt$rMli76#zPpERb~`YY@9~BC)p>rk$yyw#Nyj_(T-$5!@|S(_;Vm3_
zhnZXF%y@8#&x_?$vYO<ys@*}?yDaUF@=EqD|1T{lrL2GY@d+!hg;Lh$(Km8tXD<qV
zrBJgnGkRG_@{%<-ZYha<Y};Nc(>q(XaYYgDti#6&rkc%?42xx%dRVmZ(*;vU&db+6
z9lkqBV|N;RpU>SVO){G@uDy4RS>-Wd>H<auyMXPoTT&xFM=YIltJzF+sYgQ477hcG
z7dzIJG^(0^n$!95_$rslzx}fJ*8bk{{$tFk`5!(XTFn!7&_4Uqfy5^#mkG-)cF<_L
zo|~+{i}S`GuZNy#azSM}=XU6xeb;$^@Aj$dQm=^S8QMA*@HuU~7h1Z6Nn+Xjklz57
CB<YR-

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/customTLV/ecdsa-p256.bin b/scripts/tests/images/signed/customTLV/ecdsa-p256.bin
new file mode 100644
index 0000000000000000000000000000000000000000..9b2bd4e36638212d3f6e35300a1517149c5f773d
GIT binary patch
literal 2208
zcmcEB@p&2p2(WMgF_^``2%*5_|4}d+0;3@?Y(oGktB*2ALtr!nMpy`NWO6YqU|?ck
z_|Kj>jX{7xfnn`2yUrRzo4W}dNB%5*nl<gSnBZ|yUdDoJZFMeUwVX|iKs9e(l?p9#
zxK}02`^hIm<oy3r5<PQr4@a#rN;~T$Q`y|7#NftY;KHPk*k!CB@b*VYO4$!)eI@ZK
zNki`+p0gF}Ph6;Ww)Wh>%%l*edGD#H*+!k>mj{{GIjxc{{qyc;y-2Uwq-jbXvz9s>
F0|3y&9#H@Q

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/customTLV/ecdsa-p384.bin b/scripts/tests/images/signed/customTLV/ecdsa-p384.bin
new file mode 100644
index 0000000000000000000000000000000000000000..73f5c7c8055b9a9187a68f682336529215f5af0e
GIT binary patch
literal 2273
zcmcEB@p&2p2(WMgF_^``2%*5_|4}d+0;3@?Y(oGktB*2ALtr!nMpy`NWO6YqU|?ck
z_|Kksok5VnfI(-gA^#g?xy;n}Ty^5VqMbPmlmZqn>kzN2ka)_vAn1K`a$L(!p{X_-
ze5SHKe|P>lBT$c&T~y)6zxpv6zTQGp9QV9Rwr5M^i7(OqXT~hIYX<kk-QNPe3sx7F
z?|K|9ej>bJwGu-*gFz~jfxg_o6KajyOO0NMDjiE$%{RxQ_))rWUz^a^HE&mBhw#sD
zFaN&ua=vm!Yua|7a+5qJLxzVlt<-ma@0tEB<G4&XM{2=p$qh@^UNQ52^n1gbb&-E9
W4Q;|7Pf7XinmXs~L5<I!zXAX|X+Vqs

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/customTLV/ed25519.bin b/scripts/tests/images/signed/customTLV/ed25519.bin
new file mode 100644
index 0000000000000000000000000000000000000000..8708a49bf946a67c901f9af7226facd1906a666c
GIT binary patch
literal 2202
zcmcEB@p&2p2(WMgF_^``2%*5_|4}d+0;3@?Y(oGktB*2ALtr!nMpy`NWO6YqU|?ck
z_|Kj>fkA*lfnn`2yUrRzo4W}dNB%5*nl<gSnBZ|yUdDoJZFMeUwVX|iKs9Q6+CH!x
zN;LhL{cT#)q$!V|y_oWH#c}zAh6~s#U*@mfs>0yFu(-lfCX>&;b*IUujZU6#6zfkn
zCmrI^{j)IOyM>IRn|{^$iL85%O#C+8pMQm$&Wa7cq!NBSZMi%9&B8jqn$GLo0J7X7
A@&Et;

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/customTLV/rsa-2048.bin b/scripts/tests/images/signed/customTLV/rsa-2048.bin
new file mode 100644
index 0000000000000000000000000000000000000000..6a7e82d9688ce3bba881a2d41801d80b311b4741
GIT binary patch
literal 2394
zcmcEB@p&2p2(WMgF_^``2%*5_|4}d+0;3@?Y(oGktB*2ALtr!nMpy`NWO6YqU|?ck
z_|Kjhz$n0=z_9k1U1yD<&D{i!BY&1Y&6@UEOz^lUFJr;AwmKKFTFxd$pqe%NdZml(
zq<Y=mWkqlJimdGaE|YZk<9n0C-(`xt`xM+17#JA!e;@gG+LtpV>HJ*%>&NsIcs|V!
zS~Sx_#mzTZit|^Ww@=cV_V$$rEDrZB;B)ij&r$ug>xIwpSGRQ^wjOjokaDEg>+glo
z=S(*Yh0?i7EYeSQi3t=;bI=RgS+PX$*xVgD`ZrG{Gcff?q`p;`K6^>^!_PxDYOmZx
zSF=Cg;o_cTXY@6xOu^yp2FL6=$vf3Ef8Gk5y@H7?{P*d$yFdHii^p@HR^sF~Ili>5
z>^gVT$*9$>eE(DzKW{i4V0*th;~Br$_JyC-Z(lgg&F^?fpXH(9j2oHdXAhn|JEuf+
t&5g<1Z2J0yZg_~kN^lJ_(l}`w%@|nf_~re>*zhKg*H^U{`7-?N0|1LPdr$xX

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/customTLV/rsa-3072.bin b/scripts/tests/images/signed/customTLV/rsa-3072.bin
new file mode 100644
index 0000000000000000000000000000000000000000..9cbfc4c22156dcaaef002f04b0a941cf99422ea5
GIT binary patch
literal 2522
zcmcEB@p&2p2(WMgF_^``2%*5_|4}d+0;3@?Y(oGktB*2ALtr!nMpy`NWO6YqU|?ck
z_|Kksfl+`#fnn`2yUrRzo4W}dNB%5*nl<gSnBZ|yUdDoJZFMeUwVX|iKsEE$3v*P>
zIrrb=xIlP89oMqc`<yEKv=`^?@oZ0QKDnGznW2GE=P^T^>U_=oH?QV<FWl{VJO9{O
zyX4IRwQGX^v*vDhzi<0%p>Y5CjV#g=E_B{-Uz%#nlpLJAG$DRj!l9Cqqqiz^KW-H-
zJUVxQUdArRzMjtGZ|1eVGQTX5eRkrF2^Ta2yjgdD_jo;n*ERi4=wzO6zb9;T-{HC9
zfQoU@)JP5M{bjxRha*gLe)n=--?Zqrjn)?{{p9f7>{;#;--#x*D{&t`6)^n{+rs@h
zO>**u_s%Qzww-&N|4p|yJAd|Zt-DR9^-djecRhM#!(8^Mw%>~VS2O>$v59ei#*xN!
z>+VIX^^4-;-8~MdS!{GY8z*DsvRaej@vh9n9|N~eeYunU&f=A6XZE^Gi`5bGkN+rk
zU0~lG@#Rr1@$3T0oI&2}SFI7(nl$nJj{k?!z7%FC-tC^Ox_j<M-j`F3>wM0NUCLsp
z_~v)}C+mw(xFhemFlQ|H+8&(g`KxNfeO2*j-Y;f+M>lZs2NnF-_v+c-UvjHO92NML
ZCp_^J4Ba-lqjQf>ctzdIPt2Zt8vweBzVQG6

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/encryptedClear/ecdsa-p256.enc b/scripts/tests/images/signed/encryptedClear/ecdsa-p256.enc
new file mode 100644
index 0000000000000000000000000000000000000000..80466ba8759aac12782fd7875b07348fe23c9ff2
GIT binary patch
literal 2315
zcmcEB@p&2p2(Umfh++isq2T{07!85Z5E!;00L$m2^k@i-hQP=R0rpI8Mgax|2H#mW
zo#%RFcAmJ+_rv~tY(==N6-)i5;HSQ=jpw7TnB*`5)x3FCDzwPqUX?KKC!Y+F^Z!pt
z^vuaU9JR(M?W~hbWpkergByc^3zGuVBI&)63*u8}@7~brBF}&Q<z{{M<KI1I#;7`|
z*-!IIVp51b^8cybo^3hjKK@^_eU9<pXO-;se_noz{Kx%AA?0hPi4j8~1B-dkv#5QH
z#|(eStBd|$VUjg<&&gv4UH#6z^q9-IrBGl}Mtvg3&zWbcY*%QcXq6whT@%v2?Y(PU
z^CB60&$bCy8@}5yS_fI$`nnx(vsk#y&3R_vq<3rMRAO#Ot?VveHG9s_>eUx_7bN@j
Mf9+ep{o37C02YB--v9sr

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/encryptedClear/ecdsa-p384.enc b/scripts/tests/images/signed/encryptedClear/ecdsa-p384.enc
new file mode 100644
index 0000000000000000000000000000000000000000..cb10e4da3257f6c95949d950e6340f3ce687a881
GIT binary patch
literal 2262
zcmcEB@p&2p2(Umfh++isq2T{07!85Z5E!;00L$m2^k@i-hQP=R0rt#m41x>>4B06w
zrgS_Elybke@#ep6OJBe9uiL(QjdzvN!<4jVwX*wmh81v3o0D+9>E+Qr(-=QJMxY)k
zyQspCfAwQDe7%LHIPQ6sY|oa+6JMhJ&x~1a*9`87yT1i`7pyKU-}N|J{6u)cY9)p=
z27?qP1IDs{_xK}LR~`Ah;s!^>UjZBE^TAAM`(3PBq^h1vu=1Wf^Et?)!{>dggTR`T
z3<sYu8B}sjx$)x3%UOo~PuKS~Xl+{Io3_%U#QwEd;`+&Z`X?8@(7x~VB5Q+@^zoQe
Jm)_R80RUliLSz5{

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/encryptedClear/ed25519.enc b/scripts/tests/images/signed/encryptedClear/ed25519.enc
new file mode 100644
index 0000000000000000000000000000000000000000..c4fa606285c6e4c2cc2f67807d32e0e8c43fae15
GIT binary patch
literal 2276
zcmcEB@p&2p2(Umfh++isq2T{07!85Z5E!;00L$m2^k@i-hQP=R0rt!%3<3-a48F5$
zI?wgU>^yOs?}z>Q*otsjE0+3A!B2f#8_!2wG09;Bs!`k1_JQS4qUp!%Z_}D4O?mw6
z#gvyTj>{i3T)<ZOGJow>6$S@}M{gy6b3~QY9sjM`xuD)&qs!feXU_MTp&uhmY#gVX
z3*6LOes57^)b+o!)Gl&M?$%p9J0Wa$qHoJt(bnHA$<J7g83Gt4wH<WeajxrdNW7CG
z7kMeaP)(Fex=u!b>t=O=n{1=W2gffT%GSFo^CYbJAGTrB$p@Cp!|GN>trg$1yduJP
Y-s2aVi&riyJU4Ie!j8^EAMMuw05UR39{>OV

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/encryptedClear/rsa-2048.enc b/scripts/tests/images/signed/encryptedClear/rsa-2048.enc
new file mode 100644
index 0000000000000000000000000000000000000000..c931e759b0e83fb6fa74706f13e3652372f3e312
GIT binary patch
literal 2644
zcmcEB@p&2p2(Umfh++isq2T{07!85Z5E!;00L$m2^k@i-hQP=R0rt!gCIJQo2H#mW
zo#%RFcAmJ+_rv~tY(==N6-)i5;HSQ=jpw7TnB*`5)vVdqD_vwK)$8sqD|*9MWM%(%
znWVcP-<ur%E>q;)r{JalY&uBi%xivdZ^p4OKIXR@9<?|=Q1A%wtL)4yy>$QI|4AOz
zHzY1!`XzkzwoD~QZSnaSV_8o3X~`kZj_&*7Y9n5q*Ya#mb<A;Jv^FjJx?szf|J<eZ
z{9<>@>iihoB0Te?4)+*V)TN$tR{OHI#mwV}@$VTnPd*uiERJ6rtdz9N>{v|UwN-g0
zjSE+CSm|&Vc+UNx^T%fH9qvCq%mq11*BZPO;-4>CA()a|^E4+i?%0-P=i0wClq?tM
z{V^@2^5^OqR;LSD?!M8H>fHZyatr&arq_j$Gc%_4UZ0gd*DjXfBuC@&mCc_vp7{~k
zyDR9!j)3cXPgb$Nx^g5ZAt!=on`evKx2x#}z%cMC-`~^pSK;NyP0n}T`nO2GG4whg
zlrC)R|Mz0|ffYq(rno+RmX!P}fAf;i^QYBvq%QZqw~r8uD^xA{6~!1b>r)s*vl;(s
zmCPdd`-Pi%o;;ajutzs?(n)XrC*LePUain&?^I4Q=Bazx=%9an!O8!7G}1QoX0r6n
z*%-;RjosgQnuhO@wKoj*y(#ip&lsb&-sQjvuEP@SyR;P^t!(G;+bq_$a2@lD+fAot
z=ol}t*{}B9<$XAFrtHt>?ZNJ+^+IYVCEv8^)Sotc&tJ9G<*n_-7R!Y^7G2W+sBrP7
svya!xXB)ftq_sAGEc@Q|Dd}%s&MafT2|G<*sA>dPeSF>;9r&~j09Y3MK>z>%

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/encryptedClear/rsa-3072.enc b/scripts/tests/images/signed/encryptedClear/rsa-3072.enc
new file mode 100644
index 0000000000000000000000000000000000000000..1f13d3268f2128d501f8493ba06cd2bb539c2e99
GIT binary patch
literal 2900
zcmcEB@p&2p2(Umfh++isq2T{07!85Z5E!;00L$m2^k@i-hQP=R0rt!gW&s8T2H#mW
zo#%RFcAmJ+_rv~tY(==N6-)i5;HSQ=jpw7TnB*`5)y!Kj%uzMx+<%Yb0^tR9T+2@H
zbE@pqUYxhbvpuo-<Z@1Bh6ctk&A&Cp>ZOcVf=;P!3>FLfvh{wNiJ<<;6-LGkmB(Zi
zFL8u2S#-DT6j!`ovf+8YuBZGB&fS8JDHHbXeRwqEt-}L3HU08m&3z|kx*WQ_u%_~G
z!SpFYt{dL;a~N%?Xx}3L>>}&y{!GP?iq48A-RasK*Nr{G^w-)eFA-FA|G4CR@aHcd
z6Q+j#Tm6k&Z2duYdl|__g)&F>)VRjzEh7HAIrI*+a^yL_+<Uj(wo{J%yT;}}+?;h1
z;$NGVcqPgH`*&u6_tw>0wlJ6aFgwgi<T>CId-BSOmIZgU!VV^`Q@^D6`jn-Z>por^
zvE>Da_THJj@MY}J(~TjL7Srx`<#m6rb3KvneRSKzUkwRseOD_U-W<J7V_VCc^zPoJ
z4^}<cZoE+?c=@%+4zJ5be}4<UGMLmp|8!Je&nB+Bc|okL+dL=lxc~C|t~)Aa`-6Y>
zxUP7$vvLm8$?%*ttjXIHpS|aw8sn@{X(cV(cz;IlW$#Z>ry~otn6HkrKYOr$_t8iC
zU*&rL{%+i20E~m=KY!+k-f(^R?R(7X1s02sw_EOT6<xM-Z}$VqNBOxIUrH3eJ$cY2
zYt7PYR~H?=nx~PIb+Y9|(3#`;+h5<+-*&_Lj>W^9rD4|;6HisN2``_#KW1s0H{Tk*
zU^d6heT$<LcZFJr=-FJ9IND?vW~x)aNZcuuDXie~<HQq*e~)oZQtV1fzB%!SOVHaM
z*}dM!PAq-=O(V(ic-In(gFkpL=E|4LnoN7jCAc~2;`B4jcO#lteL1h!XLspn$h^J5
z&u{KZ%Dn8d?v7RbVwo?zyJ`eA6t#kTLw-A-Z*zM1cKM0Nj@<eS-aOgz;4e$ml0Oe0
zT-f^HyOU<Yyb}WV--TVVX^vd-`1P`d@Ap;6>LhUdYVgPsWI1N|xytS8%J~6Ig(lN_
z0z<bRKbCC3)-3o)O*z_l!tdj8QU+>?$Ml#~jQdX7cV_-Nn)@hjW!lDP%sKvbV)sw4
zQc;<5{;2Xr)h`WN&-_y)9T#k>i+J@*PDg{M_^L|Ni`1pl)=ko$nf0oQZ+HC76>6MP
Fs{y7KgKhu-

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/noKey/noKey256.bin b/scripts/tests/images/signed/noKey/noKey256.bin
new file mode 100644
index 0000000000000000000000000000000000000000..b8e68fb315c2315c6e0930d14fa731f3b60e23ec
GIT binary patch
literal 1096
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>R@3<AK?fpJFT+Lv3^H_p##x}DG&
XK6$-B@1KQ}p67V(yJP%YVAliygVq%t

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/no_pad_sig_enc_16.bin b/scripts/tests/images/signed/no_pad_sig_enc_16.bin
new file mode 100644
index 0000000000000000000000000000000000000000..15eaadbddd11c0da2a33116ceea044f33d3b580a
GIT binary patch
literal 2644
zcmeH}`!^GeAIBFHO3@?t`z3~4a*s`BPch8(k-JcaqGe(vL+)ndn;IvNe3{1DGq)x~
z$Yr72hFp6x3Au~MWiIor^Zou6-_z@y_xYUnIq#odKYbvKEh6A2!2jmwIq|dqkK<qb
zGVsg5|E+;Au9DBfSy2h;;ESKZg`b@!-1pXn2@P?hTFOP%Y7y9jkG?xALUj|D36bB6
zW~NS_Yk!n~7vM-nu8>@VNTt8yV`IB=O&`+&U6Wzc6`(Pur)^N_@r6AFBTMV!Y_W{)
zR+}ShK~keq6|Am)0rN+N?pQ4{**<-IB+=6UH9_GvCL|h-*VCS98AlDrA9KoLdj4Y4
zTjDs)nVZ*E*0{a+rGG%4W(tn|M&#FR{abG5K}PO5%c5upgX8!To}|1{QbleK>Vwy(
z)pNs2;s&@77h_h8X(eXa`Ot7-$7kNWkoS9~R~9S`bKvc$s7H+4weD2BLrhgt8`j_a
z_U5i^>!++m^BHEb;0Lw~b=WW#HIorI$&$((H4S(4)GI&4gSO$d26PU!J4Dn@LeW|L
zB_*X4O4TUfkt5-5sy{EYqtouI_ogSOt&}&M!kJgXsS5*UE$<$PI8G@0QwiTD8}kbQ
zKIXb=I!Z{LDmZ+>iWcMc2r(SfPyo61*V}V3d@ijnU|BakM<IX2=HkOaY5%4g4tX^3
zWRU>sC^`{l?+b$pm5{TeN&Dt1{?9#H1G<RMKWSV^DfYAQq1VGq+U~^hX=bUsYni_c
zB6maA1fDEC!<?rdx;L+-Ox>1hx=Ndt^7-2YiA~(9mH{5@4?!wokv`l^FQxDCNuZ^h
z+4;H-j;YAA-D_|7)}w}%2oCjXM+d%6Y_@IG-1$*2`Sj6%Ygz>(XxSK2Zz{-l{3Bq_
zpQ}%z2@HRgMDR$MZa{%Kb$Ze_g6U1OSR>B{waU8MWl(t0THGVoPdpd%Vk4N9!hFJc
zaGnbi5O|qDZ5Ud*bT2bcH6m~~RR?o=CSq0|E_Z3b?V*jlHzHL&$yAl}%8A%>WvG}@
zpW7ku@Ap)4WD;}|R#C=(J;P(&G|Zy2N+m_y#N3R0+S>z4!i_myebcVh(JtI0HW1u6
zq72!c*Vi@BJT8V?@`_bq*~gr21n{0dqpNDgMvAa_AhIp=V9uU9qx|^N{m%YLlblP0
z4EN9FkfmP3gdJ%0)|IL3_J73*d2*s;4J$WrmsPPHlWe0Ww><Jh_Fl;Nq&R)k(;Sb&
z-wM^bPIa#3r0Xg?{gY5yGr$*!qT7B6uZto>bvjWmt3&=gU-S8ZgNftqaQ(nZTJ_3I
zW@=oHsP}^nrmEjZN=3(1irI+}XQfhD&o35W)Z?+-YV(9P<q=j9iXnvK7m3{F1u~-D
ziPh3PD2Ri~Z!!438@m8Tq|EdXmGhbo0VeLp3F~V1Q<nX#DadwwiWOq0U192F;by$G
zHcLj;)$MdRUlG3gLeKc=M%JD8;x~$$jlq5_*G<3C%!(BL&_8%Y0Ez&_GjL{qwroT9
z)Y-i&1HLita%RAUTGu&5YSMt$h+)`?ADhNCof^j$W>UH4cd0dR;-p}*ckO;Xicfs*
zZIJT`Kak>&*Fk1M`>3p(A&AdMTQTe!Moy`TdeECfCI6<VxTGcAEW{HT2rnD(%mEC{
zI$U6oUQO8zE1+A{?SyS*Zp`a`T?G_nNLAXi$1<m@x>~40VxZO<eklQT8bwRP#HRfr
zxnfAp;f1#PG+#3~opHopo0{+n2@e7v?G_0?@wruXCS;vrN*)7vs5ppyDK@rp(NAnS
zl~Y2IG~Rzoc>IDbD*Jj_KqL5(#TS_&%hlVNjRxIx&(@~2kOG^f5G}!qKC~Tej^bOD
zW5XK?RE@IIj?10IT7L~3XEZNPpR1o0L{%d6ohaot0c(tOQ$U&QBDS&XUR_Ve3rLwr
zhU9g<9}bkSe#Plo-mRB~cCLnBbF7OiqmILY+bgi&m~TZo5*m!XacEELlUxgoFf-sw
z+B&C#AGcKSK9Bg1mrO3LPkxJ7$C}?5To0dqQ<BEN;!2oM1Io3g^wGGAb^+EdIG6IJ
z!!g0fgWwZ1w=8p1=_a(SsuxR|<1%(WmL@lwxs+h!?-j|7G8+dV<7cAtm7mr3?MvIg
znjLJSMfNvrvoFv#p2~(wI@JlBnXV~(w>S}Ov7^jhiaz4a?*O#{$9<2&CSStj5P>s>
z2BmptgM4YO_bAi@@JxaGgRH6WTlvnv?{lrN8%QI5a<qg|8>yMKYRNpso))lWc~+PH
E2g79qzW@LL

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/no_pad_sig_enc_16_inv.bin b/scripts/tests/images/signed/no_pad_sig_enc_16_inv.bin
new file mode 100644
index 0000000000000000000000000000000000000000..d3ced947a1a24d14e2ec1d4f200835c6d786f362
GIT binary patch
literal 2644
zcmeH}`9BkmAICSJ%@NHIbFD2SA4kGa=9p_{xjN=(R!JYD9BYMK%aKe&`zRt2a;L^h
zWFm}@B+=YNDL3W5$+sTg&tLI*^n5&CkN4yCc)Wgk{`59^xpWWk3()`b>i~cCf7$)b
zZv(##{AUf6OPbCq>JY(jtc^N{eZIC5rkE2l-<nYj{5Bx9<3>U~Q4(><OO#>9DQ|2y
zI6Xi*j`@|usLpnq9<YzRXXMvuBUSW+_kyd^X_5bpI_iY}`o3_!7zwx<sQSlvB*iTI
z&B~|oNCUz_h*n+h+Yx5p%-Cjk*V37ykA0F0OT$M%q^cQ(QgXVciBKb@gE|XO?s5OC
zK6(?uph&4t)>t*w=2Wg*v-~t^*824RB7dv*ba(1Iqw`S-7??>)U9^dYc9v($YtY%0
zaI-Tt#bgBs>V@VUwZB1Ihdk3XhCioM!}vz55_`kQ?V|5#icM<im&<&i4B5ySxc^Wc
z4)8~c)KroEJ_!>9W}i-LD7z|PhHnE5pb6;KQ#Qcg#Vy)<1WFybmP>+8L7~JPV9W=I
zo&J2EnWsm5p*vd;mM>a~n9Uhn{Yc*RH?@)=du})RUp_ByR^e@{89ZKC7&Vn3c~X2f
zIr9jt{Ck7aDeV`-45JRKsW*+R6<Lq<o%%g?miA_FZcyBDi1?*!P-CGAwAf4R;`~<y
z$G&Z?oP%m@)H&~rK?C*I6nE5hmk&^$N03D@MeDjLU;6e&X~Dj-x_-A)cwgY8M(FYM
ziX5)<v2Vo#^~5<PdXJQuAuVOD^VOX1E=|lkm3m5CJuv=J`@LiB3yLSqcX|`)oHBa6
zZ0DS)oQ&?Ypmi(OJPf9X$npe#^MmMkH@cyy7MS^@kgq}Ffi|*TXs5$}W=jG>SoIbn
zvz1{5euLst{iJHbS%C;=QA17nJ5L!JQ^=89thj+{{WMxE0vye_e<n9-i0vt<iNV&^
zps3%EsRFt(lWLC|$cPT8xm?a&BpXy8Aj4*_vv8Bd92}u!?rw(N+UY69Rt?N;4zmdL
zjNtTYHA(Q%tV1Daxl>$hQCdf*;)9N_MarfTFOir5jQ4!o_Gd)32b)8pbxA9i3S#fJ
z=F>G(m)$VZ7z%jVNANC4bbsA&+O_rN+f{a4ts#{#=4S$xpI_;tv6mMq4>2elAz36F
zm5tcC$0}Dlte6`$TsWCBihm!ilaXX@lj1k9@Pm=9YFUWBx(Iu=A(M-WeK6|dHW1+F
zL4V5TION+Y1q(Op<@Fqjybf+!5bjkG(WSX@;ZRgKS>1`s;)e9U6G^>kz&N^DoBd>(
z@Z$k~<(5YAR<kArd{hrtz)|k7Cj>rBLrNjm$2)9B)sg)k5Is3-f0a+{0~c}JJfC>Z
z74j9{@G3R#oKQoJAtX+C>S_?WB0@poX^R1u=l$VQg3-gr0z$E?is{l>wMPpn4G(y!
z75tFDouYSKO5@eDCSGChAEq`nA#ogf+XY!<gxre?0^;yXp^HQTC;$ntPdC2xK0&eS
z%^+kQ+kPh41&#qlJUcaJe>19`)TQSO{JF^r1)ZE%^SkR>Kz=e;WEe{_lH6<aT-Rkv
zyBB+e-sy(?`8wb|HVv8h%z!(>62`#A?EqF!ro%f%-o1W-b=>La@YJ`J5{O6KiW}AL
z=R~4IO(w!E6~Dkq+iVK|iBj7*b|m~Sq{E=TJpQ)XOuN3^Kl>QtA~L--_AKAF_>@gx
z6tFlWWUX4RoEx}*!L^;uR3m?`)?q^Tzf-m7t1`dL7i&=W+OlLF6jL*^DuI67^70oc
z(5j2;LAb_v2_52BiCzmI+PHe(bt^0gpN5TZ1y4Wz(gJ&FE$&Fj@-*hjk0&&nq{8ID
z{Pv*X2@UhpQ05V|G9`We>odX_i<qg$4)g6Uy#wBmH8gLAw#)b8LNY5vlC*_KojXr>
z;0f-N+CLr8w2nJQrM|Ix=(;tL>lOTi<M489k1-1QqV?D=(RgrV@4RsR**({Is20J=
z*URX-`cK=VUbfa;Z2npix0}jIoMtMM<XYh)>Dssm3~r-auWU0}bT?R$)E01V7n_$@
zWo-42b7}aZ$^c+q2I7ixLKk#Qod~**#``3zq1@o3jsQ`1Sh?-sm&|^U-gCO^BDO2w
zgaq+UNqH6+z$5S{I`-zPd0ko)wmq;kH@*_{I1A3Ki}vg<IaIqiw0?usxIvj|6oTl?
zO*@0GbnHameB^5jeT&XZUAvJJM?2fqb5mCyj%OXVVzyw!(t1sy2o0tjF+y*3Xus7O
F{eOu0<Qo70

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pad/padNoEnc.bin b/scripts/tests/images/signed/pad/padNoEnc.bin
new file mode 100644
index 0000000000000000000000000000000000000000..dfa44cfcd998850ca5d994defcaccd2273e18bd3
GIT binary patch
literal 1536
zcmcEB@p&2p5Ga5M77)R}zzCs6$<YuP4S^9J0_>R@3<AK?fpJFT+Lv3^H_p##x}DG&
uK6$-B@1KQ}p67V(yJP%YVAq8IqhLscK>4AmpA#;<uQv?};Mdt!*#H16Z^Nbl

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pad_2.3K_sig_enc_16_inv.bin b/scripts/tests/images/signed/pad_2.3K_sig_enc_16_inv.bin
new file mode 100644
index 0000000000000000000000000000000000000000..8b81eebb33350967b22e3a951f0ffb8ba21b10b2
GIT binary patch
literal 8960
zcmeI!`8U-29|!Qk%`$Fd=vb1i5urwImRw^p7%3Vf`_fz)S&DM4GZ>8}3>Rf9G}K_S
zQ<fx?<<4AdNcP5-tYe8J%UHg3zTZFMd+zx>&v~8qd7bn6<@NaG^+vwlcm(>HU;bM^
zAD*B6|8fWf5C8=JwF0zkD(=-IHSdmEJapImu4D50E_HLpN{gs6b!*+by~<^w4KHL}
z8<d>p?(3JpnmCVyKkhGRKL!7;fwi6WKMXIwtcyI5KkyF?^T1R?p@F`9_+KxSkVax;
zn(3%ck!MwHNf%AfJ`N0<0ue<kY$GPCLCcTF(9xt*L(tah>Bp{Xa^$#KxvqMIGMIuu
ztPiQS%JML~VlOO~%*#u@p&(}QX%w`BOoEwZootSzU5|p;$--HpEB8&r*+trhX)Gf!
z7dlMO|1GXBsNi|7>3c%mIr`O|u%4ahqDxo;wsx`9Ud!e}8{ursW`p~(zQ6;ucax&W
z>^?X<@u~Y^sWLQLsVLZ_3%?g-=pi?0H1_8QO@@*C-!8O7urOzbfyyuC*hY;Ls@RgH
za47ghch7Mz4h){(^-sZmv%*J-y9cA_Q!BeUwNi!lh0!{VBA1Vv6$waIcY7^`WJ7C?
zB<I~THzd*4-0c0A1t}dMvz8>T?4U)2l>n#;(wljrE;#%#GwXG5u99WFS5kjFeaX!#
zLVeiysPGc}cXU1~`oj#9I(Mg&M%3|ODDyXM6w=am13W*Qx3gel@dmkL;OKW}#>dC+
zSb310L%2?=V%o^|#F~uj7!nURDEP(b`F^6r<sP#2(&P5b?S0LzBUZ>!$!??aeHtBi
zM^`cgZPu78k*KLPIP}zjb4%~f7S_yX#qLJF(3_|Eh;<&?k!69>``0!ZEcC1d=Vlm@
zKVFi5II_C)3q-^2l50DH0R7xEaXpO?O0AHZ4SjGdt!7}nd*KYILXU;fP{}JY6yGRg
z22lt6-*Q9lHt8}Y9yPxqgwMLiz#0(uPx_A~Caq_L2%u2-(f6%UO%lsh*7>Ks#Z&pE
zxkEQUU5!_D8424)ELCEbPmW?nyV{Id#;9^;)y1Rf>l^s5u`PC?2iObo1|XPvvg-)M
zRGmLvS{BwQwRl+5+S^FHI=%%niq9$IIp@9^X`N$+sW|FtKI|y!Zk7HWV?xq4DPI*H
zF`dc@5v|9bhx+bf1;tl;nPDoZV6*&W|A=dQOQ_nqr-l`Qw6!UeL`C}i@y#0F>F@>d
z68CkJ5ei37UQR<#i<ZTUWH%o6X_J=@l+4Wet}`rqQ#>OsrVo+A;Ys_Em(b+~;0FAp
zTD3A}m(?L9f!M5G1RJckDyU2;K51U`SGF))Lr*>L08cAXRe24Hp9EwG4HrFRWgoJK
zOP&>YL;hO3qm-wkrF|*L_{@{HBbF-uB-Jhb*I?DGHmb{<-YR{x`yGOjVy|tqH8;)7
zyMJ4(b7riTny}3zyd4!2P7tFN+(xQvhCM6M^WJP-g4hRM#!Xu@@~s7K+3-R^3Ls3j
zetb`&Ono~WvTe|dBihUA{X(v?p2fsO_Bst{`SARh5qk77fIBz*a8)HY^B#w9BRH-z
z{kSahs|idq|FnQbm%@*)!;#7@2%>+d23?8apD!;gWbD|jn{GMj?+Bhe%m|NK;90g<
zky?#$v=MqO_jglA2Dct>IO1s%>g#(Kwjs3V*eAgJ0?Vn16u}6d<FG3Xv&zx)-DNf;
zq()oxl|rkiVS2TXm|xsC{KSp%HwebPmAye+X29$Tor+K1@7=(PbP6Q<l~UskuN!%(
zLoZ3_lps<qYa1jJl|-W5=I9TPw0P*(t5pVt+N0OQ_xhwQ_mt&89js%6J8Mr7Z8oCf
ziMv+_FFu{1f=Y|Or&bP_*jD8o=D$=Dv)DitQLHac*fv+Kl;eD++LeY<aWVG{ihUrK
zM$`OU!ESl>p`4$_4}+8z(`$QdlrSZ+UZTu%5&>pE)SZl{s7Y4r<DUEJyiDbKrn=Q+
zjLtdR#@&w0`F3h<M=h;k6@%pPvQPh!;DGjX4wk9^GLI4rkj63;soI%^ucjxGmCaD(
zkFp%w*r4t&vA=<jXV<eUALO|F3RmZ;gAaN@h!&F`^5e-18;4k%ue{_zhj;gj+d_27
z6*R9u^mgswS62sLNb!XB$CBL&Cm@P*#g@)ohbx(a?2Zw|!TYN87)W2X>(|FK-uwI!
zM4?`?fH}U1NT-|=&h|!%@!NZ>oYf*KXosit8c#Mv2cNek3~2X=&#RO<h17UX1>$DP
zl)p_Qe{WJG{A-UTuoxf!2mk_r03ZMe00MvjAOHve0)PM@00;mAfB+x>2mk_r03ZMe
X{9g({LGVvFRYTz<f+tl}M84!d!jO;R

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pad_sig_enc_16.bin b/scripts/tests/images/signed/pad_sig_enc_16.bin
new file mode 100644
index 0000000000000000000000000000000000000000..747d7aa9857f14c087fb4e931f959b7ecb759019
GIT binary patch
literal 65536
zcmeI!`8O1L9|v%gv6Zr=Yb~XfL9$#~CM8lC64#ccLe5wo*%Iop4rRH62~n0%*}36~
zhOs2iD3YR*M!HBUQkF)I+&a(mS9IR*b3W&LKIeRX`MiGle2p4rGx>go_`mx35PtUm
z&oTl52>h}FvT19q`I`I=r<CN*Rc(o|-1J(JuDnUyFo(xAv0tf2;tXXch<b4|R#*2X
zYiTc^ommVcNu_Pd4CODfHnqJ`VBMujAt&9-p!0SYa7M{1I;q{mO}vhgdHzoe60IIY
zx$QTi6_O3h#f_tTyC2Jh-V+~}p;wC1iKCOvmF+v6M$*qEDBG>PLG?{9R8oH-!=Bhi
z_Dnj`e0@G$l+6ym9QZ6%QSD5`#u3-kBNKFoCuP>h{zYl(dC~vZQNpy>$?pdJ*-NHw
z`my%$9k~w*Y#vFTQcgNMBS{WukZuh){&)7JuNBT+ErS;gvUjEII_}%o(M#RG=%({o
z!>(}g<}=o3&0?M9fp!wFFi7h)$81xgo^fjP+7D*Jz144n`5gb8JLp@|<e40)Y$P;e
zax=GCi1$8Pw4TM1TIHE3WaD=^Ro75xU(OvxR<(zZucL5SH)9=r^JVp$5eH`@V;*%?
zF}U<6{c05+w)8)%cAHBK8HZ*NE~Oc6wl16AzsY8@^IKC*-VC|JHK}pe?qQ|WM}khb
zOKSp5sf4_Zy50UnrW5l^iFHw|HqoawK+0xB#>5~w@yOHYaU(I^5F=xaJ_fP(3FB?S
zd~nWUD1CfAnY8adgT~rLSn11iAERwk4C}im_k82Fqo&Lw6W8LtX$Zt6NT;;cSZHW<
zUH;?y!#P&GpGI62Cxxsg>^63`XqedPEYscbeKm>7&VHIZerT7Pagw}>6yNi@-%X0g
z9c7n$>n%Nt?=%!997qtGaj`icocm4JmCs<rh+6u^JVlqi7&Nv%nWp`+R%gvRp}QJQ
z@som&Kdp7{n|Do!N}#RHv5ZxjbUU-;eZj%YDuUo--V-ZbesqJ7>K}sf0yCXrbrd=O
z72QM&9>wjT$d=$E+Zve+hc6E{-}*W=&9~5+qi~YF=W4C6!K=OMx}15zRv!jeC4R@X
zl{?;aE<14CvOTUo@6LKCwRQa|A8BbH(&4=YGvlPshMh5EWGDWdr&(bpFX}7vj@L=F
zRa@BUyg3r{T=EnzrKi<#-6e(g3k}N)6#gRf<IE7p*~K@3-$(;zF2{C>zbzf1HGYjT
z9J7$$DK+)7=x*#_m|5{XuLBzsDX-d6rT-IYm?hH5QgjHbZp<GIdFg(PqNO+ZrcA7y
zp6?bMXc|`eQX=8RgiAI57KKj!YT9V^ftgvU;`FLkM$1gC=e{a|ljXVL=h77A7Y;YN
z)VszGsSXTm@y}IW4m+lBOYXlX@~Nw|ZoA4nE_1F>sPn$wZZ5a9niQhXndtLAAn?i9
zejD?*k|8^@q4K{@bY=FiI3)QxlX9iw(GqheRvY>U((0u<jFg!<6?=$DefJ5es|xoD
zcZkmZdwHkeh!E9wg*cxQA0@}|;=^QxM)uGe?w($kv-XPm#K>DV;}lwSuT#IaFX6|G
z^Vd|yb+3<0+_M35Hz^`*4pyy9&7`G}1#(lv;O^3oN<Y31^;47-7qMW0>D!C>7PaTS
zm{%%O{U@h9ce=Zq>$z8QxLnV*)TYwRf|k5@v&*W<R+BY7^K7sE0k?|u=a*Di&y+tO
zG!uBX^I}M{M^T&`H^M{2L(fIEEbh#PgwiMJf2Zm(!gC9r#@@X{-lA>$w#$*p@d+F|
z=BYE=r|euaP(kjJ9_7F0E|n$S-Km*dRs42HBy9~rK={<97Pr8K>UVuE(<RH%TYGd{
zuk`n*N7wtrN0=+DHlpoL&<S$Lc+Y*cK7FsOyowy#p*idNl^~^$As?a?tQavvcj&Wh
zCxNKgMJkaxEv#^qs#{k$ZxNt>vVdn#KXs$I{A;mS<7uItKMdYg@XQ6SM9yXUu|x06
zeJpr16w~oxYX%|d&_1;i!pDb<C|cW??DMHw*`Ub4sc`8;cdHz3Fj?=ndRJ!dRs)}`
zF~cbLQ9t+7&B0<dcej6V@%B>6+1_@@ucckx;9a65>zucurrqzV85LuX9!F|rUa-11
zCw9``vEaTfP5I*8k^4n`L+{DygGmQ#PqWM#UparLv(&TfBrWBHyn_OhY~&3eG{^MC
z3P<}Y>1aP5sT-u3`*x5t6lK){IHGon9m7VZ)ckL~qFIFx_GoT)&zr5$FylGBa*Ufk
zdPZM|F`U@07k<9G^F3ePIm=<=NtNDloxFGZCDU(w3hxhK2rmAz#}bP{00Izz00bZa
z0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z
z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=
z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf
zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_
z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz
z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<
j0uX=z1Rwwb2teQ$7ZB%Dd+oAg@2Zqgud5Pb8xsEk7zV%?

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pad_sig_enc_16_inv.bin b/scripts/tests/images/signed/pad_sig_enc_16_inv.bin
new file mode 100644
index 0000000000000000000000000000000000000000..7ebccb2a26fb9def614da7494fc9045a3ebf3027
GIT binary patch
literal 65536
zcmeI!`8O2$8wc<qQl~~&5tB@^G+JC)y9uR~ZKh~4l~6=NT%~4++t{^`l<u|PMCe*(
zOxeml3^#ja8Io)zBPFe<zIDF$ujstr=RD_go^zgGp4TtW$GCL*Pr{E#{J(xYVn6!-
z@(qCi1b$k9Em{ktpYW8(%_~0mIEZVLHRpAOolota49JSuar%QycvH=nImWZvoD-k7
zr&iG9XW!~>|0q_cbTrMp^RB-ob0p$pM53nbowaA@sh!`H>GW`5BIQHprFyQ(_{nTN
z2_kP^<Gy-TM#3(Y)lR)BQepAMJ`R+}Gp^Dd_WG*x=EiR4F77B(w!07)lzq6`Rnc2#
z_S=EDmlYPp5oS5wFC%SU2sIrvXqtHn9QEMqiK6Vvy-k;{irPE<j3^Xs*F)l4XO6`T
z?9k*r3cE?EA&dN_nEdeN*FqE~O#JwbZRfeZ@7N7V8UwV{$$UObP}ViT8}2u-Z|8{C
zdPQhAHA<A~rAMA!Zk#MM&QBKD*-XdREjHi$Y-4(;_Q&}RpBh8okWC6(xZjGH>Pa2-
zWph%bV^T}U*zYwNynX4?E)4tqJ1>bd)emumOIEC^trfqyUURgTrlAtxeK3RjyGK+9
z*@>;#o1p#8&0(`$Ka;wE&hK`y5Lif+e~lV&B;R;b&_UXKp-$xeg#C`+XT(WoM$C8L
z%Wi%z<x#ycmcIAl2&J>SzDw9svenDxzRfG11;I}6^z!%)S^2rtMS+T63`-*??!}Ar
zYaaQ=L^hv^GI%%B5H|42GCNb^;1T*3y|o^voaJ6})XuqE^Th*vRGI=WXlQMkN@(w0
zEhalZ<-S<bD-(^{(_U+4z4ZOBx+mym=B{HY^<^8+@M2@F2F6NlGH8#8e>F4G#vk(e
z(esP`HKV4Jnm@#}49|ovOQx&5ow;>-{j?Z0{FaBas=?i7*PJiQ_jg!rYtTE|W>*;U
zT>ZBx0^?tK)<03thIcJ28>i+!UMd~3-ROi~!amO57LzWCp5}ChYjjXgLEy)*rRmF7
zrUfN&ua;(*FQ~m)werr@fU<z)d1<st(+$h!-pbgt`n=YtKQgl9%U6D{*ic>3_=vY;
z<OgGG#vW0JUfULispxcYnP`!mka#A&MDF0=VBf<=%4=f$z~O;o3oT<_37(qktoyY8
z>pJ-smUQSCHI9=%J2SCw*}a{C*}pGVvGt9(ou{<OQ}%qEUofX~_EL1;tv$mE+Jr2&
zy4ji+dxv-Y(dBlEey{m!p_p!KLy_-qlkX#=`lp_huS*$v(B({sj=LB;ZP%AUFUfXv
z>CI^)+Ee?BycLJE{wnV1q8`<u#JccEC67%^*NRHzoCp7WZmz#IaW7A(8gprtRUuJu
zBO}bU_A&Q)C97O8pK@d@E1%V^VWyHxH`%5;tIevGjM$TNCXd@e^`U9>EXo<B4;_fs
zk0cr1m$Yu(Es|Cps%S`M$45DJaWm<K%JQX8`wS_8GK^KZkrM9gY{9+u!NOUQ%h|bL
z^(>X8bUjNckA3355R?hDB%=$h(JRXu`=mc@ZFBVBuVg5}=FvxK5g~2%kM&N7eV@^x
z2)asq$Md2H2|gY~wsWOq@d1Z~(On~+UWOKKRCVR=Ux%I2;@3so+f4TEDE_dut5%7Z
zp~8N(!e4in|6!t7<#8pMs$g-dZ-dwIr{tJT69(s22YL47Sj(#0rkz|EmT<iA@P?L2
zoxxC9-hfYTb_*%Jc6kO>c5qL}5!F$eNTE@;`rgiijQ4V)YGI%#Hir;DefNviF{g%_
zy2Vec$QflylTJRz9WNTL7xa{FZE=cH^<%z%F4V|Of3iezM$UTLxOLW`e@ZCeC~OO=
z%#@o-N!%!GGq@|Co1{jp|I%8>C6E8z*`27vZBigH)lbY$xu<X}8-H!BdSn|G&e)-A
zw7K5imQ&qbY{QZ`LW(VT_*&OWtsz{()SVgf#`v>9YvXqVjTNo7ua_0*WjQ){Y6c`(
zUh}ptNo0>12L>pIcIJInlp%*RkKQaNUGXnpc*ivJP|@%p$*<-dSNZKpFF(qe=n3MQ
zAo5xJie{Ewg_G5%s5g$m@;wi--rZ4~yn8wJ`h%lpW}z`|^ehFlH2J|nx2g~$&N+U7
znagSW^7ii1NAF+uciPHW(Q5pfzR@TOPPW?KE(A)bR{I3$fUkD4-HXQc*XlwI@(4w<
z{uxF&!s4W4Ezy=|6I*)Cbh`?!6rW>I<ya~qME2NdT9En}$5W!ruYxjRPYlnuNO>6?
z6R%IU9@=os!|kG(Mf2CH$wMJtBZj5QlDi8e<=5P}xbDqQdn~aS1Rwwb2tWV=5P$##
zAOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|
zfB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<
z00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa
z0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z
z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=
z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf
fKmY;|fB*!3a)Dn6nuCsOO&7(m+*4$hth)F=Zsx+w

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pad_sig_enc_32.bin b/scripts/tests/images/signed/pad_sig_enc_32.bin
new file mode 100644
index 0000000000000000000000000000000000000000..ff12b2191edca77d01efdde4a62278ca4d495b24
GIT binary patch
literal 65536
zcmeI!`8O2$8wYSpBVsH~Nn=S<b}m^{WJywpa#5m@EkcDDUD=ZHO^8y{H*VdsWxH9j
zRF(#nkxNS4YuseI_9Th1yLG<bzoPSgpYxp0dCqx$d0xLfALHt&8$92$>VNh9;r-tK
zKPw0XAn?NqkZdZdN93(Uhi`c%vhvJj{@l4(;1pswyt411+KKnltgcA~R;<q@k(rpQ
zjC`YG*45l6ar}S%UAy0PrPbOZ(5lQ&I*Tgg-o$S#8R1A=nNVHDe{_hJWhSO1LF>4`
z@MMC&GxyC_k#+@Ub$|Y}OUJLxRiz^IwdPAL1-Yd03mm^RvT1Z`-i|59Lvm^nzOvIS
zN%E9W%%{N;E?x1uT$|JKCYs2G@iK}UV{*bYNNzr3tq*-wS1T>?MTGYGbh{pnt>m}G
zgg4Ve)$-@q&kryTE)I&Al;26aCLpOuZ;}2yFFvDM$Z1)$U3hq~v(+g-)o((uV0T9M
zYER8;x;EjxiO(+=D^s3E$yjhh^j#9`9n}3aDs>K%EyhU;%+bZk$*gky?IkO7K`9aQ
zTR)2CT{)enZN<3lZz}3vP$;J2Vb#Y>Xm=9pb174p)gV&+g`Y|NW6icL3(G1_@zdg@
zm^rs|ng;s%!!5SO^06GJw+wDG8?|$|nLr|J*CBO<I;xO5Kls#CP^t#Dywt3HW8j`l
z(BlkGrqWCEcfAYDj&kLbYN>R|v7NIW)(%fKHoP$-ZEk=2lDDaDLz(n|nD6U3fjF}(
z*1xKI*J#!H?q!*k)f&H*?3>6Tjx%~fgKIjb{4y7vI{mzw+t;f<e!27h_I)4v>uu8O
z=qw)bfEZ8nztWqsLmu6cBoXeeH6d(tJEHlyJE2SZ{X+h`(P@&qf&ChCvcfufnTz-S
z8?f52G56_g!lo9|imTw>=-#l;r@Zqh(<Z4i7R&RkQ_IgYd+0X$LeI`lZH{bM<<P6v
z#g4f<-R(aYC3Sgko=a-MgPoM%D!B?`Qt4d@dFP(vzNdH>;(EFLM~B-R-d<hobtoBS
zWV|TjeU|GgYB%yBKE>jvAl)MJ4x)c9SG@KEBl*mGDW?5?PN0iK@>|ZVeZ7>QlC^8j
zxyonvbT_k0ZU}{DihQMdI8ySPw1VO%oh@Z3e4PsnO^fWt{cL5*hKXPH*)*Kllfsrd
z>~;ES{a#<ufbQ$Ird`YPLgaPfx&q|$QKa#ShGt%!FVb=zgNN+22wyK=i4ZDgJ$_^D
z6>1<%($qdYD|Phxmv><i!c$Q)`pMOfKe6>&t!{T;Du|4=Or!BB))gK|YQ3PWeZ1&s
z<Ywb$t7A*8fySD2jrfeD{;}X$<MLxe56oKY`MGQIQxXTMT;G^{UJLn<V9&1j!LK{1
z+-)09y4^Fn8!-O+Y>%gxu)ld4x%}YS_sO|!_XNex-v0Q4q4D5rpW>S~lG#m#L)7x6
zPZ#VeWQ!wNr%8tN$J5%(rkf>F=ZLQ&gFEh2Q0LB*KGNeA1ZVUFUKJ%-bnrQ<_l?E&
z(OgreyI8CJe&!SBk>|0!Wpt@6N#;>ATXfc>-7VZ%cE_sdGKT@%_}F%rPTc_BZ!^Q)
z_myfd3jY!p^ohEMwrPw&+_Kw8n?}ey??gEM_3#GyZ(oP?>CGjlb~E)X^#dPIL{4eT
zgb7Kd4ev_hd${pgl>B(5*O9_@VpXcLOmev{@5P21k_{hIynQnBk6HVr>SK|@a-@a_
zJcEwzXJy`T=IeE4rar3HZx`2WI-~yca>|a#sc6Nb3&wgT^S`@!TisvQ&hht7>iV$1
zu98U+Es>pNdh0UTu9?BbN^9HHzPzHB?{c;M$Q|*EKhfQp>r_;#@7#Ee$U_Ys@lWNd
z2G%S|2WhRB2vfPrbeWTMcW>A@cHo50yLC$nIakKb8<w-1o{*jOl{=V<dTY~+{w@p?
zu-rEjV!lH-EOzB`DNjZ~Z4l9%%DT~5A6l2#!4@>A)O6GOW?=M4@fO`Hy3se+Ez?Sd
z#uF>XK1mHzJ1w+0Xl%wgu;=cn-!>9^$Xp@AP-e*h*|OpD;pxy@MmFtHcaCJzbY2;5
zDt$CL_R>{E(2&z5dt7bH=rCF8#Ok4rxu@por3t2Y6039j_k}Ps=P#;_>F?jTrBlL8
z`E`bY(CUol^Z=(LDeD+M1|#bl7c8Sq6U6v9Jx*4ZUes}GLrPVP{BKH2dX8}>TRl#O
z5^k5B_E7!Dj!@j2aZY4pH@k^4r{rA0t1GM3dp5=?u1q_NkTs+l-ckRbW&TmxZk?+_
zP3mOBamD3jm)>*sAr)uRCbK;RpS)IyvF)!DxD{TPz{gPJtodP&B^HAK1Rwwb2tWV=
z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf
zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_
z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz
z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<
z0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb
z2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##
hAOHafKmY;|fWQwfAkU-G@1|lVoJ>2BDIvBg@n5Tou{!_&

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pubKeyOnly/ecdsa-p256.bin b/scripts/tests/images/signed/pubKeyOnly/ecdsa-p256.bin
new file mode 100644
index 0000000000000000000000000000000000000000..c740f5090d173037210bd9d700b50c1cbfe1d0bc
GIT binary patch
literal 20480
zcmeIy&npCR7{~GNXrmM+93+XoaG*ruqU5lxP$DTwvlqV_a?!T-u-Ma-9~0T;pf<|Q
zj}(%F!|p+TwOYs7+%~NgStU_pHv2~?@8|G&E}z5G>+rOlrbEJ>s!TXCA%yh1NCXi0
z=K^^XhLG*=AQ=mLspFc%u)1g}+Ti+uy!^ej_NaEACz`(GGhMPf&rh?(+wBi?B?WKY
z<E1g{s%&X<Dmt{=IC|Sr;R~)fg<CYZa;nAkfN~SlYj-qbtiC5Q;=I3@Oa`pi{JT`8
z>WLTT+Le%F`rVx<Pws!VdOr02OMh@CY-+1r(H5`&$aD=`3<3xsfB*srAb<b@2q1s}
z0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*sr
xAb<b@2q1s}0tg_000IagfB*srAb<b@e^@}u-sX*Lq?Pzfpt-NNsP4o!{{u-tK>`2(

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pubKeyOnly/ecdsa-p384.bin b/scripts/tests/images/signed/pubKeyOnly/ecdsa-p384.bin
new file mode 100644
index 0000000000000000000000000000000000000000..544f8f1dfa1cc90c64f74ead826b7d299343e0c3
GIT binary patch
literal 20480
zcmeIu%_{?N9LMqBHX*d-p_FFH!E>3|%E7Y(EwbgIP>hfRZ6)(O2j#?4NVp+Sr9{Xu
zQ79#poJ5usN)i_gi+{n%`*ZkwPoMAMm9q9cEWQ)wE)RDJA^ABp0tozb0k8UV;V;x;
zeC|y(SgW+HHaeeP5^VN-$Ni=4?DA%~cfz@B?=T0+wqv8ENBXYN+1{zX{A<bgCM31g
z{PYoD9+jsH7|htXt4{MY`c*W=y0kLY`iSp<{Z+3s&6_Rj&a&Wx64QLRs1xcMX@b~K
zYpkDX7+45BoZj!uO{!Qj^fy)QdQ8T6w{Ips$oo5w9CIp@QganjntqXGb4k_O!pyuj
zU6Em|MIJeNV%d{NSh5}Ztw7%%MTGVCb5Um9X=qMOKCXPvDSq=YPJa>v5I_I{1Q0*~
z0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**
z5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R;Y1K=S+CvNQBtdHQJ87zz||E3MsM
DxvUy(

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pubKeyOnly/rsa-2048.bin b/scripts/tests/images/signed/pubKeyOnly/rsa-2048.bin
new file mode 100644
index 0000000000000000000000000000000000000000..ace017c7b343cfb4bb7c33591277413ff53ee55a
GIT binary patch
literal 20480
zcmeIy+e;Gw6vy!`mMt(^rWR_pK*_8ym|es)D$SNohq;zE!zpCpXdp2Wp}c@yXP4oS
z#!|Cjg0p5Ru|zPJM3GSW5H2krnyrUM4cx;vY*PP)-}CT0FX!ca9)3A5{ANL9q{|^%
z4uL@UZ;=Qfu)+n_Tu=%nk#-Pvwb;GG+a2AyR(I8Pwdsk(80x*Zpp%b%kp(5rJHp7#
zz?d<yJ~zQwP_QNLvm&<tb|9&G_O~x{B9K&H*daY8jZ};2jN(nkDw}%8sZnRxeq&w9
z)#E(}Cu_RI-%1^YzqG3>+Ml0zIrFH$HbXT&ZyVZpSwB^0>wS<r6fF8Q8+3(ZD()9&
zbl;6T(xmh_H2IZ-TcvGYb<X>CYgxK~Qq?+OlZm1XMc@0@ra980t@$IDQWiFCKJWb#
ze|B4H+dhTGbyJ^hYDksGYfRdo!y82D)roJr_j?Yw0zWiOVegFL&@;>2HJdqGTa)ZE
zA6E9|rN0hkK0R$|+<DF*9v`fnvxf9pSts3l+`8Dh#jn$g)8+PrPF3*nyNhKlB@;4T
z^26OudB?4BUzBHbs#r8%9{nNDB#y6*Nm*(>y2K!W00IagfB*srAb<b@2q1s}0tg_0
z00IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@
r2q1s}0tg_000IagfB*srtOx<&|1TR}b^5D5`mXFPRj%JP(%AeLjhNwP

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/signed/pubKeyOnly/rsa-3072.bin b/scripts/tests/images/signed/pubKeyOnly/rsa-3072.bin
new file mode 100644
index 0000000000000000000000000000000000000000..9f69fd658de9ddd56c2e325897627c5e32ae56c7
GIT binary patch
literal 20480
zcmeIy+e?!H7zXft<xD%wFAteFYNc2>$YbWk7>T8m3|H9{*VI(PL%I%X9_DG`A*Sh^
zF-WwTnJo`2*m7%`saau~ni%5DsbL;jU_vv^l=>UG>3J@m_vVEceitvJZTT)`Gmcwj
zvQ-oc@n@hR0D=EpU`PA_L2iBrLYm(^r*u)&CKZfDm2fIs$<j5M_-hiYUFZ3e)RYsO
zJ2kCVW|`If8-Z^~4nJpSLvOoZMw#n_WG$;GTKMjf`5{UkVG*ZEOz!zUOPKq{X4xjq
zNa%L?2|Z!uHkk?DspA^nS}@~7n|wrI@DP~NQkPV;(>A(_?3C$w@<qMSeYB<4^xpGu
zo@7eF+|T0NiRd6-oe>AH5+{U)&`a@0yc(IMGP<dQXq$j4Z;ohKob>2$$#&Hmub#ii
zTNUN3_*k#@MHX_#ih7wF;ktp!MMA^i%BUkhzIcQ?G5zH{X}7&sb>AS@%1%d}yj`ql
zntL)oG`w(bF-JN4HZjxWQ+{=wwL$C<mO5M>Q`hgiv=G9WU1yKd;<pb5a2qW@u73;k
zi_?osRPx=eL1l62FHh*Fjb@!Cj!k^G`_5&fTH3YPV)uF9>wEa#lrFI`C_1;LKD3z1
zJ}6a6Z?NB+beA4=JVukLf_s`~_#){q|GhU;B(E=Xvxh1##0VwNjz4ZOsC&&%)}(18
zuc&<<rtMQ_c|N5cICa=q$c~<x5Un^fZ0#%Db_sYsdMCqJeSws9>$Bx}W0w=DVs9W2
zfB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<
z00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00RF+fcSeQ
Uy|ZdLYRHi5eKy2`uFA;!4ST<)kpKVy

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/zero.bin b/scripts/tests/images/zero.bin
new file mode 100644
index 0000000000000000000000000000000000000000..06d7405020018ddf3cacee90fd4af10487da3d20
GIT binary patch
literal 1024
ScmZQz7zLvtFd70QH3R?z00031

literal 0
HcmV?d00001

diff --git a/scripts/tests/images/zero.hex b/scripts/tests/images/zero.hex
new file mode 100644
index 0000000000..e48389c5a0
--- /dev/null
+++ b/scripts/tests/images/zero.hex
@@ -0,0 +1,65 @@
+:10000A0001010101010101010101010101010101D6
+:10001A0001010101010101010101010101010101C6
+:10002A0001010101010101010101010101010101B6
+:10003A0001010101010101010101010101010101A6
+:10004A000101010101010101010101010101010196
+:10005A000101010101010101010101010101010186
+:10006A000101010101010101010101010101010176
+:10007A000101010101010101010101010101010166
+:10008A000101010101010101010101010101010156
+:10009A000101010101010101010101010101010146
+:1000AA000101010101010101010101010101010136
+:1000BA000101010101010101010101010101010126
+:1000CA000101010101010101010101010101010116
+:1000DA000101010101010101010101010101010106
+:1000EA0001010101010101010101010101010101F6
+:1000FA0001010101010101010101010101010101E6
+:10010A0001010101010101010101010101010101D5
+:10011A0001010101010101010101010101010101C5
+:10012A0001010101010101010101010101010101B5
+:10013A0001010101010101010101010101010101A5
+:10014A000101010101010101010101010101010195
+:10015A000101010101010101010101010101010185
+:10016A000101010101010101010101010101010175
+:10017A000101010101010101010101010101010165
+:10018A000101010101010101010101010101010155
+:10019A000101010101010101010101010101010145
+:1001AA000101010101010101010101010101010135
+:1001BA000101010101010101010101010101010125
+:1001CA000101010101010101010101010101010115
+:1001DA000101010101010101010101010101010105
+:1001EA0001010101010101010101010101010101F5
+:1001FA0001010101010101010101010101010101E5
+:10020A0001010101010101010101010101010101D4
+:10021A0001010101010101010101010101010101C4
+:10022A0001010101010101010101010101010101B4
+:10023A0001010101010101010101010101010101A4
+:10024A000101010101010101010101010101010194
+:10025A000101010101010101010101010101010184
+:10026A000101010101010101010101010101010174
+:10027A000101010101010101010101010101010164
+:10028A000101010101010101010101010101010154
+:10029A000101010101010101010101010101010144
+:1002AA000101010101010101010101010101010134
+:1002BA000101010101010101010101010101010124
+:1002CA000101010101010101010101010101010114
+:1002DA000101010101010101010101010101010104
+:1002EA0001010101010101010101010101010101F4
+:1002FA0001010101010101010101010101010101E4
+:10030A0001010101010101010101010101010101D3
+:10031A0001010101010101010101010101010101C3
+:10032A0001010101010101010101010101010101B3
+:10033A0001010101010101010101010101010101A3
+:10034A000101010101010101010101010101010193
+:10035A000101010101010101010101010101010183
+:10036A000101010101010101010101010101010173
+:10037A000101010101010101010101010101010163
+:10038A000101010101010101010101010101010153
+:10039A000101010101010101010101010101010143
+:1003AA000101010101010101010101010101010133
+:1003BA000101010101010101010101010101010123
+:1003CA000101010101010101010101010101010113
+:1003DA000101010101010101010101010101010103
+:1003EA0001010101010101010101010101010101F3
+:0F03FA00010101010101010101010101010101E5
+:00000001FF
diff --git a/scripts/tests/keys/ecdsa-p256.key b/scripts/tests/keys/ecdsa-p256.key
new file mode 100644
index 0000000000..ce910351de
--- /dev/null
+++ b/scripts/tests/keys/ecdsa-p256.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8lT9/Ie8bqdLrE8V
+V5tv22tuins00FLALIUZbf2sfMGhRANCAATSHV4f7Ekdq/IbuDH5tP3PHyNtY5tR
+4P+OQnrmZo7XcNXCfq+uCT3lOZxQH3YqcTaUXY+wPrUAF9alXPLcQDJx
+-----END PRIVATE KEY-----
diff --git a/scripts/tests/keys/ecdsa-p256_passwd.key b/scripts/tests/keys/ecdsa-p256_passwd.key
new file mode 100644
index 0000000000..5bf822536c
--- /dev/null
+++ b/scripts/tests/keys/ecdsa-p256_passwd.key
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAjYjJg+mOKfAQICCAAw
+DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEGpBWXTQ3/vzFGEa1oQ5kqMEgZDu
+ZJi/Se4UZRylq89IvQ/NUAJqM5jNjZIigKNMBPqWtwpRJGq1rgQX1daXZS7xoOGN
+d9CYouvudlPb84pfhm2eF+ugMkS9N5s6UIjdqoG7NkWKMeTf3l+3KRQlYi9M2Ux9
+EDd6HLKC0DqPml9jTHYmBMM0DJZjgDYDGX2MOX8cIAujImTpBT4y7zXI1VIEVF8=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/scripts/tests/keys/ecdsa-p384.key b/scripts/tests/keys/ecdsa-p384.key
new file mode 100644
index 0000000000..ddc74ccb03
--- /dev/null
+++ b/scripts/tests/keys/ecdsa-p384.key
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDtfiX2sq+e/pUzSoRU
+ZynSgF5LjuFC+vRKqFohPrOtVmv0zzf3wy3H8e3MFDQ+PRWhZANiAARP0qTM0V+4
+qwcZkwP9b0j+gLDkLeQoxfPNiL5bvflfC+Rvt4YAbKrEWDoE+9bNH6vr4A5YMB/a
+rvN1nMF6B/I/6ymvjpzJzWaTaAeBxeaWtwiJ7xk3aQEntfR71wubqAo=
+-----END PRIVATE KEY-----
diff --git a/scripts/tests/keys/ecdsa-p384_passwd.key b/scripts/tests/keys/ecdsa-p384_passwd.key
new file mode 100644
index 0000000000..fb5c790670
--- /dev/null
+++ b/scripts/tests/keys/ecdsa-p384_passwd.key
@@ -0,0 +1,8 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBHDBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI6gYH2/bOBzgCAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDn3lId85/jWGXuMmdKMdy7BIHA
+ifbSyiBvpSCpun12zs6XdZ9AmSUoDSHLDLJhPm12uDT7FSH2hBUXxPfQdFWygXFM
+6Pgz3hg6gWWTWKo+FAgbvjWb+5Mj5jGUAXr++TsAjbGF6rDzdYPYNx/Spl7eaCuF
+H2q2cmWR3UR73AfWzkUmkvAnxtQJdJx6cvVV0JDixelJ69jDjfj3TVe2dx5InnWR
+8JxNmNFjBlLSABkk9VLvj3VZM3zMp7kkDDJ38rMtT0YGcRPUrGPtbxdGwyQhQpe7
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/scripts/tests/keys/ed25519.key b/scripts/tests/keys/ed25519.key
new file mode 100644
index 0000000000..96575818a2
--- /dev/null
+++ b/scripts/tests/keys/ed25519.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEICAZRgn1bHHzFW2pUUPHmhUn8w3F1pp8ppkXLzy8cize
+-----END PRIVATE KEY-----
diff --git a/scripts/tests/keys/ed25519_passwd.key b/scripts/tests/keys/ed25519_passwd.key
new file mode 100644
index 0000000000..29a301c1fb
--- /dev/null
+++ b/scripts/tests/keys/ed25519_passwd.key
@@ -0,0 +1,6 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgBGyz0bjJxbQICCAAw
+DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEKrnSOrOdfYVyacQVXdjddIEQMsC
+Fw2raJQtVfxWHDOfNcI62J/ZQ3mNSe4tCfAOsn+N3JfWOmac84Ba4BxzVTHj9jzs
+jik6pPaqDeealBCaWXM=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/scripts/tests/keys/public/ecdsa-p256-pem.pub b/scripts/tests/keys/public/ecdsa-p256-pem.pub
new file mode 100644
index 0000000000..76e8536fc4
--- /dev/null
+++ b/scripts/tests/keys/public/ecdsa-p256-pem.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0h1eH+xJHavyG7gx+bT9zx8jbWOb
+UeD/jkJ65maO13DVwn6vrgk95TmcUB92KnE2lF2PsD61ABfWpVzy3EAycQ==
+-----END PUBLIC KEY-----
diff --git a/scripts/tests/keys/public/ecdsa-p384-pem.pub b/scripts/tests/keys/public/ecdsa-p384-pem.pub
new file mode 100644
index 0000000000..e35349dd01
--- /dev/null
+++ b/scripts/tests/keys/public/ecdsa-p384-pem.pub
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAET9KkzNFfuKsHGZMD/W9I/oCw5C3kKMXz
+zYi+W735Xwvkb7eGAGyqxFg6BPvWzR+r6+AOWDAf2q7zdZzBegfyP+spr46cyc1m
+k2gHgcXmlrcIie8ZN2kBJ7X0e9cLm6gK
+-----END PUBLIC KEY-----
diff --git a/scripts/tests/keys/public/rsa-2048-pem.pub b/scripts/tests/keys/public/rsa-2048-pem.pub
new file mode 100644
index 0000000000..48d9eb2b6c
--- /dev/null
+++ b/scripts/tests/keys/public/rsa-2048-pem.pub
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfUYKq0prScrSCjwnElK
+nitXPUU2NVnQmlTTDLZnwyzVen/dPzrUYznG+cHDLAZqGs0GhDMFsarV/I8fImWe
+qBHVJqYUfdMEmuvCYC7i/pwslprpInGhu0rakVuLJQdmC9jReoBa8gGZDy/NvuT6
+tMHD0Rw5WFzujEdbuNnK87GCTJXOzDvkWEZ2hhqHMO+zXHYIz31k5qD56X9/CFuk
+hl4O28QZlIseV5YkWbae6DlmqtHLa/YhMNS38GPSmma2MYtqQ/6UFT4d1K/6frze
+CbpeYRLbRVcrsYy9jQ8SZChGHzDH2FNYiQeTkrI/ONa4mAN+tGH9pTnrAOQuKLMT
+yQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/scripts/tests/keys/public/rsa-3072-pem.pub b/scripts/tests/keys/public/rsa-3072-pem.pub
new file mode 100644
index 0000000000..6f5ab6f7c7
--- /dev/null
+++ b/scripts/tests/keys/public/rsa-3072-pem.pub
@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAirmhia5JyAeMl7P9kSCV
+a9OrShpatLbAwOfZRJS/8YqnJgUV6wZJwy+psxBd/3zfexN2fIUtOmqeDobeNAKC
+hNUeXWlwU0zL1omRzj3dYMfuGJqOrqeyC2MI7v4hkhrS7pw0wVWFefsoNtCQ/7bs
+dozAytZnyxPI8uiuPZI2yyc4G5aWiHH1gpwm+cEDn38qPZXDR20EI5tv1mvRRgJQ
+JrKrqVbh0ciFMspvfNoHhpC9Cc75KbSK4RzteMsCPGSkXjM+bupWaAPaeC1BHwTX
+PH2Qxpdb/vqivNEvobdbjdleN4T8+IKQLal51SvKX8cr26+sKC/ZB3JUcpltayr1
+X72SMFmXUW1+wx7ZWAPctIyFa7ADDh8jEDzzrhN8OJdyz2juhrVdE09KjfxoRTQ7
+PWaPzZP1IadV4YmsRMlQdEJjoaXTHB1Bp2N3AUy0wrixuTtnfqKJ1GBBcYQ+5eo7
+NaP0rdvIl2c2R65cuFW2R/xI7HqWSBYooyfBf6anspdrAgMBAAE=
+-----END PUBLIC KEY-----
diff --git a/scripts/tests/keys/public/x25519-pem.pub b/scripts/tests/keys/public/x25519-pem.pub
new file mode 100644
index 0000000000..eeb2ca0919
--- /dev/null
+++ b/scripts/tests/keys/public/x25519-pem.pub
@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VuAyEALSB7AUCjpej325Z7jEeKyMJRvoUfifRSozGkNVHJ02I=
+-----END PUBLIC KEY-----
diff --git a/scripts/tests/keys/rsa-2048.key b/scripts/tests/keys/rsa-2048.key
new file mode 100644
index 0000000000..08942e49c4
--- /dev/null
+++ b/scripts/tests/keys/rsa-2048.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt9RgqrSmtJytI
+KPCcSUqeK1c9RTY1WdCaVNMMtmfDLNV6f90/OtRjOcb5wcMsBmoazQaEMwWxqtX8
+jx8iZZ6oEdUmphR90wSa68JgLuL+nCyWmukicaG7StqRW4slB2YL2NF6gFryAZkP
+L82+5Pq0wcPRHDlYXO6MR1u42crzsYJMlc7MO+RYRnaGGocw77NcdgjPfWTmoPnp
+f38IW6SGXg7bxBmUix5XliRZtp7oOWaq0ctr9iEw1LfwY9KaZrYxi2pD/pQVPh3U
+r/p+vN4Jul5hEttFVyuxjL2NDxJkKEYfMMfYU1iJB5OSsj841riYA360Yf2lOesA
+5C4osxPJAgMBAAECggEAD0lNYVqsIeIiRIoMcr9iBjoqxWCSneeRlC5GCYTx403K
+SKR5zbeeuEV4fbQQMYsywb4oh29wXad0fGgbRUuGwKAoiefoPxJPAkobX5ZfLh6N
+MILWX8d6fdnbERDpTkyzI/FenxQuabvINnRt8QtwGHg6e+KuC1zHPZ57qefBlN5s
+Am4V+jQymGDkFalDRJ6QZYs9X9qIlejpsDfoKoL876U0YEWWAfKNdAboKfnMfXJH
+6pFNhwTjLmPPW9DID9S65rabyadae5e3vScmjqIiUs3O3RoX3NNxW7X61/ncRHqP
+CZ8M+aFmz4OX6/da+mtBa0GDPd0QvxHUX/nd94C5gQKBgQDvN9/12cGFUJJVMhw/
+JALk+OTH1VLlRy69fumCyifkmocSaaxt1iEr89EPkyMDoml7dLwiywhyTeDuRdoK
+F1t3N20rCwgirGsxhnVS07Jrq1AqVPKW0yBL9rnxOqiop8lN2qvZWP7dbdsK7SB1
+ZCPrXgDhAttxDYY9zlgKZYHb2QKBgQC6KTLULYwSdTZPWyJ3+aPnaSPcVVdrjiHX
+A9/7KFMoT6xPo5HEvyUHNkd+zJ+tQ9Jvutp9GHx/wUII5M8LkB9C6d7V/hoLCd18
+6gnywecnVhixXKzfAol1Ny+ALWJyKqodjhVrSe0cKPsKBampZAvYt4vRVIScUpj8
+SVczIGCxcQKBgQCIc9/NdhvcNrxx2nagUaNRBuRBVN7HKBZyQx1h3Hxq+vZHO33+
+3SDo2FgNQUm8vfzbThgu5I953BCM+c1I6k/jLfuYjN9kH+O5SVBNIbJpljvRGcmS
+3PVUP3WLM4GXSrYaMbzK6ufeWNaUYfSc4bVXgbSQpTeVQjirsrMnowUy6QKBgF64
+i7ZOHpFdtm6WTmmBShZ69tYrTjnZrfo7bIHcuMMwFtrGvWrAX1TWF3a7IxwEAFT9
+XCJ+jQpsCO+BjJ+zi1R+rvVvP00SjfH7G2i7pKPtOM81+nfWUJ6ln7O2Y/r3Hmu/
+WcKncM/9Qg6NZxBbaXOxoKC4QmlP1au4nXfUJ57hAoGBANMYGrQtnzwbB9o0srUQ
+b7kLjpkxLQMgKOdUYFcdOTkdamkRoeJa7nyP6QYOWp9FZPAjSXYPT5oyNKQkEzF0
+knEVAlAFfAQLQwbkEa+DVd0oPIPHZb5OZi0M+Kksv7aCEroaTb8/ZyXtCsaxjAYw
+ECXsGM49SPXGAahzWtLgVrEG
+-----END PRIVATE KEY-----
diff --git a/scripts/tests/keys/rsa-2048_passwd.key b/scripts/tests/keys/rsa-2048_passwd.key
new file mode 100644
index 0000000000..b5d6f1d669
--- /dev/null
+++ b/scripts/tests/keys/rsa-2048_passwd.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIm9I3BalGfDwCAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDFx18QvRG2MwgxKfynmoAlBIIE
+0JOQRfuKgiZVjn7yKHaQI9jX8y84bn5z/o5V8HBEqAGrwAhZnRq1yqjM4iZOkGua
+oQ3yI+SXQ/9IZSsWTI1tkJThBIIXmA0owpLRRzDLwkpfy++EQgKlONz1KuDdWtEA
+sAPFSdO7cmJW6QglV98DRDx1QCynAHjyfQA3hOl9W/tCwqcItObBlWvhFvUbU4Or
+LKQ+D4NUAg+gXVgcbeC/iw4TL9au9RzvHcKQ+b/e+0eF9F7BlQ+vrWypVg6aJu8T
+XJ43QRgYqWu5wyRLVWUYDaRoas3w62c8oR2zNfwSAvqt6/K3idFZANSix3oW2yqW
+ckGVD1MH9fQXEkME8yhZUbZ+enqUqQbdSvoBe+oLO04V4eLgub0pDArk+sTRcPm/
+HU97ZRwleFlK0jJMrXhj3KmFmUwttqCWsU9wiKHpQpil/vq7V/QprV1mjWxVLjxC
+u3xv2I3rS9HwMCAFySy6hMT86Fdpb8auFQiW4YI6VqdkXDGq3wmckpJq6DN2CgrD
+/9rKHiY8vxEM0UJaVC5JWcyTnFztQG38LVSYDiOEXLxcNozlEjNNQ8jHYhijlnRW
+EJAbi63obF34O43WBLlh6blPmLjTf7+5BxrdAOT972/0XwxlCE9TO8VatXjNp2aN
+afjNeRI7R1OuycDIhyVwy3w5xdHwVXqh8/vGcc0XzHy15pmqQ/A1UzECflVVAipT
+kERDm/3Qrcc0O/R2csylvMviCXdiu7Lu49je4HJaQUGIEYoYTTSN0XsbxxpS8vK+
+Up9hSTQrAi9J+98GtBTJXDSCB9zMN+I1pE/2h4fMqmP12Jlk9kd3mVBlbyRpkMVg
+U+P7GLziXk+Rx4bacxKOtUA2bDV0pLDAKcnAMwZw2hV/ifCVHkWJSbky/G1QlmoN
+BU84t2UNdenHQx/EoL5qgNtee/NlZjQNv7eV2FuhCrt+qwOAouEQURw5eLyep/kB
+ZXJjqs7Ei5EGRuxsoA/zzUsqigEmcL2DimazNwybe1//ulLsEqmeSeCAzetFBlT3
+/69u9t5Rm6inyZoBZ0hoC2J3ehidC28xBltbw55vsLou6loneZBbAwbBMqLpSeIp
+/+D+FOxdI2+zo+afafqUBsZ1tC8mFMFZpCIZ63i3Yvx+8+JW7a/TRRZXhasTTu2o
+6ggHMlGQy3djXV3S41oQBcXocaF1jDIeiHqH6ZD5sktlx0d/eRKobuMEfgKaDPHi
+fs5HBAWnP4jbjM5C3s0o0c5+Tc1x19hF9L1rDeot5/WP7Qvs6OEHSw+M9wT/RrF6
+04juVN+nykQ5WyfCzBrLSZ7qP+Onvvw5Ffvj8+EN3OuFQFNZc/1Z5QFG3tmhlof7
+oO5jJNMuQHIlI5xxm8o14howIC+UAfOM6H6b0nfQ0g8lUwjuuMxh1UumB2DDO56e
+G9rq0Xvz+mXpdFdk2fZIQxU03A3KBpV284Yx2SRyykMKfICFPvR9k0/S90nvQMv/
+H6ZrNO/mm3VBlNY2UO1wa4wqTTxZJuPfj8GEV+coAueZnLUHTkp2GpCPVkBVXoKr
+Alg+P6hLDQYTRjNEMCDMtUSQkM5g9ACIZ4L8+wZTZlPV5GjSXz0VGSOH0Ig7rXd+
+nOjxFybeX41LN8NEEfrxKW/VsbgVvPJAPEhAbUTJ6+G5
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/scripts/tests/keys/rsa-3072.key b/scripts/tests/keys/rsa-3072.key
new file mode 100644
index 0000000000..ec92360d8b
--- /dev/null
+++ b/scripts/tests/keys/rsa-3072.key
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCKuaGJrknIB4yX
+s/2RIJVr06tKGlq0tsDA59lElL/xiqcmBRXrBknDL6mzEF3/fN97E3Z8hS06ap4O
+ht40AoKE1R5daXBTTMvWiZHOPd1gx+4Ymo6up7ILYwju/iGSGtLunDTBVYV5+yg2
+0JD/tux2jMDK1mfLE8jy6K49kjbLJzgblpaIcfWCnCb5wQOffyo9lcNHbQQjm2/W
+a9FGAlAmsqupVuHRyIUyym982geGkL0JzvkptIrhHO14ywI8ZKReMz5u6lZoA9p4
+LUEfBNc8fZDGl1v++qK80S+ht1uN2V43hPz4gpAtqXnVK8pfxyvbr6woL9kHclRy
+mW1rKvVfvZIwWZdRbX7DHtlYA9y0jIVrsAMOHyMQPPOuE3w4l3LPaO6GtV0TT0qN
+/GhFNDs9Zo/Nk/Uhp1XhiaxEyVB0QmOhpdMcHUGnY3cBTLTCuLG5O2d+oonUYEFx
+hD7l6js1o/St28iXZzZHrly4VbZH/EjsepZIFiijJ8F/pqeyl2sCAwEAAQKCAYA+
+CeMse+WiD4I367YHu48nIAuXwa5z59DO1ECtc2pdflje32Jcbzz4ja2yFy06TyFw
+XJVd/X7rA3g43easUr0E43xHYRprHkqAYJh0p+UDXZXkqeYKRJOSlREPNFZWDSns
+rK3JElJ1aTUkQmS9/xPDtpGXhIf5YRk6TIVzoppfguQMLm2WioQ1i1jA06knoIqG
+7R1eKWoy9FXxCdmWmf03OSscuW6WzzqGKtLt/mFkNAFeTBHQrV14a+PlY8BVutnA
+YF7UH6JLtQPmU5e+ysQhHKPiAYr0Rgz58VmCpsr1udJuaQg2p/kIh/PYXaBsMzSh
+5BiHwXY3Nd0DKNDvOYRT2zW+RODjrMFPXFtLEvyJrt2YEhHMR43puAd36fKESbCu
+BFQ6R9gYdJSbAFUYVoiNlYYgXRgvKtZlRO6VVnc0oeFjZjU4vPgjhlCd3ejMFBn8
+dKZfZoP1Gjnih4nDVsMA3oZy6py18P1sE+bJuBNPOVEm9hFGLDIUYw+cJ+L1an0C
+gcEAwysnNs4qlwNwilpBwp+GqeXctXAf+WOGkUzJx0ajL8ZqOzJYDy0qZjFvaYUw
+SoJA3/8LKkrQ2o4yEdo6FeZ+1THE0nmDee7QCXLv2f/Kz+BJMbY8bFDFJ5iZGYJo
+4qJZ5eYw7RwZtUVIEN6J2IehCeDoZ796lZCDym1kyfd9trAvLgyeeqYyIo5tTU/o
+m5iutWHf4E7h1wGGYLu0JOc8lfjNr1kLG2crOhGW6xv4GH/aN5uoJYyj5nT5MpJR
+FmSvAoHBALX2wUUlmLi9BUEt4HDyxfsQysjbaL60O816FkWPQ6wSeKZtKnnZ9SVG
+Zfc9YI/8XWbvw4RQAXK6foLQRqZBdTbyPvK4wcvsraZgDNZylZR57g0/lsEZb2x6
+rdkyGqYk636TkxZgjM9nobiUFl08DYCQx6+7agX317XJM2IgVHwCCN8yFCSBWMWv
+/0/FImYnwSaZcwoFl2NyNYp0Hm+46JbgeqNLRh/q5LP5ctswaf5ow1fQal7Pnujp
+epvTrc9gBQKBwAd8lkqB6hxU43JLOA6RNAc8bBUBshhM+xKD0ZG1YfkpMVYH/lzG
+rMOyzcVMeKfDC14MWI9Mw2o+3ijVKDlC2EaxXA1+385DnPNf11eTemIzBlvD09mL
+16RHNEhIOmHHPI+XHvVZiJrth3AuOTd3LHRGjmO8cqVeH9AaFi2xMr9ZTtYDYeju
+iynMMOEwWYnud3U5xe7C1+L5igAX8zcfL7HJE4rQbZ6lfIEDv7hRIFlAPky3yeF2
+3aqvfge0mSu0vQKBwQC0hSV+LOtTMyrYW+QTCbbB+gnDtHA46WN+2QTpY1TWi8io
+Cxsdoc6jeTDFVF3M2qfq7CiCxkB5imzh6DB+1eesaC1s7UBNx/MKYLW7theRIlm5
+SQGNdmdlLlv0YtGvTGdYvp0okQaA6KW3ESsSufYHOxrvyzVG0HdvADl6uuo10Gru
+yqbTBIOGM7FNeRxETmI/ofJP2fYzkWVugv6DBeWxcOgZwh7CoWzc47c/nss4usQ5
+BSnR/5X+KUsa9qizV+UCgcBs3GCVSvurlVKHbTHexZID4Lw1V6RygY7DOlqKAAr4
+B/mNG3c0hIv2IqbA2pXKznA4J5ofafa7f1tdAk9J1MgUqpcfhoNzhAX2PidS3xg+
+nTvTKM/LhFVfhiav66unQ+BOqSeODiipTuO2SxgSlMSKKN9YiCeK+lys/bYjmrV4
+i6B9cTRIaZCCzMR3VDpQkyp0ZObdp3vdz+l236IQteNVWK9s2E+fAkYHfMWOcMRf
+GnUCBmjiF4K0RZKvgQnw3R8=
+-----END PRIVATE KEY-----
diff --git a/scripts/tests/keys/rsa-3072_passwd.key b/scripts/tests/keys/rsa-3072_passwd.key
new file mode 100644
index 0000000000..bc8bb6ae28
--- /dev/null
+++ b/scripts/tests/keys/rsa-3072_passwd.key
@@ -0,0 +1,42 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIHbTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIRZc+6IinbS0CAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCCemozgSC7rEyzT3BmsXC6BIIH
+EAnUppECIx5AcoXh7SnIE4D6C/NWU0OgLWyaHuEi3mBbrR0f9PSBtpBXsxZHiiMd
+1wnYAzs/C/8Uk6U2JxKG+rWfcQJaz6oeH5ujLenOHfadmbHFVFEWPLMWtRl/wJ4c
+dKn7wBxPzY8auWNIOa1BRifo9jGy8GVCB3AqxAUwtqvoMBQY2Eki0F33kik6CWNR
+KFjy/rUm6BOVK3/X4P848yirVIPfYiLNt0iwaDtJTO30Y7y5sKAY1WZoI/hr1hfa
+0yCZSB1G4UoArSYGgSb3/i6B1gpw/AOR6WcNkjvjTMCRlXDH9xTQ6X7mP4Nj/E9A
+2uPP6MAivGZAi/OY0Z3ezXPIRSmS61F+tUej9JOSjG2OuajqJGOnV5E9+1uvveIQ
+v4XXB7R/HTCGs59KRhO06xG2Xv+OHH4ibuYvIrXuaqjPIATThzzYJNuc/YLvob7W
+0ENAEyoERTL+QoNaFhbitAFxT5vzFXdB8XIdjikxWVjWrnZj26uhQJAszbQJOGVW
+6yAnCK4kCowS/g1mfHpiGopgr2dpcPSgI+Oyv9yFkY/oQb5+WvGhdbzhENDmFB2W
+FtSp9jTAKMN0hbXtV/kopgXAiWsDOOPHl61KHmQT9ZjnyAxt8smypAXQTXJEwnw7
+QtSnhBElii50LOlDa5hs8WwJ4j6guKiEzFMDHB6dsdl9ANOFPdagQ6VEEN+9pyLK
+ORtI3s4HMRYVuVC0Kuahz2NXldOvgKmcUlgtaEcIcjXSJtf6SOKEbclLPrgGrJp7
+e/3zEvLb9W/133XeWl6OKIaBLXsAAg13rrlwh5lbQZWAP/EkdQfUqHxV533q2DfU
+/janFmuhcuHgMNaRGOPyXXfTM1t5zXeioWJMZr4Sknn+Ny1GMrlF9ZGlEIrzTMML
+NnuBV+daoUzuWiCSroBs/FD4wfDqBQSlSSdmzpZXZvQXuerOLFZWW8TCVL7BW8Qq
+Mwo4STSGxrHqv7haNZU6MuaUEQ2MFv7wwgu+PnxWfnQF0B6bHP6Nx5EIw/y86SVa
+WiTgU89mTsYywURTTslzDIH+d2s7/HN1oKwsLBPGhjAif9hpl6jN8JbQDSczZhDn
+4o6RsHB+bvChboxyVBEisJJ4+bWBIW+Q6nwSQIVb7k06cq8FcXgXKb90NNOhV3jU
+h9IHdvjjhXa1FEDFb059YS+kXhFUw4yJ81GuPxANZXTW9h9JuFpLrSajjdCLmw1j
+NaCUJpkYO8dYlIxIXK1QBrQP6WflqeFZtwQvsWmAoQHD4DoVmE5ch3vWc0Oe/ywL
+i74adE0uf2WOnMP8aqtLSnxtordKiVBywjZGSuC1GbvYc4d/CbSqdXxxLA+QGOwP
+s0VEt1e5SbgpQmPQCIBg6gre75yLdWm2ZEGwmsEWaHeTWw+MyUBjr7xcosGunyG2
+3HwE5tb4v33mG+ZkS3gCyOhq/HkUYimwpOi9oIs2qeBVdRtYgtSthrk309JSy7CU
+AYftZ0kYJLPh9z7w3mzvz5cQEcoCguZLaNV1z7Ew5OrwAsY/bPqHSMo2MEtrXj/n
+lLp7xrl2bA2HMpn/Ciak0r4OV45ZMxT71XRkbOKINBBrCw5/0JcOXJC5OXW8ZsJ2
+LGNz0s0dGiUSFVoFRYTURSLjjMlZ+YvjM1l/pNEiwb/xskbGlkBveEGhejx/bYAe
+SZRMs/0P+Cc1IXpwFcf86UnGB7wYDxpVrMArt1tqdnzdk+bkTtcrscE02nlqN2Qv
+fPoMv9AV2FGT+PuJhAo1g9Mlnidcu66dHuGYFYRzTwNYJXKRrPgZv34t0GaQb+hM
+Q3eS51VSrIyuieN4n6XxQIjWzcNnIZ4G0LF5BXzar85/qiY2mB5vfei1M+ghbET0
+11s54Sm59aFQ8+kmE1wwBBy0cnEJlf4Rs98QONcOYVNPmb//rbmQF191tB4xXecS
+7z9pd7vv+QL0x26MMNNUxA9/Sbbx52WoQJY5HofecN+cZSdpskbEicA6AcwJvSg2
+OAyg8NyvW/c9dd+ka98i0Z+rR8HjGrz7Bv/ta8Wsy6EGRTfeKnCeI8LKtgJRWp90
+1hawqLyjmFfKZKkS3cRZkzVEElY71+SF4ehjZAMUm5lejF9YfLOrOPb0d9rtmVob
+qYfOw2gK4qF+Krk6Nq1SrvdFeSZuVK2GWyv2MPIofSygegYUJm1EXfeWyr2MHtIZ
+S2eyvK7Ffcs70sWPFJiDHo+j7yAwuzlV8R0AqLEbg3tfiy2cQzaiiThOqXx5FgMK
+tkD6tLbfN8GV1BLXXIqeCE4sqWOmhneT5gITl91TJDZU05w9OYLB0r/GYMsvMtHo
+LXey/l0sYYgFrK3iKCQ7u4CmSM2fE5MoFAkyIJNbwv9X5AE7ySuzqAr8cZ2s0ae+
+2u/YJspILVJl1Ythr5tWUelYrTJpSDOuSfL3Y05CRwpg
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/scripts/tests/keys/x25519.key b/scripts/tests/keys/x25519.key
new file mode 100644
index 0000000000..98ed2fdaa4
--- /dev/null
+++ b/scripts/tests/keys/x25519.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VuBCIEIOj5tRNYWq9IVzU6CXw2w76dR81c+eVSCdZ9q5cKmYJl
+-----END PRIVATE KEY-----
diff --git a/scripts/tests/keys/x25519_passwd.key b/scripts/tests/keys/x25519_passwd.key
new file mode 100644
index 0000000000..2cb6c8bc3c
--- /dev/null
+++ b/scripts/tests/keys/x25519_passwd.key
@@ -0,0 +1,6 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAjs2EEY5ee3DAICCAAw
+DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEB1A8DsYxCImWNVt3PbkhOgEQDkd
+PJcS5uRJgb8yQQqjroVLf5pUFGnYaIp1Ils2TrYl/UtctIi2L0TIg1XJaS/wRIk6
+nCr0DZ3/gaVth13tRwo=
+-----END ENCRYPTED PRIVATE KEY-----

From 8963b5ac8f70bf057fff138126bb1a97a83a90ef Mon Sep 17 00:00:00 2001
From: David Vincze <david.vincze@arm.com>
Date: Wed, 19 Jun 2024 11:17:45 +0200
Subject: [PATCH 02/13] imgtool: Add missing copyright notice to test_keys.py

Add missing copyright notice to clarify authorship of the original
contribution. Having the notice present will make contributions to the
file from other parties easier. The date of the original contribution
is derived from the git history.

Change-Id: I9c97f064ee8c308333058113430176b87b81b397
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
---
 scripts/tests/test_keys.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/tests/test_keys.py b/scripts/tests/test_keys.py
index a812ba2f19..746a4d47a2 100644
--- a/scripts/tests/test_keys.py
+++ b/scripts/tests/test_keys.py
@@ -1,3 +1,5 @@
+# Copyright 2024 Denis Mingulov
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

From b95b3b56f47edf30923108406e3f6fd1b7863c3f Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Mon, 27 Nov 2023 21:22:20 +0100
Subject: [PATCH 03/13] imgtool: Add new tests for key operations

Refactor test_keys.py
Move constants to separate file
Verify key type in all testcases
Add tests for generating keys with password
Add more testcases for getpriv command
Add more testcases for getpub command
Add more testcases for getpubhash command
Update list of expected to fail tests

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: If48a1c1496aced2e6f69f317f200aafc08d55538
---
 scripts/tests/conftest.py  |  24 +-
 scripts/tests/constants.py |  43 +++
 scripts/tests/test_keys.py | 769 +++++++++++++++++++++++++++----------
 3 files changed, 618 insertions(+), 218 deletions(-)
 create mode 100644 scripts/tests/constants.py

diff --git a/scripts/tests/conftest.py b/scripts/tests/conftest.py
index 797bf25d1a..d0f90ac6e8 100644
--- a/scripts/tests/conftest.py
+++ b/scripts/tests/conftest.py
@@ -16,13 +16,23 @@
 
 # List of tests expected to fail for some reason
 XFAILED_TESTS = {
-    "tests/test_keys.py::test_getpriv[openssl-ed25519]",
-    "tests/test_keys.py::test_getpriv[openssl-x25519]",
-    "tests/test_keys.py::test_getpriv[pkcs8-rsa-2048]",
-    "tests/test_keys.py::test_getpriv[pkcs8-rsa-3072]",
-    "tests/test_keys.py::test_getpriv[pkcs8-ed25519]",
-    "tests/test_keys.py::test_getpub[pem-ed25519]",
-    "tests/test_keys.py::test_sign_verify[x25519]",
+    # Unsupported key_type and format combinations
+    "tests/test_keys.py::TestGetPriv::test_getpriv[openssl-ed25519]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv[openssl-x25519]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv[pkcs8-rsa-2048]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv[pkcs8-rsa-3072]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv[pkcs8-ed25519]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv_with_password[openssl-ed25519]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv_with_password[openssl-x25519]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv_with_password[pkcs8-rsa-2048]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv_with_password[pkcs8-rsa-3072]",
+    "tests/test_keys.py::TestGetPriv::test_getpriv_with_password[pkcs8-ed25519]",
+    # 'Ed25519' object has no attribute 'get_public_pem'
+    "tests/test_keys.py::TestGetPub::test_getpub[pem-ed25519]",
+    "tests/test_keys.py::TestGetPub::test_getpub_with_encoding[pem-ed25519]",
+    "tests/test_keys.py::TestGetPub::test_getpub_no_outfile[pem-ed25519]",
+    "tests/test_keys.py::TestLoading::test_load_key_public[pem-ed25519]",
+    "tests/test_keys.py::TestLoading::test_load_key_public_with_password[pem-ed25519]",
 }
 
 
diff --git a/scripts/tests/constants.py b/scripts/tests/constants.py
new file mode 100644
index 0000000000..2616b9a77f
--- /dev/null
+++ b/scripts/tests/constants.py
@@ -0,0 +1,43 @@
+# Copyright 2024 Arm Limited
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from imgtool import main as imgtool_main
+
+# all supported key types for 'keygen'
+KEY_TYPES = [*imgtool_main.keygens]
+KEY_ENCODINGS = [*imgtool_main.valid_encodings]
+KEY_LANGS = [*imgtool_main.valid_langs]
+PUB_HASH_ENCODINGS = [*imgtool_main.valid_hash_encodings]
+PVT_KEY_FORMATS = [*imgtool_main.valid_formats]
+
+OPENSSL_KEY_TYPES = {
+    "rsa-2048": "Private-Key: (2048 bit, 2 primes)",
+    "rsa-3072": "Private-Key: (3072 bit, 2 primes)",
+    "ecdsa-p256": "Private-Key: (256 bit)",
+    "ecdsa-p384": "Private-Key: (384 bit)",
+    "ed25519": "ED25519 Private-Key:",
+    "x25519": "X25519 Private-Key:",
+}
+GEN_KEY_EXT = ".key"
+PUB_KEY_EXT = ".pub"
+PUB_KEY_HASH_EXT = ".pubhash"
+
+images_dir = "./images"
+signed_images_dir = images_dir + "/signed"
+
+
+def tmp_name(tmp_path, key_type, suffix=""):
+    return tmp_path / (key_type + suffix)
diff --git a/scripts/tests/test_keys.py b/scripts/tests/test_keys.py
index 746a4d47a2..6ed59724e9 100644
--- a/scripts/tests/test_keys.py
+++ b/scripts/tests/test_keys.py
@@ -1,4 +1,5 @@
 # Copyright 2024 Denis Mingulov
+# Copyright 2024 Arm Limited
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -14,242 +15,588 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import pytest
-
+import re
 import subprocess
+from tempfile import mktemp
+
+import pytest
 from click.testing import CliRunner
-from imgtool import main as imgtool_main
-from imgtool.main import imgtool
 
-# all supported key types for 'keygen'
-KEY_TYPES = [*imgtool_main.keygens]
-KEY_ENCODINGS = [*imgtool_main.valid_encodings]
-PUB_HASH_ENCODINGS = [*imgtool_main.valid_hash_encodings]
-PVT_KEY_FORMATS = [*imgtool_main.valid_formats]
-
-OPENSSL_KEY_TYPES = {
-    "rsa-2048": "Private-Key: (2048 bit, 2 primes)",
-    "rsa-3072": "Private-Key: (3072 bit, 2 primes)",
-    "ecdsa-p256": "Private-Key: (256 bit)",
-    "ecdsa-p384": "Private-Key: (384 bit)",
-    "ed25519": "ED25519 Private-Key:",
-    "x25519": "X25519 Private-Key:",
+from imgtool.main import imgtool
+from tests.constants import KEY_TYPES, GEN_KEY_EXT, tmp_name, OPENSSL_KEY_TYPES, KEY_ENCODINGS, PUB_KEY_EXT, \
+    PVT_KEY_FORMATS, KEY_LANGS, PUB_HASH_ENCODINGS, PUB_KEY_HASH_EXT
+
+UNSUPPORTED_TYPES = [("openssl", "ed25519"),
+                     ("openssl", "x25519"),
+                     ("pkcs8", "rsa-2048"),
+                     ("pkcs8", "rsa-3072"),
+                     ("pkcs8", "ed25519"), ]
+
+OPENSSL_PUBLIC_KEY_TYPES = {
+    "rsa-2048": "Public-Key: (2048 bit)",
+    "rsa-3072": "Public-Key: (3072 bit)",
+    "ecdsa-p256": "Public-Key: (256 bit)",
+    "ecdsa-p384": "Public-Key: (384 bit)",
+    "ed25519": "ED25519 Public-Key:",
+    "x25519": "X25519 Public-Key:",
 }
 
-GEN_KEY_EXT = ".key"
 GEN_ANOTHER_KEY_EXT = ".another.key"
-PUB_KEY_EXT = ".pub"
-PUB_KEY_HASH_EXT = ".pubhash"
 
 
-def tmp_name(tmp_path, key_type, suffix=""):
-    return tmp_path / (key_type + suffix)
-
-
-@pytest.fixture(scope="session")
-def tmp_path_persistent(tmp_path_factory):
-    return tmp_path_factory.mktemp("keys")
-
-
-@pytest.mark.parametrize("key_type", KEY_TYPES)
-def test_keygen(key_type, tmp_path_persistent):
-    """Generate keys by imgtool"""
-
-    runner = CliRunner()
-
-    gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
-
-    assert not gen_key.exists()
-    result = runner.invoke(
-        imgtool, ["keygen", "--key", str(gen_key), "--type", key_type]
-    )
-    assert result.exit_code == 0
-    assert gen_key.exists()
-    assert gen_key.stat().st_size > 0
-
-    # another key
-    gen_key2 = tmp_name(tmp_path_persistent, key_type, GEN_ANOTHER_KEY_EXT)
-
-    assert str(gen_key2) != str(gen_key)
-
-    assert not gen_key2.exists()
-    result = runner.invoke(
-        imgtool, ["keygen", "--key", str(gen_key2), "--type", key_type]
-    )
-    assert result.exit_code == 0
-    assert gen_key2.exists()
-    assert gen_key2.stat().st_size > 0
-
-    # content must be different
-    assert gen_key.read_bytes() != gen_key2.read_bytes()
-
-
-@pytest.mark.parametrize("key_type", KEY_TYPES)
-def test_keygen_type(key_type, tmp_path_persistent):
+def verify_key(key_type, key, password=""):
     """Check generated keys"""
     assert key_type in OPENSSL_KEY_TYPES
 
-    gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
-
     result = subprocess.run(
-        ["openssl", "pkey", "-in", str(gen_key), "-check", "-noout", "-text"],
+        ["openssl", "pkey", "-in", str(key), "-check", "-noout", "-text", "-passin", "pass:" + password],
         capture_output=True,
         text=True,
+
     )
     assert result.returncode == 0
     assert "Key is valid" in result.stdout
     assert OPENSSL_KEY_TYPES[key_type] in result.stdout
 
 
-@pytest.mark.parametrize("key_type", KEY_TYPES)
-@pytest.mark.parametrize("format", PVT_KEY_FORMATS)
-def test_getpriv(key_type, format, tmp_path_persistent):
-    """Get private key"""
-    runner = CliRunner()
-
-    gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
-
-    result = runner.invoke(
-        imgtool,
-        [
-            "getpriv",
-            "--key",
-            str(gen_key),
-            "--format",
-            format,
-        ],
-    )
-    assert result.exit_code == 0
-
-
-@pytest.mark.parametrize("key_type", KEY_TYPES)
-@pytest.mark.parametrize("encoding", KEY_ENCODINGS)
-def test_getpub(key_type, encoding, tmp_path_persistent):
-    """Get public key"""
-    runner = CliRunner()
-
-    gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
-    pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT
-                       + "." + encoding)
-
-    assert not pub_key.exists()
-    result = runner.invoke(
-        imgtool,
-        [
-            "getpub",
-            "--key",
-            str(gen_key),
-            "--output",
-            str(pub_key),
-            "--encoding",
-            encoding,
-        ],
-    )
-    assert result.exit_code == 0
-    assert pub_key.exists()
-    assert pub_key.stat().st_size > 0
+def verify_public_key(key_type, encoding, key, password=""):
+    """Check generated keys"""
 
+    key_file = str(key)
+    if encoding not in ['pem', 'raw']:
+        # convert to raw
+        # read file key to key_str
+        with open(key, 'r') as file:
+            hex_values = re.findall(r'0x([a-fA-F0-9]{2}),', file.read())
+            byte_data = bytes(int(h, 16) for h in hex_values)
 
-@pytest.mark.parametrize("key_type", KEY_TYPES)
-@pytest.mark.parametrize("encoding", PUB_HASH_ENCODINGS)
-def test_getpubhash(key_type, encoding, tmp_path_persistent):
-    """Get the hash of the public key"""
-    runner = CliRunner()
+        raw_file = mktemp("key.raw")
+        with open(raw_file, 'wb') as file:
+            file.write(byte_data)
 
-    gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
-    pub_key_hash = tmp_name(
-        tmp_path_persistent, key_type, PUB_KEY_HASH_EXT + "." + encoding
-    )
+        key_file = raw_file
 
-    assert not pub_key_hash.exists()
-    result = runner.invoke(
-        imgtool,
-        [
-            "getpubhash",
-            "--key",
-            str(gen_key),
-            "--output",
-            str(pub_key_hash),
-            "--encoding",
-            encoding,
-        ],
+    result = subprocess.run(
+        ["openssl", "pkey", "-in", key_file, "-pubin", "-pubcheck", "-noout", "-text"],
+        capture_output=True,
+        text=True,
     )
-    assert result.exit_code == 0
-    assert pub_key_hash.exists()
-    assert pub_key_hash.stat().st_size > 0
+    assert result.returncode == 0
+    assert "Key is valid" in result.stdout
+    assert OPENSSL_PUBLIC_KEY_TYPES[key_type] in result.stdout
 
 
-@pytest.mark.parametrize("key_type", KEY_TYPES)
-def test_sign_verify(key_type, tmp_path_persistent):
-    """Test basic sign and verify"""
+class TestKeys:
     runner = CliRunner()
-
-    gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
-    wrong_key = tmp_name(tmp_path_persistent, key_type, GEN_ANOTHER_KEY_EXT)
-    image = tmp_name(tmp_path_persistent, "image", "bin")
-    image_signed = tmp_name(tmp_path_persistent, "image", "signed")
-
-    with image.open("wb") as f:
-        f.write(b"\x00" * 1024)
-
-    # not all required arguments are provided
-    result = runner.invoke(
-        imgtool,
-        [
-            "sign",
-            "--key",
-            str(gen_key),
-            str(image),
-            str(image_signed),
-        ],
-    )
-    assert result.exit_code != 0
-    assert not image_signed.exists()
-
-    result = runner.invoke(
-        imgtool,
-        [
-            "sign",
-            "--key",
-            str(gen_key),
-            "--align",
-            "16",
-            "--version",
-            "1.0.0",
-            "--header-size",
-            "0x400",
-            "--slot-size",
-            "0x10000",
-            "--pad-header",
-            str(image),
-            str(image_signed),
-        ],
-    )
-    assert result.exit_code == 0
-    assert image_signed.exists()
-    assert image_signed.stat().st_size > 0
-
-    # original key can be used to verify a signed image
-    result = runner.invoke(
-        imgtool,
-        [
-            "verify",
-            "--key",
-            str(gen_key),
-            str(image_signed),
-        ],
-    )
-    assert result.exit_code == 0
-
-    # 'another' key is not valid to verify a signed image
-    result = runner.invoke(
-        imgtool,
-        [
-            "verify",
-            "--key",
-            str(wrong_key),
-            str(image_signed),
-        ],
-    )
-    assert result.exit_code != 0
-    image_signed.unlink()
+    password = "12345"  # Password for the keys in ./keys directory
+
+    @pytest.fixture(scope="session")
+    def tmp_path_persistent(self, tmp_path_factory):
+        return tmp_path_factory.mktemp("keys")
+
+
+class TestKeygen(TestKeys):
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_keygen(self, key_type, tmp_path_persistent):
+        """Generate keys by imgtool"""
+
+        gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+
+        assert not gen_key.exists()
+        result = self.runner.invoke(
+            imgtool, ["keygen", "--key", str(gen_key), "--type", key_type]
+        )
+        assert result.exit_code == 0
+        assert gen_key.exists()
+        assert gen_key.stat().st_size > 0
+        verify_key(key_type, gen_key)
+
+        # another key
+        gen_key2 = tmp_name(tmp_path_persistent, key_type, GEN_ANOTHER_KEY_EXT)
+
+        assert str(gen_key2) != str(gen_key)
+
+        assert not gen_key2.exists()
+        result = self.runner.invoke(
+            imgtool, ["keygen", "--key", str(gen_key2), "--type", key_type]
+        )
+        assert result.exit_code == 0
+        assert gen_key2.exists()
+        assert gen_key2.stat().st_size > 0
+        verify_key(key_type, gen_key2)
+
+        # content must be different
+        assert gen_key.read_bytes() != gen_key2.read_bytes()
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_keygen_with_password(self, key_type, tmp_path_persistent, monkeypatch):
+        """Generate keys by imgtool with password"""
+
+        gen_key = tmp_name(tmp_path_persistent, key_type + "_passwd", GEN_KEY_EXT)
+        assert not gen_key.exists()
+        monkeypatch.setattr('getpass.getpass', lambda _: self.password)
+        result = self.runner.invoke(
+            imgtool, ["keygen", "--key", str(gen_key), "--type", key_type, "-p"]
+        )
+
+        assert result.exit_code == 0
+        assert gen_key.exists()
+        assert gen_key.stat().st_size > 0
+        verify_key(key_type, gen_key, self.password)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_keygen_with_mismatching_password(self, key_type, tmp_path_persistent, monkeypatch):
+        """Generate keys by imgtool with mismatching password should print error"""
+
+        gen_key = tmp_name(tmp_path_persistent, key_type + "-null", GEN_KEY_EXT)
+        assert not gen_key.exists()
+        passwords = iter([self.password, 'invalid'])
+        monkeypatch.setattr('getpass.getpass', lambda _: next(passwords))
+        result = self.runner.invoke(
+            imgtool, ["keygen", "--key", str(gen_key), "--type", key_type, "-p"],
+        )
+
+        assert result.exit_code != 0
+        assert not gen_key.exists()
+        assert "Passwords do not match, try again" in result.stdout
+
+
+class TestGetPriv(TestKeys):
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("key_format", PVT_KEY_FORMATS)
+    def test_getpriv(self, key_type, key_format, tmp_path_persistent):
+        """Get private key"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpriv",
+                "--key",
+                str(gen_key),
+                "--format",
+                key_format,
+            ],
+        )
+        assert result.exit_code == 0
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("key_format", PVT_KEY_FORMATS)
+    def test_getpriv_with_password(self, key_type, key_format, tmp_path_persistent, monkeypatch):
+        """Get private key with password"""
+
+        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+
+        monkeypatch.setattr('getpass.getpass', lambda _: self.password)
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpriv",
+                "--key",
+                str(gen_key),
+                "--format",
+                key_format,
+            ]
+        )
+        assert result.exit_code == 0
+
+    @pytest.mark.parametrize("key_format, key_type", UNSUPPORTED_TYPES)
+    def test_getpriv_unsupported(self, key_format, key_type, tmp_path_persistent):
+        """Get private key for unsupported combinations should print error message"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpriv",
+                "--key",
+                str(gen_key),
+                "--format",
+                key_format,
+            ],
+        )
+
+        assert result.exit_code == 2
+        assert "not support" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("key_format", PVT_KEY_FORMATS)
+    def test_getpriv_with_invalid_pass(self, key_type, key_format, tmp_path_persistent, monkeypatch):
+        """Get private key with invalid password should print 'Invalid passphrase' in stdout"""
+
+        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+
+        monkeypatch.setattr('getpass.getpass', lambda _: 'invalid')
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpriv",
+                "--key",
+                str(gen_key),
+                "--format",
+                key_format,
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid passphrase" in result.stdout
+
+
+class TestGetPub(TestKeys):
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_getpub(self, key_type, tmp_path_persistent):
+        """Get public key - Default lang is c """
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + "default" + PUB_KEY_EXT)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+            ],
+        )
+        assert result.exit_code == 0
+        assert pub_key.exists()
+        assert pub_key.stat().st_size > 0
+        verify_public_key(key_type, "c", pub_key)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", KEY_ENCODINGS)
+    def test_getpub_with_encoding(self, key_type, encoding, tmp_path_persistent):
+        """Get public key with encoding"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + PUB_KEY_EXT)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+            ],
+        )
+        assert result.exit_code == 0
+        assert pub_key.exists()
+        assert pub_key.stat().st_size > 0
+        verify_public_key(key_type, encoding, pub_key)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("lang", KEY_LANGS)
+    def test_getpub_with_lang(self, key_type, lang, tmp_path_persistent):
+        """Get public key with specified lang"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + lang)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--lang",
+                lang,
+            ],
+        )
+        assert result.exit_code == 0
+        assert pub_key.exists()
+        assert pub_key.stat().st_size > 0
+        verify_public_key(key_type, lang, pub_key)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", KEY_ENCODINGS)
+    def test_getpub_no_outfile(self, key_type, encoding, tmp_path_persistent):
+        """Get public key without output file should dump only to stdout"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + "-null" + PUB_KEY_EXT)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--encoding",
+                encoding,
+            ],
+        )
+        assert result.exit_code == 0
+        assert len(result.stdout) != 0
+        assert not pub_key.exists()
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_getpub_invalid_encoding(self, key_type, tmp_path_persistent):
+        """Get public key with invalid encoding should error message in stdout"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + PUB_KEY_EXT)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--encoding",
+                "invalid",
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid value for '-e' / '--encoding':" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_getpub_invalid_lang(self, key_type, tmp_path_persistent):
+        """Get public key with invalid lang should print error message in stdout"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + PUB_KEY_EXT)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--lang",
+                "invalid",
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid value for '-l' / '--lang':" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", KEY_ENCODINGS)
+    @pytest.mark.parametrize("lang", KEY_LANGS)
+    def test_getpub_with_encoding_and_lang(self, key_type, encoding, lang, tmp_path_persistent):
+        """Get public key with both encoding and lang should print error message"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + lang + encoding + PUB_KEY_EXT)
+
+        assert not pub_key.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+                "--lang",
+                lang
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Please use only one of `--encoding/-e` or `--lang/-l`" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", KEY_ENCODINGS)
+    def test_getpub_invalid_pass(self, key_type, encoding, tmp_path_persistent, monkeypatch):
+        """Get public key with invalid password should print 'Invalid passphrase' in stdout"""
+
+        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + PUB_KEY_EXT)
+
+        monkeypatch.setattr('getpass.getpass', lambda _: 'invalid')
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+            ]
+        )
+        assert result.exit_code != 0
+        assert "Invalid passphrase" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", KEY_ENCODINGS)
+    def test_getpub_null_pass(self, key_type, encoding, tmp_path_persistent, monkeypatch):
+        """Get public key with invalid password should print 'Invalid passphrase' in stdout"""
+
+        gen_key = keys_dir + "/" + key_type + "_passwd" + GEN_KEY_EXT
+        pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + PUB_KEY_EXT)
+
+        monkeypatch.setattr('getpass.getpass', lambda _: '')
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                gen_key,
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+            ]
+        )
+        assert result.exit_code != 0
+        assert "Password was not given" in result.stdout
+
+
+class TestGetPubHash(TestKeys):
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_getpubhash(self, key_type, tmp_path_persistent):
+        """Get the hash of the public key - Default encoding is lang-c"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key_hash = tmp_name(
+            tmp_path_persistent, key_type, "." + "default" + PUB_KEY_HASH_EXT
+        )
+
+        assert not pub_key_hash.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpubhash",
+                "--key",
+                str(gen_key),
+                "--output",
+                str(pub_key_hash),
+            ],
+        )
+        assert result.exit_code == 0
+        assert pub_key_hash.exists()
+        assert pub_key_hash.stat().st_size > 0
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", PUB_HASH_ENCODINGS)
+    def test_getpubhash_with_encoding(self, key_type, encoding, tmp_path_persistent):
+        """Get the hash of the public key with encoding"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key_hash = tmp_name(
+            tmp_path_persistent, key_type, "." + encoding + PUB_KEY_HASH_EXT
+        )
+
+        assert not pub_key_hash.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpubhash",
+                "--key",
+                str(gen_key),
+                "--output",
+                str(pub_key_hash),
+                "--encoding",
+                encoding,
+            ],
+        )
+        assert result.exit_code == 0
+        assert pub_key_hash.exists()
+        assert pub_key_hash.stat().st_size > 0
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", PUB_HASH_ENCODINGS)
+    def test_getpubhash_with_no_output(self, key_type, encoding, tmp_path_persistent):
+        """Get the hash of the public key without outfile should dump only to stdout"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key_hash = tmp_name(
+            tmp_path_persistent, key_type, "." + encoding + "-null" + PUB_KEY_HASH_EXT
+        )
+
+        assert not pub_key_hash.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpubhash",
+                "--key",
+                str(gen_key),
+                "--encoding",
+                encoding,
+            ],
+        )
+        assert result.exit_code == 0
+        assert len(result.stdout) != 0
+        assert not pub_key_hash.exists()
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_getpubhash_with_invalid_encoding(self, key_type, tmp_path_persistent):
+        """Get the hash of the public key with encoding"""
+
+        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        pub_key_hash = tmp_name(
+            tmp_path_persistent, key_type, "." + "invalid" + PUB_KEY_HASH_EXT
+        )
+
+        assert not pub_key_hash.exists()
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpubhash",
+                "--key",
+                str(gen_key),
+                "--output",
+                str(pub_key_hash),
+                "--encoding",
+                "invalid",
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid value for '-e' / '--encoding':" in result.stdout
+        assert not pub_key_hash.exists()
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    @pytest.mark.parametrize("encoding", PUB_HASH_ENCODINGS)
+    def test_getpubhash_with_invalid_pass(self, key_type, encoding, tmp_path_persistent, monkeypatch):
+        """Get the hash of the public key with invalid password should print 'Invalid passphrase' in stdout"""
+
+        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+        pub_key_hash = tmp_name(
+            tmp_path_persistent, key_type, "." + encoding + "-null" + PUB_KEY_HASH_EXT
+        )
+
+        assert not pub_key_hash.exists()
+
+        monkeypatch.setattr('getpass.getpass', lambda _: 'invalid')
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "getpubhash",
+                "--key",
+                str(gen_key),
+                "--output",
+                str(pub_key_hash),
+                "--encoding",
+                encoding,
+            ],
+            input="invalid"
+        )
+        assert result.exit_code != 0
+        assert not pub_key_hash.exists()
+        assert "Invalid passphrase" in result.stdout

From 4824e36df9229bbae160dc226fe8659696ac23d4 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Mon, 27 Nov 2023 21:36:50 +0100
Subject: [PATCH 04/13] imgtool: Improve key type checks and invalid
 pass-phrase handling

Key type checking moved to separate function and added support for
ed25519, enckey is enforced to be a public key

Invalid pass-phrase was not reachable in methods as in that case an
exception raised instead of returning "None".
load_key function improved by adding handling for invalid pass-phrase
and FileNotFound exception.

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I0caa0a6100fc95c8339403e991d6de0337c7a725
---
 scripts/imgtool/keys/__init__.py | 16 +++++--
 scripts/imgtool/keys/general.py  | 72 ++++++++++++++++++--------------
 scripts/imgtool/main.py          | 51 ++++++++++++----------
 3 files changed, 83 insertions(+), 56 deletions(-)

diff --git a/scripts/imgtool/keys/__init__.py b/scripts/imgtool/keys/__init__.py
index ed2fed57e9..86e5e3d63c 100644
--- a/scripts/imgtool/keys/__init__.py
+++ b/scripts/imgtool/keys/__init__.py
@@ -1,5 +1,5 @@
 # Copyright 2017 Linaro Limited
-# Copyright 2023 Arm Limited
+# Copyright 2023-2024 Arm Limited
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -58,14 +58,24 @@ def load(path, passwd=None):
     except TypeError as e:
         msg = str(e)
         if "private key is encrypted" in msg:
+            print(msg)
             return None
         raise e
-    except ValueError:
+    except ValueError as e:
+        msg1 = str(e)
         # This seems to happen if the key is a public key, let's try
         # loading it as a public key.
-        pk = serialization.load_pem_public_key(
+        try:
+            pk = serialization.load_pem_public_key(
                 raw_pem,
                 backend=default_backend())
+        except ValueError as e:
+            # If loading as public key also fails, that indicates wrong
+            # passphrase input
+            msg2 = str(e)
+            if ("password may be incorrect" in msg1 and
+                    "Are you sure this is a public key" in msg2):
+                raise Exception("Invalid passphrase")
 
     if isinstance(pk, RSAPrivateKey):
         if pk.key_size not in RSA_KEY_SIZES:
diff --git a/scripts/imgtool/keys/general.py b/scripts/imgtool/keys/general.py
index 4ff700c495..675a6c2347 100644
--- a/scripts/imgtool/keys/general.py
+++ b/scripts/imgtool/keys/general.py
@@ -2,15 +2,25 @@
 
 # SPDX-License-Identifier: Apache-2.0
 
-import binascii
-import io
 import os
 import sys
+
+from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
 from cryptography.hazmat.primitives.hashes import Hash, SHA256
 
+from imgtool import keys
+
 AUTOGEN_MESSAGE = "/* Autogenerated by imgtool.py, do not edit. */"
 
 
+def key_types_matching(key: PrivateKeyTypes, enckey: PublicKeyTypes):
+    type_dict = {keys.ECDSA256P1: keys.ECDSA256P1Public,
+                 keys.ECDSA384P1: keys.ECDSA384P1Public,
+                 keys.Ed25519: keys.X25519Public,
+                 keys.RSA: keys.RSAPublic}
+    return type_dict[type(key)] == type(enckey)
+
+
 class FileHandler(object):
     def __init__(self, file, *args, **kwargs):
         self.file_in = file
@@ -34,7 +44,7 @@ def _emit(self, header, trailer, encoded_bytes, indent, file=sys.stdout,
               len_format=None):
         with FileHandler(file, 'w') as file:
             self._emit_to_output(header, trailer, encoded_bytes, indent,
-                                     file, len_format)
+                                 file, len_format)
 
     def _emit_to_output(self, header, trailer, encoded_bytes, indent, file,
                         len_format):
@@ -62,27 +72,27 @@ def _emit_raw(self, encoded_bytes, file):
 
     def emit_c_public(self, file=sys.stdout):
         self._emit(
-                header="const unsigned char {}_pub_key[] = {{"
-                       .format(self.shortname()),
-                trailer="};",
-                encoded_bytes=self.get_public_bytes(),
-                indent="    ",
-                len_format="const unsigned int {}_pub_key_len = {{}};"
-                           .format(self.shortname()),
-                file=file)
+            header="const unsigned char {}_pub_key[] = {{"
+            .format(self.shortname()),
+            trailer="};",
+            encoded_bytes=self.get_public_bytes(),
+            indent="    ",
+            len_format="const unsigned int {}_pub_key_len = {{}};"
+            .format(self.shortname()),
+            file=file)
 
     def emit_c_public_hash(self, file=sys.stdout):
         digest = Hash(SHA256())
         digest.update(self.get_public_bytes())
         self._emit(
-                header="const unsigned char {}_pub_key_hash[] = {{"
-                       .format(self.shortname()),
-                trailer="};",
-                encoded_bytes=digest.finalize(),
-                indent="    ",
-                len_format="const unsigned int {}_pub_key_hash_len = {{}};"
-                           .format(self.shortname()),
-                file=file)
+            header="const unsigned char {}_pub_key_hash[] = {{"
+            .format(self.shortname()),
+            trailer="};",
+            encoded_bytes=digest.finalize(),
+            indent="    ",
+            len_format="const unsigned int {}_pub_key_hash_len = {{}};"
+            .format(self.shortname()),
+            file=file)
 
     def emit_raw_public(self, file=sys.stdout):
         self._emit_raw(self.get_public_bytes(), file=file)
@@ -94,12 +104,12 @@ def emit_raw_public_hash(self, file=sys.stdout):
 
     def emit_rust_public(self, file=sys.stdout):
         self._emit(
-                header="static {}_PUB_KEY: &[u8] = &["
-                       .format(self.shortname().upper()),
-                trailer="];",
-                encoded_bytes=self.get_public_bytes(),
-                indent="    ",
-                file=file)
+            header="static {}_PUB_KEY: &[u8] = &["
+            .format(self.shortname().upper()),
+            trailer="];",
+            encoded_bytes=self.get_public_bytes(),
+            indent="    ",
+            file=file)
 
     def emit_public_pem(self, file=sys.stdout):
         with FileHandler(file, 'w') as file:
@@ -107,9 +117,9 @@ def emit_public_pem(self, file=sys.stdout):
 
     def emit_private(self, minimal, format, file=sys.stdout):
         self._emit(
-                header="const unsigned char enc_priv_key[] = {",
-                trailer="};",
-                encoded_bytes=self.get_private_bytes(minimal, format),
-                indent="    ",
-                len_format="const unsigned int enc_priv_key_len = {};",
-                file=file)
+            header="const unsigned char enc_priv_key[] = {",
+            trailer="};",
+            encoded_bytes=self.get_private_bytes(minimal, format),
+            indent="    ",
+            len_format="const unsigned int enc_priv_key_len = {};",
+            file=file)
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
index 009d9234c5..23cf24a955 100755
--- a/scripts/imgtool/main.py
+++ b/scripts/imgtool/main.py
@@ -1,7 +1,7 @@
 #! /usr/bin/env python3
 #
 # Copyright 2017-2020 Linaro Limited
-# Copyright 2019-2023 Arm Limited
+# Copyright 2019-2024 Arm Limited
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -28,6 +28,7 @@
 import hashlib
 import base64
 from imgtool import image, imgtool_version
+from imgtool.keys.general import key_types_matching
 from imgtool.version import decode_version
 from imgtool.dumpinfo import dump_imginfo
 from .keys import (
@@ -99,12 +100,29 @@ def save_signature(sigfile, sig):
 
 
 def load_key(keyfile):
-    # TODO: better handling of invalid pass-phrase
-    key = keys.load(keyfile)
+    try:
+        key = keys.load(keyfile)
+    except FileNotFoundError as e:
+        print("Key File Not Found in the path: " + keyfile)
+        raise e
     if key is not None:
         return key
+
+    # Key is password protected
     passwd = getpass.getpass("Enter key passphrase: ").encode('utf-8')
-    return keys.load(keyfile, passwd)
+    try:
+        key = keys.load(keyfile, passwd)
+    except Exception as e:
+        msg = str(e)
+        if "Invalid passphrase" in msg:
+            print(msg)
+            exit(1)
+        else:
+            raise e
+    if key is None:
+        print("Could not load key for unknown error")
+        exit(1)
+    return key
 
 
 def get_password():
@@ -157,9 +175,8 @@ def getpub(key, encoding, lang, output):
 
     if not output:
         output = sys.stdout
-    if key is None:
-        print("Invalid passphrase")
-    elif lang == 'c' or encoding == 'lang-c':
+
+    if lang == 'c' or encoding == 'lang-c':
         key.emit_c_public(file=output)
     elif lang == 'rust' or encoding == 'lang-rust':
         key.emit_rust_public(file=output)
@@ -189,9 +206,8 @@ def getpubhash(key, output, encoding):
 
     if not output:
         output = sys.stdout
-    if key is None:
-        print("Invalid passphrase")
-    elif encoding == 'lang-c':
+
+    if encoding == 'lang-c':
         key.emit_c_public_hash(file=output)
     elif encoding == 'raw':
         key.emit_raw_public_hash(file=output)
@@ -212,8 +228,6 @@ def getpubhash(key, output, encoding):
 @click.command(help='Dump private key from keypair')
 def getpriv(key, minimal, format):
     key = load_key(key)
-    if key is None:
-        print("Invalid passphrase")
     try:
         key.emit_private(minimal, format)
     except (RSAUsageError, ECDSAUsageError, Ed25519UsageError,
@@ -460,16 +474,9 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
     img.load(infile)
     key = load_key(key) if key else None
     enckey = load_key(encrypt) if encrypt else None
-    if enckey and key:
-        if ((isinstance(key, keys.ECDSA256P1) and
-             not isinstance(enckey, keys.ECDSA256P1Public))
-           or (isinstance(key, keys.ECDSA384P1) and
-               not isinstance(enckey, keys.ECDSA384P1Public))
-                or (isinstance(key, keys.RSA) and
-                    not isinstance(enckey, keys.RSAPublic))):
-            # FIXME
-            raise click.UsageError("Signing and encryption must use the same "
-                                   "type of key")
+    if enckey and key and not key_types_matching(key, enckey):
+        raise click.UsageError("Encryption must use the public pair of the "
+                               "same type of key used for signing")
 
     if pad_sig and hasattr(key, 'pad_sig'):
         key.pad_sig = True

From f676afa829cf1c5e1b9a1d397725e39e63af28fe Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Thu, 16 May 2024 10:15:10 +0200
Subject: [PATCH 05/13] imgtool: Add tests for signing

Add tests for various features of sign command

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I46005bbbfa3b707076f5f69e49b7e2028e13af16
---
 scripts/tests/test_sign.py | 1366 ++++++++++++++++++++++++++++++++++++
 1 file changed, 1366 insertions(+)
 create mode 100644 scripts/tests/test_sign.py

diff --git a/scripts/tests/test_sign.py b/scripts/tests/test_sign.py
new file mode 100644
index 0000000000..0f10f172b7
--- /dev/null
+++ b/scripts/tests/test_sign.py
@@ -0,0 +1,1366 @@
+# Copyright 2024 Arm Limited
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import io
+import os
+from contextlib import redirect_stdout
+from pathlib import Path
+
+import pytest
+from click.testing import CliRunner
+
+from imgtool.dumpinfo import dump_imginfo
+from imgtool.main import imgtool
+from tests.constants import KEY_TYPES, GEN_KEY_EXT, PUB_KEY_EXT, tmp_name
+
+try:
+    KEY_TYPES.remove("x25519")  # x25519 is not used for signing, so directory does not contain any such image
+except ValueError:
+    pass
+
+KEY_DIR = "./keys/"
+
+
+def assert_image_signed(result, image_signed, verify=True):
+    assert result.exit_code == 0
+    assert image_signed.exists()
+    assert image_signed.stat().st_size > 0
+
+    # Verify unless specified otherwise
+    if verify:
+        runner = CliRunner()
+
+        result = runner.invoke(
+            imgtool, ["verify", str(image_signed), ],
+        )
+        assert result.exit_code == 0
+
+
+class TestSign:
+    image = None
+    image_signed = None
+    runner = CliRunner()
+    key = None
+
+    @pytest.fixture(scope="class")
+    def tmp_path_persistent(self, tmp_path_factory):
+        return tmp_path_factory.mktemp("keys")
+
+    @pytest.fixture(autouse=True)
+    def setup(self, tmp_path_persistent):
+        """Generate keys and images for testing"""
+
+        self.image = Path("./images/zero.bin")
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".signed")
+
+    @pytest.fixture(autouse=True)
+    def teardown(self):
+        if os.path.exists(str(self.image_signed)):
+            os.remove(str(self.image_signed))
+
+
+class TestSignBasic(TestSign):
+
+    def test_sign_basic(self, tmp_path_persistent):
+        """Test basic sign and verify"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("max_align", ("8", "16", "32"))
+    def test_sign_max_align(self, tmp_path_persistent, max_align):
+        """Test sign with max align"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--max-align",
+                max_align,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("version, expected", [
+        ("0.0.0", 0),
+        ("1.0.0", 0),
+        ("12.2.34", 0),
+        ("12.3.45+67", 0),
+        ("0.0.0+0", 0),
+        ("asd", 2),
+        ("2.2.a", 2),
+        ("a.2.3", 2),
+        ("1.2.3.4", 2),
+        ("0.0.0+00", 2),
+
+    ])
+    def test_sign_validations_version(self, tmp_path_persistent, version, expected):
+        """Test Signature validation"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                version,
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == expected
+
+    @pytest.mark.parametrize("sec_counter, expected", [
+        ("auto", 0),
+        ("1", 0),
+        ("2", 0),
+        ("inv", 2),
+
+    ])
+    def test_sign_validations_security_counter(self, tmp_path_persistent, sec_counter, expected):
+        """Test security counter validation"""
+
+        # validate security counter
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--security-counter",
+                sec_counter,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == expected
+
+    @pytest.mark.parametrize(
+        ("header_size", "expected"),
+        ((0, 2),
+         (64, 0),
+         ("invalid", 2),),
+    )
+    def test_sign_validations_header_size(self, tmp_path_persistent, header_size, expected):
+        """Test header size validation"""
+
+        # Header size validations
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                str(header_size),
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == expected
+
+    @pytest.mark.parametrize("dependencies, expected", [
+        ("(1, 1.2.3+0)", 0),
+        ("", 2),
+        ("(1, 1.2.3+0)(2)", 2),
+        ("(1, 1.)", 2),
+        ("1, 1.2)", 2),
+
+    ])
+    def test_sign_dependencies(self, tmp_path_persistent, dependencies, expected):
+        """Test with dependencies"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+                "--dependencies",
+                dependencies,
+            ],
+        )
+        assert result.exit_code == expected
+
+    def test_sign_header_not_padded(self, tmp_path_persistent):
+        """Test with un-padded header with non-zero start should fail"""
+
+        self.image = Path("./images/one.bin")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Header padding was not requested" in result.output
+
+    def test_sign_pad(self, tmp_path_persistent):
+        """Test sign pad"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--pad",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("erased_val", ("0", "0xff"))
+    def test_sign_pad_erased_val(self, tmp_path_persistent, erased_val):
+        """Test sign pad"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--pad",
+                "--erased-val",
+                erased_val,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+        # Capture dumpinfo stdout to check value used for padding
+        f = io.StringIO()
+        with redirect_stdout(f):
+            dump_imginfo(self.image_signed)
+        result = f.getvalue()
+
+        assert f"padding ({erased_val}" in result
+
+    def test_sign_confirm(self, tmp_path_persistent):
+        """Test with confirm"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--confirm",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+
+    def test_sign_max_sectors(self, tmp_path_persistent):
+        """Test with max sectors"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--max-sectors",
+                "256",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("boot_record, expected", [
+        ("BABE", 0),
+        ("DEADBEEF", 0),
+        ("DEADBEEFF00D", 0),
+        ("DEADBEEFF00DB", 2),
+        ("DEADBEEFF00DBABE", 2),
+    ])
+    def test_sign_boot_record(self, tmp_path_persistent, boot_record, expected):
+        """Test with boot record"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--boot-record",
+                boot_record,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        if expected != 0:
+            assert result.exit_code != 0
+            assert "is too long" in result.stdout
+        else:
+            assert_image_signed(result, self.image_signed)
+
+    def test_sign_overwrite_only(self, tmp_path_persistent):
+        """Test sign overwrite"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--overwrite-only",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("endian", ("little", "big"))
+    def test_sign_endian(self, tmp_path_persistent, endian):
+        """Test sign endian"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--endian",
+                endian,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed, verify=False)
+
+    def test_sign_rom_fixed(self, tmp_path_persistent):
+        """Test sign with rom fixed"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--rom-fixed",
+                "1",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("vector", ("digest", "payload",))
+    def test_sign_vector_to_sign(self, tmp_path_persistent, vector):
+        """Test with vector to sign"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--vector-to-sign",
+                vector,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        # Don't verify as output is not expected to be a valid image
+        assert_image_signed(result, self.image_signed, verify=False)
+
+
+class TestSignKey(TestSign):
+    @pytest.fixture(autouse=True)
+    def setup_key(self, request, tmp_path_persistent, key_type):
+        """Generate keys for testing"""
+        self.key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.key), "--type", key_type]
+        )
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_missing_args(self, key_type, tmp_path_persistent):
+        """Test basic sign with missing args should fail"""
+
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+
+        # not all required arguments are provided
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert not self.image_signed.exists()
+        assert "Error: Missing option" in result.stdout
+
+    @pytest.mark.parametrize("key_format", ("hash", "full",))
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_pub_key_format(self, key_type, tmp_path_persistent, key_format):
+        """Test with pub key format"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--public-key-format",
+                key_format,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_fix_sig(self, tmp_path_persistent, key_type):
+        """Test with fix signature"""
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--fix-sig",
+                "/dev/null",
+                "--fix-sig-pubkey",
+                self.key,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                self.key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--fix-sig",
+                "/dev/null",
+                "--fix-sig-pubkey",
+                self.key,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Can not sign using key and provide fixed-signature at" in result.output
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--fix-sig",
+                "/dev/null",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "public key of the fixed signature is not specified" in result.output
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_sig_out(self, tmp_path_persistent, key_type):
+        """Test signature output"""
+
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(key), "--type", key_type]
+        )
+        sig_file = tmp_name(tmp_path_persistent, "signature", "sig")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+                "--sig-out",
+                str(sig_file),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_load_addr(self, key_type, tmp_path_persistent):
+        """Test sign with load addr"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--load-addr",
+                "1",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_load_addr_rom_fixed(self, key_type, tmp_path_persistent):
+        """Test sign with both load addr and rom fixed should fail"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2500",
+                "--pad-header",
+                "--load-addr",
+                "1",
+                "--rom-fixed",
+                "1",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Can not set rom_fixed and load_addr at the same time" in result.output
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_custom_tlv(self, tmp_path_persistent, key_type):
+        """Test signing with custom TLV"""
+
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+
+        # Sign
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "0x00a0",
+                "0x00ff",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+        # Sign - TLV value in octal
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "256",
+                "64",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+
+        # Fail - same TLV twice
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "0x00a0",
+                "0x00ff",
+                "--custom-tlv",
+                "0x00a0",
+                "0x00ff",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "already exists" in result.stdout
+
+        # Fail - predefined TLV
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "0x00a0",
+                "0x00ff",
+                "--custom-tlv",
+                "0x0010",
+                "0x00ff",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "conflicts with predefined TLV" in result.stdout
+
+        # Fail - odd TLV length
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "0x00a0",
+                "0x00fff",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Custom TLV length is odd" in result.stdout
+
+        #  Fail - TLV < 0x00a0
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "159",  # MIN is 160
+                "DEAD",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid custom TLV type value" in result.stdout
+
+        #  Fail - TLV > 0xfffe
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--custom-tlv",
+                "65535",  # MAX is 65534
+                "DEAD",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid custom TLV type value" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_pad_sig(self, tmp_path_persistent, key_type):
+        """Test pad signature"""
+
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--pad-sig",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+
+class TestSignEncrypt(TestSign):
+
+    @pytest.fixture(autouse=True)
+    def setup_enc(self, tmp_path_persistent, key_type):
+        """Generate keys and images for testing"""
+        self.key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.key), "--type", key_type]
+        )
+
+        encoding = "pem"
+        self.pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + encoding)
+
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", self.key, "--type", key_type]
+        )
+
+        # Get public pair for key
+        self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                self.key,
+                "--output",
+                self.pub_key,
+                "--encoding",
+                encoding,
+            ],
+        )
+
+    @pytest.mark.parametrize("key_len", ("128", "256",))
+    @pytest.mark.parametrize("align", ("1", "2", "4", "8", "16", "32",))
+    @pytest.mark.parametrize("key_type", KEY_TYPES[:-1])
+    def test_sign_enc_key(self, tmp_path_persistent, key_type, align, key_len):
+        """Test signing with encryption"""
+
+        encoding = "pem"
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + encoding)
+
+        # Sign and encrypt
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--encrypt",
+                pub_key,
+                "--align",
+                align,
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--encrypt-keylen",
+                key_len,
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed, verify=False)
+
+        # Encryption key is not public should fail
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--encrypt",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+
+    @pytest.mark.parametrize("align", ("1", "2", "4", "8", "16", "32",))
+    @pytest.mark.parametrize("key_type", KEY_TYPES[:-1])
+    def test_sign_enc_key_non_16(self, tmp_path_persistent, key_type, align):
+        """Test signing with encryption with file with size that is not divisible by 16"""
+
+        encoding = "pem"
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + encoding)
+        self.image = tmp_name(tmp_path_persistent, "1023", ".bin")
+        with self.image.open("wb") as f:
+            f.write(b"\x00" * 1023)
+
+        # Sign and encrypt
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--encrypt",
+                pub_key,
+                "--align",
+                align,
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        # Don't verify as verify command does not support encrypted images yet
+        assert_image_signed(result, self.image_signed, verify=False)
+
+    @pytest.mark.parametrize("key_type", ("ed25519",))
+    def test_sign_enc_key_x25519(self, tmp_path_persistent, key_type):
+        """Test signing with ed25519 and encrypting with x25519"""
+
+        encoding = "pem"
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        enckey = tmp_name(tmp_path_persistent, "x25519", GEN_KEY_EXT)
+        pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + encoding)
+
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(enckey), "--type", "x25519"]
+        )
+
+        # Get public pair for key
+        self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                str(enckey),
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+            ],
+        )
+
+        # Sign and encrypt
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--encrypt",
+                pub_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--clear",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        # Can be verified as --clean option used during signing
+        assert_image_signed(result, self.image_signed)
+
+        # Encryption key is not public should fail
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--encrypt",
+                key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES[:-1])
+    def test_sign_enc_save_enctlv(self, tmp_path_persistent, key_type):
+        """Test with save enctlv"""
+
+        encoding = "pem"
+        key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + encoding)
+
+        # Sign and encrypt
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                key,
+                "--encrypt",
+                pub_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--save-enctlv",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        # Don't verify as verify command does not support encrypted images yet
+        assert_image_signed(result, self.image_signed, verify=False)
+
+
+class TestSignHex(TestSign):
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_basic_hex(self, key_type, tmp_path_persistent):
+        """Test basic sign and verify hex file"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+        self.image = "./images/zero.hex"
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2048",
+                "--pad-header",
+                "--hex-addr",
+                "0",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_hex_file_not_exists(self, key_type, tmp_path_persistent):
+        """Test sign hex file with non-existent file"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+        self.image = "./images/invalid/path/file.hex"
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2048",
+                "--pad-header",
+                "--hex-addr",
+                "0",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Input file not found" in result.output
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_hex_padded(self, key_type, tmp_path_persistent):
+        """Test hex file with pad"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+        self.image = "./images/one_offset.hex"
+        # image above generated as below:
+        # ih = IntelHex()
+        # ih.puts(10, '1' * 1024)
+        # ih.write_hex_file(str(self.image))
+
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2048",
+                "--pad-header",
+                "--hex-addr",
+                "1",
+                "--pad",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_hex_confirm(self, key_type, tmp_path_persistent):
+        """Test hex file with confirm"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+        self.image = "./images/zero.hex"
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x2048",
+                "--pad-header",
+                "--hex-addr",
+                "0",
+                "--confirm",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert_image_signed(result, self.image_signed)
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_sign_basic_hex_bad_image_size(self, key_type, tmp_path_persistent):
+        """Test basic sign hex file with insufficient size should fail"""
+
+        loaded_key = KEY_DIR + key_type + ".key"
+        self.image = "./images/zero.hex"
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                loaded_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x20",
+                "--slot-size",
+                "0x1024",
+                "--pad-header",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "exceeds requested size" in result.output

From 46c94c3bd6564aba3d3e15df9f3a4c98ca76abf6 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Mon, 27 Nov 2023 21:38:37 +0100
Subject: [PATCH 06/13] imgtool: Add testing for verify command

Tests for verify command with various types of signed
image files

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I309aa42a77812cae41007c70b99f28e2597840cf
---
 scripts/tests/test_verify.py | 425 +++++++++++++++++++++++++++++++++++
 1 file changed, 425 insertions(+)
 create mode 100644 scripts/tests/test_verify.py

diff --git a/scripts/tests/test_verify.py b/scripts/tests/test_verify.py
new file mode 100644
index 0000000000..9633768e6e
--- /dev/null
+++ b/scripts/tests/test_verify.py
@@ -0,0 +1,425 @@
+# Copyright 2024 Arm Limited
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pytest
+from click.testing import CliRunner
+
+from imgtool.main import imgtool
+from tests.constants import KEY_TYPES, GEN_KEY_EXT, tmp_name, signed_images_dir
+
+try:
+    KEY_TYPES.remove("x25519")  # x25519 is not used for signing, so directory does not contain any such image
+except ValueError:
+    pass
+
+
+class TestVerify:
+    image = None
+    image_signed = None
+    runner = CliRunner()
+
+    @pytest.fixture(scope="session")
+    def tmp_path_persistent(self, tmp_path_factory):
+        return tmp_path_factory.mktemp("keys")
+
+
+class TestVerifyBasic(TestVerify):
+    key = None
+    gen_key = None
+    test_signed_images_dir = signed_images_dir + "/basic/"
+
+    @pytest.fixture(autouse=True)
+    def setup(self, request, tmp_path_persistent, key_type):
+        self.key = "./keys/" + key_type + ".key"
+        self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
+        )
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_basic(self, key_type, tmp_path_persistent):
+        """Test verify basic image"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_wrong_key(self, key_type, tmp_path_persistent):
+        """Test verify basic image with wrong key"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.gen_key),
+                self.image_signed,
+            ],
+        )
+        assert result.exit_code != 0
+        assert "No signature found for the given key" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_key_not_exists(self, key_type, tmp_path_persistent):
+        """Test verify basic image with non-existent key"""
+
+        inv_key = "./invalidPath"
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(inv_key),
+                self.image_signed,
+            ],
+        )
+        assert result.exit_code != 0
+        assert "File Not Found" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_image_not_exists(self, key_type, tmp_path_persistent):
+        """Test verify basic image with non-existent image"""
+
+        self.image_signed = "./invalid"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                self.key,
+                self.image_signed,
+            ],
+        )
+        assert result.exit_code != 0
+        assert "File Not Found" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-3072",))
+    def test_verify_key_inv_magic(self, key_type, tmp_path_persistent):
+        """Test verify basic image with invalid magic"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + "_invMagic.bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid image magic" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-3072",))
+    def test_verify_key_inv_tlv_magic(self, key_type, tmp_path_persistent):
+        """Test verify basic image with invalid tlv magic"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + "_invTLVMagic.bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Invalid TLV info magic" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-3072",))
+    def test_verify_key_inv_hash(self, key_type, tmp_path_persistent):
+        """ Test verify basic image with invalid hash"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + "_invHash.bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "Image has an invalid hash" in result.stdout
+
+
+class TestVerifyEncryptedClear(TestVerify):
+    key = None
+    gen_key = None
+    test_signed_images_dir = signed_images_dir + "/encryptedClear/"
+
+    @pytest.fixture(autouse=True)
+    def setup(self, request, tmp_path_persistent, key_type):
+        self.key = "./keys/" + key_type + ".key"
+        self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
+        )
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_encrypted_clear(self, key_type, tmp_path_persistent):
+        """Test verify encrypted imaged with clear option"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".enc"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_encrypted_clear_wrong_key(self, key_type, tmp_path_persistent):
+        """Test verify with wrong key should fail"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".enc"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.gen_key),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code != 0
+        assert "No signature found for the given key" in result.stdout
+
+
+class TestVerifyCustomTLV(TestVerify):
+    key = None
+    gen_key = None
+    test_signed_images_dir = signed_images_dir + "/customTLV/"
+
+    @pytest.fixture(autouse=True)
+    def setup(self, request, tmp_path_persistent, key_type):
+        self.key = "./keys/" + key_type + ".key"
+        self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
+        )
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_custom_tlv(self, key_type, tmp_path_persistent):
+        """Test verify image with customTLV"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES)
+    def test_verify_custom_tlv_no_key(self, key_type, tmp_path_persistent):
+        """Test verify image with customTLV"""
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+
+class TestVerifyNoKey(TestVerify):
+    """Tests for images that are signed without --key option """
+    key = None
+    test_signed_images_dir = signed_images_dir + "/noKey/"
+
+    def test_verify_no_key(self):
+        """Test verify image signed without key """
+
+        self.image_signed = self.test_signed_images_dir + "noKey256" + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+    def test_verify_no_key_image_with_key(self):
+        """Test verify image signed without key, attempt to verify with a key should fail on signature check"""
+
+        self.key = "./keys/" + "rsa-2048" + ".key"
+        self.image_signed = self.test_signed_images_dir + "noKey256" + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code != 0
+        assert "No signature found for the given key" in result.stdout
+
+    def test_verify_no_key_image_with_wrong_key(self):
+        """Test verify image signed without key, attempt to verify with wrong key should fail on hash check"""
+
+        self.key = "./keys/" + "ecdsa-p384" + ".key"
+        self.image_signed = self.test_signed_images_dir + "noKey256" + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code != 0
+        assert "Key type does not match TLV record" in result.stdout
+
+
+class TestVerifyPubKey(TestVerify):
+    """Tests for images that are signed without --key option and with --fix-sig-pubkey"""
+    key = None
+    gen_key = None
+    test_signed_images_dir = signed_images_dir + "/pubKeyOnly/"
+
+    @pytest.fixture(autouse=True)
+    def setup(self, request, tmp_path_persistent, key_type):
+        self.key = "./keys/" + key_type + ".key"
+        self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
+        )
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES[:-1])
+    def test_verify_no_key(self, key_type):
+        """Test verify image signed with --fix-sig, verify without key """
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("ecdsa-p384",))
+    def test_verify_384_key(self, key_type):
+        """Test verify image without key """
+
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code == 0
+        assert "Image was correctly validated" in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES[:-2])
+    def test_verify_key_not_matching(self, key_type, tmp_path_persistent):
+        """Test verify image with mismatching key """
+
+        self.key = "./keys/" + "ecdsa-p384" + ".key"
+        self.image_signed = self.test_signed_images_dir + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code != 0
+        assert "Key type does not match TLV record" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("ecdsa-p256",))
+    def test_verify_key_not_matching_384(self, key_type, tmp_path_persistent):
+        """Test verify image with mismatching key """
+
+        self.image_signed = self.test_signed_images_dir + "ecdsa-p384" + ".bin"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        print(result.stdout)
+        assert result.exit_code != 0
+        assert "Key type does not match TLV record" in result.stdout

From 401e6e8b31eb5e86015d81a78ef3d77905b107bf Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Mon, 27 Nov 2023 21:15:58 +0100
Subject: [PATCH 07/13] imgtool: Add tests for dumpinfo command

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I380e2839ae14ceca706e5b03f5ecf2d4ed53af5c
---
 scripts/tests/test_dumpinfo.py | 328 +++++++++++++++++++++++++++++++++
 1 file changed, 328 insertions(+)
 create mode 100644 scripts/tests/test_dumpinfo.py

diff --git a/scripts/tests/test_dumpinfo.py b/scripts/tests/test_dumpinfo.py
new file mode 100644
index 0000000000..d8ba8515d4
--- /dev/null
+++ b/scripts/tests/test_dumpinfo.py
@@ -0,0 +1,328 @@
+# Copyright 2024 Arm Limited
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from pathlib import Path
+from tempfile import mktemp
+
+import pytest
+from click.testing import CliRunner
+
+from imgtool.main import imgtool
+from tests.constants import tmp_name, KEY_TYPES, signed_images_dir
+
+DUMPINFO_SUCCESS_LITERAL = "dumpinfo has run successfully"
+
+DUMPINFO_TRAILER = """
+swap status: (len: unknown)
+enc. keys:   Image not encrypted
+swap size:   unknown
+swap_info:   INVALID (0xff)
+copy_done:   INVALID (0xff)
+image_ok:    SET (0x1)
+boot magic:  """
+
+DUMPINFO_ENCRYPTED_TRAILER = """
+swap status: (len: unknown)
+enc. keys:   (len: 0x20, if BOOT_SWAP_SAVE_ENCTLV is unset)
+swap size:   unknown
+swap_info:   INVALID (0xff)
+copy_done:   INVALID (0xff)
+image_ok:    INVALID (0xff)
+boot magic:  """
+
+
+class TestDumpInfo:
+    image = None
+    image_signed = None
+    runner = CliRunner()
+    dumpfile = mktemp("dump.dat")
+
+    @pytest.fixture(scope="session")
+    def tmp_path_persistent(self, tmp_path_factory):
+        return tmp_path_factory.mktemp("keys")
+
+    @pytest.fixture(autouse=True)
+    def setup(self, tmp_path_persistent, key_type="rsa-2048"):
+        """Generate keys and images for testing"""
+
+        self.key = tmp_name(tmp_path_persistent, key_type, ".key")
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(self.key), "--type", key_type]
+        )
+
+        self.image = "./images/zero.bin"
+        self.image_signed = tmp_name(tmp_path_persistent, "image", ".signed")
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo(self, tmp_path_persistent, key_type):
+        self.image_signed = signed_images_dir + "/basic/" + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", "invalid"]
+        )
+        assert result.exit_code != 0
+        assert "Error: Image file not found" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo_silent(self, tmp_path_persistent, key_type):
+        self.image_signed = signed_images_dir + "/basic/" + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed), "-s"]
+        )
+        assert result.exit_code == 0
+        assert result.stdout == ""
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", "invalid", "-s"]
+        )
+        assert result.exit_code != 0
+        assert "Error: Image file not found" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo_tlv(self, tmp_path_persistent, key_type):
+        self.image_signed = signed_images_dir + "/customTLV/" + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert "type: UNKNOWN (0xa0)" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo_tlv_outfile(self, tmp_path_persistent, key_type):
+        self.image_signed = signed_images_dir + "/customTLV/" + key_type + ".bin"
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", "-o", self.dumpfile, str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert Path(self.dumpfile).exists()
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    @pytest.mark.parametrize("align", ('1', '2', '4', '8', '16', '32',))
+    def test_dumpinfo_align_pad(self, tmp_path_persistent, key_type, align):
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                self.key,
+                "--align",
+                align,
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--pad",
+                "--confirm",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert DUMPINFO_TRAILER in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    @pytest.mark.parametrize("align", ('1', '2', '4', '8', '16', '32',))
+    def test_dumpinfo_align_pad_outfile(self, tmp_path_persistent, key_type, align):
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                self.key,
+                "--align",
+                align,
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--pad",
+                "--confirm",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", "-o", self.dumpfile, str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert DUMPINFO_TRAILER in result.stdout
+        assert Path(self.dumpfile).exists()
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    @pytest.mark.parametrize("align", ('1', '2', '4', '8', '16', '32',))
+    def test_dumpinfo_max_align_pad(self, tmp_path_persistent, key_type, align):
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                self.key,
+                "--align",
+                align,
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x10000",
+                "--pad-header",
+                "--pad",
+                "--confirm",
+                "--max-align",
+                "32",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert DUMPINFO_TRAILER in result.stdout
+
+    @pytest.mark.parametrize("key_type", KEY_TYPES[:-1])
+    def test_dumpinfo_encrypted_clear(self, tmp_path_persistent, key_type):
+        encoding = "pem"
+        enckey = "./keys/" + key_type + ".key"
+        pub_key = tmp_name(tmp_path_persistent, key_type, ".pub." + encoding)
+        self.image_signed = signed_images_dir + "/encryptedClear/" + key_type + ".enc"
+
+        self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                str(enckey),
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+            ],
+        )
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo_encrypted_padded_outfile(self, tmp_path_persistent, key_type):
+        self.image_signed = signed_images_dir + "/pad_sig_enc_16.bin"
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", "-o", self.dumpfile, self.image_signed]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert DUMPINFO_ENCRYPTED_TRAILER in result.stdout
+        assert Path(self.dumpfile).exists()
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo_encrypted_padded_invalid(self, tmp_path_persistent, key_type):
+        self.image_signed = signed_images_dir + "/pad_2.3K_sig_enc_16_inv.bin"
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", self.image_signed]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert "Warning: the trailer magic value is invalid!" in result.stdout
+
+    @pytest.mark.parametrize("key_type", ("rsa-2048",))
+    def test_dumpinfo_padded_multiflag(self, tmp_path_persistent, key_type):
+        encoding = "pem"
+        enckey = tmp_name(tmp_path_persistent, key_type, ".key")
+        pub_key = tmp_name(tmp_path_persistent, key_type, ".pub." + encoding)
+
+        self.runner.invoke(
+            imgtool, ["keygen", "--key", str(enckey), "--type", key_type]
+        )
+
+        self.runner.invoke(
+            imgtool,
+            [
+                "getpub",
+                "--key",
+                str(enckey),
+                "--output",
+                str(pub_key),
+                "--encoding",
+                encoding,
+            ],
+        )
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "sign",
+                "--key",
+                self.key,
+                "--encrypt",
+                pub_key,
+                "--align",
+                "16",
+                "--version",
+                "1.0.0",
+                "--header-size",
+                "0x400",
+                "--slot-size",
+                "0x2300",
+                "--pad-header",
+                "--pad",
+                "--rom-fixed",
+                "32",
+                str(self.image),
+                str(self.image_signed),
+            ],
+        )
+        assert result.exit_code == 0
+
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert "ENCRYPTED_AES128" in result.stdout
+        assert "ROM_FIXED" in result.stdout
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout
+        assert DUMPINFO_ENCRYPTED_TRAILER in result.stdout

From 3af9d9bf94209f9e549d0d2365e34b3b2dac5c10 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Fri, 15 Dec 2023 13:25:36 +0100
Subject: [PATCH 08/13] imgtool: Add verification tests for hex files

Added tests for verification of hex files
Extract common assertions to a separate function

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: Ia20fcbec81c0fea22f7cfe4af7a8927a6dbbbc74
---
 .../images/signed/hex/zero_hex-addr_0.hex     | 88 +++++++++++++++++++
 .../images/signed/hex/zero_hex-addr_16.hex    | 88 +++++++++++++++++++
 .../images/signed/hex/zero_hex-addr_35.hex    | 88 +++++++++++++++++++
 scripts/tests/test_verify.py                  | 76 ++++++++++------
 4 files changed, 311 insertions(+), 29 deletions(-)
 create mode 100644 scripts/tests/images/signed/hex/zero_hex-addr_0.hex
 create mode 100644 scripts/tests/images/signed/hex/zero_hex-addr_16.hex
 create mode 100644 scripts/tests/images/signed/hex/zero_hex-addr_35.hex

diff --git a/scripts/tests/images/signed/hex/zero_hex-addr_0.hex b/scripts/tests/images/signed/hex/zero_hex-addr_0.hex
new file mode 100644
index 0000000000..6f70b811b1
--- /dev/null
+++ b/scripts/tests/images/signed/hex/zero_hex-addr_0.hex
@@ -0,0 +1,88 @@
+:100000003DB8F3960000000020000000FF03000050
+:1000100000000000010000000000000000000000DF
+:1000200001010101010101010101010101010101C0
+:1000300001010101010101010101010101010101B0
+:1000400001010101010101010101010101010101A0
+:100050000101010101010101010101010101010190
+:100060000101010101010101010101010101010180
+:100070000101010101010101010101010101010170
+:100080000101010101010101010101010101010160
+:100090000101010101010101010101010101010150
+:1000A0000101010101010101010101010101010140
+:1000B0000101010101010101010101010101010130
+:1000C0000101010101010101010101010101010120
+:1000D0000101010101010101010101010101010110
+:1000E0000101010101010101010101010101010100
+:1000F00001010101010101010101010101010101F0
+:1001000001010101010101010101010101010101DF
+:1001100001010101010101010101010101010101CF
+:1001200001010101010101010101010101010101BF
+:1001300001010101010101010101010101010101AF
+:10014000010101010101010101010101010101019F
+:10015000010101010101010101010101010101018F
+:10016000010101010101010101010101010101017F
+:10017000010101010101010101010101010101016F
+:10018000010101010101010101010101010101015F
+:10019000010101010101010101010101010101014F
+:1001A000010101010101010101010101010101013F
+:1001B000010101010101010101010101010101012F
+:1001C000010101010101010101010101010101011F
+:1001D000010101010101010101010101010101010F
+:1001E00001010101010101010101010101010101FF
+:1001F00001010101010101010101010101010101EF
+:1002000001010101010101010101010101010101DE
+:1002100001010101010101010101010101010101CE
+:1002200001010101010101010101010101010101BE
+:1002300001010101010101010101010101010101AE
+:10024000010101010101010101010101010101019E
+:10025000010101010101010101010101010101018E
+:10026000010101010101010101010101010101017E
+:10027000010101010101010101010101010101016E
+:10028000010101010101010101010101010101015E
+:10029000010101010101010101010101010101014E
+:1002A000010101010101010101010101010101013E
+:1002B000010101010101010101010101010101012E
+:1002C000010101010101010101010101010101011E
+:1002D000010101010101010101010101010101010E
+:1002E00001010101010101010101010101010101FE
+:1002F00001010101010101010101010101010101EE
+:1003000001010101010101010101010101010101DD
+:1003100001010101010101010101010101010101CD
+:1003200001010101010101010101010101010101BD
+:1003300001010101010101010101010101010101AD
+:10034000010101010101010101010101010101019D
+:10035000010101010101010101010101010101018D
+:10036000010101010101010101010101010101017D
+:10037000010101010101010101010101010101016D
+:10038000010101010101010101010101010101015D
+:10039000010101010101010101010101010101014D
+:1003A000010101010101010101010101010101013D
+:1003B000010101010101010101010101010101012D
+:1003C000010101010101010101010101010101011D
+:1003D000010101010101010101010101010101010D
+:1003E00001010101010101010101010101010101FD
+:1003F00001010101010101010101010101010101ED
+:1004000001010101010101010101010101010101DC
+:1004100001010101010101010101010101010107C6
+:100420006950011000200034E38DD5950696DF9EBB
+:10043000E843F3857825F27DAA652686898B3231DB
+:1004400030DF88657666D701002000ACBE8D1B7258
+:100450003E1A8D47471D15D84D14A98FF71C62DD34
+:10046000F1EF34C3F71C724B8E20462000000120B0
+:1004700026407977596FE45645D988435802087E5B
+:1004800068A2FA1DAA56818D8647444EE0C56B8648
+:100490005B7411B94A5C9177F035C88D3C63A7C68F
+:1004A0000AA6D76DD20DE37A0DF6A8739FB16776D1
+:1004B0004F319BE664F6AA3D9434FA5AB7D14A8A82
+:1004C00020FF56580AA80B859603420A5EA1822196
+:1004D00060BD99A7027D6A787C0E1B44740F84F37B
+:1004E000AD9BDF6D7777BF0AF08D918882482675C6
+:1004F000A9B083CDED31C3FD9582ECD240543C0CC4
+:100500007256C0A1E75AE5BBF3B101753499E81BF7
+:10051000D7184411709F13BDC5417BDD6F8CF26904
+:1005200069C1025A15D6E5C191B70F9DB522FF9852
+:100530003A3C68A2E00470AA9AAA15D77D4E538D62
+:100540000240AB3003888CA2EA5BA6E9B5621E9A32
+:10055000FD9F1F74FB7786EC19D97D571C527B0CCD
+:0F0560000F2336A4684349944EF10AC97C8DC21B
+:00000001FF
diff --git a/scripts/tests/images/signed/hex/zero_hex-addr_16.hex b/scripts/tests/images/signed/hex/zero_hex-addr_16.hex
new file mode 100644
index 0000000000..c36e7849ef
--- /dev/null
+++ b/scripts/tests/images/signed/hex/zero_hex-addr_16.hex
@@ -0,0 +1,88 @@
+:100010003DB8F3960000000020000000FF03000040
+:1000200000000000010000000000000000000000CF
+:1000300001010101010101010101010101010101B0
+:1000400001010101010101010101010101010101A0
+:100050000101010101010101010101010101010190
+:100060000101010101010101010101010101010180
+:100070000101010101010101010101010101010170
+:100080000101010101010101010101010101010160
+:100090000101010101010101010101010101010150
+:1000A0000101010101010101010101010101010140
+:1000B0000101010101010101010101010101010130
+:1000C0000101010101010101010101010101010120
+:1000D0000101010101010101010101010101010110
+:1000E0000101010101010101010101010101010100
+:1000F00001010101010101010101010101010101F0
+:1001000001010101010101010101010101010101DF
+:1001100001010101010101010101010101010101CF
+:1001200001010101010101010101010101010101BF
+:1001300001010101010101010101010101010101AF
+:10014000010101010101010101010101010101019F
+:10015000010101010101010101010101010101018F
+:10016000010101010101010101010101010101017F
+:10017000010101010101010101010101010101016F
+:10018000010101010101010101010101010101015F
+:10019000010101010101010101010101010101014F
+:1001A000010101010101010101010101010101013F
+:1001B000010101010101010101010101010101012F
+:1001C000010101010101010101010101010101011F
+:1001D000010101010101010101010101010101010F
+:1001E00001010101010101010101010101010101FF
+:1001F00001010101010101010101010101010101EF
+:1002000001010101010101010101010101010101DE
+:1002100001010101010101010101010101010101CE
+:1002200001010101010101010101010101010101BE
+:1002300001010101010101010101010101010101AE
+:10024000010101010101010101010101010101019E
+:10025000010101010101010101010101010101018E
+:10026000010101010101010101010101010101017E
+:10027000010101010101010101010101010101016E
+:10028000010101010101010101010101010101015E
+:10029000010101010101010101010101010101014E
+:1002A000010101010101010101010101010101013E
+:1002B000010101010101010101010101010101012E
+:1002C000010101010101010101010101010101011E
+:1002D000010101010101010101010101010101010E
+:1002E00001010101010101010101010101010101FE
+:1002F00001010101010101010101010101010101EE
+:1003000001010101010101010101010101010101DD
+:1003100001010101010101010101010101010101CD
+:1003200001010101010101010101010101010101BD
+:1003300001010101010101010101010101010101AD
+:10034000010101010101010101010101010101019D
+:10035000010101010101010101010101010101018D
+:10036000010101010101010101010101010101017D
+:10037000010101010101010101010101010101016D
+:10038000010101010101010101010101010101015D
+:10039000010101010101010101010101010101014D
+:1003A000010101010101010101010101010101013D
+:1003B000010101010101010101010101010101012D
+:1003C000010101010101010101010101010101011D
+:1003D000010101010101010101010101010101010D
+:1003E00001010101010101010101010101010101FD
+:1003F00001010101010101010101010101010101ED
+:1004000001010101010101010101010101010101DC
+:1004100001010101010101010101010101010101CC
+:1004200001010101010101010101010101010107B6
+:100430006950011000200034E38DD5950696DF9EAB
+:10044000E843F3857825F27DAA652686898B3231CB
+:1004500030DF88657666D701002000ACBE8D1B7248
+:100460003E1A8D47471D15D84D14A98FF71C62DD24
+:10047000F1EF34C3F71C724B8E2046200000019D23
+:1004800068458A1A3EFF5B9C5765B3ECF9609EBED7
+:10049000736E2429860007387BA6DF2086BEAF82D4
+:1004A000C3D771F0EFC128C7BB96D97CD92EF5868A
+:1004B000751CEF59B1ED98FD03C9008D1A49635DB4
+:1004C0009E65DF1B526AA09D631A2FE8961074E4A4
+:1004D000FF684382FBAE86B1EA222297EC16B0E9B0
+:1004E0006EEAD60FAB8173BB3040FDBD1C5884262D
+:1004F00071630BCB07513811304B6391D97DA92A19
+:10050000BBD25F6ECF1CC066991C524251C3B6F07D
+:10051000406E43862BD66BE0A4102D6C5E754FF4B5
+:10052000198460107E2E197B65EA94F848D49C6388
+:10053000ADA12B7F01639D922CD11548BB3EDC956C
+:100540002FC2C924006FD5C7B20E4620FB5D48A854
+:1005500068055D49D58D3A4F4FFD86852E7DD9665C
+:1005600070AFEFE9FB2FB4F71A4E3EFEBE94931F17
+:0F057000F2BB6D8B96403FA14413682358D572A0
+:00000001FF
diff --git a/scripts/tests/images/signed/hex/zero_hex-addr_35.hex b/scripts/tests/images/signed/hex/zero_hex-addr_35.hex
new file mode 100644
index 0000000000..9954f22099
--- /dev/null
+++ b/scripts/tests/images/signed/hex/zero_hex-addr_35.hex
@@ -0,0 +1,88 @@
+:100023003DB8F3960000000020000000FF0300002D
+:1000330000000000010000000000000000000000BC
+:10004300010101010101010101010101010101019D
+:10005300010101010101010101010101010101018D
+:10006300010101010101010101010101010101017D
+:10007300010101010101010101010101010101016D
+:10008300010101010101010101010101010101015D
+:10009300010101010101010101010101010101014D
+:1000A300010101010101010101010101010101013D
+:1000B300010101010101010101010101010101012D
+:1000C300010101010101010101010101010101011D
+:1000D300010101010101010101010101010101010D
+:1000E30001010101010101010101010101010101FD
+:1000F30001010101010101010101010101010101ED
+:1001030001010101010101010101010101010101DC
+:1001130001010101010101010101010101010101CC
+:1001230001010101010101010101010101010101BC
+:1001330001010101010101010101010101010101AC
+:10014300010101010101010101010101010101019C
+:10015300010101010101010101010101010101018C
+:10016300010101010101010101010101010101017C
+:10017300010101010101010101010101010101016C
+:10018300010101010101010101010101010101015C
+:10019300010101010101010101010101010101014C
+:1001A300010101010101010101010101010101013C
+:1001B300010101010101010101010101010101012C
+:1001C300010101010101010101010101010101011C
+:1001D300010101010101010101010101010101010C
+:1001E30001010101010101010101010101010101FC
+:1001F30001010101010101010101010101010101EC
+:1002030001010101010101010101010101010101DB
+:1002130001010101010101010101010101010101CB
+:1002230001010101010101010101010101010101BB
+:1002330001010101010101010101010101010101AB
+:10024300010101010101010101010101010101019B
+:10025300010101010101010101010101010101018B
+:10026300010101010101010101010101010101017B
+:10027300010101010101010101010101010101016B
+:10028300010101010101010101010101010101015B
+:10029300010101010101010101010101010101014B
+:1002A300010101010101010101010101010101013B
+:1002B300010101010101010101010101010101012B
+:1002C300010101010101010101010101010101011B
+:1002D300010101010101010101010101010101010B
+:1002E30001010101010101010101010101010101FB
+:1002F30001010101010101010101010101010101EB
+:1003030001010101010101010101010101010101DA
+:1003130001010101010101010101010101010101CA
+:1003230001010101010101010101010101010101BA
+:1003330001010101010101010101010101010101AA
+:10034300010101010101010101010101010101019A
+:10035300010101010101010101010101010101018A
+:10036300010101010101010101010101010101017A
+:10037300010101010101010101010101010101016A
+:10038300010101010101010101010101010101015A
+:10039300010101010101010101010101010101014A
+:1003A300010101010101010101010101010101013A
+:1003B300010101010101010101010101010101012A
+:1003C300010101010101010101010101010101011A
+:1003D300010101010101010101010101010101010A
+:1003E30001010101010101010101010101010101FA
+:1003F30001010101010101010101010101010101EA
+:1004030001010101010101010101010101010101D9
+:1004130001010101010101010101010101010101C9
+:1004230001010101010101010101010101010101B9
+:1004330001010101010101010101010101010107A3
+:100443006950011000200034E38DD5950696DF9E98
+:10045300E843F3857825F27DAA652686898B3231B8
+:1004630030DF88657666D701002000ACBE8D1B7235
+:100473003E1A8D47471D15D84D14A98FF71C62DD11
+:10048300F1EF34C3F71C724B8E204620000001624B
+:100493000C085DF7F51FA1EC60386FDB5AFE1759A6
+:1004A3009103B96CC6887010413CC925524FD45C86
+:1004B300F708EF57A4F234A2B21E635B6EBA9277C9
+:1004C300D9566B452C7E6FBC0B9273CDE306A8C146
+:1004D300F3F85B52F806D82A01FEB7BC7F8D982C3F
+:1004E300BD6F5F97E93B7C49B05806EAFD07640A94
+:1004F300EC54A2AF45F613C74E8666C6062E678E2A
+:100503007EF6D79B1FB252E485D77750D4D7C9E77D
+:10051300D9283DDB2D7DF5467E8DE4CEE06A19F8C2
+:10052300FB499767772636B0D8C6D97C25A159EF02
+:10053300F5237FDD4ED26296B1C4EE3471A4991FC8
+:1005430088617DD545BDAD005F8C69F306B1CDAA49
+:100553006EDE73FD2430C4697136FB6855F2A783E0
+:100563002C199DE3F1F5032DD62B89639AB7BC595A
+:100573004E3C2B9B4728218CF904C7B510E12A195F
+:0F0583007AE0FB58627856A4F6F5EA20C0F7ED4F
+:00000001FF
diff --git a/scripts/tests/test_verify.py b/scripts/tests/test_verify.py
index 9633768e6e..70d1d68018 100644
--- a/scripts/tests/test_verify.py
+++ b/scripts/tests/test_verify.py
@@ -20,12 +20,20 @@
 from imgtool.main import imgtool
 from tests.constants import KEY_TYPES, GEN_KEY_EXT, tmp_name, signed_images_dir
 
+KEY_TYPE_MISMATCH_TLV = "Key type does not match TLV record"
+NO_SIG_FOR_KEY = "No signature found for the given key"
+
 try:
     KEY_TYPES.remove("x25519")  # x25519 is not used for signing, so directory does not contain any such image
 except ValueError:
     pass
 
 
+def assert_valid(result):
+    assert result.exit_code == 0
+    assert "Image was correctly validated" in result.stdout
+
+
 class TestVerify:
     image = None
     image_signed = None
@@ -64,9 +72,7 @@ def test_verify_basic(self, key_type, tmp_path_persistent):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
     @pytest.mark.parametrize("key_type", KEY_TYPES)
     def test_verify_wrong_key(self, key_type, tmp_path_persistent):
@@ -84,7 +90,7 @@ def test_verify_wrong_key(self, key_type, tmp_path_persistent):
             ],
         )
         assert result.exit_code != 0
-        assert "No signature found for the given key" in result.stdout
+        assert NO_SIG_FOR_KEY in result.stdout
 
     @pytest.mark.parametrize("key_type", KEY_TYPES)
     def test_verify_key_not_exists(self, key_type, tmp_path_persistent):
@@ -206,8 +212,7 @@ def test_verify_encrypted_clear(self, key_type, tmp_path_persistent):
                 str(self.image_signed),
             ],
         )
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
     @pytest.mark.parametrize("key_type", KEY_TYPES)
     def test_verify_encrypted_clear_wrong_key(self, key_type, tmp_path_persistent):
@@ -225,7 +230,7 @@ def test_verify_encrypted_clear_wrong_key(self, key_type, tmp_path_persistent):
             ],
         )
         assert result.exit_code != 0
-        assert "No signature found for the given key" in result.stdout
+        assert NO_SIG_FOR_KEY in result.stdout
 
 
 class TestVerifyCustomTLV(TestVerify):
@@ -256,8 +261,7 @@ def test_verify_custom_tlv(self, key_type, tmp_path_persistent):
                 str(self.image_signed),
             ],
         )
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
     @pytest.mark.parametrize("key_type", KEY_TYPES)
     def test_verify_custom_tlv_no_key(self, key_type, tmp_path_persistent):
@@ -272,9 +276,7 @@ def test_verify_custom_tlv_no_key(self, key_type, tmp_path_persistent):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
 
 class TestVerifyNoKey(TestVerify):
@@ -294,9 +296,7 @@ def test_verify_no_key(self):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
     def test_verify_no_key_image_with_key(self):
         """Test verify image signed without key, attempt to verify with a key should fail on signature check"""
@@ -313,9 +313,8 @@ def test_verify_no_key_image_with_key(self):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
         assert result.exit_code != 0
-        assert "No signature found for the given key" in result.stdout
+        assert NO_SIG_FOR_KEY in result.stdout
 
     def test_verify_no_key_image_with_wrong_key(self):
         """Test verify image signed without key, attempt to verify with wrong key should fail on hash check"""
@@ -332,9 +331,8 @@ def test_verify_no_key_image_with_wrong_key(self):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
         assert result.exit_code != 0
-        assert "Key type does not match TLV record" in result.stdout
+        assert KEY_TYPE_MISMATCH_TLV in result.stdout
 
 
 class TestVerifyPubKey(TestVerify):
@@ -364,9 +362,7 @@ def test_verify_no_key(self, key_type):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
     @pytest.mark.parametrize("key_type", ("ecdsa-p384",))
     def test_verify_384_key(self, key_type):
@@ -381,9 +377,7 @@ def test_verify_384_key(self, key_type):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
-        assert result.exit_code == 0
-        assert "Image was correctly validated" in result.stdout
+        assert_valid(result)
 
     @pytest.mark.parametrize("key_type", KEY_TYPES[:-2])
     def test_verify_key_not_matching(self, key_type, tmp_path_persistent):
@@ -401,9 +395,8 @@ def test_verify_key_not_matching(self, key_type, tmp_path_persistent):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
         assert result.exit_code != 0
-        assert "Key type does not match TLV record" in result.stdout
+        assert KEY_TYPE_MISMATCH_TLV in result.stdout
 
     @pytest.mark.parametrize("key_type", ("ecdsa-p256",))
     def test_verify_key_not_matching_384(self, key_type, tmp_path_persistent):
@@ -420,6 +413,31 @@ def test_verify_key_not_matching_384(self, key_type, tmp_path_persistent):
                 str(self.image_signed),
             ],
         )
-        print(result.stdout)
         assert result.exit_code != 0
-        assert "Key type does not match TLV record" in result.stdout
+        assert KEY_TYPE_MISMATCH_TLV in result.stdout
+
+
+class TestVerifyHex(TestVerify):
+    key = None
+    test_signed_images_dir = signed_images_dir + "/hex/"
+
+    @pytest.fixture(autouse=True)
+    def setup(self, request, tmp_path_persistent, key_type="rsa-2048"):
+        self.key = "./keys/" + key_type + ".key"
+
+    @pytest.mark.parametrize("hex_addr", ("0", "16", "35"))
+    def test_verify_basic(self, hex_addr, tmp_path_persistent):
+        """Test verify basic image"""
+
+        self.image_signed = self.test_signed_images_dir + f"zero_hex-addr_{hex_addr}" + ".hex"
+
+        result = self.runner.invoke(
+            imgtool,
+            [
+                "verify",
+                "--key",
+                str(self.key),
+                str(self.image_signed),
+            ],
+        )
+        assert_valid(result)

From 44e14a31f660cbf68a70ca508c2624d361e12675 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Fri, 15 Dec 2023 17:49:19 +0100
Subject: [PATCH 09/13] imgtool: Add support for hex files in dumpinfo and
 tests

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I37b54000955f30f87aff8f23a1ea71804bf967cd
---
 scripts/imgtool/dumpinfo.py    | 11 +++++++++--
 scripts/tests/test_dumpinfo.py |  9 +++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/scripts/imgtool/dumpinfo.py b/scripts/imgtool/dumpinfo.py
index 55446574c1..3f97a49f5d 100644
--- a/scripts/imgtool/dumpinfo.py
+++ b/scripts/imgtool/dumpinfo.py
@@ -23,8 +23,10 @@
 
 import click
 import yaml
+from intelhex import IntelHex
 
 from imgtool import image
+from imgtool.image import INTEL_HEX_EXT
 
 HEADER_ITEMS = ("magic", "load_addr", "hdr_size", "protected_tlv_size",
                 "img_size", "flags", "version")
@@ -129,9 +131,14 @@ def dump_imginfo(imgfile, outfile=None, silent=False):
     trailer = {}
     key_field_len = None
 
+    ext = os.path.splitext(imgfile)[1][1:].lower()
     try:
-        with open(imgfile, "rb") as f:
-            b = f.read()
+        if ext == INTEL_HEX_EXT:
+            ih = IntelHex(imgfile)
+            b = ih.tobinstr()
+        else:
+            with open(imgfile, "rb") as f:
+                b = f.read()
     except FileNotFoundError:
         raise click.UsageError("Image file not found ({})".format(imgfile))
 
diff --git a/scripts/tests/test_dumpinfo.py b/scripts/tests/test_dumpinfo.py
index d8ba8515d4..8bc817b53f 100644
--- a/scripts/tests/test_dumpinfo.py
+++ b/scripts/tests/test_dumpinfo.py
@@ -326,3 +326,12 @@ def test_dumpinfo_padded_multiflag(self, tmp_path_persistent, key_type):
         assert "ROM_FIXED" in result.stdout
         assert DUMPINFO_SUCCESS_LITERAL in result.stdout
         assert DUMPINFO_ENCRYPTED_TRAILER in result.stdout
+
+    @pytest.mark.parametrize("hex_addr", ("0", "16", "35"))
+    def test_dumpinfo_hex(self, tmp_path_persistent, hex_addr):
+        self.image_signed = signed_images_dir + "/hex/" + f"zero_hex-addr_{hex_addr}" + ".hex"
+        result = self.runner.invoke(
+            imgtool, ["dumpinfo", str(self.image_signed)]
+        )
+        assert result.exit_code == 0
+        assert DUMPINFO_SUCCESS_LITERAL in result.stdout

From e765e0e99621d46499a84809a7810ea479433621 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Thu, 23 May 2024 11:35:53 +0200
Subject: [PATCH 10/13] imgtool: Unify File not found error messages

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I67e614811c31e786efebc05b9264611d6bb17edb
---
 scripts/imgtool/dumpinfo.py  | 2 +-
 scripts/imgtool/image.py     | 4 ++--
 scripts/imgtool/main.py      | 2 +-
 scripts/tests/test_sign.py   | 2 +-
 scripts/tests/test_verify.py | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/imgtool/dumpinfo.py b/scripts/imgtool/dumpinfo.py
index 3f97a49f5d..20cc63df75 100644
--- a/scripts/imgtool/dumpinfo.py
+++ b/scripts/imgtool/dumpinfo.py
@@ -140,7 +140,7 @@ def dump_imginfo(imgfile, outfile=None, silent=False):
             with open(imgfile, "rb") as f:
                 b = f.read()
     except FileNotFoundError:
-        raise click.UsageError("Image file not found ({})".format(imgfile))
+        raise click.UsageError(f"Image file not found: {imgfile}")
 
     # Parsing the image header
     _header = struct.unpack('IIHHIIBBHI', b[:28])
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
index 115d04ec9b..094d271214 100644
--- a/scripts/imgtool/image.py
+++ b/scripts/imgtool/image.py
@@ -333,7 +333,7 @@ def load(self, path):
                     self.infile_data = f.read()
                     self.payload = copy.copy(self.infile_data)
         except FileNotFoundError:
-            raise click.UsageError("Input file not found")
+            raise click.UsageError(f"Image file not found: {path}")
         self.image_size = len(self.payload)
 
         # Add the image header if needed.
@@ -779,7 +779,7 @@ def verify(imgfile, key):
                 with open(imgfile, 'rb') as f:
                     b = f.read()
         except FileNotFoundError:
-            raise click.UsageError(f"Image file {imgfile} not found")
+            raise click.UsageError(f"Image file not found: {imgfile}")
 
         magic, _, header_size, _, img_size = struct.unpack('IIHHI', b[:16])
         version = struct.unpack('BBHI', b[20:28])
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
index 23cf24a955..2b40dfca39 100755
--- a/scripts/imgtool/main.py
+++ b/scripts/imgtool/main.py
@@ -103,7 +103,7 @@ def load_key(keyfile):
     try:
         key = keys.load(keyfile)
     except FileNotFoundError as e:
-        print("Key File Not Found in the path: " + keyfile)
+        print(f"Key file not found: {keyfile}")
         raise e
     if key is not None:
         return key
diff --git a/scripts/tests/test_sign.py b/scripts/tests/test_sign.py
index 0f10f172b7..8b93525b11 100644
--- a/scripts/tests/test_sign.py
+++ b/scripts/tests/test_sign.py
@@ -1264,7 +1264,7 @@ def test_sign_hex_file_not_exists(self, key_type, tmp_path_persistent):
             ],
         )
         assert result.exit_code != 0
-        assert "Input file not found" in result.output
+        assert "Image file not found" in result.output
 
     @pytest.mark.parametrize("key_type", KEY_TYPES)
     def test_sign_hex_padded(self, key_type, tmp_path_persistent):
diff --git a/scripts/tests/test_verify.py b/scripts/tests/test_verify.py
index 70d1d68018..9aacfaa8af 100644
--- a/scripts/tests/test_verify.py
+++ b/scripts/tests/test_verify.py
@@ -109,7 +109,7 @@ def test_verify_key_not_exists(self, key_type, tmp_path_persistent):
             ],
         )
         assert result.exit_code != 0
-        assert "File Not Found" in result.stdout
+        assert "Key file not found" in result.stdout
 
     @pytest.mark.parametrize("key_type", KEY_TYPES)
     def test_verify_image_not_exists(self, key_type, tmp_path_persistent):
@@ -127,7 +127,7 @@ def test_verify_image_not_exists(self, key_type, tmp_path_persistent):
             ],
         )
         assert result.exit_code != 0
-        assert "File Not Found" in result.stdout
+        assert "Image file not found" in result.stdout
 
     @pytest.mark.parametrize("key_type", ("rsa-3072",))
     def test_verify_key_inv_magic(self, key_type, tmp_path_persistent):

From 31dfd124f820c6dccee35e145444bf1c283c33c2 Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Fri, 21 Jun 2024 10:59:01 +0200
Subject: [PATCH 11/13] imgtool: Fix test paths

Move tests from imgtool/keys to test/keys
Move pre-generated files to test/assets folder
Fix paths for tests to run from root directory
Replace hardcoded paths with constants in tests

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I100e65609f31cefa1c17f20143bceb165862fa14
---
 scripts/tests/{ => assets}/images/one.bin     |   0
 .../tests/{ => assets}/images/one_offset.hex  |   0
 .../images/signed/basic/ecdsa-p256.bin        | Bin
 .../images/signed/basic/ecdsa-p384.bin        | Bin
 .../images/signed/basic/ed25519.bin           | Bin
 .../images/signed/basic/rsa-2048.bin          | Bin
 .../images/signed/basic/rsa-3072.bin          | Bin
 .../images/signed/basic/rsa-3072_invHash.bin  | Bin
 .../images/signed/basic/rsa-3072_invMagic.bin | Bin
 .../signed/basic/rsa-3072_invTLVMagic.bin     | Bin
 .../images/signed/customTLV/ecdsa-p256.bin    | Bin
 .../images/signed/customTLV/ecdsa-p384.bin    | Bin
 .../images/signed/customTLV/ed25519.bin       | Bin
 .../images/signed/customTLV/rsa-2048.bin      | Bin
 .../images/signed/customTLV/rsa-3072.bin      | Bin
 .../signed/encryptedClear/ecdsa-p256.enc      | Bin
 .../signed/encryptedClear/ecdsa-p384.enc      | Bin
 .../images/signed/encryptedClear/ed25519.enc  | Bin
 .../images/signed/encryptedClear/rsa-2048.enc | Bin
 .../images/signed/encryptedClear/rsa-3072.enc | Bin
 .../images/signed/hex/zero_hex-addr_0.hex     |   0
 .../images/signed/hex/zero_hex-addr_16.hex    |   0
 .../images/signed/hex/zero_hex-addr_35.hex    |   0
 .../images/signed/noKey/noKey256.bin          | Bin
 .../images/signed/no_pad_sig_enc_16.bin       | Bin
 .../images/signed/no_pad_sig_enc_16_inv.bin   | Bin
 .../images/signed/pad/padNoEnc.bin            | Bin
 .../images/signed/pad_2.3K_sig_enc_16_inv.bin | Bin
 .../images/signed/pad_sig_enc_16.bin          | Bin
 .../images/signed/pad_sig_enc_16_inv.bin      | Bin
 .../images/signed/pad_sig_enc_32.bin          | Bin
 .../images/signed/pubKeyOnly/ecdsa-p256.bin   | Bin
 .../images/signed/pubKeyOnly/ecdsa-p384.bin   | Bin
 .../images/signed/pubKeyOnly/rsa-2048.bin     | Bin
 .../images/signed/pubKeyOnly/rsa-3072.bin     | Bin
 scripts/tests/{ => assets}/images/zero.bin    | Bin
 scripts/tests/{ => assets}/images/zero.hex    |   0
 .../tests/{ => assets}/keys/ecdsa-p256.key    |   0
 .../{ => assets}/keys/ecdsa-p256_passwd.key   |   0
 .../tests/{ => assets}/keys/ecdsa-p384.key    |   0
 .../{ => assets}/keys/ecdsa-p384_passwd.key   |   0
 scripts/tests/{ => assets}/keys/ed25519.key   |   0
 .../{ => assets}/keys/ed25519_passwd.key      |   0
 .../keys/public/ecdsa-p256-pem.pub            |   0
 .../keys/public/ecdsa-p384-pem.pub            |   0
 .../{ => assets}/keys/public/rsa-2048-pem.pub |   0
 .../{ => assets}/keys/public/rsa-3072-pem.pub |   0
 .../{ => assets}/keys/public/x25519-pem.pub   |   0
 scripts/tests/{ => assets}/keys/rsa-2048.key  |   0
 .../{ => assets}/keys/rsa-2048_passwd.key     |   0
 scripts/tests/{ => assets}/keys/rsa-3072.key  |   0
 .../{ => assets}/keys/rsa-3072_passwd.key     |   0
 scripts/tests/{ => assets}/keys/x25519.key    |   0
 .../tests/{ => assets}/keys/x25519_passwd.key |   0
 scripts/tests/constants.py                    |   4 +-
 scripts/{imgtool => tests}/keys/ecdsa_test.py |   0
 .../{imgtool => tests}/keys/ed25519_test.py   |   0
 scripts/{imgtool => tests}/keys/rsa_test.py   |   0
 scripts/tests/test_dumpinfo.py                |   4 +-
 scripts/tests/test_keys.py                    |  36 +++++++++---------
 scripts/tests/test_sign.py                    |  32 ++++++++--------
 scripts/tests/test_verify.py                  |  18 ++++-----
 62 files changed, 46 insertions(+), 48 deletions(-)
 rename scripts/tests/{ => assets}/images/one.bin (100%)
 rename scripts/tests/{ => assets}/images/one_offset.hex (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/ecdsa-p256.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/ecdsa-p384.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/ed25519.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/rsa-2048.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/rsa-3072.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/rsa-3072_invHash.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/rsa-3072_invMagic.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/basic/rsa-3072_invTLVMagic.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/customTLV/ecdsa-p256.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/customTLV/ecdsa-p384.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/customTLV/ed25519.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/customTLV/rsa-2048.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/customTLV/rsa-3072.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/encryptedClear/ecdsa-p256.enc (100%)
 rename scripts/tests/{ => assets}/images/signed/encryptedClear/ecdsa-p384.enc (100%)
 rename scripts/tests/{ => assets}/images/signed/encryptedClear/ed25519.enc (100%)
 rename scripts/tests/{ => assets}/images/signed/encryptedClear/rsa-2048.enc (100%)
 rename scripts/tests/{ => assets}/images/signed/encryptedClear/rsa-3072.enc (100%)
 rename scripts/tests/{ => assets}/images/signed/hex/zero_hex-addr_0.hex (100%)
 rename scripts/tests/{ => assets}/images/signed/hex/zero_hex-addr_16.hex (100%)
 rename scripts/tests/{ => assets}/images/signed/hex/zero_hex-addr_35.hex (100%)
 rename scripts/tests/{ => assets}/images/signed/noKey/noKey256.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/no_pad_sig_enc_16.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/no_pad_sig_enc_16_inv.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pad/padNoEnc.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pad_2.3K_sig_enc_16_inv.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pad_sig_enc_16.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pad_sig_enc_16_inv.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pad_sig_enc_32.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pubKeyOnly/ecdsa-p256.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pubKeyOnly/ecdsa-p384.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pubKeyOnly/rsa-2048.bin (100%)
 rename scripts/tests/{ => assets}/images/signed/pubKeyOnly/rsa-3072.bin (100%)
 rename scripts/tests/{ => assets}/images/zero.bin (100%)
 rename scripts/tests/{ => assets}/images/zero.hex (100%)
 rename scripts/tests/{ => assets}/keys/ecdsa-p256.key (100%)
 rename scripts/tests/{ => assets}/keys/ecdsa-p256_passwd.key (100%)
 rename scripts/tests/{ => assets}/keys/ecdsa-p384.key (100%)
 rename scripts/tests/{ => assets}/keys/ecdsa-p384_passwd.key (100%)
 rename scripts/tests/{ => assets}/keys/ed25519.key (100%)
 rename scripts/tests/{ => assets}/keys/ed25519_passwd.key (100%)
 rename scripts/tests/{ => assets}/keys/public/ecdsa-p256-pem.pub (100%)
 rename scripts/tests/{ => assets}/keys/public/ecdsa-p384-pem.pub (100%)
 rename scripts/tests/{ => assets}/keys/public/rsa-2048-pem.pub (100%)
 rename scripts/tests/{ => assets}/keys/public/rsa-3072-pem.pub (100%)
 rename scripts/tests/{ => assets}/keys/public/x25519-pem.pub (100%)
 rename scripts/tests/{ => assets}/keys/rsa-2048.key (100%)
 rename scripts/tests/{ => assets}/keys/rsa-2048_passwd.key (100%)
 rename scripts/tests/{ => assets}/keys/rsa-3072.key (100%)
 rename scripts/tests/{ => assets}/keys/rsa-3072_passwd.key (100%)
 rename scripts/tests/{ => assets}/keys/x25519.key (100%)
 rename scripts/tests/{ => assets}/keys/x25519_passwd.key (100%)
 rename scripts/{imgtool => tests}/keys/ecdsa_test.py (100%)
 rename scripts/{imgtool => tests}/keys/ed25519_test.py (100%)
 rename scripts/{imgtool => tests}/keys/rsa_test.py (100%)

diff --git a/scripts/tests/images/one.bin b/scripts/tests/assets/images/one.bin
similarity index 100%
rename from scripts/tests/images/one.bin
rename to scripts/tests/assets/images/one.bin
diff --git a/scripts/tests/images/one_offset.hex b/scripts/tests/assets/images/one_offset.hex
similarity index 100%
rename from scripts/tests/images/one_offset.hex
rename to scripts/tests/assets/images/one_offset.hex
diff --git a/scripts/tests/images/signed/basic/ecdsa-p256.bin b/scripts/tests/assets/images/signed/basic/ecdsa-p256.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/ecdsa-p256.bin
rename to scripts/tests/assets/images/signed/basic/ecdsa-p256.bin
diff --git a/scripts/tests/images/signed/basic/ecdsa-p384.bin b/scripts/tests/assets/images/signed/basic/ecdsa-p384.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/ecdsa-p384.bin
rename to scripts/tests/assets/images/signed/basic/ecdsa-p384.bin
diff --git a/scripts/tests/images/signed/basic/ed25519.bin b/scripts/tests/assets/images/signed/basic/ed25519.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/ed25519.bin
rename to scripts/tests/assets/images/signed/basic/ed25519.bin
diff --git a/scripts/tests/images/signed/basic/rsa-2048.bin b/scripts/tests/assets/images/signed/basic/rsa-2048.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/rsa-2048.bin
rename to scripts/tests/assets/images/signed/basic/rsa-2048.bin
diff --git a/scripts/tests/images/signed/basic/rsa-3072.bin b/scripts/tests/assets/images/signed/basic/rsa-3072.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/rsa-3072.bin
rename to scripts/tests/assets/images/signed/basic/rsa-3072.bin
diff --git a/scripts/tests/images/signed/basic/rsa-3072_invHash.bin b/scripts/tests/assets/images/signed/basic/rsa-3072_invHash.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/rsa-3072_invHash.bin
rename to scripts/tests/assets/images/signed/basic/rsa-3072_invHash.bin
diff --git a/scripts/tests/images/signed/basic/rsa-3072_invMagic.bin b/scripts/tests/assets/images/signed/basic/rsa-3072_invMagic.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/rsa-3072_invMagic.bin
rename to scripts/tests/assets/images/signed/basic/rsa-3072_invMagic.bin
diff --git a/scripts/tests/images/signed/basic/rsa-3072_invTLVMagic.bin b/scripts/tests/assets/images/signed/basic/rsa-3072_invTLVMagic.bin
similarity index 100%
rename from scripts/tests/images/signed/basic/rsa-3072_invTLVMagic.bin
rename to scripts/tests/assets/images/signed/basic/rsa-3072_invTLVMagic.bin
diff --git a/scripts/tests/images/signed/customTLV/ecdsa-p256.bin b/scripts/tests/assets/images/signed/customTLV/ecdsa-p256.bin
similarity index 100%
rename from scripts/tests/images/signed/customTLV/ecdsa-p256.bin
rename to scripts/tests/assets/images/signed/customTLV/ecdsa-p256.bin
diff --git a/scripts/tests/images/signed/customTLV/ecdsa-p384.bin b/scripts/tests/assets/images/signed/customTLV/ecdsa-p384.bin
similarity index 100%
rename from scripts/tests/images/signed/customTLV/ecdsa-p384.bin
rename to scripts/tests/assets/images/signed/customTLV/ecdsa-p384.bin
diff --git a/scripts/tests/images/signed/customTLV/ed25519.bin b/scripts/tests/assets/images/signed/customTLV/ed25519.bin
similarity index 100%
rename from scripts/tests/images/signed/customTLV/ed25519.bin
rename to scripts/tests/assets/images/signed/customTLV/ed25519.bin
diff --git a/scripts/tests/images/signed/customTLV/rsa-2048.bin b/scripts/tests/assets/images/signed/customTLV/rsa-2048.bin
similarity index 100%
rename from scripts/tests/images/signed/customTLV/rsa-2048.bin
rename to scripts/tests/assets/images/signed/customTLV/rsa-2048.bin
diff --git a/scripts/tests/images/signed/customTLV/rsa-3072.bin b/scripts/tests/assets/images/signed/customTLV/rsa-3072.bin
similarity index 100%
rename from scripts/tests/images/signed/customTLV/rsa-3072.bin
rename to scripts/tests/assets/images/signed/customTLV/rsa-3072.bin
diff --git a/scripts/tests/images/signed/encryptedClear/ecdsa-p256.enc b/scripts/tests/assets/images/signed/encryptedClear/ecdsa-p256.enc
similarity index 100%
rename from scripts/tests/images/signed/encryptedClear/ecdsa-p256.enc
rename to scripts/tests/assets/images/signed/encryptedClear/ecdsa-p256.enc
diff --git a/scripts/tests/images/signed/encryptedClear/ecdsa-p384.enc b/scripts/tests/assets/images/signed/encryptedClear/ecdsa-p384.enc
similarity index 100%
rename from scripts/tests/images/signed/encryptedClear/ecdsa-p384.enc
rename to scripts/tests/assets/images/signed/encryptedClear/ecdsa-p384.enc
diff --git a/scripts/tests/images/signed/encryptedClear/ed25519.enc b/scripts/tests/assets/images/signed/encryptedClear/ed25519.enc
similarity index 100%
rename from scripts/tests/images/signed/encryptedClear/ed25519.enc
rename to scripts/tests/assets/images/signed/encryptedClear/ed25519.enc
diff --git a/scripts/tests/images/signed/encryptedClear/rsa-2048.enc b/scripts/tests/assets/images/signed/encryptedClear/rsa-2048.enc
similarity index 100%
rename from scripts/tests/images/signed/encryptedClear/rsa-2048.enc
rename to scripts/tests/assets/images/signed/encryptedClear/rsa-2048.enc
diff --git a/scripts/tests/images/signed/encryptedClear/rsa-3072.enc b/scripts/tests/assets/images/signed/encryptedClear/rsa-3072.enc
similarity index 100%
rename from scripts/tests/images/signed/encryptedClear/rsa-3072.enc
rename to scripts/tests/assets/images/signed/encryptedClear/rsa-3072.enc
diff --git a/scripts/tests/images/signed/hex/zero_hex-addr_0.hex b/scripts/tests/assets/images/signed/hex/zero_hex-addr_0.hex
similarity index 100%
rename from scripts/tests/images/signed/hex/zero_hex-addr_0.hex
rename to scripts/tests/assets/images/signed/hex/zero_hex-addr_0.hex
diff --git a/scripts/tests/images/signed/hex/zero_hex-addr_16.hex b/scripts/tests/assets/images/signed/hex/zero_hex-addr_16.hex
similarity index 100%
rename from scripts/tests/images/signed/hex/zero_hex-addr_16.hex
rename to scripts/tests/assets/images/signed/hex/zero_hex-addr_16.hex
diff --git a/scripts/tests/images/signed/hex/zero_hex-addr_35.hex b/scripts/tests/assets/images/signed/hex/zero_hex-addr_35.hex
similarity index 100%
rename from scripts/tests/images/signed/hex/zero_hex-addr_35.hex
rename to scripts/tests/assets/images/signed/hex/zero_hex-addr_35.hex
diff --git a/scripts/tests/images/signed/noKey/noKey256.bin b/scripts/tests/assets/images/signed/noKey/noKey256.bin
similarity index 100%
rename from scripts/tests/images/signed/noKey/noKey256.bin
rename to scripts/tests/assets/images/signed/noKey/noKey256.bin
diff --git a/scripts/tests/images/signed/no_pad_sig_enc_16.bin b/scripts/tests/assets/images/signed/no_pad_sig_enc_16.bin
similarity index 100%
rename from scripts/tests/images/signed/no_pad_sig_enc_16.bin
rename to scripts/tests/assets/images/signed/no_pad_sig_enc_16.bin
diff --git a/scripts/tests/images/signed/no_pad_sig_enc_16_inv.bin b/scripts/tests/assets/images/signed/no_pad_sig_enc_16_inv.bin
similarity index 100%
rename from scripts/tests/images/signed/no_pad_sig_enc_16_inv.bin
rename to scripts/tests/assets/images/signed/no_pad_sig_enc_16_inv.bin
diff --git a/scripts/tests/images/signed/pad/padNoEnc.bin b/scripts/tests/assets/images/signed/pad/padNoEnc.bin
similarity index 100%
rename from scripts/tests/images/signed/pad/padNoEnc.bin
rename to scripts/tests/assets/images/signed/pad/padNoEnc.bin
diff --git a/scripts/tests/images/signed/pad_2.3K_sig_enc_16_inv.bin b/scripts/tests/assets/images/signed/pad_2.3K_sig_enc_16_inv.bin
similarity index 100%
rename from scripts/tests/images/signed/pad_2.3K_sig_enc_16_inv.bin
rename to scripts/tests/assets/images/signed/pad_2.3K_sig_enc_16_inv.bin
diff --git a/scripts/tests/images/signed/pad_sig_enc_16.bin b/scripts/tests/assets/images/signed/pad_sig_enc_16.bin
similarity index 100%
rename from scripts/tests/images/signed/pad_sig_enc_16.bin
rename to scripts/tests/assets/images/signed/pad_sig_enc_16.bin
diff --git a/scripts/tests/images/signed/pad_sig_enc_16_inv.bin b/scripts/tests/assets/images/signed/pad_sig_enc_16_inv.bin
similarity index 100%
rename from scripts/tests/images/signed/pad_sig_enc_16_inv.bin
rename to scripts/tests/assets/images/signed/pad_sig_enc_16_inv.bin
diff --git a/scripts/tests/images/signed/pad_sig_enc_32.bin b/scripts/tests/assets/images/signed/pad_sig_enc_32.bin
similarity index 100%
rename from scripts/tests/images/signed/pad_sig_enc_32.bin
rename to scripts/tests/assets/images/signed/pad_sig_enc_32.bin
diff --git a/scripts/tests/images/signed/pubKeyOnly/ecdsa-p256.bin b/scripts/tests/assets/images/signed/pubKeyOnly/ecdsa-p256.bin
similarity index 100%
rename from scripts/tests/images/signed/pubKeyOnly/ecdsa-p256.bin
rename to scripts/tests/assets/images/signed/pubKeyOnly/ecdsa-p256.bin
diff --git a/scripts/tests/images/signed/pubKeyOnly/ecdsa-p384.bin b/scripts/tests/assets/images/signed/pubKeyOnly/ecdsa-p384.bin
similarity index 100%
rename from scripts/tests/images/signed/pubKeyOnly/ecdsa-p384.bin
rename to scripts/tests/assets/images/signed/pubKeyOnly/ecdsa-p384.bin
diff --git a/scripts/tests/images/signed/pubKeyOnly/rsa-2048.bin b/scripts/tests/assets/images/signed/pubKeyOnly/rsa-2048.bin
similarity index 100%
rename from scripts/tests/images/signed/pubKeyOnly/rsa-2048.bin
rename to scripts/tests/assets/images/signed/pubKeyOnly/rsa-2048.bin
diff --git a/scripts/tests/images/signed/pubKeyOnly/rsa-3072.bin b/scripts/tests/assets/images/signed/pubKeyOnly/rsa-3072.bin
similarity index 100%
rename from scripts/tests/images/signed/pubKeyOnly/rsa-3072.bin
rename to scripts/tests/assets/images/signed/pubKeyOnly/rsa-3072.bin
diff --git a/scripts/tests/images/zero.bin b/scripts/tests/assets/images/zero.bin
similarity index 100%
rename from scripts/tests/images/zero.bin
rename to scripts/tests/assets/images/zero.bin
diff --git a/scripts/tests/images/zero.hex b/scripts/tests/assets/images/zero.hex
similarity index 100%
rename from scripts/tests/images/zero.hex
rename to scripts/tests/assets/images/zero.hex
diff --git a/scripts/tests/keys/ecdsa-p256.key b/scripts/tests/assets/keys/ecdsa-p256.key
similarity index 100%
rename from scripts/tests/keys/ecdsa-p256.key
rename to scripts/tests/assets/keys/ecdsa-p256.key
diff --git a/scripts/tests/keys/ecdsa-p256_passwd.key b/scripts/tests/assets/keys/ecdsa-p256_passwd.key
similarity index 100%
rename from scripts/tests/keys/ecdsa-p256_passwd.key
rename to scripts/tests/assets/keys/ecdsa-p256_passwd.key
diff --git a/scripts/tests/keys/ecdsa-p384.key b/scripts/tests/assets/keys/ecdsa-p384.key
similarity index 100%
rename from scripts/tests/keys/ecdsa-p384.key
rename to scripts/tests/assets/keys/ecdsa-p384.key
diff --git a/scripts/tests/keys/ecdsa-p384_passwd.key b/scripts/tests/assets/keys/ecdsa-p384_passwd.key
similarity index 100%
rename from scripts/tests/keys/ecdsa-p384_passwd.key
rename to scripts/tests/assets/keys/ecdsa-p384_passwd.key
diff --git a/scripts/tests/keys/ed25519.key b/scripts/tests/assets/keys/ed25519.key
similarity index 100%
rename from scripts/tests/keys/ed25519.key
rename to scripts/tests/assets/keys/ed25519.key
diff --git a/scripts/tests/keys/ed25519_passwd.key b/scripts/tests/assets/keys/ed25519_passwd.key
similarity index 100%
rename from scripts/tests/keys/ed25519_passwd.key
rename to scripts/tests/assets/keys/ed25519_passwd.key
diff --git a/scripts/tests/keys/public/ecdsa-p256-pem.pub b/scripts/tests/assets/keys/public/ecdsa-p256-pem.pub
similarity index 100%
rename from scripts/tests/keys/public/ecdsa-p256-pem.pub
rename to scripts/tests/assets/keys/public/ecdsa-p256-pem.pub
diff --git a/scripts/tests/keys/public/ecdsa-p384-pem.pub b/scripts/tests/assets/keys/public/ecdsa-p384-pem.pub
similarity index 100%
rename from scripts/tests/keys/public/ecdsa-p384-pem.pub
rename to scripts/tests/assets/keys/public/ecdsa-p384-pem.pub
diff --git a/scripts/tests/keys/public/rsa-2048-pem.pub b/scripts/tests/assets/keys/public/rsa-2048-pem.pub
similarity index 100%
rename from scripts/tests/keys/public/rsa-2048-pem.pub
rename to scripts/tests/assets/keys/public/rsa-2048-pem.pub
diff --git a/scripts/tests/keys/public/rsa-3072-pem.pub b/scripts/tests/assets/keys/public/rsa-3072-pem.pub
similarity index 100%
rename from scripts/tests/keys/public/rsa-3072-pem.pub
rename to scripts/tests/assets/keys/public/rsa-3072-pem.pub
diff --git a/scripts/tests/keys/public/x25519-pem.pub b/scripts/tests/assets/keys/public/x25519-pem.pub
similarity index 100%
rename from scripts/tests/keys/public/x25519-pem.pub
rename to scripts/tests/assets/keys/public/x25519-pem.pub
diff --git a/scripts/tests/keys/rsa-2048.key b/scripts/tests/assets/keys/rsa-2048.key
similarity index 100%
rename from scripts/tests/keys/rsa-2048.key
rename to scripts/tests/assets/keys/rsa-2048.key
diff --git a/scripts/tests/keys/rsa-2048_passwd.key b/scripts/tests/assets/keys/rsa-2048_passwd.key
similarity index 100%
rename from scripts/tests/keys/rsa-2048_passwd.key
rename to scripts/tests/assets/keys/rsa-2048_passwd.key
diff --git a/scripts/tests/keys/rsa-3072.key b/scripts/tests/assets/keys/rsa-3072.key
similarity index 100%
rename from scripts/tests/keys/rsa-3072.key
rename to scripts/tests/assets/keys/rsa-3072.key
diff --git a/scripts/tests/keys/rsa-3072_passwd.key b/scripts/tests/assets/keys/rsa-3072_passwd.key
similarity index 100%
rename from scripts/tests/keys/rsa-3072_passwd.key
rename to scripts/tests/assets/keys/rsa-3072_passwd.key
diff --git a/scripts/tests/keys/x25519.key b/scripts/tests/assets/keys/x25519.key
similarity index 100%
rename from scripts/tests/keys/x25519.key
rename to scripts/tests/assets/keys/x25519.key
diff --git a/scripts/tests/keys/x25519_passwd.key b/scripts/tests/assets/keys/x25519_passwd.key
similarity index 100%
rename from scripts/tests/keys/x25519_passwd.key
rename to scripts/tests/assets/keys/x25519_passwd.key
diff --git a/scripts/tests/constants.py b/scripts/tests/constants.py
index 2616b9a77f..6dc383ed1e 100644
--- a/scripts/tests/constants.py
+++ b/scripts/tests/constants.py
@@ -35,9 +35,9 @@
 PUB_KEY_EXT = ".pub"
 PUB_KEY_HASH_EXT = ".pubhash"
 
-images_dir = "./images"
+images_dir = "./tests/assets/images"
 signed_images_dir = images_dir + "/signed"
-
+keys_dir = "./tests/assets/keys/"
 
 def tmp_name(tmp_path, key_type, suffix=""):
     return tmp_path / (key_type + suffix)
diff --git a/scripts/imgtool/keys/ecdsa_test.py b/scripts/tests/keys/ecdsa_test.py
similarity index 100%
rename from scripts/imgtool/keys/ecdsa_test.py
rename to scripts/tests/keys/ecdsa_test.py
diff --git a/scripts/imgtool/keys/ed25519_test.py b/scripts/tests/keys/ed25519_test.py
similarity index 100%
rename from scripts/imgtool/keys/ed25519_test.py
rename to scripts/tests/keys/ed25519_test.py
diff --git a/scripts/imgtool/keys/rsa_test.py b/scripts/tests/keys/rsa_test.py
similarity index 100%
rename from scripts/imgtool/keys/rsa_test.py
rename to scripts/tests/keys/rsa_test.py
diff --git a/scripts/tests/test_dumpinfo.py b/scripts/tests/test_dumpinfo.py
index 8bc817b53f..1b8c4cda5f 100644
--- a/scripts/tests/test_dumpinfo.py
+++ b/scripts/tests/test_dumpinfo.py
@@ -21,7 +21,7 @@
 from click.testing import CliRunner
 
 from imgtool.main import imgtool
-from tests.constants import tmp_name, KEY_TYPES, signed_images_dir
+from tests.constants import tmp_name, KEY_TYPES, signed_images_dir, images_dir
 
 DUMPINFO_SUCCESS_LITERAL = "dumpinfo has run successfully"
 
@@ -63,7 +63,7 @@ def setup(self, tmp_path_persistent, key_type="rsa-2048"):
             imgtool, ["keygen", "--key", str(self.key), "--type", key_type]
         )
 
-        self.image = "./images/zero.bin"
+        self.image = images_dir + "/zero.bin"
         self.image_signed = tmp_name(tmp_path_persistent, "image", ".signed")
 
     @pytest.mark.parametrize("key_type", ("rsa-2048",))
diff --git a/scripts/tests/test_keys.py b/scripts/tests/test_keys.py
index 6ed59724e9..2fadd8b7af 100644
--- a/scripts/tests/test_keys.py
+++ b/scripts/tests/test_keys.py
@@ -24,7 +24,7 @@
 
 from imgtool.main import imgtool
 from tests.constants import KEY_TYPES, GEN_KEY_EXT, tmp_name, OPENSSL_KEY_TYPES, KEY_ENCODINGS, PUB_KEY_EXT, \
-    PVT_KEY_FORMATS, KEY_LANGS, PUB_HASH_ENCODINGS, PUB_KEY_HASH_EXT
+    PVT_KEY_FORMATS, KEY_LANGS, PUB_HASH_ENCODINGS, PUB_KEY_HASH_EXT, keys_dir
 
 UNSUPPORTED_TYPES = [("openssl", "ed25519"),
                      ("openssl", "x25519"),
@@ -169,7 +169,7 @@ class TestGetPriv(TestKeys):
     def test_getpriv(self, key_type, key_format, tmp_path_persistent):
         """Get private key"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
 
         result = self.runner.invoke(
             imgtool,
@@ -188,7 +188,7 @@ def test_getpriv(self, key_type, key_format, tmp_path_persistent):
     def test_getpriv_with_password(self, key_type, key_format, tmp_path_persistent, monkeypatch):
         """Get private key with password"""
 
-        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + "_passwd" + GEN_KEY_EXT
 
         monkeypatch.setattr('getpass.getpass', lambda _: self.password)
         result = self.runner.invoke(
@@ -207,7 +207,7 @@ def test_getpriv_with_password(self, key_type, key_format, tmp_path_persistent,
     def test_getpriv_unsupported(self, key_format, key_type, tmp_path_persistent):
         """Get private key for unsupported combinations should print error message"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
 
         result = self.runner.invoke(
             imgtool,
@@ -228,7 +228,7 @@ def test_getpriv_unsupported(self, key_format, key_type, tmp_path_persistent):
     def test_getpriv_with_invalid_pass(self, key_type, key_format, tmp_path_persistent, monkeypatch):
         """Get private key with invalid password should print 'Invalid passphrase' in stdout"""
 
-        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + "_passwd" + GEN_KEY_EXT
 
         monkeypatch.setattr('getpass.getpass', lambda _: 'invalid')
         result = self.runner.invoke(
@@ -251,7 +251,7 @@ class TestGetPub(TestKeys):
     def test_getpub(self, key_type, tmp_path_persistent):
         """Get public key - Default lang is c """
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + "default" + PUB_KEY_EXT)
 
         assert not pub_key.exists()
@@ -275,7 +275,7 @@ def test_getpub(self, key_type, tmp_path_persistent):
     def test_getpub_with_encoding(self, key_type, encoding, tmp_path_persistent):
         """Get public key with encoding"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + PUB_KEY_EXT)
 
         assert not pub_key.exists()
@@ -301,7 +301,7 @@ def test_getpub_with_encoding(self, key_type, encoding, tmp_path_persistent):
     def test_getpub_with_lang(self, key_type, lang, tmp_path_persistent):
         """Get public key with specified lang"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, PUB_KEY_EXT + "." + lang)
 
         assert not pub_key.exists()
@@ -327,7 +327,7 @@ def test_getpub_with_lang(self, key_type, lang, tmp_path_persistent):
     def test_getpub_no_outfile(self, key_type, encoding, tmp_path_persistent):
         """Get public key without output file should dump only to stdout"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + "-null" + PUB_KEY_EXT)
 
         assert not pub_key.exists()
@@ -349,7 +349,7 @@ def test_getpub_no_outfile(self, key_type, encoding, tmp_path_persistent):
     def test_getpub_invalid_encoding(self, key_type, tmp_path_persistent):
         """Get public key with invalid encoding should error message in stdout"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + PUB_KEY_EXT)
 
         assert not pub_key.exists()
@@ -372,7 +372,7 @@ def test_getpub_invalid_encoding(self, key_type, tmp_path_persistent):
     def test_getpub_invalid_lang(self, key_type, tmp_path_persistent):
         """Get public key with invalid lang should print error message in stdout"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + PUB_KEY_EXT)
 
         assert not pub_key.exists()
@@ -397,7 +397,7 @@ def test_getpub_invalid_lang(self, key_type, tmp_path_persistent):
     def test_getpub_with_encoding_and_lang(self, key_type, encoding, lang, tmp_path_persistent):
         """Get public key with both encoding and lang should print error message"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + lang + encoding + PUB_KEY_EXT)
 
         assert not pub_key.exists()
@@ -423,7 +423,7 @@ def test_getpub_with_encoding_and_lang(self, key_type, encoding, lang, tmp_path_
     def test_getpub_invalid_pass(self, key_type, encoding, tmp_path_persistent, monkeypatch):
         """Get public key with invalid password should print 'Invalid passphrase' in stdout"""
 
-        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + "_passwd" + GEN_KEY_EXT
         pub_key = tmp_name(tmp_path_persistent, key_type, "." + encoding + PUB_KEY_EXT)
 
         monkeypatch.setattr('getpass.getpass', lambda _: 'invalid')
@@ -473,7 +473,7 @@ class TestGetPubHash(TestKeys):
     def test_getpubhash(self, key_type, tmp_path_persistent):
         """Get the hash of the public key - Default encoding is lang-c"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key_hash = tmp_name(
             tmp_path_persistent, key_type, "." + "default" + PUB_KEY_HASH_EXT
         )
@@ -498,7 +498,7 @@ def test_getpubhash(self, key_type, tmp_path_persistent):
     def test_getpubhash_with_encoding(self, key_type, encoding, tmp_path_persistent):
         """Get the hash of the public key with encoding"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key_hash = tmp_name(
             tmp_path_persistent, key_type, "." + encoding + PUB_KEY_HASH_EXT
         )
@@ -525,7 +525,7 @@ def test_getpubhash_with_encoding(self, key_type, encoding, tmp_path_persistent)
     def test_getpubhash_with_no_output(self, key_type, encoding, tmp_path_persistent):
         """Get the hash of the public key without outfile should dump only to stdout"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key_hash = tmp_name(
             tmp_path_persistent, key_type, "." + encoding + "-null" + PUB_KEY_HASH_EXT
         )
@@ -549,7 +549,7 @@ def test_getpubhash_with_no_output(self, key_type, encoding, tmp_path_persistent
     def test_getpubhash_with_invalid_encoding(self, key_type, tmp_path_persistent):
         """Get the hash of the public key with encoding"""
 
-        gen_key = "./keys/" + key_type + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + GEN_KEY_EXT
         pub_key_hash = tmp_name(
             tmp_path_persistent, key_type, "." + "invalid" + PUB_KEY_HASH_EXT
         )
@@ -576,7 +576,7 @@ def test_getpubhash_with_invalid_encoding(self, key_type, tmp_path_persistent):
     def test_getpubhash_with_invalid_pass(self, key_type, encoding, tmp_path_persistent, monkeypatch):
         """Get the hash of the public key with invalid password should print 'Invalid passphrase' in stdout"""
 
-        gen_key = "./keys/" + key_type + "_passwd" + GEN_KEY_EXT
+        gen_key = keys_dir + "/" + key_type + "_passwd" + GEN_KEY_EXT
         pub_key_hash = tmp_name(
             tmp_path_persistent, key_type, "." + encoding + "-null" + PUB_KEY_HASH_EXT
         )
diff --git a/scripts/tests/test_sign.py b/scripts/tests/test_sign.py
index 8b93525b11..e3a5437a8a 100644
--- a/scripts/tests/test_sign.py
+++ b/scripts/tests/test_sign.py
@@ -24,15 +24,13 @@
 
 from imgtool.dumpinfo import dump_imginfo
 from imgtool.main import imgtool
-from tests.constants import KEY_TYPES, GEN_KEY_EXT, PUB_KEY_EXT, tmp_name
+from tests.constants import KEY_TYPES, GEN_KEY_EXT, PUB_KEY_EXT, tmp_name, images_dir, keys_dir
 
 try:
     KEY_TYPES.remove("x25519")  # x25519 is not used for signing, so directory does not contain any such image
 except ValueError:
     pass
 
-KEY_DIR = "./keys/"
-
 
 def assert_image_signed(result, image_signed, verify=True):
     assert result.exit_code == 0
@@ -63,7 +61,7 @@ def tmp_path_persistent(self, tmp_path_factory):
     def setup(self, tmp_path_persistent):
         """Generate keys and images for testing"""
 
-        self.image = Path("./images/zero.bin")
+        self.image = Path(images_dir + "/zero.bin")
         self.image_signed = tmp_name(tmp_path_persistent, "image", ".signed")
 
     @pytest.fixture(autouse=True)
@@ -252,7 +250,7 @@ def test_sign_dependencies(self, tmp_path_persistent, dependencies, expected):
     def test_sign_header_not_padded(self, tmp_path_persistent):
         """Test with un-padded header with non-zero start should fail"""
 
-        self.image = Path("./images/one.bin")
+        self.image = Path(images_dir + "/one.bin")
 
         result = self.runner.invoke(
             imgtool,
@@ -545,7 +543,7 @@ def test_sign_missing_args(self, key_type, tmp_path_persistent):
     def test_sign_pub_key_format(self, key_type, tmp_path_persistent, key_format):
         """Test with pub key format"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
+        loaded_key = keys_dir + key_type + ".key"
 
         result = self.runner.invoke(
             imgtool,
@@ -683,7 +681,7 @@ def test_sign_sig_out(self, tmp_path_persistent, key_type):
     def test_sign_load_addr(self, key_type, tmp_path_persistent):
         """Test sign with load addr"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
+        loaded_key = keys_dir + key_type + ".key"
 
         result = self.runner.invoke(
             imgtool,
@@ -712,7 +710,7 @@ def test_sign_load_addr(self, key_type, tmp_path_persistent):
     def test_sign_load_addr_rom_fixed(self, key_type, tmp_path_persistent):
         """Test sign with both load addr and rom fixed should fail"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
+        loaded_key = keys_dir + key_type + ".key"
 
         result = self.runner.invoke(
             imgtool,
@@ -1207,8 +1205,8 @@ class TestSignHex(TestSign):
     def test_sign_basic_hex(self, key_type, tmp_path_persistent):
         """Test basic sign and verify hex file"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
-        self.image = "./images/zero.hex"
+        loaded_key = keys_dir + key_type + ".key"
+        self.image = images_dir + "/zero.hex"
         self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
 
         result = self.runner.invoke(
@@ -1238,7 +1236,7 @@ def test_sign_basic_hex(self, key_type, tmp_path_persistent):
     def test_sign_hex_file_not_exists(self, key_type, tmp_path_persistent):
         """Test sign hex file with non-existent file"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
+        loaded_key = keys_dir + key_type + ".key"
         self.image = "./images/invalid/path/file.hex"
         self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
 
@@ -1270,8 +1268,8 @@ def test_sign_hex_file_not_exists(self, key_type, tmp_path_persistent):
     def test_sign_hex_padded(self, key_type, tmp_path_persistent):
         """Test hex file with pad"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
-        self.image = "./images/one_offset.hex"
+        loaded_key = keys_dir + key_type + ".key"
+        self.image = images_dir + "/one_offset.hex"
         # image above generated as below:
         # ih = IntelHex()
         # ih.puts(10, '1' * 1024)
@@ -1307,8 +1305,8 @@ def test_sign_hex_padded(self, key_type, tmp_path_persistent):
     def test_sign_hex_confirm(self, key_type, tmp_path_persistent):
         """Test hex file with confirm"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
-        self.image = "./images/zero.hex"
+        loaded_key = keys_dir + key_type + ".key"
+        self.image = images_dir + "/zero.hex"
         self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
 
         result = self.runner.invoke(
@@ -1339,8 +1337,8 @@ def test_sign_hex_confirm(self, key_type, tmp_path_persistent):
     def test_sign_basic_hex_bad_image_size(self, key_type, tmp_path_persistent):
         """Test basic sign hex file with insufficient size should fail"""
 
-        loaded_key = KEY_DIR + key_type + ".key"
-        self.image = "./images/zero.hex"
+        loaded_key = keys_dir + key_type + ".key"
+        self.image = images_dir + "/zero.hex"
         self.image_signed = tmp_name(tmp_path_persistent, "image", ".hex")
 
         result = self.runner.invoke(
diff --git a/scripts/tests/test_verify.py b/scripts/tests/test_verify.py
index 9aacfaa8af..8336936850 100644
--- a/scripts/tests/test_verify.py
+++ b/scripts/tests/test_verify.py
@@ -18,7 +18,7 @@
 from click.testing import CliRunner
 
 from imgtool.main import imgtool
-from tests.constants import KEY_TYPES, GEN_KEY_EXT, tmp_name, signed_images_dir
+from tests.constants import KEY_TYPES, GEN_KEY_EXT, tmp_name, signed_images_dir, keys_dir
 
 KEY_TYPE_MISMATCH_TLV = "Key type does not match TLV record"
 NO_SIG_FOR_KEY = "No signature found for the given key"
@@ -51,7 +51,7 @@ class TestVerifyBasic(TestVerify):
 
     @pytest.fixture(autouse=True)
     def setup(self, request, tmp_path_persistent, key_type):
-        self.key = "./keys/" + key_type + ".key"
+        self.key = keys_dir + key_type + ".key"
         self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
         self.runner.invoke(
             imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
@@ -191,7 +191,7 @@ class TestVerifyEncryptedClear(TestVerify):
 
     @pytest.fixture(autouse=True)
     def setup(self, request, tmp_path_persistent, key_type):
-        self.key = "./keys/" + key_type + ".key"
+        self.key = keys_dir + key_type + ".key"
         self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
         self.runner.invoke(
             imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
@@ -240,7 +240,7 @@ class TestVerifyCustomTLV(TestVerify):
 
     @pytest.fixture(autouse=True)
     def setup(self, request, tmp_path_persistent, key_type):
-        self.key = "./keys/" + key_type + ".key"
+        self.key = keys_dir + key_type + ".key"
         self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
         self.runner.invoke(
             imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
@@ -301,7 +301,7 @@ def test_verify_no_key(self):
     def test_verify_no_key_image_with_key(self):
         """Test verify image signed without key, attempt to verify with a key should fail on signature check"""
 
-        self.key = "./keys/" + "rsa-2048" + ".key"
+        self.key = keys_dir + "rsa-2048" + ".key"
         self.image_signed = self.test_signed_images_dir + "noKey256" + ".bin"
 
         result = self.runner.invoke(
@@ -319,7 +319,7 @@ def test_verify_no_key_image_with_key(self):
     def test_verify_no_key_image_with_wrong_key(self):
         """Test verify image signed without key, attempt to verify with wrong key should fail on hash check"""
 
-        self.key = "./keys/" + "ecdsa-p384" + ".key"
+        self.key = keys_dir + "ecdsa-p384" + ".key"
         self.image_signed = self.test_signed_images_dir + "noKey256" + ".bin"
 
         result = self.runner.invoke(
@@ -343,7 +343,7 @@ class TestVerifyPubKey(TestVerify):
 
     @pytest.fixture(autouse=True)
     def setup(self, request, tmp_path_persistent, key_type):
-        self.key = "./keys/" + key_type + ".key"
+        self.key = keys_dir + key_type + ".key"
         self.gen_key = tmp_name(tmp_path_persistent, key_type, GEN_KEY_EXT)
         self.runner.invoke(
             imgtool, ["keygen", "--key", str(self.gen_key), "--type", key_type]
@@ -383,7 +383,7 @@ def test_verify_384_key(self, key_type):
     def test_verify_key_not_matching(self, key_type, tmp_path_persistent):
         """Test verify image with mismatching key """
 
-        self.key = "./keys/" + "ecdsa-p384" + ".key"
+        self.key = keys_dir + "ecdsa-p384" + ".key"
         self.image_signed = self.test_signed_images_dir + key_type + ".bin"
 
         result = self.runner.invoke(
@@ -423,7 +423,7 @@ class TestVerifyHex(TestVerify):
 
     @pytest.fixture(autouse=True)
     def setup(self, request, tmp_path_persistent, key_type="rsa-2048"):
-        self.key = "./keys/" + key_type + ".key"
+        self.key = keys_dir + key_type + ".key"
 
     @pytest.mark.parametrize("hex_addr", ("0", "16", "35"))
     def test_verify_basic(self, hex_addr, tmp_path_persistent):

From 9d79458317f93dc26e4e60a658e2e27e271be76b Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Sun, 25 Aug 2024 13:44:26 +0200
Subject: [PATCH 12/13] imgtool: Install imgtool dependencies in fih-test

Install imgtool dependencies before tf-m build in fih-test to fix
failing ci job due to ImportError, originating from missing new types
added in cryptography library version 40.0.0.

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: Id05f251024cf126d90d0fea22d21167329530f87
---
 ci/fih_test_docker/execute_test.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ci/fih_test_docker/execute_test.sh b/ci/fih_test_docker/execute_test.sh
index cc67d846ad..5defacfd0e 100755
--- a/ci/fih_test_docker/execute_test.sh
+++ b/ci/fih_test_docker/execute_test.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -x
 
-# Copyright (c) 2020-2023 Arm Limited
+# Copyright (c) 2020-2024 Arm Limited
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,6 +30,9 @@ else
     CMAKE_FIH_LEVEL="-DMCUBOOT_FIH_PROFILE=\"$FIH_LEVEL\""
 fi
 
+# Install imgtool dependencies
+pip install -r $MCUBOOT_PATH/scripts/requirements.txt
+
 # build TF-M with MCUBoot
 mkdir -p $TFM_BUILD_PATH $TFM_SPE_BUILD_PATH
 

From 65676cd2ccad48426e95f63a90ce112dce092c5f Mon Sep 17 00:00:00 2001
From: Rustam Ismayilov <rustam.ismayilov@arm.com>
Date: Sun, 25 Aug 2024 16:17:42 +0200
Subject: [PATCH 13/13] imgtool: Install imgtool dependencies in zephyr-build

Install imgtool dependencies before twister tests in zephyr-build to fix
failing ci job due to ImportError, originating from missing new types
added in cryptography library version 40.0.0.

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I1e4ca88a4a0329a198290f6e1917c139c30abc4f
---
 .github/workflows/zephyr_build.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/zephyr_build.yaml b/.github/workflows/zephyr_build.yaml
index a34872d64f..c5032b6e40 100644
--- a/.github/workflows/zephyr_build.yaml
+++ b/.github/workflows/zephyr_build.yaml
@@ -1,4 +1,5 @@
 # Copyright (c) 2022-2023 Nordic Semiconductor ASA
+# Copyright (c) 2024, Arm Limited
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build Zephyr samples with Twister
@@ -91,6 +92,7 @@ jobs:
           export ZEPHYR_TOOLCHAIN_VARIANT=zephyr
           echo "Using Zephyr version: ${{ env.ZEPHYR_VERSION }}"
           echo "Using Mcuboot version: ${{ env.MCUBOOT_VERSION }}"
+          pip install -r ../bootloader/mcuboot/scripts/requirements.txt
           ./scripts/twister --inline-logs -v -N -M --integration --overflow-as-errors --retry-failed 2 ${test_paths}
 
       - name: Upload Tests Results