Revert "Remove delegation chain example" #55

Merged 1 commit on Feb 13, 2024
22 changes: 22 additions & 0 deletions draft-ietf-suit-firmware-encryption.md
Expand Up @@ -1341,6 +1341,28 @@ In hex format, the SUIT manifest is this:
{::include examples/suit-manifest-es-ecdh-content.hex.signed}
~~~

## ES-DH Example with Dependency {#example-ES-DH-dependency}

The following SUIT manifest requests a parser
to resolve the delegation chain and dependency respectively.
The parser validates the COSE_Key in the suit-delegation section using the key above,
and then dynamically trusts it.
The dependency manifest is embedded as an integrated-dependency
and referred by uri "#dependency-manifest" .

The SUIT manifest in diagnostic notation (with line breaks added for
readability) is shown here:

~~~
{::include examples/suit-manifest-es-ecdh-dependency.diag.signed}
~~~

In hex format, the SUIT manifest is this:

~~~
{::include examples/suit-manifest-es-ecdh-dependency.hex.signed}
~~~

# Operational Considerations

The algorithms described in this document assume that the party
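
Review bot: In the new "ES-DH Example with Dependency" section, "using the key above" in the sentence about validating the COSE_Key does not say which key is meant, and "dynamically trusts it" does not say what the delegated key is trusted for or for how long. Name the trust anchor key explicitly (the diag example marks the delegation entry "signed by trust anchor") and state the scope of the trust given to the delegated key. In the same paragraph, "respectively" has nothing to pair with, "referred by uri" should read "referred to by URI", and there is a stray space before the final period.
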
4 changes: 3 additions & 1 deletion examples/Makefile
Expand Up @@ -9,7 +9,8 @@ SUIT_ENCRYPTION_INFO := \
SUIT_MANIFEST_WITH_ENCRYPTED_PAYLOAD := \
suit-manifest-aes-kw.suit \
suit-manifest-aes-kw-content.suit \
suit-manifest-es-ecdh-content.suit
suit-manifest-es-ecdh-content.suit \
suit-manifest-es-ecdh-dependency.suit

KDF_CONTEXT := a128kw_kdf_context.cbor

Expand Down Expand Up @@ -94,6 +95,7 @@ validate_cddl_match: all cddl
RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-aes-kw.suit
RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-aes-kw-content.suit
RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-es-ecdh-content.suit
RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-es-ecdh-dependency.suit
@echo [SUCCESS] Each SUIT Manifest with Encrypted Payloads matches to its CDDL
RUBYOPT="-W0" cddl ../cddls/kdf-context.cddl validate a128kw_kdf_context.cbor
@echo [SUCCESS] KDF Context matches to its CDDL
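
Review bot: The validate_cddl_match recipe now has a fourth hand-written `cddl draft-ietf-suit-manifest.cddl validate` line, while the same file was already added to SUIT_MANIFEST_WITH_ENCRYPTED_PAYLOAD in the previous hunk, so each new example has to be remembered in two places. Consider iterating over $(SUIT_MANIFEST_WITH_ENCRYPTED_PAYLOAD) in this recipe so that a manifest added to the list cannot be left out of validation.
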
184 changes: 184 additions & 0 deletions examples/suit-manifest-es-ecdh-dependency.diag.signed
@@ -0,0 +1,184 @@
/ SUIT_Envelope_Tagged / 107({
/ delegation / 1: << [
[
/ NOTE: signed by trust anchor /
<< 18([
/ protected: / << {
/ alg / 1: -7 / ES256 /
} >>,
/ unprotected / {
},
/ payload: / << {
/ cnf / 8: {
/ NOTE: public key of delegated authority /
/ COSE_Key / 1: {
/ kty / 1: 2 / EC2 /,
/ crv / -1: 1 / P-256 /,
/ x / -2: h'0E908AA8F066DB1F084E0C3652C63952
BD99F2A5BDB22F9E01367AAD03ABA68B',
/ y / -3: h'77DA1BD8AC4F0CB490BA210648BF79AB
164D49AD3551D71D314B2749EE42D29A'
}
}
} >>,
/ signature: /
h'FB2D5ACF66B9C8573CE92E13BFB8D113
F798715CC10B5A0010B11925C155E724
5A64E131073B87AC50CAC71650A21315
B82D06CA2298CD1A95519AAE4C4B5315'
]) >>
]
] >>,
/ authentication-wrapper / 2: << [
<< [
/ digest-algorithm-id: / -16 / SHA256 /,
/ digest-bytes: / h'6A1D9F42E7B4047D2F54046019AE3ED4
3A8ACC467AC16576B17D6F8E633042D2'
] >>,
<< / COSE_Sign1_Tagged / 18([
/ protected: / << {
/ algorithm-id / 1: -7 / ES256 /
} >>,
/ unprotected: / {},
/ payload: / null,
/ signature: /
h'DF493BDBF167EFFB40593C5910D33B66
429721467DF05800EA66A88B91729CD5
1007981F151FC324745FF43E6F75AAF5
197DD5EC4AA6BCEFCE43E4B1E35C948E'
]) >>
] >>,
/ manifest / 3: << {
/ manifest-version / 1: 1,
/ manifest-sequence-number / 2: 1,
/ common / 3: << {
/ dependencies / 1: {
/ component-index / 1: {
/ dependency-prefix / 1: [
'dependency-manifest.suit'
]
}
},
/ components / 2: [
['decrypted-firmware']
]
} >>,
/ manifest-component-id / 5: [
'dependent-manifest.suit'
],
/ install / 17: << [
/ NOTE: set SUIT_Encryption_Info /
/ directive-set-component-index / 12, 0
/ ['decrypted-firmware'] /,
/ directive-override-parameters / 20, {
/ parameter-content / 18:
h'344FA2D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D
23985BF02499EB0E8B231D45C378245DA3611C160CC511',
/ parameter-encryption-info / 19: << 96([
/ protected: / << {
/ alg / 1: 1 / AES-GCM-128 /
} >>,
/ unprotected: / {
/ IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68'
},
/ payload: / null / detached ciphertext /,
/ recipients: / [
[
/ protected: / << {
/ alg / 1: -29 / ECDH-ES + A128KW /
} >>,
/ unprotected: / {
/ ephemeral key / -1: {
/ kty / 1: 2 / EC2 /,
/ crv / -1: 1 / P-256 /,
/ x / -2: h'FF6E266DABAF51B7207569E31CF72646
183E94CEE64FCDC8695AD9A505AEFDEA',
/ y / -3: h'5FBC4A29844450B3AC22AB30C7F7004B
B59D8BD60D7997734A9FA0124B650895'
},
/ kid / 4: 'kid-2'
},
/ payload: /
h'B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9'
/ CEK encrypted with KEK /
]
]
]) >>
},

/ NOTE: call dependency-manifest /
/ directive-set-component-index / 12, 1
/ ['dependenty-manifest.suit'] /,
/ directive-override-parameters / 20, {
/ parameter-image-digest / 3: << [
/ algorithm-id / -16 / SHA256 /,
/ digest-bytes / h'1051324059C5193317CAC9A099BBC0B6
AFB56184C04277F566A3A4131F4A1C25'
] >>,
/ parameter-image-size / 14: 247,
/ parameter-uri / 21: "#dependency-manifest"
},
/ directive-fetch / 21, 15,
/ condition-dependency-integrity / 7, 15,
/ directive-process-dependency / 11, 15
] >>
} >>,
"#dependency-manifest": <<
/ SUIT_Envelope_Tagged / 107({
/ authentication-wrapper / 2: << [
<< [
/ digest-algorithm-id: / -16 / SHA256 /,
/ digest-bytes: / h'1051324059C5193317CAC9A099BBC0B6
AFB56184C04277F566A3A4131F4A1C25'
] >>,
<< / COSE_Sign1_Tagged / 18([
/ protected: / << {
/ algorithm-id / 1: -7 / ES256 /
} >>,
/ unprotected: / {},
/ payload: / null,
/ signature: /
h'55990F3745DC4F200FF946643A6DE30D
DCE57B080B7D68DE9896D8190B9A63E2
D60E7C3D9693B67221AA6D07BBF0AB45
314C236827A242C22B5E688DDC467269'
]) >>
] >>,
/ manifest / 3: << {
/ manifest-version / 1: 1,
/ manifest-sequence-number / 2: 1,
/ common / 3: << {
/ components / 2: [
['decrypted-firmware']
],
/ shared-sequence / 4: << [
/ directive-set-componnt-index / 12, 0
/ ['decrypted-firmware'] /,
/ directive-override-parameters / 20, {
/ parameter-image-digest / 3: << [
/ algorithm-id / -16 / SHA256 /,
/ digest-bytes / h'36921488FE6680712F734E11F58D87EE
B66D4B21A8A1AD3441060814DA16D50F'
] >>,
/ parameter-image-size / 14: 30
}
] >>
} >>,
/ manifest-component-id / 5: [
'dependency-manifest.suit'
],
/ validate / 7: << [
/ condition-image-match / 3, 15
] >>,
/ install / 17: << [
/ directive-set-component-index / 12, 0
/ ['decrypted-firmware'] /,
/ directive-write / 18, 15
/ consumes the SUIT_Encryption_Info set by dependent /,
/ condition-image-match / 3, 15
/ check the integrity of the decrypted payload /
] >>
} >>
})
>>
})
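
Review bot: The comment after "directive-set-component-index / 12, 1" reads / ['dependenty-manifest.suit'] /, which matches neither the dependency-prefix 'dependency-manifest.suit' nor the manifest-component-id 'dependent-manifest.suit'; because those two names differ by so little, the typo leaves it unclear which one index 1 selects. It should read 'dependency-manifest.suit' to match the dependencies map. Two smaller comment fixes: "directive-set-componnt-index" in the dependency's shared-sequence is missing an "e", and "/ unprotected /" in the delegation entry lacks the colon used by the other labels. The delegation payload carries only the cnf claim; if that is deliberate for brevity, a NOTE comment saying so would help readers who reuse the example.
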
31 changes: 31 additions & 0 deletions examples/suit-manifest-es-ecdh-dependency.hex.signed
@@ -0,0 +1,31 @@
D86BA401589E8181589AD28443A10126A0584FA108A101A4010220012158
200E908AA8F066DB1F084E0C3652C63952BD99F2A5BDB22F9E01367AAD03
ABA68B22582077DA1BD8AC4F0CB490BA210648BF79AB164D49AD3551D71D
314B2749EE42D29A5840FB2D5ACF66B9C8573CE92E13BFB8D113F798715C
C10B5A0010B11925C155E7245A64E131073B87AC50CAC71650A21315B82D
06CA2298CD1A95519AAE4C4B5315025873825824822F58206A1D9F42E7B4
047D2F54046019AE3ED43A8ACC467AC16576B17D6F8E633042D2584AD284
43A10126A0F65840DF493BDBF167EFFB40593C5910D33B66429721467DF0
5800EA66A88B91729CD51007981F151FC324745FF43E6F75AAF5197DD5EC
4AA6BCEFCE43E4B1E35C948E03590170A501010201035837A201A101A101
815818646570656E64656E63792D6D616E69666573742E73756974028181
526465637279707465642D6669726D77617265058157646570656E64656E
742D6D616E69666573742E73756974115901138E0C0014A212582E344FA2
D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D23985BF02499EB0E8B23
1D45C378245DA3611C160CC511135890D8608443A10101A10550DAE613B2
E0DC55F4322BE38BDBA9DC68F6818344A101381CA220A401022001215820
FF6E266DABAF51B7207569E31CF72646183E94CEE64FCDC8695AD9A505AE
FDEA2258205FBC4A29844450B3AC22AB30C7F7004BB59D8BD60D7997734A
9FA0124B65089504456B69642D325818B0E21628283F3E409F8158D8FFCA
567F340E379AC39E49C90C0114A3035824822F58201051324059C5193317
CAC9A099BBC0B6AFB56184C04277F566A3A4131F4A1C250E18F715742364
6570656E64656E63792D6D616E6966657374150F070F0B0F742364657065
6E64656E63792D6D616E696665737458F7D86BA2025873825824822F5820
1051324059C5193317CAC9A099BBC0B6AFB56184C04277F566A3A4131F4A
1C25584AD28443A10126A0F6584055990F3745DC4F200FF946643A6DE30D
DCE57B080B7D68DE9896D8190B9A63E2D60E7C3D9693B67221AA6D07BBF0
AB45314C236827A242C22B5E688DDC46726903587BA601010201035849A2
028181526465637279707465642D6669726D7761726504582F840C0014A2
035824822F582036921488FE6680712F734E11F58D87EEB66D4B21A8A1AD
3441060814DA16D50F0E181E05815818646570656E64656E63792D6D616E
69666573742E73756974074382030F1147860C00120F030F