diff --git a/draft-ietf-suit-firmware-encryption.md b/draft-ietf-suit-firmware-encryption.md index 54b58da..863bc80 100644 --- a/draft-ietf-suit-firmware-encryption.md +++ b/draft-ietf-suit-firmware-encryption.md @@ -750,7 +750,7 @@ This example uses the following parameters: - d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3' - kid: 'kid-2' - KDF Context - - Algorithm ID: 1 (A128GCM) + - Algorithm ID: -3 (A128KW) - SuppPubInfo - keyDataLength: 128 - protected: { / alg / 1: -29 / ECDH-ES+A128KW / } @@ -863,7 +863,7 @@ This example uses the following parameters: - d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3' - kid: 'kid-2' - KDF Context - - Algorithm ID: -65534 (A128CTR) + - Algorithm ID: -3 (A128KW) - SuppPubInfo - keyDataLength: 128 - protected: { / alg / 1: -29 / ECDH-ES+A128KW / } @@ -983,7 +983,7 @@ This example uses the following parameters: - d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3' - kid: 'kid-2' - KDF Context - - Algorithm ID: -65531 (A128CBC) + - Algorithm ID: -3 (A128KW) - SuppPubInfo - keyDataLength: 128 - protected: { / alg / 1: -29 / ECDH-ES+A128KW / } @@ -1324,9 +1324,7 @@ another component with the suit-directive-copy directive. This approach works well on constrained devices with XIP flash memory. The SUIT manifest in diagnostic notation (with line breaks added -for readability) is shown below. Line numbers and additional notes -(see /!!! text !!!/ ) have been inserted to provide further -information about the manifest processing. +for readability) is shown below. ~~~ {::include examples/suit-manifest-aes-kw.diag.signed} 
@@ -1336,19 +1334,18 @@ The default storage area is defined by the component identifier (see Section 8.4 While parsing the manifest, the behavior of SUIT manifest processor would be -- [L1-L17] authenticates the manifest part on [L18-L65] +- [L2-L17] authenticates the manifest part on [L18-L68] - [L22-L25] gets two component identifiers; ['plaintext-firmware'] for component #0, and ['encrypted-firmware'] for component # 1 respectively - [L29] sets current component index # 1 (the lasting directives target ['encrypted-firmware']) -- [L32] sets source uri parameter "https://example.com/encrypted-firmware" -- [L34] fetches content from source uri into ['encrypted-firmware'] -- [L37] sets current component index # 0 (the lasting directives target ['plaintext-firmware']) -- [L39-L60] sets SUIT encryption info parameter -- [L61] sets source component index parameter # 1 -- [L63] decrypts component # 1 (source component index) and stores the result into component # 0 (current component index) +- [L33] sets source uri parameter "https://example.com/encrypted-firmware" +- [L35] fetches content from source uri into ['encrypted-firmware'] +- [L38] sets current component index # 0 (the lasting directives target ['plaintext-firmware']) +- [L41-L61] sets SUIT encryption info parameter +- [L62] sets source component index parameter # 1 +- [L65] decrypts component # 1 (source component index) and stores the result into component # 0 (current component index) The following attributes and features from the SUIT manifest specification are used: -~~~ | Attribute Name | Abbreviation | Manifest Reference | |--------------------------------------------|---------------|--------------------| | component identifier | CI | Section 8.4.5.1 | 
@@ -1356,11 +1353,9 @@ The following attributes and features from the SUIT manifest specification are u | (destination) component slot OPTIONAL param| dst-CS | Section 8.4.8.8 | | (source) uri OPTIONAL parameter | src-URI | Section 8.4.8.10 | | source component index OPTIONAL parameter | src-CI | Section 8.4.8.11 | -~~~ The resulting state of SUIT manifest processor is shown in the following table: -~~~ | Abbreviation | Plaintext | Ciphertext | |---------------|------------------------|------------------------------------------| | CI | ['plaintext-firmware'] | ['encrypted-firmware'] | @@ -1368,7 +1363,6 @@ The resulting state of SUIT manifest processor is shown in the following table: | dst-CS | N/A | N/A | | src-URI | N/A | "https://example.com/encrypted-firmware" | | src-CI | 1 | N/A | -~~~ In hex format, the SUIT manifest shown above is: 
@@ -1379,79 +1373,7 @@ In hex format, the SUIT manifest shown above is: The example above does not use storage slots. However, it is possible to specify this functionality for devices that support slots in flash memory. In the augmented example below we refer to the slots using [h'00'] and [h'01']. The component identifier [h'00'] would, in this example, specify the component slot #0. ~~~ -1 / SUIT_Envelope_Tagged / 107({ -2 / authentication-wrapper / 2: << [ -3 << [ -4 / digest-algorithm-id: / -16 / SHA256 /, -5 / digest-bytes: / h'AAB6A7868C4E43D5983BDE019EF22779 -6 21F6F8EF1FCAF9403CA97255BED2CD30' -7 ] >>, -8 << / COSE_Mac0_Tagged / 17([ -9 / protected: / << { -10 / algorithm-id / 1: 5 / HMAC256 / -11 } >>, -12 / unprotected: / {}, -13 / payload: / null, -14 / tag: / h'93B4B774A5D0421ED6FB5EBF890A284C -15 DAC7816CBC048BF47EE7FA7FF3BC02C3' -16 ]) >> -17 ] >>, -18 / manifest / 3: << { -19 / manifest-version / 1: 1, -20 / manifest-sequence-number / 2: 1, -21 / common / 3: << { -22 / components / 2: [ - * /!!! component identifier for component index #0 !!!/ -23 [h'00'], - * /!!! component identifier for component index #1 !!!/ -24 [h'01'] -25 ] -26 } >>, -27 / install / 17: << [ -28 / fetch encrypted firmware / - * /!!! destination component index #1 = [h'01'] !!!/ -29 / directive-set-component-index / 12, 1, -30 / directive-override-parameters / 20, { -31 / parameter-image-size / 14: 46, - * /!!! source uri of #1 !!!/ -32 / parameter-uri / 21: "https://example.com/encrypted-firmware" -33 }, -34 / directive-fetch / 21, 15, -35 -36 / decrypt encrypted firmware / - * /!!! 
destination component index #0 = [h'00'] !!!/ -37 / directive-set-component-index / 12, 0, -38 / directive-override-parameters / 20, { -39 / parameter-encryption-info / 19: << 96([ -40 / protected: / << { -41 / alg / 1: 1 / AES-GCM-128 / -42 } >>, -43 / unprotected: / { -44 / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD' -45 }, -46 / payload: / null / detached ciphertext /, -47 / recipients: / [ -48 [ -49 / protected: / << { -50 } >>, -51 / unprotected: / { -52 / alg / 1: -3 / A128KW /, -53 / kid / 4: 'kid-1' -54 }, -55 / payload: / -56 h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62' -57 / CEK encrypted with KEK / -58 ] -59 ] -60 ]) >>, - * /!!! source component index #1 = [h'01'] !!!/ -61 / parameter-source-component / 22: 1 -62 }, - * /!!! consumes the SUIT_Encryption_Info above !!!/ -63 / directive-copy / 22, 15 -64 ] >> -65 } >> -66 }) +{::include examples/suit-manifest-aes-kw-slot.diag.signed} ~~~ ## ES-DH Example with Write + Copy Directives {#example-ES-DH-write} @@ -1480,6 +1402,7 @@ In hex format, the SUIT manifest is this: The following SUIT manifest requests a parser to resolve the dependency. The dependent manifest is signed with another key: + ~~~ -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIQa67e56m8CYL5zVaJFiLl30j0qxb8ray2DeUMqH+qYoAoGCCqGSM49 diff --git a/examples/Makefile b/examples/Makefile index 7726deb..5e4426e 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -7,8 +7,9 @@ SUIT_ENCRYPTION_INFO := \ suit-encryption-info-es-ecdh-aes-ctr.cose SUIT_MANIFEST_WITH_ENCRYPTED_PAYLOAD := \ - suit-manifest-aes-kw.suit \ suit-manifest-aes-kw-content.suit \ + suit-manifest-aes-kw.suit \ + suit-manifest-aes-kw-slot.suit \ suit-manifest-es-ecdh-content.suit \ suit-manifest-es-ecdh-dependency.suit 
@@ -55,6 +56,7 @@ draft-ietf-suit-trust-domains.cddl: draft-ietf-suit-manifest.cddl: draft-ietf-suit-firmware-encryption.cddl draft-ietf-suit-trust-domains.cddl curl --retry 3 https://raw.githubusercontent.com/suit-wg/manifest-spec/master/draft-ietf-suit-manifest.cddl -o $@ + sed -i -e 's/suit-install = 17/suit-install = 20/' $@ cat draft-ietf-suit-firmware-encryption.cddl >> $@ cat draft-ietf-suit-trust-domains.cddl >> $@ @@ -92,8 +94,9 @@ validate_cddl_match: all cddl RUBYOPT="-W0" cddl draft-ietf-suit-firmware-encryption.cddl validate suit-encryption-info-es-ecdh-aes-ctr.cose RUBYOPT="-W0" cddl esdh_aeskw.cddl validate suit-encryption-info-es-ecdh-aes-ctr.cose @echo [SUCCESS] Each SUIT_Encryption_Info matches to its CDDL - RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-aes-kw.suit RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-aes-kw-content.suit + RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-aes-kw.suit + RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-aes-kw-slot.suit RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-es-ecdh-content.suit RUBYOPT="-W0" cddl draft-ietf-suit-manifest.cddl validate suit-manifest-es-ecdh-dependency.suit @echo [SUCCESS] Each SUIT Manifest with Encrypted Payloads matches to its CDDL 
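Review bot: The added `sed -i -e 's/suit-install = 17/suit-install = 20/' $@` in the draft-ietf-suit-manifest.cddl rule exits successfully even when the pattern matches nothing. The file is fetched from the moving `master` branch, so an upstream edit could leave the schema unpatched without any visible failure, and the later `cddl ... validate` steps would then check the manifests against a different schema than intended. Follow the substitution with an explicit check such as `grep -q 'suit-install = 20' $@ || { rm -f $@; exit 1; }`, and add a comment saying why install is remapped to 20, so readers can judge what the validation proves. Separately, `sed -i -e` is GNU-specific: BSD/macOS sed takes `-e` as the backup suffix and leaves a stray `-e` backup file next to the target.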
@@ -111,9 +114,9 @@ validate_decrypted_plaintext: @echo "\n# ECDH-ES+AES-KW + A128GCM (Example 2)" python3 ./validate_esdh_aead_suit_encryption_info.py suit-encryption-info-es-ecdh-aes-gcm.hex encrypted-payload-es-ecdh-aes-gcm.hex @echo "\n# ECDH-ES+AES-KW + A128CTR" - python3 ./validate_esdh_non_aead_suit_encryption_info.py suit-encryption-info-es-ecdh-aes-ctr.hex encrypted-payload-es-ecdh-aes-ctr.hex A128CTR + python3 ./validate_esdh_non_aead_suit_encryption_info.py suit-encryption-info-es-ecdh-aes-ctr.hex encrypted-payload-es-ecdh-aes-ctr.hex @echo "\n# ECDH-ES+AES-KW + A128CBC" - python3 ./validate_esdh_non_aead_suit_encryption_info.py suit-encryption-info-es-ecdh-aes-cbc.hex encrypted-payload-es-ecdh-aes-cbc.hex A128CBC + python3 ./validate_esdh_non_aead_suit_encryption_info.py suit-encryption-info-es-ecdh-aes-cbc.hex encrypted-payload-es-ecdh-aes-cbc.hex @echo [SUCCESS] The expected plaintext firmware can be decrypted .PHONY: clean diff --git a/examples/encrypted-payload-aes-kw-aes-gcm.hex b/examples/encrypted-payload-aes-kw-aes-gcm.hex index a1d0c45..48e2b52 100644 --- a/examples/encrypted-payload-aes-kw-aes-gcm.hex +++ b/examples/encrypted-payload-aes-kw-aes-gcm.hex @@ -1,2 +1,2 @@ -2F59C3A34D9570FB99A5382E66466A3221A8AD85CE508BA306FB431A60EF -A5AAAA078355070205A4B196832DF17F +758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4BD6D7ED26AB32F +EB063385D4D3465927EC82CB5E198A59 diff --git a/examples/encrypted-payload-es-ecdh-aes-gcm.hex b/examples/encrypted-payload-es-ecdh-aes-gcm.hex index a1d0c45..48e2b52 100644 --- a/examples/encrypted-payload-es-ecdh-aes-gcm.hex +++ b/examples/encrypted-payload-es-ecdh-aes-gcm.hex @@ -1,2 +1,2 @@ -2F59C3A34D9570FB99A5382E66466A3221A8AD85CE508BA306FB431A60EF -A5AAAA078355070205A4B196832DF17F +758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4BD6D7ED26AB32F +EB063385D4D3465927EC82CB5E198A59 
diff --git a/examples/generate_suit_encryption_info_aescbc_aesctr.py b/examples/generate_suit_encryption_info_aescbc_aesctr.py index e308b91..728f7cf 100755 --- a/examples/generate_suit_encryption_info_aescbc_aesctr.py +++ b/examples/generate_suit_encryption_info_aescbc_aesctr.py @@ -86,7 +86,7 @@ receiver_public_key_jwk[key] = base64.b64encode(bytes.fromhex(receiver_public_key_jwk[key])).decode() kdf_context_a128cbc = { - "alg": "A128CBC", + "alg": "A128KW", "supp_pub": { "key_data_length": 128, "protected": {"alg": "ECDH-ES+A128KW"}, @@ -212,7 +212,7 @@ receiver_public_key_jwk[key] = base64.b64encode(bytes.fromhex(receiver_public_key_jwk[key])).decode() kdf_context_a128ctr = { - "alg": "A128CTR", + "alg": "A128KW", "supp_pub": { "key_data_length": 128, "protected": {"alg": "ECDH-ES+A128KW"}, diff --git a/examples/generate_suit_encryption_info_aesgcm.py b/examples/generate_suit_encryption_info_aesgcm.py index b8119d0..dc81cc5 100755 --- a/examples/generate_suit_encryption_info_aesgcm.py +++ b/examples/generate_suit_encryption_info_aesgcm.py @@ -24,7 +24,7 @@ "alg": "A128GCM" }, unprotected={ - "iv": bytes.fromhex("F14AAB9D81D51F7AD943FE87AF4F70CD") + "iv": bytes.fromhex("F14AAB9D81D51F7AD943FE87") }, recipients=[r], ) @@ -84,7 +84,7 @@ receiver_public_key_jwk[key] = base64.b64encode(bytes.fromhex(receiver_public_key_jwk[key])).decode() kdf_context_a128gcm = { - "alg": "A128GCM", + "alg": "A128KW", "supp_pub": { "key_data_length": 128, "protected": {"alg": "ECDH-ES+A128KW"}, @@ -108,7 +108,7 @@ "alg": "A128GCM" }, unprotected={ - "iv": bytes.fromhex("F14AAB9D81D51F7AD943FE87AF4F70CD") + "iv": bytes.fromhex("F14AAB9D81D51F7AD943FE87") }, recipients=[r], ) diff --git a/examples/suit-encryption-info-aes-kw-aes-gcm.diag b/examples/suit-encryption-info-aes-kw-aes-gcm.diag index 467ac4e..35fa377 100644 --- a/examples/suit-encryption-info-aes-kw-aes-gcm.diag +++ b/examples/suit-encryption-info-aes-kw-aes-gcm.diag 
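Review bot: The new `"alg": "A128KW"` in `kdf_context_a128cbc` has no comment explaining why the KDF context names the key-wrap algorithm while the variable name still names the content cipher; the same applies to `kdf_context_a128ctr` at -212 and to `kdf_context_a128gcm` in generate_suit_encryption_info_aesgcm.py at -84. A later reader could "correct" it back to the content-encryption algorithm, which would derive a different KEK from the one a conforming receiver computes. I would add above each dict `# COSE_KDF_Context AlgorithmID is the algorithm the derived key is used with (A128KW for ECDH-ES+A128KW), not the content-encryption alg.` The dict definitions continue past the visible hunk lines.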
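Review bot: The 96-bit IV `F14AAB9D81D51F7AD943FE87` is hard-coded at both `unprotected={"iv": ...}` sites in generate_suit_encryption_info_aesgcm.py (the hunks at -24 and -108), and nothing in the new code says it is fixed only to keep the test vectors reproducible. AES-GCM loses both confidentiality and integrity when an IV repeats under the same key, so anyone adapting this generator needs that caveat at the call site. I would add above each line `# Fixed 96-bit IV for reproducible test vectors only; a real sender must use a unique IV per CEK.` The two encrypted-payload .hex files changed in this commit now hold identical bytes, which suggests (though these hunks do not show it) that both examples also share the CEK and plaintext.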
@@ -1,9 +1,9 @@ 96([ / protected: / << { - / alg / 1: 1 / AES-GCM-128 / + / alg / 1: 1 / A128GCM / } >>, / unprotected: / { - / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD' + / IV / 5: h'F14AAB9D81D51F7AD943FE87' }, / payload: / null / detached ciphertext /, / recipients: / [ diff --git a/examples/suit-encryption-info-aes-kw-aes-gcm.hex b/examples/suit-encryption-info-aes-kw-aes-gcm.hex index 90ea403..073972c 100644 --- a/examples/suit-encryption-info-aes-kw-aes-gcm.hex +++ b/examples/suit-encryption-info-aes-kw-aes-gcm.hex @@ -1,3 +1,3 @@ -D8608443A10101A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818340 -A2012204456B69642D31581875603FFC9518D794713C8CA8A115A7FB3256 -5A6D59534D62 +D8608443A10101A1054CF14AAB9D81D51F7AD943FE87F6818340A2012204 +456B69642D31581875603FFC9518D794713C8CA8A115A7FB32565A6D5953 +4D62 diff --git a/examples/suit-encryption-info-es-ecdh-aes-cbc.diag b/examples/suit-encryption-info-es-ecdh-aes-cbc.diag index 3640265..9c08c04 100644 --- a/examples/suit-encryption-info-es-ecdh-aes-cbc.diag +++ b/examples/suit-encryption-info-es-ecdh-aes-cbc.diag @@ -14,11 +14,13 @@ / ephemeral key / -1: { / kty / 1: 2 / EC2 /, / crv / -1: 1 / P-256 /, - / x / -2: h'BC6A2DCD5025C8C0F7A5D120EB3E458CA722F8FB94BD56A24709CB15A8697489', - / y / -3: h'10136574F673511540FE2A8589A7EDA372CB7B1AF94A8E1B4B94F6BDBD98AA18' + / x / -2: h'84C1768A1AFA92BAF27C3289A3FAF75E + 7511B27C654947BBD391E8A12EB8295B', + / y / -3: h'F32B0AECA4F8B6C51C155037B1FB726C + AE3D0C77976864EF725DB2B30ABCE6F6' } }, - / payload: / h'AC8CDFB5426422298FCF235EB5F24D9E4C44C1689167473A' + / payload: / h'04928D52CD34AC8CA0427CEED6D7C5D06A21B5F4F79CAA18' / CEK encrypted with KEK / ] ] diff --git a/examples/suit-encryption-info-es-ecdh-aes-cbc.hex b/examples/suit-encryption-info-es-ecdh-aes-cbc.hex index ded7775..3c98c06 100644 --- a/examples/suit-encryption-info-es-ecdh-aes-cbc.hex +++ b/examples/suit-encryption-info-es-ecdh-aes-cbc.hex 
@@ -1,5 +1,5 @@ D8608440A20139FFFA055093702C81590F845D9EC866CCAC767BD1F68183 -44A101381CA120A401022001215820BC6A2DCD5025C8C0F7A5D120EB3E45 -8CA722F8FB94BD56A24709CB15A869748922582010136574F673511540FE -2A8589A7EDA372CB7B1AF94A8E1B4B94F6BDBD98AA185818AC8CDFB54264 -22298FCF235EB5F24D9E4C44C1689167473A +44A101381CA120A40102200121582084C1768A1AFA92BAF27C3289A3FAF7 +5E7511B27C654947BBD391E8A12EB8295B225820F32B0AECA4F8B6C51C15 +5037B1FB726CAE3D0C77976864EF725DB2B30ABCE6F6581804928D52CD34 +AC8CA0427CEED6D7C5D06A21B5F4F79CAA18 diff --git a/examples/suit-encryption-info-es-ecdh-aes-ctr.diag b/examples/suit-encryption-info-es-ecdh-aes-ctr.diag index e64623e..182dcf7 100644 --- a/examples/suit-encryption-info-es-ecdh-aes-ctr.diag +++ b/examples/suit-encryption-info-es-ecdh-aes-ctr.diag @@ -14,11 +14,13 @@ / ephemeral key / -1: { / kty / 1: 2 / EC2 /, / crv / -1: 1 / P-256 /, - / x / -2: h'50364E4DF3F5E8749D98E4378C04FAFE643B6ACEE7138382D83F768C7186FB85', - / y / -3: h'99E6C96BEF3952B12EF83921B1749475D767284AA42D74D8923C137B01EDF5A0' + / x / -2: h'EE0718F6B019C29CC611C18CEDE22140 + 66DDCEDC2F0DBEF873CB224C715C1174', + / y / -3: h'279F2A88E4AB9E2ED30C0FCB69515B31 + B5D36725BFDB9AE02032ED4D5AB52CB8' } }, - / payload: / h'E8599DCEE4944EECA9781D3ECDE3D9C34E1C9FCE8906617F' + / payload: / h'E28B4502E4F5151884A995405579006E9465C3E94E3E0808' / CEK encrypted with KEK / ] ] diff --git a/examples/suit-encryption-info-es-ecdh-aes-ctr.hex b/examples/suit-encryption-info-es-ecdh-aes-ctr.hex index 08e84ed..c894cfe 100644 --- a/examples/suit-encryption-info-es-ecdh-aes-ctr.hex +++ b/examples/suit-encryption-info-es-ecdh-aes-ctr.hex 
@@ -1,5 +1,5 @@ D8608440A20139FFFD0550DAE613B2E0DC55F4322BE38BDBA9DC68F68183 -44A101381CA120A40102200121582050364E4DF3F5E8749D98E4378C04FA -FE643B6ACEE7138382D83F768C7186FB8522582099E6C96BEF3952B12EF8 -3921B1749475D767284AA42D74D8923C137B01EDF5A05818E8599DCEE494 -4EECA9781D3ECDE3D9C34E1C9FCE8906617F +44A101381CA120A401022001215820EE0718F6B019C29CC611C18CEDE221 +4066DDCEDC2F0DBEF873CB224C715C1174225820279F2A88E4AB9E2ED30C +0FCB69515B31B5D36725BFDB9AE02032ED4D5AB52CB85818E28B4502E4F5 +151884A995405579006E9465C3E94E3E0808 diff --git a/examples/suit-encryption-info-es-ecdh-aes-gcm.diag b/examples/suit-encryption-info-es-ecdh-aes-gcm.diag index fd5c822..be9b0b7 100644 --- a/examples/suit-encryption-info-es-ecdh-aes-gcm.diag +++ b/examples/suit-encryption-info-es-ecdh-aes-gcm.diag @@ -1,9 +1,9 @@ 96([ / protected: / << { - / alg / 1: 1 / AES-GCM-128 / + / alg / 1: 1 / A128GCM / } >>, / unprotected: / { - / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD' + / IV / 5: h'F14AAB9D81D51F7AD943FE87' }, / payload: / null / detached ciphertext /, / recipients: / [ @@ -15,14 +15,14 @@ / ephemeral key / -1: { / kty / 1: 2 / EC2 /, / crv / -1: 1 / P-256 /, - / x / -2: h'38876D8B4552E6BC9484A3F06E3646B3 - 0AEFF51B95583CFFA0B5776D52734942', - / y / -3: h'34577AB5DD17276BB6BF15AA46531037 - 1557AFF61FAC5BA5A1EFF46698DD8B7B' + / x / -2: h'73024F415AA51529A66CCEFD88F3F62A + 734492FF45F6AD37FD2888E73EAF19DA', + / y / -3: h'4005B48A6FD091AA6ABFE3CFBEEDE88B + 347E521D43405FDBD7D2CFF0EBC21B26' } }, / payload: - / h'C36BF2E8843246F0E148DBA607375204A040D8B19629B2B5' + / h'A06B8E6550F308712B1DF044B21B7D11D9B22792F1DE0997' / CEK encrypted with KEK / ] ] diff --git a/examples/suit-encryption-info-es-ecdh-aes-gcm.hex b/examples/suit-encryption-info-es-ecdh-aes-gcm.hex index beb66a5..5d6c89e 100644 --- a/examples/suit-encryption-info-es-ecdh-aes-gcm.hex +++ b/examples/suit-encryption-info-es-ecdh-aes-gcm.hex 
@@ -1,5 +1,5 @@
-D8608443A10101A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818344
-A101381CA120A40102200121582038876D8B4552E6BC9484A3F06E3646B3
-0AEFF51B95583CFFA0B5776D5273494222582034577AB5DD17276BB6BF15
-AA465310371557AFF61FAC5BA5A1EFF46698DD8B7B5818C36BF2E8843246
-F0E148DBA607375204A040D8B19629B2B5
+D8608443A10101A1054CF14AAB9D81D51F7AD943FE87F6818344A101381C
+A120A40102200121582073024F415AA51529A66CCEFD88F3F62A734492FF
+45F6AD37FD2888E73EAF19DA2258204005B48A6FD091AA6ABFE3CFBEEDE8
+8B347E521D43405FDBD7D2CFF0EBC21B265818A06B8E6550F308712B1DF0
+44B21B7D11D9B22792F1DE0997
diff --git a/examples/suit-manifest-aes-kw-content.diag.signed b/examples/suit-manifest-aes-kw-content.diag.signed
index 72d7032..9782a6b 100644
--- a/examples/suit-manifest-aes-kw-content.diag.signed
+++ b/examples/suit-manifest-aes-kw-content.diag.signed
@@ -1,73 +1,60 @@ -1 / SUIT_Envelope_Tagged / 107({ -2 / authentication-wrapper / 2: << [ -3 << [ -4 / digest-algorithm-id: / -16 / SHA256 /, -5 / digest-bytes: / h'AAB6A7868C4E43D5983BDE019EF22779 -6 21F6F8EF1FCAF9403CA97255BED2CD30' -7 ] >>, -8 << / COSE_Mac0_Tagged / 17([ -9 / protected: / << { -10 / algorithm-id / 1: 5 / HMAC256 / -11 } >>, -12 / unprotected: / {}, -13 / payload: / null, -14 / tag: / h'93B4B774A5D0421ED6FB5EBF890A284C -15 DAC7816CBC048BF47EE7FA7FF3BC02C3' -16 ]) >> -17 ] >>, -18 / manifest / 3: << { -19 / manifest-version / 1: 1, -20 / manifest-sequence-number / 2: 1, -21 / common / 3: << { -22 / components / 2: [ - * /!!! component identifier for component index #0 !!!/ -23 ['plaintext-firmware'], - * /!!! component identifier for component index #1 !!!/ -24 ['encrypted-firmware'] -25 ] -26 } >>, -27 / install / 17: << [ -28 / fetch encrypted firmware / - * /!!! destination component index #1 = ['encrypted-firmware'] !!!/ -29 / directive-set-component-index / 12, 1, -30 / directive-override-parameters / 20, { -31 / parameter-image-size / 14: 46, - * /!!! source uri of #1 !!!/ -32 / parameter-uri / 21: "https://example.com/encrypted-firmware" -33 }, -34 / directive-fetch / 21, 15, -35 -36 / decrypt encrypted firmware / - * /!!! destination component index #0 = ['plaintext-firmware'] !!!/ -37 / directive-set-component-index / 12, 0, -38 / directive-override-parameters / 20, { -39 / parameter-encryption-info / 19: << 96([ -40 / protected: / << { -41 / alg / 1: 1 / AES-GCM-128 / -42 } >>, -43 / unprotected: / { -44 / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD' -45 }, -46 / payload: / null / detached ciphertext /, -47 / recipients: / [ -48 [ -49 / protected: / << { -50 } >>, -51 / unprotected: / { -52 / alg / 1: -3 / A128KW /, -53 / kid / 4: 'kid-1' -54 }, -55 / payload: / -56 h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62' -57 / CEK encrypted with KEK / -58 ] -59 ] -60 ]) >>, - * /!!! 
source component index #1 = ['encrypted-firmware'] !!!/ -61 / parameter-source-component / 22: 1 -62 }, - * / consumes the SUIT_Encryption_Info above / -63 / directive-copy / 22, 15 -64 ] >> -65 } >> -66 }) \ No newline at end of file +/ 1/ / SUIT_Envelope_Tagged / 107({ +/ 2/ / authentication-wrapper / 2: << [ +/ 3/ << [ +/ 4/ / digest-algorithm-id: / -16 / SHA256 /, +/ 5/ / digest-bytes: / h'037A5C325CE14078A0AADF007428EAC6 +/ 6/ 59361AD9402A732410BDA542FAE94E2C' +/ 7/ ] >>, +/ 8/ << / COSE_Mac0_Tagged / 17([ +/ 9/ / protected: / << { +/ 10/ / algorithm-id / 1: 5 / HMAC256 / +/ 11/ } >>, +/ 12/ / unprotected: / {}, +/ 13/ / payload: / null, +/ 14/ / tag: / h'8D92599011C451A4C5FB69709FA6CA6C +/ 15/ 0F846D692BDBB3F624EC91F82F9F620A' +/ 16/ ]) >> +/ 17/ ] >>, +/ 18/ / manifest / 3: << { +/ 19/ / manifest-version / 1: 1, +/ 20/ / manifest-sequence-number / 2: 1, +/ 21/ / common / 3: << { +/ 22/ / components / 2: [ +/ 23/ ['plaintext-firmware'] +/ 24/ ] +/ 25/ } >>, +/ 26/ / install / 20: << [ +/ 27/ / fetch encrypted firmware / +/ 28/ / directive-override-parameters / 20, { +/ 29/ / parameter-content / 18: +/ 30/ h'758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4 +/ 31/ BD6D7ED26AB32FEB063385D4D3465927EC82CB5E198A59', +/ 32/ / parameter-encryption-info / 19: << 96([ +/ 33/ / protected: / << { +/ 34/ / alg / 1: 1 / A128GCM / +/ 35/ } >>, +/ 36/ / unprotected: / { +/ 37/ / IV / 5: h'F14AAB9D81D51F7AD943FE87' +/ 38/ }, +/ 39/ / payload: / null / detached ciphertext /, +/ 40/ / recipients: / [ +/ 41/ [ +/ 42/ / protected: / h'', +/ 43/ / unprotected: / { +/ 44/ / alg / 1: -3 / A128KW /, +/ 45/ / kid / 4: 'kid-1' +/ 46/ }, +/ 47/ / payload: / +/ 48/ h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62' +/ 49/ / CEK encrypted with KEK / +/ 50/ ] +/ 51/ ] +/ 52/ ]) >> +/ 53/ }, +/ 54/ +/ 55/ / decrypt encrypted firmware / +/ 56/ / directive-write / 18, 15 +/ 57/ / consumes the SUIT_Encryption_Info above / +/ 58/ ] >> +/ 59/ } >> +/ 60/ }) \ No newline at end of file 
diff --git a/examples/suit-manifest-aes-kw-content.hex.signed b/examples/suit-manifest-aes-kw-content.hex.signed
index 1d936a8..d2af6ec 100644
--- a/examples/suit-manifest-aes-kw-content.hex.signed
+++ b/examples/suit-manifest-aes-kw-content.hex.signed
@@ -1,9 +1,9 @@
-D86BA2025853825824822F5820536EC695E423342FF57FA89B3E3C12C0F9
-257992F7D96F017281782D2DF1C50F582AD18443A10105A0F658203B7057
-1169B0FEE5E6220BF86E5E973F7F32875495908EDAA91EC994BCA44B2903
-589DA4010102010357A102818152706C61696E746578742D6669726D7761
-726511587C8414A212582E2F59C3A34D9570FB99A5382E66466A3221A8AD
-85CE508BA306FB431A60EFA5AAAA078355070205A4B196832DF17F135843
-D8608443A10101A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818341
-A0A2012204456B69642D31581875603FFC9518D794713C8CA8A115A7FB32
-565A6D59534D62120F
+D86BA2025853825824822F5820037A5C325CE14078A0AADF007428EAC659
+361AD9402A732410BDA542FAE94E2C582AD18443A10105A0F658208D9259
+9011C451A4C5FB69709FA6CA6C0F846D692BDBB3F624EC91F82F9F620A03
+5898A4010102010357A102818152706C61696E746578742D6669726D7761
+72651458778414A212582E758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B
+85BB94D4BD6D7ED26AB32FEB063385D4D3465927EC82CB5E198A5913583E
+D8608443A10101A1054CF14AAB9D81D51F7AD943FE87F6818340A2012204
+456B69642D31581875603FFC9518D794713C8CA8A115A7FB32565A6D5953
+4D62120F
diff --git a/examples/suit-manifest-aes-kw-slot.diag.signed b/examples/suit-manifest-aes-kw-slot.diag.signed
new file mode 100644
index 0000000..4b9affe
--- /dev/null
+++ b/examples/suit-manifest-aes-kw-slot.diag.signed
@@ -0,0 +1,66 @@ +/ 1/ / SUIT_Envelope_Tagged / 107({ +/ 2/ / authentication-wrapper / 2: << [ +/ 3/ << [ +/ 4/ / digest-algorithm-id: / -16 / SHA256 /, +/ 5/ / digest-bytes: / h'A6D2C13A0DEFD57A09FA65C24206A9A8 +/ 6/ 747261E6EA017532B3DAB0419C42A2FC' +/ 7/ ] >>, +/ 8/ << / COSE_Mac0_Tagged / 17([ +/ 9/ / protected: / << { +/ 10/ / algorithm-id / 1: 5 / HMAC256 / +/ 11/ } >>, +/ 12/ / unprotected: / {}, +/ 13/ / payload: / null, +/ 14/ / tag: / h'DB350AC9603B0BBA3895B85019699363 +/ 15/ 3F314A9066634B31BF62E596FD870434' +/ 16/ ]) >> +/ 17/ ] >>, +/ 18/ / manifest / 3: << { +/ 19/ / manifest-version / 1: 1, +/ 20/ / manifest-sequence-number / 2: 1, +/ 21/ / common / 3: << { +/ 22/ / components / 2: [ +/ 23/ [h'00'], +/ 24/ [h'01'] +/ 25/ ] +/ 26/ } >>, +/ 27/ / install / 20: << [ +/ 28/ / fetch encrypted firmware / +/ 29/ / directive-set-component-index / 12, 1 / [h'01'] /, +/ 30/ / directive-override-parameters / 20, { +/ 31/ / parameter-image-size / 14: 46, +/ 32/ / parameter-uri / 21: "https://example.com/encrypted-firmware" +/ 33/ }, +/ 34/ / directive-fetch / 21, 15, +/ 35/ +/ 36/ / decrypt encrypted firmware / +/ 37/ / directive-set-component-index / 12, 0 / ['00'] /, +/ 38/ / directive-override-parameters / 20, { +/ 39/ / parameter-encryption-info / 19: << 96([ +/ 40/ / protected: / << { +/ 41/ / alg / 1: 1 / A128GCM / +/ 42/ } >>, +/ 43/ / unprotected: / { +/ 44/ / IV / 5: h'F14AAB9D81D51F7AD943FE87' +/ 45/ }, +/ 46/ / payload: / null / detached ciphertext /, +/ 47/ / recipients: / [ +/ 48/ [ +/ 49/ / protected: / h'', +/ 50/ / unprotected: / { +/ 51/ / alg / 1: -3 / A128KW /, +/ 52/ / kid / 4: 'kid-1' +/ 53/ }, +/ 54/ / payload: / +/ 55/ h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62' +/ 56/ / CEK encrypted with KEK / +/ 57/ ] +/ 58/ ] +/ 59/ ]) >>, +/ 60/ / parameter-source-component / 22: 1 / [h'01'] / +/ 61/ }, +/ 62/ / directive-copy / 22, 15 +/ 63/ / consumes the SUIT_Encryption_Info above / +/ 64/ ] >> +/ 65/ } >> +/ 66/ }) \ No newline at end of 
file diff --git a/examples/suit-manifest-aes-kw-slot.hex.signed b/examples/suit-manifest-aes-kw-slot.hex.signed new file mode 100644 index 0000000..6bb18f0 --- /dev/null +++ b/examples/suit-manifest-aes-kw-slot.hex.signed @@ -0,0 +1,8 @@ +D86BA2025853825824822F5820A6D2C13A0DEFD57A09FA65C24206A9A874 +7261E6EA017532B3DAB0419C42A2FC582AD18443A10105A0F65820DB350A +C9603B0BBA3895B850196993633F314A9066634B31BF62E596FD87043403 +588FA4010102010349A1028281410081410114587C8C0C0114A20E182E15 +782668747470733A2F2F6578616D706C652E636F6D2F656E637279707465 +642D6669726D77617265150F0C0014A213583ED8608443A10101A1054CF1 +4AAB9D81D51F7AD943FE87F6818340A2012204456B69642D31581875603F +FC9518D794713C8CA8A115A7FB32565A6D59534D621601160F diff --git a/examples/suit-manifest-aes-kw.diag.signed b/examples/suit-manifest-aes-kw.diag.signed index 464c624..35527f9 100644 --- a/examples/suit-manifest-aes-kw.diag.signed +++ b/examples/suit-manifest-aes-kw.diag.signed 
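Review bot: The annotation on line 37 of the new suit-manifest-aes-kw-slot.diag.signed reads `/ ['00'] /`, which denotes a text string, whereas component index 0 is declared as the byte string `[h'00']` on line 23 and the sibling annotations on lines 29 and 60 use `/ [h'01'] /`. This file is now included verbatim in the draft, so the line should read `/ directive-set-component-index / 12, 0 / [h'00'] /,`. The text sits inside a diagnostic-notation comment, so the encoded manifest and its digest are not affected.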
@@ -1,66 +1,69 @@ -/ SUIT_Envelope_Tagged / 107({ - / authentication-wrapper / 2: << [ - << [ - / digest-algorithm-id: / -16 / SHA256 /, - / digest-bytes: / h'AAB6A7868C4E43D5983BDE019EF22779 - 21F6F8EF1FCAF9403CA97255BED2CD30' - ] >>, - << / COSE_Mac0_Tagged / 17([ - / protected: / << { - / algorithm-id / 1: 5 / HMAC256 / - } >>, - / unprotected: / {}, - / payload: / null, - / tag: / h'93B4B774A5D0421ED6FB5EBF890A284C - DAC7816CBC048BF47EE7FA7FF3BC02C3' - ]) >> - ] >>, - / manifest / 3: << { - / manifest-version / 1: 1, - / manifest-sequence-number / 2: 1, - / common / 3: << { - / components / 2: [ - ['plaintext-firmware'], - ['encrypted-firmware'] - ] - } >>, - / install / 17: << [ - / fetch encrypted firmware / - / directive-set-component-index / 12, 1 / ['encrypted-firmware'] /, - / directive-override-parameters / 20, { - / parameter-image-size / 14: 46, - / parameter-uri / 21: "https://example.com/encrypted-firmware" - }, - / directive-fetch / 21, 15, - - / decrypt encrypted firmware / - / directive-set-component-index / 12, 0 / ['plaintext-firmware'] /, - / directive-override-parameters / 20, { - / parameter-encryption-info / 19: << 96([ - / protected: / << { - / alg / 1: 1 / AES-GCM-128 / - } >>, - / unprotected: / { - / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD' - }, - / payload: / null / detached ciphertext /, - / recipients: / [ - [ - / protected: / << { - } >>, - / unprotected: / { - / alg / 1: -3 / A128KW /, - / kid / 4: 'kid-1' - }, - / payload: / - h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62' - / CEK encrypted with KEK / - ] - ] - ]) >>, - / parameter-source-component / 22: 1 / ['encrypted-firmware'] / - }, - / directive-copy / 22, 15 / consumes the SUIT_Encryption_Info above / - ] >> - } >> -}) +/ 1/ / SUIT_Envelope_Tagged / 107({ +/ 2/ / authentication-wrapper / 2: << [ +/ 3/ << [ +/ 4/ / digest-algorithm-id: / -16 / SHA256 /, +/ 5/ / digest-bytes: / h'8814BC46089ACA6A863A7BA8393F9747 +/ 6/ 589940EFA40641335EF86155598F06C3' +/ 7/ ] >>, +/ 8/ 
<< / COSE_Mac0_Tagged / 17([ +/ 9/ / protected: / << { +/ 10/ / algorithm-id / 1: 5 / HMAC256 / +/ 11/ } >>, +/ 12/ / unprotected: / {}, +/ 13/ / payload: / null, +/ 14/ / tag: / h'B68572F6F0494FEAF390CE44B462F2A7 +/ 15/ BDF73EF5DFE9FB8E12585A12F8F641AD' +/ 16/ ]) >> +/ 17/ ] >>, +/ 18/ / manifest / 3: << { +/ 19/ / manifest-version / 1: 1, +/ 20/ / manifest-sequence-number / 2: 1, +/ 21/ / common / 3: << { +/ 22/ / components / 2: [ +/ 23/ ['plaintext-firmware'], +/ 24/ ['encrypted-firmware'] +/ 25/ ] +/ 26/ } >>, +/ 27/ / install / 20: << [ +/ 28/ / fetch encrypted firmware / +/ 29/ / directive-set-component-index / 12, 1 +/ 30/ / ['encrypted-firmware'] /, +/ 31/ / directive-override-parameters / 20, { +/ 32/ / parameter-image-size / 14: 46, +/ 33/ / parameter-uri / 21: "https://example.com/encrypted-firmware" +/ 34/ }, +/ 35/ / directive-fetch / 21, 15, +/ 36/ +/ 37/ / decrypt encrypted firmware / +/ 38/ / directive-set-component-index / 12, 0 +/ 39/ / ['plaintext-firmware'] /, +/ 40/ / directive-override-parameters / 20, { +/ 41/ / parameter-encryption-info / 19: << 96([ +/ 42/ / protected: / << { +/ 43/ / alg / 1: 1 / A128GCM / +/ 44/ } >>, +/ 45/ / unprotected: / { +/ 46/ / IV / 5: h'F14AAB9D81D51F7AD943FE87' +/ 47/ }, +/ 48/ / payload: / null / detached ciphertext /, +/ 49/ / recipients: / [ +/ 50/ [ +/ 51/ / protected: / h'', +/ 52/ / unprotected: / { +/ 53/ / alg / 1: -3 / A128KW /, +/ 54/ / kid / 4: 'kid-1' +/ 55/ }, +/ 56/ / payload: / +/ 57/ h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62' +/ 58/ / CEK encrypted with KEK / +/ 59/ ] +/ 60/ ] +/ 61/ ]) >>, +/ 62/ / parameter-source-component / 22: 1 +/ 63/ / ['encrypted-firmware'] / +/ 64/ }, +/ 65/ / directive-copy / 22, 15 +/ 66/ / consumes the SUIT_Encryption_Info above / +/ 67/ ] >> +/ 68/ } >> +/ 69/ }) \ No newline at end of file diff --git a/examples/suit-manifest-aes-kw.hex.signed b/examples/suit-manifest-aes-kw.hex.signed index eca02fc..aaf81e6 100644 
--- a/examples/suit-manifest-aes-kw.hex.signed
+++ b/examples/suit-manifest-aes-kw.hex.signed
@@ -1,10 +1,9 @@
-D86BA2025853825824822F5820AAB6A7868C4E43D5983BDE019EF2277921
-F6F8EF1FCAF9403CA97255BED2CD30582AD18443A10105A0F6582093B4B7
-74A5D0421ED6FB5EBF890A284CDAC7816CBC048BF47EE7FA7FF3BC02C303
-58B7A40101020103582BA102828152706C61696E746578742D6669726D77
-6172658152656E637279707465642D6669726D776172651158818C0C0114
+D86BA2025853825824822F58208814BC46089ACA6A863A7BA8393F974758
+9940EFA40641335EF86155598F06C3582AD18443A10105A0F65820B68572
+F6F0494FEAF390CE44B462F2A7BDF73EF5DFE9FB8E12585A12F8F641AD03
+58B2A40101020103582BA102828152706C61696E746578742D6669726D77
+6172658152656E637279707465642D6669726D7761726514587C8C0C0114
 A20E182E15782668747470733A2F2F6578616D706C652E636F6D2F656E63
-7279707465642D6669726D77617265150F0C0014A2135843D8608443A101
-01A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818341A0A201220445
-6B69642D31581875603FFC9518D794713C8CA8A115A7FB32565A6D59534D
-621601160F
+7279707465642D6669726D77617265150F0C0014A213583ED8608443A101
+01A1054CF14AAB9D81D51F7AD943FE87F6818340A2012204456B69642D31
+581875603FFC9518D794713C8CA8A115A7FB32565A6D59534D621601160F
diff --git a/examples/suit-manifest-es-ecdh-content.diag.signed b/examples/suit-manifest-es-ecdh-content.diag.signed
index b550482..99d07c3 100644
--- a/examples/suit-manifest-es-ecdh-content.diag.signed
+++ b/examples/suit-manifest-es-ecdh-content.diag.signed
@@ -1,71 +1,70 @@ -/ SUIT_Envelope_Tagged / 107({ - / authentication-wrapper / 2: << [ - << [ - / digest-algorithm-id: / -16 / SHA256 /, - / digest-bytes: / h'CEF034223D7F2C39D676876995B4ED4E - 8221AC5BF184B6606EE62C41C149C266' - ] >>, - << / COSE_Sign1_Tagged / 18([ - / protected: / << { - / algorithm-id / 1: -7 / ES256 / - } >>, - / unprotected: / {}, - / payload: / null, - / signature: / - h'65E59AAB8A35BDE9547458316D1C769F - FB2CEA304C9FB6151E5C8A88A002A292 - C5B8C63C81B5AC0AE31948B610834E12 - CBDBB2753EA221544B6733076A92EE20' - ]) >> - ] >>, - / manifest / 3: << { - / manifest-version / 1: 1, - / manifest-sequence-number / 2: 1, - / common / 3: << { - / components / 2: [ - ['decrypted-firmware'] - ] - } >>, - / install / 17: << [ - / directive-set-component-index / 12, 0 - / ['plaintext-firmware'] /, - / directive-override-parameters / 20, { - / parameter-content / 18: - h'344FA2D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D - 23985BF02499EB0E8B231D45C378245DA3611C160CC511', - / parameter-encryption-info / 19: << 96([ - / protected: / << { - / alg / 1: 1 / AES-GCM-128 / - } >>, - / unprotected: / { - / IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68' - }, - / payload: / null / detached ciphertext /, - / recipients: / [ - [ - / protected: / << { - / alg / 1: -29 / ECDH-ES + A128KW / - } >>, - / unprotected: / { - / ephemeral key / -1: { - / kty / 1: 2 / EC2 /, - / crv / -1: 1 / P-256 /, - / x / -2: h'FF6E266DABAF51B7207569E31CF72646 - 183E94CEE64FCDC8695AD9A505AEFDEA', - / y / -3: h'5FBC4A29844450B3AC22AB30C7F7004B - B59D8BD60D7997734A9FA0124B650895' - }, - / kid / 4: 'kid-2' - }, - / payload: / - h'B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9' - / CEK encrypted with KEK / - ] - ] - ]) >> - }, - / directive-write / 18, 15 - / consumes the SUIT_Encryption_Info above / - ] >> - } >> -}) +/ 1/ / SUIT_Envelope_Tagged / 107({ +/ 2/ / authentication-wrapper / 2: << [ +/ 3/ << [ +/ 4/ / digest-algorithm-id: / -16 / SHA256 /, +/ 5/ / digest-bytes: / 
h'1DB69EF1477E9942815F29F78E09957B +/ 6/ 26B4ADD03902BDB3D1EDF3DA2075F593' +/ 7/ ] >>, +/ 8/ << / COSE_Sign1_Tagged / 18([ +/ 9/ / protected: / << { +/ 10/ / algorithm-id / 1: -7 / ES256 / +/ 11/ } >>, +/ 12/ / unprotected: / {}, +/ 13/ / payload: / null, +/ 14/ / signature: / h'CB4EADA6BEC17EEB22EB836FB2BF9136 +/ 15/ A6EF733C11DAC955F543BBDCAA373B85 +/ 16/ 9321BC77969917E4C70F049527607F4C +/ 17/ 32752D53E01346E96BFF4880B437DF64' +/ 18/ ]) >> +/ 19/ ] >>, +/ 20/ / manifest / 3: << { +/ 21/ / manifest-version / 1: 1, +/ 22/ / manifest-sequence-number / 2: 1, +/ 23/ / common / 3: << { +/ 24/ / components / 2: [ +/ 25/ ['decrypted-firmware'] +/ 26/ ] +/ 27/ } >>, +/ 28/ / install / 20: << [ +/ 29/ / directive-set-component-index / 12, 0 +/ 30/ / ['plaintext-firmware'] /, +/ 31/ / directive-override-parameters / 20, { +/ 32/ / parameter-content / 18: +/ 33/ h'758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4 +/ 34/ BD6D7ED26AB32FEB063385D4D3465927EC82CB5E198A59', +/ 35/ / parameter-encryption-info / 19: << 96([ +/ 36/ / protected: / << { +/ 37/ / alg / 1: 1 / A128GCM / +/ 38/ } >>, +/ 39/ / unprotected: / { +/ 40/ / IV / 5: h'F14AAB9D81D51F7AD943FE87' +/ 41/ }, +/ 42/ / payload: / null / detached ciphertext /, +/ 43/ / recipients: / [ +/ 44/ [ +/ 45/ / protected: / << { +/ 46/ / alg / 1: -29 / ECDH-ES + A128KW / +/ 47/ } >>, +/ 48/ / unprotected: / { +/ 49/ / ephemeral key / -1: { +/ 50/ / kty / 1: 2 / EC2 /, +/ 51/ / crv / -1: 1 / P-256 /, +/ 52/ / x / -2: h'73024F415AA51529A66CCEFD88F3F62A +/ 53/ 734492FF45F6AD37FD2888E73EAF19DA', +/ 54/ / y / -3: h'4005B48A6FD091AA6ABFE3CFBEEDE88B +/ 55/ 347E521D43405FDBD7D2CFF0EBC21B26' +/ 56/ }, +/ 57/ / kid / 4: 'kid-2' +/ 58/ }, +/ 59/ / payload: / +/ 60/ h'A06B8E6550F308712B1DF044B21B7D11D9B22792F1DE0997' +/ 61/ / CEK encrypted with KEK / +/ 62/ ] +/ 63/ ] +/ 64/ ]) >> +/ 65/ }, +/ 66/ / directive-write / 18, 15 +/ 67/ / consumes the SUIT_Encryption_Info above / +/ 68/ ] >> +/ 69/ } >> +/ 70/ }) \ No newline at end of file 
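Review bot: The annotation on the line numbered / 30/, `/ ['plaintext-firmware'] /`, names a component this manifest does not declare. The components list at / 25/ holds only `['decrypted-firmware']`, so component index 0 refers to that identifier and the annotation should read `/ ['decrypted-firmware'] /`. Readers rely on these comments to see which component the encryption info and directive-write apply to, so a stale name is misleading in a security example. The same kind of slip is carried into examples/suit-manifest-es-ecdh-dependency.diag.signed, where / 80/ has `'dependenty-manifest.suit'` and /123/ has `directive-set-componnt-index`.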
diff --git a/examples/suit-manifest-es-ecdh-content.hex.signed b/examples/suit-manifest-es-ecdh-content.hex.signed index f51f0ba..dabc590 100644 --- a/examples/suit-manifest-es-ecdh-content.hex.signed +++ b/examples/suit-manifest-es-ecdh-content.hex.signed @@ -1,12 +1,12 @@ -D86BA2025873825824822F5820CEF034223D7F2C39D676876995B4ED4E82 -21AC5BF184B6606EE62C41C149C266584AD28443A10126A0F6584065E59A -AB8A35BDE9547458316D1C769FFB2CEA304C9FB6151E5C8A88A002A292C5 -B8C63C81B5AC0AE31948B610834E12CBDBB2753EA221544B6733076A92EE -200358ECA4010102010357A1028181526465637279707465642D6669726D -776172651158CB860C0014A212582E344FA2D5AD2F43F6F363DA6FF2C337 -FE69E33E3D63714D23985BF02499EB0E8B231D45C378245DA3611C160CC5 -11135890D8608443A10101A10550DAE613B2E0DC55F4322BE38BDBA9DC68 -F6818344A101381CA220A401022001215820FF6E266DABAF51B7207569E3 -1CF72646183E94CEE64FCDC8695AD9A505AEFDEA2258205FBC4A29844450 -B3AC22AB30C7F7004BB59D8BD60D7997734A9FA0124B65089504456B6964 -2D325818B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9120F +D86BA2025873825824822F58201DB69EF1477E9942815F29F78E09957B26 +B4ADD03902BDB3D1EDF3DA2075F593584AD28443A10126A0F65840CB4EAD +A6BEC17EEB22EB836FB2BF9136A6EF733C11DAC955F543BBDCAA373B8593 +21BC77969917E4C70F049527607F4C32752D53E01346E96BFF4880B437DF +640358E8A4010102010357A1028181526465637279707465642D6669726D +776172651458C7860C0014A212582E758C4B7BBAE2C4C1D462423E0F0DC3 +164FFA7B85BB94D4BD6D7ED26AB32FEB063385D4D3465927EC82CB5E198A +5913588CD8608443A10101A1054CF14AAB9D81D51F7AD943FE87F6818344 +A101381CA220A40102200121582073024F415AA51529A66CCEFD88F3F62A +734492FF45F6AD37FD2888E73EAF19DA2258204005B48A6FD091AA6ABFE3 +CFBEEDE88B347E521D43405FDBD7D2CFF0EBC21B2604456B69642D325818 +A06B8E6550F308712B1DF044B21B7D11D9B22792F1DE0997120F diff --git a/examples/suit-manifest-es-ecdh-dependency.diag.signed b/examples/suit-manifest-es-ecdh-dependency.diag.signed index 7a7de0b..72a4299 100644 --- a/examples/suit-manifest-es-ecdh-dependency.diag.signed 
+++ b/examples/suit-manifest-es-ecdh-dependency.diag.signed 
@@ -1,154 +1,152 @@ -/ SUIT_Envelope_Tagged / 107({ - / authentication-wrapper / 2: << [ - << [ - / digest-algorithm-id: / -16 / SHA256 /, - / digest-bytes: / h'6A1D9F42E7B4047D2F54046019AE3ED4 - 3A8ACC467AC16576B17D6F8E633042D2' - ] >>, - << / COSE_Sign1_Tagged / 18([ - / protected: / << { - / algorithm-id / 1: -7 / ES256 / - } >>, - / unprotected: / {}, - / payload: / null, - / signature: / - h'DF493BDBF167EFFB40593C5910D33B66 - 429721467DF05800EA66A88B91729CD5 - 1007981F151FC324745FF43E6F75AAF5 - 197DD5EC4AA6BCEFCE43E4B1E35C948E' - ]) >> - ] >>, - / manifest / 3: << { - / manifest-version / 1: 1, - / manifest-sequence-number / 2: 1, - / common / 3: << { - / dependencies / 1: { - / component-index / 1: { - / dependency-prefix / 1: [ - 'dependency-manifest.suit' - ] - } - }, - / components / 2: [ - ['decrypted-firmware'] - ] - } >>, - / manifest-component-id / 5: [ - 'dependent-manifest.suit' - ], - / install / 17: << [ - / NOTE: set SUIT_Encryption_Info / - / directive-set-component-index / 12, 0 - / ['decrypted-firmware'] /, - / directive-override-parameters / 20, { - / parameter-content / 18: - h'344FA2D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D - 23985BF02499EB0E8B231D45C378245DA3611C160CC511', - / parameter-encryption-info / 19: << 96([ - / protected: / << { - / alg / 1: 1 / AES-GCM-128 / - } >>, - / unprotected: / { - / IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68' - }, - / payload: / null / detached ciphertext /, - / recipients: / [ - [ - / protected: / << { - / alg / 1: -29 / ECDH-ES + A128KW / - } >>, - / unprotected: / { - / ephemeral key / -1: { - / kty / 1: 2 / EC2 /, - / crv / -1: 1 / P-256 /, - / x / -2: h'FF6E266DABAF51B7207569E31CF72646 - 183E94CEE64FCDC8695AD9A505AEFDEA', - / y / -3: h'5FBC4A29844450B3AC22AB30C7F7004B - B59D8BD60D7997734A9FA0124B650895' - }, - / kid / 4: 'kid-2' - }, - / payload: / - h'B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9' - / CEK encrypted with KEK / - ] - ] - ]) >> - }, - - / NOTE: call dependency-manifest / - / 
directive-set-component-index / 12, 1 - / ['dependenty-manifest.suit'] /, - / directive-override-parameters / 20, { - / parameter-image-digest / 3: << [ - / algorithm-id / -16 / SHA256 /, - / digest-bytes / h'1051324059C5193317CAC9A099BBC0B6 - AFB56184C04277F566A3A4131F4A1C25' - ] >>, - / parameter-image-size / 14: 247, - / parameter-uri / 21: "#dependency-manifest" - }, - / directive-fetch / 21, 15, - / condition-dependency-integrity / 7, 15, - / directive-process-dependency / 11, 15 - ] >> - } >>, - "#dependency-manifest": << - / SUIT_Envelope_Tagged / 107({ - / authentication-wrapper / 2: << [ - << [ - / digest-algorithm-id: / -16 / SHA256 /, - / digest-bytes: / h'1051324059C5193317CAC9A099BBC0B6 - AFB56184C04277F566A3A4131F4A1C25' - ] >>, - << / COSE_Sign1_Tagged / 18([ - / protected: / << { - / algorithm-id / 1: -7 / ES256 / - } >>, - / unprotected: / {}, - / payload: / null, - / signature: / - h'55990F3745DC4F200FF946643A6DE30D - DCE57B080B7D68DE9896D8190B9A63E2 - D60E7C3D9693B67221AA6D07BBF0AB45 - 314C236827A242C22B5E688DDC467269' - ]) >> - ] >>, - / manifest / 3: << { - / manifest-version / 1: 1, - / manifest-sequence-number / 2: 1, - / common / 3: << { - / components / 2: [ - ['decrypted-firmware'] - ], - / shared-sequence / 4: << [ - / directive-set-componnt-index / 12, 0 - / ['decrypted-firmware'] /, - / directive-override-parameters / 20, { - / parameter-image-digest / 3: << [ - / algorithm-id / -16 / SHA256 /, - / digest-bytes / h'36921488FE6680712F734E11F58D87EE - B66D4B21A8A1AD3441060814DA16D50F' - ] >>, - / parameter-image-size / 14: 30 - } - ] >> - } >>, - / manifest-component-id / 5: [ - 'dependency-manifest.suit' - ], - / validate / 7: << [ - / condition-image-match / 3, 15 - ] >>, - / install / 17: << [ - / directive-set-component-index / 12, 0 - / ['decrypted-firmware'] /, - / directive-write / 18, 15 - / consumes the SUIT_Encryption_Info set by dependent /, - / condition-image-match / 3, 15 - / check the integrity of the decrypted payload / - 
] >> - } >> - }) - >> -}) +/ 1/ / SUIT_Envelope_Tagged / 107({ +/ 2/ / authentication-wrapper / 2: << [ +/ 3/ << [ +/ 4/ / digest-algorithm-id: / -16 / SHA256 /, +/ 5/ / digest-bytes: / h'A00CB6C85515C1EF471B50B542FACDD8 +/ 6/ 8B71B3C7EA2A43DE13D32C4A99056FE9' +/ 7/ ] >>, +/ 8/ << / COSE_Sign1_Tagged / 18([ +/ 9/ / protected: / << { +/ 10/ / algorithm-id / 1: -7 / ES256 / +/ 11/ } >>, +/ 12/ / unprotected: / {}, +/ 13/ / payload: / null, +/ 14/ / signature: / h'421B30FE76DA848616D72FC1115EA610 +/ 15/ 5578CB95DF9C6BEAD931105C9D555CF8 +/ 16/ CD38C8FD68ACE43445D8D2CAE6391A99 +/ 17/ 5A212487D92F8DAD789F65511AC61778' +/ 18/ ]) >> +/ 19/ ] >>, +/ 20/ / manifest / 3: << { +/ 21/ / manifest-version / 1: 1, +/ 22/ / manifest-sequence-number / 2: 1, +/ 23/ / common / 3: << { +/ 24/ / dependencies / 1: { +/ 25/ / component-index / 1: { +/ 26/ / dependency-prefix / 1: [ +/ 27/ 'dependency-manifest.suit' +/ 28/ ] +/ 29/ } +/ 30/ }, +/ 31/ / components / 2: [ +/ 32/ ['decrypted-firmware'] +/ 33/ ] +/ 34/ } >>, +/ 35/ / manifest-component-id / 5: [ +/ 36/ 'dependent-manifest.suit' +/ 37/ ], +/ 38/ / install / 20: << [ +/ 39/ / NOTE: set SUIT_Encryption_Info / +/ 40/ / directive-set-component-index / 12, 0 +/ 41/ / ['decrypted-firmware'] /, +/ 42/ / directive-override-parameters / 20, { +/ 43/ / parameter-content / 18: +/ 44/ h'758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4 +/ 45/ BD6D7ED26AB32FEB063385D4D3465927EC82CB5E198A59', +/ 46/ / parameter-encryption-info / 19: << 96([ +/ 47/ / protected: / << { +/ 48/ / alg / 1: 1 / A128GCM / +/ 49/ } >>, +/ 50/ / unprotected: / { +/ 51/ / IV / 5: h'F14AAB9D81D51F7AD943FE87' +/ 52/ }, +/ 53/ / payload: / null / detached ciphertext /, +/ 54/ / recipients: / [ +/ 55/ [ +/ 56/ / protected: / << { +/ 57/ / alg / 1: -29 / ECDH-ES + A128KW / +/ 58/ } >>, +/ 59/ / unprotected: / { +/ 60/ / ephemeral key / -1: { +/ 61/ / kty / 1: 2 / EC2 /, +/ 62/ / crv / -1: 1 / P-256 /, +/ 63/ / x / -2: h'73024F415AA51529A66CCEFD88F3F62A +/ 64/ 
734492FF45F6AD37FD2888E73EAF19DA', +/ 65/ / y / -3: h'4005B48A6FD091AA6ABFE3CFBEEDE88B +/ 66/ 347E521D43405FDBD7D2CFF0EBC21B26' +/ 67/ }, +/ 68/ / kid / 4: 'kid-2' +/ 69/ }, +/ 70/ / payload: / +/ 71/ h'A06B8E6550F308712B1DF044B21B7D11D9B22792F1DE0997' +/ 72/ / CEK encrypted with KEK / +/ 73/ ] +/ 74/ ] +/ 75/ ]) >> +/ 76/ }, +/ 77/ +/ 78/ / NOTE: call dependency-manifest / +/ 79/ / directive-set-component-index / 12, 1 +/ 80/ / ['dependenty-manifest.suit'] /, +/ 81/ / directive-override-parameters / 20, { +/ 82/ / parameter-image-digest / 3: << [ +/ 83/ / algorithm-id / -16 / SHA256 /, +/ 84/ / digest-bytes / h'4B15C90FBD776A820E7E733DF040D90B +/ 85/ 356B5C75982ECAECE8673818179BDF16' +/ 86/ ] >>, +/ 87/ / parameter-image-size / 14: 247, +/ 88/ / parameter-uri / 21: "#dependency-manifest" +/ 89/ }, +/ 90/ / directive-fetch / 21, 15, +/ 91/ / condition-dependency-integrity / 7, 15, +/ 92/ / directive-process-dependency / 11, 15 +/ 93/ ] >> +/ 94/ } >>, +/ 95/ "#dependency-manifest": << +/ 96/ / SUIT_Envelope_Tagged / 107({ +/ 97/ / authentication-wrapper / 2: << [ +/ 98/ << [ +/ 99/ / digest-algorithm-id: / -16 / SHA256 /, +/100/ / digest-bytes: / h'4B15C90FBD776A820E7E733DF040D90B +/101/ 356B5C75982ECAECE8673818179BDF16' +/102/ ] >>, +/103/ << / COSE_Sign1_Tagged / 18([ +/104/ / protected: / << { +/105/ / algorithm-id / 1: -7 / ES256 / +/106/ } >>, +/107/ / unprotected: / {}, +/108/ / payload: / null, +/109/ / signature: / h'2B1B9C4E44E52863A78F73DA2A935823 +/110/ B28AEAE6A85CADAC4C4E3AABAAD56CBC +/111/ E5A47D288F86B54D0186657E972E748B +/112/ 48CDB1D420FBAC1285DCC978382F62CC' +/113/ ]) >> +/114/ ] >>, +/115/ / manifest / 3: << { +/116/ / manifest-version / 1: 1, +/117/ / manifest-sequence-number / 2: 1, +/118/ / common / 3: << { +/119/ / components / 2: [ +/120/ ['decrypted-firmware'] +/121/ ], +/122/ / shared-sequence / 4: << [ +/123/ / directive-set-componnt-index / 12, 0 +/124/ / ['decrypted-firmware'] /, +/125/ / directive-override-parameters / 20, { +/126/ / 
parameter-image-digest / 3: << [ +/127/ / algorithm-id / -16 / SHA256 /, +/128/ / digest-bytes / h'36921488FE6680712F734E11F58D87EE +/129/ B66D4B21A8A1AD3441060814DA16D50F' +/130/ ] >>, +/131/ / parameter-image-size / 14: 30 +/132/ } +/133/ ] >> +/134/ } >>, +/135/ / manifest-component-id / 5: [ +/136/ 'dependency-manifest.suit' +/137/ ], +/138/ / validate / 7: << [ +/139/ / condition-image-match / 3, 15 +/140/ ] >>, +/141/ / install / 20: << [ +/142/ / directive-set-component-index / 12, 0 +/143/ / ['decrypted-firmware'] /, +/144/ / directive-write / 18, 15 +/145/ / consumes the SUIT_Encryption_Info set by dependent /, +/146/ / condition-image-match / 3, 15 +/147/ / check the integrity of the decrypted payload / +/148/ ] >> +/149/ } >> +/150/ }) +/151/ >> +/152/ }) \ No newline at end of file diff --git a/examples/suit-manifest-es-ecdh-dependency.hex.signed b/examples/suit-manifest-es-ecdh-dependency.hex.signed index b85bc8d..b332a1d 100644 --- a/examples/suit-manifest-es-ecdh-dependency.hex.signed +++ b/examples/suit-manifest-es-ecdh-dependency.hex.signed 
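Review bot: The IV at the line numbered / 51/, `h'F14AAB9D81D51F7AD943FE87'`, is the same value used with A128GCM in suit-manifest-es-ecdh-content.diag.signed (/ 40/) and suit-manifest-aes-kw.diag.signed (/ 46/). For fixed test vectors that is fine, and here the wrapped CEK and ciphertext also match the content example, so it looks like a single encryption shown twice; whether the aes-kw example uses a different CEK is not visible in this diff. AES-GCM loses both confidentiality and integrity when an IV repeats under one key, so I would mark the value as illustrative by changing the annotation to `/ IV (example value; must be unique per CEK) /`. Alternatively, say so once in the draft text that includes these files.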
@@ -1,26 +1,26 @@ -D86BA3025873825824822F58206A1D9F42E7B4047D2F54046019AE3ED43A -8ACC467AC16576B17D6F8E633042D2584AD28443A10126A0F65840DF493B -DBF167EFFB40593C5910D33B66429721467DF05800EA66A88B91729CD510 -07981F151FC324745FF43E6F75AAF5197DD5EC4AA6BCEFCE43E4B1E35C94 -8E03590170A501010201035837A201A101A101815818646570656E64656E +D86BA3025873825824822F5820A00CB6C85515C1EF471B50B542FACDD88B +71B3C7EA2A43DE13D32C4A99056FE9584AD28443A10126A0F65840421B30 +FE76DA848616D72FC1115EA6105578CB95DF9C6BEAD931105C9D555CF8CD +38C8FD68ACE43445D8D2CAE6391A995A212487D92F8DAD789F65511AC617 +780359016CA501010201035837A201A101A101815818646570656E64656E 63792D6D616E69666573742E73756974028181526465637279707465642D 6669726D77617265058157646570656E64656E742D6D616E69666573742E -73756974115901138E0C0014A212582E344FA2D5AD2F43F6F363DA6FF2C3 -37FE69E33E3D63714D23985BF02499EB0E8B231D45C378245DA3611C160C -C511135890D8608443A10101A10550DAE613B2E0DC55F4322BE38BDBA9DC -68F6818344A101381CA220A401022001215820FF6E266DABAF51B7207569 -E31CF72646183E94CEE64FCDC8695AD9A505AEFDEA2258205FBC4A298444 -50B3AC22AB30C7F7004BB59D8BD60D7997734A9FA0124B65089504456B69 -642D325818B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C90C -0114A3035824822F58201051324059C5193317CAC9A099BBC0B6AFB56184 -C04277F566A3A4131F4A1C250E18F7157423646570656E64656E63792D6D -616E6966657374150F070F0B0F7423646570656E64656E63792D6D616E69 -6665737458F7D86BA2025873825824822F58201051324059C5193317CAC9 -A099BBC0B6AFB56184C04277F566A3A4131F4A1C25584AD28443A10126A0 -F6584055990F3745DC4F200FF946643A6DE30DDCE57B080B7D68DE9896D8 -190B9A63E2D60E7C3D9693B67221AA6D07BBF0AB45314C236827A242C22B -5E688DDC46726903587BA601010201035849A20281815264656372797074 -65642D6669726D7761726504582F840C0014A2035824822F582036921488 -FE6680712F734E11F58D87EEB66D4B21A8A1AD3441060814DA16D50F0E18 -1E05815818646570656E64656E63792D6D616E69666573742E7375697407 -4382030F1147860C00120F030F \ No newline at end of file +737569741459010F8E0C0014A212582E758C4B7BBAE2C4C1D462423E0F0D 
+C3164FFA7B85BB94D4BD6D7ED26AB32FEB063385D4D3465927EC82CB5E19 +8A5913588CD8608443A10101A1054CF14AAB9D81D51F7AD943FE87F68183 +44A101381CA220A40102200121582073024F415AA51529A66CCEFD88F3F6 +2A734492FF45F6AD37FD2888E73EAF19DA2258204005B48A6FD091AA6ABF +E3CFBEEDE88B347E521D43405FDBD7D2CFF0EBC21B2604456B69642D3258 +18A06B8E6550F308712B1DF044B21B7D11D9B22792F1DE09970C0114A303 +5824822F58204B15C90FBD776A820E7E733DF040D90B356B5C75982ECAEC +E8673818179BDF160E18F7157423646570656E64656E63792D6D616E6966 +657374150F070F0B0F7423646570656E64656E63792D6D616E6966657374 +58F7D86BA2025873825824822F58204B15C90FBD776A820E7E733DF040D9 +0B356B5C75982ECAECE8673818179BDF16584AD28443A10126A0F658402B +1B9C4E44E52863A78F73DA2A935823B28AEAE6A85CADAC4C4E3AABAAD56C +BCE5A47D288F86B54D0186657E972E748B48CDB1D420FBAC1285DCC97838 +2F62CC03587BA601010201035849A2028181526465637279707465642D66 +69726D7761726504582F840C0014A2035824822F582036921488FE668071 +2F734E11F58D87EEB66D4B21A8A1AD3441060814DA16D50F0E181E058158 +18646570656E64656E63792D6D616E69666573742E73756974074382030F +1447860C00120F030F diff --git a/examples/validate_esdh_aead_suit_encryption_info.py b/examples/validate_esdh_aead_suit_encryption_info.py index 86282e9..db07054 100755 --- a/examples/validate_esdh_aead_suit_encryption_info.py +++ b/examples/validate_esdh_aead_suit_encryption_info.py @@ -32,7 +32,7 @@ # See Section 6.2.4 Context Information Structure # https://datatracker.ietf.org/doc/html/draft-ietf-suit-firmware-encryption#name-context-information-structu kdf_context = { - "alg": "A128GCM", + "alg": "A128KW", "supp_pub": { "key_data_length": 128, "protected": {"alg": "ECDH-ES+A128KW"}, diff --git a/examples/validate_esdh_non_aead_suit_encryption_info.py b/examples/validate_esdh_non_aead_suit_encryption_info.py index 4a8d3c0..db07054 100755 --- a/examples/validate_esdh_non_aead_suit_encryption_info.py +++ b/examples/validate_esdh_non_aead_suit_encryption_info.py 
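Review bot: The new literal `"alg": "A128KW"` in kdf_context carries no comment saying why it differs from the content-encryption algorithm, and the value it replaces shows how easy this is to get wrong. I would add above it `# AlgorithmID is the algorithm the derived key is used with: the A128KW key wrap, not the content cipher`. The same comment applies to the identical hunk in validate_esdh_non_aead_suit_encryption_info.py. Both files now show the same blob id (db07054) in their index lines, so they appear to be byte-identical and could be a single script. The dict continues outside the hunk.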
@@ -4,13 +4,12 @@ import base64 from cwt import COSE, COSEKey -if len(sys.argv) != 4: - print(f"{sys.argv[0]} [hex-encryption-info] [hex-encrypted-payload] [KDF-ALGORITHM]") +if len(sys.argv) != 3: + print(f"{sys.argv[0]} [hex-encryption-info] [hex-encrypted-payload]") filename_hex_suit_encryption_info = sys.argv[1] filename_hex_encrypted_payload = sys.argv[2] filename_diag_suit_encryption_info = filename_hex_suit_encryption_info.replace(".hex", ".diag") -kdf_algorithm = sys.argv[3] expected_plaintext_payload = b'This is a real firmware image.' @@ -33,7 +32,7 @@ # See Section 6.2.4 Context Information Structure # https://datatracker.ietf.org/doc/html/draft-ietf-suit-firmware-encryption#name-context-information-structu kdf_context = { - "alg": kdf_algorithm, + "alg": "A128KW", "supp_pub": { "key_data_length": 128, "protected": {"alg": "ECDH-ES+A128KW"},
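Review bot: The argument-count check in the first hunk prints the usage line but does not stop the script. With too few arguments it goes on to `sys.argv[1]` and fails with an IndexError, and with too many it runs anyway and ignores the extras. No exit is visible between the print and the assignments, so I would end the branch with `sys.exit(1)` after the `print(...)`, assuming `sys` is imported above the hunk as its use here suggests.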