From cfcc884b79df64e9175f2041c95e5c2d9a33daeb Mon Sep 17 00:00:00 2001 From: Ken Takayama Date: Tue, 13 Feb 2024 06:02:09 +0000 Subject: [PATCH 1/2] update: remove delegation chain from dependency manifests --- draft-ietf-suit-firmware-encryption.md | 15 +++-- ...it-manifest-es-ecdh-dependency.diag.signed | 30 ---------- ...uit-manifest-es-ecdh-dependency.hex.signed | 57 +++++++++---------- 3 files changed, 37 insertions(+), 65 deletions(-) diff --git a/draft-ietf-suit-firmware-encryption.md b/draft-ietf-suit-firmware-encryption.md index 9557688..5086311 100644 --- a/draft-ietf-suit-firmware-encryption.md +++ b/draft-ietf-suit-firmware-encryption.md @@ -1343,10 +1343,17 @@ In hex format, the SUIT manifest is this: ## ES-DH Example with Dependency {#example-ES-DH-dependency} -The following SUIT manifest requests a parser -to resolve the delegation chain and dependency respectively. -The parser validates the COSE_Key in the suit-delegation section using the key above, -and then dynamically trusts it. +The following SUIT manifest requests a parser to resolve the dependency. + +The dependent manifest is signed with another key: +``` +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIQa67e56m8CYL5zVaJFiLl30j0qxb8ray2DeUMqH+qYoAoGCCqGSM49 +AwEHoUQDQgAEDpCKqPBm2x8ITgw2UsY5Ur2Z8qW9si+eATZ6rQOrpot32hvYrE8M +tJC6IQZIv3mrFk1JrTVR1x0xSydJ7kLSmg== +-----END EC PRIVATE KEY----- +``` + The dependency manifest is embedded as an integrated-dependency and referred by uri "#dependency-manifest" . diff --git a/examples/suit-manifest-es-ecdh-dependency.diag.signed b/examples/suit-manifest-es-ecdh-dependency.diag.signed index a375592..7a7de0b 100644 --- a/examples/suit-manifest-es-ecdh-dependency.diag.signed +++ b/examples/suit-manifest-es-ecdh-dependency.diag.signed @@ -1,34 +1,4 @@ / SUIT_Envelope_Tagged / 107({ - / delegation / 1: << [ - [ - / NOTE: signed by trust anchor / - << 18([ - / protected: / << { - / alg / 1: -7 / ES256 / - } >>, - / unprotected / { - }, - / payload: / << { - / cnf / 8: { - / NOTE: public key of delegated authority / - / COSE_Key / 1: { - / kty / 1: 2 / EC2 /, - / crv / -1: 1 / P-256 /, - / x / -2: h'0E908AA8F066DB1F084E0C3652C63952 - BD99F2A5BDB22F9E01367AAD03ABA68B', - / y / -3: h'77DA1BD8AC4F0CB490BA210648BF79AB - 164D49AD3551D71D314B2749EE42D29A' - } - } - } >>, - / signature: / - h'FB2D5ACF66B9C8573CE92E13BFB8D113 - F798715CC10B5A0010B11925C155E724 - 5A64E131073B87AC50CAC71650A21315 - B82D06CA2298CD1A95519AAE4C4B5315' - ]) >> - ] - ] >>, / authentication-wrapper / 2: << [ << [ / digest-algorithm-id: / -16 / SHA256 /, diff --git a/examples/suit-manifest-es-ecdh-dependency.hex.signed b/examples/suit-manifest-es-ecdh-dependency.hex.signed index 2fa465e..b85bc8d 100644 --- a/examples/suit-manifest-es-ecdh-dependency.hex.signed +++ b/examples/suit-manifest-es-ecdh-dependency.hex.signed @@ -1,31 +1,26 @@ -D86BA401589E8181589AD28443A10126A0584FA108A101A4010220012158 -200E908AA8F066DB1F084E0C3652C63952BD99F2A5BDB22F9E01367AAD03 -ABA68B22582077DA1BD8AC4F0CB490BA210648BF79AB164D49AD3551D71D -314B2749EE42D29A5840FB2D5ACF66B9C8573CE92E13BFB8D113F798715C -C10B5A0010B11925C155E7245A64E131073B87AC50CAC71650A21315B82D -06CA2298CD1A95519AAE4C4B5315025873825824822F58206A1D9F42E7B4 -047D2F54046019AE3ED43A8ACC467AC16576B17D6F8E633042D2584AD284 -43A10126A0F65840DF493BDBF167EFFB40593C5910D33B66429721467DF0 -5800EA66A88B91729CD51007981F151FC324745FF43E6F75AAF5197DD5EC -4AA6BCEFCE43E4B1E35C948E03590170A501010201035837A201A101A101 -815818646570656E64656E63792D6D616E69666573742E73756974028181 -526465637279707465642D6669726D77617265058157646570656E64656E -742D6D616E69666573742E73756974115901138E0C0014A212582E344FA2 -D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D23985BF02499EB0E8B23 -1D45C378245DA3611C160CC511135890D8608443A10101A10550DAE613B2 -E0DC55F4322BE38BDBA9DC68F6818344A101381CA220A401022001215820 -FF6E266DABAF51B7207569E31CF72646183E94CEE64FCDC8695AD9A505AE -FDEA2258205FBC4A29844450B3AC22AB30C7F7004BB59D8BD60D7997734A -9FA0124B65089504456B69642D325818B0E21628283F3E409F8158D8FFCA -567F340E379AC39E49C90C0114A3035824822F58201051324059C5193317 -CAC9A099BBC0B6AFB56184C04277F566A3A4131F4A1C250E18F715742364 -6570656E64656E63792D6D616E6966657374150F070F0B0F742364657065 -6E64656E63792D6D616E696665737458F7D86BA2025873825824822F5820 -1051324059C5193317CAC9A099BBC0B6AFB56184C04277F566A3A4131F4A -1C25584AD28443A10126A0F6584055990F3745DC4F200FF946643A6DE30D -DCE57B080B7D68DE9896D8190B9A63E2D60E7C3D9693B67221AA6D07BBF0 -AB45314C236827A242C22B5E688DDC46726903587BA601010201035849A2 -028181526465637279707465642D6669726D7761726504582F840C0014A2 -035824822F582036921488FE6680712F734E11F58D87EEB66D4B21A8A1AD -3441060814DA16D50F0E181E05815818646570656E64656E63792D6D616E -69666573742E73756974074382030F1147860C00120F030F +D86BA3025873825824822F58206A1D9F42E7B4047D2F54046019AE3ED43A +8ACC467AC16576B17D6F8E633042D2584AD28443A10126A0F65840DF493B +DBF167EFFB40593C5910D33B66429721467DF05800EA66A88B91729CD510 +07981F151FC324745FF43E6F75AAF5197DD5EC4AA6BCEFCE43E4B1E35C94 +8E03590170A501010201035837A201A101A101815818646570656E64656E +63792D6D616E69666573742E73756974028181526465637279707465642D +6669726D77617265058157646570656E64656E742D6D616E69666573742E +73756974115901138E0C0014A212582E344FA2D5AD2F43F6F363DA6FF2C3 +37FE69E33E3D63714D23985BF02499EB0E8B231D45C378245DA3611C160C +C511135890D8608443A10101A10550DAE613B2E0DC55F4322BE38BDBA9DC +68F6818344A101381CA220A401022001215820FF6E266DABAF51B7207569 +E31CF72646183E94CEE64FCDC8695AD9A505AEFDEA2258205FBC4A298444 +50B3AC22AB30C7F7004BB59D8BD60D7997734A9FA0124B65089504456B69 +642D325818B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C90C +0114A3035824822F58201051324059C5193317CAC9A099BBC0B6AFB56184 +C04277F566A3A4131F4A1C250E18F7157423646570656E64656E63792D6D +616E6966657374150F070F0B0F7423646570656E64656E63792D6D616E69 +6665737458F7D86BA2025873825824822F58201051324059C5193317CAC9 +A099BBC0B6AFB56184C04277F566A3A4131F4A1C25584AD28443A10126A0 +F6584055990F3745DC4F200FF946643A6DE30DDCE57B080B7D68DE9896D8 +190B9A63E2D60E7C3D9693B67221AA6D07BBF0AB45314C236827A242C22B +5E688DDC46726903587BA601010201035849A20281815264656372797074 +65642D6669726D7761726504582F840C0014A2035824822F582036921488 +FE6680712F734E11F58D87EEB66D4B21A8A1AD3441060814DA16D50F0E18 +1E05815818646570656E64656E63792D6D616E69666573742E7375697407 +4382030F1147860C00120F030F \ No newline at end of file From 4f3e37a1b3b9d3f2ddccc3d080319c7719077a31 Mon Sep 17 00:00:00 2001 From: Ken Takayama Date: Tue, 13 Feb 2024 06:06:39 +0000 Subject: [PATCH 2/2] fix --- draft-ietf-suit-firmware-encryption.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-suit-firmware-encryption.md b/draft-ietf-suit-firmware-encryption.md index 5086311..af23b0c 100644 --- a/draft-ietf-suit-firmware-encryption.md +++ b/draft-ietf-suit-firmware-encryption.md @@ -1346,13 +1346,13 @@ In hex format, the SUIT manifest is this: The following SUIT manifest requests a parser to resolve the dependency. The dependent manifest is signed with another key: -``` +~~~ -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIQa67e56m8CYL5zVaJFiLl30j0qxb8ray2DeUMqH+qYoAoGCCqGSM49 AwEHoUQDQgAEDpCKqPBm2x8ITgw2UsY5Ur2Z8qW9si+eATZ6rQOrpot32hvYrE8M tJC6IQZIv3mrFk1JrTVR1x0xSydJ7kLSmg== -----END EC PRIVATE KEY----- -``` +~~~ The dependency manifest is embedded as an integrated-dependency and referred by uri "#dependency-manifest" .