From 43f45a3afae48354718f1f85744f30ff0444d8a6 Mon Sep 17 00:00:00 2001 From: Ken Takayama Date: Sat, 6 Jul 2024 16:18:17 +0000 Subject: [PATCH 1/2] fix: KDF Context values for ECDH-ES+A128KW --- draft-ietf-suit-firmware-encryption.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/draft-ietf-suit-firmware-encryption.md b/draft-ietf-suit-firmware-encryption.md index 65e29af..7f67bc9 100644 --- a/draft-ietf-suit-firmware-encryption.md +++ b/draft-ietf-suit-firmware-encryption.md @@ -750,8 +750,8 @@ This example uses the following parameters: - Algorithm ID: 1 (A128GCM) - SuppPubInfo - keyDataLength: 128 - - protected = << { / alg / 1: -29 / ECDH-ES+A128KW / } >> - - other = 'SUIT Payload Encryption' + - protected: { / alg / 1: -29 / ECDH-ES+A128KW / } + - other: 'SUIT Payload Encryption' The COSE_Encrypt structure, in hex format, is (with a line break inserted): @@ -860,11 +860,11 @@ This example uses the following parameters: - d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3' - kid: 'kid-2' - KDF Context - - ALgorithm ID: -3 (A128KW) + - Algorithm ID: -65534 (A128CTR) - SuppPubInfo - keyDataLength: 128 - - protected = << { / alg / 1: -3 / A128KW / } >> - - other = 'SUIT Payload Encryption' + - protected: { / alg / 1: -29 / ECDH-ES+A128KW / } + - other: 'SUIT Payload Encryption' The COSE_Encrypt structure, in hex format, is (with a line break inserted): @@ -983,8 +983,8 @@ This example uses the following parameters: - Algorithm ID: -65531 (A128CBC) - SuppPubInfo - keyDataLength: 128 - - protected = h'' - - other = 'SUIT Payload Encryption' + - protected: { / alg / 1: -29 / ECDH-ES+A128KW / } + - other: 'SUIT Payload Encryption' The COSE_Encrypt structure, in hex format, is (with a line break inserted): From fee23b19a5bfcedd1dcd18b97c4286073a370313 Mon Sep 17 00:00:00 2001 
From: Ken Takayama Date: Sat, 6 Jul 2024 16:19:20 +0000 Subject: [PATCH 2/2] fix: move ECDH-ES+A128KW to protected --- .../generate_suit_encryption_info_aescbc_aesctr.py | 10 ++++------ .../validate_esdh_non_aead_suit_encryption_info.py | 2 +- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/examples/generate_suit_encryption_info_aescbc_aesctr.py b/examples/generate_suit_encryption_info_aescbc_aesctr.py index cf198f3..e308b91 100755 --- a/examples/generate_suit_encryption_info_aescbc_aesctr.py +++ b/examples/generate_suit_encryption_info_aescbc_aesctr.py @@ -89,15 +89,14 @@ "alg": "A128CBC", "supp_pub": { "key_data_length": 128, - "protected": {}, + "protected": {"alg": "ECDH-ES+A128KW"}, "other": "SUIT Payload Encryption", } } # The sender side: r = Recipient.new( - protected={}, - unprotected={"alg": "ECDH-ES+A128KW"}, + protected={"alg": "ECDH-ES+A128KW"}, sender_key=COSEKey.from_jwk(sender_private_key_jwk), recipient_key=COSEKey.from_jwk(receiver_public_key_jwk), context=kdf_context_a128cbc @@ -216,15 +215,14 @@ "alg": "A128CTR", "supp_pub": { "key_data_length": 128, - "protected": {}, + "protected": {"alg": "ECDH-ES+A128KW"}, "other": "SUIT Payload Encryption", } } # The sender side: r = Recipient.new( - protected={}, - unprotected={"alg": "ECDH-ES+A128KW"}, + protected={"alg": "ECDH-ES+A128KW"}, sender_key=COSEKey.from_jwk(sender_private_key_jwk), recipient_key=COSEKey.from_jwk(receiver_public_key_jwk), context=kdf_context_a128ctr diff --git a/examples/validate_esdh_non_aead_suit_encryption_info.py b/examples/validate_esdh_non_aead_suit_encryption_info.py index 780191e..4a8d3c0 100755 --- a/examples/validate_esdh_non_aead_suit_encryption_info.py +++ b/examples/validate_esdh_non_aead_suit_encryption_info.py @@ -36,7 +36,7 @@ "alg": kdf_algorithm, "supp_pub": { "key_data_length": 128, - "protected": {}, + "protected": {"alg": "ECDH-ES+A128KW"}, "other": "SUIT Payload Encryption", }, }
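Review bot: The recipient protected header is now spelled out twice in the A128CBC example, as `"protected": {"alg": "ECDH-ES+A128KW"}` inside the KDF context's `supp_pub` and again as the `protected=` argument of `Recipient.new(...)`, with nothing tying the two literals together. The `supp_pub` value is an input to key derivation, so if one copy is edited without the other, the example would presumably produce a message whose key-encryption key cannot be reproduced by a receiver that builds the context from the header it actually received. Defining it once, e.g. `recipient_protected = {"alg": "ECDH-ES+A128KW"}`, and using `"protected": recipient_protected` and `protected=recipient_protected` keeps them in step. The same applies to the A128CTR hunk at `@@ -216,15 +215,14 @@`. The context dict opens above this hunk and the `Recipient.new(` call closes below it.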
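Review bot: In `validate_esdh_non_aead_suit_encryption_info.py` the new `"protected": {"alg": "ECDH-ES+A128KW"}` is a bare literal with no comment explaining why it must have exactly this value. Since A128CBC and A128CTR do not authenticate the headers themselves, this entry is what binds the key-agreement algorithm into the derived key, and it has to match the recipient's protected header in the message under test. I would add above it `# Must equal the recipient's protected header in the message; it is fed into the KDF as SuppPubInfo.protected.` If the validator can already see the decoded recipient, it may also be worth checking that `alg` no longer appears in the unprotected header, so a regression to the old layout fails loudly. That part is a guess, because the dict starts above the hunk and its use is not shown.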