Merge pull request #351 from kentakayama/update-esdh-example

[Hackathon117] Add encrypted personalization data using ES-ECDH
ietf-teep · Nov 4, 2023 · 655241b · 655241b
2 parents 36bb3b9 + bd68da2
commit 655241b
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 25 deletions.
diff --git a/cbor/suit_personalization.diag.txt b/cbor/suit_personalization.diag.txt
@@ -2,15 +2,15 @@
   / authentication-wrapper / 2: << [
     << [
       / digest-algorithm-id: / -16 / SHA256 /,
-      / digest-bytes: / h'F8CDE205EA2C63FB23042AAF336BA51C12DBDFAA9714149F42FA0F701490DF43'
+      / digest-bytes: / h'DDFC55B9FF63C1A27A7DA1CFB64DC924ACD5EFBAD5D5CAD2E7CFEDEB296C74D5'
     ] >>,
     << / COSE_Sign1_Tagged / 18([
       / protected: / << {
         / algorithm-id / 1: -7 / ES256 /
       } >>,
       / unprotected: / {},
       / payload: / null,
-      / signature: / h'34994DB97D120652829B242C9A33AEF892C213BB10550341B9816207EF78E21BE323A8B4C3BF2BD90E3EEE34D749D3AF45C972E3EA96B8FE3D49B3CD27FCF779'
+      / signature: / h'7BBA826B1F0F2D3607C239D94D2ECE75629FD56F86E120CC7731531E61C92ABF436B9CCE296F070FAFD94AE8BA3D33EC37256350DB95E3A67C50978563E76389'
     ]) >>
   ] >>,
   / manifest / 3: << {
@@ -55,9 +55,9 @@
         / NOTE: image-digest and image-size of plaintext config.json /
         / parameter-image-digest / 3: << [
           / digest-algorithm-id: / -16 / SHA256 /,
-          / digest-bytes: / h'2d62bc330d02054f4028e790a161cf26fce74ae5e05f6165ccbdf23b27faf5c7'
+          / digest-bytes: / h'8273468FB64BD84BB04825F8371744D952B751C73A60F455AF681E167726F116'
         ] >>,
-        / image-size / 14: 64
+        / image-size / 14: 61
       },
       / condition-image-match / 3, 15
     ] >>,
@@ -76,31 +76,38 @@
       / directive-set-component-index / 12, 0,
       / directive-override-parameters / 20, {
         / NOTE: encrypted payload and encryption-info /
-        / parameter-content / 18: h'48FE0794D291C42700D614FC7EF638A6CF9C6B40CBE172CC0EB2B0ECB9DA6071BE85CACB416090E350354760A463D3D85D7E835B5E48190DBE61F2DA1C1C687062AC556B89B8459FE99D79378158BAF5',
+        / parameter-content / 18: h'1A6D7C82357219BF85C334F673FB93E37A7443945A5B4E8E2391668E92B5936AB2B285FB4CEA6EADACC75242CE0B1C779DB36D34E2BDAD74666934778EC534628EFBA31805F5C699F66D7E4A03',
         / parameter-encryption-info / 19: << 96([
           / protected: / << {
             / alg / 1: 1 / AES-GCM-128 /
           } >>,
           / unprotected: / {
-            / IV / 5: h'5318E31B9825AAF12664796B5DC644EB'
+            / IV / 5: h'56255F07A12A0FCD0877D199EBE878DF'
           },
           / payload: / null / detached ciphertext /,
           / recipients: / [
             [
               / protected: / << {
+                / alg / 1: -29 / ECDH-ES + A128KW /
               } >>,
               / unprotected: / {
-                / alg / 1: -3 / A128KW /,
-                / kid / 4: 'kid-1'
+                / ephemeral key / -1: {
+                  / kty / 1: 2 / EC2 /,
+                  / crv / -1: 1 / P-256 /,
+                  / x / -2: h'F8D76E4011FAD67E236AFCE61CC2F472706BD08B451FC588EF758E0D4BF5E200',
+                  / y / -3: h'2D8A9B35903CD560F15DC011AB6398209724C6F41A7E9EBC9F3EB1B7BB30FBB8'
+                }
               },
-              / payload: / h'8A788C02AA608BAD1F94BDC4786E6BAFB9D805173A8B66DD' / CEK encrypted with KEK /
+              / payload: / h'ABACADEC902D882096A50D88A222644C25E6152B66B96B84'
+                / CEK encrypted with KEK /
             ]
           ]
         ]) >>
       },
 
       / decrypt encrypted firmware /
       / directive-write / 18, 15 / consumes the SUIT_Encryption_Info above /
+      / NOTE: decrypted payload would be ``{"name":"FOO Bar","secret":"0123456789abfcdef0123456789abcd"}'' /
     ] >>,
     / uninstall / 24: << [
       / directive-set-component-index / 12, 1,

diff --git a/cbor/suit_personalization.hex.txt b/cbor/suit_personalization.hex.txt
@@ -1,21 +1,23 @@
-A2025873825824822F5820F8CDE205EA2C63FB23042AAF336BA51C12DBDF
-AA9714149F42FA0F701490DF43584AD28443A10126A0F6584034994DB97D
-120652829B242C9A33AEF892C213BB10550341B9816207EF78E21BE323A8
-B4C3BF2BD90E3EEE34D749D3AF45C972E3EA96B8FE3D49B3CD27FCF77903
-5901E3A801010203035886A301A101A101844B544545502D446576696365
+A2025873825824822F5820DDFC55B9FF63C1A27A7DA1CFB64DC924ACD5EF
+BAD5D5CAD2E7CFEDEB296C74D5584AD28443A10126A0F658407BBA826B1F
+0F2D3607C239D94D2ECE75629FD56F86E120CC7731531E61C92ABF436B9C
+CE296F070FAFD94AE8BA3D33EC37256350DB95E3A67C50978563E7638903
+590226A801010203035886A301A101A101844B544545502D446576696365
 485365637572654653508D82573A926D4754935332DC29997F7444737569
 740281834B544545502D4465766963654853656375726546534B636F6E66
 69672E6A736F6E04582D880C0014A20150C0DDD5F15243566087DB4F5B0A
 A26C2F0250DB42F7093D8C55BAA8C5265FC5820F4E010F020F05834B5445
 45502D4465766963654853656375726546534B636F6E6669672E73756974
-075831860C0014A2035824822F58202D62BC330D02054F4028E790A161CF
-26FCE74AE5E05F6165CCBDF23B27FAF5C70E1840030F0F5847860C0114A1
+075831860C0014A2035824822F58208273468FB64BD84BB04825F8371744
+D952B751C73A60F455AF681E167726F1160E183D030F0F5847860C0114A1
 15783D68747470733A2F2F6578616D706C652E6F72672F38643832353733
 612D393236642D343735342D393335332D3332646332393939376637342E
-7375697415021158A48A0C010B000C0014A212585048FE0794D291C42700
-D614FC7EF638A6CF9C6B40CBE172CC0EB2B0ECB9DA6071BE85CACB416090
-E350354760A463D3D85D7E835B5E48190DBE61F2DA1C1C687062AC556B89
-B8459FE99D79378158BAF5135843D8608443A10101A105505318E31B9825
-AAF12664796B5DC644EBF6818341A0A2012204456B69642D3158188A788C
-02AA608BAD1F94BDC4786E6BAFB9D805173A8B66DD120F18184A880C010B
-000C0018210F
+7375697415021158E78A0C010B000C0014A212584D1A6D7C82357219BF85
+C334F673FB93E37A7443945A5B4E8E2391668E92B5936AB2B285FB4CEA6E
+ADACC75242CE0B1C779DB36D34E2BDAD74666934778EC534628EFBA31805
+F5C699F66D7E4A03135889D8608443A10101A1055056255F07A12A0FCD08
+77D199EBE878DFF6818344A101381CA120A401022001215820F8D76E4011
+FAD67E236AFCE61CC2F472706BD08B451FC588EF758E0D4BF5E200225820
+2D8A9B35903CD560F15DC011AB6398209724C6F41A7E9EBC9F3EB1B7BB30
+FBB85818ABACADEC902D882096A50D88A222644C25E6152B66B96B84120F
+18184A880C010B000C0018210F
diff --git a/draft-ietf-teep-protocol.md b/draft-ietf-teep-protocol.md
@@ -2177,6 +2177,13 @@ bz/m4rVlnIXbwK07HypLbAmBMcCjbazR14vTgdzfsJwFLbM5kdtzOLSolg==
 ## Example 3: Supplying Personalization Data for Trusted Component Binary {#suit-personalization}
 {: numbered='no'}
 
+This example uses the following parameters:
+
+- Algorithm for payload encryption: AES-GCM-128
+- Algorithm id for key wrap: A128KW
+- KEK: 'aaaaaaaaaaaaaaaa'
+- COSE_KDF_Context.SuppPubInfo.other: 'SUIT Payload Encryption'
+
 ### CBOR Diagnostic Notation of SUIT Manifest
 {: numbered='no'}
 
@@ -2192,8 +2199,6 @@ bz/m4rVlnIXbwK07HypLbAmBMcCjbazR14vTgdzfsJwFLbM5kdtzOLSolg==
 {::include cbor/suit_personalization.hex.txt}
 ~~~~
 
-The Personalization Data above is encrypted with A128KW.
-The secret key is h'61616161616161616161616161616161' (0x61 = 'a', and the length is 16).
 
 # F. Examples of SUIT Reports {#suit-reports}
 {: numbered='no'}