RIOT/dist/tools/suit_v3/suit-manifest-generator/suit_tool/sign.py

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# ----------------------------------------------------------------------------
# Copyright 2019 ARM Limited or its affiliates
#
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ----------------------------------------------------------------------------
import cbor

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives.asymmetric import utils as asymmetric_utils
from cryptography.hazmat.primitives import serialization as ks


from suit_tool.manifest import COSE_Sign1, COSEList, \
                               SUITWrapper, SUITBytes, SUITBWrapField
import logging
import binascii
LOG = logging.getLogger(__name__)

def get_cose_es_bytes(private_key, sig_val):
    ASN1_signature = private_key.sign(sig_val, ec.ECDSA(hashes.SHA256()))
    r,s = asymmetric_utils.decode_dss_signature(ASN1_signature)
    ssize = private_key.key_size
    signature_bytes = r.to_bytes(ssize//8, byteorder='big') + s.to_bytes(ssize//8, byteorder='big')
    return signature_bytes

def get_cose_ed25519_bytes(private_key, sig_val):
    return private_key.sign(sig_val)

def main(options):
    # Read the manifest wrapper
    wrapper = cbor.loads(options.manifest.read())

    private_key = None
    digest = None
    try:
        private_key = ks.load_pem_private_key(options.private_key.read(), password=None, backend=default_backend())
        if isinstance(private_key, ec.EllipticCurvePrivateKey):
            options.key_type = 'ES{}'.format(private_key.key_size)
        elif isinstance(private_key, ed25519.Ed25519PrivateKey):
            options.key_type = 'EdDSA'
        else:
            LOG.critical('Unrecognized key: {}'.format(type(private_key).__name__))
            return 1
        digest = {
            'ES256' : hashes.Hash(hashes.SHA256(), backend=default_backend()),
            'ES384' : hashes.Hash(hashes.SHA384(), backend=default_backend()),
            'ES512' : hashes.Hash(hashes.SHA512(), backend=default_backend()),
            'EdDSA' : hashes.Hash(hashes.SHA256(), backend=default_backend()),
        }.get(options.key_type)
    except:
        digest= hashes.Hash(hashes.SHA256(), backend=default_backend())
        # private_key = None
        # TODO: Implement loading of DSA keys not supported by python cryptography
        LOG.critical('Non-library key type not implemented')
        # return 1

    digest.update(cbor.dumps(wrapper[SUITWrapper.fields['manifest'].suit_key]))

    cose_signature = COSE_Sign1().from_json({
        'protected' : {
            'alg' : options.key_type
        },
        'unprotected' : {},
        'payload' : {
            'algorithm-id' : 'sha256',
            'digest-bytes' : binascii.b2a_hex(digest.finalize())
        }
    })

    Sig_structure = cbor.dumps([
        "Signature1",
        cose_signature.protected.to_suit(),
        b'',
        cose_signature.payload.to_suit(),
    ], sort_keys = True)
    sig_val = Sig_structure

    signature_bytes = {
        'ES256' : get_cose_es_bytes,
        'ES384' : get_cose_es_bytes,
        'ES512' : get_cose_es_bytes,
        'EdDSA' : get_cose_ed25519_bytes,
    }.get(options.key_type)(private_key, sig_val)

    cose_signature.signature = SUITBytes().from_suit(signature_bytes)

    auth = SUITBWrapField(COSEList)().from_json([{
        'COSE_Sign1_Tagged' : cose_signature.to_json()
    }])

    wrapper[SUITWrapper.fields['auth'].suit_key] = auth.to_suit()

    options.output_file.write(cbor.dumps(wrapper, sort_keys=True))
    return 0
dist/tools/suit_v3: Add ietf-v3 manifest generator Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:44:13 +01:00			`#!/usr/bin/python3`
			`# -- coding: utf-8 --`
			`# ----------------------------------------------------------------------------`
			`# Copyright 2019 ARM Limited or its affiliates`
			`#`
			`# SPDX-License-Identifier: Apache-2.0`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`# ----------------------------------------------------------------------------`
			`import cbor`

			`from cryptography.hazmat.backends import default_backend`
			`from cryptography.hazmat.primitives import hashes`
			`from cryptography.hazmat.primitives.asymmetric import ec`
			`from cryptography.hazmat.primitives.asymmetric import ed25519`
			`from cryptography.hazmat.primitives.asymmetric import utils as asymmetric_utils`
			`from cryptography.hazmat.primitives import serialization as ks`


			`from suit_tool.manifest import COSE_Sign1, COSEList, \`
			`SUITWrapper, SUITBytes, SUITBWrapField`
			`import logging`
			`import binascii`
			`LOG = logging.getLogger(__name__)`

			`def get_cose_es_bytes(private_key, sig_val):`
			`ASN1_signature = private_key.sign(sig_val, ec.ECDSA(hashes.SHA256()))`
			`r,s = asymmetric_utils.decode_dss_signature(ASN1_signature)`
			`ssize = private_key.key_size`
			`signature_bytes = r.to_bytes(ssize//8, byteorder='big') + s.to_bytes(ssize//8, byteorder='big')`
			`return signature_bytes`

			`def get_cose_ed25519_bytes(private_key, sig_val):`
			`return private_key.sign(sig_val)`

			`def main(options):`
			`# Read the manifest wrapper`
			`wrapper = cbor.loads(options.manifest.read())`

			`private_key = None`
			`digest = None`
			`try:`
			`private_key = ks.load_pem_private_key(options.private_key.read(), password=None, backend=default_backend())`
			`if isinstance(private_key, ec.EllipticCurvePrivateKey):`
			`options.key_type = 'ES{}'.format(private_key.key_size)`
			`elif isinstance(private_key, ed25519.Ed25519PrivateKey):`
			`options.key_type = 'EdDSA'`
			`else:`
			`LOG.critical('Unrecognized key: {}'.format(type(private_key).__name__))`
			`return 1`
			`digest = {`
			`'ES256' : hashes.Hash(hashes.SHA256(), backend=default_backend()),`
			`'ES384' : hashes.Hash(hashes.SHA384(), backend=default_backend()),`
			`'ES512' : hashes.Hash(hashes.SHA512(), backend=default_backend()),`
			`'EdDSA' : hashes.Hash(hashes.SHA256(), backend=default_backend()),`
			`}.get(options.key_type)`
			`except:`
			`digest= hashes.Hash(hashes.SHA256(), backend=default_backend())`
			`# private_key = None`
			`# TODO: Implement loading of DSA keys not supported by python cryptography`
			`LOG.critical('Non-library key type not implemented')`
			`# return 1`

			`digest.update(cbor.dumps(wrapper[SUITWrapper.fields['manifest'].suit_key]))`

			`cose_signature = COSE_Sign1().from_json({`
			`'protected' : {`
			`'alg' : options.key_type`
			`},`
			`'unprotected' : {},`
			`'payload' : {`
			`'algorithm-id' : 'sha256',`
			`'digest-bytes' : binascii.b2a_hex(digest.finalize())`
			`}`
			`})`

			`Sig_structure = cbor.dumps([`
			`"Signature1",`
			`cose_signature.protected.to_suit(),`
			`b'',`
			`cose_signature.payload.to_suit(),`
			`], sort_keys = True)`
			`sig_val = Sig_structure`

			`signature_bytes = {`
			`'ES256' : get_cose_es_bytes,`
			`'ES384' : get_cose_es_bytes,`
			`'ES512' : get_cose_es_bytes,`
			`'EdDSA' : get_cose_ed25519_bytes,`
			`}.get(options.key_type)(private_key, sig_val)`

			`cose_signature.signature = SUITBytes().from_suit(signature_bytes)`

			`auth = SUITBWrapField(COSEList)().from_json([{`
			`'COSE_Sign1_Tagged' : cose_signature.to_json()`
			`}])`

			`wrapper[SUITWrapper.fields['auth'].suit_key] = auth.to_suit()`

			`options.output_file.write(cbor.dumps(wrapper, sort_keys=True))`
			`return 0`