suit: try multiple keys

2024-12-29 04:50:03 +01:00 · 2022-08-15 19:17:03 +02:00 · 2022-08-15 19:17:03 +02:00 · abb5d0fab6
commit abb5d0fab6
parent 7f5c932f07
2 changed files with 26 additions and 7 deletions
--- a/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py
+++ b/dist/tools/suit/suit-manifest-generator/suit_tool/get_pubkey.py
@ -49,11 +49,11 @@ def to_header(pk):
    if isinstance(pk, ed25519.Ed25519PrivateKey):
        public_bytes = pk.public_key().public_bytes(ks.Encoding.Raw,
                                                      ks.PublicFormat.Raw)
-        public_c_def = ['const uint8_t public_key[] = {'] + textwrap.wrap(
+        public_c_def = ['{'] + textwrap.wrap(
            ', '.join(['{:0=#4x}'.format(x) for x in public_bytes]),
            76
        )
-        return str.encode('\n    '.join(public_c_def) + '\n};\n')
+        return str.encode('\n    '.join(public_c_def) + '\n},\n')


 OutputFormaters = {
--- a/sys/suit/handlers_envelope.c
+++ b/sys/suit/handlers_envelope.c
@ -32,17 +32,18 @@
 #include "suit/handlers.h"
 #include "suit.h"

-static int _auth_handler(suit_manifest_t *manifest, int key,
-                         nanocbor_value_t *it)
+static int _verify_with_key(suit_manifest_t *manifest, const nanocbor_value_t *it,
+                            const void *key)
 {
-    (void)key;
    cose_sign_dec_t verify;
    const uint8_t *cose_buf;
    const uint8_t *auth_container;
    size_t auth_container_len;
    size_t cose_len = 0;
+    nanocbor_value_t tmp = *it;
+
    /* It is a list of cose signatures */
-    if (nanocbor_get_bstr(it, &auth_container, &auth_container_len) < 0) {
+    if (nanocbor_get_bstr(&tmp, &auth_container, &auth_container_len) < 0) {
        LOG_INFO("Unable to get auth container\n");
        return SUIT_ERR_INVALID_MANIFEST;
    }
@ -51,7 +52,7 @@ static int _auth_handler(suit_manifest_t *manifest, int key,
    cose_key_t pkey;
    cose_key_init(&pkey);
    cose_key_set_keys(&pkey, COSE_EC_CURVE_ED25519, COSE_ALGO_EDDSA,
-                      (uint8_t *)public_key, NULL, NULL);
+                      (void *)key, NULL, NULL);

    nanocbor_value_t _cont, arr;
    nanocbor_decoder_init(&_cont, auth_container, auth_container_len);
@ -96,6 +97,7 @@ static int _auth_handler(suit_manifest_t *manifest, int key,
            }
            else {
                LOG_INFO("Unable to validate signature: %d\n", verification);
+                res = SUIT_ERR_SIGNATURE;
            }
        }
    }
@ -103,6 +105,23 @@ static int _auth_handler(suit_manifest_t *manifest, int key,
    return res;
 }

+static int _auth_handler(suit_manifest_t *manifest, int key,
+                         nanocbor_value_t *it)
+{
+    (void)key;
+
+    int res = 0;
+
+    for (unsigned i = 0; i < ARRAY_SIZE(public_key); ++i) {
+        res = _verify_with_key(manifest, it, public_key[i]);
+        if (res != SUIT_ERR_SIGNATURE) {
+            break;
+        }
+    }
+
+    return res;
+}
+
 static int _manifest_handler(suit_manifest_t *manifest, int key,
                             nanocbor_value_t *it)
 {