Skip to content

Key distribution/communication/node #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
WadoMB wants to merge 5 commits into
base: node
Choose a base branch
from
Open

Key distribution/communication/node #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
394d50b
change cose service to use external buffer to sign
WadoMB Jun 23, 2025
924e961
adding key distribution for cose service
WadoMB Jun 30, 2025
6449f98
ignore prod keys
WadoMB Jun 30, 2025
a15f92b
ignore prod keys
WadoMB Jun 30, 2025
0925ec2
publish test keys
WadoMB Jun 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,4 +98,5 @@ coverage/
*.crt
*.key

nodes/lab_workarounds.mk
nodes/lab_workarounds.mk
nodes/custom-modules/key-distro/include/secrets
2 changes: 1 addition & 1 deletion nodes/RIOT
Open in desktop
Submodule RIOT updated 10 files
+1 −1 drivers/st77xx/include/st77xx_params.h
+1 −1 makefiles/docker.inc.mk
+2 −2 pkg/monocypher/Makefile
+17 −0 sys/checksum/crc8.c
+33 −0 sys/checksum/doc.md
+0 −35 sys/checksum/doc.txt
+20 −3 sys/include/checksum/crc8.h
+91 −0 tests/unittests/tests-checksum/tests-checksum-crc8-lsb.c
+1 −0 tests/unittests/tests-checksum/tests-checksum.c
+7 −0 tests/unittests/tests-checksum/tests-checksum.h
5 changes: 0 additions & 5 deletions nodes/apps/cose-test/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,6 @@ DEVELHELP ?= 1
USEMODULE += xtimer
USEMODULE += ztimer_sec
USEMODULE += benchmark
USEPKG += tinycbor
USEPKG += libcose
USEMODULE += libcose_crypt_monocypher

CFLAGS += -DTHREAD_STACKSIZE_MAIN=4096


# Change this to 0 show compiler invocation lines by default:
Expand Down
5 changes: 3 additions & 2 deletions nodes/apps/cose-test/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,9 @@ int main(void)

// --- Encode code ---
uint8_t *encoded_ptr = NULL;
uint8_t encode_outbuf[256];
size_t encoded_len = 0;
BENCHMARK_FUNC("Signieren:", 5, sign_payload(payload, sizeof(payload), &encoded_ptr, &encoded_len));
BENCHMARK_FUNC("Signieren:", 5, sign_payload(payload, sizeof(payload),encode_outbuf,&encoded_ptr, &encoded_len));

// --- Verify code ---
uint8_t verify_outbuf[256]; // ausreichend groß dimensionieren
Expand All @@ -31,7 +32,7 @@ int main(void)
BENCHMARK_FUNC("Validieren:", 5,verify_decode(encoded_ptr, encoded_len,verify_outbuf, sizeof(verify_outbuf),&verify_payload_len));

// --- Auswertung ---
int sign_result = sign_payload(payload, sizeof(payload), &encoded_ptr, &encoded_len);
int sign_result = sign_payload(payload, sizeof(payload),encode_outbuf,&encoded_ptr, &encoded_len);
if (sign_result != 0) {
printf("❌ Signing fehlgeschlagen mit Fehlercode: %d\n", sign_result);
}
Expand Down
3 changes: 3 additions & 0 deletions nodes/custom-modules/cose-service/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
MODULE := cose-service

# Eigene Module aktivieren
USEMODULE += key-distro

SRC := $(MODULE).c

include $(RIOTBASE)/Makefile.base
8 changes: 8 additions & 0 deletions nodes/custom-modules/cose-service/Makefile.dep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# custom-modules/cose-service/Makefile.dep

ifneq (,$(filter cose-service,$(USEMODULE)))
USEMODULE += key-distro
USEPKG += tinycbor
USEPKG += libcose
USEMODULE += libcose_crypt_monocypher
endif
4 changes: 3 additions & 1 deletion nodes/custom-modules/cose-service/Makefile.include
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
USEMODULE_INCLUDES_cose_service := $(LAST_MAKEFILEDIR)/include
USEMODULE_INCLUDES += $(USEMODULE_INCLUDES_cose_service)
USEMODULE_INCLUDES += $(USEMODULE_INCLUDES_cose_service)

CFLAGS += -DTHREAD_STACKSIZE_MAIN=4096
8 changes: 3 additions & 5 deletions nodes/custom-modules/cose-service/cose-service.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,7 @@
#include "random.h"

#include "cose-service.h"
#include "public_keys.h"
#include "private_key.h"
#include "key_config.h"


/* COSE structs */
Expand All @@ -26,13 +25,12 @@ static cose_key_t signer1;
static cose_key_t verifyer;

/* Buffer */
static uint8_t sign_buf[2048];
static uint8_t v_buf[2048];

/* COSE Header KID */
#define COSE_HEADER_KID 4

int sign_payload(const uint8_t *payload, size_t payload_len,
int sign_payload(const uint8_t *payload, size_t payload_len,uint8_t *encoding_buf,
uint8_t **out_buf, size_t *out_len)
{
if (!payload || payload_len == 0 || !out_buf || !out_len)
Expand All @@ -52,7 +50,7 @@ int sign_payload(const uint8_t *payload, size_t payload_len,
cose_sign_set_payload(&sign, payload, payload_len);
cose_sign_add_signer(&sign, &signature1, &signer1);

ssize_t len = cose_sign_encode(&sign, sign_buf, sizeof(sign_buf), out_buf);
ssize_t len = cose_sign_encode(&sign,encoding_buf, sizeof(encoding_buf), out_buf);
if (len < 0)
{
printf("Signing faild with: %i",len);
Expand Down
45 changes: 26 additions & 19 deletions nodes/custom-modules/cose-service/include/cose-service.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,40 +42,47 @@ extern "C" {
#endif

/**
* Signiert einen Null-terminierten Payload mit Ed25519
* und liefert die CBOR-codierte COSE_Sign1-Struktur zurück.
* Signiert einen Payload mit Ed25519 und erzeugt eine CBOR-codierte COSE_Sign1-Struktur.
*
* @param payload Eingabe-String (Null-terminiert)
* @param out_buf Pointer auf den Ausgabebuffer (wird intern gesetzt, ggf. malloc)
* @param out_len Ausgabelänge des Buffers
* @return COSE_SIGN_SUCCESS bei Erfolg, sonst Fehlercode (z.B. COSE_SIGN_ERR_*)
* @param payload Pointer auf den zu signierenden Binärdaten-Buffer
* @param payload_len Länge des Payloads in Bytes
* @param encoding_buf Interner Arbeits-/Zwischenpuffer zur Kodierung (vom Aufrufer bereitgestellt)
* Muss ausreichend groß sein, z. B. 2048 Bytes.
* @param out_buf_ptr Pointer auf den Ausgabepuffer (wird intern gesetzt; zeigt auf encoding_buf oder intern allokiert)
* @param out_len Ausgabelänge des Puffers nach erfolgreicher Kodierung
* @return COSE_SIGN_SUCCESS bei Erfolg, sonst Fehlercode (z. B. COSE_SIGN_ERR_*)
*/
int sign_payload(const uint8_t *payload, size_t payload_len,
uint8_t **out_buf, size_t *out_len);
int sign_payload(const uint8_t *payload, size_t payload_len, uint8_t *encoding_buf,
uint8_t **out_buf_ptr, size_t *out_len);


/**
* Verifiziert und dekodiert eine COSE_Sign1 Nachricht.
* Verifiziert und dekodiert eine COSE_Sign1-Nachricht.
*
* @param encodedMsg Eingabepuffer mit COSE_Sign1
* @param encodedMsg Eingabepuffer mit COSE_Sign1-Daten
* @param len Länge des Eingabepuffers
* @param outbuf Ausgabepuffer für Payload
* @param outbuf_len Länge des Ausgabepuffers
* @param payload_len tatsächliche Länge des Payloads nach Decodierung
* @param outbuf Ausgabepuffer für den extrahierten Payload
* @param outbuf_len Größe des Ausgabepuffers
* @param payload_len Tatsächliche Länge des extrahierten Payloads
* @return COSE_VERIFY_SUCCESS bei Erfolg, sonst Fehlercode (COSE_VERIFY_ERR_*)
*/
int verify_decode(uint8_t *encodedMsg, size_t len,
uint8_t *outbuf, size_t outbuf_len, size_t *payload_len);


/**
* Extrahiert das KID (Key ID) aus dem Unprotected Header einer COSE_Sign1 Signatur.
* Extrahiert das KID (Key ID) aus dem ungeschützten Header einer COSE_Sign1-Signatur.
*
* @param sig Pointer auf COSE Signatur-Decoder Struktur
* @param kid_buf Zielpuffer für KID (max. MAX_KEY_ID_SIZE)
* @param kid_len Ein-/Ausgabeparameter mit Pufferlänge / gefundener Länge
* @return COSE_KID_SUCCESS bei Erfolg, sonst Fehlercode (COSE_KID_ERR_*)
* @param sig Pointer auf COSE-Signatur-Decoder-Struktur
* @param kid_buf Zielpuffer für das extrahierte KID (max. MAX_KEY_ID_SIZE Bytes)
* @param kid_len Ein-/Ausgabeparameter: Eingabe = Größe von kid_buf, Ausgabe = Länge des extrahierten KID
* @return KID_OK bei Erfolg, sonst Fehlercode (z. B. KID_ERR_*)
*/
int extract_kid_from_unprotected(cose_signature_dec_t *sig,
uint8_t *kid_buf, size_t *kid_len);
#endif //COSE_SERVICE_H

#ifdef __cplusplus
}
#endif

#endif // COSE_SERVICE_H
27 changes: 0 additions & 27 deletions nodes/custom-modules/cose-service/include/private_key.h
View file
Open in desktop

This file was deleted.

25 changes: 0 additions & 25 deletions nodes/custom-modules/cose-service/include/public_keys.h
View file
Open in desktop

This file was deleted.

5 changes: 5 additions & 0 deletions nodes/custom-modules/key-distro/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
MODULE := key-distro

INCLUDES += -I$(CURDIR)/include

include $(RIOTBASE)/Makefile.base
13 changes: 13 additions & 0 deletions nodes/custom-modules/key-distro/Makefile.include
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
USEMODULE_INCLUDES_key_distro := $(LAST_MAKEFILEDIR)/include
USEMODULE_INCLUDES += $(USEMODULE_INCLUDES_key_distro)

ifneq (,$(RIOT_CONFIG_USE_TEST_KEYS))
CFLAGS += -DTEST_KEYS
$(info test_Keys defined)
else
ifneq (,$(RIOT_CONFIG_DEVICE_ID))
CFLAGS += -DDEVICE_ID=$(RIOT_CONFIG_DEVICE_ID)
endif
endif

$(info $(CFLAGS))
0 .../cose-service/include/ed25519_key_entry.h → ...es/key-distro/include/ed25519_key_entry.h
View file
Open in desktop
File renamed without changes.
18 changes: 18 additions & 0 deletions nodes/custom-modules/key-distro/include/key_config.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
#ifndef KEY_CONFIG_H
#define KEY_CONFIG_H

#ifdef TEST_KEYS
#include "test_private_key.h"
#include "test_public_keys.h"
#else
#define _STR(x) #x
#define STR(x) _STR(x)

#define FILE_PATH(dev) STR(secrets/dev##_private_key.h)
#define INCLUDE_FILE(dev) FILE_PATH(dev)

#include INCLUDE_FILE(DEVICE_ID)
#include "secrets/public_keys.h"
#endif

#endif // KEY_CONFIG_H
14 changes: 14 additions & 0 deletions nodes/custom-modules/key-distro/include/test_private_key.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
#ifndef TEST_PRIVATE_KEY_H
#define TEST_PRIVATE_KEY_H

static const uint8_t ownId[] = "test-device";

static uint8_t ed25519_secret_key[64] = {
0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x65, 0x64, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32
};

static uint8_t ed25519_public_key[32] = {
0xd5, 0x38, 0x03, 0x54, 0x43, 0xa5, 0x0c, 0xff, 0xf8, 0x19, 0xc6, 0xdc, 0xc7, 0x59, 0x75, 0x46, 0xbc, 0x05, 0x96, 0xca, 0x32, 0xb2, 0xbb, 0xc7, 0x43, 0xac, 0xdd, 0x1c, 0xa7, 0x1b, 0xcb, 0x45
};

#endif // TEST_PRIVATE_KEY_H
17 changes: 17 additions & 0 deletions nodes/custom-modules/key-distro/include/test_public_keys.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
#ifndef TEST_PUBLIC_KEYS_H
#define TEST_PUBLIC_KEYS_H

#include "ed25519_key_entry.h"

static const ed25519_public_key_entry_t known_keys[] = {
{
.kid = "test-device",
.kid_len = 11,
.public_key = {
0xd5, 0x38, 0x03, 0x54, 0x43, 0xa5, 0x0c, 0xff, 0xf8, 0x19, 0xc6, 0xdc, 0xc7, 0x59, 0x75, 0x46, 0xbc, 0x05, 0x96, 0xca, 0x32, 0xb2, 0xbb, 0xc7, 0x43, 0xac, 0xdd, 0x1c, 0xa7, 0x1b, 0xcb, 0x45
}
},
};
#define NUM_KNOWN_KEYS (sizeof(known_keys)/sizeof(known_keys[0]))

#endif // TEST_PUBLIC_KEYS_H
56 changes: 56 additions & 0 deletions nodes/custom-modules/key-distro/util_scripts/generate_prod_keys.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
from nacl.signing import SigningKey
from pathlib import Path
import json

NUM_DEVICES = 3

def main():
base_dir = Path(__file__).parent.parent
secrets_dir = base_dir / "include" / "secrets"
include_dir = base_dir / "include"

secrets_dir.mkdir(parents=True, exist_ok=True)

key_list = []

for i in range(NUM_DEVICES):
kid = f"device_{i+1:02d}"
sk = SigningKey.generate()
pk = sk.verify_key

key_list.append({
"kid": kid,
"public_key": pk.encode(),
})

# private_key pro device schreiben
with open(secrets_dir / f"{kid}_private_key.h", "w") as f:
f.write("#ifndef PRIVATE_KEY_H\n#define PRIVATE_KEY_H\n\n")
f.write(f'static const uint8_t ownId[] = "{kid}";\n\n')
f.write("static uint8_t ed25519_secret_key[64] = {\n")
f.write(" " + ", ".join(f"0x{x:02x}" for x in sk.encode()) + "\n};\n\n")
f.write("static uint8_t ed25519_public_key[32] = {\n")
f.write(" " + ", ".join(f"0x{x:02x}" for x in pk.encode()) + "\n};\n\n")
f.write("#endif // PRIVATE_KEY_H\n")

# public_keys_prod.h generieren
with open(secrets_dir / "public_keys.h", "w") as f:
f.write("#ifndef PUBLIC_KEYS_PROD_H\n#define PUBLIC_KEYS_PROD_H\n\n")
f.write('#include "ed25519_key_entry.h"\n\n')
f.write("static const ed25519_public_key_entry_t known_keys[] = {\n")
for entry in key_list:
kid = entry["kid"]
pub = entry["public_key"]
f.write(" {\n")
f.write(f' .kid = "{kid}",\n')
f.write(f" .kid_len = {len(kid)},\n")
f.write(" .public_key = {\n")
f.write(" " + ", ".join(f"0x{x:02x}" for x in pub) + "\n")
f.write(" }\n")
f.write(" },\n")
f.write("};\n")
f.write("#define NUM_KNOWN_KEYS (sizeof(known_keys)/sizeof(known_keys[0]))\n\n")
f.write("#endif // PUBLIC_KEYS_PROD_H\n")

if __name__ == "__main__":
main()
Loading