suit: Add support for Ed25519PH

ahasztag · ahasztag · commit d024cc86332c · 2025-02-05T13:29:07.000+01:00
Ref: NCSDK-31353

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/ncs/Kconfig b/ncs/Kconfig
@@ -176,6 +176,10 @@ config SUIT_ENVELOPE_TARGET_SIGN_ALG_ECDSA_384
 config SUIT_ENVELOPE_TARGET_SIGN_ALG_ECDSA_521
 	bool "Use the ECDSA algorithm with key length of 521 bits"
 
+config SUIT_ENVELOPE_TARGET_SIGN_ALG_HASH_EDDSA
+	bool "Use the HashEdDSA algorithm (specifically: ed25519ph)"
+	select EXPERIMENTAL
+
 endchoice
 
 config SUIT_ENVELOPE_TARGET_SIGN_ALG_NAME
@@ -184,5 +188,6 @@ config SUIT_ENVELOPE_TARGET_SIGN_ALG_NAME
 	default "es-256" if SUIT_ENVELOPE_TARGET_SIGN_ALG_ECDSA_256
 	default "es-384" if SUIT_ENVELOPE_TARGET_SIGN_ALG_ECDSA_384
 	default "es-521" if SUIT_ENVELOPE_TARGET_SIGN_ALG_ECDSA_521
+	default "hash-eddsa" if SUIT_ENVELOPE_TARGET_SIGN_ALG_HASH_EDDSA
 
 endif # SUIT_ENVELOPE_TARGET_SIGN
diff --git a/ncs/basic_kms.py b/ncs/basic_kms.py
@@ -17,6 +17,11 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
+
+# eddsa25519ph is not supported by cryptography, so we need to use pycryptodome
+from Crypto.PublicKey import ECC
+from Crypto.Signature import eddsa
+from Crypto.Hash import SHA512
 import math
 
 from suit_generator.suit_kms_base import SuitKMSBase
@@ -87,7 +92,7 @@ def _verify_signing_key_type(self, private_key, algorithm: str) -> bool:
         if isinstance(private_key, EllipticCurvePrivateKey):
             return f"es-{private_key.key_size}" == algorithm
         elif isinstance(private_key, Ed25519PrivateKey) or isinstance(private_key, Ed448PrivateKey):
-            return "eddsa" == algorithm
+            return "eddsa" == algorithm or "hash-eddsa" == algorithm
         else:
             raise ValueError(f"Key {type(private_key)} not supported")
 
@@ -104,11 +109,19 @@ def _create_cose_ed_signature(self, input_data, private_key) -> bytes:
         """Create ECDSA signature and return signature bytes."""
         return private_key.sign(input_data)
 
-    def _get_sign_method(self, private_key) -> bool:
+    def _create_cose_ed_prehashed_signature(self, input_data, private_key) -> bytes:
+        prehashed_message = SHA512.new(input_data)
+        key = ECC.import_key(private_key)
+        signer = eddsa.new(key, "rfc8032")
+        return signer.sign(prehashed_message)
+
+    def _get_sign_method(self, private_key, algorithm) -> bool:
         """Return sign method based on key type."""
         if isinstance(private_key, EllipticCurvePrivateKey):
             return self._create_cose_es_signature
         elif isinstance(private_key, Ed25519PrivateKey) or isinstance(private_key, Ed448PrivateKey):
+            if algorithm == "hash-eddsa":
+                return self._create_cose_ed_prehashed_signature
             return self._create_cose_ed_signature
         else:
             raise ValueError(f"Key {type(private_key)} not supported")
@@ -146,7 +159,13 @@ def sign(self, data: bytes, key_name: str, algorithm: str, context: str) -> byte
         if not self._verify_signing_key_type(private_key, algorithm):
             raise ValueError(f"Key {key_file_name} is not compatible with algorithm {algorithm}")
 
-        sign_method = self._get_sign_method(private_key)
+        sign_method = self._get_sign_method(private_key, algorithm)
+
+        if algorithm == "hash-eddsa":
+            # In the special case of hash-eddsa, we need to use pycryptodome, which needs the raw key
+            # data to import the key
+            private_key = open(private_key_path).read()
+
         signature = sign_method(data, private_key)
 
         return signature
diff --git a/ncs/sign_script.py b/ncs/sign_script.py
@@ -36,6 +36,7 @@ class SuitCoseSignAlgorithms(Enum):
     COSE_ALG_ES_384 = -35
     COSE_ALG_ES_521 = -36
     COSE_ALG_EdDSA = -8
+    COSE_ALG_VS_HashedEdDSA = -65537
 
 
 class SuitIds(Enum):
@@ -157,7 +158,7 @@ def sign_envelope(
         self.already_signed_action(already_signed_action)
 
         if self._skip_signing:
-            return
+            return self.envelope
         protected = {
             SuitIds.COSE_ALG.value: SuitCoseSignAlgorithms["COSE_ALG_" + self._algorithm.name].value,
             SuitIds.COSE_KEY_ID.value: cbor2.dumps(self._key_id),
diff --git a/suit_generator/cmd_image.py b/suit_generator/cmd_image.py
@@ -300,7 +300,7 @@ def as_intelhex(self, storage_domain: ManifestDomain = None):
                     raise GeneratorError(
                         f"Unable to fit envelope with role {role} inside the envelope slot (max: {max_size} bytes)"
                     )
-                envelope_bytes = self._envelopes[role].ljust(max_size, b"\xFF")
+                envelope_bytes = self._envelopes[role].ljust(max_size, b"\xff")
                 envelope_count += 1
             else:
                 continue
diff --git a/suit_generator/cmd_mpi.py b/suit_generator/cmd_mpi.py
@@ -143,13 +143,13 @@ def generate(
             + downgrade_prevention_enabled_bytes
             + independent_updates_bytes
             + signature_verification_bytes
-            + b"\xFF" * 12  # Reserved for future use
+            + b"\xff" * 12  # Reserved for future use
             + vid.bytes
             + cid.bytes
         )
 
         mpi_hex = IntelHex()
-        mpi_hex.frombytes(mpi.ljust(size, b"\xFF"), address)
+        mpi_hex.frombytes(mpi.ljust(size, b"\xff"), address)
         mpi_hex.write_hex_file(output_file)
 
     @staticmethod
diff --git a/suit_generator/cmd_sign.py b/suit_generator/cmd_sign.py
@@ -87,7 +87,7 @@ def __init__(
         self.key_id = int(envelope_json["key-id"], 0)
 
         if "sign-script" in envelope_json:
-            self.sign_script = envelope_json["sign_script"]
+            self.sign_script = envelope_json["sign-script"]
         elif self.sign_script is None:
             if os.environ.get("NCS_SUIT_SIGN_SCRIPT"):
                 self.sign_script = os.environ.get("NCS_SUIT_SIGN_SCRIPT")
@@ -102,7 +102,7 @@ def __init__(
         self.signer = _import_signer(self.sign_script)
 
         if "kms-script" in envelope_json:
-            self.kms_script = envelope_json["kms_script"]
+            self.kms_script = envelope_json["kms-script"]
         elif self.kms_script is None:
             if os.environ.get("NCS_SUIT_KMS_SCRIPT"):
                 self.kms_script = os.environ.get("NCS_SUIT_KMS_SCRIPT")
diff --git a/suit_generator/suit/security.py b/suit_generator/suit/security.py
@@ -47,6 +47,7 @@
     cose_alg_es_384,
     cose_alg_es_521,
     cose_alg_eddsa,
+    cose_alg_vs_hash_eddsa,
     cose_alg_aes_gcm_128,
     cose_alg_aes_gcm_192,
     cose_alg_aes_gcm_256,
@@ -183,6 +184,7 @@ class SuitcoseAlg(SuitEnum):
             cose_alg_es_384,
             cose_alg_es_521,
             cose_alg_eddsa,
+            cose_alg_vs_hash_eddsa,
             cose_alg_aes_gcm_128,
             cose_alg_aes_gcm_192,
             cose_alg_aes_gcm_256,
diff --git a/suit_generator/suit/types/keys.py b/suit_generator/suit/types/keys.py
@@ -694,6 +694,13 @@ class cose_alg_eddsa(suit_key):
     name = "cose-alg-eddsa"
 
 
+class cose_alg_vs_hash_eddsa(suit_key):
+    """Cose algorithm metadata."""
+
+    id = -65537
+    name = "cose-alg-vs-hash-eddsa"
+
+
 class cose_alg_aes_gcm_128(suit_key):
     """Cose algorithm metadata."""
 
diff --git a/suit_generator/suit_sign_script_base.py b/suit_generator/suit_sign_script_base.py
@@ -19,6 +19,7 @@ class SuitSignAlgorithms(Enum):
     ES_384 = "es-384"
     ES_521 = "es-521"
     EdDSA = "eddsa"
+    VS_HashedEdDSA = "hash-eddsa"
 
     def __str__(self):
         return self.value
diff --git a/tests/test_cmd_image.py b/tests/test_cmd_image.py
@@ -21,8 +21,8 @@
 
 MAX_CACHE_COUNT = 16
 
-addresses = {0x00000000: b"\x00\x00\x00\x00", 0xDEADBEEF: b"\xEF\xBE\xAD\xDE", 0xFFFFFFFF: b"\xFF\xFF\xFF\xFF"}
-sizes = {0x00000000: b"\x00\x00\x00\x00", 0x01020304: b"\x04\x03\x02\x01", 0xFFFFFFFF: b"\xFF\xFF\xFF\xFF"}
+addresses = {0x00000000: b"\x00\x00\x00\x00", 0xDEADBEEF: b"\xef\xbe\xad\xde", 0xFFFFFFFF: b"\xff\xff\xff\xff"}
+sizes = {0x00000000: b"\x00\x00\x00\x00", 0x01020304: b"\x04\x03\x02\x01", 0xFFFFFFFF: b"\xff\xff\xff\xff"}
 
 signed_envelope_without_class_id_input = (
     b"\xd8k\xa4\x02X'\x81X$\x82/X 7d\x90\xc1\xa5\x84\xc1\xed\xeeO\x0f\xd6\xad\xc5t\xb0\x1dr\xb5r"
@@ -346,7 +346,7 @@ def test_update_candidate_info_verify_class_id_offset():
 @pytest.mark.parametrize("address", addresses)
 @pytest.mark.parametrize("size", sizes)
 def test_update_candidate_info_for_update(address, size, nb_of_caches):
-    magic_bytes = b"\xAA\x55\xAA\x55"
+    magic_bytes = b"\xaa\x55\xaa\x55"
     nregions_bytes = b"\x01\x00\x00\x00"
     address_bytes = addresses[address]
     size_bytes = sizes[size]
diff --git a/tests/test_ncs_sign_script.py b/tests/test_ncs_sign_script.py
@@ -165,7 +165,7 @@ def test_ncs_cose(setup_and_teardown):
 def test_ncs_auth_block(setup_and_teardown):
     """Test if is possible to create authentication block using ncs sign_script.py."""
     signer = suit_signer_factory()
-    auth_block = signer.create_authentication_block({}, {}, b"\xDE\xAD\xBE\xEF")
+    auth_block = signer.create_authentication_block({}, {}, b"\xde\xad\xbe\xef")
     assert isinstance(auth_block, cbor2.CBORTag)
 
 

Original file line number	Diff line number	Diff line change
`@@ -300,7 +300,7 @@ def as_intelhex(self, storage_domain: ManifestDomain = None):`
`300`	`300`	`raise GeneratorError(`
`301`	`301`	`f"Unable to fit envelope with role {role} inside the envelope slot (max: {max_size} bytes)"`
`302`	`302`	`)`
`303`		`- envelope_bytes = self._envelopes[role].ljust(max_size, b"\xFF")`
	`303`	`+ envelope_bytes = self._envelopes[role].ljust(max_size, b"\xff")`
`304`	`304`	`envelope_count += 1`
`305`	`305`	`else:`
`306`	`306`	`continue`