|
1 | 1 | # signy |
2 | 2 |
|
3 | 3 | Signed URLs for small devices. |
| 4 | + |
| 5 | +## Background |
| 6 | + |
| 7 | +`signy` is a library for generating signed URLs on embedded devices using |
| 8 | +asymmetric cryptography. Signed URLs are typically utilized to grant |
| 9 | +time-limited access to private resources, such as those served by a [Content |
| 10 | +Delivery Network (CDN)](https://en.wikipedia.org/wiki/Content_delivery_network). |
| 11 | +In the context of embedded devices, signed URLs may be used to enable an |
| 12 | +external system, or another component in the same system, to access a specific |
| 13 | +resource. For example, a device may generate a signed URL and pass it to a more |
| 14 | +capable system to allow it to download the resource on its behalf. |
| 15 | + |
| 16 | +Use of `signy` requires a server that is capable of verifying the signed URLs it |
| 17 | +generates. If using `signy` with [Golioth](https://golioth.io), the certificates |
| 18 | +associated with the Certificate Authority (CA) that issued the device |
| 19 | +certificate must be [uploaded to your |
| 20 | +project](https://docs.golioth.io/connectivity/credentials/pki#integrating-with-golioth). |
| 21 | + |
| 22 | +## Usage |
| 23 | + |
| 24 | +The `signy` repository is a [Zephyr |
| 25 | +module](https://docs.zephyrproject.org/latest/develop/modules.html) and can be |
| 26 | +included in any Zephyr project by adding the following to the project's |
| 27 | +`west.yml` file. |
| 28 | + |
| 29 | +```yaml |
| 30 | +- name: signy |
| 31 | + path: modules/lib/signy |
| 32 | + revision: main |
| 33 | + url: https://github.com/golioth/signy.git |
| 34 | +``` |
| 35 | +
|
| 36 | +`signy` leverages the [Platform Security Architecture (PSA) Crypto |
| 37 | +API](https://arm-software.github.io/psa-api/crypto/) for signing operations. |
| 38 | +Private keys must be |
| 39 | +[generated](https://arm-software.github.io/psa-api/crypto/1.3/api/keys/management.html#c.psa_generate_key) |
| 40 | +or |
| 41 | +[imported](https://arm-software.github.io/psa-api/crypto/1.3/api/keys/management.html#c.psa_import_key) |
| 42 | +using PSA Crypto APIs, and a signed certificate containing the public key must |
| 43 | +be passed to the `signy` library. |
| 44 | + |
| 45 | +Signed URLs generated by `signy` adhere to the following format. |
| 46 | + |
| 47 | +``` |
| 48 | +BASEURL?nb=NOTBEFORE&na=NOTAFTER&cert=CERTIFICATE&sig=SIGNATURE |
| 49 | +``` |
| 50 | +
|
| 51 | +- `BASEURL`: the location of the resource (e.g. |
| 52 | + `https://gw.golioth.io/.u/c/[email protected]`) |
| 53 | +- `NOTBEFORE` / `NOTAFTER`: the unix timestamps defining the window in which the |
| 54 | + signed URL is valid. `signy` uses the device system time for `NOTBEFORE` and |
| 55 | + sets the `NOTAFTER` timestamp based on `CONFIG_SIGNY_URL_VALIDITY_DURATION`. |
| 56 | +- `CERTIFICATE`: the base64 unpadded URL encoding of the device certificate. |
| 57 | +- `SIGNATURE`: the signature over the entire portion of the URL preceding |
| 58 | + `&sig=`. |
| 59 | +
|
| 60 | +For more information on how to use `signy`, see the [examples](./examples) |
| 61 | +directory. |
0 commit comments