Signy: Signed URLs for Small Devices

Original link: https://github.com/golioth/signy

## signy: Signed URLs for Embedded Devices

**signy** is a library that lets embedded devices generate signed URLs for secure, time-limited access to resources, typically ones served through a CDN or an external system. Even a device with limited capability can reach a resource by delegating the download to a more capable system. signy uses asymmetric cryptography through the PSA Crypto API and needs a pre-generated or imported private key together with a signed certificate containing the public key. The generated URL follows a fixed format comprising the base URL, validity timestamps, the device certificate and the signature. Using signy requires a verifying server (for example a Golioth project with the CA certificate uploaded). It integrates into a project as a Zephyr module (via `west.yml`) or an ESP-IDF component (via `idf_component.yml`), and examples exist for both platforms. The URL validity duration is configurable.

Hacker News submission: Signy: Signed URLs for small devices (github.com/golioth), 5 points, submitted by hasheddan 1 hour ago.

Original text

Signed URLs for small devices.

signy is a library for generating signed URLs on embedded devices using asymmetric cryptography. Signed URLs are typically utilized to grant time-limited access to private resources, such as those served by a Content Delivery Network (CDN). In the context of embedded devices, signed URLs may be used to enable an external system, or another component in the same system, to access a specific resource. For example, a device may generate a signed URL and pass it to a more capable system to allow it to download the resource on its behalf.

Use of signy requires a server that is capable of verifying the signed URLs it generates. If using signy with Golioth, the certificates associated with the Certificate Authority (CA) that issued the device certificate must be uploaded to your project.

signy leverages the Platform Security Architecture (PSA) Crypto API for signing operations. Private keys must be generated or imported using PSA Crypto APIs, and a signed certificate containing the public key must be passed to the signy library.

Signed URLs generated by signy adhere to the following format.

BASEURL?nb=NOTBEFORE&na=NOTAFTER&cert=CERTIFICATE&sig=SIGNATURE
  • BASEURL: the location of the resource (e.g. https://gw.golioth.io/.u/c/[email protected])
  • NOTBEFORE / NOTAFTER: the unix timestamps defining the window in which the signed URL is valid. signy uses the device system time for NOTBEFORE and sets the NOTAFTER timestamp based on CONFIG_SIGNY_URL_VALIDITY_DURATION.
  • CERTIFICATE: the base64 unpadded URL encoding of the device certificate.
  • SIGNATURE: the signature over the entire portion of the URL preceding &sig=.
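The format above, worked through end to end as an added example that is not signy's code or Golioth's server code: the device side builds the URL and signs everything preceding `&sig=`; the server side parses it, checks the nb/na window, chains the embedded device certificate to the uploaded CA, and only then uses the certificate's key to check the signature. The following are assumptions, not statements from the README: ECDSA P-256 over SHA-256 of the signed portion, DER-encoded signature, unpadded base64url for the signature value, a constructed base URL, and a throwaway CA plus device certificate generated in-process to stand in for a PSA-provisioned key and the CA certificate uploaded to a Golioth project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Assumed here, not stated by the README: ECDSA P-256 over SHA-256 of the signed
// portion, DER signature encoding, and unpadded base64url for the signature (the
// README specifies that encoding only for the certificate).
const validity = 5 * time.Minute // stands in for CONFIG_SIGNY_URL_VALIDITY_DURATION

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI stands in for provisioning: a CA (its cert is what you upload to the
// verifying server) and a device key plus CA-signed device cert. On hardware the
// device key would sit in a PSA key slot instead of a Go variable.
func newPKI(now time.Time) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	devCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, devTmpl, caCert, &devKey.PublicKey, caKey))))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, devCert, devKey
}

// signURL is the device side: BASEURL?nb=NOTBEFORE&na=NOTAFTER&cert=CERTIFICATE&sig=SIGNATURE.
func signURL(base string, now time.Time, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	unsigned := fmt.Sprintf("%s?nb=%d&na=%d&cert=%s", base, now.Unix(), now.Add(validity).Unix(),
		base64.RawURLEncoding.EncodeToString(cert.Raw))
	digest := sha256.Sum256([]byte(unsigned)) // the signature covers everything preceding "&sig="
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return unsigned + "&sig=" + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyURL is the server side. Check the window, chain the embedded device
// certificate to the uploaded CA, and only then trust its key for the signature.
func verifyURL(signed string, now time.Time, roots *x509.CertPool) (*x509.Certificate, error) {
	i := strings.LastIndex(signed, "&sig=")
	if i < 0 {
		return nil, fmt.Errorf("missing sig parameter")
	}
	unsigned, sigB64 := signed[:i], signed[i+len("&sig="):]
	u, err := url.Parse(unsigned)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	nb, errNB := strconv.ParseInt(q.Get("nb"), 10, 64)
	na, errNA := strconv.ParseInt(q.Get("na"), 10, 64)
	if t := now.Unix(); errNB != nil || errNA != nil || t < nb || t > na {
		return nil, fmt.Errorf("URL not valid at %d (nb=%q na=%q)", t, q.Get("nb"), q.Get("na"))
	}
	certDER, errCert := base64.RawURLEncoding.DecodeString(q.Get("cert"))
	sig, errSig := base64.RawURLEncoding.DecodeString(sigB64)
	if errCert != nil || errSig != nil {
		return nil, fmt.Errorf("cert or sig is not unpadded base64url")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("device cert does not chain to a trusted CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256([]byte(unsigned))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, fmt.Errorf("signature does not verify under the device certificate's key")
	}
	return cert, nil
}
```

Two points from the server side are worth keeping in mind. The key that checks the signature comes from the certificate embedded in the URL itself, so a verifier that skipped the chain check against the uploaded CA would accept URLs minted by anyone with a self-issued certificate; the chain check is what ties the URL to a device you provisioned. And since NOTBEFORE is taken from the device's system clock, a device whose clock runs ahead of the server's will produce URLs rejected as not yet valid, so keep device time synchronised (or, as a design choice not described by the README, let the verifier tolerate a few seconds of skew).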

The signy repository is a Zephyr module and can be included in any Zephyr project by adding the following to the project's west.yml file.

- name: signy
  path: modules/lib/signy
  revision: v0.2.0
  url: https://github.com/golioth/signy.git

See the Zephyr examples for more information.

The signy repository is an ESP-IDF component and can be included in any ESP-IDF project by specifying it as a dependency in the project's idf_component.yml.

dependencies:
  signy:
    version: v0.2.0
    git: https://github.com/golioth/signy.git

See the esp-idf examples for more information.
