Signed URLs for small devices.
signy is a library for generating signed URLs on embedded devices using
asymmetric cryptography. Signed URLs are typically utilized to grant
time-limited access to private resources, such as those served by a Content
Delivery Network (CDN).
In the context of embedded devices, signed URLs may be used to enable an
external system, or another component in the same system, to access a specific
resource. For example, a device may generate a signed URL and pass it to a more
capable system to allow it to download the resource on its behalf.
Use of signy requires a server that is capable of verifying the signed URLs it
generates. If using signy with Golioth, the certificates
associated with the Certificate Authority (CA) that issued the device
certificate must be uploaded to your
project.
The signy repository is a Zephyr
module and can be
included in any Zephyr project by adding the following to the project's
west.yml file.
- name: signy
path: modules/lib/signy
revision: main
url: https://github.com/golioth/signy.gitsigny leverages the Platform Security Architecture (PSA) Crypto
API for signing operations.
Private keys must be
generated
or
imported
using PSA Crypto APIs, and a signed certificate containing the public key must
be passed to the signy library.
Signed URLs generated by signy adhere to the following format.
BASEURL?nb=NOTBEFORE&na=NOTAFTER&cert=CERTIFICATE&sig=SIGNATURE
BASEURL: the location of the resource (e.g.https://gw.golioth.io/.u/c/[email protected])NOTBEFORE/NOTAFTER: the unix timestamps defining the window in which the signed URL is valid.signyuses the device system time forNOTBEFOREand sets theNOTAFTERtimestamp based onCONFIG_SIGNY_URL_VALIDITY_DURATION.CERTIFICATE: the base64 unpadded URL encoding of the device certificate.SIGNATURE: the signature over the entire portion of the URL preceding&sig=.
For more information on how to use signy, see the examples
directory.