AHAB usage example
This example shows how to create a product that enables AHAB container signing, and then performs example signing operations.
It uses the reference Python client and the web UI to perform the different actions.
The example is divided into the following stages:
- Obtaining an authentication token
- Adding certificate profiles
- Creating the product
- Getting the sensitive items
- Signing an AHAB container
- Verifying the AHAB container
Authentication
To use the reference Python client a valid JWT token is needed. How to obtain one is explained in more detail in the authentication chapter. A token is valid for roughly 1 hour; a new token must be requested when the current one expires.
(venv) $ az login --allow-no-subscriptions --only-show-error
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
[1] N/A(tenant level account) <redacted> <redacted>
The default is marked with an *; the default tenant is '<redacted>' and subscription is 'N/A(tenant level account)' (<redacted>).
Select a subscription and tenant (Type a number or Enter for no changes): 1
Tenant: <redacted>
Subscription: N/A(tenant level account) (<redacted>)
(venv) $ az account get-access-token --resource api://<redacted>
{
"accessToken": "<redacted>",
"expiresOn": "2025-06-04 15:18:10.000000",
"expires_on": 1749039490,
"subscription": "<redacted>",
"tenant": "<redacted>",
"tokenType": "Bearer"
}
(venv) $ export TOKEN=<redacted>
Add profiles
AHAB signing uses an AHAB certificate tree, which in this example consists of four root keys (SRK0 to SRK3) and their related End-Entity (SGK) certificates.
The ECDSA-based example profiles were taken as a base and modified for this example.
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ profile \
add -F rootca.yaml -N "Customer AHAB Root CA" -T ROOT
{
"id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"profile_name": "Customer AHAB Root CA",
"profile_type": 3,
"profile_yaml": "<omitted>"
}
Profile added. Profile ID: fbc77c3e-0980-4835-95a6-289d6d064bdf
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ profile \
add -F endentity.yaml -N "Customer AHAB tree endentity" -T END
{
"id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"profile_name": "Customer AHAB tree endentity",
"profile_type": 1,
"profile_yaml": "<omitted>"
}
Profile added. Profile ID: b58d7902-5fec-4fa5-90b0-7b6c70a23d6f
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ profile getall
{
"count": 2,
"items": [
{
"id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"profile_name": "Customer AHAB Root CA",
"profile_type": 3
},
{
"id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"profile_name": "Customer AHAB tree endentity",
"profile_type": 1
}
],
"next": "/cas/profiles/?page=1",
"pages": 1,
"prev": "/cas/profiles/?page=1"
}
Create product
Here is the product template that was used. The template was updated with the profile IDs obtained from the previous commands: the placeholders $ROOTPROFILEID and $ENDPROFILEID were replaced with the corresponding profile ID.
- ROOTPROFILEID=fbc77c3e-0980-4835-95a6-289d6d064bdf
- ENDPROFILEID=b58d7902-5fec-4fa5-90b0-7b6c70a23d6f
This product has one operation. Its approval rule specifies that members of $WRITERGROUP can make signing requests and members of $APPROVERGROUP can approve them. Auto-approval was not used.
$WRITERGROUP and $APPROVERGROUP were replaced with the corresponding Group Object IDs from Microsoft Entra.
The template was saved as product.json.
More information about rules can be found under approval rules.
The product was created using the Python tool:
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ product add -T product.json
Product:
{
"ca_info": [
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK0",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK0",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": null,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": null,
"use_case": "HABCA"
},
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK1",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK1",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": null,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": null,
"use_case": "HABCA"
},
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK2",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK2",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": null,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": null,
"use_case": "HABCA"
},
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK3",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK2",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": null,
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": null,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": null,
"use_case": "HABCA"
}
],
"description": "TEST Product for i.MX9 based product",
"enabled": true,
"external_request_id": null,
"id": null,
"name": "TEST for i.mx9",
"product_config_items": [
{
"name": "FusemapType",
"value": "IMXAHAB"
},
{
"name": "AHABDigest",
"value": "sha256"
}
],
"product_operations": [
{
"approval_rule": {
"allowed_groups": [
"b716abb1-2e3b-47a9-bca5-a3669faa50a6"
],
"approval_groups": [
"f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
],
"blanket_groups": [],
"description": "Rule used for TEST product",
"name": "Test rule"
},
"ca_use_case": null,
"description": "HABCST signing",
"id": null,
"name": "HAB CST signing",
"operation_type": "SignHAB",
"profile_id": null,
"token": null
}
],
"product_type": "Production",
"rnd_keys": [],
"state": null
}
Is product ok(Y/N): y
{
"ca_info": [],
"description": "TEST Product for i.MX9 based product",
"enabled": null,
"external_request_id": null,
"id": "608fdff6-2a06-4186-8267-94a84e7da88c",
"name": "TEST for i.mx9",
"product_config_items": null,
"product_operations": [],
"product_type": null,
"rnd_keys": [],
"state": 2
}
Product Add request sent. Request ID: 608fdff6-2a06-4186-8267-94a84e7da88c state: ApprovalRequired
Approve product
The product was approved using the GUI.
The state was then checked with the Python tool (state 16 means the product is ready) and the product ID and operation ID were obtained:
- productID = 608fdff6-2a06-4186-8267-94a84e7da88c
- operation ID for SignHAB operation = 42b5da24-d2fc-4776-8aa1-a9cf0acf734b
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ product getall
{
"count": 1,
"items": [
{
"description": "TEST Product for i.MX9 based product",
"id": "608fdff6-2a06-4186-8267-94a84e7da88c",
"name": "TEST for i.mx9",
"state": 16
}
],
"next": "/products/?page=1",
"pages": 1,
"prev": "/products/?page=1"
}
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ product \
get -I 608fdff6-2a06-4186-8267-94a84e7da88c
{
"ca_info": [
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK0",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": "0f1ad448-e09a-488d-b988-a43a47b466e2",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK0",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": "d1059f21-1dc9-4484-b550-b80f1756c423",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": 16,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": 16,
"use_case": "HABCA"
},
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK3",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": "74856068-ee4c-409a-9c30-8d597ca80daf",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK2",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": "abd21e28-fbef-48ae-8ba7-7acacdcf9219",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": 16,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": 16,
"use_case": "HABCA"
},
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK2",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": "7d7cad51-cb2e-411a-a52b-b327fbeb9006",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK2",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": "f119d9db-7b55-4389-8211-f636b5647c7f",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": 16,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": 16,
"use_case": "HABCA"
},
{
"cert_override_payload": null,
"certificate_type": "ROOT",
"cn": "SRK1",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "CA used for i.MX9 AHAB",
"external_request_id": null,
"external_root": null,
"id": "8c3b4d7e-925a-4c81-9fa8-13ae492d89fc",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [
{
"cert_override_payload": null,
"certificate_type": "ENDENTITY",
"cn": "SGK1",
"crl_distribution_points": null,
"crl_expiry": null,
"crl_issue_interval": null,
"csr": null,
"description": "SGK End-Entity certificate for $PRODUCTNAME",
"external_request_id": null,
"external_root": null,
"id": "12afffb4-22a1-4887-a9b4-f04f2788948b",
"issuer_ca_id": null,
"key_override_id": null,
"key_type": "ECDSAP521",
"leafs": [],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "b58d7902-5fec-4fa5-90b0-7b6c70a23d6f",
"state": 16,
"use_case": "HABCA"
}
],
"originating_id": null,
"policy_identifiers": null,
"product_id": null,
"profile_id": "fbc77c3e-0980-4835-95a6-289d6d064bdf",
"state": 16,
"use_case": "HABCA"
}
],
"description": "TEST Product for i.MX9 based product",
"enabled": null,
"external_request_id": "7541ce4b-5f4c-6258-753d-92f9e027562d",
"id": "608fdff6-2a06-4186-8267-94a84e7da88c",
"name": "TEST for i.mx9",
"product_config_items": [
{
"name": "FusemapType",
"value": "IMXAHAB"
},
{
"name": "AHABDigest",
"value": "sha256"
}
],
"product_operations": [
{
"approval_rule": {
"allowed_groups": [
"b716abb1-2e3b-47a9-bca5-a3669faa50a6"
],
"approval_groups": [
"f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
],
"blanket_groups": [
""
],
"description": "Rule used for TEST product",
"name": "Test rule"
},
"ca_use_case": null,
"description": "HABCST signing",
"id": "42b5da24-d2fc-4776-8aa1-a9cf0acf734b",
"name": "HAB CST signing",
"operation_type": "SignHAB",
"profile_id": "00000000-0000-0000-0000-000000000000",
"token": null
}
],
"product_type": "Production",
"rnd_keys": [],
"state": 16
}
Getting the sensitive items
Manufacturing needs some sensitive items from the product. Here a client is registered that can obtain the SRK table and SRK hash.
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ client add -N Manufacturing -D "Get sensitive information" \
-K client.public -U "upn:<redacted>" -T ProductionPC -p 608fdff6-2a06-4186-8267-94a84e7da88c
{
"client_type": "ProductionPC",
"description": "Get Sensitive information",
"id": "d8c97e98-a8f0-4fdc-99a0-ec628b3f3e30",
"id_product": "608fdff6-2a06-4186-8267-94a84e7da88c",
"name": "Manufacturing",
"state": 2
}
Client Add request sent. Request ID: d8c97e98-a8f0-4fdc-99a0-ec628b3f3e30 state: ApprovalRequired
Approve the client from the UI.
Now the product's sensitive items can be fetched.
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ secrets get \
-P 608fdff6-2a06-4186-8267-94a84e7da88c -C client.private -O /tmp/prod.json
SRKHASH written to: /tmp/prod.jsonSRKHASH
SRKTABLE written to: /tmp/prod.jsonSRKTABLE
KEKIV written to: /tmp/prod.jsonKEKIV
Full secret payload written to: /tmp/prod.json
The SRK hash has been stored to /tmp/prod.jsonSRKHASH and the SRK table to /tmp/prod.jsonSRKTABLE. /tmp/prod.json contains all the items in one file, including all the certificates.
More information can be found under client usage.
AHAB container signing
An AHAB container image was signed using the SignHAB operation.
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ imagesigning add SignHAB \
-P 608fdff6-2a06-4186-8267-94a84e7da88c \
--operid 42b5da24-d2fc-4776-8aa1-a9cf0acf734b \
-N TEST -D TEST -F imx9-container.bin
{
"call_back_url": null,
"description": "TEST",
"id": "91b9f3bf-fb75-4294-8826-df3fc13e7332",
"id_product": "608fdff6-2a06-4186-8267-94a84e7da88c",
"id_product_operation": "42b5da24-d2fc-4776-8aa1-a9cf0acf734b",
"name": "TEST",
"payload": {
"id": null,
"metadata": [
{
"name": "first",
"value": "val"
}
],
"modified_sha256": null,
"name": "imx9-container.bin",
"original_sha256": null,
"s3_url": null,
"service_provided_parameters": null
},
"state": 1
}
Request sent. Request ID: 91b9f3bf-fb75-4294-8826-df3fc13e7332, state: Created
The request was created with ID "91b9f3bf-fb75-4294-8826-df3fc13e7332", which is then used when querying and downloading the signed content.
The default signing key can be overridden with optionalParameters->signingKeyIndex in each imagesigning request.
See the ImageSigning POST endpoint in the API specification for further details.
Approve AHAB container signing request
The request was approved from the GUI.
Download AHAB container signed content
After approval the request is processed and can be queried. When the state is 16 the signing is complete and the signed content can be downloaded:
(venv) $ ./signing-tool.py -c -t $TOKEN \
-a https://app.laavat.io/<CustomerName>/api/v1/ imagesigning get \
-I 91b9f3bf-fb75-4294-8826-df3fc13e7332 -O /tmp/test.bin
{
"call_back_url": null,
"description": "TEST",
"id": "91b9f3bf-fb75-4294-8826-df3fc13e7332",
"id_product": "608fdff6-2a06-4186-8267-94a84e7da88c",
"id_product_operation": "42b5da24-d2fc-4776-8aa1-a9cf0acf734b",
"name": "TEST",
"payload": {
"id": "ea03cfcd-4486-433f-822a-682e1d3d6c84",
"metadata": [
{
"name": "first",
"value": "val"
}
],
"modified_sha256": null,
"name": "imx9-container.bin",
"original_sha256": null,
"s3_url": "<redacted>",
"service_provided_parameters": []
},
"state": 16
}
Downloading signed binary to: /tmp/test.bin
File Downloaded
Verifying AHAB container for experimentation and debugging purposes
The signed image can be verified using the NXP ahab_image_verifier tool, available as part of the NXP CST package.
$ ahab_image_verifier /tmp/test.bin
Notice: ahab_image_verifier is intended solely for experimentation and debugging purposes.
It should not be considered as proof or validation of a good ahab container under any circumstances.
For official verification and container integrity checks, users must proceed with the recommended secure boot procedures,
such as using the `ahab_status` command as outlined in the relevant documentation.
File: /tmp/test.bin
Container #0 - offset: 0x0
Header:
Version: 0
Length: 544 bytes
Tag: Container (0x87)
Flags: 0x1
SRK Set: NXP SRK
SRK Selection: SRK 0 is used
SRK Revoke Mask: None
SW Version: 1
Fuse Version: 2
Number of Images: 1
Signature Block Offset: 0x90
Reserved: 0x0
...
...
..
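As an added example (not part of the Laavat tool or NXP's CST), the following Python script reproduces the header fields that ahab_image_verifier prints above and recomputes the SRK hash from the SRK table fetched in the sensitive-items step, so the delivered hash can be cross-checked before it is burned into fuses. It assumes the 16-byte little-endian i.MX8/i.MX9 AHAB container header layout and SRK table header (version 0x42, tag 0xD7), and that the SRKTABLE and SRKHASH deliverables are handled as raw bytes; the sample inputs are constructed.

```python
"""Offline checks on AHAB artefacts (added example): container header fields and SRK hash."""
import hashlib
import hmac
import struct

CONTAINER_TAG = 0x87        # AHAB container header tag
SRK_TABLE_TAG = 0xD7        # AHAB SRK table header tag
SRK_TABLE_VERSION = 0x42
SRK_SETS = {0: "None", 1: "NXP SRK", 2: "OEM SRK"}  # container flags bits [1:0]


def parse_container_header(data: bytes) -> dict:
    """Decode the 16-byte little-endian AHAB container header (assumed layout:
    version|length|tag, flags, sw_version|fuse_version|num_images, sig offset|reserved)."""
    if len(data) < 16:
        raise ValueError("container header is 16 bytes")
    version, length, tag = struct.unpack_from("<BHB", data, 0)
    if tag != CONTAINER_TAG:
        raise ValueError(f"not an AHAB container header (tag 0x{tag:02x})")
    (flags,) = struct.unpack_from("<I", data, 4)
    sw_version, fuse_version, num_images = struct.unpack_from("<HBB", data, 8)
    sig_block_offset, reserved = struct.unpack_from("<HH", data, 12)
    return {
        "version": version, "length": length, "tag": tag, "flags": flags,
        "srk_set": SRK_SETS.get(flags & 0x3, "Unknown"),  # bits [1:0]
        "srk_index": (flags >> 4) & 0x3,                  # bits [5:4]: SRK selection
        "srk_revoke_mask": (flags >> 8) & 0xF,            # bits [11:8]
        "sw_version": sw_version, "fuse_version": fuse_version,
        "num_images": num_images, "sig_block_offset": sig_block_offset,
        "reserved": reserved,
    }


def header_issues(hdr: dict, expected_srk_set: str = "OEM SRK") -> list:
    """Findings a release gate would raise before the image is flashed."""
    issues = []
    if hdr["srk_set"] != expected_srk_set:
        issues.append(f"container signed with {hdr['srk_set']}, expected {expected_srk_set}")
    if hdr["sig_block_offset"] == 0:
        issues.append("no signature block: container is unsigned")
    if hdr["num_images"] == 0:
        issues.append("container carries no images")
    return issues


def compute_srk_hash(srk_table: bytes, digest: str = "sha256") -> bytes:
    """Hash the SRK table with the product's AHABDigest (sha256 on this page)
    after checking its header (version 0x42, tag 0xD7, length field)."""
    version, length, tag = struct.unpack_from("<BHB", srk_table, 0)
    if tag != SRK_TABLE_TAG or version != SRK_TABLE_VERSION or length > len(srk_table):
        raise ValueError("malformed SRK table header")
    return hashlib.new(digest, srk_table[:length]).digest()


def srk_hash_matches(srk_table: bytes, srk_hash: bytes, digest: str = "sha256") -> bool:
    """Constant-time comparison of the recomputed SRK hash with the delivered one."""
    return hmac.compare_digest(compute_srk_hash(srk_table, digest), srk_hash)


# Constructed samples: the header values ahab_image_verifier printed above, and
# an SRK table with a valid header followed by dummy record bytes.
SAMPLE_HEADER = struct.pack("<BHBIHBBHH", 0, 544, CONTAINER_TAG, 0x1, 1, 2, 1, 0x90, 0)
SAMPLE_SRK_TABLE = struct.pack("<BHB", SRK_TABLE_VERSION, 12, SRK_TABLE_TAG) + bytes(8)
```

Run parse_container_header on the first 16 bytes of the downloaded container and srk_hash_matches on the SRKTABLE and SRKHASH files; a mismatch in either means the deliverable must not be fused or flashed.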