DOCSIS® 3.1 introduces a whole new range of possibilities for signing and co-signing images, as explained in a previous blog post. Getting the correct software version on each modem in the field can be an operational challenge. This blog post explains how the Excentis DOCSIS Signing Tool can help by co-signing software images.

Why co-sign images?

There are two main reasons why an operator can choose to co-sign manufacturer signed software images:

  1. Simplify config file management Including the operator's co-signer CVC (DOCSIS 3.0) or CVC chain (3.1) in the config file is sufficient to enable Secure Software Download (SSD) for all vendors/types of modems. If the image is not co-signed, the correct manufacturer CVC of each particular vendor must be included in the config file of that vendor's modems.
  2. Additional control over software images Software updates usually contain bug fixes and/or additional features. While the SSD mechanism is part of the certification process, there is no guarantee that the new software image is also certified. And even if it is, it's always good practice from an operator's point of view to do some own validation steps on a new software load. Co-signing a software image is a means to enforce that this validation has taken place.

Which Co-signer CVCs to include in the config file?

For 3.0 modems, a 3.0 Co-signer CVC needs to be included in the config file (TLV 33) to enable Secure Software download. To additionally support 3.1 modems, there are a number of options, as explained in a previous blog post on Secure Software Download in DOCSIS 3.1.

  • If the operator has a 3.1 Co-signer CVC chain, both 3.0 (TLV 33) and 3.1 chain (TLV 82) can be included in the config file. 3.0 modems will ignore TLV 82 and 3.1 modems will ignore TLV 33.
  • If the operator does not have a 3.1 Co-signer CVC chain, only the 3.0 CVC (TLV 33) can be included. In this case, the operator will have to request all 3.1 vendors to supply a 3.0 style signed software image.

How to co-sign a DOCSIS 3.0 image?

To co-sign a DOCSIS 3.0 image using CodeSigner, the Excentis DOCSIS Signing Tool, you need the following input parameters:

  • A Manufacturer signed DOCSIS 3.0 image
  • A Co-signer CVC
  • The private key corresponding to the Co-signer CVC
  • Optionally: a signing date and time.

Note that keeping the signing date/time the same allows upgrading and downgrading software versions without the need to re-sign.

Output will be the newly co-signed image. Example output (in verbose mode):

$ java -jar CodeSigner.jar --mode 30cosign --image files/manuf_signed_image.img \
       --cocvc files/cocvc.der --cokey files/cosig_privatekey.pk8 \
       --codate 20160426103000 --write files/cosigned_image.img --verbose

COPYRIGHT EXCENTIS 2016

Checking crypto... ok.
Required arguments successfully read.
loading image...
image loaded.
loading co-signer cvc...
Co-signer cvc loaded.
loading co-signer private key...
co-signer private key loaded.
Determine co-signer signing time...
datetime parsed, using signing time: Tue Apr 26 12:30:00 CEST 2016
calculating digest...
digest calculated.
creating co-signer signature...
co-signer signature created.
Signed image succesfully created and written to files/cosigned_image.img
performing sanity check, verify signatures...
Extracted Signed Data content
Found 2 certificate(s).
manufacturer signature verifies
cosigner signature verifies
signatures verify.

How to co-sign a DOCSIS 3.1 image?

Similarly, to co-sign a DOCSIS 3.1 image using CodeSigner, the Excentis DOCSIS Signing Tool, you need the following input parameters:

  • Manufacturer signed DOCSIS 3.1 image
  • A 3.1 Co-signer CVC
  • The private key corresponding to the Co-signer CVC
  • Optionally: a signing date and time
  • Optionally: a Co-signer CVC-CA (if it's different than the one used by the manufacturer)

Example:

$ java -jar CodeSigner.jar --mode 31cosign --image files/manuf_signed_31_image.img \
       --cocvc files/31cocvc.der --cokey files/31cosig_privatekey.pk8 \
       --codate 20160426103000 --write files/cosigned_31_image.img

More information

Visit the Excentis DOCSIS Signing tool page under the Products section of our website.

Comments

Is the Excentis co-signing software able to co-sign RPD (Remote PHY Device) images with structure PKCS#7 ?
Thanks!
Adrian
Hi Adrian,
Yes, the Excentis DOCSIS signing tool is compatible with RPD software images, so you can use the signing tool to sign and co-sign RPD images.

Add new comment