Added ECC Nist256 support in crypto HSM layer

project-chip · Apr 22, 2021 · 2407330 · 2407330
1 parent 0719dad
commit 2407330
Show file tree

Hide file tree

Showing 6 changed files with 420 additions and 23 deletions.
diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
@@ -87,6 +87,7 @@ static_library("crypto") {
 
   if (chip_with_se05x == 1) {
     sources += [ "hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp" ]
+    sources += [ "hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp" ]
     sources += [ "hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp" ]
     public_deps += [ "${chip_root}/third_party/simw-top-mini:se05x" ]
     public_configs += [ "${chip_root}/third_party/simw-top-mini:se05x_config" ]

diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h
@@ -243,17 +243,17 @@ class P256Keypair : public ECPKeypair<P256PublicKey, P256ECDHDerivedSecret, P256
     /** @brief Initialize the keypair.
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR Initialize();
+    virtual CHIP_ERROR Initialize();
 
     /** @brief Serialize the keypair.
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR Serialize(P256SerializedKeypair & output);
+    virtual CHIP_ERROR Serialize(P256SerializedKeypair & output);
 
     /** @brief Deserialize the keypair.
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR Deserialize(P256SerializedKeypair & input);
+    virtual CHIP_ERROR Deserialize(P256SerializedKeypair & input);
 
     /** @brief Generate a new Certificate Signing Request (CSR).
      * @param csr Newly generated CSR
@@ -271,7 +271,7 @@ class P256Keypair : public ECPKeypair<P256PublicKey, P256ECDHDerivedSecret, P256
      *represented as ASN.1 DER integers, plus the ASN.1 sequence Header
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) override;
+    virtual CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) override;
 
     /**
      * @brief A function to sign a hash using ECDSA
@@ -281,7 +281,7 @@ class P256Keypair : public ECPKeypair<P256PublicKey, P256ECDHDerivedSecret, P256
      *represented as ASN.1 DER integers, plus the ASN.1 sequence Header
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) override;
+    virtual CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) override;
 
     /** @brief A function to derive a shared secret using ECDH
      * @param remote_public_key Public key of remote peer with which we are trying to establish secure channel. remote_public_key is
@@ -290,7 +290,7 @@ class P256Keypair : public ECPKeypair<P256PublicKey, P256ECDHDerivedSecret, P256
      * @param out_secret Buffer to write out secret into. This is a byte array representing the x coordinate of the shared secret.
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const override;
+    virtual CHIP_ERROR ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const override;
 
     /** @brief Return public key for the keypair.
      **/

diff --git a/src/crypto/hsm/CHIPCryptoPALHsm.h b/src/crypto/hsm/CHIPCryptoPALHsm.h
@@ -30,7 +30,6 @@
 #endif
 
 #if ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER))
-
 typedef struct hsm_pake_context_s
 {
     uint8_t spake_context[32];
@@ -39,41 +38,85 @@ typedef struct hsm_pake_context_s
     SE05x_CryptoObjectID_t spake_objId;
 #endif
 } hsm_pake_context_t;
+#endif //#if ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER))
 
 namespace chip {
 namespace Crypto {
 
+
+#if ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER))
+/* Spake HSM class */
+
 class Spake2pHSM_P256_SHA256_HKDF_HMAC : public Spake2p_P256_SHA256_HKDF_HMAC
 {
 public:
     Spake2pHSM_P256_SHA256_HKDF_HMAC() {}
 
     ~Spake2pHSM_P256_SHA256_HKDF_HMAC() {}
 
-    CHIP_ERROR Init(const uint8_t * context, size_t context_len);
+    CHIP_ERROR Init(const uint8_t * context, size_t context_len) override;
 
 #if ENABLE_HSM_SPAKE_VERIFIER
     CHIP_ERROR BeginVerifier(const uint8_t * my_identity, size_t my_identity_len, const uint8_t * peer_identity,
-                             size_t peer_identity_len, const uint8_t * w0in, size_t w0in_len, const uint8_t * Lin, size_t Lin_len);
+                             size_t peer_identity_len, const uint8_t * w0in, size_t w0in_len, const uint8_t * Lin, size_t Lin_len) override;
 #endif
 
 #if ENABLE_HSM_SPAKE_PROVER
     CHIP_ERROR BeginProver(const uint8_t * my_identity, size_t my_identity_len, const uint8_t * peer_identity,
-                           size_t peer_identity_len, const uint8_t * w0in, size_t w0in_len, const uint8_t * w1in, size_t w1in_len);
+                           size_t peer_identity_len, const uint8_t * w0in, size_t w0in_len, const uint8_t * w1in, size_t w1in_len) override;
 #endif
 
-    CHIP_ERROR ComputeRoundOne(const uint8_t * pab, size_t pab_len, uint8_t * out, size_t * out_len);
+    CHIP_ERROR ComputeRoundOne(const uint8_t * pab, size_t pab_len, uint8_t * out, size_t * out_len) override;
 
-    CHIP_ERROR ComputeRoundTwo(const uint8_t * in, size_t in_len, uint8_t * out, size_t * out_len);
+    CHIP_ERROR ComputeRoundTwo(const uint8_t * in, size_t in_len, uint8_t * out, size_t * out_len) override;
 
-    CHIP_ERROR KeyConfirm(const uint8_t * in, size_t in_len);
+    CHIP_ERROR KeyConfirm(const uint8_t * in, size_t in_len) override;
 
     hsm_pake_context_t hsm_pake_context;
 };
 
+#endif //#if ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER))
+
+
+#if ENABLE_HSM_GENERATE_EC_KEY
+/* Nist256 Key pair HSM class */
+
+class P256KeypairHSM : public P256Keypair
+{
+public:
+    P256KeypairHSM()
+    {
+        provisioned_key = false;
+        keyid = 0;
+    }
+
+    ~P256KeypairHSM();
+
+    virtual CHIP_ERROR Initialize() override;
+
+    virtual CHIP_ERROR Serialize(P256SerializedKeypair & output) override;
+
+    virtual CHIP_ERROR Deserialize(P256SerializedKeypair & input) override;
+
+    virtual CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) override;
+
+    virtual CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) override;
+
+    virtual CHIP_ERROR ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const override;
+
+    bool provisioned_key;
+
+    void SetKeyId(int id) { keyid = id; }
+
+    int GetKeyId( void ) { return keyid; }
+
+private:
+
+    int keyid;
+};
+#endif //#if ENABLE_HSM_GENERATE_EC_KEY
+
 } // namespace Crypto
 } // namespace chip
 
-#endif //#if ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER))
-
 #endif //#ifndef _CHIP_CRYPTO_PAL_HSM_H_
diff --git a/src/crypto/hsm/CHIPCryptoPALHsm_config.h b/src/crypto/hsm/CHIPCryptoPALHsm_config.h
@@ -33,8 +33,18 @@
  */
 #define ENABLE_HSM_SPAKE_PROVER 1
 
+/*
+ * Enable HSM for Generate EC Key
+ */
+#define ENABLE_HSM_GENERATE_EC_KEY 0
+
+
 #if ((CHIP_CRYPTO_HSM) && ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER)))
 #define ENABLE_HSM_SPAKE
 #endif
 
+#if ((CHIP_CRYPTO_HSM) && (ENABLE_HSM_GENERATE_EC_KEY))
+#define ENABLE_HSM_EC_KEY
+#endif
+
 #endif //#ifndef _CHIP_CRYPTO_PAL_HSM_CONFIG_H_