code cleanup

project-chip · Aug 5, 2022 · 2417320 · 2417320
1 parent 82ea15a
commit 2417320
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 34 deletions.
diff --git a/src/crypto/hsm/CHIPCryptoPALHsm.h b/src/crypto/hsm/CHIPCryptoPALHsm.h
@@ -145,8 +145,6 @@ class P256KeypairHSM : public P256Keypair
 
     uint32_t GetKeyId(void) { return keyid; }
 
-    CHIP_ERROR CreateOperationalKey(FabricIndex fabricIdx);
-
 private:
     uint32_t keyid;
     P256PublicKeyHSM mPublicKeyHSM;

diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp
@@ -693,19 +693,6 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t &
     return error;
 }
 
-CHIP_ERROR P256KeypairHSM::CreateOperationalKey(FabricIndex fabricIdx)
-{
-    (void) fabricIdx;
-    // TBD - Map fabric index to operational keys
-    SetKeyId(kKeyId_operational_key_keyid);
-    if (Initialize() == CHIP_NO_ERROR)
-    {
-        provisioned_key = true;
-        return CHIP_NO_ERROR;
-    }
-    return CHIP_ERROR_INTERNAL;
-}
-
 } // namespace Crypto
 } // namespace chip
 

diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp
@@ -71,7 +71,7 @@ CHIP_ERROR create_init_crypto_obj(chip::Crypto::CHIP_SPAKE2P_ROLE role, hsm_pake
     uint8_t create_crypto_obj = 1;
 #endif
 
-    ChipLogProgress(Crypto, "Using Object Id --> %d \n", spakeObjectId);
+    ChipLogProgress(Crypto, "SE05x: Using Object Id --> %d", spakeObjectId);
 
     if (spakeObjectId != 0)
     {
@@ -124,7 +124,7 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c
 {
     SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId;
 
-    ChipLogProgress(Crypto, "Using HSM for spake2p ComputeRoundOne \n");
+    ChipLogProgress(Crypto, "SE05x: Using HSM for spake2p ComputeRoundOne");
 
     VerifyOrReturnError(out != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(out_len != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
@@ -156,7 +156,7 @@ CHIP_ERROR Spake2p_ComputeRoundTwo_HSM(hsm_pake_context_t * phsm_pake_context, c
     VerifyOrReturnError(pKeyKe != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(pkeyKeLen != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
 
-    ChipLogProgress(Crypto, "Using HSM for spake2p ComputeRoundTwo \n");
+    ChipLogProgress(Crypto, "SE05x: Using HSM for spake2p ComputeRoundTwo");
 
     const uint8_t * const pab = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? NULL : in;
     const size_t pab_len      = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? 0 : in_len;
@@ -178,7 +178,7 @@ CHIP_ERROR Spake2p_KeyConfirm_HSM(hsm_pake_context_t * phsm_pake_context, chip::
     VerifyOrReturnError(in != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(gex_sss_chip_ctx.ks.session != NULL, CHIP_ERROR_INTERNAL);
 
-    ChipLogProgress(Crypto, "Using HSM for spake2p KeyConfirm \n");
+    ChipLogProgress(Crypto, "SE05x: Using HSM for spake2p KeyConfirm");
 
     uint8_t presult                            = 0;
     const SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId;
@@ -251,7 +251,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginVerifier(const uint8_t * my_id
         VerifyOrReturnError(peer_identity != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     }
 
-    ChipLogProgress(Crypto, "HSM - BeginVerifier \n");
+    ChipLogProgress(Crypto, "SE05x: HSM - BeginVerifier");
 
     ReturnErrorOnFailure(FELoad(w0in, w0in_len, w0));
     ReturnErrorOnFailure(FEWrite(w0, w0in_mod, w0in_mod_len));
@@ -309,7 +309,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginProver(const uint8_t * my_iden
 
     VerifyOrReturnError(state == CHIP_SPAKE2P_STATE::INIT, CHIP_ERROR_INTERNAL);
 
-    ChipLogProgress(Crypto, "HSM - BeginProver \n");
+    ChipLogProgress(Crypto, "SE05x: HSM - BeginProver");
 
     ReturnErrorOnFailure(FELoad(w0in, w0in_len, w0));
     ReturnErrorOnFailure(FEWrite(w0, w0in_mod, w0in_mod_len));

diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h
@@ -42,12 +42,11 @@ extern ex_sss_boot_ctx_t gex_sss_chip_ctx;
 enum keyid_values
 {
     kKeyId_NotInitialized           = 0,
-    kKeyId_pbkdf2_sha256_hmac_keyid = 0xBCBCBCBC,
+    kKeyId_pbkdf2_sha256_hmac_keyid = 0x7D000000,
     kKeyId_hkdf_sha256_hmac_keyid,
     kKeyId_hmac_sha256_keyid,
     kKeyId_sha256_ecc_pub_keyid,
     kKeyId_case_ephemeral_keyid,
-    kKeyId_operational_key_keyid,
 };
 
 // Enable the below macro to make spake HSM imlementation reentrant.

diff --git a/src/crypto/hsm/nxp/PersistentStorageOperationalKeystoreHSM_SE05X.cpp b/src/crypto/hsm/nxp/PersistentStorageOperationalKeystoreHSM_SE05X.cpp
@@ -52,7 +52,7 @@ constexpr size_t OpKeyTLVMaxSize()
 } // namespace
 
 #define MAX_KEYID_SLOTS_FOR_FABRICS 32
-#define FABRIC_SE05X_KEYID_START 0x56780000
+#define FABRIC_SE05X_KEYID_START 0x7D100000
 
 struct keyidFabIdMapping_t {
     uint32_t keyId;
@@ -66,7 +66,7 @@ uint8_t getEmpytSlotId()
 {
     uint8_t i = 0;
     while(i++ < MAX_KEYID_SLOTS_FOR_FABRICS){
-        if (keyidFabIdMapping[i].keyId == 0){
+        if (keyidFabIdMapping[i].keyId == 0 && keyidFabIdMapping[i].isPending == 0){
             break;
         }
     }
@@ -76,21 +76,23 @@ uint8_t getEmpytSlotId()
 bool PersistentStorageOperationalKeystoreHSM::HasOpKeypairForFabric(FabricIndex fabricIndex) const
 {
     uint8_t i = 0; 
-    ChipLogProgress(Crypto,"Se05x: HasOpKeypairForFabric");
     VerifyOrReturnError(IsValidFabricIndex(fabricIndex), false);
 
     // If there was a pending keypair, then there's really a usable key
     if (mIsPendingKeypairActive && (fabricIndex == mPendingFabricIndex) && (mPendingKeypair != nullptr))
     {
+        ChipLogProgress(Crypto,"SE05x: HasOpKeypairForFabric ==> mPendingKeypair found");
         return true;
     }
 
     while(i++ < MAX_KEYID_SLOTS_FOR_FABRICS){
         if (keyidFabIdMapping[i].fabricIndex == fabricIndex){
+            ChipLogProgress(Crypto,"SE05x: HasOpKeypairForFabric ==> stored keyPair found");
             return true;
         }
     }
 
+    ChipLogProgress(Crypto,"SE05x: HasOpKeypairForFabric ==> No key found");
     return false;
 }
 
@@ -103,7 +105,7 @@ CHIP_ERROR PersistentStorageOperationalKeystoreHSM::NewOpKeypairForFabric(Fabric
     VerifyOrReturnError(slotId != 0, CHIP_ERROR_NO_MEMORY);
     VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
 
-    ChipLogProgress(Crypto,"Se05x: New OPS key for Fabric %02x",fabricIndex);
+    ChipLogProgress(Crypto,"SE05x: New OPS key for Fabric %02x",fabricIndex);
 
     // Replace previous pending keypair, if any was previously allocated
     ResetPendingKey();
@@ -136,7 +138,7 @@ CHIP_ERROR PersistentStorageOperationalKeystoreHSM::NewOpKeypairForFabric(Fabric
 CHIP_ERROR PersistentStorageOperationalKeystoreHSM::ActivateOpKeypairForFabric(FabricIndex fabricIndex,
                                                                             const Crypto::P256PublicKey & nocPublicKey)
 {
-    ChipLogProgress(Crypto,"Se05x: ActivateOpKeypair for Fabric %02x",fabricIndex);
+    ChipLogProgress(Crypto,"SE05x: ActivateOpKeypair for Fabric %02x",fabricIndex);
 
     VerifyOrReturnError(mPendingKeypair != nullptr, CHIP_ERROR_INVALID_FABRIC_INDEX);
     VerifyOrReturnError(IsValidFabricIndex(fabricIndex) && (fabricIndex == mPendingFabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
@@ -159,7 +161,7 @@ CHIP_ERROR PersistentStorageOperationalKeystoreHSM::CommitOpKeypairForFabric(Fab
     VerifyOrReturnError(IsValidFabricIndex(fabricIndex) && (fabricIndex == mPendingFabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
     VerifyOrReturnError(mIsPendingKeypairActive == true, CHIP_ERROR_INCORRECT_STATE);
 
-    ChipLogProgress(Crypto,"Se05x: CommitOpKeypair for Fabric %02x",fabricIndex);
+    ChipLogProgress(Crypto,"SE05x: CommitOpKeypair for Fabric %02x",fabricIndex);
 
     while(i++ < MAX_KEYID_SLOTS_FOR_FABRICS){
         if (keyidFabIdMapping[i].fabricIndex == fabricIndex){
@@ -188,7 +190,7 @@ CHIP_ERROR PersistentStorageOperationalKeystoreHSM::RemoveOpKeypairForFabric(Fab
     VerifyOrReturnError(mStorage != nullptr, CHIP_ERROR_INCORRECT_STATE);
     VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
 
-    ChipLogProgress(Crypto,"Se05x: RemoveOpKeypair for Fabric %02x",fabricIndex);
+    ChipLogProgress(Crypto,"SE05x: RemoveOpKeypair for Fabric %02x",fabricIndex);
 
     // Remove pending state if matching
     if ((mPendingKeypair != nullptr) && (fabricIndex == mPendingFabricIndex))
@@ -212,7 +214,7 @@ CHIP_ERROR PersistentStorageOperationalKeystoreHSM::RemoveOpKeypairForFabric(Fab
 
 void PersistentStorageOperationalKeystoreHSM::RevertPendingKeypair()
 {
-    ChipLogProgress(Crypto,"Se05x: RevertPendingKeypair");
+    ChipLogProgress(Crypto,"SE05x: RevertPendingKeypair");
     VerifyOrReturn(mStorage != nullptr);
     // Just reset the pending key, we never stored anything
     ResetPendingKey();
@@ -222,38 +224,42 @@ CHIP_ERROR PersistentStorageOperationalKeystoreHSM::SignWithOpKeypair(FabricInde
                                                                    Crypto::P256ECDSASignature & outSignature) const
 {
     uint8_t i = 0;
-    ChipLogProgress(Crypto,"Se05x: SignWithOpKeypair");
+    ChipLogProgress(Crypto,"SE05x: SignWithOpKeypair");
 
     if (mIsPendingKeypairActive && (fabricIndex == mPendingFabricIndex))
     {
         VerifyOrReturnError(mPendingKeypair != nullptr, CHIP_ERROR_INTERNAL);
         // We have an override key: sign with it!
+        ChipLogProgress(Crypto,"SE05x: SignWithOpKeypair ==> using mPendingKeypair");
         return mPendingKeypair->ECDSA_sign_msg(message.data(), message.size(), outSignature);
 
     }
     else{
         while(i++ < MAX_KEYID_SLOTS_FOR_FABRICS)
         {
-            if (keyidFabIdMapping[i].fabricIndex == fabricIndex)
+            if ((keyidFabIdMapping[i].fabricIndex == fabricIndex)  && (keyidFabIdMapping[i].isPending == 0))
             {
+                ChipLogProgress(Crypto,"SE05x: SignWithOpKeypair ==> using stored keyPair");
                 return keyidFabIdMapping[i].pkeyPair->ECDSA_sign_msg(message.data(), message.size(), outSignature);
             }
         }
     }
 
+    ChipLogProgress(Crypto,"SE05x: SignWithOpKeypair ==> No keyPair found");
     return CHIP_ERROR_INTERNAL;
 }
 
 Crypto::P256Keypair * PersistentStorageOperationalKeystoreHSM::AllocateEphemeralKeypairForCASE()
 {
-    printf("AllocateEphemeralKeypairForCASE using se05x \n");
+    ChipLogProgress(Crypto, "AllocateEphemeralKeypairForCASE using se05x \n");
     Crypto::P256KeypairHSM *pkeyPair = Platform::New<Crypto::P256KeypairHSM>();
     pkeyPair->SetKeyId(kKeyId_case_ephemeral_keyid);
     return pkeyPair;
 }
 
 void PersistentStorageOperationalKeystoreHSM::ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair)
 {
+    ChipLogProgress(Crypto, "ReleaseEphemeralKeypair using se05x \n");
     Platform::Delete<Crypto::P256Keypair>(keypair);
 }