[Ameba] Add Ameba crypto implementation

* Add Ameba cryto implementation for security purposes

config/ameba/args.gni

@@ -15,15 +15,20 @@
 # Options from standalone-chip.mk that differ from configure defaults. These
 # options are used from examples/.
 
+import("//build_overrides/chip.gni")
 import("//build_overrides/pigweed.gni")
+import("${chip_root}/src/crypto/crypto.gni")
 
 chip_device_platform = "ameba"
 
 chip_project_config_include = ""
 chip_system_project_config_include = ""
 chip_ble_project_config_include = ""
 
-mbedtls_target = "//mbedtls:mbedtls"
+if (chip_crypto == "") {
+  mbedtls_target = "//mbedtls:mbedtls"
+}
+
 lwip_platform = "external"
 
 chip_build_tests = false

examples/air-purifier-app/ameba/main/chipinterface.cpp

@@ -37,6 +37,9 @@
 #include <platform/CHIPDeviceLayer.h>
 #include <setup_payload/ManualSetupPayloadGenerator.h>
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+#include <platform/Ameba/crypto/AmebaPersistentStorageOperationalKeystore.h>
+#endif
 
 #include <lwip_netconf.h>
 
@@ -130,6 +133,12 @@ static void InitServer(intptr_t context)
     // Init ZCL Data Model and CHIP App Server
     static chip::CommonCaseDeviceServerInitParams initParams;
     (void) initParams.InitializeStaticResourcesBeforeServerInit();
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+    ChipLogProgress(DeviceLayer, "platform crypto enabled!");
+    static chip::AmebaPersistentStorageOperationalKeystore sAmebaPersistentStorageOpKeystore;
+    VerifyOrDie((sAmebaPersistentStorageOpKeystore.Init(initParams.persistentStorageDelegate)) == CHIP_NO_ERROR);
+    initParams.operationalKeystore = &sAmebaPersistentStorageOpKeystore;
+#endif
     chip::Server::GetInstance().Init(initParams);
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);

examples/all-clusters-app/ameba/main/chipinterface.cpp

@@ -41,6 +41,9 @@
 #include <microwave-oven-device.h>
 #include <platform/Ameba/AmebaConfig.h>
 #include <platform/Ameba/NetworkCommissioningDriver.h>
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+#include <platform/Ameba/crypto/AmebaPersistentStorageOperationalKeystore.h>
+#endif
 #include <platform/CHIPDeviceLayer.h>
 #include <setup_payload/ManualSetupPayloadGenerator.h>
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
@@ -153,6 +156,13 @@ static void InitServer(intptr_t context)
 
     initParams.InitializeStaticResourcesBeforeServerInit();
 
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+    ChipLogProgress(DeviceLayer, "platform crypto enabled!");
+    static chip::AmebaPersistentStorageOperationalKeystore sAmebaPersistentStorageOpKeystore;
+    VerifyOrDie((sAmebaPersistentStorageOpKeystore.Init(initParams.persistentStorageDelegate)) == CHIP_NO_ERROR);
+    initParams.operationalKeystore = &sAmebaPersistentStorageOpKeystore;
+#endif
+
     chip::Server::GetInstance().Init(initParams);
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     // TODO: Use our own DeviceInfoProvider

examples/light-switch-app/ameba/main/chipinterface.cpp

@@ -34,6 +34,9 @@
 #include <lib/core/ErrorStr.h>
 #include <platform/Ameba/AmebaConfig.h>
 #include <platform/Ameba/NetworkCommissioningDriver.h>
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+#include <platform/Ameba/crypto/AmebaPersistentStorageOperationalKeystore.h>
+#endif
 #include <platform/CHIPDeviceLayer.h>
 #include <setup_payload/ManualSetupPayloadGenerator.h>
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
@@ -100,6 +103,12 @@ static void InitServer(intptr_t context)
     // Init ZCL Data Model and CHIP App Server
     static chip::CommonCaseDeviceServerInitParams initParams;
     initParams.InitializeStaticResourcesBeforeServerInit();
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+    ChipLogProgress(DeviceLayer, "platform crypto enabled!");
+    static chip::AmebaPersistentStorageOperationalKeystore sAmebaPersistentStorageOpKeystore;
+    VerifyOrDie((sAmebaPersistentStorageOpKeystore.Init(initParams.persistentStorageDelegate)) == CHIP_NO_ERROR);
+    initParams.operationalKeystore = &sAmebaPersistentStorageOpKeystore;
+#endif
     chip::Server::GetInstance().Init(initParams);
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);

examples/lighting-app/ameba/main/chipinterface.cpp

@@ -35,12 +35,14 @@
 #include <lib/core/ErrorStr.h>
 #include <platform/Ameba/AmebaConfig.h>
 #include <platform/Ameba/NetworkCommissioningDriver.h>
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+#include <platform/Ameba/crypto/AmebaPersistentStorageOperationalKeystore.h>
+#endif
+#include <lwip_netconf.h>
 #include <platform/CHIPDeviceLayer.h>
 #include <setup_payload/ManualSetupPayloadGenerator.h>
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
 
-#include <lwip_netconf.h>
-
 #if CONFIG_ENABLE_PW_RPC
 #include "Rpc.h"
 #endif
@@ -121,6 +123,12 @@ static void InitServer(intptr_t context)
     // Init ZCL Data Model and CHIP App Server
     static chip::CommonCaseDeviceServerInitParams initParams;
     (void) initParams.InitializeStaticResourcesBeforeServerInit();
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+    ChipLogProgress(DeviceLayer, "platform crypto enabled!");
+    static chip::AmebaPersistentStorageOperationalKeystore sAmebaPersistentStorageOpKeystore;
+    VerifyOrDie((sAmebaPersistentStorageOpKeystore.Init(initParams.persistentStorageDelegate)) == CHIP_NO_ERROR);
+    initParams.operationalKeystore = &sAmebaPersistentStorageOpKeystore;
+#endif
     chip::Server::GetInstance().Init(initParams);
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);

src/platform/Ameba/BUILD.gn

@@ -14,8 +14,8 @@
 
 import("//build_overrides/chip.gni")
 
+import("${chip_root}/src/crypto/crypto.gni")
 import("${chip_root}/src/platform/device.gni")
-
 assert(chip_device_platform == "ameba")
 
 static_library("Ameba") {
@@ -71,4 +71,14 @@ static_library("Ameba") {
       "AmebaOTAImageProcessor.h",
     ]
   }
+
+  if (chip_crypto == "platform") {
+    sources += [
+      "${chip_root}/src/crypto/CHIPCryptoPALmbedTLS.cpp",
+      "${chip_root}/src/crypto/CHIPCryptoPALmbedTLS.h",
+      "${chip_root}/src/crypto/CHIPCryptoPALmbedTLSCert.cpp",
+      "crypto/AmebaPersistentStorageOperationalKeystore.cpp",
+      "crypto/AmebaPersistentStorageOperationalKeystore.h",
+    ]
+  }
 }

src/platform/Ameba/FactoryDataDecoder.cpp

@@ -41,5 +41,16 @@ CHIP_ERROR FactoryDataDecoder::DecodeFactoryData(uint8_t * buffer, FactoryData *
     return err;
 }
 
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+CHIP_ERROR FactoryDataDecoder::GetSign(uint8_t * PublicKeyData, size_t PublicKeySize, const unsigned char * MessageData,
+                                       size_t MessageSize, unsigned char * Signature)
+{
+    int32_t error  = matter_get_signature(PublicKeyData, PublicKeySize, MessageData, MessageSize, Signature);
+    CHIP_ERROR err = CHIP_NO_ERROR;
+
+    return err;
+}
+#endif
+
 } // namespace DeviceLayer
 } // namespace chip

src/platform/Ameba/FactoryDataDecoder.h

@@ -27,6 +27,10 @@ class FactoryDataDecoder
 public:
     CHIP_ERROR ReadFactoryData(uint8_t * buffer, uint16_t * pfactorydata_len);
     CHIP_ERROR DecodeFactoryData(uint8_t * buffer, FactoryData * fdata, uint16_t factorydata_len);
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+    CHIP_ERROR GetSign(uint8_t * PublicKeyData, size_t PublicKeySize, const unsigned char * MessageData, size_t MessageSize,
+                       unsigned char * Signature);
+#endif
     static FactoryDataDecoder & GetInstance()
     {
         static FactoryDataDecoder instance;

src/platform/Ameba/FactoryDataProvider.cpp

@@ -16,7 +16,6 @@
  */
 
 #include "FactoryDataProvider.h"
-
 #include "FactoryDataDecoder.h"
 #include <crypto/CHIPCryptoPAL.h>
 #include <lib/core/CHIPError.h>
@@ -254,25 +253,43 @@ CHIP_ERROR FactoryDataProvider::SignWithDeviceAttestationKey(const ByteSpan & me
 
     if (kReadFromFlash)
     {
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+        ReturnErrorCodeIf(!mFactoryData.dac.dac_cert.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
+        // Extract public key from DAC cert.
+        ByteSpan dacCertSpan{ reinterpret_cast<uint8_t *>(mFactoryData.dac.dac_cert.value), mFactoryData.dac.dac_cert.len };
+        chip::Crypto::P256PublicKey dacPublicKey;
+
+        ReturnErrorOnFailure(chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey));
+
+        CHIP_ERROR err             = CHIP_NO_ERROR;
+        FactoryDataDecoder decoder = FactoryDataDecoder::GetInstance();
+        err = decoder.GetSign(dacPublicKey.Bytes(), dacPublicKey.Length(), messageToSign.data(), messageToSign.size(),
+                              signature.Bytes());
+#else
         ReturnErrorCodeIf(!mFactoryData.dac.dac_cert.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
         ReturnErrorCodeIf(!mFactoryData.dac.dac_key.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
         // Extract public key from DAC cert.
         ByteSpan dacCertSpan{ reinterpret_cast<uint8_t *>(mFactoryData.dac.dac_cert.value), mFactoryData.dac.dac_cert.len };
         chip::Crypto::P256PublicKey dacPublicKey;
 
         ReturnErrorOnFailure(chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey));
+
         ReturnErrorOnFailure(
             LoadKeypairFromRaw(ByteSpan(reinterpret_cast<uint8_t *>(mFactoryData.dac.dac_key.value), mFactoryData.dac.dac_key.len),
                                ByteSpan(dacPublicKey.Bytes(), dacPublicKey.Length()), keypair));
+#endif
     }
     else
     {
         ReturnErrorOnFailure(LoadKeypairFromRaw(ByteSpan(kDacPrivateKey), ByteSpan(kDacPublicKey), keypair));
     }
-
+#if CONFIG_ENABLE_AMEBA_CRYPTO
+    VerifyOrReturnError(signature.SetLength(chip::Crypto::kP256_ECDSA_Signature_Length_Raw) == CHIP_NO_ERROR, CHIP_ERROR_INTERNAL);
+    return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, outSignBuffer);
+#else
     ReturnErrorOnFailure(keypair.ECDSA_sign_msg(messageToSign.data(), messageToSign.size(), signature));
-
     return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, outSignBuffer);
+#endif
 }
 
 CHIP_ERROR FactoryDataProvider::GetSetupDiscriminator(uint16_t & setupDiscriminator)

src/platform/Ameba/args.gni

@@ -13,11 +13,15 @@
 # limitations under the License.
 
 import("//build_overrides/chip.gni")
+import("${chip_root}/src/crypto/crypto.gni")
 
 chip_device_platform = "ameba"
 
 lwip_platform = "external"
-mbedtls_target = "//mbedtls:mbedtls"
+
+if (chip_crypto == "") {
+  mbedtls_target = "//mbedtls:mbedtls"
+}
 
 chip_build_tests = false
 chip_inet_config_enable_tun_endpoint = false