feature/HSM-P256-Signature-asn1-to-raw (#8534)

* converting hsm signature from asn format to raw format * reduced buffer to 80 bytes * restyled * Update src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp Co-authored-by: Evgeny Margolis <[email protected]> * Update src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp Co-authored-by: Evgeny Margolis <[email protected]> * Update src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp Co-authored-by: Evgeny Margolis <[email protected]> * Update src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp Co-authored-by: Evgeny Margolis <[email protected]> * restyled * Using new asn1 apis * restyled * warning fix- specifying the type explicitly * Trigger Build Co-authored-by: Jagadish B E <[email protected]> Co-authored-by: Justin Wood <[email protected]> Co-authored-by: Evgeny Margolis <[email protected]> Co-authored-by: Jagadish-NXP <[email protected]>
project-chip · Aug 14, 2021 · f9af564 · f9af564
1 parent 81b224b
commit f9af564
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 26 deletions.
diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp
@@ -129,10 +129,12 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length
     uint8_t hash[kSHA256_Hash_Length] = {
         0,
     };
-    size_t hashLen         = sizeof(hash);
-    sss_status_t status    = kStatus_SSS_Success;
-    sss_object_t keyObject = { 0 };
-    size_t siglen          = out_signature.Capacity();
+    size_t hashLen                                           = sizeof(hash);
+    sss_status_t status                                      = kStatus_SSS_Success;
+    sss_object_t keyObject                                   = { 0 };
+    uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 };
+    size_t signature_se05x_len                               = sizeof(signature_se05x);
+    MutableByteSpan out_raw_sig_span(out_signature.Bytes(), out_signature.Capacity());
 
     VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
@@ -182,10 +184,13 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length
     status = sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Sign);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL);
 
-    status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hashLen, Uint8::to_uchar(out_signature), &siglen);
+    status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hashLen, signature_se05x, &signature_se05x_len);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL);
 
-    SuccessOrExit(out_signature.SetLength(siglen));
+    error = EcdsaAsn1SignatureToRaw(kP256_FE_Length, ByteSpan{ signature_se05x, signature_se05x_len }, out_raw_sig_span);
+    SuccessOrExit(error);
+
+    SuccessOrExit(out_signature.SetLength(2 * kP256_FE_Length));
 
     error = CHIP_NO_ERROR;
 exit:
@@ -202,11 +207,13 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length
 
 CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature)
 {
-    CHIP_ERROR error           = CHIP_ERROR_INTERNAL;
-    sss_asymmetric_t asymm_ctx = { 0 };
-    sss_status_t status        = kStatus_SSS_Success;
-    sss_object_t keyObject     = { 0 };
-    size_t siglen              = out_signature.Capacity();
+    CHIP_ERROR error                                         = CHIP_ERROR_INTERNAL;
+    sss_asymmetric_t asymm_ctx                               = { 0 };
+    sss_status_t status                                      = kStatus_SSS_Success;
+    sss_object_t keyObject                                   = { 0 };
+    uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 };
+    size_t signature_se05x_len                               = sizeof(signature_se05x);
+    MutableByteSpan out_raw_sig_span(out_signature.Bytes(), out_signature.Capacity());
 
     VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(hash_length == kSHA256_Hash_Length, CHIP_ERROR_INVALID_ARGUMENT);
@@ -228,10 +235,13 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_len
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL);
 
     status =
-        sss_asymmetric_sign_digest(&asymm_ctx, const_cast<uint8_t *>(hash), hash_length, Uint8::to_uchar(out_signature), &siglen);
+        sss_asymmetric_sign_digest(&asymm_ctx, const_cast<uint8_t *>(hash), hash_length, signature_se05x, &signature_se05x_len);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL);
 
-    SuccessOrExit(out_signature.SetLength(siglen));
+    error = EcdsaAsn1SignatureToRaw(kP256_FE_Length, ByteSpan{ signature_se05x, signature_se05x_len }, out_raw_sig_span);
+    SuccessOrExit(error);
+
+    SuccessOrExit(out_signature.SetLength(2 * kP256_FE_Length));
 
     error = CHIP_NO_ERROR;
 exit:
@@ -364,8 +374,11 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s
     uint8_t hash[32]           = {
         0,
     };
-    size_t hash_length     = sizeof(hash);
-    sss_object_t keyObject = { 0 };
+    size_t hash_length                                       = sizeof(hash);
+    sss_object_t keyObject                                   = { 0 };
+    uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 };
+    size_t signature_se05x_len                               = sizeof(signature_se05x);
+    MutableByteSpan out_der_sig_span(signature_se05x, signature_se05x_len);
 
     VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
@@ -425,8 +438,13 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s
         sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Verify);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL);
 
-    status = sss_asymmetric_verify_digest(&asymm_ctx, hash, hash_length, (uint8_t *) Uint8::to_const_uchar(signature),
-                                          signature.Length());
+    error = EcdsaRawSignatureToAsn1(kP256_FE_Length, ByteSpan{ Uint8::to_const_uchar(signature.ConstBytes()), signature.Length() },
+                                    out_der_sig_span);
+    SuccessOrExit(error);
+
+    signature_se05x_len = out_der_sig_span.size();
+
+    status = sss_asymmetric_verify_digest(&asymm_ctx, hash, hash_length, (uint8_t *) signature_se05x, signature_se05x_len);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INVALID_SIGNATURE);
 
     error = CHIP_NO_ERROR;
@@ -452,10 +470,13 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s
 CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, size_t hash_length,
                                                            const P256ECDSASignature & signature) const
 {
-    CHIP_ERROR error           = CHIP_ERROR_INTERNAL;
-    sss_status_t status        = kStatus_SSS_Success;
-    sss_asymmetric_t asymm_ctx = { 0 };
-    sss_object_t keyObject     = { 0 };
+    CHIP_ERROR error                                         = CHIP_ERROR_INTERNAL;
+    sss_status_t status                                      = kStatus_SSS_Success;
+    sss_asymmetric_t asymm_ctx                               = { 0 };
+    sss_object_t keyObject                                   = { 0 };
+    uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 };
+    size_t signature_se05x_len                               = sizeof(signature_se05x);
+    MutableByteSpan out_der_sig_span(signature_se05x, signature_se05x_len);
 
     VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(hash_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
@@ -485,8 +506,14 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash,
         sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Verify);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL);
 
-    status = sss_asymmetric_verify_digest(&asymm_ctx, const_cast<uint8_t *>(hash), hash_length,
-                                          (uint8_t *) Uint8::to_const_uchar(signature), signature.Length());
+    error = EcdsaRawSignatureToAsn1(kP256_FE_Length, ByteSpan{ Uint8::to_const_uchar(signature.ConstBytes()), signature.Length() },
+                                    out_der_sig_span);
+    SuccessOrExit(error);
+
+    signature_se05x_len = out_der_sig_span.size();
+
+    status = sss_asymmetric_verify_digest(&asymm_ctx, const_cast<uint8_t *>(hash), hash_length, (uint8_t *) signature_se05x,
+                                          signature_se05x_len);
     VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INVALID_SIGNATURE);
 
     error = CHIP_NO_ERROR;

diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp
@@ -286,7 +286,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginVerifier(const uint8_t * my_id
                                                            const uint8_t * w0in, size_t w0in_len, const uint8_t * Lin,
                                                            size_t Lin_len)
 {
-    CHIP_ERROR error     = CHIP_ERROR_INTERNAL;
     uint8_t w0in_mod[32] = {
         0,
     };
@@ -353,7 +352,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginProver(const uint8_t * my_iden
                                                          const uint8_t * w0in, size_t w0in_len, const uint8_t * w1in,
                                                          size_t w1in_len)
 {
-    CHIP_ERROR error     = CHIP_ERROR_INTERNAL;
     smStatus_t smstatus  = SM_NOT_OK;
     uint8_t w0in_mod[32] = {
         0,

diff --git a/third_party/simw-top-mini/repo b/third_party/simw-top-mini/repo