diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp index d38573d1d14695..b6272b201b7c82 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp @@ -129,10 +129,12 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length uint8_t hash[kSHA256_Hash_Length] = { 0, }; - size_t hashLen = sizeof(hash); - sss_status_t status = kStatus_SSS_Success; - sss_object_t keyObject = { 0 }; - size_t siglen = out_signature.Capacity(); + size_t hashLen = sizeof(hash); + sss_status_t status = kStatus_SSS_Success; + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); + MutableByteSpan out_raw_sig_span(out_signature.Bytes(), out_signature.Capacity()); VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -182,10 +184,13 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length status = sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Sign); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hashLen, Uint8::to_uchar(out_signature), &siglen); + status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hashLen, signature_se05x, &signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - SuccessOrExit(out_signature.SetLength(siglen)); + error = EcdsaAsn1SignatureToRaw(kP256_FE_Length, ByteSpan{ signature_se05x, signature_se05x_len }, out_raw_sig_span); + SuccessOrExit(error); + + SuccessOrExit(out_signature.SetLength(2 * kP256_FE_Length)); error = CHIP_NO_ERROR; exit: @@ -202,11 +207,13 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; - sss_asymmetric_t asymm_ctx = { 0 }; - sss_status_t status = kStatus_SSS_Success; - sss_object_t keyObject = { 0 }; - size_t siglen = out_signature.Capacity(); + CHIP_ERROR error = CHIP_ERROR_INTERNAL; + sss_asymmetric_t asymm_ctx = { 0 }; + sss_status_t status = kStatus_SSS_Success; + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); + MutableByteSpan out_raw_sig_span(out_signature.Bytes(), out_signature.Capacity()); VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(hash_length == kSHA256_Hash_Length, CHIP_ERROR_INVALID_ARGUMENT); @@ -228,10 +235,13 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_len VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); status = - sss_asymmetric_sign_digest(&asymm_ctx, const_cast(hash), hash_length, Uint8::to_uchar(out_signature), &siglen); + sss_asymmetric_sign_digest(&asymm_ctx, const_cast(hash), hash_length, signature_se05x, &signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - SuccessOrExit(out_signature.SetLength(siglen)); + error = EcdsaAsn1SignatureToRaw(kP256_FE_Length, ByteSpan{ signature_se05x, signature_se05x_len }, out_raw_sig_span); + SuccessOrExit(error); + + SuccessOrExit(out_signature.SetLength(2 * kP256_FE_Length)); error = CHIP_NO_ERROR; exit: @@ -364,8 +374,11 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s uint8_t hash[32] = { 0, }; - size_t hash_length = sizeof(hash); - sss_object_t keyObject = { 0 }; + size_t hash_length = sizeof(hash); + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); + MutableByteSpan out_der_sig_span(signature_se05x, signature_se05x_len); VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -425,8 +438,13 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Verify); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - status = sss_asymmetric_verify_digest(&asymm_ctx, hash, hash_length, (uint8_t *) Uint8::to_const_uchar(signature), - signature.Length()); + error = EcdsaRawSignatureToAsn1(kP256_FE_Length, ByteSpan{ Uint8::to_const_uchar(signature.ConstBytes()), signature.Length() }, + out_der_sig_span); + SuccessOrExit(error); + + signature_se05x_len = out_der_sig_span.size(); + + status = sss_asymmetric_verify_digest(&asymm_ctx, hash, hash_length, (uint8_t *) signature_se05x, signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INVALID_SIGNATURE); error = CHIP_NO_ERROR; @@ -452,10 +470,13 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, size_t hash_length, const P256ECDSASignature & signature) const { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; - sss_status_t status = kStatus_SSS_Success; - sss_asymmetric_t asymm_ctx = { 0 }; - sss_object_t keyObject = { 0 }; + CHIP_ERROR error = CHIP_ERROR_INTERNAL; + sss_status_t status = kStatus_SSS_Success; + sss_asymmetric_t asymm_ctx = { 0 }; + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[kMax_ECDSA_Signature_Length_Der] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); + MutableByteSpan out_der_sig_span(signature_se05x, signature_se05x_len); VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(hash_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -485,8 +506,14 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Verify); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - status = sss_asymmetric_verify_digest(&asymm_ctx, const_cast(hash), hash_length, - (uint8_t *) Uint8::to_const_uchar(signature), signature.Length()); + error = EcdsaRawSignatureToAsn1(kP256_FE_Length, ByteSpan{ Uint8::to_const_uchar(signature.ConstBytes()), signature.Length() }, + out_der_sig_span); + SuccessOrExit(error); + + signature_se05x_len = out_der_sig_span.size(); + + status = sss_asymmetric_verify_digest(&asymm_ctx, const_cast(hash), hash_length, (uint8_t *) signature_se05x, + signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INVALID_SIGNATURE); error = CHIP_NO_ERROR; diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index 9ca62a74c92b1e..ecf1e613fda9ff 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -286,7 +286,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginVerifier(const uint8_t * my_id const uint8_t * w0in, size_t w0in_len, const uint8_t * Lin, size_t Lin_len) { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; uint8_t w0in_mod[32] = { 0, }; @@ -353,7 +352,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginProver(const uint8_t * my_iden const uint8_t * w0in, size_t w0in_len, const uint8_t * w1in, size_t w1in_len) { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; smStatus_t smstatus = SM_NOT_OK; uint8_t w0in_mod[32] = { 0, diff --git a/third_party/simw-top-mini/repo b/third_party/simw-top-mini/repo index d9e1adfd698546..69d6929ff8286b 160000 --- a/third_party/simw-top-mini/repo +++ b/third_party/simw-top-mini/repo @@ -1 +1 @@ -Subproject commit d9e1adfd6985464bf6c2862b912af96a9a379b14 +Subproject commit 69d6929ff8286b9d54f9387c4ef289c39c8c0df5