From 394d56cbdc2c1d8a5b9801893ef36b75c6073ee4 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Wed, 23 Jun 2021 13:29:05 +0530 Subject: [PATCH 01/15] Added CSR support in HSM --- src/crypto/hsm/CHIPCryptoPALHsm.h | 4 +- src/crypto/hsm/CHIPCryptoPALHsm_config.h | 4 +- .../hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp | 244 +++++++++++++++++- .../nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp | 15 +- src/crypto/tests/CHIPCryptoPALTest.cpp | 2 +- src/protocols/secure_channel/CASESession.cpp | 6 + src/protocols/secure_channel/CASESession.h | 9 + src/transport/AdminPairingTable.cpp | 3 + 8 files changed, 272 insertions(+), 15 deletions(-) diff --git a/src/crypto/hsm/CHIPCryptoPALHsm.h b/src/crypto/hsm/CHIPCryptoPALHsm.h index 6701c795edf082..89c99bcb6f36ff 100644 --- a/src/crypto/hsm/CHIPCryptoPALHsm.h +++ b/src/crypto/hsm/CHIPCryptoPALHsm.h @@ -116,7 +116,7 @@ class P256KeypairHSM : public P256Keypair virtual CHIP_ERROR Initialize() override; - virtual CHIP_ERROR Serialize(P256SerializedKeypair & output) override; + virtual CHIP_ERROR Serialize(P256SerializedKeypair & output) const override; virtual CHIP_ERROR Deserialize(P256SerializedKeypair & input) override; @@ -127,6 +127,8 @@ class P256KeypairHSM : public P256Keypair virtual CHIP_ERROR ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const override; + CHIP_ERROR NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) override; + const P256PublicKeyHSM & Pubkey() const override { return mPublicKeyHSM; } bool provisioned_key; diff --git a/src/crypto/hsm/CHIPCryptoPALHsm_config.h b/src/crypto/hsm/CHIPCryptoPALHsm_config.h index 380a497a6e55e9..a04db54104ffb4 100644 --- a/src/crypto/hsm/CHIPCryptoPALHsm_config.h +++ b/src/crypto/hsm/CHIPCryptoPALHsm_config.h @@ -41,7 +41,7 @@ /* * Enable HSM for PBKDF SHA256 */ -#define ENABLE_HSM_PBKDF2_SHA256 1 +#define ENABLE_HSM_PBKDF2_SHA256 0 /* * Enable HSM for HKDF SHA256 @@ -54,6 +54,8 @@ #if ((CHIP_CRYPTO_HSM) && (ENABLE_HSM_GENERATE_EC_KEY)) #define ENABLE_HSM_EC_KEY +#define ENABLE_HSM_CASE_EPHERMAL_KEY +#define ENABLE_HSM_CASE_OPS_KEY #endif #if ((CHIP_CRYPTO_HSM) && (ENABLE_HSM_PBKDF2_SHA256)) diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp index 1d9209fb7951ad..f27f60d478ba09 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp @@ -30,6 +30,19 @@ #define MAX_SHA_ONE_SHOT_DATA_LEN 900 #define NIST256_HEADER_OFFSET 26 +/* Used for CSR generation */ +// Organisation info. +#define SUBJECT_STR "CSR" +#define ASN1_BIT_STRING 0x03 +#define ASN1_NULL 0x05 +#define ASN1_OID 0x06 +#define ASN1_SEQUENCE 0x10 +#define ASN1_SET 0x11 +#define ASN1_UTF8_STRING 0x0C +#define ASN1_CONSTRUCTED 0x20 +#define ASN1_CONTEXT_SPECIFIC 0x80 + + namespace chip { namespace Crypto { @@ -55,8 +68,8 @@ CHIP_ERROR P256KeypairHSM::Initialize() uint8_t pubkey[128] = { 0, }; - constexpr size_t pubKeyLen = sizeof(pubkey); - constexpr size_t pbKeyBitLen = sizeof(pubkey) * 8; + size_t pubKeyLen = sizeof(pubkey); + size_t pbKeyBitLen = sizeof(pubkey) * 8; if (keyid == 0) { @@ -227,7 +240,7 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_len return error; } -CHIP_ERROR P256KeypairHSM::Serialize(P256SerializedKeypair & output) +CHIP_ERROR P256KeypairHSM::Serialize(P256SerializedKeypair & output) const { const size_t len = output.Length() == 0 ? output.Capacity() : output.Length(); Encoding::BufferWriter bbuf(output, len); @@ -308,6 +321,7 @@ CHIP_ERROR SE05X_Set_ECDSA_Public_Key(sss_object_t * keyObject, const uint8_t * uint8_t public_key[128] = { 0, }; + size_t public_key_len = 0; /* ECC NIST-256 Public Key header */ const uint8_t nist256_header[] = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, @@ -324,7 +338,7 @@ CHIP_ERROR SE05X_Set_ECDSA_Public_Key(sss_object_t * keyObject, const uint8_t * VerifyOrReturnError((sizeof(nist256_header) + keylen) <= sizeof(public_key), CHIP_ERROR_INTERNAL); memcpy(public_key, nist256_header, sizeof(nist256_header)); - size_t public_key_len = public_key_len + sizeof(nist256_header); + public_key_len = sizeof(nist256_header); memcpy(public_key + public_key_len, key, keylen); public_key_len = public_key_len + keylen; @@ -482,6 +496,228 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, return error; } + +static void add_tlv(uint8_t* buf, size_t buf_index, uint8_t tag, size_t len, uint8_t* val) +{ + buf[buf_index++] = (uint8_t)tag; + buf[buf_index++] = (uint8_t)len; + if (len > 0 && val != NULL){ + memcpy(&buf[buf_index], val, len); + buf_index = buf_index + len; + } +} + + +/* + * CSR format used in the below function, + * + * + * (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH + * + * (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH + * + * VERSION ::= INTEGER { v1(0), v2(1), v3(2) } + * + * (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH + * + * (ASN1_CONSTRUCTED | ASN1_SET) LENGTH + * + * (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH + * + * (ASN1_OID) LENGTH VALUE(Organisation OID) + * + * (ASN1_UTF8_STRING) LENGTH VALUE(Subject Str == "CSR") + * + * PUBLIC KEY {WITH HEADER. 91 Bytes} + * + * (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH + * + * (ASN1_OID) LENGTH VALUE(ECDSA SHA256 OID) + * + * (ASN1_NULL) 0x00 + * + * (ASN1_BIT_STRING) LENGTH VALUE(SIGNATURE) + * + */ + +CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) +{ + CHIP_ERROR error = CHIP_ERROR_INTERNAL; + sss_status_t status = kStatus_SSS_Success; + sss_asymmetric_t asymm_ctx = { 0 }; + sss_object_t keyObject = { 0 }; + sss_digest_t digest_ctx = { 0 }; + + uint8_t data_to_hash[128] = { 0 }; + size_t data_to_hash_len = sizeof(data_to_hash); + uint8_t pubkey[128] = { 0 }; + size_t pubKeyLen = 0; + uint8_t hash[32] = { 0 }; + size_t hash_length = sizeof(hash); + uint8_t signature[128] = { 0 }; + size_t signature_len = sizeof(signature); + + size_t csr_index = 0; + size_t buffer_index = data_to_hash_len; + + uint8_t organisation_oid[3]= { 0x55, 0x04, 0x0a }; + + //Version ::= INTEGER { v1(0), v2(1), v3(2) } + uint8_t version[3] = { 0x02, 0x01, 0x00 }; + uint8_t signature_oid[8] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 }; + uint8_t nist256_header[] = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, + 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, + 0x42, 0x00 }; + + + // No extensions are copied + buffer_index = buffer_index - 2; + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC), 0, NULL); + + // Copy public key (with header) + { + P256PublicKeyHSM & public_key = const_cast(Pubkey()); + + VerifyOrExit((sizeof(nist256_header) + public_key.Length()) <= sizeof(pubkey), error = CHIP_ERROR_INTERNAL); + + memcpy(pubkey, nist256_header, sizeof(nist256_header)); + pubKeyLen = pubKeyLen + sizeof(nist256_header); + + memcpy((pubkey + pubKeyLen), Uint8::to_uchar(public_key), public_key.Length()); + pubKeyLen = pubKeyLen + public_key.Length(); + } + + buffer_index = buffer_index - pubKeyLen; + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + memcpy((void*)&data_to_hash[buffer_index], pubkey, pubKeyLen); + + + // Copy subject (in the current implementation only organisation name info is added) and organisation OID + buffer_index = buffer_index - (1 + 1 + sizeof(SUBJECT_STR)-1); + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + add_tlv(data_to_hash, buffer_index, ASN1_UTF8_STRING, sizeof(SUBJECT_STR)-1, (uint8_t*)SUBJECT_STR); + + buffer_index = buffer_index - (1 + 1 + sizeof(organisation_oid)); + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + add_tlv(data_to_hash, buffer_index, ASN1_OID, sizeof(organisation_oid), organisation_oid); + + // Add length + buffer_index = buffer_index - 2; + // Subject TLV ==> 1 + 1 + len(subject) + // Org OID TLV ==> 1 + 1 + len(organisation_oid) + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), + (4 + (sizeof(SUBJECT_STR)-1) + sizeof(organisation_oid)), + NULL); + + buffer_index = buffer_index - 2; + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SET), + (6 + (sizeof(SUBJECT_STR)-1) + sizeof(organisation_oid)), + NULL); + + buffer_index = buffer_index - 2; + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), + (8 + (sizeof(SUBJECT_STR)-1) + sizeof(organisation_oid)), + NULL); + + + buffer_index = buffer_index - 3; + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + memcpy((void*)&data_to_hash[buffer_index], version, sizeof(version)); + + buffer_index = buffer_index - 2; + VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), + (data_to_hash_len - buffer_index - 2), + NULL); + + // TLV data is created by copying from backwards. move it to start of buffer. + data_to_hash_len = (data_to_hash_len - buffer_index); + memmove(data_to_hash, (data_to_hash+buffer_index), data_to_hash_len); + + + + /* Create hash of `data_to_hash` buffer */ + status = sss_digest_context_init(&digest_ctx, &gex_sss_chip_ctx.session, kAlgorithm_SSS_SHA256, kMode_SSS_Digest); + VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); + + status = sss_digest_one_go(&digest_ctx, data_to_hash, data_to_hash_len, hash, &hash_length); + VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); + + + // Sign on hash + status = sss_key_object_init(&keyObject, &gex_sss_chip_ctx.ks); + VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); + + status = sss_key_object_get_handle(&keyObject, keyid); + VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); + + status = sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Sign); + VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); + + status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hash_length, Uint8::to_uchar(signature), &signature_len); + VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); + + VerifyOrExit((csr_index + 3) <= csr_length, error = CHIP_ERROR_INTERNAL); + csr[csr_index++] = (ASN1_CONSTRUCTED | ASN1_SEQUENCE); + if ( (data_to_hash_len + 14 + 2 + signature_len) >= 0x80) { + csr[csr_index++] = 0x81; + } + csr[csr_index++] = (uint8_t)(data_to_hash_len + 14 + 2 + signature_len); + + VerifyOrExit((csr_index + data_to_hash_len) <= csr_length, error = CHIP_ERROR_INTERNAL); + memcpy( (csr+csr_index), data_to_hash, data_to_hash_len); + csr_index = csr_index + data_to_hash_len; + + + // ECDSA SHA256 Signature OID TLV ==> 1 + 1 + len(signature_oid) (8) + // ASN_NULL ==> 1 + 1 + VerifyOrExit((csr_index + 2) <= csr_length, error = CHIP_ERROR_INTERNAL); + add_tlv(csr, csr_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), 0x0C, NULL); + csr_index = csr_index + 2; + + VerifyOrExit((csr_index + sizeof(signature_oid) + 2) <= csr_length, error = CHIP_ERROR_INTERNAL); + add_tlv(csr, csr_index, ASN1_OID, sizeof(signature_oid), signature_oid); + csr_index = csr_index + 2 + sizeof(signature_oid); + + VerifyOrExit((csr_index + 2) <= csr_length, error = CHIP_ERROR_INTERNAL); + add_tlv(csr, csr_index, ASN1_NULL, 0x00, NULL); + csr_index = csr_index + 2; + + VerifyOrExit((csr_index + 2) <= csr_length, error = CHIP_ERROR_INTERNAL); + csr[csr_index++] = ASN1_BIT_STRING; + csr[csr_index++] = (uint8_t)((signature[0] != 0)? (signature_len+1) : (signature_len)); + + if (signature[0] != 0){ + VerifyOrExit(csr_index <= csr_length, error = CHIP_ERROR_INTERNAL); + csr[csr_index++] = 0x00; + // Increament total count by 1 + csr[2]++; + } + VerifyOrExit((csr_index + signature_len) <= csr_length, error = CHIP_ERROR_INTERNAL); + memcpy(&csr[csr_index], signature, signature_len); + + csr_length = (csr_index + signature_len); + + error = CHIP_NO_ERROR; +exit: + if (asymm_ctx.session != NULL) + { + sss_asymmetric_context_free(&asymm_ctx); + } + + if (digest_ctx.session != NULL) + { + sss_digest_context_free(&digest_ctx); + } + + return error; +} + + } // namespace Crypto } // namespace chip diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index fd09be13d387c3..65d825e37c2f68 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -159,11 +159,8 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c if (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) { - if (pab == NULL) - { - /* Need X/Y value to verify abort condition */ - goto exit; - } + /* Need X/Y value to verify abort condition */ + VerifyOrReturnError(pab != NULL, CHIP_ERROR_INVALID_ARGUMENT); } #if SSS_HAVE_SE05X_VER_GTE_16_03 @@ -262,7 +259,9 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::Init(const uint8_t * context, size_ } VerifyOrReturnError(context_len <= sizeof(hsm_pake_context.spake_context), CHIP_ERROR_INTERNAL); memset(hsm_pake_context.spake_context, 0, sizeof(hsm_pake_context.spake_context)); - memcpy(hsm_pake_context.spake_context, context, context_len); + if (context_len > 0){ + memcpy(hsm_pake_context.spake_context, context, context_len); + } hsm_pake_context.spake_context_len = context_len; const CHIP_ERROR error = Spake2p::Init(context, context_len); @@ -487,7 +486,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::ComputeRoundTwo(const uint8_t * in, uint8_t pKeyKe[16] = { 0, }; - constexpr size_t pkeyKeLen = sizeof(pKeyKe); + size_t pkeyKeLen = sizeof(pKeyKe); const CHIP_ERROR error = Spake2p_ComputeRoundTwo_HSM(&hsm_pake_context, role, in, in_len, out, out_len, pKeyKe, &pkeyKeLen); if (CHIP_NO_ERROR == error) @@ -500,7 +499,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::ComputeRoundTwo(const uint8_t * in, CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::KeyConfirm(const uint8_t * in, size_t in_len) { - VerifyOrExit(state == CHIP_SPAKE2P_STATE::R2, error = CHIP_ERROR_INTERNAL); + VerifyOrReturnError(state == CHIP_SPAKE2P_STATE::R2, CHIP_ERROR_INTERNAL); #if !ENABLE_HSM_SPAKE_VERIFIER const bool sw_rollback_verifier = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER); diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp index 2a8aec586bcebc..c05eec28a4d855 100644 --- a/src/crypto/tests/CHIPCryptoPALTest.cpp +++ b/src/crypto/tests/CHIPCryptoPALTest.cpp @@ -997,7 +997,7 @@ static void TestCSR_Gen(nlTestSuite * inSuite, void * inContext) static uint8_t csr[kMAX_CSR_Length]; size_t length = sizeof(csr); - static P256Keypair keypair; + static Test_P256Keypair keypair; NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR); NL_TEST_ASSERT(inSuite, keypair.NewCertificateSigningRequest(csr, length) == CHIP_NO_ERROR); NL_TEST_ASSERT(inSuite, length > 0); diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index be3bf1664bf374..6d7f7790e74b4b 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -323,6 +323,9 @@ CHIP_ERROR CASESession::SendSigmaR1() ReturnErrorOnFailure(DRBG_get_bytes(msg, kSigmaParamRandomNumberSize)); // Step 4 + #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY + mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY); + #endif ReturnErrorOnFailure(mEphemeralKey.Initialize()); // Step 5 @@ -463,6 +466,9 @@ CHIP_ERROR CASESession::SendSigmaR2() // Step 3 // hardcoded to use a p256keypair + #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY + mEphemeralKey.SetKeyId(0x22334455); + #endif err = mEphemeralKey.Initialize(); SuccessOrExit(err); diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h index 67e9bf7d86a8b5..f026d69d7dabd2 100644 --- a/src/protocols/secure_channel/CASESession.h +++ b/src/protocols/secure_channel/CASESession.h @@ -54,6 +54,11 @@ constexpr uint16_t kMaxTrustedRootIds = 5; constexpr uint16_t kIPKSize = 32; + +#ifdef ENABLE_HSM_CASE_EPHERMAL_KEY +#define CASE_EPHEMERAL_KEY 0x11223344 +#endif + using namespace Crypto; using namespace Credentials; @@ -248,7 +253,11 @@ class DLL_EXPORT CASESession : public Messaging::ExchangeDelegate, public Pairin Hash_SHA256_stream mCommissioningHash; P256PublicKey mRemotePubKey; + #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY + P256KeypairHSM mEphemeralKey; + #else P256Keypair mEphemeralKey; + #endif P256ECDHDerivedSecret mSharedSecret; OperationalCredentialSet * mOpCredSet; CertificateKeyId mTrustedRootId; diff --git a/src/transport/AdminPairingTable.cpp b/src/transport/AdminPairingTable.cpp index ceb554f473e4a3..8cb13c122c5750 100644 --- a/src/transport/AdminPairingTable.cpp +++ b/src/transport/AdminPairingTable.cpp @@ -23,6 +23,9 @@ #include #include #include +#if CHIP_CRYPTO_HSM +#include +#endif namespace chip { using namespace Credentials; From 6f286b02cba1451c24a7596d14ebae7e204e3ddd Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Wed, 23 Jun 2021 13:35:53 +0530 Subject: [PATCH 02/15] updated keyid --- src/protocols/secure_channel/CASESession.cpp | 2 +- src/protocols/secure_channel/CASESession.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index 6d7f7790e74b4b..4de16a537e5b15 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -467,7 +467,7 @@ CHIP_ERROR CASESession::SendSigmaR2() // Step 3 // hardcoded to use a p256keypair #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY - mEphemeralKey.SetKeyId(0x22334455); + mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY); #endif err = mEphemeralKey.Initialize(); SuccessOrExit(err); diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h index f026d69d7dabd2..c0c5071185bf23 100644 --- a/src/protocols/secure_channel/CASESession.h +++ b/src/protocols/secure_channel/CASESession.h @@ -56,7 +56,7 @@ constexpr uint16_t kIPKSize = 32; #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY -#define CASE_EPHEMERAL_KEY 0x11223344 +#define CASE_EPHEMERAL_KEY 0xCA5EECD0 #endif using namespace Crypto; From 4ddbf4d82195fd9dfe6e570f3b9b6a4069feb67d Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Wed, 23 Jun 2021 22:00:19 +0530 Subject: [PATCH 03/15] added support for linux in simw build file --- third_party/simw-top-mini/BUILD.gn | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/third_party/simw-top-mini/BUILD.gn b/third_party/simw-top-mini/BUILD.gn index b3dec26278b0a2..aa36eddc53b38d 100644 --- a/third_party/simw-top-mini/BUILD.gn +++ b/third_party/simw-top-mini/BUILD.gn @@ -99,6 +99,11 @@ source_set("se05x") { "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/ksdk/timer_kinetis_freertos.c", ] } + else if (host == "host_linux") { + sources += [ + "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/linux/i2c_a7.c", + ] + } public_deps = [ "${chip_root}/third_party/mbedtls:mbedtls" ] configs += [ ":se05x_config" ] From ceb14e8d8603d259d32e62805232174f3cac39c0 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Wed, 23 Jun 2021 22:03:08 +0530 Subject: [PATCH 04/15] build fix --- third_party/simw-top-mini/BUILD.gn | 1 + 1 file changed, 1 insertion(+) diff --git a/third_party/simw-top-mini/BUILD.gn b/third_party/simw-top-mini/BUILD.gn index aa36eddc53b38d..260395c7e9ae0c 100644 --- a/third_party/simw-top-mini/BUILD.gn +++ b/third_party/simw-top-mini/BUILD.gn @@ -102,6 +102,7 @@ source_set("se05x") { else if (host == "host_linux") { sources += [ "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/linux/i2c_a7.c", + "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/generic/sm_timer.c", ] } From f809671465dc8b49b7cd6198277d8d002c7eaad3 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Wed, 23 Jun 2021 23:10:26 +0530 Subject: [PATCH 05/15] Added logs --- src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp | 10 ++++++++++ src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index 65d825e37c2f68..080f20b5446310 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -150,6 +150,8 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c #endif SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId; + ChipLogProgress(Crypto, "Using HSM for spake ComputeRoundOne \n"); + VerifyOrReturnError(out != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(out_len != nullptr, CHIP_ERROR_INVALID_ARGUMENT); if (pab_len > 0) @@ -207,6 +209,8 @@ CHIP_ERROR Spake2p_ComputeRoundTwo_HSM(hsm_pake_context_t * phsm_pake_context, c VerifyOrReturnError(pKeyKe != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(pkeyKeLen != nullptr, CHIP_ERROR_INVALID_ARGUMENT); + ChipLogProgress(Crypto, "Using HSM for spake ComputeRoundTwo \n"); + const uint8_t * const pab = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? NULL : in; const size_t pab_len = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? 0 : in_len; @@ -227,6 +231,8 @@ CHIP_ERROR Spake2p_KeyConfirm_HSM(hsm_pake_context_t * phsm_pake_context, chip:: VerifyOrReturnError(in != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(gex_sss_chip_ctx.ks.session != NULL, CHIP_ERROR_INTERNAL); + ChipLogProgress(Crypto, "Using HSM for spake KeyConfirm \n"); + uint8_t presult = 0; const SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId; const smStatus_t smstatus = Se05x_API_PAKEVerifySessionKeys(&((sss_se05x_session_t *) &gex_sss_chip_ctx.session)->s_ctx, @@ -298,6 +304,8 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginVerifier(const uint8_t * my_id VerifyOrReturnError(peer_identity != nullptr, CHIP_ERROR_INVALID_ARGUMENT); } + ChipLogProgress(Crypto, "HSM - BeginVerifier \n"); + error = FELoad(w0in, w0in_len, w0); VerifyOrReturnError(error == CHIP_NO_ERROR, CHIP_ERROR_INTERNAL); @@ -376,6 +384,8 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginProver(const uint8_t * my_iden VerifyOrReturnError(state == CHIP_SPAKE2P_STATE::INIT, CHIP_ERROR_INTERNAL); + ChipLogProgress(Crypto, "HSM - BeginProver \n"); + error = FELoad(w0in, w0in_len, w0); VerifyOrReturnError(error == CHIP_NO_ERROR, CHIP_ERROR_INTERNAL); diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp index 391156b251c37e..5f07cec5893d97 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp @@ -134,7 +134,7 @@ void se05x_delete_key(uint32_t keyid) } else { - ChipLogError(Crypto, "se05x error: %s\n", "Key doesnot exists"); + ChipLogError(Crypto, "se05x warn: %s\n", "Key doesnot exists"); } } else From 3ac7270bc6dad3e1f675a07745e834adef105678 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Wed, 23 Jun 2021 23:23:43 +0530 Subject: [PATCH 06/15] build fix --- src/transport/AdminPairingTable.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/transport/AdminPairingTable.h b/src/transport/AdminPairingTable.h index 1b2126c762c29f..6a02aa86aaa19d 100644 --- a/src/transport/AdminPairingTable.h +++ b/src/transport/AdminPairingTable.h @@ -25,12 +25,19 @@ #include #include #include +#if CHIP_CRYPTO_HSM +#include +#endif #include #include #include #include #include +#ifdef ENABLE_HSM_CASE_OPS_KEY +#define CASE_OPS_KEY 0xCA5EECC0 +#endif + namespace chip { namespace Transport { From 648ea95f0a34c54a5e5a2106131265ffccfe2f58 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Thu, 24 Jun 2021 23:18:54 +0530 Subject: [PATCH 07/15] Using HSM for ops key --- src/transport/AdminPairingTable.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/transport/AdminPairingTable.h b/src/transport/AdminPairingTable.h index 6a02aa86aaa19d..9f3115126f2a9c 100644 --- a/src/transport/AdminPairingTable.h +++ b/src/transport/AdminPairingTable.h @@ -105,7 +105,12 @@ class DLL_EXPORT AdminPairingInfo { if (mOperationalKey == nullptr) { +#ifdef ENABLE_HSM_CASE_OPS_KEY + mOperationalKey = chip::Platform::New(); + mOperationalKey->SetKeyId(CASE_OPS_KEY); +#else mOperationalKey = chip::Platform::New(); +#endif mOperationalKey->Initialize(); } return mOperationalKey; @@ -167,7 +172,11 @@ class DLL_EXPORT AdminPairingInfo AccessControlList mACL; +#ifdef ENABLE_HSM_CASE_OPS_KEY + Crypto::P256KeypairHSM * mOperationalKey = nullptr; +#else Crypto::P256Keypair * mOperationalKey = nullptr; +#endif uint8_t * mRootCert = nullptr; uint16_t mRootCertLen = 0; From 7af515c7eeeb3daa1afeb20584e09b734c35bb35 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Thu, 24 Jun 2021 23:23:27 +0530 Subject: [PATCH 08/15] Using HSM for OPS key --- src/transport/AdminPairingTable.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/transport/AdminPairingTable.cpp b/src/transport/AdminPairingTable.cpp index 8cb13c122c5750..f704e15f192363 100644 --- a/src/transport/AdminPairingTable.cpp +++ b/src/transport/AdminPairingTable.cpp @@ -139,7 +139,12 @@ CHIP_ERROR AdminPairingInfo::FetchFromKVS(PersistentStorageDelegate * kvs) if (mOperationalKey == nullptr) { +#ifdef ENABLE_HSM_CASE_OPS_KEY + mOperationalKey = chip::Platform::New(); + mOperationalKey->SetKeyId(CASE_OPS_KEY); +#else mOperationalKey = chip::Platform::New(); +#endif } VerifyOrExit(mOperationalKey != nullptr, err = CHIP_ERROR_NO_MEMORY); SuccessOrExit(err = mOperationalKey->Deserialize(info->mOperationalKey)); From c03542220d223bc1b7027b694317606f88b48e6e Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Thu, 24 Jun 2021 23:25:15 +0530 Subject: [PATCH 09/15] Using HSM for ops key --- src/transport/AdminPairingTable.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/transport/AdminPairingTable.cpp b/src/transport/AdminPairingTable.cpp index f704e15f192363..2b2f7a901d53a1 100644 --- a/src/transport/AdminPairingTable.cpp +++ b/src/transport/AdminPairingTable.cpp @@ -196,7 +196,12 @@ CHIP_ERROR AdminPairingInfo::SetOperationalKey(const P256Keypair & key) ReturnErrorOnFailure(key.Serialize(serialized)); if (mOperationalKey == nullptr) { +#ifdef ENABLE_HSM_CASE_OPS_KEY + mOperationalKey = chip::Platform::New(); + mOperationalKey->SetKeyId(CASE_OPS_KEY); +#else mOperationalKey = chip::Platform::New(); +#endif } VerifyOrReturnError(mOperationalKey != nullptr, CHIP_ERROR_NO_MEMORY); return mOperationalKey->Deserialize(serialized); From be36db82516fd061f4b535099eb7459f842659c6 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Thu, 24 Jun 2021 23:29:01 +0530 Subject: [PATCH 10/15] added logs --- src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp index f27f60d478ba09..c19c0349852537 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp @@ -570,6 +570,7 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00 }; + ChipLogDetail(Crypto, "NewCertificateSigningRequest: Using SE05X for creating CSR !"); // No extensions are copied buffer_index = buffer_index - 2; From 0bcdd3b0c8aee553c78e6f36152544d724d2ce2e Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Fri, 25 Jun 2021 00:04:30 +0530 Subject: [PATCH 11/15] logs --- src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index 287e000c0b3367..9cce25e017f66d 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -150,7 +150,7 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c #endif SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId; - ChipLogProgress(Crypto, "Using HSM for spake ComputeRoundOne \n"); + ChipLogProgress(Crypto, "Using HSM for spake2p ComputeRoundOne \n"); VerifyOrReturnError(out != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(out_len != nullptr, CHIP_ERROR_INVALID_ARGUMENT); @@ -209,7 +209,7 @@ CHIP_ERROR Spake2p_ComputeRoundTwo_HSM(hsm_pake_context_t * phsm_pake_context, c VerifyOrReturnError(pKeyKe != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(pkeyKeLen != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - ChipLogProgress(Crypto, "Using HSM for spake ComputeRoundTwo \n"); + ChipLogProgress(Crypto, "Using HSM for spake2p ComputeRoundTwo \n"); const uint8_t * const pab = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? NULL : in; const size_t pab_len = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? 0 : in_len; @@ -231,7 +231,7 @@ CHIP_ERROR Spake2p_KeyConfirm_HSM(hsm_pake_context_t * phsm_pake_context, chip:: VerifyOrReturnError(in != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(gex_sss_chip_ctx.ks.session != NULL, CHIP_ERROR_INTERNAL); - ChipLogProgress(Crypto, "Using HSM for spake KeyConfirm \n"); + ChipLogProgress(Crypto, "Using HSM for spake2p KeyConfirm \n"); uint8_t presult = 0; const SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId; From 970fc37e22a85f5b194b675364b6dc2813c1cb8a Mon Sep 17 00:00:00 2001 From: Jagadish B E Date: Fri, 25 Jun 2021 11:47:39 +0530 Subject: [PATCH 12/15] restyled --- .../hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp | 106 ++++++++---------- .../nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp | 3 +- src/protocols/secure_channel/CASESession.cpp | 14 +-- src/protocols/secure_channel/CASESession.h | 7 +- third_party/simw-top-mini/BUILD.gn | 5 +- 5 files changed, 60 insertions(+), 75 deletions(-) diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp index c19c0349852537..abc99601db2f11 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp @@ -32,16 +32,15 @@ /* Used for CSR generation */ // Organisation info. -#define SUBJECT_STR "CSR" -#define ASN1_BIT_STRING 0x03 -#define ASN1_NULL 0x05 -#define ASN1_OID 0x06 -#define ASN1_SEQUENCE 0x10 -#define ASN1_SET 0x11 -#define ASN1_UTF8_STRING 0x0C -#define ASN1_CONSTRUCTED 0x20 -#define ASN1_CONTEXT_SPECIFIC 0x80 - +#define SUBJECT_STR "CSR" +#define ASN1_BIT_STRING 0x03 +#define ASN1_NULL 0x05 +#define ASN1_OID 0x06 +#define ASN1_SEQUENCE 0x10 +#define ASN1_SET 0x11 +#define ASN1_UTF8_STRING 0x0C +#define ASN1_CONSTRUCTED 0x20 +#define ASN1_CONTEXT_SPECIFIC 0x80 namespace chip { namespace Crypto { @@ -496,18 +495,17 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, return error; } - -static void add_tlv(uint8_t* buf, size_t buf_index, uint8_t tag, size_t len, uint8_t* val) +static void add_tlv(uint8_t * buf, size_t buf_index, uint8_t tag, size_t len, uint8_t * val) { - buf[buf_index++] = (uint8_t)tag; - buf[buf_index++] = (uint8_t)len; - if (len > 0 && val != NULL){ + buf[buf_index++] = (uint8_t) tag; + buf[buf_index++] = (uint8_t) len; + if (len > 0 && val != NULL) + { memcpy(&buf[buf_index], val, len); buf_index = buf_index + len; } } - /* * CSR format used in the below function, * @@ -548,27 +546,25 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & sss_object_t keyObject = { 0 }; sss_digest_t digest_ctx = { 0 }; - uint8_t data_to_hash[128] = { 0 }; - size_t data_to_hash_len = sizeof(data_to_hash); - uint8_t pubkey[128] = { 0 }; - size_t pubKeyLen = 0; - uint8_t hash[32] = { 0 }; - size_t hash_length = sizeof(hash); - uint8_t signature[128] = { 0 }; - size_t signature_len = sizeof(signature); + uint8_t data_to_hash[128] = { 0 }; + size_t data_to_hash_len = sizeof(data_to_hash); + uint8_t pubkey[128] = { 0 }; + size_t pubKeyLen = 0; + uint8_t hash[32] = { 0 }; + size_t hash_length = sizeof(hash); + uint8_t signature[128] = { 0 }; + size_t signature_len = sizeof(signature); - size_t csr_index = 0; - size_t buffer_index = data_to_hash_len; + size_t csr_index = 0; + size_t buffer_index = data_to_hash_len; - uint8_t organisation_oid[3]= { 0x55, 0x04, 0x0a }; + uint8_t organisation_oid[3] = { 0x55, 0x04, 0x0a }; - //Version ::= INTEGER { v1(0), v2(1), v3(2) } - uint8_t version[3] = { 0x02, 0x01, 0x00 }; - uint8_t signature_oid[8] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 }; - uint8_t nist256_header[] = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, - 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, - 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, - 0x42, 0x00 }; + // Version ::= INTEGER { v1(0), v2(1), v3(2) } + uint8_t version[3] = { 0x02, 0x01, 0x00 }; + uint8_t signature_oid[8] = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 }; + uint8_t nist256_header[] = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, + 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00 }; ChipLogDetail(Crypto, "NewCertificateSigningRequest: Using SE05X for creating CSR !"); @@ -591,13 +587,12 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & buffer_index = buffer_index - pubKeyLen; VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); - memcpy((void*)&data_to_hash[buffer_index], pubkey, pubKeyLen); - + memcpy((void *) &data_to_hash[buffer_index], pubkey, pubKeyLen); // Copy subject (in the current implementation only organisation name info is added) and organisation OID - buffer_index = buffer_index - (1 + 1 + sizeof(SUBJECT_STR)-1); + buffer_index = buffer_index - (1 + 1 + sizeof(SUBJECT_STR) - 1); VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); - add_tlv(data_to_hash, buffer_index, ASN1_UTF8_STRING, sizeof(SUBJECT_STR)-1, (uint8_t*)SUBJECT_STR); + add_tlv(data_to_hash, buffer_index, ASN1_UTF8_STRING, sizeof(SUBJECT_STR) - 1, (uint8_t *) SUBJECT_STR); buffer_index = buffer_index - (1 + 1 + sizeof(organisation_oid)); VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); @@ -609,37 +604,29 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & // Org OID TLV ==> 1 + 1 + len(organisation_oid) VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), - (4 + (sizeof(SUBJECT_STR)-1) + sizeof(organisation_oid)), - NULL); + (4 + (sizeof(SUBJECT_STR) - 1) + sizeof(organisation_oid)), NULL); buffer_index = buffer_index - 2; VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); - add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SET), - (6 + (sizeof(SUBJECT_STR)-1) + sizeof(organisation_oid)), - NULL); + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SET), (6 + (sizeof(SUBJECT_STR) - 1) + sizeof(organisation_oid)), + NULL); buffer_index = buffer_index - 2; VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), - (8 + (sizeof(SUBJECT_STR)-1) + sizeof(organisation_oid)), - NULL); - + (8 + (sizeof(SUBJECT_STR) - 1) + sizeof(organisation_oid)), NULL); buffer_index = buffer_index - 3; VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); - memcpy((void*)&data_to_hash[buffer_index], version, sizeof(version)); + memcpy((void *) &data_to_hash[buffer_index], version, sizeof(version)); buffer_index = buffer_index - 2; VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL); - add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), - (data_to_hash_len - buffer_index - 2), - NULL); + add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), (data_to_hash_len - buffer_index - 2), NULL); // TLV data is created by copying from backwards. move it to start of buffer. data_to_hash_len = (data_to_hash_len - buffer_index); - memmove(data_to_hash, (data_to_hash+buffer_index), data_to_hash_len); - - + memmove(data_to_hash, (data_to_hash + buffer_index), data_to_hash_len); /* Create hash of `data_to_hash` buffer */ status = sss_digest_context_init(&digest_ctx, &gex_sss_chip_ctx.session, kAlgorithm_SSS_SHA256, kMode_SSS_Digest); @@ -648,7 +635,6 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & status = sss_digest_one_go(&digest_ctx, data_to_hash, data_to_hash_len, hash, &hash_length); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - // Sign on hash status = sss_key_object_init(&keyObject, &gex_sss_chip_ctx.ks); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); @@ -664,16 +650,16 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & VerifyOrExit((csr_index + 3) <= csr_length, error = CHIP_ERROR_INTERNAL); csr[csr_index++] = (ASN1_CONSTRUCTED | ASN1_SEQUENCE); - if ( (data_to_hash_len + 14 + 2 + signature_len) >= 0x80) { + if ((data_to_hash_len + 14 + 2 + signature_len) >= 0x80) + { csr[csr_index++] = 0x81; } csr[csr_index++] = (uint8_t)(data_to_hash_len + 14 + 2 + signature_len); VerifyOrExit((csr_index + data_to_hash_len) <= csr_length, error = CHIP_ERROR_INTERNAL); - memcpy( (csr+csr_index), data_to_hash, data_to_hash_len); + memcpy((csr + csr_index), data_to_hash, data_to_hash_len); csr_index = csr_index + data_to_hash_len; - // ECDSA SHA256 Signature OID TLV ==> 1 + 1 + len(signature_oid) (8) // ASN_NULL ==> 1 + 1 VerifyOrExit((csr_index + 2) <= csr_length, error = CHIP_ERROR_INTERNAL); @@ -690,9 +676,10 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & VerifyOrExit((csr_index + 2) <= csr_length, error = CHIP_ERROR_INTERNAL); csr[csr_index++] = ASN1_BIT_STRING; - csr[csr_index++] = (uint8_t)((signature[0] != 0)? (signature_len+1) : (signature_len)); + csr[csr_index++] = (uint8_t)((signature[0] != 0) ? (signature_len + 1) : (signature_len)); - if (signature[0] != 0){ + if (signature[0] != 0) + { VerifyOrExit(csr_index <= csr_length, error = CHIP_ERROR_INTERNAL); csr[csr_index++] = 0x00; // Increament total count by 1 @@ -718,7 +705,6 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & return error; } - } // namespace Crypto } // namespace chip diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index 9cce25e017f66d..967e1338662807 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -265,7 +265,8 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::Init(const uint8_t * context, size_ } VerifyOrReturnError(context_len <= sizeof(hsm_pake_context.spake_context), CHIP_ERROR_INTERNAL); memset(hsm_pake_context.spake_context, 0, sizeof(hsm_pake_context.spake_context)); - if (context_len > 0){ + if (context_len > 0) + { memcpy(hsm_pake_context.spake_context, context, context_len); } hsm_pake_context.spake_context_len = context_len; diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index aebb8c6212b93e..f597dae3345042 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -322,10 +322,10 @@ CHIP_ERROR CASESession::SendSigmaR1() // Fill in the random value ReturnErrorOnFailure(DRBG_get_bytes(msg, kSigmaParamRandomNumberSize)); - // Step 4 - #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY +// Step 4 +#ifdef ENABLE_HSM_CASE_EPHERMAL_KEY mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY); - #endif +#endif ReturnErrorOnFailure(mEphemeralKey.Initialize()); // Step 5 @@ -464,11 +464,11 @@ CHIP_ERROR CASESession::SendSigmaR2() msg_rand->SetDataLength(kSigmaParamRandomNumberSize); - // Step 3 - // hardcoded to use a p256keypair - #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY +// Step 3 +// hardcoded to use a p256keypair +#ifdef ENABLE_HSM_CASE_EPHERMAL_KEY mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY); - #endif +#endif err = mEphemeralKey.Initialize(); SuccessOrExit(err); diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h index 956e33cb6c5476..67d81fa47b8840 100644 --- a/src/protocols/secure_channel/CASESession.h +++ b/src/protocols/secure_channel/CASESession.h @@ -54,7 +54,6 @@ constexpr uint16_t kMaxTrustedRootIds = 5; constexpr uint16_t kIPKSize = 32; - #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY #define CASE_EPHEMERAL_KEY 0xCA5EECD0 #endif @@ -253,11 +252,11 @@ class DLL_EXPORT CASESession : public Messaging::ExchangeDelegate, public Pairin Hash_SHA256_stream mCommissioningHash; P256PublicKey mRemotePubKey; - #ifdef ENABLE_HSM_CASE_EPHERMAL_KEY +#ifdef ENABLE_HSM_CASE_EPHERMAL_KEY P256KeypairHSM mEphemeralKey; - #else +#else P256Keypair mEphemeralKey; - #endif +#endif P256ECDHDerivedSecret mSharedSecret; OperationalCredentialSet * mOpCredSet; CertificateKeyId mTrustedRootId; diff --git a/third_party/simw-top-mini/BUILD.gn b/third_party/simw-top-mini/BUILD.gn index 260395c7e9ae0c..300adb83957fb6 100644 --- a/third_party/simw-top-mini/BUILD.gn +++ b/third_party/simw-top-mini/BUILD.gn @@ -98,11 +98,10 @@ source_set("se05x") { "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/ksdk/i2c_dk6.c", "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/ksdk/timer_kinetis_freertos.c", ] - } - else if (host == "host_linux") { + } else if (host == "host_linux") { sources += [ - "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/linux/i2c_a7.c", "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/generic/sm_timer.c", + "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/linux/i2c_a7.c", ] } From 7029e4c133bd389b78b641249d11d4cc5e175108 Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Fri, 25 Jun 2021 13:48:29 +0530 Subject: [PATCH 13/15] updated readme --- src/crypto/hsm/nxp/README.md | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/crypto/hsm/nxp/README.md b/src/crypto/hsm/nxp/README.md index 7684b96409c918..2ab5a832388b47 100644 --- a/src/crypto/hsm/nxp/README.md +++ b/src/crypto/hsm/nxp/README.md @@ -2,22 +2,19 @@ ## Introduction -CHIPCryptoPALHsm_SE05X.cpp file provides the integration of secure element +CHIPCryptoPALHsm_SE05X_*.cpp file provides the integration of secure element (SE05x) in crypto layer of CHIP stack. By enabling the required directives in CHIPCryptoPALHsm_config.h header file, required crypto operations can be performed using SE05x. By default, the secure element is enabled only for PAKE -(Verifier role) operations. +(Verifier/Prover role) operations and HKDF. -Following table shows the operations supported by secure element. +Following are the list operations supported by secure element. + + 1. PAKE + 2. ECC KEY - P256 (Disabled by default) + 3. PBKDF (Disabled by default) + 4. HKDF -+-------------------------+-----------+----------------+---------------------------------+------------+----------------------------+ -| Operation | Software | Default config | Note | Re-entrant | Directive to -enabled in | | | fallback | value | | | CHIPCryptoPALHsm_config.h | -+-------------------------+-----------+----------------+---------------------------------+------------+----------------------------+ -| SPAKE Verifier | No | Enabled | - | No | ENABLE_HSM_SPAKE_VERIFIER | -+-------------------------+-----------+----------------+---------------------------------+------------+----------------------------+ -| SPAKE Prover | No | Enabled | - | No | ENABLE_HSM_SPAKE_PROVER | -+-------------------------+-----------+----------------+---------------------------------+------------+----------------------------+ ## Build @@ -25,7 +22,7 @@ enabled in | | | fallback | value | | | CHIPCryptoPALHsm_config.h | layer, ``` -smcom=\"t1oi2c\" chip_with_se05x=1 +chip_with_se05x=1 ``` ## Known Limitations: From 8b75dee75076dfe2e281de8eb9641124f13761cd Mon Sep 17 00:00:00 2001 From: sujaygkulkarni Date: Fri, 25 Jun 2021 14:08:27 +0530 Subject: [PATCH 14/15] updated readme --- src/crypto/hsm/nxp/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/crypto/hsm/nxp/README.md b/src/crypto/hsm/nxp/README.md index 2ab5a832388b47..e4c85aed79c15e 100644 --- a/src/crypto/hsm/nxp/README.md +++ b/src/crypto/hsm/nxp/README.md @@ -22,7 +22,7 @@ Following are the list operations supported by secure element. layer, ``` -chip_with_se05x=1 +chip_with_se05x=1 host = "host_k32w" ``` ## Known Limitations: From 862076c5ccf8f926d2f495ed54ec9f4e3d2f5639 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Fri, 25 Jun 2021 08:38:59 +0000 Subject: [PATCH 15/15] Restyled by prettier-markdown --- src/crypto/hsm/nxp/README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/crypto/hsm/nxp/README.md b/src/crypto/hsm/nxp/README.md index e4c85aed79c15e..2c18a5108a4b47 100644 --- a/src/crypto/hsm/nxp/README.md +++ b/src/crypto/hsm/nxp/README.md @@ -2,7 +2,7 @@ ## Introduction -CHIPCryptoPALHsm_SE05X_*.cpp file provides the integration of secure element +CHIPCryptoPALHsm*SE05X*\*.cpp file provides the integration of secure element (SE05x) in crypto layer of CHIP stack. By enabling the required directives in CHIPCryptoPALHsm_config.h header file, required crypto operations can be performed using SE05x. By default, the secure element is enabled only for PAKE @@ -10,11 +10,10 @@ performed using SE05x. By default, the secure element is enabled only for PAKE Following are the list operations supported by secure element. - 1. PAKE - 2. ECC KEY - P256 (Disabled by default) - 3. PBKDF (Disabled by default) - 4. HKDF - + 1. PAKE + 2. ECC KEY - P256 (Disabled by default) + 3. PBKDF (Disabled by default) + 4. HKDF ## Build