diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp index d38573d1d14695..f20138f61298e6 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp @@ -129,10 +129,11 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length uint8_t hash[kSHA256_Hash_Length] = { 0, }; - size_t hashLen = sizeof(hash); - sss_status_t status = kStatus_SSS_Success; - sss_object_t keyObject = { 0 }; - size_t siglen = out_signature.Capacity(); + size_t hashLen = sizeof(hash); + sss_status_t status = kStatus_SSS_Success; + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[80] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -182,10 +183,15 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length status = sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Sign); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hashLen, Uint8::to_uchar(out_signature), &siglen); + status = sss_asymmetric_sign_digest(&asymm_ctx, hash, hashLen, signature_se05x, &signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - SuccessOrExit(out_signature.SetLength(siglen)); + VerifyOrExit(CHIP_NO_ERROR == + EcdsaAsn1SignatureToRaw(kP256_FE_Length, signature_se05x, signature_se05x_len, out_signature.Bytes(), + out_signature.Capacity()), + error = CHIP_ERROR_INTERNAL); + + SuccessOrExit(out_signature.SetLength(2 * kP256_FE_Length)); error = CHIP_NO_ERROR; exit: 
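Review bot: The DER scratch buffer in ECDSA_sign_msg is sized with a bare literal, `uint8_t signature_se05x[80]`, and the same literal is repeated in the declaration hunks of ECDSA_sign_hash, ECDSA_validate_msg_signature and ECDSA_validate_hash_signature. A DER-encoded P-256 ECDSA signature is at most 72 bytes (a SEQUENCE header plus two INTEGERs of up to 33 content bytes each), so 80 is enough, but nothing in the code records that. I would define one file-local constant, e.g. `constexpr size_t kSE05xDerSignatureMaxLength = 80; // >= 72-byte max DER P-256 signature`, and size all four buffers from it. The function body continues outside this hunk.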
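Review bot: The signing block in ECDSA_sign_msg has no comment explaining why the secure element's output is staged in `signature_se05x` and then converted; the same applies to the matching hunk in ECDSA_sign_hash. From the calls, the element output is treated as ASN.1 and `out_signature` is filled with a fixed `2 * kP256_FE_Length` bytes. A comment above the conversion, such as `// SE05x output is ASN.1-encoded; P256ECDSASignature holds raw r||s of 2 * kP256_FE_Length bytes`, would keep a later reader from passing `out_signature` straight to the element again. The start of the function and its `exit:` cleanup are outside this hunk.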
@@ -202,11 +208,12 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; - sss_asymmetric_t asymm_ctx = { 0 }; - sss_status_t status = kStatus_SSS_Success; - sss_object_t keyObject = { 0 }; - size_t siglen = out_signature.Capacity(); + CHIP_ERROR error = CHIP_ERROR_INTERNAL; + sss_asymmetric_t asymm_ctx = { 0 }; + sss_status_t status = kStatus_SSS_Success; + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[80] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(hash_length == kSHA256_Hash_Length, CHIP_ERROR_INVALID_ARGUMENT); @@ -228,10 +235,15 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_len VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); status = - sss_asymmetric_sign_digest(&asymm_ctx, const_cast(hash), hash_length, Uint8::to_uchar(out_signature), &siglen); + sss_asymmetric_sign_digest(&asymm_ctx, const_cast(hash), hash_length, signature_se05x, &signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - SuccessOrExit(out_signature.SetLength(siglen)); + VerifyOrExit(CHIP_NO_ERROR == + EcdsaAsn1SignatureToRaw(kP256_FE_Length, signature_se05x, signature_se05x_len, out_signature.Bytes(), + out_signature.Capacity()), + error = CHIP_ERROR_INTERNAL); + + SuccessOrExit(out_signature.SetLength(2 * kP256_FE_Length)); error = CHIP_NO_ERROR; exit: 
@@ -364,8 +376,10 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s uint8_t hash[32] = { 0, }; - size_t hash_length = sizeof(hash); - sss_object_t keyObject = { 0 }; + size_t hash_length = sizeof(hash); + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[80] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -425,8 +439,12 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Verify); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - status = sss_asymmetric_verify_digest(&asymm_ctx, hash, hash_length, (uint8_t *) Uint8::to_const_uchar(signature), - signature.Length()); + VerifyOrExit(CHIP_NO_ERROR == + EcdsaRawSignatureToAsn1(kP256_FE_Length, Uint8::to_const_uchar(signature.ConstBytes()), signature.Length(), + signature_se05x, signature_se05x_len, signature_se05x_len), + error = CHIP_ERROR_INVALID_SIGNATURE); + + status = sss_asymmetric_verify_digest(&asymm_ctx, hash, hash_length, (uint8_t *) signature_se05x, signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INVALID_SIGNATURE); error = CHIP_NO_ERROR; 
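Review bot: `signature_se05x_len` is passed twice to `EcdsaRawSignatureToAsn1` in ECDSA_validate_msg_signature, once as the buffer capacity and once as the output length; the same call appears in ECDSA_validate_hash_signature. If the last parameter is an output reference, as the call suggests, this is correct only because the capacity argument is copied before the callee writes the length. Passing the capacity explicitly, `signature_se05x, sizeof(signature_se05x), signature_se05x_len`, removes that dependence and reads more clearly. The `(uint8_t *)` cast on `signature_se05x` in the following `sss_asymmetric_verify_digest` call is redundant, since the array is already `uint8_t`, and can be dropped. The function body starts and ends outside this hunk.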
@@ -452,10 +470,12 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_msg_signature(const uint8_t * msg, s CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, size_t hash_length, const P256ECDSASignature & signature) const { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; - sss_status_t status = kStatus_SSS_Success; - sss_asymmetric_t asymm_ctx = { 0 }; - sss_object_t keyObject = { 0 }; + CHIP_ERROR error = CHIP_ERROR_INTERNAL; + sss_status_t status = kStatus_SSS_Success; + sss_asymmetric_t asymm_ctx = { 0 }; + sss_object_t keyObject = { 0 }; + uint8_t signature_se05x[80] = { 0 }; + size_t signature_se05x_len = sizeof(signature_se05x); VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(hash_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -485,8 +505,13 @@ CHIP_ERROR P256PublicKeyHSM::ECDSA_validate_hash_signature(const uint8_t * hash, sss_asymmetric_context_init(&asymm_ctx, &gex_sss_chip_ctx.session, &keyObject, kAlgorithm_SSS_SHA256, kMode_SSS_Verify); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INTERNAL); - status = sss_asymmetric_verify_digest(&asymm_ctx, const_cast(hash), hash_length, - (uint8_t *) Uint8::to_const_uchar(signature), signature.Length()); + VerifyOrExit(CHIP_NO_ERROR == + EcdsaRawSignatureToAsn1(kP256_FE_Length, Uint8::to_const_uchar(signature.ConstBytes()), signature.Length(), + signature_se05x, signature_se05x_len, signature_se05x_len), + error = CHIP_ERROR_INVALID_SIGNATURE); + + status = sss_asymmetric_verify_digest(&asymm_ctx, const_cast(hash), hash_length, (uint8_t *) signature_se05x, + signature_se05x_len); VerifyOrExit(status == kStatus_SSS_Success, error = CHIP_ERROR_INVALID_SIGNATURE); error = CHIP_NO_ERROR; diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index 9ca62a74c92b1e..ecf1e613fda9ff 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp 
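Review bot: ECDSA_validate_hash_signature accepts any non-zero digest length (`VerifyOrReturnError(hash_length > 0, ...)`), whereas ECDSA_sign_hash in this file requires `hash_length == kSHA256_Hash_Length` and the verify context here is initialised with `kAlgorithm_SSS_SHA256`. The commit leaves this check unchanged; I would tighten it to `VerifyOrReturnError(hash_length == kSHA256_Hash_Length, CHIP_ERROR_INVALID_ARGUMENT);` so that a truncated or oversized digest is rejected before it reaches the secure element. Whether the element itself rejects other lengths is not visible from here. The function body continues outside this hunk.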
+++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -286,7 +286,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginVerifier(const uint8_t * my_id const uint8_t * w0in, size_t w0in_len, const uint8_t * Lin, size_t Lin_len) { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; uint8_t w0in_mod[32] = { 0, }; @@ -353,7 +352,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginProver(const uint8_t * my_iden const uint8_t * w0in, size_t w0in_len, const uint8_t * w1in, size_t w1in_len) { - CHIP_ERROR error = CHIP_ERROR_INTERNAL; smStatus_t smstatus = SM_NOT_OK; uint8_t w0in_mod[32] = { 0,