Skip to content

Commit

Permalink
[crypto] implement PBKDF2 key generation using PSA
Browse files Browse the repository at this point in the history
This commit adds support for PBKDF2 operation using PSA crypto. We import the salt and password into PSA and generate the key. The generated key is then exported into a flat buffer and all the transient keys are destroyed.
Remove dependency on psa_crypto_pbkdf2 component, psa_crypto_pbkdf2_cmac should be enough for our usecase

Co-authored-by: Hemanth Rao <[email protected]>
  • Loading branch information
lmnotran and Hemanth Rao committed Dec 8, 2023
1 parent 1ad2f42 commit 75d467d
Show file tree
Hide file tree
Showing 7 changed files with 140 additions and 1 deletion.
2 changes: 1 addition & 1 deletion ot-efr32.slce
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,6 @@ description: "ot-efr32 extension for Gecko SDK Suite"
label: "Silicon Labs Matter"
sdk:
id: gecko_sdk
version: 4.2.1
version: 4.3.2
component_path:
- path: slc/component
30 changes: 30 additions & 0 deletions slc/component/ot_psa_crypto.slcc
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
id: ot_psa_crypto
label: PSA Crypto
package: OpenThread
category: OpenThread
quality: production
description: This component references to all the third party support needed by the OpenThread stack
ui_hints:
visibility: never
provides:
- name: ot_psa_crypto
requires:
- name: psa_crypto
- name: psa_its
- name: psa_crypto_hkdf
- name: psa_crypto_cmac
- name: psa_crypto_hmac
- name: psa_crypto_tls12_prf
- name: psa_crypto_tls12_psk_to_ms
- name: psa_crypto_sha256
- name: psa_crypto_ecdh
- name: psa_crypto_ecdsa
- name: psa_crypto_ecc_secp256r1
- name: psa_crypto_pbkdf2_cmac
template_contribution:
- name: mbedtls_config
value: MBEDTLS_USE_PSA_CRYPTO
- name: psa_key_slots
value:
name: psa_key_slots_openthread
count: 15
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ quality: production
component:
- id: ot_platform_abstraction_core
- id: ot_psa_crypto
from: ot-efr32
- id: ot_thirdparty
- id: uartdrv_usart
instance:
Expand Down Expand Up @@ -53,3 +54,10 @@ configuration:
define:
- name: OPENTHREAD_CONFIG_MAC_CSL_RECEIVER_ENABLE
value: 1

sdk:
id: gecko_sdk
version: 4.3.2
sdk_extension:
- id: ot-efr32
version: 0.0.1
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ quality: production
component:
- id: ot_platform_abstraction_core
- id: ot_psa_crypto
from: ot-efr32
- id: ot_thirdparty
- id: uartdrv_usart
instance:
Expand Down Expand Up @@ -49,3 +50,10 @@ configuration:
condition: [freertos]
- name: SL_STACK_SIZE
value: 4608

sdk:
id: gecko_sdk
version: 4.3.2
sdk_extension:
- id: ot-efr32
version: 0.0.1
8 changes: 8 additions & 0 deletions src/platform_projects/openthread-efr32-soc-with-buttons.slcp
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ quality: production
component:
- id: ot_platform_abstraction_core
- id: ot_psa_crypto
from: ot-efr32
- id: ot_thirdparty
- id: uartdrv_usart
instance:
Expand Down Expand Up @@ -48,3 +49,10 @@ configuration:
condition: [freertos]
- name: SL_STACK_SIZE
value: 4608

sdk:
id: gecko_sdk
version: 4.3.2
sdk_extension:
- id: ot-efr32
version: 0.0.1
8 changes: 8 additions & 0 deletions src/platform_projects/openthread-efr32-soc.slcp
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ quality: production
component:
- id: ot_platform_abstraction_core
- id: ot_psa_crypto
from: ot-efr32
- id: ot_thirdparty
- id: uartdrv_usart
instance:
Expand Down Expand Up @@ -35,3 +36,10 @@ configuration:
condition: [freertos]
- name: SL_STACK_SIZE
value: 4608

sdk:
id: gecko_sdk
version: 4.3.2
sdk_extension:
- id: ot-efr32
version: 0.0.1
77 changes: 77 additions & 0 deletions src/src/crypto.c
Original file line number Diff line number Diff line change
Expand Up @@ -555,4 +555,81 @@ otError otPlatCryptoEcdsaVerifyUsingKeyRef(otCryptoKeyRef aKe
return error;
}

otError otPlatCryptoPbkdf2GenerateKey(const uint8_t *aPassword,
uint16_t aPasswordLen,
const uint8_t *aSalt,
uint16_t aSaltLen,
uint32_t aIterationCounter,
uint16_t aKeyLen,
uint8_t *aKey)
{
psa_status_t status;
size_t outSize;
psa_key_id_t passwordKeyId = 0;
psa_key_id_t saltKeyId = 0;
psa_key_id_t keyId = 0;

// Algorithm is PBKDF2-AES-CMAC-PRF-128
psa_algorithm_t algo = PSA_ALG_PBKDF2_AES_CMAC_PRF_128;

// Initialize key derivation
psa_key_derivation_operation_t operation = psa_key_derivation_operation_init();
status = psa_key_derivation_setup(&operation, algo);
assert(status == PSA_SUCCESS);

// Set capacity
status = psa_key_derivation_set_capacity(&operation, aKeyLen);
assert(status == PSA_SUCCESS);

// Set iteration count as cost
status = psa_key_derivation_input_integer(&operation, PSA_KEY_DERIVATION_INPUT_COST, aIterationCounter);
assert(status == PSA_SUCCESS);

// Create salt as a key
psa_key_attributes_t saltKeyAttr = psa_key_attributes_init();
psa_set_key_usage_flags(&saltKeyAttr, PSA_KEY_USAGE_DERIVE);
psa_set_key_type(&saltKeyAttr, PSA_KEY_TYPE_RAW_DATA);
psa_set_key_algorithm(&saltKeyAttr, algo);
assert(status == PSA_SUCCESS);

status = psa_import_key(&saltKeyAttr, aSalt, aSaltLen, &saltKeyId);
assert(status == PSA_SUCCESS);

// Provide salt
status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_SALT, saltKeyId);
assert(status == PSA_SUCCESS);

// Create key for password (key)
psa_key_attributes_t passwordKeyAttr = psa_key_attributes_init();
psa_set_key_usage_flags(&passwordKeyAttr, PSA_KEY_USAGE_DERIVE);
psa_set_key_type(&passwordKeyAttr, PSA_KEY_TYPE_PASSWORD);
psa_set_key_algorithm(&passwordKeyAttr, algo);

status = psa_import_key(&passwordKeyAttr, aPassword, aPasswordLen, &passwordKeyId);
assert(status == PSA_SUCCESS);

// Provide password (key)
status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_PASSWORD, passwordKeyId);
assert(status == PSA_SUCCESS);

// Configure output as a key
psa_key_attributes_t keyAttrResult = psa_key_attributes_init();
psa_set_key_bits(&keyAttrResult, (8 * aKeyLen));
psa_set_key_usage_flags(&keyAttrResult, PSA_KEY_USAGE_EXPORT);
psa_set_key_type(&keyAttrResult, PSA_KEY_TYPE_RAW_DATA);
psa_set_key_algorithm(&keyAttrResult, PSA_ALG_CTR);

status = psa_key_derivation_output_key(&keyAttrResult, &operation, &keyId);
assert(status == PSA_SUCCESS);

// Export output key
status = psa_export_key(keyId, aKey, aKeyLen, &outSize);
assert(status == PSA_SUCCESS);

// Release keys used
psa_destroy_key(keyId);
psa_destroy_key(saltKeyId);
psa_destroy_key(passwordKeyId);
}

#endif // OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE

0 comments on commit 75d467d

Please sign in to comment.