From 39e07350bb0a9f87b960f44d0cbd3e6c54c94b33 Mon Sep 17 00:00:00 2001 From: "Ye Ying (IFAP CSS SMD AP TM SAE ITS)" Date: Fri, 12 Jul 2024 14:24:45 +0800 Subject: [PATCH] [Infineon] Trust M Code clean up and improve crypto performance Details : - Code clean up - Improve crypto performance - Minor bug fixes --- .../trustm/CHIPCryptoPALHsm_P256_trustm.cpp | 5 +- .../trustm/CHIPCryptoPALHsm_utils_trustm.cpp | 659 +++++++----------- 2 files changed, 244 insertions(+), 420 deletions(-) diff --git a/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_P256_trustm.cpp b/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_P256_trustm.cpp index 895b53222672b4..23856be89d93c1 100644 --- a/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_P256_trustm.cpp +++ b/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_P256_trustm.cpp @@ -277,8 +277,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, si size_t signature_trustm_len = sizeof(signature_trustm); MutableByteSpan out_der_sig_span(signature_trustm, signature_trustm_len); - uint8_t hash_length_u8 = static_cast(hash_length); - uint16_t signature_trustm_len_u16 = static_cast(signature_trustm_len); + uint8_t hash_length_u8 = static_cast(hash_length); VerifyOrReturnError(hash != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(hash_length > 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -292,7 +291,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, si signature_trustm_len = out_der_sig_span.size(); // ECC verify - return_status = trustm_ecdsa_verify((uint8_t *) hash, hash_length_u8, (uint8_t *) signature_trustm, signature_trustm_len_u16, + return_status = trustm_ecdsa_verify((uint8_t *) hash, hash_length_u8, (uint8_t *) signature_trustm, signature_trustm_len, (uint8_t *) bytes, (uint8_t) kP256_PublicKey_Length); VerifyOrExit(return_status == OPTIGA_LIB_SUCCESS, error = CHIP_ERROR_INTERNAL); diff --git a/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_utils_trustm.cpp b/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_utils_trustm.cpp index be25fd89b824d6..4623c3f852ff18 100644 --- a/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_utils_trustm.cpp +++ b/src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_utils_trustm.cpp @@ -36,9 +36,9 @@ #include "pal_os_timer.h" #include -optiga_crypt_t * p_local_crypt = NULL; -optiga_util_t * p_local_util = NULL; -static bool trustm_isOpen = false; +optiga_crypt_t * me_crypt = NULL; +optiga_util_t * me_util = NULL; +static bool trustm_isOpen = false; #define ENABLE_HMAC_MULTI_STEP (0) #define OPTIGA_UTIL_DER_BITSTRING_TAG (0x03) #define OPTIGA_UTIL_DER_NUM_UNUSED_BITS (0x00) @@ -55,10 +55,7 @@ static bool trustm_isOpen = false; void vApplicationTickHook(void); -void vApplicationTickHook(void) -{ - pal_os_event_trigger_registered_callback(); -} +void vApplicationTickHook(void) {} #define WAIT_FOR_COMPLETION(ret) \ if (OPTIGA_LIB_SUCCESS != ret) \ @@ -67,9 +64,7 @@ void vApplicationTickHook(void) } \ while (optiga_lib_status == OPTIGA_LIB_BUSY) \ { \ - pal_os_event_trigger_registered_callback(); \ } \ - \ if (OPTIGA_LIB_SUCCESS != optiga_lib_status) \ { \ ret = optiga_lib_status; \ @@ -113,7 +108,6 @@ static void optiga_crypt_callback(void * context, optiga_lib_status_t return_sta static bool init = false; void trustm_Open(void) { - optiga_lib_status_t xResult; uint16_t dOptigaOID = 0xE0C4; // Maximum Power, Minimum Current limitation uint8_t cCurrentLimit = 15; @@ -123,75 +117,74 @@ void trustm_Open(void) optiga_lib_status_t return_status; do { - /** - * 1. Create OPTIGA Crypt Instance - */ - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) + // Create Optiga crypt instance + if (me_crypt == NULL) { - break; + me_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); + if (NULL == me_crypt) + { + break; + } } - // printf("trustm created crypt Instance \r\n"); - /** - * 1. Create OPTIGA Util Instance - */ - p_local_util = optiga_util_create(0, optiga_util_callback, NULL); - if (NULL == p_local_util) + else { - break; + printf("Error: me_crypt already initialised\n"); + } + // Create Optiga Util instance + if (me_util == NULL) + { + me_util = optiga_util_create(0, optiga_util_callback, NULL); + if (NULL == me_util) + { + break; + } + } + else + { + printf("Error: me_crypt already initialised\n"); } - // printf("trustm created util Instance \r\n"); /** * Open the application on OPTIGA which is a precondition to perform any other operations * using optiga_util_open_application */ optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_util_open_application(p_local_util, 0); // skip restore - while (optiga_lib_status == OPTIGA_LIB_BUSY) - - // Only run once for initialisation - if (init) - { - xResult = optiga_util_write_data(p_local_util, dOptigaOID, OPTIGA_UTIL_WRITE_ONLY, 0, &cCurrentLimit, 1); - - if (OPTIGA_LIB_SUCCESS != xResult) - { - break; - } - while (optiga_lib_status == OPTIGA_LIB_BUSY) - ; - // Set init to true - init = true; - } - + return_status = optiga_util_open_application(me_util, 0); // skip restore if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_util_open_application api returns error !!! - printf("optiga_util_open_application api returns error !!!\n"); + printf("optiga_util_open_application api returns error %02X\n", return_status); break; } + // Wait until the optiga_util_open_application is completed + WAIT_FOR_COMPLETION(return_status); - while (optiga_lib_status == OPTIGA_LIB_BUSY) - ; - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) + if (OPTIGA_LIB_SUCCESS != return_status) { // optiga_util_open_application failed printf("optiga_util_open_application failed\n"); break; } + trustm_isOpen = true; - // printf("trustm open application successful \r\n"); - + // Only run once for initialisation + if (!init) + { + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_util_write_data(me_util, dOptigaOID, OPTIGA_UTIL_ERASE_AND_WRITE, 0, &cCurrentLimit, 1); + if (OPTIGA_LIB_SUCCESS != return_status) + { + printf("optiga_util_write_data api returns error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) + { + printf("optiga_util_write_data returns error\n"); + break; + } + // Set init to true + init = true; + } } while (0); - - // p_local_util and p_local_crypt instance can be destroyed - // if no close_application w.r.t hibernate is required to be performed - if (p_local_util || p_local_crypt) - { - optiga_util_destroy(p_local_util); - optiga_crypt_destroy(p_local_crypt); - } - trustm_isOpen = true; } } @@ -206,19 +199,28 @@ void trustm_close(void) * using optiga_util_close_application */ optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_util_close_application(p_local_util, 0); + return_status = optiga_util_close_application(me_util, 0); if (OPTIGA_LIB_SUCCESS != return_status) + { + printf("optiga_util_close_application api returns error %02X\n", return_status); break; + } + + WAIT_FOR_COMPLETION(return_status); - while (optiga_lib_status == OPTIGA_LIB_BUSY) + if (OPTIGA_LIB_SUCCESS != return_status) { - pal_os_event_trigger_registered_callback(); + // optiga_util_close_application failed + printf("optiga_util_close_application failed\n"); + break; } // destroy util and crypt instances - optiga_util_destroy(p_local_util); - optiga_crypt_destroy(p_local_crypt); + optiga_util_destroy(me_util); + optiga_crypt_destroy(me_crypt); pal_os_event_destroy(NULL); + me_util = NULL; + me_crypt = NULL; trustm_isOpen = false; return_status = OPTIGA_LIB_SUCCESS; } while (0); @@ -232,37 +234,25 @@ void read_certificate_from_optiga(uint16_t optiga_oid, char * cert_pem, uint16_t uint16_t size_to_copy = 0; optiga_lib_status_t return_status; - optiga_util_t * me_util = NULL; uint8_t ifx_cert_hex[1024]; uint16_t ifx_cert_hex_len = sizeof(ifx_cert_hex); do { - // Create an instance of optiga_util to read the certificate from OPTIGA. - me_util = optiga_util_create(0, optiga_util_callback, NULL); - if (!me_util) - { - optiga_lib_print_message("optiga_util_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } optiga_lib_status = OPTIGA_LIB_BUSY; return_status = optiga_util_read_data(me_util, optiga_oid, 0, ifx_cert_hex, &ifx_cert_hex_len); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_util_read_data api returns error !!! - optiga_lib_print_message("optiga_util_read_data api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_util_read_data api returns error %02X\n", return_status); break; } - - while (optiga_lib_status == OPTIGA_LIB_BUSY) - ; - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_util_read_data failed - optiga_lib_print_message("optiga_util_read_data failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_util_read_data returns error + printf("read_certificate_from_optiga failed\n"); break; } - // convert to PEM format // If the first byte is TLS Identity Tag, than we need to skip 9 first bytes offset_to_read = ifx_cert_hex[0] == 0xc0 ? 9 : 0; @@ -292,113 +282,52 @@ void read_certificate_from_optiga(uint16_t optiga_oid, char * cert_pem, uint16_t *cert_pem_length = offset_to_write + 27; } while (0); - - // me_util instance to be destroyed - if (me_util) - { - optiga_util_destroy(me_util); - } } + void write_data(uint16_t optiga_oid, const uint8_t * p_data, uint16_t length) { - optiga_util_t * me_util = NULL; optiga_lib_status_t return_status; do { - // Create an instance of optiga_util to open the application on OPTIGA. - me_util = optiga_util_create(0, optiga_util_callback, NULL); - if (!me_util) + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_util_write_data(me_util, optiga_oid, OPTIGA_UTIL_ERASE_AND_WRITE, 0, p_data, length); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_util_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_util_write_data api returns error %02X\n", return_status); break; } + WAIT_FOR_COMPLETION(return_status); - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_util_write_data(me_util, optiga_oid, OPTIGA_UTIL_ERASE_AND_WRITE, 0, p_data, length); + if (OPTIGA_LIB_SUCCESS != return_status) { - if (OPTIGA_LIB_SUCCESS != return_status) - { - optiga_lib_print_message("optiga_util_wirte_data api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); - break; - } - - while (OPTIGA_LIB_BUSY == optiga_lib_status) - { - // Wait until the optiga_util_write_data operation is completed - } - - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) - { - optiga_lib_print_message("optiga_util_write_data failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - return_status = optiga_lib_status; - break; - } - else - { - optiga_lib_print_message("optiga_util_write_data successful", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - } + printf("write_data failed\n"); + return_status = optiga_lib_status; + break; } } while (0); - - // me_util instance can be destroyed - // if no close_application w.r.t hibernate is required to be performed - if (me_util) - { - optiga_util_destroy(me_util); - } } void write_metadata(uint16_t optiga_oid, const uint8_t * p_data, uint8_t length) { - optiga_util_t * me_util = NULL; optiga_lib_status_t return_status; do { - // Create an instance of optiga_util to open the application on OPTIGA. - me_util = optiga_util_create(0, optiga_util_callback, NULL); - if (!me_util) + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_util_write_metadata(me_util, optiga_oid, p_data, length); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_util_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_util_write_metadata api returns error %02X\n", return_status); break; } - - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_util_write_metadata(me_util, optiga_oid, p_data, length); + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) { - if (OPTIGA_LIB_SUCCESS != return_status) - { - optiga_lib_print_message("optiga_util_wirte_data api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); - break; - } - - while (OPTIGA_LIB_BUSY == optiga_lib_status) - { - // Wait until the optiga_util_write_metadata operation is completed - } - - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) - { - optiga_lib_print_message("optiga_util_write_metadata failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - return_status = optiga_lib_status; - break; - } - else - { - optiga_lib_print_message("optiga_util_write_metadata successful", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - } + printf("optiga_util_write_metadata failed\n"); + break; } } while (0); - - // me_util instance can be destroyed - // if no close_application w.r.t hibernate is required to be performed - if (me_util) - { - optiga_util_destroy(me_util); - } } optiga_lib_status_t deriveKey_HKDF(const uint8_t * salt, uint16_t salt_length, const uint8_t * info, uint16_t info_length, @@ -408,39 +337,22 @@ optiga_lib_status_t deriveKey_HKDF(const uint8_t * salt, uint16_t salt_length, c do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) - { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_hkdf(p_local_crypt, OPTIGA_HKDF_SHA_256, TRUSTM_HKDF_OID_KEY, /* Input secret OID */ + return_status = optiga_crypt_hkdf(me_crypt, OPTIGA_HKDF_SHA_256, TRUSTM_HKDF_OID_KEY, /* Input secret OID */ salt, salt_length, info, info_length, derived_key_length, TRUE, derived_key); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hkdf api returns error !!! - optiga_lib_print_message("optiga_crypt_hkdf api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_crypt_hkdf api returns error %02X\n", return_status); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hkdf failed - optiga_lib_print_message("optiga_crypt_hkdf failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_crypt_hkdf failed\n"); break; } } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } @@ -451,25 +363,24 @@ optiga_lib_status_t hmac_sha256(optiga_hmac_type_t type, const uint8_t * input_d do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) - { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } - - return_status = OPTIGA_LIB_BUSY; + optiga_lib_status = OPTIGA_LIB_BUSY; #if ENABLE_HMAC_MULTI_STEP // If the size is less than the max length supported if (input_data_length <= MAX_MAC_DATA_LEN) { - return_status = - optiga_crypt_hmac(p_local_crypt, type, TRUSTM_HMAC_OID_KEY, input_data, input_data_length, mac, mac_length); + return_status = optiga_crypt_hmac(me_crypt, type, TRUSTM_HMAC_OID_KEY, input_data, input_data_length, mac, mac_length); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hmac api returns error !!! - optiga_lib_print_message("optiga_crypt_hmac api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac returns error !!! + printf("optiga_crypt_hmac api error %02X\n", return_status); + break; + } + + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) + { + // optiga_crypt_hmac returns error !!! + printf("optiga_crypt_hmac returns error\n"); break; } } @@ -479,13 +390,18 @@ optiga_lib_status_t hmac_sha256(optiga_hmac_type_t type, const uint8_t * input_d uint32_t dataLenTemp = 0; uint32_t remainingLen = input_data_length; // Start the HMAC Operation - return_status = optiga_crypt_hmac_start(p_local_crypt, type, TRUSTM_HMAC_OID_KEY, input_data, MAX_MAC_DATA_LEN); - + return_status = optiga_crypt_hmac_start(me_crypt, type, TRUSTM_HMAC_OID_KEY, input_data, MAX_MAC_DATA_LEN); + if (OPTIGA_LIB_SUCCESS != return_status) + { + // optiga_crypt_hmac returns error !!! + printf("optiga_crypt_hmac_start api error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hmac_start api returns error !!! - optiga_lib_print_message("optiga_crypt_hmac_start api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac_start returns error !!! + printf("optiga_crypt_hmac_start returns error\n"); break; } remainingLen = input_data_length - MAX_MAC_DATA_LEN; @@ -496,18 +412,21 @@ optiga_lib_status_t hmac_sha256(optiga_hmac_type_t type, const uint8_t * input_d if (remainingLen > MAX_MAC_DATA_LEN) { - return_status = OPTIGA_LIB_BUSY; - // printf("HMAC Update\n"); - // Continue HMAC operation on input data + optiga_lib_status = OPTIGA_LIB_BUSY; return_status = - optiga_crypt_hmac_update(p_local_crypt, (input_data + (input_data_length - remainingLen)), dataLenTemp); + optiga_crypt_hmac_update(me_crypt, (input_data + (input_data_length - remainingLen)), dataLenTemp); + if (OPTIGA_LIB_SUCCESS != return_status) + { + // optiga_crypt_hmac_update returns error !!! + printf("optiga_crypt_hmac_update api error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); remainingLen = remainingLen - dataLenTemp; - if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hmac_update api returns error !!! - optiga_lib_print_message("optiga_crypt_hmac_update api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac_update returns error !!! + printf("optiga_crypt_hmac_update returns error\n"); break; } } @@ -515,15 +434,20 @@ optiga_lib_status_t hmac_sha256(optiga_hmac_type_t type, const uint8_t * input_d { // End HMAC sequence and return the MAC generated // printf("HMAC Finalize\n"); - return_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_hmac_finalize(p_local_crypt, (input_data + (input_data_length - remainingLen)), - dataLenTemp, mac, mac_length); - + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_crypt_hmac_finalize(me_crypt, (input_data + (input_data_length - remainingLen)), + dataLenTemp, mac, mac_length); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hmac_finalize api returns error !!! - optiga_lib_print_message("optiga_crypt_hmac_finalize api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac_finalize returns error !!! + printf("optiga_crypt_hmac_finalize api error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) + { + // optiga_crypt_hmac_finalize returns error !!! + printf("optiga_crypt_hmac_finalize returns error\n"); break; } } @@ -531,70 +455,48 @@ optiga_lib_status_t hmac_sha256(optiga_hmac_type_t type, const uint8_t * input_d } #else - return_status = optiga_crypt_hmac(p_local_crypt, type, TRUSTM_HMAC_OID_KEY, input_data, input_data_length, mac, mac_length); - // printf("Output Length %ld Input Length %ld \n", *mac_length, input_data_length); + return_status = optiga_crypt_hmac(me_crypt, type, TRUSTM_HMAC_OID_KEY, input_data, input_data_length, mac, mac_length); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hmac api returns error !!! - optiga_lib_print_message("optiga_crypt_hmac api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac returns error !!! + printf("optiga_crypt_hmac api error %02X\n", return_status); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_hkdf failed - optiga_lib_print_message("optiga_crypt_hkdf failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac returns error !!! + printf("optiga_crypt_hmac returns error\n"); break; } #endif } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } + optiga_lib_status_t optiga_crypt_rng(uint8_t * random_data, uint16_t random_data_length) { optiga_lib_status_t return_status; do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) - { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } - - return_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_random(p_local_crypt, OPTIGA_RNG_TYPE_DRNG, random_data, random_data_length); + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_crypt_random(me_crypt, OPTIGA_RNG_TYPE_DRNG, random_data, random_data_length); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_random api returns error !!! - optiga_lib_print_message("optiga_crypt_random api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_random returns error !!! + printf("optiga_crypt_random api error %02X\n", return_status); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) { // optiga_crypt_random failed - optiga_lib_print_message("optiga_crypt_random failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_crypt_random returns error\n"); break; } } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } optiga_lib_status_t trustm_ecc_keygen(uint16_t optiga_key_id, uint8_t key_type, optiga_ecc_curve_t curve_id, uint8_t * pubkey, @@ -610,35 +512,24 @@ optiga_lib_status_t trustm_ecc_keygen(uint16_t optiga_key_id, uint8_t key_type, } do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = + optiga_crypt_ecc_generate_keypair(me_crypt, curve_id, key_type, FALSE, &optiga_key_id, (pubkey + i), pubkey_length); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_ecc_generate_keypair api returns error !!! + printf("optiga_crypt_ecc_generate_keypair api error %02X\n", return_status); break; } - - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_ecc_generate_keypair(p_local_crypt, curve_id, key_type, FALSE, &optiga_key_id, (pubkey + i), - pubkey_length); + WAIT_FOR_COMPLETION(return_status); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_ecc_generate_keypair api returns error !!! - optiga_lib_print_message("optiga_crypt_ecc_generate_keypair api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_ecc_generate_keypair returns error !!! + printf("optiga_crypt_ecc_generate_keypair returns error\n"); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } - *pubkey_length += sizeof(header256); return return_status; } @@ -648,32 +539,22 @@ void trustmGetKey(uint16_t optiga_oid, uint8_t * pubkey, uint16_t * pubkeyLen) uint16_t offset = 0; do { - // Create an instance of optiga_crypt_t - p_local_util = optiga_util_create(0, optiga_util_callback, NULL); - if (NULL == p_local_util) + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_util_read_data(me_util, optiga_oid, offset, pubkey, pubkeyLen); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_util_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_util_read_data api returns error !!! + printf("optiga_util_read_data api error %02X\n", return_status); break; } - - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_util_read_data(p_local_util, optiga_oid, offset, pubkey, pubkeyLen); + WAIT_FOR_COMPLETION(return_status); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_util_read_pubkey api returns error !!! - optiga_lib_print_message("optiga_util_read_pubkey returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_util_read_pubkey returns error !!! + printf("optiga_util_read_pubkey returns error\n"); break; } - - while (optiga_lib_status == OPTIGA_LIB_BUSY) - ; - } while (0); - - if (p_local_util) - { - optiga_util_destroy(p_local_util); - } } optiga_lib_status_t trustm_hash(uint8_t * msg, uint16_t msg_length, uint8_t * digest, uint8_t digest_length) { @@ -681,34 +562,25 @@ optiga_lib_status_t trustm_hash(uint8_t * msg, uint16_t msg_length, uint8_t * di hash_data_from_host_t hash_data_host; do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) - { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } hash_data_host.buffer = msg; hash_data_host.length = msg_length; optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_hash(p_local_crypt, OPTIGA_HASH_TYPE_SHA_256, OPTIGA_CRYPT_HOST_DATA, &hash_data_host, digest); - + return_status = optiga_crypt_hash(me_crypt, OPTIGA_HASH_TYPE_SHA_256, OPTIGA_CRYPT_HOST_DATA, &hash_data_host, digest); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_ecdsa_sign api returns error !!! - optiga_lib_print_message("optiga_crypt_hash api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hash api returns error !!! + printf("optiga_crypt_hash api error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) + { + // optiga_crypt_hash api returns error !!! + printf("optiga_crypt_hash returns error\n"); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } optiga_lib_status_t trustm_ecdsa_sign(optiga_key_id_t optiga_key_id, uint8_t * digest, uint8_t digest_length, uint8_t * signature, @@ -718,26 +590,21 @@ optiga_lib_status_t trustm_ecdsa_sign(optiga_key_id_t optiga_key_id, uint8_t * d int i; do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_crypt_ecdsa_sign(me_crypt, digest, digest_length, optiga_key_id, signature, signature_length); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_ecdsa_sign api returns error !!! + printf("optiga_crypt_ecdsa_sign api error %02X\n", return_status); break; } - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_ecdsa_sign(p_local_crypt, digest, digest_length, optiga_key_id, signature, signature_length); + WAIT_FOR_COMPLETION(return_status); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_ecdsa_sign api returns error !!! - optiga_lib_print_message("optiga_crypt_ecdsa_sign api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_ecdsa_sign returns error !!! + printf("optiga_crypt_ecdsa_sign returns error\n"); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - for (i = (*signature_length - 1); i >= 0; i--) { signature[i + 2] = signature[i]; @@ -749,23 +616,18 @@ optiga_lib_status_t trustm_ecdsa_sign(optiga_key_id_t optiga_key_id, uint8_t * d } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } + void ecc_pub_key_bit(uint8_t * q_buffer, uint8_t q_length, uint8_t * pub_key_buffer, uint16_t * pub_key_length) { -#define OPTIGA_UTIL_ECC_DER_ADDITIONAL_LENGTH (0x02) +#define OPTIGA_UTIL_ECC_DER_ADDITIONAL_LENGTH (0x01) uint16_t index = 0; pub_key_buffer[index++] = OPTIGA_UTIL_DER_BITSTRING_TAG; pub_key_buffer[index++] = q_length + OPTIGA_UTIL_ECC_DER_ADDITIONAL_LENGTH; pub_key_buffer[index++] = OPTIGA_UTIL_DER_NUM_UNUSED_BITS; - // Compression format. Supports only 04 [uncompressed] - pub_key_buffer[index++] = 0x04; pal_os_memcpy(&pub_key_buffer[index], q_buffer, q_length); index += q_length; @@ -781,44 +643,36 @@ optiga_lib_status_t trustm_ecdsa_verify(uint8_t * digest, uint8_t digest_length, uint8_t ecc_public_key[70] = { 0x00 }; uint16_t i; uint16_t ecc_public_key_length = 0; + ecc_pub_key_bit(ecc_pubkey, ecc_pubkey_length, ecc_public_key, &ecc_public_key_length); public_key_from_host_t public_key_details = { ecc_public_key, ecc_public_key_length, (uint8_t) OPTIGA_ECC_CURVE_NIST_P_256 }; do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - - if (NULL == p_local_crypt) - { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } signature_length = signature[1]; for (i = 0; i < signature_length; i++) { signature[i] = signature[i + 2]; } - return_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_ecdsa_verify(p_local_crypt, digest, digest_length, signature, signature_length, - OPTIGA_CRYPT_HOST_DATA, &public_key_details); + + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_crypt_ecdsa_verify(me_crypt, digest, digest_length, signature, signature_length, + OPTIGA_CRYPT_HOST_DATA, &public_key_details); if (OPTIGA_LIB_SUCCESS != return_status) { // optiga_crypt_ecdsa_verify api returns error !!! - optiga_lib_print_message("optiga_crypt_ecdsa_verify api returns error !!!", OPTIGA_UTIL_SERVICE, - OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_crypt_ecdsa_verify api error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) + { + // optiga_crypt_ecdsa_verify returns error !!! + printf("optiga_crypt_ecdsa_verify returns error\n"); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } @@ -834,40 +688,35 @@ CHIP_ERROR trustmGetCertificate(uint16_t optiga_oid, uint8_t * buf, uint16_t * b trustm_Open(); do { - // Create an instance of optiga_util to read the certificate from OPTIGA. - p_local_util = optiga_util_create(0, optiga_util_callback, NULL); - if (!p_local_util) - { - optiga_lib_print_message("optiga_util_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - break; - } optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_util_read_data(p_local_util, optiga_oid, 0, ifx_cert_hex, &ifx_cert_hex_len); + return_status = optiga_util_read_data(me_util, optiga_oid, 0, ifx_cert_hex, &ifx_cert_hex_len); if (OPTIGA_LIB_SUCCESS != return_status) { // optiga_util_read_data api returns error !!! - optiga_lib_print_message("optiga_util_read_data api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_util_read_data api error %02X\n", return_status); break; } - while (optiga_lib_status == OPTIGA_LIB_BUSY) - ; - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) { // optiga_util_read_data failed - optiga_lib_print_message("optiga_util_read_data failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("trustmGetCertificate failed\n"); break; } - memcpy(buf, ifx_cert_hex, ifx_cert_hex_len); *buflen = ifx_cert_hex_len; } while (0); - if (p_local_util) + if (return_status == OPTIGA_LIB_SUCCESS) + { + return CHIP_NO_ERROR; + } + else { - optiga_util_destroy(p_local_util); + return CHIP_ERROR_INTERNAL; } - return CHIP_NO_ERROR; } + optiga_lib_status_t trustm_ecdh_derive_secret(optiga_key_id_t optiga_key_id, uint8_t * public_key, uint16_t public_key_length, uint8_t * shared_secret, uint8_t shared_secret_length) { @@ -879,33 +728,23 @@ optiga_lib_status_t trustm_ecdh_derive_secret(optiga_key_id_t optiga_key_id, uin }; do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - - if (NULL == p_local_crypt) + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = optiga_crypt_ecdh(me_crypt, optiga_key_id, &public_key_details, TRUE, shared_secret); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_crypt_create failed !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_util_read_data api returns error !!! + printf("optiga_crypt_ecdh api error %02X\n", return_status); break; } - - optiga_lib_status = OPTIGA_LIB_BUSY; - return_status = optiga_crypt_ecdh(p_local_crypt, optiga_key_id, &public_key_details, TRUE, shared_secret); + WAIT_FOR_COMPLETION(return_status); if (OPTIGA_LIB_SUCCESS != return_status) { - // optiga_crypt_ecdh api returns error !!! - optiga_lib_print_message("optiga_crypt_ecdh api returns error !!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_ecdh returns error !!! + printf("optiga_crypt_ecdh returns error\n"); break; } - - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; } @@ -921,37 +760,40 @@ optiga_lib_status_t trustm_PBKDF2_HMAC(const unsigned char * salt, size_t slen, unsigned char * out_p = output; do { - // Create an instance of optiga_crypt_t - p_local_crypt = optiga_crypt_create(0, optiga_crypt_callback, NULL); - if (NULL == p_local_crypt) + // Calculate U1, U1 ends up in work + optiga_lib_status = OPTIGA_LIB_BUSY; + return_status = + optiga_crypt_hmac(me_crypt, OPTIGA_HMAC_SHA_256, TRUSTM_HMAC_OID_KEY, salt, (uint32_t) slen, work, &work_len); + if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_crypt_create failed!!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac api returns error !!! + printf("optiga_crypt_hmac api 1 error %02X\n", return_status); break; } - - // Calculate U1, U1 ends up in work - return_status = - optiga_crypt_hmac(p_local_crypt, OPTIGA_HMAC_SHA_256, TRUSTM_HMAC_OID_KEY, salt, (uint32_t) slen, work, &work_len); - + WAIT_FOR_COMPLETION(return_status); if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_crypt_hmac api returns error!!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + printf("optiga_crypt_hmac 1 returns error\n"); break; } - return_status = OPTIGA_LIB_BUSY; memcpy(md1, work, md1_len); for (unsigned int i = 1; i < iteration_count; i++) { + optiga_lib_status = OPTIGA_LIB_BUSY; // Calculated subsequent U, which ends up in md1 - return_status = optiga_crypt_hmac(p_local_crypt, OPTIGA_HMAC_SHA_256, TRUSTM_HMAC_OID_KEY, md1, md1_len, md1, &md1_len); - + return_status = optiga_crypt_hmac(me_crypt, OPTIGA_HMAC_SHA_256, TRUSTM_HMAC_OID_KEY, md1, md1_len, md1, &md1_len); if (OPTIGA_LIB_SUCCESS != return_status) { - optiga_lib_print_message("optiga_crypt_hmac api returns error!!!", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); + // optiga_crypt_hmac api returns error !!! + printf("optiga_crypt_hmac api 2 error %02X\n", return_status); + break; + } + WAIT_FOR_COMPLETION(return_status); + if (OPTIGA_LIB_SUCCESS != return_status) + { + printf("optiga_crypt_hmac 2 returns error\n"); break; } - return_status = OPTIGA_LIB_BUSY; - // U1 xor U2 for (int j = 0; j < (int) md1_len; j++) { @@ -959,25 +801,8 @@ optiga_lib_status_t trustm_PBKDF2_HMAC(const unsigned char * salt, size_t slen, } } - while (p_local_crypt->instance_state != OPTIGA_LIB_INSTANCE_FREE) - ; - - if (OPTIGA_LIB_SUCCESS != optiga_lib_status) - - { - - // optiga_crypt_hkdf failed - - optiga_lib_print_message("optiga_crypt_pbkdf_hmac failed failed", OPTIGA_UTIL_SERVICE, OPTIGA_UTIL_SERVICE_COLOR); - - break; - } memcpy(out_p, work, key_length); } while (0); - if (p_local_crypt) - { - optiga_crypt_destroy(p_local_crypt); - } return return_status; }