Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v1.2-branch][Infineon] Cherry-pick #34770 Provision to enable/disable NOC key-pair generation using HSM #34924 #34943

Merged
merged 1 commit into from
Aug 30, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,6 @@ extern CHIP_ERROR ECDSA_validate_msg_signature_H(const P256PublicKey * public_ke
extern CHIP_ERROR ECDSA_validate_hash_signature_H(const P256PublicKey * public_key, const uint8_t * hash, const size_t hash_length,
const P256ECDSASignature & signature);

#if (ENABLE_TRUSTM_GENERATE_EC_KEY || ENABLE_TRUSTM_ECDSA_VERIFY)
static CHIP_ERROR get_trustm_keyid_from_keypair(const P256KeypairContext mKeypair, uint32_t * key_id)
{
if (0 != memcmp(&mKeypair.mBytes[0], trustm_magic_no, sizeof(trustm_magic_no)))
Expand All @@ -87,36 +86,21 @@ static CHIP_ERROR get_trustm_keyid_from_keypair(const P256KeypairContext mKeypai
}

*key_id += (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET]) | (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET + 1] << 8);

return CHIP_NO_ERROR;
}
#endif // #if (ENABLE_TRUSTM_GENERATE_EC_KEY || ENABLE_TRUSTM_ECDSA_VERIFY)

P256Keypair::~P256Keypair()
{
// Add method to get the keyid
if (CHIP_NO_ERROR != get_trustm_keyid_from_keypair(mKeypair, &keyid))
{
Clear();
}
else
{
// Delete the key in SE
}
}

CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
{
CHIP_ERROR error = CHIP_ERROR_INTERNAL;

#if !ENABLE_TRUSTM_GENERATE_EC_KEY
if (CHIP_NO_ERROR == Initialize_H(this, &mPublicKey, &mKeypair))
{
mInitialized = true;
}
error = CHIP_NO_ERROR;
return error;
#else
uint8_t pubkey[128] = {
0,
};
Expand All @@ -136,11 +120,20 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
}
else
{
#if !ENABLE_TRUSTM_NOC_KEYGEN
error = Initialize_H(this, &mPublicKey, &mKeypair);
if (CHIP_NO_ERROR == error)
{
mInitialized = true;
}
return error;
#else
// Add the logic to use different keyid
keyid = TRUSTM_NODE_OID_KEY_START;
// Trust M ECC 256 Key Gen
ChipLogDetail(Crypto, "Generating NIST256 key in TrustM !");
key_usage = (optiga_key_usage_t) (OPTIGA_KEY_USAGE_SIGN | OPTIGA_KEY_USAGE_AUTHENTICATION);
#endif //! ENABLE_TRUSTM_NOC_KEYGEN
}
// Trust M init
trustm_Open();
Expand All @@ -167,14 +160,13 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
trustm_close();
}
return error;
#endif
}

CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) const
{
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
return ECDSA_sign_msg_H(&mKeypair, msg, msg_length, out_signature);
#else
VerifyOrReturnError(mInitialized, CHIP_ERROR_WELL_UNINITIALIZED);
uint16_t keyid = (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET]) | (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET + 1] << 8);

CHIP_ERROR error = CHIP_ERROR_INTERNAL;
optiga_lib_status_t return_status = OPTIGA_LIB_BUSY;

Expand All @@ -188,20 +180,31 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P

VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
ChipLogDetail(Crypto, "TrustM: ECDSA_sign_msg");
// Trust M Init
trustm_Open();
// Hash to get the digest
Hash_SHA256(msg, msg_length, &digest[0]);
uint16_t keyid = (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET]) | (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET + 1] << 8);
// Api call to calculate the signature
if (keyid == OPTIGA_KEY_ID_E0F2)

if (keyid == OPTIGA_KEY_ID_E0F0)
{
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F2, digest, digest_length, signature_trustm, &signature_trustm_len);
ChipLogDetail(Crypto, "TrustM: ECDSA_sign_msg");

// Api call to calculate the signature
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F0, digest, digest_length, signature_trustm, &signature_trustm_len);
}
else
{
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F0, digest, digest_length, signature_trustm, &signature_trustm_len);
#if !ENABLE_TRUSTM_NOC_KEYGEN
// Use the mbedtls based method
ChipLogDetail(Crypto, "ECDSA sing msg mbedtls");
return ECDSA_sign_msg_H(&mKeypair, msg, msg_length, out_signature);
#else
if (keyid == OPTIGA_KEY_ID_E0F2)
{
ChipLogDetail(Crypto, "TrustM: ECDSA_sign_msg");
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F2, digest, digest_length, signature_trustm, &signature_trustm_len);
}
#endif //! ENABLE_TRUSTM_NOC_KEYGEN
}

VerifyOrExit(return_status == OPTIGA_LIB_SUCCESS, error = CHIP_ERROR_INTERNAL);
Expand All @@ -220,14 +223,10 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P
trustm_close();
}
return error;
#endif
}

CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const
{
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
return ECDH_derive_secret_H(&mKeypair, remote_public_key, out_secret);
#else
CHIP_ERROR error = CHIP_ERROR_INTERNAL;
optiga_lib_status_t return_status = OPTIGA_LIB_BUSY;
size_t secret_length = (out_secret.Length() == 0) ? out_secret.Capacity() : out_secret.Length();
Expand Down Expand Up @@ -262,7 +261,6 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k
trustm_close();
}
return error;
#endif
}

CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, size_t hash_length,
Expand Down Expand Up @@ -313,6 +311,12 @@ CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const
0,
};

if (0 != memcmp(&mKeypair.mBytes[0], trustm_magic_no, sizeof(trustm_magic_no)))
{
VerifyOrReturnError(mInitialized, CHIP_ERROR_WELL_UNINITIALIZED);
return Serialize_H(mKeypair, mPublicKey, output);
}

/* Set the public key */
P256PublicKey & public_key = const_cast<P256PublicKey &>(Pubkey());
bbuf.Put(Uint8::to_uchar(public_key), public_key.Length());
Expand Down Expand Up @@ -358,16 +362,11 @@ CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input)
}
else
{
#if !ENABLE_TRUSTM_KEY_IMPORT
if (CHIP_NO_ERROR == (error = Deserialize_H(this, &mPublicKey, &mKeypair, input)))
{
mInitialized = true;
}
return error;
#else
// Add in code for Trust M
return CHIP_NO_ERROR;
#endif
}
}

Expand Down Expand Up @@ -430,9 +429,6 @@ static void add_tlv(uint8_t * buf, size_t buf_index, uint8_t tag, size_t len, ui

CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const
{
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
return NewCertificateSigningRequest_H(&mKeypair, csr, csr_length);
#else
CHIP_ERROR error = CHIP_ERROR_INTERNAL;
optiga_lib_status_t return_status = OPTIGA_LIB_BUSY;

Expand Down Expand Up @@ -585,8 +581,6 @@ CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * csr, size_t & csr
trustm_close();
}
return error;

#endif
}

} // namespace Crypto
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,6 @@
*/
#define ENABLE_TRUSTM_ECDSA_VERIFY 1

/*
* Enable Key Import for trustm
*/
#define ENABLE_TRUSTM_KEY_IMPORT 0

/*
* Enable trustm for HKDF SHA256
*/
Expand All @@ -51,3 +46,8 @@
* Enable trustm for DA
*/
#define ENABLE_TRUSTM_DEVICE_ATTESTATION 1

/*
* Enable trustm for NOC key-pair generation
*/
#define ENABLE_TRUSTM_NOC_KEYGEN 0
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ extern optiga_util_t * p_local_util;
}

static const uint8_t trustm_magic_no[] = IFX_CRYPTO_KEY_MAGIC;
static const uint8_t DA_KEY_ID[] = { 0xE0, 0xF0 };
static const uint8_t DA_KEY_ID[] = { 0xF0, 0xE0 }; // OID --> 0xE0F0
/* Open session to trustm */
void trustm_Open(void);
void read_certificate_from_optiga(uint16_t optiga_oid, char * cert_pem, uint16_t * cert_pem_length);
Expand Down
34 changes: 20 additions & 14 deletions third_party/infineon/psoc6/psoc6_sdk/configs/mbedtls_user_config.h
Original file line number Diff line number Diff line change
Expand Up @@ -73,13 +73,13 @@
* Uncomment a macro to enable alternate implementation of specific base
* platform function
*/
//#define MBEDTLS_PLATFORM_EXIT_ALT
// #define MBEDTLS_PLATFORM_EXIT_ALT
#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
// #define MBEDTLS_PLATFORM_FPRINTF_ALT
// #define MBEDTLS_PLATFORM_PRINTF_ALT
// #define MBEDTLS_PLATFORM_SNPRINTF_ALT
// #define MBEDTLS_PLATFORM_NV_SEED_ALT
// #define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT

/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
Expand All @@ -103,7 +103,7 @@
*/
#undef MBEDTLS_ECP_DP_SECP192R1_ENABLED
#undef MBEDTLS_ECP_DP_SECP224R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
// #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
#undef MBEDTLS_ECP_DP_SECP521R1_ENABLED
#undef MBEDTLS_ECP_DP_SECP192K1_ENABLED
Expand All @@ -112,7 +112,7 @@
#undef MBEDTLS_ECP_DP_BP256R1_ENABLED
#undef MBEDTLS_ECP_DP_BP384R1_ENABLED
#undef MBEDTLS_ECP_DP_BP512R1_ENABLED
//#undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
// #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
#undef MBEDTLS_ECP_DP_CURVE448_ENABLED

/**
Expand Down Expand Up @@ -246,7 +246,7 @@
*
* Uncomment this macro to enable support for SSLv2 Client Hello messages.
*/
//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
// #define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO

/**
* \def MBEDTLS_SSL_PROTO_TLS1
Expand Down Expand Up @@ -468,7 +468,7 @@
*
* This module is required for X.509 CRL parsing.
*/
//#undef MBEDTLS_X509_CRL_PARSE_C
// #undef MBEDTLS_X509_CRL_PARSE_C

/**
* \def MBEDTLS_X509_CSR_PARSE_C
Expand All @@ -482,7 +482,7 @@
*
* This module is used for reading X.509 certificate request.
*/
//#undef MBEDTLS_X509_CSR_PARSE_C
// #undef MBEDTLS_X509_CSR_PARSE_C

/**
* \def MBEDTLS_X509_CREATE_C
Expand All @@ -495,7 +495,7 @@
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
//#undef MBEDTLS_X509_CREATE_C
// #undef MBEDTLS_X509_CREATE_C

/**
* \def MBEDTLS_X509_CSR_WRITE_C
Expand All @@ -508,7 +508,7 @@
*
* This module is required for X.509 certificate request writing.
*/
//#undef MBEDTLS_X509_CSR_WRITE_C
// #undef MBEDTLS_X509_CSR_WRITE_C

/**
* \def MBEDTLS_X509_CRT_WRITE_C
Expand All @@ -521,7 +521,7 @@
*
* This module is required for X.509 certificate creation.
*/
//#undef MBEDTLS_X509_CRT_WRITE_C
// #undef MBEDTLS_X509_CRT_WRITE_C

/**
* \def MBEDTLS_CERTS_C
Expand Down Expand Up @@ -779,4 +779,10 @@
*/
#define MBEDTLS_DEPRECATED_REMOVED

#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CSR_WRITE_C

#endif /* MBEDTLS_USER_CONFIG_HEADER */
Loading