Skip to content

Commit 798b576

Browse files
authored
[Infineon] Provision to enable/disable NOC key-pair generation using HSM (#34770)
* Provision to select NOC key-pair generation using Trust M MTR or fw. * Added the flag ENABLE_TRUSTM_NOC_KEYGEN in the config. * Updated the functions to support NOC keygen with and without trustm. * Restyled changes * Minor bug fixes.
1 parent 681f951 commit 798b576

File tree

4 files changed

+61
-61
lines changed

4 files changed

+61
-61
lines changed

src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_P256_trustm.cpp

+35-41
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,6 @@ extern CHIP_ERROR ECDSA_validate_msg_signature_H(const P256PublicKey * public_ke
7878
extern CHIP_ERROR ECDSA_validate_hash_signature_H(const P256PublicKey * public_key, const uint8_t * hash, const size_t hash_length,
7979
const P256ECDSASignature & signature);
8080

81-
#if (ENABLE_TRUSTM_GENERATE_EC_KEY || ENABLE_TRUSTM_ECDSA_VERIFY)
8281
static CHIP_ERROR get_trustm_keyid_from_keypair(const P256KeypairContext mKeypair, uint32_t * key_id)
8382
{
8483
if (0 != memcmp(&mKeypair.mBytes[0], trustm_magic_no, sizeof(trustm_magic_no)))
@@ -87,36 +86,21 @@ static CHIP_ERROR get_trustm_keyid_from_keypair(const P256KeypairContext mKeypai
8786
}
8887

8988
*key_id += (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET]) | (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET + 1] << 8);
90-
9189
return CHIP_NO_ERROR;
9290
}
93-
#endif // #if (ENABLE_TRUSTM_GENERATE_EC_KEY || ENABLE_TRUSTM_ECDSA_VERIFY)
9491

9592
P256Keypair::~P256Keypair()
9693
{
97-
// Add method to get the keyid
9894
if (CHIP_NO_ERROR != get_trustm_keyid_from_keypair(mKeypair, &keyid))
9995
{
10096
Clear();
10197
}
102-
else
103-
{
104-
// Delete the key in SE
105-
}
10698
}
10799

108100
CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
109101
{
110102
CHIP_ERROR error = CHIP_ERROR_INTERNAL;
111103

112-
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
113-
if (CHIP_NO_ERROR == Initialize_H(this, &mPublicKey, &mKeypair))
114-
{
115-
mInitialized = true;
116-
}
117-
error = CHIP_NO_ERROR;
118-
return error;
119-
#else
120104
uint8_t pubkey[128] = {
121105
0,
122106
};
@@ -136,11 +120,20 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
136120
}
137121
else
138122
{
123+
#if !ENABLE_TRUSTM_NOC_KEYGEN
124+
error = Initialize_H(this, &mPublicKey, &mKeypair);
125+
if (CHIP_NO_ERROR == error)
126+
{
127+
mInitialized = true;
128+
}
129+
return error;
130+
#else
139131
// Add the logic to use different keyid
140132
keyid = TRUSTM_NODE_OID_KEY_START;
141133
// Trust M ECC 256 Key Gen
142134
ChipLogDetail(Crypto, "Generating NIST256 key in TrustM !");
143135
key_usage = (optiga_key_usage_t) (OPTIGA_KEY_USAGE_SIGN | OPTIGA_KEY_USAGE_AUTHENTICATION);
136+
#endif //! ENABLE_TRUSTM_NOC_KEYGEN
144137
}
145138
// Trust M init
146139
trustm_Open();
@@ -167,14 +160,13 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
167160
trustm_close();
168161
}
169162
return error;
170-
#endif
171163
}
172164

173165
CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) const
174166
{
175-
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
176-
return ECDSA_sign_msg_H(&mKeypair, msg, msg_length, out_signature);
177-
#else
167+
VerifyOrReturnError(mInitialized, CHIP_ERROR_UNINITIALIZED);
168+
uint16_t keyid = (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET]) | (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET + 1] << 8);
169+
178170
CHIP_ERROR error = CHIP_ERROR_INTERNAL;
179171
optiga_lib_status_t return_status = OPTIGA_LIB_BUSY;
180172

@@ -188,20 +180,31 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P
188180

189181
VerifyOrReturnError(msg != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
190182
VerifyOrReturnError(msg_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
191-
ChipLogDetail(Crypto, "TrustM: ECDSA_sign_msg");
192183
// Trust M Init
193184
trustm_Open();
194185
// Hash to get the digest
195186
Hash_SHA256(msg, msg_length, &digest[0]);
196-
uint16_t keyid = (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET]) | (mKeypair.mBytes[CRYPTO_KEYPAIR_KEYID_OFFSET + 1] << 8);
197-
// Api call to calculate the signature
198-
if (keyid == OPTIGA_KEY_ID_E0F2)
187+
188+
if (keyid == OPTIGA_KEY_ID_E0F0)
199189
{
200-
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F2, digest, digest_length, signature_trustm, &signature_trustm_len);
190+
ChipLogDetail(Crypto, "TrustM: ECDSA_sign_msg");
191+
192+
// Api call to calculate the signature
193+
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F0, digest, digest_length, signature_trustm, &signature_trustm_len);
201194
}
202195
else
203196
{
204-
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F0, digest, digest_length, signature_trustm, &signature_trustm_len);
197+
#if !ENABLE_TRUSTM_NOC_KEYGEN
198+
// Use the mbedtls based method
199+
ChipLogDetail(Crypto, "ECDSA sing msg mbedtls");
200+
return ECDSA_sign_msg_H(&mKeypair, msg, msg_length, out_signature);
201+
#else
202+
if (keyid == OPTIGA_KEY_ID_E0F2)
203+
{
204+
ChipLogDetail(Crypto, "TrustM: ECDSA_sign_msg");
205+
return_status = trustm_ecdsa_sign(OPTIGA_KEY_ID_E0F2, digest, digest_length, signature_trustm, &signature_trustm_len);
206+
}
207+
#endif //! ENABLE_TRUSTM_NOC_KEYGEN
205208
}
206209

207210
VerifyOrExit(return_status == OPTIGA_LIB_SUCCESS, error = CHIP_ERROR_INTERNAL);
@@ -220,14 +223,10 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P
220223
trustm_close();
221224
}
222225
return error;
223-
#endif
224226
}
225227

226228
CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const
227229
{
228-
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
229-
return ECDH_derive_secret_H(&mKeypair, remote_public_key, out_secret);
230-
#else
231230
CHIP_ERROR error = CHIP_ERROR_INTERNAL;
232231
optiga_lib_status_t return_status = OPTIGA_LIB_BUSY;
233232
size_t secret_length = (out_secret.Length() == 0) ? out_secret.Capacity() : out_secret.Length();
@@ -262,7 +261,6 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k
262261
trustm_close();
263262
}
264263
return error;
265-
#endif
266264
}
267265

268266
CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, size_t hash_length,
@@ -313,6 +311,12 @@ CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const
313311
0,
314312
};
315313

314+
if (0 != memcmp(&mKeypair.mBytes[0], trustm_magic_no, sizeof(trustm_magic_no)))
315+
{
316+
VerifyOrReturnError(mInitialized, CHIP_ERROR_UNINITIALIZED);
317+
return Serialize_H(mKeypair, mPublicKey, output);
318+
}
319+
316320
/* Set the public key */
317321
P256PublicKey & public_key = const_cast<P256PublicKey &>(Pubkey());
318322
bbuf.Put(Uint8::to_uchar(public_key), public_key.Length());
@@ -358,16 +362,11 @@ CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input)
358362
}
359363
else
360364
{
361-
#if !ENABLE_TRUSTM_KEY_IMPORT
362365
if (CHIP_NO_ERROR == (error = Deserialize_H(this, &mPublicKey, &mKeypair, input)))
363366
{
364367
mInitialized = true;
365368
}
366369
return error;
367-
#else
368-
// Add in code for Trust M
369-
return CHIP_NO_ERROR;
370-
#endif
371370
}
372371
}
373372

@@ -430,9 +429,6 @@ static void add_tlv(uint8_t * buf, size_t buf_index, uint8_t tag, size_t len, ui
430429

431430
CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const
432431
{
433-
#if !ENABLE_TRUSTM_GENERATE_EC_KEY
434-
return NewCertificateSigningRequest_H(&mKeypair, csr, csr_length);
435-
#else
436432
CHIP_ERROR error = CHIP_ERROR_INTERNAL;
437433
optiga_lib_status_t return_status = OPTIGA_LIB_BUSY;
438434

@@ -585,8 +581,6 @@ CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * csr, size_t & csr
585581
trustm_close();
586582
}
587583
return error;
588-
589-
#endif
590584
}
591585

592586
} // namespace Crypto

src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_config_trustm.h

+5-5
Original file line numberDiff line numberDiff line change
@@ -32,11 +32,6 @@
3232
*/
3333
#define ENABLE_TRUSTM_ECDSA_VERIFY 1
3434

35-
/*
36-
* Enable Key Import for trustm
37-
*/
38-
#define ENABLE_TRUSTM_KEY_IMPORT 0
39-
4035
/*
4136
* Enable trustm for HKDF SHA256
4237
*/
@@ -51,3 +46,8 @@
5146
* Enable trustm for DA
5247
*/
5348
#define ENABLE_TRUSTM_DEVICE_ATTESTATION 1
49+
50+
/*
51+
* Enable trustm for NOC key-pair generation
52+
*/
53+
#define ENABLE_TRUSTM_NOC_KEYGEN 0

src/platform/Infineon/crypto/trustm/CHIPCryptoPALHsm_utils_trustm.h

+1-1
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ extern optiga_util_t * p_local_util;
5151
}
5252

5353
static const uint8_t trustm_magic_no[] = IFX_CRYPTO_KEY_MAGIC;
54-
static const uint8_t DA_KEY_ID[] = { 0xE0, 0xF0 };
54+
static const uint8_t DA_KEY_ID[] = { 0xF0, 0xE0 }; // OID --> 0xE0F0
5555
/* Open session to trustm */
5656
void trustm_Open(void);
5757
void read_certificate_from_optiga(uint16_t optiga_oid, char * cert_pem, uint16_t * cert_pem_length);

third_party/infineon/psoc6/psoc6_sdk/configs/mbedtls_user_config.h

+20-14
Original file line numberDiff line numberDiff line change
@@ -73,13 +73,13 @@
7373
* Uncomment a macro to enable alternate implementation of specific base
7474
* platform function
7575
*/
76-
//#define MBEDTLS_PLATFORM_EXIT_ALT
76+
// #define MBEDTLS_PLATFORM_EXIT_ALT
7777
#define MBEDTLS_PLATFORM_TIME_ALT
78-
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
79-
//#define MBEDTLS_PLATFORM_PRINTF_ALT
80-
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
81-
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
82-
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
78+
// #define MBEDTLS_PLATFORM_FPRINTF_ALT
79+
// #define MBEDTLS_PLATFORM_PRINTF_ALT
80+
// #define MBEDTLS_PLATFORM_SNPRINTF_ALT
81+
// #define MBEDTLS_PLATFORM_NV_SEED_ALT
82+
// #define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
8383

8484
/**
8585
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
@@ -103,7 +103,7 @@
103103
*/
104104
#undef MBEDTLS_ECP_DP_SECP192R1_ENABLED
105105
#undef MBEDTLS_ECP_DP_SECP224R1_ENABLED
106-
//#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
106+
// #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
107107
#undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
108108
#undef MBEDTLS_ECP_DP_SECP521R1_ENABLED
109109
#undef MBEDTLS_ECP_DP_SECP192K1_ENABLED
@@ -112,7 +112,7 @@
112112
#undef MBEDTLS_ECP_DP_BP256R1_ENABLED
113113
#undef MBEDTLS_ECP_DP_BP384R1_ENABLED
114114
#undef MBEDTLS_ECP_DP_BP512R1_ENABLED
115-
//#undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
115+
// #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
116116
#undef MBEDTLS_ECP_DP_CURVE448_ENABLED
117117

118118
/**
@@ -246,7 +246,7 @@
246246
*
247247
* Uncomment this macro to enable support for SSLv2 Client Hello messages.
248248
*/
249-
//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
249+
// #define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
250250

251251
/**
252252
* \def MBEDTLS_SSL_PROTO_TLS1
@@ -468,7 +468,7 @@
468468
*
469469
* This module is required for X.509 CRL parsing.
470470
*/
471-
//#undef MBEDTLS_X509_CRL_PARSE_C
471+
// #undef MBEDTLS_X509_CRL_PARSE_C
472472

473473
/**
474474
* \def MBEDTLS_X509_CSR_PARSE_C
@@ -482,7 +482,7 @@
482482
*
483483
* This module is used for reading X.509 certificate request.
484484
*/
485-
//#undef MBEDTLS_X509_CSR_PARSE_C
485+
// #undef MBEDTLS_X509_CSR_PARSE_C
486486

487487
/**
488488
* \def MBEDTLS_X509_CREATE_C
@@ -495,7 +495,7 @@
495495
*
496496
* This module is the basis for creating X.509 certificates and CSRs.
497497
*/
498-
//#undef MBEDTLS_X509_CREATE_C
498+
// #undef MBEDTLS_X509_CREATE_C
499499

500500
/**
501501
* \def MBEDTLS_X509_CSR_WRITE_C
@@ -508,7 +508,7 @@
508508
*
509509
* This module is required for X.509 certificate request writing.
510510
*/
511-
//#undef MBEDTLS_X509_CSR_WRITE_C
511+
// #undef MBEDTLS_X509_CSR_WRITE_C
512512

513513
/**
514514
* \def MBEDTLS_X509_CRT_WRITE_C
@@ -521,7 +521,7 @@
521521
*
522522
* This module is required for X.509 certificate creation.
523523
*/
524-
//#undef MBEDTLS_X509_CRT_WRITE_C
524+
// #undef MBEDTLS_X509_CRT_WRITE_C
525525

526526
/**
527527
* \def MBEDTLS_CERTS_C
@@ -779,4 +779,10 @@
779779
*/
780780
#define MBEDTLS_DEPRECATED_REMOVED
781781

782+
#define MBEDTLS_ASN1_WRITE_C
783+
#define MBEDTLS_ECDSA_C
784+
#define MBEDTLS_PK_WRITE_C
785+
#define MBEDTLS_X509_CREATE_C
786+
#define MBEDTLS_X509_CSR_WRITE_C
787+
782788
#endif /* MBEDTLS_USER_CONFIG_HEADER */

0 commit comments

Comments
 (0)