From 423e600d4605a5ca0fdcdf6bd36f53bac07072e7 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Mon, 6 Apr 2020 20:12:52 +0530 Subject: [PATCH] secure_element: atecc608_ecdsa example * Replaced crypotoauthlib with esp-cryptoauthlib * Added menuconfig option for esp-tls about using HSM * Added error codes for HSM in esp-tls, * Added support to select different type of ATECC608A chips * Added README, updated docs * tcp_transport: Added option to enable secure_element for ssl Closes https://github.com/espressif/esp-idf/issues/4432 --- .gitmodules | 6 +- components/cryptoauthlib/Kconfig | 29 --- components/cryptoauthlib/component.mk | 41 --- components/cryptoauthlib/cryptoauthlib | 1 - .../cryptoauthlib/port/atca_cfgs_port.c | 50 ---- .../cryptoauthlib/port/cert_def_1_signer.c | 151 ----------- .../cryptoauthlib/port/cert_def_1_signer.h | 18 -- .../cryptoauthlib/port/cert_def_2_device.c | 109 -------- .../cryptoauthlib/port/cert_def_2_device.h | 16 -- components/esp-tls/CMakeLists.txt | 5 + components/esp-tls/Kconfig | 11 + components/esp-tls/esp_tls.h | 5 +- components/esp-tls/esp_tls_mbedtls.c | 133 +++++++--- components/esp_common/src/esp_err_to_name.c | 3 + components/mbedtls/CMakeLists.txt | 6 +- components/mbedtls/Kconfig | 33 +-- .../mbedtls/port/include/mbedtls/esp_config.h | 9 +- .../tcp_transport/include/esp_transport_ssl.h | 9 + components/tcp_transport/transport_ssl.c | 8 + docs/conf_common.py | 1 + docs/en/COPYRIGHT.rst | 3 +- docs/en/api-reference/peripherals/index.rst | 1 + .../peripherals/secure_element.rst | 24 ++ docs/en/api-reference/protocols/esp_tls.rst | 32 +++ .../zh_CN/api-reference/peripherals/index.rst | 1 + .../peripherals/secure_element.rst | 1 + .../atecc608_ecdsa/CMakeLists.txt | 0 .../atecc608_ecdsa/Makefile | 0 .../secure_element/atecc608_ecdsa/README.md | 34 +++ .../components/esp-cryptoauthlib | 1 + .../atecc608_ecdsa/main/CMakeLists.txt | 5 + .../atecc608_ecdsa/main/component.mk | 0 .../atecc608_ecdsa/main/ecdsa_example_main.c | 241 ++++++++++++++++++ .../atecc608_ecdsa/sdkconfig.defaults | 1 - .../atecc608_ecdsa/main/ecdsa_example_main.c | 233 ----------------- 35 files changed, 505 insertions(+), 716 deletions(-) delete mode 100644 components/cryptoauthlib/Kconfig delete mode 100644 components/cryptoauthlib/component.mk delete mode 160000 components/cryptoauthlib/cryptoauthlib delete mode 100644 components/cryptoauthlib/port/atca_cfgs_port.c delete mode 100644 components/cryptoauthlib/port/cert_def_1_signer.c delete mode 100644 components/cryptoauthlib/port/cert_def_1_signer.h delete mode 100644 components/cryptoauthlib/port/cert_def_2_device.c delete mode 100644 components/cryptoauthlib/port/cert_def_2_device.h create mode 100644 docs/en/api-reference/peripherals/secure_element.rst create mode 100644 docs/zh_CN/api-reference/peripherals/secure_element.rst rename examples/peripherals/{security => secure_element}/atecc608_ecdsa/CMakeLists.txt (100%) rename examples/peripherals/{security => secure_element}/atecc608_ecdsa/Makefile (100%) create mode 100644 examples/peripherals/secure_element/atecc608_ecdsa/README.md create mode 160000 examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib create mode 100644 examples/peripherals/secure_element/atecc608_ecdsa/main/CMakeLists.txt rename examples/peripherals/{security => secure_element}/atecc608_ecdsa/main/component.mk (100%) create mode 100644 examples/peripherals/secure_element/atecc608_ecdsa/main/ecdsa_example_main.c rename examples/peripherals/{security => secure_element}/atecc608_ecdsa/sdkconfig.defaults (63%) delete mode 100644 examples/peripherals/security/atecc608_ecdsa/main/ecdsa_example_main.c diff --git a/.gitmodules b/.gitmodules index 121b4886f7..64828e742c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -83,6 +83,6 @@ path = components/tinyusb/tinyusb url = ../../espressif/tinyusb.git -[submodule "components/cryptoauthlib/cryptoauthlib"] - path = components/cryptoauthlib/cryptoauthlib - url = https://github.com/MicrochipTech/cryptoauthlib.git +[submodule "examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib"] + path = examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib + url = ../../espressif/esp-cryptoauthlib.git diff --git a/components/cryptoauthlib/Kconfig b/components/cryptoauthlib/Kconfig deleted file mode 100644 index d17f4f82eb..0000000000 --- a/components/cryptoauthlib/Kconfig +++ /dev/null @@ -1,29 +0,0 @@ -menu "Cryptoauthlib" - -config ATCA_MBEDTLS_ECDH - bool "Enable Hardware ECDH with ATECC608A" - depends on MBEDTLS_ECDH_C - select MBEDTLS_HARDWARE_ECDH - select MBEDTLS_ECP_DP_SECP256R1_ENABLED - help - Enable hardware ECDH operations on an ATECC608A device - -config ATCA_MBEDTLS_ECDSA - bool "Enable Hardware ECDSA keys for mbedTLS" - depends on MBEDTLS_ECDSA_C - help - Enable Hardware ECDSA - -config ATCA_MBEDTLS_ECDSA_SIGN - bool "Enable ATECC608A sign operations in mbedTLS" - depends on ATCA_MBEDTLS_ECDSA - select MBEDTLS_HARDWARE_ECDSA_SIGN - select MBEDTLS_ECP_DP_SECP256R1_ENABLED - -config ATCA_MBEDTLS_ECDSA_VERIFY - bool "Enable ATECC608A verify operations in mbedTLS" - depends on ATCA_MBEDTLS_ECDSA - select MBEDTLS_HARDWARE_ECDSA_VERIFY - select MBEDTLS_ECP_DP_SECP256R1_ENABLED - -endmenu # cryptoauthlib diff --git a/components/cryptoauthlib/component.mk b/components/cryptoauthlib/component.mk deleted file mode 100644 index 596f8d8b9c..0000000000 --- a/components/cryptoauthlib/component.mk +++ /dev/null @@ -1,41 +0,0 @@ -# -# Component Makefile -# -COMPONENT_SUBMODULES += cryptoauthlib - -CRYPTOAUTHLIB_DIR := cryptoauthlib/lib - -COMPONENT_SRCDIRS := $(CRYPTOAUTHLIB_DIR)/atcacert \ - $(CRYPTOAUTHLIB_DIR)/basic \ - $(CRYPTOAUTHLIB_DIR)/crypto \ - $(CRYPTOAUTHLIB_DIR)/crypto/hashes \ - $(CRYPTOAUTHLIB_DIR)/host \ - $(CRYPTOAUTHLIB_DIR)/mbedtls \ - $(CRYPTOAUTHLIB_DIR) \ - port - -COMPONENT_OBJS := $(foreach compsrcdir,$(COMPONENT_SRCDIRS),$(patsubst %.c,%.o,$(wildcard $(COMPONENT_PATH)/$(compsrcdir)/*.c))) \ - $(CRYPTOAUTHLIB_DIR)/hal/atca_hal.o \ - $(CRYPTOAUTHLIB_DIR)/hal/hal_freertos.o \ - $(CRYPTOAUTHLIB_DIR)/hal/hal_esp32_i2c.o \ - $(CRYPTOAUTHLIB_DIR)/hal/hal_esp32_timer.o - -# Make relative by removing COMPONENT_PATH from all found object paths -COMPONENT_OBJS := $(patsubst $(COMPONENT_PATH)/%,%,$(COMPONENT_OBJS)) - -# Don't include the default interface configurations from cryptoauthlib -COMPONENT_OBJEXCLUDE := $(CRYPTOAUTHLIB_DIR)/atca_cfgs.o - -# Add the hal directory back in for source search paths -COMPONENT_SRCDIRS += $(CRYPTOAUTHLIB_DIR)/hal - -COMPONENT_ADD_INCLUDEDIRS := $(CRYPTOAUTHLIB_DIR) $(CRYPTOAUTHLIB_DIR)/hal port - -# Library requires some global defines -CFLAGS+=-DESP32 -DATCA_HAL_I2C -DATCA_USE_RTOS_TIMER - -$(CRYPTOAUTHLIB_DIR)/hal/hal_freertos.o: CFLAGS+= -I$(IDF_PATH)/components/freertos/include/freertos - -# Turn off some warnings for some files that have been checked -$(CRYPTOAUTHLIB_DIR)/hal/hal_esp32_i2c.o: CFLAGS+= -Wno-unused-but-set-variable -Wno-unused-variable -$(CRYPTOAUTHLIB_DIR)/basic/atca_helpers.o: CFLAGS+= -Wno-type-limits diff --git a/components/cryptoauthlib/cryptoauthlib b/components/cryptoauthlib/cryptoauthlib deleted file mode 160000 index 3bc5e245c6..0000000000 --- a/components/cryptoauthlib/cryptoauthlib +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 3bc5e245c68ca9f25e8fada393d059304b4adecb diff --git a/components/cryptoauthlib/port/atca_cfgs_port.c b/components/cryptoauthlib/port/atca_cfgs_port.c deleted file mode 100644 index 326dd73410..0000000000 --- a/components/cryptoauthlib/port/atca_cfgs_port.c +++ /dev/null @@ -1,50 +0,0 @@ -/** - * \file - * \brief a set of default configurations for various ATCA devices and interfaces - * - * \copyright (c) 2015-2018 Microchip Technology Inc. and its subsidiaries. - * - * \page License - * - * Subject to your compliance with these terms, you may use Microchip software - * and any derivatives exclusively with Microchip products. It is your - * responsibility to comply with third party license terms applicable to your - * use of third party software (including open source software) that may - * accompany Microchip software. - * - * THIS SOFTWARE IS SUPPLIED BY MICROCHIP "AS IS". NO WARRANTIES, WHETHER - * EXPRESS, IMPLIED OR STATUTORY, APPLY TO THIS SOFTWARE, INCLUDING ANY IMPLIED - * WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A - * PARTICULAR PURPOSE. IN NO EVENT WILL MICROCHIP BE LIABLE FOR ANY INDIRECT, - * SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL LOSS, DAMAGE, COST OR EXPENSE - * OF ANY KIND WHATSOEVER RELATED TO THE SOFTWARE, HOWEVER CAUSED, EVEN IF - * MICROCHIP HAS BEEN ADVISED OF THE POSSIBILITY OR THE DAMAGES ARE - * FORESEEABLE. TO THE FULLEST EXTENT ALLOWED BY LAW, MICROCHIP'S TOTAL - * LIABILITY ON ALL CLAIMS IN ANY WAY RELATED TO THIS SOFTWARE WILL NOT EXCEED - * THE AMOUNT OF FEES, IF ANY, THAT YOU HAVE PAID DIRECTLY TO MICROCHIP FOR - * THIS SOFTWARE. - */ - -#include -#include "atca_cfgs.h" -#include "atca_iface.h" -#include "atca_device.h" - -/** \defgroup config Configuration (cfg_) - * \brief Logical device configurations describe the CryptoAuth device type and logical interface. - @{ */ - -/* if the number of these configurations grows large, we can #ifdef them based on required device support */ - -/** \brief default configuration for an ECCx08A device */ -ATCAIfaceCfg cfg_ateccx08a_i2c_default = { - .iface_type = ATCA_I2C_IFACE, - .devtype = ATECC608A, - .atcai2c.slave_address = 0xC0, - .atcai2c.bus = 0, - .atcai2c.baud = 100000, - .wake_delay = 1500, - .rx_retries = 20 -}; - -/** @} */ diff --git a/components/cryptoauthlib/port/cert_def_1_signer.c b/components/cryptoauthlib/port/cert_def_1_signer.c deleted file mode 100644 index 92ebf50925..0000000000 --- a/components/cryptoauthlib/port/cert_def_1_signer.c +++ /dev/null @@ -1,151 +0,0 @@ - -#include "atcacert/atcacert_def.h" - -const atcacert_def_t g_cert_def_0_root = { - .public_key_dev_loc = { - .zone = DEVZONE_DATA, - .slot = 15, - .is_genkey = 0, - .offset = 0, - .count = 72 - } -}; - -const atcacert_cert_element_t g_cert_elements_1_signer[] = { - { - .id = "IssueDate", - .device_loc = { - .zone = DEVZONE_DATA, - .slot = 14, - .is_genkey = 0, - .offset = 35-13, - .count = 13 - }, - .cert_loc = { - .offset = 97, - .count = 13 - } - }, - { - .id = "ExpireDate", - .device_loc = { - .zone = DEVZONE_DATA, - .slot = 14, - .is_genkey = 0, - .offset = 50-13, - .count = 13 - }, - .cert_loc = { - .offset = 112, - .count = 13 - } - } -}; - -const uint8_t g_cert_template_1_signer[] = { - 0x30, 0x82, 0x01, 0xc8, 0x30, 0x82, 0x01, 0x6e, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x57, - 0x06, 0x2e, 0xf0, 0x05, 0xea, 0x8a, 0x70, 0x44, 0xff, 0x1b, 0x90, 0x00, 0x21, 0x78, 0xd6, 0x30, - 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x30, 0x31, 0x14, 0x30, - 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, - 0x49, 0x6e, 0x63, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x45, 0x78, - 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x37, 0x30, 0x36, 0x30, 0x37, 0x31, 0x37, 0x35, 0x36, 0x31, 0x32, 0x5a, 0x17, 0x0d, - 0x32, 0x37, 0x30, 0x36, 0x30, 0x37, 0x31, 0x37, 0x35, 0x36, 0x31, 0x32, 0x5a, 0x30, 0x34, 0x31, - 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, - 0x65, 0x20, 0x49, 0x6e, 0x63, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, - 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x20, 0x46, - 0x46, 0x46, 0x46, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xb1, 0xf5, - 0x9c, 0xbe, 0x22, 0x11, 0x7f, 0x28, 0x2f, 0x7f, 0x2e, 0xcb, 0xa2, 0x8c, 0x30, 0x3b, 0xae, 0x59, - 0x45, 0xb9, 0x5c, 0x0e, 0xba, 0xaa, 0x9b, 0x81, 0x73, 0x52, 0x63, 0x41, 0xbf, 0x37, 0x3c, 0x2e, - 0xdd, 0xcd, 0xea, 0x0e, 0x7c, 0x9d, 0x90, 0xea, 0x25, 0x9c, 0x64, 0xeb, 0xc6, 0x54, 0x47, 0x32, - 0x81, 0x63, 0xbf, 0x42, 0x5f, 0xdd, 0x5a, 0x3f, 0xd5, 0x71, 0x81, 0x9b, 0x77, 0x44, 0xa3, 0x66, - 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, - 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, - 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, - 0x14, 0x81, 0x1d, 0xc6, 0x7c, 0x0f, 0x18, 0x2b, 0x65, 0x96, 0xeb, 0x22, 0x73, 0xdb, 0xf3, 0x23, - 0x63, 0x6d, 0x79, 0x0f, 0xc8, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0xdb, 0x2a, 0x0d, 0x06, 0x05, 0xc7, 0x98, 0xbc, 0xda, 0xc0, 0x34, 0x67, 0x66, 0xf4, - 0xe2, 0xb0, 0x61, 0xa3, 0xd2, 0xc8, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, - 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x49, 0xfe, 0xdf, 0xc9, 0x94, 0xe3, 0x07, - 0xdb, 0x08, 0xb3, 0x99, 0x9e, 0x04, 0xe4, 0x78, 0xe5, 0xf8, 0xb9, 0x09, 0xa9, 0xf0, 0x41, 0x66, - 0xc6, 0x69, 0x1b, 0x87, 0x30, 0x86, 0x10, 0xaf, 0x64, 0x02, 0x21, 0x00, 0xc8, 0xd6, 0x86, 0x61, - 0x94, 0x95, 0xdb, 0x45, 0xb3, 0x40, 0x8e, 0xac, 0x14, 0x9a, 0x19, 0xb6, 0x8c, 0x5c, 0x79, 0x9d, - 0x06, 0xcb, 0x52, 0x08, 0xa0, 0x1f, 0x49, 0x8b, 0x22, 0x4e, 0x52, 0x71 -}; - -const atcacert_def_t g_cert_def_1_signer = { - .type = CERTTYPE_X509, - .template_id = 1, - .chain_id = 0, - .private_key_slot = 0, - .sn_source = SNSRC_STORED, - .cert_sn_dev_loc = { - .zone = DEVZONE_DATA, - .slot = 14, - .is_genkey = 0, - .offset = 20-16, - .count = 16 - }, - .issue_date_format = DATEFMT_RFC5280_UTC, - .expire_date_format = DATEFMT_RFC5280_UTC, - .tbs_cert_loc = { - .offset = 4, - .count = 370 - }, - .expire_years = 10, - .public_key_dev_loc = { - .zone = DEVZONE_DATA, - .slot = 11, - .is_genkey = 0, - .offset = 0, - .count = 72 - }, - .comp_cert_dev_loc = { - .zone = DEVZONE_DATA, - .slot = 12, - .is_genkey = 0, - .offset = 0, - .count = 72 - }, - .std_cert_elements = { - { // STDCERT_PUBLIC_KEY - .offset = 206, - .count = 64 - }, - { // STDCERT_SIGNATURE - .offset = 386, - .count = 74 - }, - { // STDCERT_ISSUE_DATE - .offset = 97, - .count = 13 - }, - { // STDCERT_EXPIRE_DATE - .offset = 112, - .count = 13 - }, - { // STDCERT_SIGNER_ID - .offset = 175, - .count = 4 - }, - { // STDCERT_CERT_SN - .offset = 15, - .count = 16 - }, - { // STDCERT_AUTH_KEY_ID - .offset = 354, - .count = 20 - }, - { // STDCERT_SUBJ_KEY_ID - .offset = 321, - .count = 20 - } - }, - .cert_elements = g_cert_elements_1_signer, - .cert_elements_count = sizeof(g_cert_elements_1_signer) / sizeof(g_cert_elements_1_signer[0]), - .cert_template = g_cert_template_1_signer, - .cert_template_size = sizeof(g_cert_template_1_signer), - .ca_cert_def = &g_cert_def_0_root -}; - diff --git a/components/cryptoauthlib/port/cert_def_1_signer.h b/components/cryptoauthlib/port/cert_def_1_signer.h deleted file mode 100644 index 49438af6ca..0000000000 --- a/components/cryptoauthlib/port/cert_def_1_signer.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef CERT_DEF_1_SIGNER_H -#define CERT_DEF_1_SIGNER_H - -#include "atcacert/atcacert_def.h" - -#ifdef __cplusplus -extern "C" { -#endif - -extern const atcacert_def_t g_cert_def_0_root; - -extern const atcacert_def_t g_cert_def_1_signer; - -#ifdef __cplusplus -} -#endif - -#endif // CERT_DEF_1_SIGNER_H diff --git a/components/cryptoauthlib/port/cert_def_2_device.c b/components/cryptoauthlib/port/cert_def_2_device.c deleted file mode 100644 index b4bb483e02..0000000000 --- a/components/cryptoauthlib/port/cert_def_2_device.c +++ /dev/null @@ -1,109 +0,0 @@ - -#include "atcacert/atcacert_def.h" -#include "cert_def_1_signer.h" - -const uint8_t g_cert_template_2_device[] = { - 0x30, 0x82, 0x01, 0xa6, 0x30, 0x82, 0x01, 0x4b, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x41, - 0xa6, 0x8b, 0xe4, 0x36, 0xdd, 0xc3, 0xd8, 0x39, 0xfa, 0xbd, 0xd7, 0x27, 0xd9, 0x74, 0xe7, 0x30, - 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x34, 0x31, 0x14, 0x30, - 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, - 0x49, 0x6e, 0x63, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x45, 0x78, - 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x20, 0x46, 0x46, 0x46, - 0x46, 0x30, 0x20, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x37, 0x31, 0x30, 0x32, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x5a, 0x18, 0x0f, 0x33, 0x30, 0x30, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, - 0x35, 0x39, 0x5a, 0x30, 0x2f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, - 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x31, 0x17, 0x30, 0x15, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x44, 0x65, - 0x76, 0x69, 0x63, 0x65, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, - 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x96, - 0x27, 0xf1, 0x3e, 0x80, 0xac, 0xf9, 0xd4, 0x12, 0xce, 0x3b, 0x0d, 0x68, 0xf7, 0x4e, 0xb2, 0xc6, - 0x07, 0x35, 0x00, 0xb7, 0x78, 0x5b, 0xac, 0xe6, 0x50, 0x30, 0x54, 0x77, 0x7f, 0xc8, 0x62, 0x21, - 0xce, 0xf2, 0x5a, 0x9a, 0x9e, 0x86, 0x40, 0xc2, 0x29, 0xd6, 0x4a, 0x32, 0x1e, 0xb9, 0x4a, 0x1b, - 0x1c, 0x94, 0xf5, 0x39, 0x88, 0xae, 0xfe, 0x49, 0xcc, 0xfd, 0xbf, 0x8a, 0x0d, 0x34, 0xb8, 0xa3, - 0x42, 0x30, 0x40, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x2d, 0xda, - 0x6c, 0x36, 0xd5, 0xa5, 0x5a, 0xce, 0x97, 0x10, 0x3d, 0xbb, 0xaf, 0x9c, 0x66, 0x2a, 0xcd, 0x3e, - 0xe6, 0xcf, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc6, - 0x70, 0xe0, 0x5e, 0x8a, 0x45, 0x0d, 0xb8, 0x2c, 0x00, 0x2a, 0x40, 0x06, 0x39, 0x4c, 0x19, 0x58, - 0x04, 0x35, 0x76, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, - 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0xe1, 0xfc, 0x00, 0x23, 0xc1, 0x3d, 0x01, 0x3f, 0x22, - 0x31, 0x0b, 0xf0, 0xb8, 0xf4, 0xf4, 0x22, 0xfc, 0x95, 0x96, 0x33, 0x9c, 0xb9, 0x62, 0xb1, 0xfc, - 0x8a, 0x2d, 0xa8, 0x5c, 0xee, 0x67, 0x72, 0x02, 0x21, 0x00, 0xa1, 0x0d, 0x47, 0xe4, 0xfd, 0x0d, - 0x15, 0xd8, 0xde, 0xa1, 0xb5, 0x96, 0x28, 0x4e, 0x7a, 0x0b, 0xbe, 0xcc, 0xec, 0xe8, 0x8e, 0xcc, - 0x7a, 0x31, 0xb3, 0x00, 0x8b, 0xc0, 0x2e, 0x4f, 0x99, 0xc5 -}; - -const atcacert_def_t g_cert_def_2_device = { - .type = CERTTYPE_X509, - .template_id = 2, - .chain_id = 0, - .private_key_slot = 0, - .sn_source = SNSRC_PUB_KEY_HASH, - .cert_sn_dev_loc = { - .zone = DEVZONE_NONE, - .slot = 0, - .is_genkey = 0, - .offset = 0, - .count = 0 - }, - .issue_date_format = DATEFMT_RFC5280_UTC, - .expire_date_format = DATEFMT_RFC5280_GEN, - .tbs_cert_loc = { - .offset = 4, - .count = 335 - }, - .expire_years = 0, - .public_key_dev_loc = { - .zone = DEVZONE_DATA, - .slot = 0, - .is_genkey = 1, - .offset = 0, - .count = 64 - }, - .comp_cert_dev_loc = { - .zone = DEVZONE_DATA, - .slot = 10, - .is_genkey = 0, - .offset = 0, - .count = 72 - }, - .std_cert_elements = { - { // STDCERT_PUBLIC_KEY - .offset = 207, - .count = 64 - }, - { // STDCERT_SIGNATURE - .offset = 351, - .count = 75 - }, - { // STDCERT_ISSUE_DATE - .offset = 101, - .count = 13 - }, - { // STDCERT_EXPIRE_DATE - .offset = 0, - .count = 0 - }, - { // STDCERT_SIGNER_ID - .offset = 93, - .count = 4 - }, - { // STDCERT_CERT_SN - .offset = 15, - .count = 16 - }, - { // STDCERT_AUTH_KEY_ID - .offset = 319, - .count = 20 - }, - { // STDCERT_SUBJ_KEY_ID - .offset = 286, - .count = 20 - } - }, - .cert_elements = NULL, - .cert_elements_count = 0, - .cert_template = g_cert_template_2_device, - .cert_template_size = sizeof(g_cert_template_2_device), - .ca_cert_def = &g_cert_def_1_signer -}; - diff --git a/components/cryptoauthlib/port/cert_def_2_device.h b/components/cryptoauthlib/port/cert_def_2_device.h deleted file mode 100644 index c108b65166..0000000000 --- a/components/cryptoauthlib/port/cert_def_2_device.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef CERT_DEF_2_DEVICE_H -#define CERT_DEF_2_DEVICE_H - -#include "atcacert/atcacert_def.h" - -#ifdef __cplusplus -extern "C" { -#endif - -extern const atcacert_def_t g_cert_def_2_device; - -#ifdef __cplusplus -} -#endif - -#endif // CERT_DEF_2_DEVICE_H diff --git a/components/esp-tls/CMakeLists.txt b/components/esp-tls/CMakeLists.txt index bf32e96ea4..d8a73c1451 100644 --- a/components/esp-tls/CMakeLists.txt +++ b/components/esp-tls/CMakeLists.txt @@ -19,3 +19,8 @@ if(CONFIG_ESP_TLS_USING_WOLFSSL) idf_component_get_property(wolfssl esp-wolfssl COMPONENT_LIB) target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolfssl}) endif() + +if(CONFIG_ESP_TLS_USE_SE) + idf_component_get_property(cryptoauthlib esp-cryptoauthlib COMPONENT_LIB) + target_link_libraries(${COMPONENT_LIB} PUBLIC ${cryptoauthlib}) +endif() diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig index 2ae7a07274..1f20cc6cfd 100644 --- a/components/esp-tls/Kconfig +++ b/components/esp-tls/Kconfig @@ -13,6 +13,17 @@ menu "ESP-TLS" bool "wolfSSL (License info in wolfSSL directory README)" endchoice + config ESP_TLS_USE_SECURE_ELEMENT + bool "Use Secure Element (ATECC608A) with ESP-TLS" + depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS + select ATCA_MBEDTLS_ECDSA + select ATCA_MBEDTLS_ECDSA_SIGN + select ATCA_MBEDTLS_ECDSA_VERIFY + default n + help + Enable use of Secure Element for ESP-TLS, this enables internal support for + ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection. + config ESP_TLS_SERVER bool "Enable ESP-TLS Server" default n diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index 441377cb21..1094170046 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -64,6 +64,7 @@ extern "C" { #define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x19) /*!< wolfSSL api returned failed */ #define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1A) /*!< wolfSSL api returned failed */ +#define ESP_ERR_ESP_TLS_SE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1B) /*< esp-tls use Secure Element returned failed */ #ifdef CONFIG_ESP_TLS_USING_MBEDTLS #define ESP_TLS_ERR_SSL_WANT_READ MBEDTLS_ERR_SSL_WANT_READ #define ESP_TLS_ERR_SSL_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE @@ -183,8 +184,8 @@ typedef struct esp_tls_cfg { underneath socket will be configured in non blocking mode after tls session is established */ - bool use_hsm; /*!< Enable this option to use Hardware Security Module or ATECC chip - ( available on WROOM32SE )*/ + bool use_secure_element; /*!< Enable this option to use secure element or + atecc608a chip ( Integrated with ESP32-WROOM-32SE ) */ int timeout_ms; /*!< Network timeout in milliseconds */ diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index b917c45d05..2b6e697b85 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -30,12 +30,19 @@ #include "esp_crt_bundle.h" #endif +#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT + +#define ATECC608A_TNG_SLAVE_ADDR 0x6A +#define ATECC608A_TFLEX_SLAVE_ADDR 0x6C +#define ATECC608A_TCUSTOM_SLAVE_ADDR 0xC0 /* cryptoauthlib includes */ #include "mbedtls/atca_mbedtls_wrap.h" +#include "tng_atca.h" #include "cryptoauthlib.h" -#include "cert_def_1_signer.h" -#include "cert_def_2_device.h" - +static const atcacert_def_t* cert_def = NULL; +/* Prototypes for functions */ +static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg); +#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */ static const char *TAG = "esp-tls-mbedtls"; static mbedtls_x509_crt *global_cacert = NULL; @@ -237,6 +244,9 @@ void esp_mbedtls_cleanup(esp_tls_t *tls) mbedtls_ssl_config_free(&tls->conf); mbedtls_ctr_drbg_free(&tls->ctr_drbg); mbedtls_ssl_free(&tls->ssl); +#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT + atcab_release(); +#endif } static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t cacert_len) @@ -454,37 +464,16 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE); } - if (cfg->use_hsm) { - ESP_LOGI(TAG, "Initialize the ATECC interface..."); - if(0 != (ret = atcab_init(&cfg_ateccx08a_i2c_default))) { - ESP_LOGE(TAG, "Failed\n !atcab_init returned %02x\n", ret); - goto exit; - } - - /* Convert to an mbedtls key */ - if (0 != atca_mbedtls_pk_init(&tls->clientkey, 0)) { - ESP_LOGE(TAG, "Failed to parse key from device\n"); - goto exit; - } - - mbedtls_x509_crt_init(&tls->clientcert); - /* Extract the device certificate and convert to mbedtls cert */ - if (0 != atca_mbedtls_cert_add(&tls->clientcert, &g_cert_def_2_device)) { - ESP_LOGE(TAG, "Failed to parse cert from device\n"); - goto exit; - } - - /* Extract the signer certificate, convert, then attach to the chain */ - if (0 != atca_mbedtls_cert_add(&tls->clientcert, &g_cert_def_1_signer)) { - ESP_LOGE(TAG, "Failed to parse cert from device\n"); - goto exit; - } - - if (0 != (ret = mbedtls_ssl_conf_own_cert(&tls->conf, &tls->clientcert, &tls->clientkey))) { - ESP_LOGE(TAG, "Failed\n ! mbedtls_ssl_conf_own_cert returned %d\r\n", ret); - goto exit; - + if (cfg->use_secure_element) { +#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT + ret = esp_set_atecc608a_pki_context(tls, (esp_tls_cfg_t *)cfg); + if (ret != ESP_OK) { + return ret; } +#else + ESP_LOGE(TAG, "Please enable secure element support for ESP-TLS in menuconfig"); + return ESP_FAIL; +#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */ } else if (cfg->clientcert_pem_buf != NULL && cfg->clientkey_pem_buf != NULL) { esp_tls_pki_t pki = { .public_cert = &tls->clientcert, @@ -601,3 +590,81 @@ void esp_mbedtls_free_global_ca_store(void) global_cacert = NULL; } } + +#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT +static esp_err_t esp_init_atecc608a(uint8_t slave_addr) +{ + cfg_ateccx08a_i2c_default.atcai2c.slave_address = slave_addr; + int ret = atcab_init(&cfg_ateccx08a_i2c_default); + if(ret != 0) { + ESP_LOGE(TAG, "Failed\n !atcab_init returned %02x", ret); + return ESP_FAIL; + } + return ESP_OK; +} + +static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg) +{ + int ret = 0; + int esp_ret = ESP_FAIL; + ESP_LOGI(TAG, "Initialize the ATECC interface..."); +#if defined(CONFIG_ATECC608A_TNG) || defined(CONFIG_ATECC608A_TFLEX) +#ifdef CONFIG_ATECC608A_TNG + esp_ret = esp_init_atecc608a(ATECC608A_TNG_SLAVE_ADDR); + if (ret != ESP_OK) { + return ESP_ERR_ESP_TLS_SE_FAILED; + } +#elif CONFIG_ATECC608A_TFLEX /* CONFIG_ATECC608A_TNG */ + esp_ret = esp_init_atecc608a(ATECC608A_TFLEX_SLAVE_ADDR); + if (ret != ESP_OK) { + return ESP_ERR_ESP_TLS_SE_FAILED; + } +#endif /* CONFIG_ATECC608A_TFLEX */ + mbedtls_x509_crt_init(&tls->clientcert); + ret = tng_get_device_cert_def(&cert_def); + if (ret != 0) { + ESP_LOGE(TAG, "Failed to get device cert def"); + return ESP_ERR_ESP_TLS_SE_FAILED; + } + + /* Extract the device certificate and convert to mbedtls cert */ + ret = atca_mbedtls_cert_add(&tls->clientcert, cert_def); + if (ret != 0) { + ESP_LOGE(TAG, "Failed to parse cert from device, return %02x", ret); + return ESP_ERR_ESP_TLS_SE_FAILED; + } +#elif CONFIG_ATECC608A_TCUSTOM + esp_ret = esp_init_atecc608a(ATECC608A_TCUSTOM_SLAVE_ADDR); + if (ret != ESP_OK) { + return ESP_ERR_ESP_TLS_SE_FAILED; + } + mbedtls_x509_crt_init(&tls->clientcert); + + if(cfg->clientcert_buf != NULL) { + ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)cfg->clientcert_buf, cfg->clientcert_bytes); + if (ret < 0) { + ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x", -ret); + ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret); + return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED; + } + } else { + ESP_LOGE(TAG, "Device certificate must be provided for TrustCustom Certs"); + return ESP_FAIL; + } +#endif /* CONFIG_ATECC608A_TCUSTOM */ + ret = atca_mbedtls_pk_init(&tls->clientkey, 0); + if (ret != 0) { + ESP_LOGE(TAG, "Failed to parse key from device"); + ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret); + return ESP_ERR_ESP_TLS_SE_FAILED; + } + + ret = mbedtls_ssl_conf_own_cert(&tls->conf, &tls->clientcert, &tls->clientkey); + if (ret != 0) { + ESP_LOGE(TAG, "Failed\n ! mbedtls_ssl_conf_own_cert returned -0x%x", ret); + ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret); + return ESP_ERR_ESP_TLS_SE_FAILED; + } + return ESP_OK; +} +#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */ diff --git a/components/esp_common/src/esp_err_to_name.c b/components/esp_common/src/esp_err_to_name.c index cf05b05df4..daf22a1ecd 100644 --- a/components/esp_common/src/esp_err_to_name.c +++ b/components/esp_common/src/esp_err_to_name.c @@ -643,6 +643,9 @@ static const esp_err_msg_t esp_err_msg_table[] = { # endif # ifdef ESP_ERR_WOLFSSL_SSL_WRITE_FAILED ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED), /* 32794 0x801a wolfSSL api returned failed */ +# endif +# ifdef ESP_ERR_ESP_TLS_SE_FAILED + ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED), /* 32795 0x801b */ # endif // components/esp_https_ota/include/esp_https_ota.h # ifdef ESP_ERR_HTTPS_OTA_BASE diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt index 0eac1a12d0..597c70495b 100644 --- a/components/mbedtls/CMakeLists.txt +++ b/components/mbedtls/CMakeLists.txt @@ -122,4 +122,8 @@ set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls) # Link mbedtls libraries to component library target_link_libraries(${COMPONENT_LIB} INTERFACE ${mbedtls_targets}) - +# Link esp-cryptoauthlib to mbedtls +if(CONFIG_ATCA_MBEDTLS_ECDSA) + idf_component_get_property(cryptoauthlib esp-cryptoauthlib COMPONENT_LIB) + target_link_libraries(${COMPONENT_LIB} PUBLIC ${cryptoauthlib}) +endif() diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 2edeca40c8..6c7a203220 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -280,21 +280,14 @@ menu "mbedTLS" SHA hardware acceleration is faster than software in some situations but slower in others. You should benchmark to find the best setting for you. - config MBEDTLS_ATCA_HARDWARE_ECDH - bool "Enable hardware ECDH acceleration when using ATECC608A cryptoauth chip" - default n - help - This option enables hardware acceleration for ECDH, only when using - ATECC608A cryptoauth chip (integrated with ESP32-WROOM-32SE) - - config MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN + config MBEDTLS_ATCA_HW_ECDSA_SIGN bool "Enable hardware ECDSA sign acceleration when using ATECC608A" default n help This option enables hardware acceleration for ECDSA sign function, only when using ATECC608A cryptoauth chip (integrated with ESP32-WROOM-32SE) - config MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY + config MBEDTLS_ATCA_HW_ECDSA_VERIFY bool "Enable hardware ECDSA verify acceleration when using ATECC608A" default n help @@ -671,14 +664,14 @@ menu "mbedTLS" config MBEDTLS_ECP_DP_SECP192R1_ENABLED bool "Enable SECP192R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP192R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP224R1_ENABLED bool "Enable SECP224R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP224R1 Elliptic Curve. @@ -692,63 +685,63 @@ menu "mbedTLS" config MBEDTLS_ECP_DP_SECP384R1_ENABLED bool "Enable SECP384R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP384R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP521R1_ENABLED bool "Enable SECP521R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP521R1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP192K1_ENABLED bool "Enable SECP192K1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP192K1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP224K1_ENABLED bool "Enable SECP224K1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP224K1 Elliptic Curve. config MBEDTLS_ECP_DP_SECP256K1_ENABLED bool "Enable SECP256K1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for SECP256K1 Elliptic Curve. config MBEDTLS_ECP_DP_BP256R1_ENABLED bool "Enable BP256R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help support for DP Elliptic Curve. config MBEDTLS_ECP_DP_BP384R1_ENABLED bool "Enable BP384R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help support for DP Elliptic Curve. config MBEDTLS_ECP_DP_BP512R1_ENABLED bool "Enable BP512R1 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help support for DP Elliptic Curve. config MBEDTLS_ECP_DP_CURVE25519_ENABLED bool "Enable CURVE25519 curve" depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HARDWARE_ECDH || MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN || MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY) + default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) help Enable support for CURVE25519 Elliptic Curve. diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 3d7ef767d6..93c8ce285a 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -149,16 +149,11 @@ #undef MBEDTLS_MPI_MUL_MPI_ALT #endif -#ifdef CONFIG_MBEDTLS_ATCA_HARDWARE_ECDH -#define MBEDTLS_ECDH_GEN_PUBLIC_ALT -#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT -#endif - -#ifdef CONFIG_MBEDTLS_ATCA_HARDWARE_ECDSA_SIGN +#ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN #define MBEDTLS_ECDSA_SIGN_ALT #endif -#ifdef CONFIG_MBEDTLS_ATCA_HARDWARE_ECDSA_VERIFY +#ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY #define MBEDTLS_ECDSA_VERIFY_ALT #endif diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h index 9ce0b19c31..ff3f9d6231 100644 --- a/components/tcp_transport/include/esp_transport_ssl.h +++ b/components/tcp_transport/include/esp_transport_ssl.h @@ -132,6 +132,15 @@ void esp_transport_ssl_set_alpn_protocol(esp_transport_handle_t t, const char ** */ void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t); +/** + * @brief Set the ssl context to use secure element (atecc608a) for client(device) private key and certificate + * + * @note Recommended to be used with ESP32-WROOM-32SE (which has inbuilt ATECC608A a.k.a Secure Element) + * + * @param t ssl transport + */ +void esp_transport_ssl_use_secure_element(esp_transport_handle_t t); + /** * @brief Set PSK key and hint for PSK server/client verification in esp-tls component. * Important notes: diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c index 98bda19a0c..a413c84617 100644 --- a/components/tcp_transport/transport_ssl.c +++ b/components/tcp_transport/transport_ssl.c @@ -280,6 +280,14 @@ void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t) } } +void esp_transport_ssl_use_secure_element(esp_transport_handle_t t) +{ + transport_ssl_t *ssl = esp_transport_get_context_data(t); + if (t && ssl) { + ssl->cfg.use_secure_element = true; + } +} + esp_transport_handle_t esp_transport_ssl_init(void) { esp_transport_handle_t t = esp_transport_init(); diff --git a/docs/conf_common.py b/docs/conf_common.py index 84cbef64be..7148eacfb5 100644 --- a/docs/conf_common.py +++ b/docs/conf_common.py @@ -152,6 +152,7 @@ ESP32_DOCS = ['api-guides/ulp_instruction_set.rst', 'api-reference/system/ipc.rst', 'security/secure-boot-v1.rst', 'security/secure-boot-v2.rst', + 'api-reference/peripherals/secure_element.rst', 'hw-reference/esp32/**'] + LEGACY_DOCS ESP32S2_DOCS = ['esp32s2.rst', diff --git a/docs/en/COPYRIGHT.rst b/docs/en/COPYRIGHT.rst index 8b4aacbd0b..3cbd5844cd 100644 --- a/docs/en/COPYRIGHT.rst +++ b/docs/en/COPYRIGHT.rst @@ -63,6 +63,7 @@ These third party libraries can be included into the application (firmware) prod * `mynewt-nimble`_ Apache Mynewt NimBLE, Copyright 2015-2018, The Apache Software Foundation, is licensed under Apache License 2.0 as described in :component_file:`LICENSE file`. +* `cryptoauthlib`_ Microchip CryptoAuthentication Library - Copyright (c) 2015 - 2018 Microchip Technology Inc, is licensed under common Microchip software License as described in :example_file:`LICENSE file ` Build Tools ----------- @@ -180,4 +181,4 @@ Copyright (C) 2011, ChaN, all right reserved. .. _ESP-IDF Programming Guide: https://docs.espressif.com/projects/esp-idf/en/latest/ .. _sphinx_idf_theme: https://github.com/espressif/sphinx_idf_theme .. _sphinx_rtd_theme: https://github.com/readthedocs/sphinx_rtd_theme - +.. _cryptoauthlib: https://github.com/MicrochipTech/cryptoauthlib diff --git a/docs/en/api-reference/peripherals/index.rst b/docs/en/api-reference/peripherals/index.rst index 77de48111a..6da97bc378 100644 --- a/docs/en/api-reference/peripherals/index.rst +++ b/docs/en/api-reference/peripherals/index.rst @@ -25,6 +25,7 @@ Peripherals API Sigma-delta Modulation SPI Master SPI Slave + :esp32: Secure Element :esp32s2: Temp sensor Timer Touch Sensor diff --git a/docs/en/api-reference/peripherals/secure_element.rst b/docs/en/api-reference/peripherals/secure_element.rst new file mode 100644 index 0000000000..f315f1ac1d --- /dev/null +++ b/docs/en/api-reference/peripherals/secure_element.rst @@ -0,0 +1,24 @@ +ESP32-WROOM-32SE (Secure Element) +================================= + +Overview +-------- + +The ESP32-WROOM-32SE has integrated Microchip's ATECC608A cryptoauth chip in the module. ATECC608A is secure element +which would generate and store ECC private key in the hardware.The ECC private key can be used to enhance security +to connect to IoT cloud services with use of X.509 based mutual authentication. +The application example demonstrates ECDSA sign and verify functions using ECC private key stored in ATECC608A + +Application Example +------------------- + +Secure Element ECDSA Sign/Verify example: :example:`peripherals/secure_element/atecc608_ecdsa`. + +How to configure and provision ESP32-WROOM-32SE for TLS +------------------------------------------------------- +To configure and provision ATECC608A chip on ESP32-WROOM-32SE please visit `esp_cryptoauth_utility `_ + +How to use ATECC608A of ESP32-WROOM-32SE for TLS +------------------------------------------------ +ATECC608A can be used for TLS connections using ESP-TLS. +To configure ESP-TLS for using secure element please refer `ATECC608A with ESP-TLS` in :doc:`ESP-TLS documentation.<../protocols/esp_tls>` diff --git a/docs/en/api-reference/protocols/esp_tls.rst b/docs/en/api-reference/protocols/esp_tls.rst index 13a27c7a9d..a46911e439 100644 --- a/docs/en/api-reference/protocols/esp_tls.rst +++ b/docs/en/api-reference/protocols/esp_tls.rst @@ -88,6 +88,38 @@ SSL/TLS libraries and with all respective configurations set to default. .. note:: `These values are subject to change with change in configuration options and version of respective libraries`. +ATECC608A (Secure Element) with ESP-TLS +-------------------------------------------------- + +ESP-TLS provides support for using ATECC608A cryptoauth chip with ESP32-WROOM-32SE. +Use of ATECC608A is supported only when ESP-TLS is used with mbedTLS as its underlying SSL/TLS stack. +ESP-TLS uses mbedtls as its underlying TLS/SSL stack by default unless changed manually. + +.. note:: ATECC608A chip on ESP32-WROOM-32SE must be already configured and provisioned, for details refer `esp_cryptoauth_utility `_ + +To enable the secure element support, and use it in you project for TLS connection, you will have to follow below steps + +1) Add `esp-cryptoauthlib `_ in your project, for details please refer `esp-cryptoauthlib with ESP_IDF `_ + +2) Enable following menuconfig option:: + + menuconfig->Component config->ESP-TLS->Use Secure Element (ATECC608A) with ESP-TLS + +3) Select type of ATECC608A chip with following option:: + + menuconfig->Component config->esp-cryptoauthlib->Choose Type of ATECC608A chip + +to know more about different types of ATECC608A chips and how to obtain type of ATECC608A connected to your ESP module please visit `ATECC608A chip type `_ + +4) Enable use of ATECC608A in ESP-TLS by providing following config option in `esp_tls_cfg_t` + +.. code-block:: c + + esp_tls_cfg_t cfg = { + /* other configurations options */ + .use_secure_element = true, + }; + API Reference ------------- diff --git a/docs/zh_CN/api-reference/peripherals/index.rst b/docs/zh_CN/api-reference/peripherals/index.rst index 0c27a6fedb..18a3708691 100644 --- a/docs/zh_CN/api-reference/peripherals/index.rst +++ b/docs/zh_CN/api-reference/peripherals/index.rst @@ -23,6 +23,7 @@ Sigma-delta Modulation SPI Master SPI Slave + :esp32: Secure Element :esp32s2: Temp sensor Timer Touch Sensor diff --git a/docs/zh_CN/api-reference/peripherals/secure_element.rst b/docs/zh_CN/api-reference/peripherals/secure_element.rst new file mode 100644 index 0000000000..67c4480917 --- /dev/null +++ b/docs/zh_CN/api-reference/peripherals/secure_element.rst @@ -0,0 +1 @@ +.. include:: ../../../en/api-reference/peripherals/secure_element.rst diff --git a/examples/peripherals/security/atecc608_ecdsa/CMakeLists.txt b/examples/peripherals/secure_element/atecc608_ecdsa/CMakeLists.txt similarity index 100% rename from examples/peripherals/security/atecc608_ecdsa/CMakeLists.txt rename to examples/peripherals/secure_element/atecc608_ecdsa/CMakeLists.txt diff --git a/examples/peripherals/security/atecc608_ecdsa/Makefile b/examples/peripherals/secure_element/atecc608_ecdsa/Makefile similarity index 100% rename from examples/peripherals/security/atecc608_ecdsa/Makefile rename to examples/peripherals/secure_element/atecc608_ecdsa/Makefile diff --git a/examples/peripherals/secure_element/atecc608_ecdsa/README.md b/examples/peripherals/secure_element/atecc608_ecdsa/README.md new file mode 100644 index 0000000000..4df1b89647 --- /dev/null +++ b/examples/peripherals/secure_element/atecc608_ecdsa/README.md @@ -0,0 +1,34 @@ +| Supported Targets | ESP32 | +| ----------------- | ----- | + +# ESP32-WROOM-32SE ECDSA sign/verify example +## Description +This example requires [ESP32-WROOM-32SE](https://www.espressif.com/sites/default/files/documentation/esp32-wroom-32se_datasheet_en.pdf) which has Microchip's [ATECC608A](https://www.microchip.com/wwwproducts/en/ATECC608A) (Secure Element) integrated on the module. The example performs `ECDSA sign/verify` functions on sample data using hardware private key stored in ATECC608A chip.If you want to use bare `ATECC608A` chip (Secure Element) with `ESP32-WROOM-32` module by making external connections, please refer [this](https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#using-atecc608a-with-esp32-wroom-32) for details. +See the README.md file in the upper level examples directory for more information about examples. +## Hardware +To get started you will need a `ESP32-WROOM-32SE` development board which integrates Microchip’s ATECC608A CryptoAuth chip in the module. + +## Configuration +ATECC608A chip on ESP32-WROOM-32SE should be configured to run the example, for details on configuration of ATECC608A chip, please refer [esp_cryptoauth_utility](https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#esp_cryptoauth_utility) + +1) Set type of `ATECC608A` chip in menuconfig. + +* `menuconfig->Component config->esp-cryptoauthlib->Choose Type of ATECC608A chip`. +for more details refer [Find ATECC608A chip type](https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#find-type-of-atecc608a-chip-connected-to-esp32-wroom32-se). + +2) Enable `Hardware ECDSA sign/verify` in menuconfig as by enabling following. (Enabled by default for this example) + +* `menuconfig->Component config->esp-cryptoauthlib->Enable Hardware ECDSA keys for mbedTLS` +* `menuconfig->Component config->esp-cryptoauthlib->Enable ATECC608A sign operations in mbedTLS` +* `menuconfig->Component config->esp-cryptoauthlib->Enable ATECC608A verify operations in mbedTLS` + +## Build and Flash + +Run following command to build and flash the project. +``` +idf.py -p PORT flash monitor +``` + +(To exit the serial monitor, type ``Ctrl-]``.) + +See the [Getting Started Guide](https://docs.espressif.com/projects/esp-idf/en/latest/get-started/index.html) for full steps to configure and use ESP-IDF to build projects. diff --git a/examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib b/examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib new file mode 160000 index 0000000000..f31ff0b125 --- /dev/null +++ b/examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib @@ -0,0 +1 @@ +Subproject commit f31ff0b1252158b9a19a0494d7dc6f81313c6ef0 diff --git a/examples/peripherals/secure_element/atecc608_ecdsa/main/CMakeLists.txt b/examples/peripherals/secure_element/atecc608_ecdsa/main/CMakeLists.txt new file mode 100644 index 0000000000..0122eb9541 --- /dev/null +++ b/examples/peripherals/secure_element/atecc608_ecdsa/main/CMakeLists.txt @@ -0,0 +1,5 @@ +# Main component CMakeLists.txt +idf_component_register( + SRC_DIRS "." + INCLUDE_DIRS "." + ) diff --git a/examples/peripherals/security/atecc608_ecdsa/main/component.mk b/examples/peripherals/secure_element/atecc608_ecdsa/main/component.mk similarity index 100% rename from examples/peripherals/security/atecc608_ecdsa/main/component.mk rename to examples/peripherals/secure_element/atecc608_ecdsa/main/component.mk diff --git a/examples/peripherals/secure_element/atecc608_ecdsa/main/ecdsa_example_main.c b/examples/peripherals/secure_element/atecc608_ecdsa/main/ecdsa_example_main.c new file mode 100644 index 0000000000..c6d0738f83 --- /dev/null +++ b/examples/peripherals/secure_element/atecc608_ecdsa/main/ecdsa_example_main.c @@ -0,0 +1,241 @@ +/** + * atecc608a_ecdsa example + * + * Original Copyright (C) 2006-2016, ARM Limited, All Rights Reserved, Apache 2.0 License. + * Additions Copyright (C) Copyright 2015-2020 Espressif Systems (Shanghai) PTE LTD, Apache 2.0 License. + * + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* This is mbedtls boilerplate for library configuration */ +#include "mbedtls/config.h" + +/* System Includes*/ +#include +#include "freertos/FreeRTOS.h" +#include "freertos/task.h" +#include "esp_system.h" +#include "esp_spi_flash.h" +#include "esp_log.h" + +/* Cryptoauthlib includes */ +#include "cryptoauthlib.h" +#include "mbedtls/atca_mbedtls_wrap.h" + +/* mbedTLS includes */ +#include "mbedtls/platform.h" +#include "mbedtls/debug.h" +#include "mbedtls/ssl.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/pk.h" + +static const char *TAG = "atecc_example"; +/* globals for mbedtls RNG */ +static mbedtls_entropy_context entropy; +static mbedtls_ctr_drbg_context ctr_drbg; + +static int configure_mbedtls_rng(void) +{ + int ret; + const char * seed = "some random seed string"; + mbedtls_ctr_drbg_init(&ctr_drbg); + + ESP_LOGI(TAG, "Seeding the random number generator..."); + + mbedtls_entropy_init(&entropy); + ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *)seed, strlen(seed)); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! mbedtls_ctr_drbg_seed returned %d", ret); + } else { + ESP_LOGI(TAG, " ok"); + } + return ret; +} + +static void close_mbedtls_rng(void) +{ + mbedtls_ctr_drbg_free(&ctr_drbg); + mbedtls_entropy_free(&entropy); +} + +/* An example hash */ +static unsigned char hash[32] = { + 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, + 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad +}; + +static const uint8_t public_key_x509_header[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, + 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04 +}; + +static void print_public_key(uint8_t *pubkey) +{ + uint8_t buf[128]; + uint8_t * tmp; + size_t buf_len = sizeof(buf); + + /* Calculate where the raw data will fit into the buffer */ + tmp = buf + sizeof(buf) - ATCA_PUB_KEY_SIZE - sizeof(public_key_x509_header); + + /* Copy the header */ + memcpy(tmp, public_key_x509_header, sizeof(public_key_x509_header)); + + /* Copy the key bytes */ + memcpy(tmp + sizeof(public_key_x509_header), pubkey, ATCA_PUB_KEY_SIZE); + + /* Convert to base 64 */ + (void)atcab_base64encode(tmp, ATCA_PUB_KEY_SIZE + sizeof(public_key_x509_header), (char*)buf, &buf_len); + + /* Add a null terminator */ + buf[buf_len] = '\0'; + + /* Print out the key */ + ESP_LOGI(TAG, "\r\n-----BEGIN PUBLIC KEY-----\r\n%s\r\n-----END PUBLIC KEY-----", buf); +} + +static int atca_ecdsa_test(void) +{ + mbedtls_pk_context pkey; + int ret; + unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + size_t olen = 0; + + /* ECDSA Sign/Verify */ + +#ifdef MBEDTLS_ECDSA_SIGN_ALT + /* Convert to an mbedtls key */ + ESP_LOGI(TAG, " Using a hardware private key ..." ); + ret = atca_mbedtls_pk_init(&pkey, 0); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! atca_mbedtls_pk_init returned %02x", ret); + goto exit; + } + ESP_LOGI(TAG, " ok"); +#else + ESP_LOGI(TAG, " Generating a software private key ..." ); + mbedtls_pk_init(&pkey); + ret = mbedtls_pk_setup(&pkey, + mbedtls_pk_info_from_type( MBEDTLS_PK_ECDSA )); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! mbedtls_pk_setup returned -0x%04x", -ret ); + goto exit; + } + + ret = mbedtls_ecp_gen_key( MBEDTLS_ECP_DP_SECP256R1, + mbedtls_pk_ec( pkey ), + mbedtls_ctr_drbg_random, &ctr_drbg ); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! mbedtls_ecp_gen_key returned -0x%04x", -ret ); + goto exit; + } + ESP_LOGI(TAG, " ok"); +#endif + + ESP_LOGI(TAG, " Generating ECDSA Signature..."); + ret = mbedtls_pk_sign(&pkey, MBEDTLS_MD_SHA256, hash, 0, buf, &olen, + mbedtls_ctr_drbg_random, &ctr_drbg); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! mbedtls_pk_sign returned -0x%04x", -ret); + goto exit; + } + ESP_LOGI(TAG, " ok"); + + ESP_LOGI(TAG, " Verifying ECDSA Signature..."); + ret = mbedtls_pk_verify(&pkey, MBEDTLS_MD_SHA256, hash, 0, + buf, olen); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! mbedtls_pk_verify returned -0x%04x", -ret); + goto exit; + } + ESP_LOGI(TAG, " ok"); + +exit: + fflush(stdout); + return ret; +} + +void app_main(void) +{ + int ret = 0; + bool lock; + uint8_t buf[ATCA_ECC_CONFIG_SIZE]; + uint8_t pubkey[ATCA_PUB_KEY_SIZE]; + + /* Initialize the mbedtls library */ + ret = configure_mbedtls_rng(); +#ifdef CONFIG_ATECC608A_TNG + ESP_LOGI(TAG, " . Initialize the ATECC interface for Trust & GO ..."); + cfg_ateccx08a_i2c_default.atcai2c.slave_address = 0x6A; +#elif CONFIG_ATECC608A_TFLEX /* CONFIG_ATECC608A_TNGO */ + ESP_LOGI(TAG, " . Initialize the ATECC interface for TrustFlex ..."); + cfg_ateccx08a_i2c_default.atcai2c.slave_address = 0x6C; +#elif CONFIG_ATECC608A_TCUSTOM /* CONFIG_ATECC608A_TFLEX */ + ESP_LOGI(TAG, " . Initialize the ATECC interface for TrustCustom ..."); + /* Default slave address is same as that of TCUSTOM ATECC608A chips */ +#endif /* CONFIG_ATECC608A_TCUSTOM */ + ret = atcab_init(&cfg_ateccx08a_i2c_default); + if (ret != 0) { + ESP_LOGI(TAG, " failed ! atcab_init returned %02x", ret); + goto exit; + } + ESP_LOGI(TAG, " ok"); + + lock = 0; + ESP_LOGI(TAG, " Check the data zone lock status..."); + ret = atcab_is_locked(LOCK_ZONE_DATA, &lock); + if (ret != 0) { + ESP_LOGI(TAG, " failed\n ! atcab_is_locked returned %02x", ret); + goto exit; + } + + if (lock) { + ESP_LOGI(TAG, " ok: locked"); + } else { + ESP_LOGE(TAG, "unlocked, please lock(configure) the ATECC608A chip with help of esp_cryptoauth_utility and try again"); + goto exit; + } + + ESP_LOGI(TAG, " Get the device info (type)..."); + ret = atcab_info(buf); + if (ret != 0) { + ESP_LOGI(TAG, " failed\n ! atcab_info returned %02x", ret); + goto exit; + } + ESP_LOGI(TAG, " ok: %02x %02x", buf[2], buf[3]); + + ESP_LOGI(TAG, " Get the public key..."); + ret = atcab_get_pubkey(0, pubkey); + if (ret != 0) { + ESP_LOGI(TAG, " failed\n ! atcab_get_pubkey returned %02x", ret); + goto exit; + } + ESP_LOGI(TAG, " ok"); + print_public_key(pubkey); + + /* Perform a Sign/Verify Test */ + ret = atca_ecdsa_test(); + if (ret != 0) { + ESP_LOGE(TAG, " ECDSA sign/verify failed"); + goto exit; + } + +exit: + fflush(stdout); + close_mbedtls_rng(); + +} + diff --git a/examples/peripherals/security/atecc608_ecdsa/sdkconfig.defaults b/examples/peripherals/secure_element/atecc608_ecdsa/sdkconfig.defaults similarity index 63% rename from examples/peripherals/security/atecc608_ecdsa/sdkconfig.defaults rename to examples/peripherals/secure_element/atecc608_ecdsa/sdkconfig.defaults index 59a302a9f5..b704bedeff 100644 --- a/examples/peripherals/security/atecc608_ecdsa/sdkconfig.defaults +++ b/examples/peripherals/secure_element/atecc608_ecdsa/sdkconfig.defaults @@ -1,4 +1,3 @@ -# Enable Cryptoauthlib hardware acceleration of mbedtls CONFIG_ATCA_MBEDTLS_ECDSA=y CONFIG_ATCA_MBEDTLS_ECDSA_SIGN=y CONFIG_ATCA_MBEDTLS_ECDSA_VERIFY=y diff --git a/examples/peripherals/security/atecc608_ecdsa/main/ecdsa_example_main.c b/examples/peripherals/security/atecc608_ecdsa/main/ecdsa_example_main.c deleted file mode 100644 index a835f9afed..0000000000 --- a/examples/peripherals/security/atecc608_ecdsa/main/ecdsa_example_main.c +++ /dev/null @@ -1,233 +0,0 @@ -/* Hello World Example - - This example code is in the Public Domain (or CC0 licensed, at your option.) - - Unless required by applicable law or agreed to in writing, this - software is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR - CONDITIONS OF ANY KIND, either express or implied. -*/ - -/* This is mbedtls boilerplate for library configuration */ -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif - -/* System Includes*/ -#include -#include "freertos/FreeRTOS.h" -#include "freertos/task.h" -#include "esp_system.h" -#include "esp_spi_flash.h" - -/* Cryptoauthlib includes */ -#include "cryptoauthlib.h" -#include "mbedtls/atca_mbedtls_wrap.h" - -/* mbedTLS includes */ -#include "mbedtls/platform.h" -#include "mbedtls/debug.h" -#include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/pk.h" - -/* globals for mbedtls RNG */ -static mbedtls_entropy_context entropy; -static mbedtls_ctr_drbg_context ctr_drbg; - -static int configure_mbedtls_rng(void) -{ - int ret; - const char * seed = "some random seed string"; - mbedtls_ctr_drbg_init(&ctr_drbg); - - printf("\n . Seeding the random number generator..."); - - mbedtls_entropy_init(&entropy); - if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *)seed, strlen(seed))) != 0) - { - printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret); - } - else - { - printf(" ok\n"); - } - return ret; -} - -static void close_mbedtls_rng(void) -{ - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); -} - -/* An example hash */ -static unsigned char hash[32] = { - 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, - 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad -}; - -static const uint8_t public_key_x509_header[] = { - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, - 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04 -}; - -static void print_public_key(uint8_t pubkey[ATCA_PUB_KEY_SIZE]) -{ - uint8_t buf[128]; - uint8_t * tmp; - size_t buf_len = sizeof(buf); - - /* Calculate where the raw data will fit into the buffer */ - tmp = buf + sizeof(buf) - ATCA_PUB_KEY_SIZE - sizeof(public_key_x509_header); - - /* Copy the header */ - memcpy(tmp, public_key_x509_header, sizeof(public_key_x509_header)); - - /* Copy the key bytes */ - memcpy(tmp + sizeof(public_key_x509_header), pubkey, ATCA_PUB_KEY_SIZE); - - /* Convert to base 64 */ - (void)atcab_base64encode(tmp, ATCA_PUB_KEY_SIZE + sizeof(public_key_x509_header), (char*)buf, &buf_len); - - /* Add a null terminator */ - buf[buf_len] = 0; - - /* Print out the key */ - printf("-----BEGIN PUBLIC KEY-----\r\n%s\r\n-----END PUBLIC KEY-----\r\n", buf); -} - - -extern int atca_connect(const char * endpoint, const char * port); -extern int atca_provision(void); - -static int atca_ecdsa_test(void) -{ - mbedtls_pk_context pkey; - int ret; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; - size_t olen = 0; - - /* ECDSA Sign/Verify */ - -#ifdef MBEDTLS_ECDSA_SIGN_ALT - /* Convert to an mbedtls key */ - printf( "\n . Using a hardware private key ..." ); - if (0 != (ret = atca_mbedtls_pk_init(&pkey, 0))) - { - printf(" failed\n ! atca_mbedtls_pk_init returned %02x\n", ret); - goto exit; - } - printf(" ok\n"); -#else - printf( "\n . Generating a software private key ..." ); - mbedtls_pk_init(&pkey); - if( ( ret = mbedtls_pk_setup( &pkey, - mbedtls_pk_info_from_type( MBEDTLS_PK_ECDSA ) ) ) != 0 ) - { - printf( " failed\n ! mbedtls_pk_setup returned -0x%04x", -ret ); - goto exit; - } - - ret = mbedtls_ecp_gen_key( MBEDTLS_ECP_DP_SECP256R1, - mbedtls_pk_ec( pkey ), - mbedtls_ctr_drbg_random, &ctr_drbg ); - if( ret != 0 ) - { - printf( " failed\n ! mbedtls_ecp_gen_key returned -0x%04x", -ret ); - goto exit; - } - printf(" ok\n"); -#endif - - printf(" . Generating ECDSA Signature..."); - if ((ret = mbedtls_pk_sign(&pkey, MBEDTLS_MD_SHA256, hash, 0, buf, &olen, - mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) - { - printf(" failed\n ! mbedtls_pk_sign returned -0x%04x\n", -ret); - goto exit; - } - printf(" ok\n"); - - printf(" . Verifying ECDSA Signature..."); - if ((ret = mbedtls_pk_verify(&pkey, MBEDTLS_MD_SHA256, hash, 0, - buf, olen)) != 0) - { - printf(" failed\n ! mbedtls_pk_verify returned -0x%04x\n", -ret); - goto exit; - } - printf(" ok\n"); - -exit: - fflush(stdout); - return ret; -} - - -void app_main(void) -{ - int ret = 0; - bool lock; - uint8_t buf[ATCA_ECC_CONFIG_SIZE]; - uint8_t pubkey[ATCA_PUB_KEY_SIZE]; - - /* Initialize the mbedtls library */ - if (!ret) - { - ret = configure_mbedtls_rng(); - } - - printf(" . Initialize the ATECC interface..."); - if(0 != (ret = atcab_init(&cfg_ateccx08a_i2c_default))) - { - printf(" failed\n ! atcab_init returned %02x\n", ret); - goto exit; - } - printf(" ok\n"); - - lock = 0; - printf(" . Check the data zone lock status..."); - if (0 != (ret = atcab_is_locked(LOCK_ZONE_DATA, &lock))) - { - printf(" failed\n ! atcab_is_locked returned %02x\n", ret); - goto exit; - } - printf(" ok: %s\n", lock ? "locked" : "unlocked"); - - printf(" . Get the device info (type)..."); - if (0 != (ret = atcab_info(buf))) - { - printf(" failed\n ! atcab_info returned %02x\n", ret); - goto exit; - } - printf(" ok: %02x %02x\n", buf[2], buf[3]); - - /* If the data zone is not locked (i.e. the configuration is not activated - then if these were run they would simply return execution errors */ - if (!ret && lock) - { - printf(" . Get the public key..."); - if (0 != (ret = atcab_get_pubkey(0, pubkey))) - { - printf(" failed\n ! atcab_get_pubkey returned %02x\n", ret); - goto exit; - } - printf(" ok\n\n"); - print_public_key(pubkey); - - if(!ret) - { - /* Perform a Sign/Verify Test */ - ret = atca_ecdsa_test(); - } - } - -exit: - fflush(stdout); - close_mbedtls_rng(); - -} -