Adds ATECC608 secure element support for esp32 - DPS registration works correctly for device certificate and registration ID generated at runtime using added functions

Author: sckulkarni246

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "libs/azure-iot-middleware-freertos"]
 	path = libs/azure-iot-middleware-freertos
 	url = https://github.com/Azure/azure-iot-middleware-freertos.git
+[submodule "demos/projects/ESPRESSIF/esp32/components/esp-cryptoauthlib"]
+	path = demos/projects/ESPRESSIF/esp32/components/esp-cryptoauthlib
+	url = https://github.com/espressif/esp-cryptoauthlib

demos/projects/ESPRESSIF/esp32/components/esp-cryptoauthlib

@@ -90,6 +90,11 @@ TlsTransportStatus_t TLS_Socket_Connect( NetworkContext_t * pNetworkContext,
     {
         esp_transport_ssl_set_cert_data_der( pNetworkContext->xTransport, ( const char * ) pNetworkCredentials->pucRootCa, pNetworkCredentials->xRootCaSize );
     }
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+
+    esp_transport_ssl_use_secure_element( pNetworkContext->xTransport );
+
+#else
 
     if ( pNetworkCredentials->pucClientCert )
     {
@@ -101,6 +106,8 @@ TlsTransportStatus_t TLS_Socket_Connect( NetworkContext_t * pNetworkContext,
         esp_transport_ssl_set_client_key_data_der( pNetworkContext->xTransport, (const char *) pNetworkCredentials->pucPrivateKey, pNetworkCredentials->xPrivateKeySize );
     }
 
+#endif
+
     if ( esp_transport_connect( pNetworkContext->xTransport, pHostName, usPort, ulReceiveTimeoutMs ) < 0 )
     {
         ESP_LOGE( TAG, "Failed establishing TLS connection (esp_transport_connect failed)" );

demos/projects/ESPRESSIF/esp32/components/sample-azure-iot/transport_tls_esp32.c

@@ -25,6 +25,11 @@
 /* Crypto helper header. */
 #include "crypto.h"
 
+/* For using the ATECC608 secure element if support is configured */
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT && CONFIG_ATCA_MBEDTLS_ECDSA
+    #include "cryptoauthlib.h"
+#endif
+
 /*-----------------------------------------------------------*/
 
 /* Compile time error for undefined configs. */
@@ -145,6 +150,20 @@ struct NetworkContext
 static AzureIoTHubClient_t xAzureIoTHubClient;
 /*-----------------------------------------------------------*/
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+/**
+ * @brief Generates the registration ID using the ATECC608 chip dynamically using 
+ *          cryptoauthlib API
+ *
+ *
+ * @param[out] pucSecureElementSerNum  An unsigned char buffer to hold the 9-byte serial number of the ATECC608 chip
+ * @param[out] pcRegistrationID  The string that will hold the registration ID - should be 21 bytes or more
+ */
+    static uint32_t prvPrepareRegistrationIdFromATECC608( uint8_t *sernum,
+                                                          char *registration_id_string );
+
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
 #ifdef democonfigENABLE_DPS_SAMPLE
 
 /**
@@ -471,6 +490,33 @@ static void prvAzureDemoTask( void * pvParameters )
 }
 /*-----------------------------------------------------------*/
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+/**
+ * @brief Get the serial number of the ATECC608 chip and the registration ID that will be used
+ * by the DPS client
+ * 
+ */
+    static uint32_t prvPrepareRegistrationIdFromATECC608(uint8_t *sernum, char *registration_id_string) {
+        if(sernum == NULL || registration_id_string == NULL || (strlen(registration_id_string) < 21)) {
+            return -1; // improper parameters
+        }
+
+        ATCA_STATUS s;
+        s = atcab_read_serial_number(sernum);
+        if(s != ATCA_SUCCESS) {
+            return -3;
+        }
+        sprintf(registration_id_string,"sn%02X%02X%02X%02X%02X%02X%02X%02X%02X",sernum[0],sernum[1],\
+        sernum[2],sernum[3],sernum[4],sernum[5],sernum[6],sernum[7],sernum[8]);
+        registration_id_string[20] = '\0';
+
+        return 0;
+
+    }
+
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
+
 #ifdef democonfigENABLE_DPS_SAMPLE
 
 /**
@@ -503,6 +549,16 @@ static void prvAzureDemoTask( void * pvParameters )
         xTransport.xSend = TLS_Socket_Send;
         xTransport.xRecv = TLS_Socket_Recv;
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+        /* Redefine the democonfigREGISTRATION_ID macro dynamically */
+        #undef democonfigREGISTRATION_ID
+        char registration_id_string[21];
+        uint8_t sernum[9];
+        ulStatus = prvPrepareRegistrationIdFromATECC608(sernum,registration_id_string);
+        configASSERT( ulStatus == 0);
+        #define democonfigREGISTRATION_ID    registration_id_string
+#endif
+
         xResult = AzureIoTProvisioningClient_Init( &xAzureIoTProvisioningClient,
                                                    ( const uint8_t * ) democonfigENDPOINT,
                                                    sizeof( democonfigENDPOINT ) - 1,

demos/sample_azure_iot/sample_azure_iot.c

@@ -32,6 +32,12 @@
 
 /* Board specific implementation */
 #include "sample_gsg_device.h"
+
+/* For using the ATECC608 secure element if support is configured */
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT && CONFIG_ATCA_MBEDTLS_ECDSA
+    #include "cryptoauthlib.h"
+#endif
+
 /*-----------------------------------------------------------*/
 
 /* Compile time error for undefined configs. */
@@ -128,6 +134,21 @@ struct NetworkContext
 };
 /*-----------------------------------------------------------*/
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+/**
+ * @brief Generates the registration ID using the ATECC608 chip dynamically using 
+ *          cryptoauthlib API
+ *
+ *
+ * @param[out] pucSecureElementSerNum  An unsigned char buffer to hold the 9-byte serial number of the ATECC608 chip
+ * @param[out] pcRegistrationID  The string that will hold the registration ID - should be 21 bytes or more
+ */
+    static uint32_t prvPrepareRegistrationIdFromATECC608( uint8_t *sernum,
+                                                          char *registration_id_string );
+
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
+
 /* Define buffer for IoT Hub info.  */
 #ifdef democonfigENABLE_DPS_SAMPLE
 
@@ -603,6 +624,33 @@ static uint32_t prvConnectToServerWithBackoffRetries( const char * pcHostName,
 }
 /*-----------------------------------------------------------*/
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+/**
+ * @brief Get the serial number of the ATECC608 chip and the registration ID that will be used
+ * by the DPS client
+ * 
+ */
+    static uint32_t prvPrepareRegistrationIdFromATECC608(uint8_t *sernum, char *registration_id_string) {
+        if(sernum == NULL || registration_id_string == NULL || (strlen(registration_id_string) < 21)) {
+            return -1; // improper parameters
+        }
+
+        ATCA_STATUS s;
+        s = atcab_read_serial_number(sernum);
+        if(s != ATCA_SUCCESS) {
+            return -3;
+        }
+        sprintf(registration_id_string,"sn%02X%02X%02X%02X%02X%02X%02X%02X%02X",sernum[0],sernum[1],\
+        sernum[2],sernum[3],sernum[4],sernum[5],sernum[6],sernum[7],sernum[8]);
+        registration_id_string[20] = '\0';
+
+        return 0;
+
+    }
+
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
+
 #ifdef democonfigENABLE_DPS_SAMPLE
 
 /**
@@ -643,6 +691,16 @@ static uint32_t prvConnectToServerWithBackoffRetries( const char * pcHostName,
         xTransport.xSend = TLS_Socket_Send;
         xTransport.xRecv = TLS_Socket_Recv;
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+        /* Redefine the democonfigREGISTRATION_ID macro dynamically */
+        #undef democonfigREGISTRATION_ID
+        char registration_id_string[21];
+        uint8_t sernum[9];
+        ulStatus = prvPrepareRegistrationIdFromATECC608(sernum,registration_id_string);
+        configASSERT( ulStatus == 0);
+        #define democonfigREGISTRATION_ID    registration_id_string
+#endif
+
         xResult = AzureIoTProvisioningClient_Init( &xAzureIoTProvisioningClient,
                                                    ( const uint8_t * ) democonfigENDPOINT,
                                                    sizeof( democonfigENDPOINT ) - 1,

demos/sample_azure_iot_gsg/sample_azure_iot_gsg.c

@@ -32,6 +32,11 @@
 
 /* Data Interface Definition */
 #include "sample_azure_iot_pnp_data_if.h"
+
+/* For using the ATECC608 secure element if support is configured */
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT && CONFIG_ATCA_MBEDTLS_ECDSA
+    #include "cryptoauthlib.h"
+#endif
 /*-----------------------------------------------------------*/
 
 /* Compile time error for undefined configs. */
@@ -153,6 +158,20 @@ static uint8_t ucReportedPropertiesUpdate[ 320 ];
 static uint32_t ulReportedPropertiesUpdateLength;
 /*-----------------------------------------------------------*/
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+/**
+ * @brief Generates the registration ID using the ATECC608 chip dynamically using 
+ *          cryptoauthlib API
+ *
+ *
+ * @param[out] pucSecureElementSerNum  An unsigned char buffer to hold the 9-byte serial number of the ATECC608 chip
+ * @param[out] pcRegistrationID  The string that will hold the registration ID - should be 21 bytes or more
+ */
+    static uint32_t prvPrepareRegistrationIdFromATECC608( uint8_t *sernum,
+                                                          char *registration_id_string );
+
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
 #ifdef democonfigENABLE_DPS_SAMPLE
 
 /**
@@ -486,6 +505,33 @@ static void prvAzureDemoTask( void * pvParameters )
 }
 /*-----------------------------------------------------------*/
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+/**
+ * @brief Get the serial number of the ATECC608 chip and the registration ID that will be used
+ * by the DPS client
+ * 
+ */
+    static uint32_t prvPrepareRegistrationIdFromATECC608(uint8_t *sernum, char *registration_id_string) {
+        if(sernum == NULL || registration_id_string == NULL || (strlen(registration_id_string) < 21)) {
+            return -1; // improper parameters
+        }
+
+        ATCA_STATUS s;
+        s = atcab_read_serial_number(sernum);
+        if(s != ATCA_SUCCESS) {
+            return -3;
+        }
+        sprintf(registration_id_string,"sn%02X%02X%02X%02X%02X%02X%02X%02X%02X",sernum[0],sernum[1],\
+        sernum[2],sernum[3],sernum[4],sernum[5],sernum[6],sernum[7],sernum[8]);
+        registration_id_string[20] = '\0';
+
+        return 0;
+
+    }
+
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
+
 #ifdef democonfigENABLE_DPS_SAMPLE
 
 /**
@@ -518,6 +564,16 @@ static void prvAzureDemoTask( void * pvParameters )
         xTransport.xSend = TLS_Socket_Send;
         xTransport.xRecv = TLS_Socket_Recv;
 
+#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+        /* Redefine the democonfigREGISTRATION_ID macro dynamically */
+        #undef democonfigREGISTRATION_ID
+        char registration_id_string[21];
+        uint8_t sernum[9];
+        ulStatus = prvPrepareRegistrationIdFromATECC608(sernum,registration_id_string);
+        configASSERT( ulStatus == 0);
+        #define democonfigREGISTRATION_ID    registration_id_string
+#endif
+
         xResult = AzureIoTProvisioningClient_Init( &xAzureIoTProvisioningClient,
                                                    ( const uint8_t * ) democonfigENDPOINT,
                                                    sizeof( democonfigENDPOINT ) - 1,