CryptoUtil: extend class in order to abstract hardware crypto

Author: pennam

src/ArduinoIoTCloudTCP.cpp

@@ -204,30 +204,30 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress,
 #endif /* OTA_ENABLED */
 
   #ifdef BOARD_HAS_OFFLOADED_ECCX08
-  if (!ECCX08.begin())
+  if (!_crypto.begin())
   {
-    DEBUG_ERROR("ECCX08.begin() failed.");
+    DEBUG_ERROR("_crypto.begin() failed.");
     return 0;
   }
-  if (!CryptoUtil::readDeviceId(ECCX08, getDeviceId(), ECCX08Slot::DeviceId))
+  if (!_crypto.readDeviceId(getDeviceId(), CryptoSlot::DeviceId))
   {
-    DEBUG_ERROR("CryptoUtil::readDeviceId(...) failed.");
+    DEBUG_ERROR("_crypto.readDeviceId(...) failed.");
     return 0;
   }
   #endif
 
   #ifdef BOARD_HAS_ECCX08
-  if (!ECCX08.begin())
+  if (!_crypto::beginCrypto())
   {
     DEBUG_ERROR("Cryptography processor failure. Make sure you have a compatible board.");
     return 0;
   }
-  if (!CryptoUtil::readDeviceId(ECCX08, getDeviceId(), ECCX08Slot::DeviceId))
+  if (!_crypto.readDeviceId(getDeviceId(), CryptoSlot::DeviceId))
   {
     DEBUG_ERROR("Cryptography processor read failure.");
     return 0;
   }
-  if (!CryptoUtil::reconstructCertificate(_eccx08_cert, getDeviceId(), ECCX08Slot::Key, ECCX08Slot::CompressedCertificate, ECCX08Slot::SerialNumberAndAuthorityKeyIdentifier))
+  if (!_crypto.readCert(_cert, CryptoSlot::CompressedCertificate))
   {
     DEBUG_ERROR("Cryptography certificate reconstruction failure.");
     return 0;

src/ArduinoIoTCloudTCP.h

@@ -29,12 +29,14 @@
 #ifdef BOARD_HAS_ECCX08
   #include "tls/BearSSLClient.h"
   #include "tls/utility/ECCX08Cert.h"
+  #include "tls/utility/CryptoUtil.h"
 #elif defined(BOARD_ESP)
   #include <WiFiClientSecure.h>
 #endif
 
 #ifdef BOARD_HAS_OFFLOADED_ECCX08
 #include "tls/utility/ECCX08Cert.h"
+#include "tls/utility/CryptoUtil.h"
 #include <WiFiSSLClient.h>
 #endif
 
@@ -135,9 +137,11 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass
     #if defined(BOARD_HAS_ECCX08)
     ECCX08CertClass _eccx08_cert;
     BearSSLClient _sslClient;
+    CryptoUtil _crypto;
     #elif defined(BOARD_HAS_OFFLOADED_ECCX08)
     ECCX08CertClass _eccx08_cert;
     WiFiBearSSLClient _sslClient;
+    CryptoUtil _crypto;
     #elif defined(BOARD_ESP)
     WiFiClientSecure _sslClient;
     String _password;

src/tls/utility/CryptoUtil.cpp

@@ -19,43 +19,171 @@
  * INCLUDE
  ******************************************************************************/
 
+#include <AIoTC_Config.h>
+
+#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08)
+
 #include "CryptoUtil.h"
+#include "SHA256.h"
+
+/******************************************************************************
+ * DEFINE
+ ******************************************************************************/
+#define CRYPTO_SHA256_BUFFER_LENGTH  32
+#define CRYPTO_CERT_BUFFER_LENGTH  1024
+
+/**************************************************************************************
+ * CTOR/DTOR
+ **************************************************************************************/
+CryptoUtil::CryptoUtil()
+: _crypto {ECCX08}
+{
 
-#if defined(BOARD_HAS_ECCX08) || defined (BOARD_HAS_OFFLOADED_ECCX08)
+}
 
 /******************************************************************************
  * PUBLIC MEMBER FUNCTIONS
  ******************************************************************************/
 
-bool CryptoUtil::readDeviceId(ECCX08Class & eccx08, String & device_id, ECCX08Slot const device_id_slot)
+int CryptoUtil::buildCSR(ArduinoIoTCloudCertClass & cert, const CryptoSlot keySlot, bool newPrivateKey)
+{
+  byte publicKey[CERT_PUBLIC_KEY_LENGTH];
+  byte signature[CERT_SIGNATURE_LENGTH];
+
+  if (newPrivateKey) {
+    if (!_crypto.generatePrivateKey(static_cast<int>(keySlot), publicKey)) {
+      return 0;
+    }
+  } else {
+    if (!_crypto.generatePublicKey(static_cast<int>(keySlot), publicKey)) {
+      return 0;
+    }
+  }
+
+  /* Store public key in csr */
+  if (!cert.setPublicKey(publicKey, CERT_PUBLIC_KEY_LENGTH)) {
+    return 0;
+  }
+  
+  /* Build CSR */
+  if (!cert.buildCSR()) {
+    return 0;
+  }
+
+  /* compute CSR SHA256 */
+  SHA256 sha256;
+  byte sha256buf[CRYPTO_SHA256_BUFFER_LENGTH];
+  sha256.begin();
+  sha256.update(cert.bytes(), cert.length());
+  sha256.finalize(sha256buf);
+
+  if (!_crypto.ecSign(static_cast<int>(keySlot), sha256buf, signature)) {
+    return 0;
+  }
+
+  /* sign CSR */
+  return cert.signCSR(signature);
+}
+
+int CryptoUtil::buildCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot keySlot)
+{
+  byte publicKey[CERT_PUBLIC_KEY_LENGTH];
+
+  if (!_crypto.generatePublicKey(static_cast<int>(keySlot), publicKey)) {
+    return 0;
+  }
+
+  /* Store public key in csr */
+  if (!cert.setPublicKey(publicKey, CERT_PUBLIC_KEY_LENGTH)) {
+    return 0;
+  }
+
+  /* Build CSR */
+  if (!cert.buildCert()) {
+    return 0;
+  }
+
+  /* sign CSR */
+  return cert.signCert();
+}
+
+int CryptoUtil::readDeviceId(String & device_id, const CryptoSlot device_id_slot)
+{
+  byte device_id_bytes[CERT_COMPRESSED_CERT_SLOT_LENGTH] = {0};
+
+  if (!_crypto.readSlot(static_cast<int>(device_id_slot), device_id_bytes, sizeof(device_id_bytes))) {
+    return 0;
+  }
+
+  device_id = String(reinterpret_cast<char *>(device_id_bytes));
+  return 1;
+}
+
+int CryptoUtil::writeDeviceId(String & device_id, const CryptoSlot device_id_slot)
 {
-  byte device_id_bytes[72] = {0};
+  byte device_id_bytes[CERT_COMPRESSED_CERT_SLOT_LENGTH] = {0};
+
+  device_id.getBytes(device_id_bytes, sizeof(device_id_bytes));
 
-  if (eccx08.readSlot(static_cast<int>(device_id_slot), device_id_bytes, sizeof(device_id_bytes))) {
-   device_id = String(reinterpret_cast<char *>(device_id_bytes));
-   return true;
+  if (!_crypto.writeSlot(static_cast<int>(device_id_slot), device_id_bytes, sizeof(device_id_bytes))) {
+    return 0;
   }
-  else
-  {
-   return false;
+  return 1;
+}
+
+int CryptoUtil::writeCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot)
+{
+  if (!_crypto.writeSlot(static_cast<int>(certSlot), cert.compressedCertSignatureAndDatesBytes(), cert.compressedCertSignatureAndDatesLength())) {
+    return 0;
   }
+
+  if (!_crypto.writeSlot(static_cast<int>(certSlot) + 1, cert.compressedCertSerialAndAuthorityKeyIdBytes(), cert.compressedCertSerialAndAuthorityKeyIdLenght())) {
+    return 0;
+  }
+  return 1;
 }
 
-bool CryptoUtil::reconstructCertificate(ECCX08CertClass & cert, String const & device_id, ECCX08Slot const key, ECCX08Slot const compressed_certificate, ECCX08Slot const serial_number_and_authority_key)
+int CryptoUtil::readCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot)
 {
-  if (cert.beginReconstruction(static_cast<int>(key), static_cast<int>(compressed_certificate), static_cast<int>(serial_number_and_authority_key)))
-  {
-    cert.setSubjectCommonName(device_id);
-    cert.setIssuerCountryName("US");
-    cert.setIssuerOrganizationName("Arduino LLC US");
-    cert.setIssuerOrganizationalUnitName("IT");
-    cert.setIssuerCommonName("Arduino");
-    return cert.endReconstruction();
-  }
-  else
-  {
-   return false;
+  String deviceId;
+  byte publicKey[CERT_PUBLIC_KEY_LENGTH];
+
+  cert.begin();
+
+  if (!readDeviceId(deviceId, CryptoSlot::DeviceId)) {
+    return 0;
+  }
+
+  if (!_crypto.readSlot(static_cast<int>(certSlot), cert.compressedCertSignatureAndDatesBytes(), cert.compressedCertSignatureAndDatesLength())) {
+    return 0;
+  }
+
+  if (!_crypto.readSlot(static_cast<int>(certSlot) + 1, cert.compressedCertSerialAndAuthorityKeyIdBytes(), cert.compressedCertSerialAndAuthorityKeyIdLenght())) {
+    return 0;
+  }
+
+  if (!_crypto.generatePublicKey(static_cast<int>(CryptoSlot::Key), publicKey)) {
+    return 0;
+  }
+
+  cert.setSubjectCommonName(deviceId);
+  cert.setIssuerCountryName("US");
+  cert.setIssuerOrganizationName("Arduino LLC US");
+  cert.setIssuerOrganizationalUnitName("IT");
+  cert.setIssuerCommonName("Arduino");
+
+  if (!cert.setPublicKey(publicKey, CERT_PUBLIC_KEY_LENGTH)) {
+    return 0;
+  }
+
+  if (!cert.buildCert()) {
+    return 0;
+  }
+
+  if (!cert.signCert()) {
+    return 0;
   }
+  return 1;
 }
 
-#endif /* BOARD_HAS_ECCX08 */
+#endif /* (BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) */

src/tls/utility/CryptoUtil.h

@@ -24,17 +24,15 @@
 
 #include <AIoTC_Config.h>
 
-#if defined(BOARD_HAS_ECCX08) || defined (BOARD_HAS_OFFLOADED_ECCX08)
-
+#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08)
 #include <Arduino.h>
+#include "Cert.h"
 #include <ArduinoECCX08.h>
-#include "ECCX08Cert.h"
 
 /******************************************************************************
    TYPEDEF
  ******************************************************************************/
-
-enum class ECCX08Slot : int
+enum class CryptoSlot : int
 {
   Key                                   = 0,
   CompressedCertificate                 = 10,
@@ -50,17 +48,26 @@ class CryptoUtil
 {
 public:
 
-  static bool readDeviceId(ECCX08Class & eccx08, String & device_id, ECCX08Slot const device_id_slot);
-  static bool reconstructCertificate(ECCX08CertClass & cert, String const & device_id, ECCX08Slot const key, ECCX08Slot const compressed_certificate, ECCX08Slot const serial_number_and_authority_key);
+  CryptoUtil();
 
+  inline int begin() { return _crypto.begin(); }
+  inline int locked() { return _crypto.locked(); }
+  inline int writeConfiguration(const byte config[]) { return _crypto.writeConfiguration(config); }
+  inline int lock() { return _crypto.lock(); }
 
-private:
+  int buildCSR(ArduinoIoTCloudCertClass & cert, const CryptoSlot keySlot, bool newPrivateKey);
+  int buildCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot keySlot);
 
-  CryptoUtil() { }
-  CryptoUtil(CryptoUtil const & other) { }
+  int readDeviceId(String & device_id, const CryptoSlot device_id_slot);
+  int writeDeviceId(String & device_id, const CryptoSlot device_id_slot);
+  int writeCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot);
+  int readCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot);
+
+private:
+  ECCX08Class & _crypto;
 
 };
 
-#endif /* BOARD_HAS_ECCX08 */
+#endif /* BOARD_HAS_ECCX08 || BOARD_HAS_OFFLOADED_ECCX08 */
 
 #endif /* ARDUINO_IOT_CLOUD_UTILITY_CRYPTO_CRYPTO_UTIL_H_ */