Use ECCX08 slot to store Authority Key Identifier, and request in provisioning sketch

sandeepmistry · sandeepmistry · commit 1e3b0234c5c7 · 2018-08-28T13:30:28.000-04:00
diff --git a/examples/utility/Provisioning/Provisioning.ino b/examples/utility/Provisioning/Provisioning.ino
@@ -3,12 +3,13 @@
 #include <utility/ECCX08TLSConfig.h>
 
 #include <ArduinoBearSSL.h>
-#include <utility/ECCX08.h>
+#include <ArduinoECCX08.h>
 
-const int keySlot            = 0;
-const int compressedCertSlot = 10;
-const int serialNumberSlot   = 11;
-const int thingIdSlot        = 12;
+const int keySlot                    = 0;
+const int compressedCertSlot         = 10;
+const int serialNumberSlot           = 11;
+const int authorityKeyIdentifierSlot = 12;
+const int thingIdSlot                = 13;
 
 void setup() {
   Serial.begin(9600);
@@ -68,37 +69,41 @@ void setup() {
   Serial.println();
   Serial.println(csr);
 
-  String thingId      = promptAndReadLine("Please enter the thing id: ");
-  String issueYear    = promptAndReadLine("Please enter the issue year of the certificate (2000 - 2031): ");
-  String issueMonth   = promptAndReadLine("Please enter the issue month of the certificate (1 - 12): ");
-  String issueDay     = promptAndReadLine("Please enter the issue day of the certificate (1 - 31): ");
-  String issueHour    = promptAndReadLine("Please enter the issue hour of the certificate (0 - 23): ");
-  String expireYears  = promptAndReadLine("Please enter how many years the certificate is valid for (0 - 31): ");
-  String serialNumber = promptAndReadLine("Please enter the certificates serial number: ");
-  String signature    = promptAndReadLine("Please enter the certificates signature: ");
+  String thingId                = promptAndReadLine("Please enter the thing id: ");
+  String issueYear              = promptAndReadLine("Please enter the issue year of the certificate (2000 - 2031): ");
+  String issueMonth             = promptAndReadLine("Please enter the issue month of the certificate (1 - 12): ");
+  String issueDay               = promptAndReadLine("Please enter the issue day of the certificate (1 - 31): ");
+  String issueHour              = promptAndReadLine("Please enter the issue hour of the certificate (0 - 23): ");
+  String expireYears            = promptAndReadLine("Please enter how many years the certificate is valid for (0 - 31): ");
+  String serialNumber           = promptAndReadLine("Please enter the certificates serial number: ");
+  String authorityKeyIdentifier = promptAndReadLine("Please enter the certificates authority key identifier: ");
+  String signature              = promptAndReadLine("Please enter the certificates signature: ");
 
   serialNumber.toUpperCase();
   signature.toUpperCase();
 
   byte thingIdBytes[72];
   byte serialNumberBytes[16];
+  byte authorityKeyIdentifierBytes[20];
   byte signatureBytes[64];
 
   thingId.getBytes(thingIdBytes, sizeof(thingIdBytes));
   hexStringToBytes(serialNumber, serialNumberBytes, sizeof(serialNumberBytes));
-  hexStringToBytes(signature, signatureBytes, 64);
+  hexStringToBytes(authorityKeyIdentifier, authorityKeyIdentifierBytes, sizeof(authorityKeyIdentifierBytes));
+  hexStringToBytes(signature, signatureBytes, sizeof(signatureBytes));
 
   if (!ECCX08.writeSlot(thingIdSlot, thingIdBytes, sizeof(thingIdBytes))) {
     Serial.println("Error storing thing id!");
     while (1);
   }
 
-  if (!ECCX08Cert.beginStorage(compressedCertSlot, serialNumberSlot)) {
+  if (!ECCX08Cert.beginStorage(compressedCertSlot, serialNumberSlot, authorityKeyIdentifierSlot)) {
     Serial.println("Error starting ECCX08 storage!");
     while (1);
   }
 
   ECCX08Cert.setSignature(signatureBytes);
+  ECCX08Cert.setAuthorityKeyIdentifier(authorityKeyIdentifierBytes);
   ECCX08Cert.setSerialNumber(serialNumberBytes);
   ECCX08Cert.setIssueYear(issueYear.toInt());
   ECCX08Cert.setIssueMonth(issueMonth.toInt());
@@ -111,7 +116,7 @@ void setup() {
     while (1);
   }
 
-  if (!ECCX08Cert.beginReconstruction(keySlot, compressedCertSlot, serialNumberSlot)) {
+  if (!ECCX08Cert.beginReconstruction(keySlot, compressedCertSlot, serialNumberSlot, authorityKeyIdentifierSlot)) {
     Serial.println("Error starting ECCX08 cert reconstruction!");
     while (1);
   }
@@ -189,4 +194,3 @@ void hexStringToBytes(const String& in, byte out[], int length) {
     out[outLength++] = (highByte << 4) | lowByte;
   }
 }
-
diff --git a/src/ArduinoCloud.cpp b/src/ArduinoCloud.cpp
@@ -7,10 +7,11 @@
 
 const static char server[] = "a19g5nbe27wn47.iot.us-east-1.amazonaws.com"; //"xxxxxxxxxxxxxx.iot.xx-xxxx-x.amazonaws.com";
 
-const static int keySlot            = 0;
-const static int compressedCertSlot = 10;
-const static int serialNumberSlot   = 11;
-const static int thingIdSlot        = 12;
+const static int keySlot                    = 0;
+const static int compressedCertSlot         = 10;
+const static int serialNumberSlot           = 11;
+const static int authorityKeyIdentifierSlot = 12;
+const static int thingIdSlot                = 13;
 
 ArduinoCloudClass::ArduinoCloudClass() :
   _bearSslClient(NULL),
@@ -38,7 +39,7 @@ int ArduinoCloudClass::begin(Client& net)
   }
   _id = (char*)thingIdBytes;
 
-  if (!ECCX08Cert.beginReconstruction(keySlot, compressedCertSlot, serialNumberSlot)) {
+  if (!ECCX08Cert.beginReconstruction(keySlot, compressedCertSlot, serialNumberSlot, authorityKeyIdentifierSlot)) {
     return 0;
   }
 
@@ -48,12 +49,6 @@ int ArduinoCloudClass::begin(Client& net)
   ECCX08Cert.setIssuerOrganizationalUnitName("IT");
   ECCX08Cert.setIssuerCommonName("Arduino");
 
-  const byte authorityKeyIdentifier[20] = {
-    0xb2, 0xed, 0xef, 0xed, 0x3b, 0xbf, 0xc7, 0x71, 0x75, 0x24, 0x33, 0xd1, 0xae, 0x8b, 0x54, 0xed, 0x97, 0x14, 0x7a, 0x1d
-  };
-
-  ECCX08Cert.setAuthorityKeyIdentifier(authorityKeyIdentifier);
-
   if (!ECCX08Cert.endReconstruction()) {
     return 0;
   }
diff --git a/src/utility/ECCX08Cert.cpp b/src/utility/ECCX08Cert.cpp
@@ -18,7 +18,8 @@ struct __attribute__((__packed__)) CompressedCert {
   byte unused[5];
 };
 
-#define SERIAL_NUMBER_LENGTH 16
+#define SERIAL_NUMBER_LENGTH            16
+#define AUTHORITY_KEY_IDENTIFIER_LENGTH 20
 
 static String base64Encode(const byte in[], unsigned int length, const char* prefix, const char* suffix)
 {
@@ -73,7 +74,7 @@ ECCX08CertClass::ECCX08CertClass() :
   _keySlot(-1),
   _compressedCertSlot(-1),
   _serialNumberSlot(-1),
-  _authorityKeyIdentifier(NULL),
+  _authorityKeyIdentifierSlot(-1),
   _bytes(NULL),
   _length(0)
 {
@@ -185,7 +186,7 @@ String ECCX08CertClass::endCSR()
   return base64Encode(csr, csrLen + csrHeaderLen, "-----BEGIN CERTIFICATE REQUEST-----\n", "\n-----END CERTIFICATE REQUEST-----\n");
 }
 
-int ECCX08CertClass::beginStorage(int compressedCertSlot, int serialNumberSlot)
+int ECCX08CertClass::beginStorage(int compressedCertSlot, int serialNumberSlot, int authorityKeyIdentifierSlot)
 {
   if (compressedCertSlot < 8 || compressedCertSlot > 15) {
     return 0;
@@ -195,8 +196,15 @@ int ECCX08CertClass::beginStorage(int compressedCertSlot, int serialNumberSlot)
     return 0;
   }
 
+  if (authorityKeyIdentifierSlot > -1) {
+    if (authorityKeyIdentifierSlot < 8 || authorityKeyIdentifierSlot > 15) {
+      return 0;
+    }
+  }
+
   _compressedCertSlot = compressedCertSlot;
   _serialNumberSlot = serialNumberSlot;
+  _authorityKeyIdentifierSlot = authorityKeyIdentifierSlot;
 
   memset(_temp, 0x00, sizeof(_temp));
 
@@ -256,11 +264,16 @@ void ECCX08CertClass::setExpireYears(int expireYears)
   compressedCert->dates[2] |= expireYears;
 }
 
-void ECCX08CertClass::setSerialNumber(byte serialNumber[])
+void ECCX08CertClass::setSerialNumber(const byte serialNumber[])
 {
   memcpy(&_temp[72], serialNumber, SERIAL_NUMBER_LENGTH);
 }
 
+void ECCX08CertClass::setAuthorityKeyIdentifier(const byte authorityKeyIdentifier[])
+{
+  memcpy(&_temp[88], authorityKeyIdentifier, AUTHORITY_KEY_IDENTIFIER_LENGTH);
+}
+
 int ECCX08CertClass::endStorage()
 {
   if (!ECCX08.writeSlot(_compressedCertSlot, &_temp[0], 72)) {
@@ -271,10 +284,14 @@ int ECCX08CertClass::endStorage()
     return 0;
   }
 
+  if (!ECCX08.writeSlot(_authorityKeyIdentifierSlot, &_temp[88], AUTHORITY_KEY_IDENTIFIER_LENGTH)) {
+    return 0;
+  }
+
   return 1;
 }
 
-int ECCX08CertClass::beginReconstruction(int keySlot, int compressedCertSlot, int serialNumberSlot)
+int ECCX08CertClass::beginReconstruction(int keySlot, int compressedCertSlot, int serialNumberSlot, int authorityKeyIdentifierSlot)
 {
   if (keySlot < 0 || keySlot > 8) {
     return 0;
@@ -288,9 +305,16 @@ int ECCX08CertClass::beginReconstruction(int keySlot, int compressedCertSlot, in
     return 0;
   }
 
+  if (authorityKeyIdentifierSlot > -1) {
+    if (authorityKeyIdentifierSlot < 8 || authorityKeyIdentifierSlot > 15) {
+      return 0;
+    }
+  }
+
   _keySlot = keySlot;
   _compressedCertSlot = compressedCertSlot;
   _serialNumberSlot = serialNumberSlot;
+  _authorityKeyIdentifierSlot = authorityKeyIdentifierSlot;
 
   return 1;
 }
@@ -300,6 +324,7 @@ int ECCX08CertClass::endReconstruction()
   byte publicKey[64];
   struct CompressedCert compressedCert;
   byte serialNumber[SERIAL_NUMBER_LENGTH];
+  byte authorityKeyIdentifier[AUTHORITY_KEY_IDENTIFIER_LENGTH];
 
   if (!ECCX08.generatePublicKey(_keySlot, publicKey)) {
     return 0;
@@ -313,6 +338,11 @@ int ECCX08CertClass::endReconstruction()
     return 0;
   }
 
+  if (_authorityKeyIdentifierSlot > -1 &&
+      !ECCX08.readSlot(_authorityKeyIdentifierSlot, authorityKeyIdentifier, sizeof(authorityKeyIdentifier))) {
+    return 0;
+  }
+
   int serialNumberLen = serialNumberLength(serialNumber);
 
   int issuerLen = issuerOrSubjectLength(_issuerCountryName,
@@ -335,7 +365,11 @@ int ECCX08CertClass::endReconstruction()
 
   int publicKeyLen = publicKeyLength();
 
-  int authorityKeyIdentifierLen = authorityKeyIdentifierLength(_authorityKeyIdentifier);
+  int authorityKeyIdentifierLen = 0;
+
+  if (_authorityKeyIdentifierSlot > -1) {
+    authorityKeyIdentifierLen = authorityKeyIdentifierLength();
+  }
 
   int signatureLen = signatureLength(compressedCert.signature);
 
@@ -422,7 +456,7 @@ int ECCX08CertClass::endReconstruction()
   out += publicKeyLen;
 
   if (authorityKeyIdentifierLen) {
-    appendAuthorityKeyIdentifier(_authorityKeyIdentifier, out);
+    appendAuthorityKeyIdentifier(authorityKeyIdentifier, out);
     out += authorityKeyIdentifierLen;
   } else {
     // null sequence
@@ -509,11 +543,6 @@ void ECCX08CertClass::setSubjectCommonName(const String& commonName)
   _subjectCommonName = commonName;
 }
 
-void ECCX08CertClass::setAuthorityKeyIdentifier(const byte authorityKeyIdentifier[])
-{
-  _authorityKeyIdentifier = authorityKeyIdentifier;
-}
-
 int ECCX08CertClass::versionLength()
 {
   return 3;
@@ -566,9 +595,9 @@ int ECCX08CertClass::publicKeyLength()
   return (2 + 2 + 9 + 10 + 4 + 64);
 }
 
-int ECCX08CertClass::authorityKeyIdentifierLength(const byte authorityKeyIdentifier[])
+int ECCX08CertClass::authorityKeyIdentifierLength()
 {
-  return (authorityKeyIdentifier == NULL) ? 0 : 37;
+  return 37;
 }
 
 int ECCX08CertClass::signatureLength(const byte signature[])
diff --git a/src/utility/ECCX08Cert.h b/src/utility/ECCX08Cert.h
@@ -12,17 +12,18 @@ class ECCX08CertClass {
   int beginCSR(int keySlot, bool newPrivateKey = true);
   String endCSR();
 
-  int beginStorage(int compressedCertSlot, int serialNumberSlot);
+  int beginStorage(int compressedCertSlot, int serialNumberSlot, int authorityKeyIdentifierSlot);
   void setSignature(byte signature[]);
   void setIssueYear(int issueYear);
   void setIssueMonth(int issueMonth);
   void setIssueDay(int issueDay);
   void setIssueHour(int issueHour);
   void setExpireYears(int expireYears);
-  void setSerialNumber(byte serialNumber[]);
+  void setSerialNumber(const byte serialNumber[]);
+  void setAuthorityKeyIdentifier(const byte authorityKeyIdentifier[]);
   int endStorage();
 
-  int beginReconstruction(int keySlot, int compressedCertSlot, int serialNumberSlot);
+  int beginReconstruction(int keySlot, int compressedCertSlot, int serialNumberSlot, int authorityKeyIdentifierSlot);
   int endReconstruction();
 
   byte* bytes();
@@ -42,8 +43,6 @@ class ECCX08CertClass {
   void setSubjectOrganizationalUnitName(const String& organizationalUnitName);
   void setSubjectCommonName(const String& commonName);
 
-  void setAuthorityKeyIdentifier(const byte authorityKeyIdentifier[]);
-
 private:
   int versionLength();
 
@@ -56,7 +55,7 @@ class ECCX08CertClass {
 
   int publicKeyLength();
 
-  int authorityKeyIdentifierLength(const byte authorityKeyIdentifier[]);
+  int authorityKeyIdentifierLength();
 
   int signatureLength(const byte signature[]);
 
@@ -94,6 +93,7 @@ class ECCX08CertClass {
   int _keySlot;
   int _compressedCertSlot;
   int _serialNumberSlot;
+  int _authorityKeyIdentifierSlot;
 
   String _issuerCountryName;
   String _issuerStateProvinceName;
@@ -109,9 +109,7 @@ class ECCX08CertClass {
   String _subjectOrganizationalUnitName;
   String _subjectCommonName;
 
-  const byte* _authorityKeyIdentifier;
-
-  byte _temp[88];
+  byte _temp[108];
   byte* _bytes;
   int _length;
 };
