alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-09-23 09:13:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

secure_element: atecc608_ecdsa example

Browse Source 
* Replaced crypotoauthlib with esp-cryptoauthlib
* Added menuconfig option for esp-tls about using HSM
* Added error codes for HSM in esp-tls,
* Added support to select different type of ATECC608A chips
* Added README, updated docs
* tcp_transport: Added option to enable secure_element for ssl

Closes https://github.com/espressif/esp-idf/issues/4432
This commit is contained in:
Aditya Patwardhan
2020-04-06 20:12:52 +05:30
parent 7a2ea9b7f7
commit 423e600d46
35 changed files with 505 additions and 716 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
components/esp-tls/esp_tls_mbedtls.c
View File

@@ -30,12 +30,19 @@
#include "esp_crt_bundle.h"
#endif
#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
#define ATECC608A_TNG_SLAVE_ADDR 0x6A
#define ATECC608A_TFLEX_SLAVE_ADDR 0x6C
#define ATECC608A_TCUSTOM_SLAVE_ADDR 0xC0
/* cryptoauthlib includes */
#include "mbedtls/atca_mbedtls_wrap.h"
#include "tng_atca.h"
#include "cryptoauthlib.h"
#include "cert_def_1_signer.h"
#include "cert_def_2_device.h"
static const atcacert_def_t* cert_def = NULL;
/* Prototypes for functions */
static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg);
#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
static const char *TAG = "esp-tls-mbedtls";
static mbedtls_x509_crt *global_cacert = NULL;
@@ -237,6 +244,9 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
mbedtls_ssl_config_free(&tls->conf);
mbedtls_ctr_drbg_free(&tls->ctr_drbg);
mbedtls_ssl_free(&tls->ssl);
#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
atcab_release();
#endif
}
static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t cacert_len)
@@ -454,37 +464,16 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
}
if (cfg->use_hsm) {
ESP_LOGI(TAG, "Initialize the ATECC interface...");
if(0 != (ret = atcab_init(&cfg_ateccx08a_i2c_default))) {
ESP_LOGE(TAG, "Failed\n !atcab_init returned %02x\n", ret);
goto exit;
}
/* Convert to an mbedtls key */
if (0 != atca_mbedtls_pk_init(&tls->clientkey, 0)) {
ESP_LOGE(TAG, "Failed to parse key from device\n");
goto exit;
}
mbedtls_x509_crt_init(&tls->clientcert);
/* Extract the device certificate and convert to mbedtls cert */
if (0 != atca_mbedtls_cert_add(&tls->clientcert, &g_cert_def_2_device)) {
ESP_LOGE(TAG, "Failed to parse cert from device\n");
goto exit;
}
/* Extract the signer certificate, convert, then attach to the chain */
if (0 != atca_mbedtls_cert_add(&tls->clientcert, &g_cert_def_1_signer)) {
ESP_LOGE(TAG, "Failed to parse cert from device\n");
goto exit;
}
if (0 != (ret = mbedtls_ssl_conf_own_cert(&tls->conf, &tls->clientcert, &tls->clientkey))) {
ESP_LOGE(TAG, "Failed\n ! mbedtls_ssl_conf_own_cert returned %d\r\n", ret);
goto exit;
if (cfg->use_secure_element) {
#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
ret = esp_set_atecc608a_pki_context(tls, (esp_tls_cfg_t *)cfg);
if (ret != ESP_OK) {
return ret;
}
#else
ESP_LOGE(TAG, "Please enable secure element support for ESP-TLS in menuconfig");
return ESP_FAIL;
#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
} else if (cfg->clientcert_pem_buf != NULL && cfg->clientkey_pem_buf != NULL) {
esp_tls_pki_t pki = {
.public_cert = &tls->clientcert,
@@ -601,3 +590,81 @@ void esp_mbedtls_free_global_ca_store(void)
global_cacert = NULL;
}
}
#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
static esp_err_t esp_init_atecc608a(uint8_t slave_addr)
{
cfg_ateccx08a_i2c_default.atcai2c.slave_address = slave_addr;
int ret = atcab_init(&cfg_ateccx08a_i2c_default);
if(ret != 0) {
ESP_LOGE(TAG, "Failed\n !atcab_init returned %02x", ret);
return ESP_FAIL;
}
return ESP_OK;
}
static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg)
{
int ret = 0;
int esp_ret = ESP_FAIL;
ESP_LOGI(TAG, "Initialize the ATECC interface...");
#if defined(CONFIG_ATECC608A_TNG) || defined(CONFIG_ATECC608A_TFLEX)
#ifdef CONFIG_ATECC608A_TNG
esp_ret = esp_init_atecc608a(ATECC608A_TNG_SLAVE_ADDR);
if (ret != ESP_OK) {
return ESP_ERR_ESP_TLS_SE_FAILED;
}
#elif CONFIG_ATECC608A_TFLEX /* CONFIG_ATECC608A_TNG */
esp_ret = esp_init_atecc608a(ATECC608A_TFLEX_SLAVE_ADDR);
if (ret != ESP_OK) {
return ESP_ERR_ESP_TLS_SE_FAILED;
}
#endif /* CONFIG_ATECC608A_TFLEX */
mbedtls_x509_crt_init(&tls->clientcert);
ret = tng_get_device_cert_def(&cert_def);
if (ret != 0) {
ESP_LOGE(TAG, "Failed to get device cert def");
return ESP_ERR_ESP_TLS_SE_FAILED;
}
/* Extract the device certificate and convert to mbedtls cert */
ret = atca_mbedtls_cert_add(&tls->clientcert, cert_def);
if (ret != 0) {
ESP_LOGE(TAG, "Failed to parse cert from device, return %02x", ret);
return ESP_ERR_ESP_TLS_SE_FAILED;
}
#elif CONFIG_ATECC608A_TCUSTOM
esp_ret = esp_init_atecc608a(ATECC608A_TCUSTOM_SLAVE_ADDR);
if (ret != ESP_OK) {
return ESP_ERR_ESP_TLS_SE_FAILED;
}
mbedtls_x509_crt_init(&tls->clientcert);
if(cfg->clientcert_buf != NULL) {
ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)cfg->clientcert_buf, cfg->clientcert_bytes);
if (ret < 0) {
ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x", -ret);
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;
}
} else {
ESP_LOGE(TAG, "Device certificate must be provided for TrustCustom Certs");
return ESP_FAIL;
}
#endif /* CONFIG_ATECC608A_TCUSTOM */
ret = atca_mbedtls_pk_init(&tls->clientkey, 0);
if (ret != 0) {
ESP_LOGE(TAG, "Failed to parse key from device");
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
return ESP_ERR_ESP_TLS_SE_FAILED;
}
ret = mbedtls_ssl_conf_own_cert(&tls->conf, &tls->clientcert, &tls->clientkey);
if (ret != 0) {
ESP_LOGE(TAG, "Failed\n ! mbedtls_ssl_conf_own_cert returned -0x%x", ret);
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
return ESP_ERR_ESP_TLS_SE_FAILED;
}
return ESP_OK;
}
#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */