Skip to content

Commit

Permalink
[crypto] Added target type to the P256KeyPair initialize method (#23771)
Browse files Browse the repository at this point in the history
Some of the crypto PAL implementations, like PSA require
information about the target usage algoritm for the key
at the moment of its generation. Current P256KeyPair API
doesn't allow to pass such information

Summary of changes:
* Added target enum type to P256KeyPair Initialize() method
* Aligned all places that Initialize() is invoked to pass
ECDSA or ECDH (basically only for the CASE) type.
* In CryptoPALPSA implementation removed method converting
ECDSA to ECDH key and added generating ECDH or ECDSA key
in the Initialize() method based on passed target.
  • Loading branch information
kkasperczyk-no authored and pull[bot] committed Jul 22, 2024
1 parent 48ecefc commit 1462172
Show file tree
Hide file tree
Showing 33 changed files with 92 additions and 103 deletions.
2 changes: 1 addition & 1 deletion examples/chip-tool/commands/common/CHIPCommand.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -421,7 +421,7 @@ CHIP_ERROR CHIPCommand::InitializeCommissioner(const CommissionerIdentity & iden
chip::MutableByteSpan icacSpan(icac.Get(), chip::Controller::kMaxCHIPDERCertLength);
chip::MutableByteSpan rcacSpan(rcac.Get(), chip::Controller::kMaxCHIPDERCertLength);

ReturnLogErrorOnFailure(ephemeralKey.Initialize());
ReturnLogErrorOnFailure(ephemeralKey.Initialize(chip::Crypto::ECPKeyTarget::ECDSA));

ReturnLogErrorOnFailure(mCredIssuerCmds->GenerateControllerNOCChain(identity.mLocalNodeId, fabricId,
mCommissionerStorage.GetCommissionerCATs(),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ - (instancetype)init

- (BOOL)initialize
{
return _mKeyPair.Initialize() == CHIP_NO_ERROR;
return _mKeyPair.Initialize(chip::Crypto::ECPKeyTarget::ECDSA) == CHIP_NO_ERROR;
}

- (NSData *)signMessageECDSA_RAW:(NSData *)message
Expand Down
2 changes: 1 addition & 1 deletion examples/platform/linux/CommissionerMain.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ CHIP_ERROR InitCommissioner(uint16_t commissionerPort, uint16_t udcListenPort, F
MutableByteSpan rcacSpan(rcac.Get(), Controller::kMaxCHIPDERCertLength);

Crypto::P256Keypair ephemeralKey;
ReturnErrorOnFailure(ephemeralKey.Initialize());
ReturnErrorOnFailure(ephemeralKey.Initialize(Crypto::ECPKeyTarget::ECDSA));

ReturnErrorOnFailure(gOpCredsIssuer.GenerateNOCChainAfterValidation(gLocalId, /* fabricId = */ 1, chip::kUndefinedCATs,
ephemeralKey.Pubkey(), rcacSpan, icacSpan, nocSpan));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ CHIP_ERROR ExampleSe05xDACProvider::SignWithDeviceAttestationKey(const ByteSpan

keypair.SetKeyId(DEV_ATTESTATION_KEY_SE05X_ID);
keypair.provisioned_key = true;
keypair.Initialize();
keypair.Initialize(Crypto::ECPKeyTarget::ECDSA);

ReturnErrorOnFailure(keypair.ECDSA_sign_msg(message_to_sign.data(), message_to_sign.size(), signature));

Expand Down
4 changes: 2 additions & 2 deletions src/controller/ExampleOperationalCredentialsIssuer.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::Initialize(PersistentStorageDele
{
ChipLogProgress(Controller, "Couldn't get %s from storage: %s", kOperationalCredentialsIssuerKeypairStorage, ErrorStr(err));
// Storage doesn't have an existing keypair. Let's create one and add it to the storage.
ReturnErrorOnFailure(mIssuer.Initialize());
ReturnErrorOnFailure(mIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
ReturnErrorOnFailure(mIssuer.Serialize(serializedKey));

PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIssuerKeypairStorage, key,
Expand All @@ -209,7 +209,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::Initialize(PersistentStorageDele
ChipLogProgress(Controller, "Couldn't get %s from storage: %s", kOperationalCredentialsIntermediateIssuerKeypairStorage,
ErrorStr(err));
// Storage doesn't have an existing keypair. Let's create one and add it to the storage.
ReturnErrorOnFailure(mIntermediateIssuer.Initialize());
ReturnErrorOnFailure(mIntermediateIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
ReturnErrorOnFailure(mIntermediateIssuer.Serialize(serializedKey));

PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIntermediateIssuerKeypairStorage, key,
Expand Down
4 changes: 2 additions & 2 deletions src/controller/java/AndroidDeviceControllerWrapper.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
{
CHIPP256KeypairBridge * nativeKeypairBridge = wrapper->GetP256KeypairBridge();
nativeKeypairBridge->SetDelegate(keypairDelegate);
*errInfoOnFailure = nativeKeypairBridge->Initialize();
*errInfoOnFailure = nativeKeypairBridge->Initialize(Crypto::ECPKeyTarget::ECDSA);
if (*errInfoOnFailure != CHIP_NO_ERROR)
{
return nullptr;
Expand Down Expand Up @@ -272,7 +272,7 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
ChipLogProgress(Controller,
"No existing credentials provided: generating ephemeral local NOC chain with OperationalCredentialsIssuer");

*errInfoOnFailure = ephemeralKey.Initialize();
*errInfoOnFailure = ephemeralKey.Initialize(Crypto::ECPKeyTarget::ECDSA);
if (*errInfoOnFailure != CHIP_NO_ERROR)
{
return nullptr;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::Initialize(PersistentStorageDele
if (storage.SyncGetKeyValue(kOperationalCredentialsIssuerKeypairStorage, &serializedKey, keySize) != CHIP_NO_ERROR)
{
// Storage doesn't have an existing keypair. Let's create one and add it to the storage.
ReturnErrorOnFailure(mIssuer.Initialize());
ReturnErrorOnFailure(mIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
ReturnErrorOnFailure(mIssuer.Serialize(serializedKey));

keySize = static_cast<uint16_t>(sizeof(serializedKey));
Expand Down
2 changes: 1 addition & 1 deletion src/controller/python/OpCredsBinding.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -343,7 +343,7 @@ PyChipError pychip_OpCreds_AllocateController(OpCredsContext * context, chip::Co
SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore));

chip::Crypto::P256Keypair ephemeralKey;
CHIP_ERROR err = ephemeralKey.Initialize();
CHIP_ERROR err = ephemeralKey.Initialize(chip::Crypto::ECPKeyTarget::ECDSA);
VerifyOrReturnError(err == CHIP_NO_ERROR, ToPyChipError(err));

chip::Platform::ScopedMemoryBuffer<uint8_t> noc;
Expand Down
2 changes: 1 addition & 1 deletion src/controller/python/chip/internal/CommissionerImpl.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ extern "C" chip::Controller::DeviceCommissioner * pychip_internal_Commissioner_N

commissionerParams.pairingDelegate = &gPairingDelegate;

err = ephemeralKey.Initialize();
err = ephemeralKey.Initialize(chip::Crypto::ECPKeyTarget::ECDSA);
SuccessOrExit(err);

err = gOperationalCredentialsIssuer.Initialize(gServerStorage);
Expand Down
4 changes: 2 additions & 2 deletions src/credentials/TestOnlyLocalCertificateAuthority.h
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ class TestOnlyLocalCertificateAuthority
}
else
{
mRootKeypair->Initialize();
mRootKeypair->Initialize(Crypto::ECPKeyTarget::ECDSA);
}
mCurrentStatus = GenerateRootCert(*mRootKeypair.get());
SuccessOrExit(mCurrentStatus);
Expand Down Expand Up @@ -155,7 +155,7 @@ class TestOnlyLocalCertificateAuthority
ReturnErrorOnFailure(ExtractSubjectDNFromChipCert(ByteSpan{ mLastRcac.Get(), mLastRcac.AllocatedSize() }, rcac_dn));

Crypto::P256Keypair icacKeypair;
ReturnErrorOnFailure(icacKeypair.Initialize()); // Maybe we won't use it, but it's OK
ReturnErrorOnFailure(icacKeypair.Initialize(Crypto::ECPKeyTarget::ECDSA)); // Maybe we won't use it, but it's OK

Crypto::P256Keypair * nocIssuerKeypair = mRootKeypair.get();
ChipDN * issuer_dn = &rcac_dn;
Expand Down
2 changes: 1 addition & 1 deletion src/credentials/tests/TestCertificationDeclaration.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -355,7 +355,7 @@ static void TestCD_CMSSignAndVerify(nlTestSuite * inSuite, void * inContext)

// Test with random key
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, CMS_Sign(cdContentIn, signerKeyId, keypair, signedMessage) == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, CMS_Verify(signedMessage, keypair.Pubkey(), cdContentOut) == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, cdContentIn.data_equal(cdContentOut));
Expand Down
26 changes: 13 additions & 13 deletions src/credentials/tests/TestChipCert.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1234,7 +1234,7 @@ static void TestChipCert_GenerateRootCert(nlTestSuite * inSuite, void * inContex
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

uint8_t signed_cert[kMaxDERCertLength];

Expand Down Expand Up @@ -1289,7 +1289,7 @@ static void TestChipCert_GenerateRootFabCert(nlTestSuite * inSuite, void * inCon
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

uint8_t signed_cert[kMaxDERCertLength];

Expand All @@ -1316,7 +1316,7 @@ static void TestChipCert_GenerateICACert(nlTestSuite * inSuite, void * inContext
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

uint8_t signed_cert[kMaxDERCertLength];

Expand All @@ -1332,7 +1332,7 @@ static void TestChipCert_GenerateICACert(nlTestSuite * inSuite, void * inContext

X509CertRequestParams ica_params = { 1234, 631161876, 729942000, ica_dn, issuer_dn };
P256Keypair ica_keypair;
NL_TEST_ASSERT(inSuite, ica_keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, ica_keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

MutableByteSpan signed_cert_span(signed_cert);
NL_TEST_ASSERT(inSuite, NewICAX509Cert(ica_params, ica_keypair.Pubkey(), keypair, signed_cert_span) == CHIP_NO_ERROR);
Expand Down Expand Up @@ -1370,7 +1370,7 @@ static void TestChipCert_GenerateNOCRoot(nlTestSuite * inSuite, void * inContext
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

uint8_t signed_cert[kMaxDERCertLength];

Expand All @@ -1387,7 +1387,7 @@ static void TestChipCert_GenerateNOCRoot(nlTestSuite * inSuite, void * inContext

X509CertRequestParams noc_params = { 123456, 631161876, 729942000, noc_dn, issuer_dn };
P256Keypair noc_keypair;
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

MutableByteSpan signed_cert_span(signed_cert, sizeof(signed_cert));
NL_TEST_ASSERT(inSuite,
Expand Down Expand Up @@ -1441,7 +1441,7 @@ static void TestChipCert_GenerateNOCICA(nlTestSuite * inSuite, void * inContext)
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

uint8_t signed_cert[kMaxDERCertLength];

Expand Down Expand Up @@ -1471,7 +1471,7 @@ static void TestChipCert_GenerateNOCICA(nlTestSuite * inSuite, void * inContext)

X509CertRequestParams noc_params = { 12348765, 631161876, 729942000, noc_dn, ica_dn };
P256Keypair noc_keypair;
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

MutableByteSpan signed_cert_span(signed_cert);
NL_TEST_ASSERT(inSuite,
Expand All @@ -1489,7 +1489,7 @@ static void TestChipCert_VerifyGeneratedCerts(nlTestSuite * inSuite, void * inCo
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

static uint8_t root_cert[kMaxDERCertLength];

Expand All @@ -1509,7 +1509,7 @@ static void TestChipCert_VerifyGeneratedCerts(nlTestSuite * inSuite, void * inCo

X509CertRequestParams ica_params = { 12345, 631161876, 729942000, ica_dn, root_dn };
P256Keypair ica_keypair;
NL_TEST_ASSERT(inSuite, ica_keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, ica_keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

MutableByteSpan ica_cert_span(ica_cert);
NL_TEST_ASSERT(inSuite, NewICAX509Cert(ica_params, ica_keypair.Pubkey(), keypair, ica_cert_span) == CHIP_NO_ERROR);
Expand All @@ -1522,7 +1522,7 @@ static void TestChipCert_VerifyGeneratedCerts(nlTestSuite * inSuite, void * inCo

X509CertRequestParams noc_params = { 123456, 631161876, 729942000, noc_dn, ica_dn };
P256Keypair noc_keypair;
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

MutableByteSpan noc_cert_span(noc_cert, sizeof(noc_cert));
NL_TEST_ASSERT(inSuite,
Expand Down Expand Up @@ -1567,7 +1567,7 @@ static void TestChipCert_VerifyGeneratedCertsNoICA(nlTestSuite * inSuite, void *
{
// Generate a new keypair for cert signing
P256Keypair keypair;
NL_TEST_ASSERT(inSuite, keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

static uint8_t root_cert[kMaxDERCertLength];

Expand All @@ -1594,7 +1594,7 @@ static void TestChipCert_VerifyGeneratedCertsNoICA(nlTestSuite * inSuite, void *

X509CertRequestParams noc_params = { 1234, 631161876, 729942000, noc_dn, root_dn };
P256Keypair noc_keypair;
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, noc_keypair.Initialize(ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

MutableByteSpan noc_cert_span(noc_cert);
NL_TEST_ASSERT(inSuite, NewNodeOperationalX509Cert(noc_params, noc_keypair.Pubkey(), keypair, noc_cert_span) == CHIP_NO_ERROR);
Expand Down
6 changes: 3 additions & 3 deletions src/credentials/tests/TestFabricTable.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -514,7 +514,7 @@ void TestBasicAddNocUpdateNocFlow(nlTestSuite * inSuite, void * inContext)
constexpr uint16_t kVendorId = 0xFFF1u;

chip::Crypto::P256Keypair fabric11Node55Keypair; // Fabric ID 11,
NL_TEST_ASSERT(inSuite, fabric11Node55Keypair.Initialize() == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, fabric11Node55Keypair.Initialize(Crypto::ECPKeyTarget::ECDSA) == CHIP_NO_ERROR);

// Initialize a fabric table.
ScopedFabricTable fabricTableHolder;
Expand Down Expand Up @@ -2523,7 +2523,7 @@ void TestEphemeralKeys(nlTestSuite * inSuite, void * inContext)

Crypto::P256Keypair * ephemeralKeypair = fabricTable.AllocateEphemeralKeypairForCASE();
NL_TEST_ASSERT(inSuite, ephemeralKeypair != nullptr);
NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize());
NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize(Crypto::ECPKeyTarget::ECDSA));

NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->ECDSA_sign_msg(message, sizeof(message), sig));
NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Pubkey().ECDSA_validate_msg_signature(message, sizeof(message), sig));
Expand All @@ -2550,7 +2550,7 @@ void TestEphemeralKeys(nlTestSuite * inSuite, void * inContext)

Crypto::P256Keypair * ephemeralKeypair = fabricTable.AllocateEphemeralKeypairForCASE();
NL_TEST_ASSERT(inSuite, ephemeralKeypair != nullptr);
NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize());
NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize(Crypto::ECPKeyTarget::ECDSA));

NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->ECDSA_sign_msg(message, sizeof(message), sig));
NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Pubkey().ECDSA_validate_msg_signature(message, sizeof(message), sig));
Expand Down
10 changes: 8 additions & 2 deletions src/crypto/CHIPCryptoPAL.h
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,12 @@ enum class SupportedECPKeyTypes : uint8_t
ECP256R1 = 0,
};

enum class ECPKeyTarget : uint8_t
{
ECDH = 0,
ECDSA = 1,
};

/** @brief Safely clears the first `len` bytes of memory area `buf`.
* @param buf Pointer to a memory buffer holding secret data that must be cleared.
* @param len Specifies secret data size in bytes.
Expand Down Expand Up @@ -385,7 +391,7 @@ class P256KeypairBase : public ECPKeypair<P256PublicKey, P256ECDHDerivedSecret,
* @brief Initialize the keypair.
* @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
**/
virtual CHIP_ERROR Initialize() = 0;
virtual CHIP_ERROR Initialize(ECPKeyTarget key_target) = 0;

/**
* @brief Serialize the keypair.
Expand All @@ -410,7 +416,7 @@ class P256Keypair : public P256KeypairBase
* @brief Initialize the keypair.
* @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
**/
CHIP_ERROR Initialize() override;
CHIP_ERROR Initialize(ECPKeyTarget key_target) override;

/**
* @brief Serialize the keypair.
Expand Down
2 changes: 1 addition & 1 deletion src/crypto/CHIPCryptoPALOpenSSL.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1020,7 +1020,7 @@ static CHIP_ERROR P256PublicKeyFromECKey(EC_KEY * ec_key, P256PublicKey & pubkey
return error;
}

CHIP_ERROR P256Keypair::Initialize()
CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
{
ERR_clear_error();

Expand Down
Loading

0 comments on commit 1462172

Please sign in to comment.