WolfSSL
/
wolfssl-examples
mirror of https://github.com/wolfSSL/wolfssl-examples.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #346 from cconlon/se050 

Add NXP SE050 EdgeLock examples for use on Raspberry Pi
pull/348/head
David Garske 2022-11-14 07:23:55 -08:00 committed by GitHub
parent c3491327ed 05efd4a4ee
commit 27bb621e35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 1776 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@ -283,6 +283,16 @@ This directory contains a wolfCrypt benchmark test application for i.MX RT1060-E
Please see the [RT1060/README.md](RT1060/README.md) for further usage and details. Please see the [RT1060/README.md](RT1060/README.md) for further usage and details.
<br />
#### NXP SE050
This directory contains example applications for NXP's SE050. The examples
have been tested on a Raspberry Pi with SE050 EdgeLock.
Please see the [SE050/README.md](SE050/README.md) for further details.
<br /> <br />
#### SGX_Linux (Linux Enclave) #### SGX_Linux (Linux Enclave)

111
SE050/README.md 100644
View File

@ -0,0 +1,111 @@
# wolfSSL NXP SE050 Examples
wolfSSL includes support for the NXP SE050 Plug & Trust Secure Element. For
details about the NXP SE050, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
This directory contains wolfSSL examples for NXP SE050. The examples have been
written for and tested on a Raspberry Pi with NXP SE050 EdgeLock development
kit.
For complete details on wolfSSL's support for NXP SE050, see
[README_SE050.md](https://www.github.com/wolfssl/wolfssl/wolfcrypt/src/port/nxp/README_SE050.md).
That document also describes how to download, build, and compile the SE05x
Middleware. It should be followed first before moving on to installing and
running these examples.
## Installing Example Applications
These instructions assume that the SE050 middleware has already been installed
in Raspbian and is located at `/home/pi/se_mw/simw-top`.
Before building these demo, the "wolfssl" folder which contains these demos
should be copied into the SE05x middleware source tree at:
```
/home/pi/se_mw/simw-top/demos/wolfssl
```
This will mean the wolfSSL demo applications will be at:
```
/home/pi/se_mw/simw-top/demos/wolfssl/wolfcrypt_benchmark
/home/pi/se_mw/simw-top/demos/wolfssl/wolfcrypt_generate_csr
/home/pi/se_mw/simw-top/demos/wolfssl/wolfcrypt_key_cert_insert
/home/pi/se_mw/simw-top/demos/wolfssl/wolfcrypt_test
```
The 'wolfssl' demo directory needs to be tied into the CMake build system. Open
the following file:
```
/home/pi/se_mw/simw-top/demos/CMakeLists.txt
```
Add the following at the bottom of this file:
```
ADD_SUBDIRECTORY(wolfssl)
```
If the SE05x middleware has not yet been set up for compilation:
```
$ cd /home/pi/se_mw/simw-top/scripts
$ ./create_cmake_projects.py rpi
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c
$ ccmake .
< adjust options to match SE050 dev kit >
< 'c', to configure >
< 'g', to generate >
$ cmake --build .
```
This will build the SE05x middleware along with demos, including the wolfCrypt
test application.
**IMPORTANT:** Note that the wolfCrypt test and benchmark application examples
included here need benchmark.c, benchmark.h, test.c, and test.h copied over
from a valid wolfSSL source tree. See notes in those example README.md files
for more information.
## NXP SE050 EdgeLock Configuration
wolfSSL most recently tested these examples on a Raspberry Pi with NXP
EdgeLock development kit. The following CMake options were used. This uses
OpenSSL as the HostCrypto Provider and enables SCP03 authentication.
![CMake Configuration](images/se05x_middleware_cmake_openssl_scp03.png)
## Example Applications
### wolfCrypt Test Application
This application will run the wolfCrypt test application, running cryptography
test vectors through all algorithms enabled in wolfSSL. For details, see
[README.md](./wolfssl/wolfcrypt_test/README.md).
### wolfCrypt Benchmark Application
This application will run the wolfCrypt benchmark application, benchmarking
all enabled algorithms in wolfSSL. For details, see
[README.md](./wolfssl/wolfcrypt_benchmark/README.md).
### wolfCrypt SE050 Key and Certificate Insertion and Use Example
This example inserts and uses certificates and keys into the SE050. It does an
ECDSA verify operation of an ASCII-encoded {R,S} signature, reads back out the
RSA and ECC certificates imported and verifies they match the original ones,
then erases keys and certificates that were imported into the SE050. For
details, see [README.md](./wolfssl/wolfcrypt_key_cert_insert/README.md).
### wolfCrypt CSR Generation Example
This example generates a Certificate Signing Request (CSR) using a key
generated and stored in the SE050. This examples requires that wolfSSL be
compiled with `--enable-certgen --enable-certreq`. For details, see
[README.md](./wolfssl/wolfcrypt_generate_csr/README.md).
## Support
For support questions and issues, please email wolfSSL at support@wolfssl.com.

BIN
SE050/images/se05x_middleware_cmake_openssl_scp03.png 100644
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 190 KiB

4
SE050/wolfssl/CMakeLists.txt 100644
View File

@ -0,0 +1,4 @@
ADD_SUBDIRECTORY(wolfcrypt_benchmark)
ADD_SUBDIRECTORY(wolfcrypt_test)
ADD_SUBDIRECTORY(wolfcrypt_key_cert_insert)
ADD_SUBDIRECTORY(wolfcrypt_generate_csr)

34
SE050/wolfssl/wolfcrypt_benchmark/CMakeLists.txt 100644
View File

@ -0,0 +1,34 @@
PROJECT(wolfcrypt_benchmark)
FILE(
GLOB
files
*.c
)
ADD_EXECUTABLE(
${PROJECT_NAME}
${KSDK_STARTUP_FILE} ${files}
)
TARGET_COMPILE_DEFINITIONS(
${PROJECT_NAME}
PRIVATE SIMW_DEMO_ENABLE__DEMO_WOLFCRYPTBENCHMARK NO_MAIN_DRIVER BENCH_EMBEDDED USE_CERT_BUFFERS_2048 USE_CERT_BUFFERS_256
)
TARGET_INCLUDE_DIRECTORIES(
${PROJECT_NAME}
PRIVATE ${SIMW_TOP_DIR}/sss/ex/inc /home/pi/se_mw/wolfssl
)
TARGET_LINK_LIBRARIES(
${PROJECT_NAME}
SSS_APIs
ex_common
wolfssl
)
CREATE_BINARY(${PROJECT_NAME})
IF(SSS_HAVE_HOST_LINUX_LIKE)
INSTALL(TARGETS ${PROJECT_NAME} DESTINATION bin)
ENDIF()

145
SE050/wolfssl/wolfcrypt_benchmark/README.md 100644
View File

@ -0,0 +1,145 @@
# wolfCrypt Benchmark Demo Application
This demo application runs the wolfCrypt benchmark app. It benchmarks all
algorithms enabled in wolfCrypt. It has been tested using a Raspberry Pi
and SE050 EdgeLock development kit.
## Building the Demo
Before building this demo, follow initial setup instructions in the parent
[README.md](../../README.md).
**IMPORTANT:** This example requires the benchmark.c and benchmark.h files from
a wolfSSL source package be copied into this directory before compiling and
running the example. There are stub files included in this example directory
that should be overwritten:
```
$ cp wolfssl-X.X.X/wolfcrypt/benchmark/benchmark.c ./
$ cp wolfssl-X.X.X/wolfcrypt/benchmark/benchmark.h ./
```
Once this example directory has been copied into the SE05x middleware directory
tree in the correct location, compiling the middleware will also compile this
demo application:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c
$ cmake --build .
```
## Running the Demo
To run the demo:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c/bin
$ ./wolfcrypt_benchmark
```
On successful run, output similar to the following will print out:
```
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running ./wolfcrypt_benchmark
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :INFO :running setconfig
App :INFO :Ran setconfig successfully
wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
RNG 12 MiB took 1.001 seconds, 11.928 MiB/s
AES-128-CBC-enc 20 MiB took 1.000 seconds, 19.724 MiB/s
AES-128-CBC-dec 19 MiB took 1.001 seconds, 19.438 MiB/s
AES-192-CBC-enc 17 MiB took 1.001 seconds, 16.982 MiB/s
AES-192-CBC-dec 17 MiB took 1.001 seconds, 16.612 MiB/s
AES-256-CBC-enc 15 MiB took 1.001 seconds, 14.755 MiB/s
AES-256-CBC-dec 15 MiB took 1.001 seconds, 14.580 MiB/s
AES-128-GCM-enc 10 MiB took 1.002 seconds, 9.967 MiB/s
AES-128-GCM-dec 10 MiB took 1.002 seconds, 9.965 MiB/s
AES-192-GCM-enc 9 MiB took 1.002 seconds, 9.208 MiB/s
AES-192-GCM-dec 9 MiB took 1.000 seconds, 9.202 MiB/s
AES-256-GCM-enc 8 MiB took 1.001 seconds, 8.492 MiB/s
AES-256-GCM-dec 8 MiB took 1.000 seconds, 8.495 MiB/s
AES-128-GCM-enc-no_AAD 10 MiB took 1.001 seconds, 9.975 MiB/s
AES-128-GCM-dec-no_AAD 10 MiB took 1.002 seconds, 10.035 MiB/s
AES-192-GCM-enc-no_AAD 9 MiB took 1.001 seconds, 9.269 MiB/s
AES-192-GCM-dec-no_AAD 9 MiB took 1.002 seconds, 9.262 MiB/s
AES-256-GCM-enc-no_AAD 9 MiB took 1.002 seconds, 8.554 MiB/s
AES-256-GCM-dec-no_AAD 9 MiB took 1.003 seconds, 8.545 MiB/s
GMAC Table 4-bit 22 MiB took 1.000 seconds, 21.581 MiB/s
AES-128-ECB-enc 15 MiB took 1.000 seconds, 14.996 MiB/s
AES-128-ECB-dec 15 MiB took 1.000 seconds, 14.983 MiB/s
AES-192-ECB-enc 13 MiB took 1.000 seconds, 13.356 MiB/s
AES-192-ECB-dec 13 MiB took 1.000 seconds, 13.240 MiB/s
AES-256-ECB-enc 12 MiB took 1.000 seconds, 11.929 MiB/s
AES-256-ECB-dec 12 MiB took 1.000 seconds, 11.921 MiB/s
CHACHA 38 MiB took 1.000 seconds, 37.518 MiB/s
CHA-POLY 26 MiB took 1.000 seconds, 26.211 MiB/s
MD5 129 MiB took 1.000 seconds, 129.068 MiB/s
POLY1305 118 MiB took 1.000 seconds, 118.446 MiB/s
SHA 66 MiB took 1.000 seconds, 66.223 MiB/s
SHA-256 31 MiB took 1.001 seconds, 31.328 MiB/s
SHA-384 16 MiB took 1.000 seconds, 15.918 MiB/s
SHA-512 16 MiB took 1.000 seconds, 15.914 MiB/s
HMAC-MD5 127 MiB took 1.000 seconds, 126.965 MiB/s
HMAC-SHA 65 MiB took 1.000 seconds, 65.453 MiB/s
HMAC-SHA256 31 MiB took 1.001 seconds, 30.983 MiB/s
HMAC-SHA384 16 MiB took 1.000 seconds, 15.551 MiB/s
HMAC-SHA512 16 MiB took 1.001 seconds, 15.653 MiB/s
PBKDF2 4 KiB took 1.002 seconds, 3.618 KiB/s
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id FFFF
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10000
RSA 1024 key gen 2 ops took 1.377 sec, avg 688.364 ms, 1.453 ops/sec
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10001
RSA 2048 key gen 1 ops took 7.441 sec, avg 7440.538 ms, 0.134 ops/sec
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10002
RSA 2048 public 10 ops took 1.133 sec, avg 113.271 ms, 8.828 ops/sec
RSA 2048 private 6 ops took 1.278 sec, avg 212.942 ms, 4.696 ops/sec
DH 2048 key gen 46 ops took 1.002 sec, avg 21.780 ms, 45.915 ops/sec
DH 2048 agree 22 ops took 1.027 sec, avg 46.693 ms, 21.416 ops/sec
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10003
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10004
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10005
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10006
ECC [ SECP256R1] 256 key gen 4 ops took 1.149 sec, avg 287.259 ms, 3.481 ops/sec
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10007
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10008
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10009
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000A
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000B
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000C
ECDHE [ SECP256R1] 256 agree 4 ops took 1.710 sec, avg 427.612 ms, 2.339 ops/sec
ECDSA [ SECP256R1] 256 sign 10 ops took 1.010 sec, avg 100.953 ms, 9.906 ops/sec
ECDSA [ SECP256R1] 256 verify 10 ops took 1.010 sec, avg 100.998 ms, 9.901 ops/sec
Benchmark complete
```
## Demo Notes
The `benchmark.c` and `benchmark.h` file in this directory have been copied
directly from the wolfSSL download directory, at:
```
wolfssl-X.X.X/wolfcrypt/benchmark/benchmark.c
wolfssl-X.X.X/wolfcrypt/benchmark/benchmark.h
```

23
SE050/wolfssl/wolfcrypt_benchmark/benchmark.c 100644
View File

@ -0,0 +1,23 @@
/* benchmark.c
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#error "Overwrite this file with wolfcrypt/benchmark/benchmark.c from wolfSSL"

23
SE050/wolfssl/wolfcrypt_benchmark/benchmark.h 100644
View File

@ -0,0 +1,23 @@
/* benchmark.h
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#error "Overwrite this file with wolfcrypt/benchmark/benchmark.h from wolfSSL"

73
SE050/wolfssl/wolfcrypt_benchmark/wolfcrypt_benchmark.c 100644
View File

@ -0,0 +1,73 @@
/* wolfcrypt_benchmark.c
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifdef __cplusplus
extern "C" {
#endif
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#include <wolfssl/ssl.h>
#include "benchmark.h"
#include <ex_sss_boot.h>
#include <fsl_sss_se05x_apis.h>
#include <nxLog_App.h>
#ifdef __cplusplus
}
#endif
#if defined(SIMW_DEMO_ENABLE__DEMO_WOLFCRYPTBENCHMARK)
static ex_sss_boot_ctx_t gex_sss_boot_ctx;
#define EX_SSS_BOOT_PCONTEXT (&gex_sss_boot_ctx)
#define EX_SSS_BOOT_DO_ERASE 1
#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0
#include <ex_sss_main_inc.h>
sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx)
{
int ret = 0;
sss_status_t status = kStatus_SSS_Success;
sss_session_t *pSession = (sss_session_t*)&pCtx->session;
sss_key_store_t *pKeyStore = (sss_key_store_t*)&pCtx->ks;
LOG_I("running setconfig");
ret = wc_se050_set_config(pSession, NULL, pKeyStore);
if (ret != 0) {
LOG_E("wc_se050_set_config failed");
return kStatus_SSS_Fail;
}
LOG_I("Ran setconfig successfully");
wolfSSL_Init();
benchmark_test(NULL);
wolfSSL_Cleanup();
LOG_I("Finished wolfCrypt Benchmark");
return status;
}
#endif /* SIMW_DEMO_ENABLE__DEMO_WOLFCRYPTBENCHMARK */

34
SE050/wolfssl/wolfcrypt_generate_csr/CMakeLists.txt 100644
View File

@ -0,0 +1,34 @@
PROJECT(wolfcrypt_generate_csr)
FILE(
GLOB
files
wolfcrypt_generate_csr.c
)
ADD_EXECUTABLE(
${PROJECT_NAME}
${KSDK_STARTUP_FILE} ${files}
)
TARGET_COMPILE_DEFINITIONS(
${PROJECT_NAME}
PRIVATE SIMW_DEMO_ENABLE__DEMO_WOLFCRYPT_GENERATE_CSR
)
TARGET_INCLUDE_DIRECTORIES(
${PROJECT_NAME}
PRIVATE ${SIMW_TOP_DIR}/sss/ex/inc
)
TARGET_LINK_LIBRARIES(
${PROJECT_NAME}
SSS_APIs
ex_common
wolfssl
)
CREATE_BINARY(${PROJECT_NAME})
IF(SSS_HAVE_HOST_LINUX_LIKE)
INSTALL(TARGETS ${PROJECT_NAME} DESTINATION bin)
ENDIF()

74
SE050/wolfssl/wolfcrypt_generate_csr/README.md 100644
View File

@ -0,0 +1,74 @@
# wolfCrypt SE050 Certificate Signing Request (CSR) Example
This example uses wolfSSL to generate a Certificate Signing Request (CSR) using
a key that is generated and stored in the SE050:
1. Generates a 256 bit ECC key pair in SE050.
2. Generates a certificate request with wolfCrypt and signs it with the
ECC private key from step 1.
3. Converts the CSR from DER to PEM format and prints that to the console.
4. Deletes the generated key in SE050 (for example cleanup), and cleans up
wolfSSL library resources.
## Building the Demo
Before building this demo, follow initial setup instructions in the parent
[README.md](../../README.md).
Once this example directory has been copied into the SE05x middleware directory
tree in the correct location, compiling the middleware will also compile this
demo application:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c
$ cmake --build .
```
## Running the Demo
To run the demo:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c/bin
$ ./wolfcrypt_generate_csr
```
On successful run, output similar to the following will print out:
```
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running ./wolfcrypt_generate_csr
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
App :INFO :Running wc_se050_set_config()
App :INFO :SE050 config successfully set in wolfSSL
App :INFO :wolfCrypt example of CSR generation
App :INFO :Initializing RNG
App :INFO :Generating ECC key in SE050
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id FFFF
App :INFO :Generated ECC key in SE050 ID: 0x0000ffff
App :INFO :Generated CSR (530 bytes)
App :INFO :-----BEGIN CERTIFICATE REQUEST-----
MIIBTjCB8wIBAjCBkDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1UMRAwDgYDVQQH
DAdCb3plbWFuMREwDwYDVQQKDAhUZXN0IE9yZzEUMBIGA1UECwwLRGV2ZWxvcG1l
bnQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m
b0BleGFtcGxlLmNvbTBZMBM
App :INFO :Erasing ECC key stored in SE050 slot: 0x0000ffff
App :INFO :Done with sample app
App :INFO :ex_sss Finished
```

201
SE050/wolfssl/wolfcrypt_generate_csr/wolfcrypt_generate_csr.c 100644
View File

@ -0,0 +1,201 @@
/* wolfcrypt_generate_csr.c
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* wolfCrypt example that generates a CSR using key generated in SE050. */
#ifdef __cplusplus
extern "C" {
#endif
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#include <wolfssl/ssl.h>
#include <ex_sss_boot.h>
#include <fsl_sss_se05x_apis.h>
#include <nxLog_App.h>
#ifdef __cplusplus
}
#endif
#if defined(SIMW_DEMO_ENABLE__DEMO_WOLFCRYPT_GENERATE_CSR)
static ex_sss_boot_ctx_t gex_sss_boot_ctx;
#define EX_SSS_BOOT_PCONTEXT (&gex_sss_boot_ctx)
#define EX_SSS_BOOT_DO_ERASE 1
#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0
#include <ex_sss_main_inc.h>
sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx)
{
#if defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
int ret = 0;
sss_status_t status = kStatus_SSS_Success;
sss_session_t *pSession = (sss_session_t*)&pCtx->session;
sss_key_store_t *pKeyStore = (sss_key_store_t*)&pCtx->ks;
word32 keyId = 0;
WC_RNG rng;
ecc_key ecc;
Cert req;
byte der[1024];
byte pem[1024];
int derSz;
int pemSz;
LOG_I("Running wc_se050_set_config()");
ret = wc_se050_set_config(pSession, NULL, pKeyStore);
if (ret != 0) {
LOG_E("wc_se050_set_config failed");
return kStatus_SSS_Fail;
}
LOG_I("SE050 config successfully set in wolfSSL");
/* Initialize wolfSSL library */
wolfSSL_Init();
LOG_I("wolfCrypt example of CSR generation\n");
XMEMSET(der, 0, sizeof(der));
XMEMSET(pem, 0, sizeof(pem));
LOG_I("Initializing RNG\n");
ret = wc_InitRng(&rng);
if (ret != 0) {
LOG_I("wc_RngInit() error, ret = %d\n", ret);
}
/* Generate ECC key, stored in SE050 */
if (ret == 0) {
LOG_I("Generating ECC key in SE050\n");
ret = wc_ecc_init(&ecc);
if (ret != 0) {
LOG_I("wc_ecc_init error, ret = %d\n", ret);
}
}
if (ret == 0) {
ret = wc_ecc_make_key(&rng, 32, &ecc);
if (ret != 0) {
LOG_I("wc_ecc_make_key error, ret = %d\n", ret);
} else {
ret = wc_ecc_get_key_id(&ecc, &keyId);
if (ret != 0) {
LOG_I("wc_ecc_get_key_id error, ret = %d\n", ret);
} else {
LOG_I("Generated ECC key in SE050 ID: 0x%08x\n", keyId);
}
}
}
if (ret == 0) {
ret = wc_InitCert(&req);
if (ret != 0) {
LOG_I("wc_InitCert error, ret = %d\n", ret);
}
}
if (ret == 0) {
strncpy(req.subject.country, "US", CTC_NAME_SIZE);
strncpy(req.subject.state, "MT", CTC_NAME_SIZE);
strncpy(req.subject.locality, "Bozeman", CTC_NAME_SIZE);
strncpy(req.subject.org, "Test Org", CTC_NAME_SIZE);
strncpy(req.subject.unit, "Development", CTC_NAME_SIZE);
strncpy(req.subject.commonName, "www.example.com", CTC_NAME_SIZE);
strncpy(req.subject.email, "info@example.com", CTC_NAME_SIZE);
ret = wc_MakeCertReq_ex(&req, der, sizeof(der), ECC_TYPE,
(void*)&ecc);
if (ret <= 0) {
LOG_I("wc_MakeCertReq_ex error, ret = %d\n", ret);
} else {
derSz = ret;
ret = 0;
}
}
if (ret == 0) {
ret = wc_SignCert_ex(req.bodySz, req.sigType, der, sizeof(der),
ECC_TYPE, (void*)&ecc, &rng);
if (ret <= 0) {
LOG_I("wc_SignCert_ex error, ret = %d\n", ret);
} else {
derSz = ret;
ret = 0;
}
}
if (ret == 0) {
XMEMSET(pem, 0, sizeof(pem));
ret = wc_DerToPem(der, derSz, pem, sizeof(pem), CERTREQ_TYPE);
if (ret <= 0) {
LOG_I("wc_DerToPem error, ret = %d\n", ret);
} else {
pemSz = ret;
LOG_I("Generated CSR (%d bytes)\n", pemSz);
ret = 0;
LOG_I("%s", pem);
}
}
/* Delete generated key in SE050 */
if (ret == 0) {
LOG_I("Erasing ECC key stored in SE050 slot: 0x%08x\n", keyId);
ret = wc_se050_erase_object(keyId);
if (ret != 0) {
LOG_I("Failed to erase ECC key in SE050\n");
}
}
/* Free ECC key and RNG */
if (ret == 0) {
ret = wc_ecc_free(&ecc);
if (ret != 0) {
LOG_I("wc_ecc_free error, ret = %d\n", ret);
}
}
if (ret == 0) {
ret = wc_FreeRng(&rng);
if (ret != 0) {
LOG_I("wc_FreeRng error, ret = %d\n", ret);
}
}
/* Cleanup wolfSSL library resources */
wolfSSL_Cleanup();
LOG_I("Done with sample app");
return status;
#else
LOG_E("Examples requires wolfSSL be compiled with WOLFSSL_CERT_GEN "
"and WOLFSSL_CERT_REQ");
return kStatus_SSS_Fail;
#endif /* WOLFSSL_CERT_GEN && WOLFSSL_CERT_REQ */
}
#endif /* SIMW_DEMO_ENABLE__DEMO_WOLFCRYPT_GENERATE_CSR */

34
SE050/wolfssl/wolfcrypt_key_cert_insert/CMakeLists.txt 100644
View File

@ -0,0 +1,34 @@
PROJECT(wolfcrypt_key_cert_insert)
FILE(
GLOB
files
*.c
)
ADD_EXECUTABLE(
${PROJECT_NAME}
${KSDK_STARTUP_FILE} ${files}
)
TARGET_COMPILE_DEFINITIONS(
${PROJECT_NAME}
PRIVATE SIMW_DEMO_ENABLE__DEMO_WOLFCRYPT_KEY_CERT_INSERT USE_CERT_BUFFERS_2048 USE_CERT_BUFFERS_256
)
TARGET_INCLUDE_DIRECTORIES(
${PROJECT_NAME}
PRIVATE ${SIMW_TOP_DIR}/sss/ex/inc
)
TARGET_LINK_LIBRARIES(
${PROJECT_NAME}
SSS_APIs
ex_common
wolfssl
)
CREATE_BINARY(${PROJECT_NAME})
IF(SSS_HAVE_HOST_LINUX_LIKE)
INSTALL(TARGETS ${PROJECT_NAME} DESTINATION bin)
ENDIF()

106
SE050/wolfssl/wolfcrypt_key_cert_insert/README.md 100644
View File

@ -0,0 +1,106 @@
# wolfCrypt SE050 Key and Certificate Insertion and Use Example
This example inserts and uses keys and certificates into SE050, including:
1. Inserts sample RSA and ECC certs and keys into SE050 key IDs. Sample keys
and certs used are from wolfSSL's `<wolfssl/certs_test.h>` header and are demo
certs/keys that ship with wolfSSL:
```
server_key_der_2048 RSA private key (2048-bit)
server_cert_der_2048 RSA cert (2048-bit), matches above key
public key from above RSA public key extracted from above cert
ecc_key_der_256 ECC private key (NIST P-256)
serv_ecc_der_256 ECC cert (NIST P-256), matches above key
public key from above ECC public key extracted from above cert
```
2. Does an ECDSA verify using one of the ECC public keys and a ECDSA signature
in the form of ASCII R and S components.
3. Reads back out the RSA and ECC certificate inserted, verifies they match the
original inserted.
4. Erases the keys and certs from the SE050.
## Building the Demo
Before building this demo, follow initial setup instructions in the parent
[README.md](../../README.md).
Once this example directory has been copied into the SE05x middleware directory
tree in the correct location, compiling the middleware will also compile this
demo application:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c
$ cmake --build .
```
## Running the Demo
To run the demo:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c/bin
$ ./wolfcrypt_key_cert_insert
```
On successful run, output similar to the following will print out:
```
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running ./wolfcrypt_key_cert_insert
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :INFO :Running wc_se050_set_config()
App :INFO :SE050 config successfully set in wolfSSL
App :INFO :Inserted RSA private key into SE050 key ID: 0x00005002
App :INFO :Inserted RSA certificate into SE050 key ID: 0x00005003
App :INFO :RSA key written to DER, 294 bytes
App :INFO :Inserted RSA public key into SE050 key ID: 0x00005004
App :INFO :Inserted ECC private key into SE050 key ID: 0x00005005
App :INFO :Inserted ECC certificate into SE050 key ID: 0x00005006
App :INFO :Inserted ECC public key into SE050 key ID: 0x00005007
App :INFO :Setting ecc_key to use ID from SE050
App :INFO :Verifying ECDSA signature with SE050 key ID: 0x00005007
App :INFO :ECDSA verify success!
App :INFO :Read RSA certificate (1260 bytes)
App :INFO :RSA cert matches original loaded
App :INFO :Read ECC certificate (677 bytes)
App :INFO :ECC cert matches original loaded
App :INFO :Erased RSA private key, key ID: 0x00005002
App :INFO :Erased RSA certificate, key ID: 0x00005003
App :INFO :Erased RSA public key, key ID: 0x00005004
App :INFO :Erased ECC private key, key ID: 0x00005005
App :INFO :Erased ECC certificate, key ID: 0x00005006
App :INFO :Erased ECC public key, key ID: 0x00005007
App :INFO :Done with sample app
App :INFO :ex_sss Finished
```

532
SE050/wolfssl/wolfcrypt_key_cert_insert/wolfcrypt_key_cert_insert.c 100644
View File

@ -0,0 +1,532 @@
/* wolfcrypt_key_cert_insert.c
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* Example app inserts and uses keys and certificates into SE050.
*
* 1. Inserts sample RSA and ECC certs and keys into SE050 key IDs.
* Sample keys and certs used are from wolfSSL's <wolfssl/certs_test.h>
* header and are demo certs/keys that ship with wolfSSL:
* server_key_der_2048 RSA private key (2048-bit)
* server_cert_der_2048 RSA cert (2048-bit), matches above key
* public key from above RSA public key extracted from above cert
* ecc_key_der_256 ECC private key (NIST P-256)
* serv_ecc_der_256 ECC cert (NIST P-256), matches above key
* public key from above ECC public key extracted from above cert
* 2. Does an ECDSA verify using one of the ECC public keys and a
* ECDSA signature in the form of ASCII R and S components.
* 3. Reads back out the RSA and ECC certificate inserted, verifies
* they match the original inserted.
* 4. Erases the keys and certs from the SE050.
*/
#ifdef __cplusplus
extern "C" {
#endif
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/certs_test.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#include <ex_sss_boot.h>
#include <fsl_sss_se05x_apis.h>
#include <nxLog_App.h>
#ifdef __cplusplus
}
#endif
#if defined(SIMW_DEMO_ENABLE__DEMO_WOLFCRYPT_KEY_CERT_INSERT)
static ex_sss_boot_ctx_t gex_sss_boot_ctx;
#define EX_SSS_BOOT_PCONTEXT (&gex_sss_boot_ctx)
#define EX_SSS_BOOT_DO_ERASE 1
#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0
#define KEYID_RSA_PRIVATE 0x00005002 /* stores server_key_der_2048 */
#define KEYID_RSA_CERT 0x00005003 /* stores server_cert_der_2048 */
#define KEYID_RSA_PUBLIC 0x00005004 /* stores server_cert_der_2048 pub key */
#define KEYID_ECC_PRIVATE 0x00005005 /* stores ecc_key_der_256 */
#define KEYID_ECC_CERT 0x00005006 /* stores serv_ecc_der_256 */
#define KEYID_ECC_PUBLIC 0x00005007 /* stores serv_ecc_der_256 public key */
#include <ex_sss_main_inc.h>
static int se050_verify_ecc_sig_rs(const char* sigR, const char* sigS,
byte* digest, word32 digestSz, word32 keyId)
{
int ret = 0;
int res = 0;
byte eccSig[ECC_MAX_SIG_SIZE];
word32 eccSigSz;
ecc_key eccKey;
if (sigR == NULL || sigS == NULL || digest == NULL || digestSz == 0) {
return -1;
}
eccSigSz = sizeof(eccSig);
memset(eccSig, 0, eccSigSz);
ret = wc_ecc_rs_to_sig(sigR, sigS, eccSig, &eccSigSz);
if (ret != 0) {
LOG_I("wc_ecc_rs_to_sig() failed, ret = %d\n", ret);
}
/* Create ecc_key struct with SE050 key ID */
if (ret == 0) {
ret = wc_ecc_init(&eccKey);
if (ret != 0) {
LOG_I("wc_ecc_init error, ret = %d\n", ret);
}
}
if (ret == 0) {
LOG_I("Setting ecc_key to use ID from SE050\n");
ret = wc_ecc_use_key_id(&eccKey, keyId, 0);
if (ret != 0) {
LOG_I("wc_ecc_use_key_id error, ret = %d\n", ret);
}
}
if (ret == 0) {
LOG_I("Verifying ECDSA signature with SE050 key ID: 0x%08x\n", keyId);
ret = wc_ecc_verify_hash(eccSig, eccSigSz, digest, digestSz, &res,
&eccKey);
if (ret != 0 || res != 1) {
LOG_I("wc_ecc_verify_hash failed, ret = %d\n", ret);
}
}
if (ret == 0) {
if (res != 1) {
LOG_I("ECDSA verify failed!\n");
} else {
LOG_I("ECDSA verify success!\n");
}
}
/* Free ECC key and RNG */
if (ret == 0) {
ret = wc_ecc_free(&eccKey);
if (ret != 0) {
LOG_I("wc_ecc_free error, ret = %d\n", ret);
}
}
return ret;
}
/**
* Insert sample certs/keys into SE050 key IDs:
*
* Key ID Credential
* ------ --------------------------------
* KEYID_RSA_PRIVATE RSA private key
* KEYID_RSA_CERT RSA certificate
* KEYID_ECC_PRIVATE ECC private key
* KEYID_ECC_CERT ECC certificate
* KEYID_ECC_PUBLIC ECC public key (from cert above)
*
* Return 0 on success, negative on error.
*/
static int write_certs_keys_to_se050(void)
{
int ret = 0;
DecodedCert cert;
byte derKey[1024];
word32 derKeySz = 0;
word32 idx = 0;
RsaKey rsaKey;
/* Insert RSA private key */
ret = wc_se050_rsa_insert_private_key(KEYID_RSA_PRIVATE,
server_key_der_2048,
sizeof_server_key_der_2048);
if (ret != 0) {
LOG_I("Error in se050_rsa_insert_private_key, ret = %d\n", ret);
} else {
LOG_I("Inserted RSA private key into SE050 key ID: 0x%08x\n",
KEYID_RSA_PRIVATE);
}
/* Insert RSA certificate */
ret = wc_se050_insert_binary_object(KEYID_RSA_CERT,
server_cert_der_2048,
sizeof_server_cert_der_2048);
if (ret != 0) {
LOG_I("Error in wc_se050_insert_binary_object, ret = %d\n", ret);
} else {
LOG_I("Inserted RSA certificate into SE050 key ID: 0x%08x\n",
KEYID_RSA_CERT);
}
/* Extract RSA public key from cert DER */
if (ret == 0) {
wc_InitDecodedCert(&cert, server_cert_der_2048,
sizeof_server_cert_der_2048, NULL);
ret = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
if (ret != 0) {
LOG_I("wc_ParseCert failed, ret = %d\n", ret);
}
else {
derKeySz = sizeof(derKey);
ret = wc_GetPubKeyDerFromCert(&cert, derKey, &derKeySz);
if (ret != 0) {
LOG_I("wc_GetPubKeyDerFromCert failed, ret = %d\n", ret);
}
}
wc_FreeDecodedCert(&cert);
}
/* Convert RSA public key DER to format for SE050, needs header added */
if (ret == 0) {
ret = wc_InitRsaKey(&rsaKey, NULL);
if (ret != 0) {
LOG_I("wc_InitRsaKey failed, ret = %d\n", ret);
}
else {
idx = 0;
ret = wc_RsaPublicKeyDecode(derKey, &idx, &rsaKey, derKeySz);
if (ret != 0) {
LOG_I("wc_RsaPublicKeyDecode failed, ret = %d\n", ret);
}
else {
derKeySz = sizeof(derKey);
ret = wc_RsaKeyToPublicDer_ex(&rsaKey, derKey, derKeySz, 1);
if (ret <= 0) {
LOG_I("wc_RsaKeyToDer failed, ret = %d\n", ret);
} else {
LOG_I("RSA key written to DER, %d bytes\n", ret);
derKeySz = ret;
ret = 0;
}
}
}
wc_FreeRsaKey(&rsaKey);
}
/* Insert RSA public key from cert into SE050 */
if (ret == 0) {
ret = wc_se050_rsa_insert_public_key(KEYID_RSA_PUBLIC, derKey, derKeySz);
if (ret != 0) {
LOG_I("Error in se050_rsa_insert_public_key, ret = %d\n", ret);
} else {
LOG_I("Inserted RSA public key into SE050 key ID: 0x%08x\n",
KEYID_RSA_PUBLIC);
}
}
/* Insert ECC private key */
ret = wc_se050_ecc_insert_private_key(KEYID_ECC_PRIVATE, ecc_key_der_256,
sizeof_ecc_key_der_256);
if (ret != 0) {
LOG_I("Error in se050_ecc_insert_private_key, ret = %d\n", ret);
} else {
LOG_I("Inserted ECC private key into SE050 key ID: 0x%08x\n",
KEYID_ECC_PRIVATE);
}
/* Insert ECC certificate */
ret = wc_se050_insert_binary_object(KEYID_ECC_CERT, serv_ecc_der_256,
sizeof_serv_ecc_der_256);
if (ret != 0) {
LOG_I("Error in wc_se050_insert_binary_object, ret = %d\n", ret);
} else {
LOG_I("Inserted ECC certificate into SE050 key ID: 0x%08x\n",
KEYID_ECC_CERT);
}
/* Extract ECC public key from cert DER */
if (ret == 0) {
wc_InitDecodedCert(&cert, serv_ecc_der_256,
sizeof_serv_ecc_der_256, NULL);
ret = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
if (ret != 0) {
LOG_I("wc_ParseCert failed, ret = %d\n", ret);
}
else {
derKeySz = sizeof(derKey);
ret = wc_GetPubKeyDerFromCert(&cert, derKey, &derKeySz);
if (ret != 0) {
LOG_I("wc_GetPubKeyDerFromCert failed, ret = %d\n", ret);
}
}
wc_FreeDecodedCert(&cert);
}
/* Insert ECC public key from cert into SE050 */
if (ret == 0) {
ret = wc_se050_ecc_insert_public_key(KEYID_ECC_PUBLIC, derKey,
derKeySz);
if (ret != 0) {
LOG_I("Error in se050_ecc_insert_public_key, ret = %d\n", ret);
} else {
LOG_I("Inserted ECC public key into SE050 key ID: 0x%08x\n",
KEYID_ECC_PUBLIC);
}
}
return ret;
}
/**
* Test reading certificates back out of SE050.
*
* Read sample certificates stored into the following key IDs:
* - KEYID_RSA_CERT
* - KEYID_ECC_CERT
*
* Return 0 on success, negative on error.
*/
static int read_certs_from_se050(void)
{
int err = 0;
int ret = -1;
byte* tmp = NULL;
word32 tmpSz = 0;
/* get object size, to allocate memory */
ret = wc_se050_get_binary_object(KEYID_RSA_CERT, tmp, &tmpSz);
if (ret != LENGTH_ONLY_E) {
LOG_I("wc_se050_get_binary_object did not return length only "
"like expected\n");
err = 1;
}
if (err == 0) {
/* allocate memory to read RSA cert */
tmp = (byte*)XMALLOC(tmpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (tmp == NULL) {
LOG_I("Failed to allocate memory to read RSA cert\n");
err = 1;
}
}
if (err == 0) {
/* read RSA cert into tmp buffer */
XMEMSET(tmp, 0, tmpSz);
ret = wc_se050_get_binary_object(KEYID_RSA_CERT, tmp, &tmpSz);
if (ret != 0) {
LOG_I("wc_se050_get_binary_object failed, ret = %d\n", ret);
err = 1;
} else {
LOG_I("Read RSA certificate (%d bytes)\n", tmpSz);
}
}
if (err == 0) {
/* make sure RSA cert is same as one we originally wrote */
if ((tmpSz != sizeof_server_cert_der_2048) ||
(memcmp(tmp, server_cert_der_2048, tmpSz) != 0)) {
LOG_I("Error: RSA cert differs from original!\n");
err = 1;
} else {
LOG_I("RSA cert matches original loaded\n");
}
}
if (err == 0) {
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
tmp = NULL;
tmpSz = 0;
ret = wc_se050_get_binary_object(KEYID_ECC_CERT, tmp, &tmpSz);
if (ret != LENGTH_ONLY_E) {
LOG_I("wc_se050_get_binary_object did not return length only "
"like expected\n");
err = 1;
}
}
if (err == 0) {
/* allocate memory to read ECC cert */
tmp = (byte*)XMALLOC(tmpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (tmp == NULL) {
LOG_I("Failed to allocate memory to read ECC cert\n");
err = 1;
}
}
if (err == 0) {
/* read ECC cert into tmp buffer */
XMEMSET(tmp, 0, tmpSz);
ret = wc_se050_get_binary_object(KEYID_ECC_CERT, tmp, &tmpSz);
if (ret != 0) {
LOG_I("wc_se050_get_binary_object failed, ret = %d\n", ret);
err = 1;
} else {
LOG_I("Read ECC certificate (%d bytes)\n", tmpSz);
}
}
if (err == 0) {
/* make sure ECC cert is same as one we originally wrote */
if ((tmpSz != sizeof_serv_ecc_der_256) ||
(memcmp(tmp, serv_ecc_der_256, tmpSz) != 0)) {
LOG_I("Error: ECC cert differs from original!\n");
err = 1;
} else {
LOG_I("ECC cert matches original loaded\n");
}
}
if (tmp != NULL) {
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
}
if (err == 0) {
ret = 0;
}
return ret;
}
/**
* Erase sample certs/keys from SE050
*
* Returns 0 on success, negative on error.
*/
static int erase_certs_keys_from_se050(void)
{
int ret = 0;
ret = wc_se050_erase_object(KEYID_RSA_PRIVATE);
if (ret != 0) {
LOG_I("Failed to erase RSA private key, ret = %d\n", ret);
} else {
LOG_I("Erased RSA private key, key ID: 0x%08x\n", KEYID_RSA_PRIVATE);
}
ret = wc_se050_erase_object(KEYID_RSA_CERT);
if (ret != 0) {
LOG_I("Failed to erase RSA certificate, ret = %d\n", ret);
} else {
LOG_I("Erased RSA certificate, key ID: 0x%08x\n", KEYID_RSA_CERT);
}
ret = wc_se050_erase_object(KEYID_RSA_PUBLIC);
if (ret != 0) {
LOG_I("Failed to erase RSA public key, ret = %d\n", ret);
} else {
LOG_I("Erased RSA public key, key ID: 0x%08x\n", KEYID_RSA_PUBLIC);
}
ret = wc_se050_erase_object(KEYID_ECC_PRIVATE);
if (ret != 0) {
LOG_I("Failed to erase ECC private key, ret = %d\n", ret);
} else {
LOG_I("Erased ECC private key, key ID: 0x%08x\n", KEYID_ECC_PRIVATE);
}
ret = wc_se050_erase_object(KEYID_ECC_CERT);
if (ret != 0) {
LOG_I("Failed to erase ECC certificate, ret = %d\n", ret);
} else {
LOG_I("Erased ECC certificate, key ID: 0x%08x\n", KEYID_ECC_CERT);
}
ret = wc_se050_erase_object(KEYID_ECC_PUBLIC);
if (ret != 0) {
LOG_I("Failed to erase ECC public key, ret = %d\n", ret);
} else {
LOG_I("Erased ECC public key, key ID: 0x%08x\n", KEYID_ECC_PUBLIC);
}
return ret;
}
sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx)
{
int ret = 0;
sss_status_t status = kStatus_SSS_Success;
sss_session_t *pSession = (sss_session_t*)&pCtx->session;
sss_key_store_t *pKeyStore = (sss_key_store_t*)&pCtx->ks;
const char* sigR =
"ccfaa12a0aa1b9aa9f1fd107865c8ab5b21f36ce6ca8fe5b2c8154280009f74e";
const char* sigS =
"c09defd7a7c67a61ce1099dceaf840054351e199bf1a405675bf3ccb1939b024";
/* Test "hash" value, used to pre-generate the above R,S signature */
const byte hashData[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
LOG_I("Running wc_se050_set_config()");
ret = wc_se050_set_config(pSession, NULL, pKeyStore);
if (ret != 0) {
LOG_E("wc_se050_set_config failed");
return kStatus_SSS_Fail;
}
LOG_I("SE050 config successfully set in wolfSSL");
/* Initialize wolfSSL library */
wolfSSL_Init();
/* Write sample keys/certs to SE050 */
ret = write_certs_keys_to_se050();
if (ret != 0) {
LOG_E("Failed to write sample keys/certs to SE050\n");
}
/* Test verifying ECDSA {r,s} signature with KEYID_ECC_PUBLIC.
* NOTE: The R and S values here were pre-generated using wolfSSL
* and the private ECC key named "ecc_key_der_256" in the
* <wolfssl/certs_test.h> header. The certificate which wraps the
* public key for "ecc_key_der_256" is "serv_ecc_der_256". The public
* key from that certificate has been extracted and stored into key ID
* KEYID_ECC_PUBLIC. */
if (ret == 0) {
ret = se050_verify_ecc_sig_rs(sigR, sigS, (byte*)hashData,
sizeof(hashData), KEYID_ECC_PUBLIC);
}
/* Test reading back certs from SE050 */
if (ret == 0) {
ret = read_certs_from_se050();
}
/* Erase sample keys/certs from SE050 */
ret = erase_certs_keys_from_se050();
if (ret != 0) {
LOG_E("Failed to erase sample certs/keys from SE050\n");
}
/* Cleanup wolfSSL library resources */
wolfSSL_Cleanup();
LOG_I("Done with sample app");
return status;
}
#endif /* SIMW_DEMO_ENABLE__DEMO_WOLFCRYPT_KEY_CERT_INSERT */

34
SE050/wolfssl/wolfcrypt_test/CMakeLists.txt 100644
View File

@ -0,0 +1,34 @@
PROJECT(wolfcrypt_test)
FILE(
GLOB
files
*.c
)
ADD_EXECUTABLE(
${PROJECT_NAME}
${KSDK_STARTUP_FILE} ${files}
)
TARGET_COMPILE_DEFINITIONS(
${PROJECT_NAME}
PRIVATE SIMW_DEMO_ENABLE__DEMO_WOLFCRYPTTEST NO_MAIN_DRIVER BENCH_EMBEDDED USE_CERT_BUFFERS_2048 USE_CERT_BUFFERS_256
)
TARGET_INCLUDE_DIRECTORIES(
${PROJECT_NAME}
PRIVATE ${SIMW_TOP_DIR}/sss/ex/inc /home/pi/se_mw/wolfssl
)
TARGET_LINK_LIBRARIES(
${PROJECT_NAME}
SSS_APIs
ex_common
wolfssl
)
CREATE_BINARY(${PROJECT_NAME})
IF(SSS_HAVE_HOST_LINUX_LIKE)
INSTALL(TARGETS ${PROJECT_NAME} DESTINATION bin)
ENDIF()

219
SE050/wolfssl/wolfcrypt_test/README.md 100644
View File

@ -0,0 +1,219 @@
# wolfCrypt Test Demo Application
This demo application runs the wolfCrypt test app. It tests all
algorithms enabled in wolfCrypt. It has been tested using a Raspberry Pi
and SE050 EdgeLock development kit.
## Building the Demo
Before building this demo, follow initial setup instructions in the parent
[README.md](../../README.md).
**IMPORTANT:** This example requires the test.c and test.h files from a
wolfSSL source package be copied into this directory before compiling and
running the example. There are stub files included in this example directory
that should be overwritten:
```
$ cp wolfssl-X.X.X/wolfcrypt/test/test.c ./
$ cp wolfssl-X.X.X/wolfcrypt/test/test.h ./
```
Once this example directory has been copied into the SE05x middleware directory
tree in the correct location, compiling the middleware will also compile this
demo application:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c
$ cmake --build .
```
## Running the Demo
To run the demo:
```
$ cd /home/pi/se_mw/simw-top_build/raspbian_native_se050_t1oi2c/bin
$ ./wolfcrypt_test
```
On successful run, output similar to the following will print out:
```
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running ./wolfcrypt_test
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :INFO :running setconfig
App :INFO :Ran setconfig successfully
------------------------------------------------------------------------------
wolfSSL version 5.5.1
------------------------------------------------------------------------------
error test passed!
MEMORY test passed!
base64 test passed!
asn test passed!
RANDOM test passed!
MD5 test passed!
SHA test passed!
SHA-256 test passed!
SHA-384 test passed!
SHA-512 test passed!
Hash test passed!
HMAC-MD5 test passed!
HMAC-SHA test passed!
HMAC-SHA256 test passed!
HMAC-SHA384 test passed!
HMAC-SHA512 test passed!
HMAC-KDF test passed!
TLSv1.3 KDF test passed!
GMAC test passed!
Chacha test passed!
POLY1305 test passed!
ChaCha20-Poly1305 AEAD test passed!
AES test passed!
AES192 test passed!
AES256 test passed!
AES-GCM test passed!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id FFFF
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10000
RSA test passed!
DH test passed!
PWDBASED test passed!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10001
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10002
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10003
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10004
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10005
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10006
CHRIS: before ecc_sign_hash call, ret = 0
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10007
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10008
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10009
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000A
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000B
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000C
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000D
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000E
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1000F
CHRIS: before ecc_sign_hash call, ret = 0
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10010
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10011
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10012
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10013
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10014
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10015
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10016
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10017
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10018
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10019
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1001A
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1001B
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1001C
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1001D
CHRIS: before ecc_sign_hash call, ret = 0
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1001E
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1001F
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10020
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10021
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10022
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10023
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10024
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10025
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10026
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10027
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10028
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10029
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1002A
CHRIS: before ecc_sign_hash call, ret = 0
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1002B
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1002C
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1002D
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1002E
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 1002F
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10030
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10031
ECC test passed!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :Could not delete Key id 10032
ECC buffer test passed!
logging test passed!
time test passed!
mutex test passed!
memcb test passed!
Test complete
App :INFO :Ran wolfCrypt test
App :INFO :ex_sss Finished
```
## Demo Notes
The `test.c` and `test.h` file in this directory have been copied
directly from the wolfSSL download directory, at:
```
wolfssl-X.X.X/wolfcrypt/test/test.c
wolfssl-X.X.X/wolfcrypt/test/test.h
```
It is expected to see warning messages in the console log about failures to
delete key ids. wolfCrypt internally tries to delete temporary/test keys,
and if those keys have not been stored in the SE050 the debug logs will show
these messages.

23
SE050/wolfssl/wolfcrypt_test/test.c 100644
View File

@ -0,0 +1,23 @@
/* test.c
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#error "Overwrite this file with wolfcrypt/test/test.c from wolfSSL"

23
SE050/wolfssl/wolfcrypt_test/test.h 100644
View File

@ -0,0 +1,23 @@
/* test.h
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#error "Overwrite this file with wolfcrypt/test/test.h from wolfSSL"

73
SE050/wolfssl/wolfcrypt_test/wolfcrypt_test.c 100644
View File

@ -0,0 +1,73 @@
/* wolfcrypt_test.c
*
* Copyright (C) 2006-2022 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifdef __cplusplus
extern "C" {
#endif
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#include <wolfssl/ssl.h>
#include "test.h"
#include <ex_sss_boot.h>
#include <fsl_sss_se05x_apis.h>
#include <nxLog_App.h>
#ifdef __cplusplus
}
#endif
#if defined(SIMW_DEMO_ENABLE__DEMO_WOLFCRYPTTEST)
static ex_sss_boot_ctx_t gex_sss_boot_ctx;
#define EX_SSS_BOOT_PCONTEXT (&gex_sss_boot_ctx)
#define EX_SSS_BOOT_DO_ERASE 1
#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0
#include <ex_sss_main_inc.h>
sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx)
{
int ret = 0;
sss_status_t status = kStatus_SSS_Success;
sss_session_t *pSession = (sss_session_t*)&pCtx->session;
sss_key_store_t *pKeyStore = (sss_key_store_t*)&pCtx->ks;
LOG_I("running setconfig");
ret = wc_se050_set_config(pSession, NULL, pKeyStore);
if (ret != 0) {
LOG_E("wc_se050_set_config failed");
return kStatus_SSS_Fail;
}
LOG_I("Ran setconfig successfully");
wolfSSL_Init();
wolfcrypt_test(NULL);
wolfSSL_Cleanup();
LOG_I("Ran wolfCrypt test");
return status;
}
#endif /* SIMW_DEMO_ENABLE__DEMO_WOLFCRYPTTEST */