Digital Signature HW: adding S2 support
This commit is contained in:
parent
c9f29e0b59
commit
0b02e5358e
9 changed files with 1128 additions and 2 deletions
|
@ -25,7 +25,8 @@ else()
|
||||||
"spiram_psram.c"
|
"spiram_psram.c"
|
||||||
"system_api_esp32s2.c"
|
"system_api_esp32s2.c"
|
||||||
"esp_crypto_lock.c"
|
"esp_crypto_lock.c"
|
||||||
"esp_hmac.c")
|
"esp_hmac.c"
|
||||||
|
"esp_ds.c")
|
||||||
|
|
||||||
set(include_dirs "include")
|
set(include_dirs "include")
|
||||||
|
|
||||||
|
|
196
components/esp32s2/esp_ds.c
Normal file
196
components/esp32s2/esp_ds.c
Normal file
|
@ -0,0 +1,196 @@
|
||||||
|
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <assert.h>
|
||||||
|
|
||||||
|
#include "esp32s2/rom/aes.h"
|
||||||
|
#include "esp32s2/rom/sha.h"
|
||||||
|
#include "esp32s2/rom/hmac.h"
|
||||||
|
#include "esp32s2/rom/digital_signature.h"
|
||||||
|
|
||||||
|
#include "freertos/FreeRTOS.h"
|
||||||
|
#include "freertos/task.h"
|
||||||
|
#include "soc/soc_memory_layout.h"
|
||||||
|
#include "esp_crypto_lock.h"
|
||||||
|
#include "esp_hmac.h"
|
||||||
|
|
||||||
|
#include "esp_ds.h"
|
||||||
|
|
||||||
|
struct esp_ds_context {
|
||||||
|
const ets_ds_data_t *data;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The vtask delay \c esp_ds_sign() is using while waiting for completion of the signing operation.
|
||||||
|
*/
|
||||||
|
#define ESP_DS_SIGN_TASK_DELAY_MS 10
|
||||||
|
|
||||||
|
#define RSA_LEN_MAX 127
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check that the size of esp_ds_data_t and ets_ds_data_t is the same because both structs are converted using
|
||||||
|
* raw casts.
|
||||||
|
*/
|
||||||
|
_Static_assert(sizeof(esp_ds_data_t) == sizeof(ets_ds_data_t),
|
||||||
|
"The size and structure of esp_ds_data_t and ets_ds_data_t must match exactly, they're used in raw casts");
|
||||||
|
|
||||||
|
/*
|
||||||
|
* esp_digital_signature_length_t is used in esp_ds_data_t in contrast to ets_ds_data_t, where unsigned is used.
|
||||||
|
* Check esp_digital_signature_length_t's width here because it's converted to unsigned using raw casts.
|
||||||
|
*/
|
||||||
|
_Static_assert(sizeof(esp_digital_signature_length_t) == sizeof(unsigned),
|
||||||
|
"The size of esp_digital_signature_length_t and unsigned has to be the same");
|
||||||
|
|
||||||
|
static void ds_acquire_enable(void) {
|
||||||
|
esp_crypto_lock_acquire();
|
||||||
|
ets_hmac_enable();
|
||||||
|
ets_ds_enable();
|
||||||
|
}
|
||||||
|
|
||||||
|
static void ds_disable_release(void) {
|
||||||
|
ets_ds_disable();
|
||||||
|
ets_hmac_disable();
|
||||||
|
esp_crypto_lock_release();
|
||||||
|
}
|
||||||
|
|
||||||
|
esp_err_t esp_ds_sign(const void *message,
|
||||||
|
const esp_ds_data_t *data,
|
||||||
|
hmac_key_id_t key_id,
|
||||||
|
void *signature)
|
||||||
|
{
|
||||||
|
// Need to check signature here, otherwise the signature is only checked when the signing has finished and fails
|
||||||
|
// but the signing isn't uninitialized and the mutex is still locked.
|
||||||
|
if (!signature) return ESP_ERR_INVALID_ARG;
|
||||||
|
|
||||||
|
esp_ds_context_t *context;
|
||||||
|
esp_err_t result = esp_ds_start_sign(message, data, key_id, &context);
|
||||||
|
if (result != ESP_OK) return result;
|
||||||
|
|
||||||
|
while (esp_ds_is_busy())
|
||||||
|
vTaskDelay(ESP_DS_SIGN_TASK_DELAY_MS / portTICK_PERIOD_MS);
|
||||||
|
|
||||||
|
return esp_ds_finish_sign(signature, context);
|
||||||
|
}
|
||||||
|
|
||||||
|
esp_err_t esp_ds_start_sign(const void *message,
|
||||||
|
const esp_ds_data_t *data,
|
||||||
|
hmac_key_id_t key_id,
|
||||||
|
esp_ds_context_t **esp_ds_ctx)
|
||||||
|
{
|
||||||
|
if (!message || !data || !esp_ds_ctx) return ESP_ERR_INVALID_ARG;
|
||||||
|
if (key_id >= HMAC_KEY_MAX) return ESP_ERR_INVALID_ARG;
|
||||||
|
if (!(data->rsa_length == ESP_DS_RSA_1024
|
||||||
|
|| data->rsa_length == ESP_DS_RSA_2048
|
||||||
|
|| data->rsa_length == ESP_DS_RSA_3072
|
||||||
|
|| data->rsa_length == ESP_DS_RSA_4096)) {
|
||||||
|
return ESP_ERR_INVALID_ARG;
|
||||||
|
}
|
||||||
|
|
||||||
|
ds_acquire_enable();
|
||||||
|
|
||||||
|
// initiate hmac
|
||||||
|
int r = ets_hmac_calculate_downstream(ETS_EFUSE_BLOCK_KEY0 + (ets_efuse_block_t) key_id,
|
||||||
|
ETS_EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE);
|
||||||
|
if (r != ETS_OK) {
|
||||||
|
ds_disable_release();
|
||||||
|
return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
|
||||||
|
}
|
||||||
|
|
||||||
|
esp_ds_context_t *context = malloc(sizeof(esp_ds_context_t));
|
||||||
|
if (!context) {
|
||||||
|
ds_disable_release();
|
||||||
|
return ESP_ERR_NO_MEM;
|
||||||
|
}
|
||||||
|
|
||||||
|
ets_ds_data_t *ds_data = (ets_ds_data_t*) data;
|
||||||
|
|
||||||
|
// initiate signing
|
||||||
|
ets_ds_result_t result = ets_ds_start_sign(message, ds_data);
|
||||||
|
|
||||||
|
// ETS_DS_INVALID_PARAM only happens if a parameter is NULL or data->rsa_length is wrong
|
||||||
|
// We checked all of that already
|
||||||
|
assert(result != ETS_DS_INVALID_PARAM);
|
||||||
|
|
||||||
|
if (result == ETS_DS_INVALID_KEY) {
|
||||||
|
ds_disable_release();
|
||||||
|
return ESP_ERR_HW_CRYPTO_DS_INVALID_KEY;
|
||||||
|
}
|
||||||
|
|
||||||
|
context->data = ds_data;
|
||||||
|
*esp_ds_ctx = context;
|
||||||
|
|
||||||
|
return ESP_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool esp_ds_is_busy(void)
|
||||||
|
{
|
||||||
|
return ets_ds_is_busy();
|
||||||
|
}
|
||||||
|
|
||||||
|
esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx)
|
||||||
|
{
|
||||||
|
if (!signature || !esp_ds_ctx) return ESP_ERR_INVALID_ARG;
|
||||||
|
|
||||||
|
const ets_ds_data_t *ds_data = esp_ds_ctx->data;
|
||||||
|
|
||||||
|
ets_ds_result_t result = ets_ds_finish_sign(signature, ds_data);
|
||||||
|
|
||||||
|
esp_err_t return_value = ESP_OK;
|
||||||
|
|
||||||
|
// we checked all the parameters
|
||||||
|
assert(result != ETS_DS_INVALID_PARAM);
|
||||||
|
|
||||||
|
if (result == ETS_DS_INVALID_DIGEST) return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST;
|
||||||
|
if (result == ETS_DS_INVALID_PADDING) return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING;
|
||||||
|
|
||||||
|
free(esp_ds_ctx);
|
||||||
|
|
||||||
|
// should not fail if called with correct purpose
|
||||||
|
assert(ets_hmac_invalidate_downstream(ETS_EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE) == ETS_OK);
|
||||||
|
|
||||||
|
ds_disable_release();
|
||||||
|
|
||||||
|
return return_value;
|
||||||
|
}
|
||||||
|
|
||||||
|
esp_err_t esp_ds_encrypt_params(esp_ds_data_t *data,
|
||||||
|
const void *iv,
|
||||||
|
const esp_ds_p_data_t *p_data,
|
||||||
|
const void *key)
|
||||||
|
{
|
||||||
|
// p_data has to be valid, in internal memory and word aligned
|
||||||
|
if (!p_data) return ESP_ERR_INVALID_ARG;
|
||||||
|
assert(esp_ptr_internal(p_data) && esp_ptr_word_aligned(p_data));
|
||||||
|
|
||||||
|
esp_err_t result = ESP_OK;
|
||||||
|
|
||||||
|
esp_crypto_lock_acquire();
|
||||||
|
ets_aes_enable();
|
||||||
|
ets_sha_enable();
|
||||||
|
|
||||||
|
ets_ds_data_t *ds_data = (ets_ds_data_t*) data;
|
||||||
|
const ets_ds_p_data_t *ds_plain_data = (const ets_ds_p_data_t*) p_data;
|
||||||
|
|
||||||
|
ets_ds_result_t ets_result = ets_ds_encrypt_params(ds_data, iv, ds_plain_data, key, ETS_DS_KEY_HMAC);
|
||||||
|
|
||||||
|
if (ets_result == ETS_DS_INVALID_PARAM) result = ESP_ERR_INVALID_ARG;
|
||||||
|
|
||||||
|
ets_sha_disable();
|
||||||
|
ets_aes_disable();
|
||||||
|
esp_crypto_lock_release();
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
196
components/esp32s2/include/esp_ds.h
Normal file
196
components/esp32s2/include/esp_ds.h
Normal file
|
@ -0,0 +1,196 @@
|
||||||
|
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
#include "esp_hmac.h"
|
||||||
|
#include "esp_err.h"
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define ESP_ERR_HW_CRYPTO_DS_BASE 0xc000 /*!< Starting number of HW cryptography module error codes */
|
||||||
|
#define ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL ESP_ERR_HW_CRYPTO_DS_BASE + 0x1 /*!< HMAC peripheral problem */
|
||||||
|
#define ESP_ERR_HW_CRYPTO_DS_INVALID_KEY ESP_ERR_HW_CRYPTO_DS_BASE + 0x2 /*!< given HMAC key isn't correct,
|
||||||
|
HMAC peripheral problem */
|
||||||
|
#define ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST ESP_ERR_HW_CRYPTO_DS_BASE + 0x4 /*!< message digest check failed,
|
||||||
|
result is invalid */
|
||||||
|
#define ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING ESP_ERR_HW_CRYPTO_DS_BASE + 0x5 /*!< padding check failed, but result
|
||||||
|
is produced anyway and can be read*/
|
||||||
|
|
||||||
|
#define ESP_DS_IV_LEN 16
|
||||||
|
|
||||||
|
/* Length of parameter 'C' stored in flash */
|
||||||
|
#define ESP_DS_C_LEN (12672 / 8)
|
||||||
|
|
||||||
|
typedef struct esp_ds_context esp_ds_context_t;
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
ESP_DS_RSA_1024 = (1024 / 32) - 1,
|
||||||
|
ESP_DS_RSA_2048 = (2048 / 32) - 1,
|
||||||
|
ESP_DS_RSA_3072 = (3072 / 32) - 1,
|
||||||
|
ESP_DS_RSA_4096 = (4096 / 32) - 1
|
||||||
|
} esp_digital_signature_length_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Encrypted private key data. Recommended to store in flash in this format.
|
||||||
|
*
|
||||||
|
* @note This struct has to match to one from the ROM code! This documentation is mostly taken from there.
|
||||||
|
*/
|
||||||
|
typedef struct esp_digital_signature_data {
|
||||||
|
/* RSA LENGTH register parameters
|
||||||
|
* (number of words in RSA key & operands, minus one).
|
||||||
|
*
|
||||||
|
* Max value 127 (for RSA 4096).
|
||||||
|
*
|
||||||
|
* This value must match the length field encrypted and stored in 'c',
|
||||||
|
* or invalid results will be returned. (The DS peripheral will
|
||||||
|
* always use the value in 'c', not this value, so an attacker can't
|
||||||
|
* alter the DS peripheral results this way, it will just truncate or
|
||||||
|
* extend the message and the resulting signature in software.)
|
||||||
|
*
|
||||||
|
* @note In IDF, the enum type length is the same as of type unsigned, so they can be used interchangably.
|
||||||
|
* See the ROM code for the original declaration of struct \c ets_ds_data_t.
|
||||||
|
*/
|
||||||
|
esp_digital_signature_length_t rsa_length;
|
||||||
|
|
||||||
|
/* IV value used to encrypt 'c' */
|
||||||
|
uint8_t iv[ESP_DS_IV_LEN];
|
||||||
|
|
||||||
|
/* Encrypted Digital Signature parameters. Result of AES-CBC encryption
|
||||||
|
of plaintext values. Includes an encrypted message digest.
|
||||||
|
*/
|
||||||
|
uint8_t c[ESP_DS_C_LEN];
|
||||||
|
} esp_ds_data_t;
|
||||||
|
|
||||||
|
/* Plaintext parameters used by Digital Signature.
|
||||||
|
*
|
||||||
|
* Not used for signing with DS peripheral, but can be encrypted
|
||||||
|
* in-device by calling esp_ds_encrypt_params()
|
||||||
|
*
|
||||||
|
* @note This documentation is mostly taken from the ROM code.
|
||||||
|
*/
|
||||||
|
typedef struct {
|
||||||
|
uint32_t Y[4096/32];
|
||||||
|
uint32_t M[4096/32];
|
||||||
|
uint32_t Rb[4096/32];
|
||||||
|
uint32_t M_prime;
|
||||||
|
esp_digital_signature_length_t length;
|
||||||
|
} esp_ds_p_data_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sign the message.
|
||||||
|
*
|
||||||
|
* This function is a wrapper around \c esp_ds_finish_sign() and \c esp_ds_start_sign(), so do not use them
|
||||||
|
* in parallel.
|
||||||
|
* It blocks until the signing is finished and then returns the signature.
|
||||||
|
*
|
||||||
|
* @note This function locks the HMAC, SHA and AES components during its entire execution time.
|
||||||
|
*
|
||||||
|
* @param message the message to be signed; its length is determined by data->rsa_length
|
||||||
|
* @param data the encrypted signing key data (AES encrypted RSA key + IV)
|
||||||
|
* @param key_id the HMAC key ID determining the HMAC key of the HMAC which will be used to decrypt the
|
||||||
|
* signing key data
|
||||||
|
* @param signature the destination of the signature, should be (data->rsa_length + 1)*4 bytes long
|
||||||
|
*
|
||||||
|
* @return
|
||||||
|
* - ESP_OK if successful, the signature was written to the parameter \c signature.
|
||||||
|
* - ESP_ERR_INVALID_ARG if one of the parameters is NULL or data->rsa_length is too long or 0
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL if there was an HMAC failure during retrieval of the decryption key
|
||||||
|
* - ESP_ERR_NO_MEM if there hasn't been enough memory to allocate the context object
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_INVALID_KEY if there's a problem with passing the HMAC key to the DS component
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST if the message digest didn't match; the signature is invalid.
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING if the message padding is incorrect, the signature can be read though
|
||||||
|
* since the message digest matches.
|
||||||
|
*/
|
||||||
|
esp_err_t esp_ds_sign(const void *message,
|
||||||
|
const esp_ds_data_t *data,
|
||||||
|
hmac_key_id_t key_id,
|
||||||
|
void *signature);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Start the signing process.
|
||||||
|
*
|
||||||
|
* This function yields a context object which needs to be passed to \c esp_ds_finish_sign() to finish the signing
|
||||||
|
* process.
|
||||||
|
*
|
||||||
|
* @note This function locks the HMAC, SHA and AES components, so the user has to ensure to call
|
||||||
|
* \c esp_ds_finish_sign() in a timely manner.
|
||||||
|
*
|
||||||
|
* @param message the message to be signed; its length is determined by data->rsa_length
|
||||||
|
* @param data the encrypted signing key data (AES encrypted RSA key + IV)
|
||||||
|
* @param key_id the HMAC key ID determining the HMAC key of the HMAC which will be used to decrypt the
|
||||||
|
* signing key data
|
||||||
|
* @param esp_ds_ctx the context object which is needed for finishing the signing process later
|
||||||
|
*
|
||||||
|
* @return
|
||||||
|
* - ESP_OK if successful, the ds operation was started now and has to be finished with \c esp_ds_finish_sign()
|
||||||
|
* - ESP_ERR_INVALID_ARG if one of the parameters is NULL or data->rsa_length is too long or 0
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL if there was an HMAC failure during retrieval of the decryption key
|
||||||
|
* - ESP_ERR_NO_MEM if there hasn't been enough memory to allocate the context object
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_INVALID_KEY if there's a problem with passing the HMAC key to the DS component
|
||||||
|
*/
|
||||||
|
esp_err_t esp_ds_start_sign(const void *message,
|
||||||
|
const esp_ds_data_t *data,
|
||||||
|
hmac_key_id_t key_id,
|
||||||
|
esp_ds_context_t **esp_ds_ctx);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return true if the DS peripheral is busy, otherwise false.
|
||||||
|
*
|
||||||
|
* @note Only valid if \c esp_ds_start_sign() was called before.
|
||||||
|
*/
|
||||||
|
bool esp_ds_is_busy(void);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Finish the signing process.
|
||||||
|
*
|
||||||
|
* @param signature the destination of the signature, should be (data->rsa_length + 1)*4 bytes long
|
||||||
|
* @param esp_ds_ctx the context object retreived by \c esp_ds_start_sign()
|
||||||
|
*
|
||||||
|
* @return
|
||||||
|
* - ESP_OK if successful, the ds operation has been finished and the result is written to signature.
|
||||||
|
* - ESP_ERR_INVALID_ARG if one of the parameters is NULL
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST if the message digest didn't match; the signature is invalid.
|
||||||
|
* - ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING if the message padding is incorrect, the signature can be read though
|
||||||
|
* since the message digest matches.
|
||||||
|
*/
|
||||||
|
esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Encrypt the private key parameters.
|
||||||
|
*
|
||||||
|
* @param data Output buffer to store encrypted data, suitable for later use generating signatures.
|
||||||
|
* The allocated memory must be in internal memory and word aligned since it's filled by DMA. Both is asserted
|
||||||
|
* at run time.
|
||||||
|
* @param iv Pointer to 16 byte IV buffer, will be copied into 'data'. Should be randomly generated bytes each time.
|
||||||
|
* @param p_data Pointer to input plaintext key data. The expectation is this data will be deleted after this process
|
||||||
|
* is done and 'data' is stored.
|
||||||
|
* @param key Pointer to 32 bytes of key data. Type determined by key_type parameter. The expectation is the
|
||||||
|
* corresponding HMAC key will be stored to efuse and then permanently erased.
|
||||||
|
*
|
||||||
|
* @return
|
||||||
|
* - ESP_OK if successful, the ds operation has been finished and the result is written to signature.
|
||||||
|
* - ESP_ERR_INVALID_ARG if one of the parameters is NULL or p_data->rsa_length is too long
|
||||||
|
*/
|
||||||
|
esp_err_t esp_ds_encrypt_params(esp_ds_data_t *data,
|
||||||
|
const void *iv,
|
||||||
|
const esp_ds_p_data_t *p_data,
|
||||||
|
const void *key);
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
166
components/esp32s2/test/digital_signature_test_cases.h
Normal file
166
components/esp32s2/test/digital_signature_test_cases.h
Normal file
File diff suppressed because one or more lines are too long
150
components/esp32s2/test/gen_digital_signature_tests.py
Normal file
150
components/esp32s2/test/gen_digital_signature_tests.py
Normal file
|
@ -0,0 +1,150 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
import hashlib
|
||||||
|
import hmac
|
||||||
|
import struct
|
||||||
|
import os
|
||||||
|
import random
|
||||||
|
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
||||||
|
|
||||||
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
from cryptography.utils import int_to_bytes
|
||||||
|
|
||||||
|
|
||||||
|
def number_as_bignum_words(number):
|
||||||
|
"""
|
||||||
|
Given a number, format result as a C array of words
|
||||||
|
(little-endian, same as ESP32 RSA peripheral or mbedTLS)
|
||||||
|
"""
|
||||||
|
result = []
|
||||||
|
while number != 0:
|
||||||
|
result.append("0x%08x" % (number & 0xFFFFFFFF))
|
||||||
|
number >>= 32
|
||||||
|
return "{ " + ", ".join(result) + " }"
|
||||||
|
|
||||||
|
|
||||||
|
def number_as_bytes(number, pad_bits=None):
|
||||||
|
"""
|
||||||
|
Given a number, format as a little endian array of bytes
|
||||||
|
"""
|
||||||
|
result = int_to_bytes(number)[::-1]
|
||||||
|
while pad_bits is not None and len(result) < (pad_bits // 8):
|
||||||
|
result += b'\x00'
|
||||||
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
def bytes_as_char_array(b):
|
||||||
|
"""
|
||||||
|
Given a sequence of bytes, format as a char array
|
||||||
|
"""
|
||||||
|
return "{ " + ", ".join("0x%02x" % x for x in b) + " }"
|
||||||
|
|
||||||
|
|
||||||
|
NUM_HMAC_KEYS = 3
|
||||||
|
NUM_MESSAGES = 10
|
||||||
|
NUM_CASES = 6
|
||||||
|
|
||||||
|
|
||||||
|
hmac_keys = [os.urandom(32) for x in range(NUM_HMAC_KEYS)]
|
||||||
|
|
||||||
|
messages = [random.randrange(0, 1 << 4096) for x in range(NUM_MESSAGES)]
|
||||||
|
|
||||||
|
with open("digital_signature_test_cases.h", "w") as f:
|
||||||
|
f.write("/* File generated by gen_digital_signature_tests.py */\n\n")
|
||||||
|
|
||||||
|
# Write out HMAC keys
|
||||||
|
f.write("#define NUM_HMAC_KEYS %d\n\n" % NUM_HMAC_KEYS)
|
||||||
|
f.write("static const uint8_t test_hmac_keys[NUM_HMAC_KEYS][32] = {\n")
|
||||||
|
for h in hmac_keys:
|
||||||
|
f.write(" %s,\n" % bytes_as_char_array(h))
|
||||||
|
f.write("};\n\n")
|
||||||
|
|
||||||
|
# Write out messages
|
||||||
|
f.write("#define NUM_MESSAGES %d\n\n" % NUM_MESSAGES)
|
||||||
|
f.write("static const uint32_t test_messages[NUM_MESSAGES][4096/32] = {\n")
|
||||||
|
for m in messages:
|
||||||
|
f.write(" // Message %d\n" % messages.index(m))
|
||||||
|
f.write(" %s,\n" % number_as_bignum_words(m))
|
||||||
|
f.write(" };\n")
|
||||||
|
f.write("\n\n\n")
|
||||||
|
|
||||||
|
f.write("#define NUM_CASES %d\n\n" % NUM_CASES)
|
||||||
|
f.write("static const encrypt_testcase_t test_cases[NUM_CASES] = {\n")
|
||||||
|
|
||||||
|
for case in range(NUM_CASES):
|
||||||
|
f.write(" { /* Case %d */\n" % case)
|
||||||
|
|
||||||
|
iv = os.urandom(16)
|
||||||
|
f.write(" .iv = %s,\n" % (bytes_as_char_array(iv)))
|
||||||
|
|
||||||
|
hmac_key_idx = random.randrange(0, NUM_HMAC_KEYS)
|
||||||
|
aes_key = hmac.HMAC(hmac_keys[hmac_key_idx], b"\xFF" * 32, hashlib.sha256).digest()
|
||||||
|
|
||||||
|
sizes = [4096, 3072, 2048, 1024, 512]
|
||||||
|
key_size = sizes[case % len(sizes)]
|
||||||
|
|
||||||
|
private_key = rsa.generate_private_key(
|
||||||
|
public_exponent=65537,
|
||||||
|
key_size=key_size,
|
||||||
|
backend=default_backend())
|
||||||
|
|
||||||
|
priv_numbers = private_key.private_numbers()
|
||||||
|
pub_numbers = private_key.public_key().public_numbers()
|
||||||
|
Y = priv_numbers.d
|
||||||
|
M = pub_numbers.n
|
||||||
|
|
||||||
|
rr = 1 << (key_size * 2)
|
||||||
|
rinv = rr % pub_numbers.n
|
||||||
|
mprime = - rsa._modinv(M, 1 << 32)
|
||||||
|
mprime &= 0xFFFFFFFF
|
||||||
|
length = key_size // 32 - 1
|
||||||
|
|
||||||
|
f.write(" .p_data = {\n")
|
||||||
|
f.write(" .Y = %s,\n" % number_as_bignum_words(Y))
|
||||||
|
f.write(" .M = %s,\n" % number_as_bignum_words(M))
|
||||||
|
f.write(" .Rb = %s,\n" % number_as_bignum_words(rinv))
|
||||||
|
f.write(" .M_prime = 0x%08x,\n" % mprime)
|
||||||
|
f.write(" .length = %d, // %d bit\n" % (length, key_size))
|
||||||
|
f.write(" },\n")
|
||||||
|
|
||||||
|
# calculate MD from preceding values and IV
|
||||||
|
|
||||||
|
# Y4096 || M4096 || Rb4096 || M_prime32 || LENGTH32 || IV128
|
||||||
|
md_in = number_as_bytes(Y, 4096) + \
|
||||||
|
number_as_bytes(M, 4096) + \
|
||||||
|
number_as_bytes(rinv, 4096) + \
|
||||||
|
struct.pack("<II", mprime, length) + \
|
||||||
|
iv
|
||||||
|
assert len(md_in) == 12480 / 8
|
||||||
|
md = hashlib.sha256(md_in).digest()
|
||||||
|
|
||||||
|
# generate expected C value from P bitstring
|
||||||
|
#
|
||||||
|
# Y4096 || M4096 || Rb4096 || M_prime32 || LENGTH32 || MD256 || 0x08*8
|
||||||
|
p = number_as_bytes(Y, 4096) + \
|
||||||
|
number_as_bytes(M, 4096) + \
|
||||||
|
number_as_bytes(rinv, 4096) + \
|
||||||
|
md + \
|
||||||
|
struct.pack("<II", mprime, length) + \
|
||||||
|
b'\x08' * 8
|
||||||
|
|
||||||
|
assert len(p) == 12672 / 8
|
||||||
|
|
||||||
|
cipher = Cipher(algorithms.AES(aes_key), modes.CBC(iv), backend=default_backend())
|
||||||
|
encryptor = cipher.encryptor()
|
||||||
|
c = encryptor.update(p) + encryptor.finalize()
|
||||||
|
|
||||||
|
f.write(" .expected_c = %s,\n" % bytes_as_char_array(c))
|
||||||
|
f.write(" .hmac_key_idx = %d,\n" % (hmac_key_idx))
|
||||||
|
|
||||||
|
f.write(" // results of message array encrypted with these keys\n")
|
||||||
|
f.write(" .expected_results = {\n")
|
||||||
|
mask = (1 << key_size) - 1 # truncate messages if needed
|
||||||
|
for m in messages:
|
||||||
|
f.write(" // Message %d\n" % messages.index(m))
|
||||||
|
f.write(" %s," % (number_as_bignum_words(pow(m & mask, Y, M))))
|
||||||
|
f.write(" },\n")
|
||||||
|
f.write(" },\n")
|
||||||
|
|
||||||
|
f.write("};\n")
|
383
components/esp32s2/test/test_ds.c
Normal file
383
components/esp32s2/test/test_ds.c
Normal file
|
@ -0,0 +1,383 @@
|
||||||
|
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
#include "unity.h"
|
||||||
|
#include "esp32s2/rom/efuse.h"
|
||||||
|
#include "esp32s2/rom/digital_signature.h"
|
||||||
|
#include "esp32s2/rom/aes.h"
|
||||||
|
#include "esp32s2/rom/sha.h"
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#include "esp_ds.h"
|
||||||
|
|
||||||
|
#if CONFIG_IDF_TARGET_ESP32S2
|
||||||
|
|
||||||
|
#define NUM_RESULTS 10
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
uint8_t iv[ETS_DS_IV_LEN];
|
||||||
|
ets_ds_p_data_t p_data;
|
||||||
|
uint8_t expected_c[ETS_DS_C_LEN];
|
||||||
|
uint8_t hmac_key_idx;
|
||||||
|
uint32_t expected_results[NUM_RESULTS][4096/32];
|
||||||
|
} encrypt_testcase_t;
|
||||||
|
|
||||||
|
// Generated header (gen_digital_signature_tests.py) defines
|
||||||
|
// NUM_HMAC_KEYS, test_hmac_keys, NUM_MESSAGES, NUM_CASES, test_messages[], test_cases[]
|
||||||
|
// Some adaptations were made: removed the 512 bit case and changed RSA lengths to the enums from esp_ds.h
|
||||||
|
#include "digital_signature_test_cases.h"
|
||||||
|
|
||||||
|
_Static_assert(NUM_RESULTS == NUM_MESSAGES, "expected_results size should be the same as NUM_MESSAGES in generated header");
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Parameter Encryption data NULL", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
const char iv [32];
|
||||||
|
esp_ds_p_data_t p_data;
|
||||||
|
const char key [32];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_encrypt_params(NULL, iv, &p_data, key));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Parameter Encryption iv NULL", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t data;
|
||||||
|
esp_ds_p_data_t p_data;
|
||||||
|
const char key [32];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_encrypt_params(&data, NULL, &p_data, key));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Parameter Encryption p_data NULL", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t data;
|
||||||
|
const char iv [32];
|
||||||
|
const char key [32];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_encrypt_params(&data, iv, NULL, key));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Parameter Encryption key NULL", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t data;
|
||||||
|
const char iv [32];
|
||||||
|
esp_ds_p_data_t p_data;
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_encrypt_params(&data, iv, &p_data, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Parameter Encryption", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
for (int i = 0; i < NUM_CASES; i++) {
|
||||||
|
printf("Encrypting test case %d...\n", i);
|
||||||
|
const encrypt_testcase_t *t = &test_cases[i];
|
||||||
|
esp_ds_data_t result = { };
|
||||||
|
esp_ds_p_data_t p_data;
|
||||||
|
|
||||||
|
memcpy(p_data.Y, t->p_data.Y, 4096/8);
|
||||||
|
memcpy(p_data.M, t->p_data.M, 4096/8);
|
||||||
|
memcpy(p_data.Rb, t->p_data.Rb, 4096/8);
|
||||||
|
p_data.M_prime = t->p_data.M_prime;
|
||||||
|
p_data.length = t->p_data.length;
|
||||||
|
|
||||||
|
esp_err_t r = esp_ds_encrypt_params(&result, t->iv, &p_data,
|
||||||
|
test_hmac_keys[t->hmac_key_idx]);
|
||||||
|
printf("Encrypting test case %d done\n", i);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, r);
|
||||||
|
TEST_ASSERT_EQUAL(t->p_data.length, result.rsa_length);
|
||||||
|
TEST_ASSERT_EQUAL_HEX8_ARRAY(t->iv, result.iv, ETS_DS_IV_LEN);
|
||||||
|
TEST_ASSERT_EQUAL_HEX8_ARRAY(t->expected_c, result.c, ETS_DS_C_LEN);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature start Invalid message", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = { };
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
esp_ds_context_t *ctx;
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(NULL, &ds_data, HMAC_KEY1, &ctx));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature start Invalid data", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
const char *message = "test";
|
||||||
|
esp_ds_context_t *ctx;
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, NULL, HMAC_KEY1, &ctx));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature start Invalid context", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
const char *message = "test";
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY1, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature RSA length 0", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = 0;
|
||||||
|
const char *message = "test";
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY1, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature RSA length too long", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = 128;
|
||||||
|
const char *message = "test";
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY1, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature start HMAC key out of range", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
esp_ds_context_t *ctx;
|
||||||
|
const char *message = "test";
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY5 + 1, &ctx));
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY0 - 1, &ctx));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature finish Invalid signature ptr", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_context_t *ctx = NULL;
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_finish_sign(NULL, ctx));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature finish Invalid context", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_finish_sign(signature_data, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking Invalid message", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = { };
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(NULL, &ds_data, HMAC_KEY1, signature_data));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking Invalid data", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
const char *message = "test";
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, NULL, HMAC_KEY1, signature_data));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking Invalid signature ptr", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
const char *message = "test";
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY1, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking RSA length 0", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = 0;
|
||||||
|
const char *message = "test";
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY1, signature_data));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking RSA length too long", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = 128;
|
||||||
|
const char *message = "test";
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY1, signature_data));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking HMAC key out of range", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = 127;
|
||||||
|
const char *message = "test";
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY5 + 1, signature_data));
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY0 - 1, signature_data));
|
||||||
|
}
|
||||||
|
|
||||||
|
#if CONFIG_IDF_ENV_FPGA
|
||||||
|
|
||||||
|
static void burn_hmac_keys(void)
|
||||||
|
{
|
||||||
|
printf("Burning %d HMAC keys to efuse...\n", NUM_HMAC_KEYS);
|
||||||
|
for (int i = 0; i < NUM_HMAC_KEYS; i++) {
|
||||||
|
// TODO: vary the purpose across the keys
|
||||||
|
ets_efuse_purpose_t purpose = ETS_EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE;
|
||||||
|
|
||||||
|
// starting from block 1, block 0 occupied with HMAC upstream test key
|
||||||
|
int ets_status = ets_efuse_write_key(ETS_EFUSE_BLOCK_KEY1 + i,
|
||||||
|
purpose,
|
||||||
|
test_hmac_keys[i], 32);
|
||||||
|
|
||||||
|
if (ets_status == ESP_OK) {
|
||||||
|
printf("written DS test key to block [%d]!\n", ETS_EFUSE_BLOCK_KEY1 + i);
|
||||||
|
} else {
|
||||||
|
printf("writing DS test key to block [%d] failed, maybe written already\n", ETS_EFUSE_BLOCK_KEY1 + i);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature wrong HMAC key purpose (FPGA only)", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
esp_ds_context_t *ctx;
|
||||||
|
const char *message = "test";
|
||||||
|
|
||||||
|
// HMAC fails in that case because it checks for the correct purpose
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL, esp_ds_start_sign(message, &ds_data, HMAC_KEY0, &ctx));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking wrong HMAC key purpose (FPGA only)", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
esp_ds_data_t ds_data = {};
|
||||||
|
ds_data.rsa_length = ESP_DS_RSA_4096;
|
||||||
|
const char *message = "test";
|
||||||
|
uint8_t signature_data [128 * 4];
|
||||||
|
|
||||||
|
// HMAC fails in that case because it checks for the correct purpose
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL, esp_ds_sign(message, &ds_data, HMAC_KEY0, signature_data));
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Operation (FPGA only)", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
burn_hmac_keys();
|
||||||
|
|
||||||
|
for (int i = 0; i < NUM_CASES; i++) {
|
||||||
|
printf("Running test case %d...\n", i);
|
||||||
|
const encrypt_testcase_t *t = &test_cases[i];
|
||||||
|
|
||||||
|
// copy encrypt parameter test case into ds_data structure
|
||||||
|
esp_ds_data_t ds_data = { };
|
||||||
|
memcpy(ds_data.iv, t->iv, ETS_DS_IV_LEN);
|
||||||
|
memcpy(ds_data.c, t->expected_c, ETS_DS_C_LEN);
|
||||||
|
ds_data.rsa_length = t->p_data.length;
|
||||||
|
|
||||||
|
for (int j = 0; j < NUM_MESSAGES; j++) {
|
||||||
|
uint8_t signature[4096/8] = { 0 };
|
||||||
|
printf(" ... message %d\n", j);
|
||||||
|
esp_ds_context_t *esp_ds_ctx;
|
||||||
|
|
||||||
|
esp_err_t ds_r = esp_ds_start_sign(test_messages[j],
|
||||||
|
&ds_data,
|
||||||
|
t->hmac_key_idx + 1,
|
||||||
|
&esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, ds_r);
|
||||||
|
|
||||||
|
ds_r = esp_ds_finish_sign(signature, esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, ds_r);
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL_HEX8_ARRAY(t->expected_results[j], signature, sizeof(signature));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_CASE("Digital Signature Blocking Operation (FPGA only)", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
burn_hmac_keys();
|
||||||
|
|
||||||
|
for (int i = 0; i < NUM_CASES; i++) {
|
||||||
|
printf("Running test case %d...\n", i);
|
||||||
|
const encrypt_testcase_t *t = &test_cases[i];
|
||||||
|
|
||||||
|
// copy encrypt parameter test case into ds_data structure
|
||||||
|
esp_ds_data_t ds_data = { };
|
||||||
|
memcpy(ds_data.iv, t->iv, ETS_DS_IV_LEN);
|
||||||
|
memcpy(ds_data.c, t->expected_c, ETS_DS_C_LEN);
|
||||||
|
ds_data.rsa_length = t->p_data.length;
|
||||||
|
|
||||||
|
uint8_t signature[4096/8] = { 0 };
|
||||||
|
esp_ds_context_t *esp_ds_ctx;
|
||||||
|
|
||||||
|
esp_err_t ds_r = esp_ds_start_sign(test_messages[0],
|
||||||
|
&ds_data,
|
||||||
|
t->hmac_key_idx + 1,
|
||||||
|
&esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, ds_r);
|
||||||
|
|
||||||
|
ds_r = esp_ds_finish_sign(signature, esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, ds_r);
|
||||||
|
|
||||||
|
TEST_ASSERT_EQUAL_HEX8_ARRAY(t->expected_results[0], signature, sizeof(signature));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
TEST_CASE("Digital Signature Invalid Data (FPGA only)", "[hw_crypto]")
|
||||||
|
{
|
||||||
|
burn_hmac_keys();
|
||||||
|
|
||||||
|
// Set up a valid test case
|
||||||
|
const encrypt_testcase_t *t = &test_cases[0];
|
||||||
|
esp_ds_data_t ds_data = { };
|
||||||
|
memcpy(ds_data.iv, t->iv, ETS_DS_IV_LEN);
|
||||||
|
memcpy(ds_data.c, t->expected_c, ETS_DS_C_LEN);
|
||||||
|
ds_data.rsa_length = t->p_data.length;
|
||||||
|
|
||||||
|
uint8_t signature[4096/8] = { 0 };
|
||||||
|
const uint8_t zero[4096/8] = { 0 };
|
||||||
|
|
||||||
|
// Corrupt the IV one bit at a time, rerun and expect failure
|
||||||
|
for (int bit = 0; bit < 128; bit++) {
|
||||||
|
printf("Corrupting IV bit %d...\n", bit);
|
||||||
|
ds_data.iv[bit / 8] ^= 1 << (bit % 8);
|
||||||
|
esp_ds_context_t *esp_ds_ctx;
|
||||||
|
|
||||||
|
esp_err_t ds_r = esp_ds_start_sign(test_messages[0], &ds_data, t->hmac_key_idx + 1, &esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, ds_r);
|
||||||
|
ds_r = esp_ds_finish_sign(signature, esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST, ds_r);
|
||||||
|
TEST_ASSERT_EQUAL_HEX8_ARRAY(zero, signature, 4096/8);
|
||||||
|
|
||||||
|
ds_data.iv[bit / 8] ^= 1 << (bit % 8);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Corrupt encrypted key data one bit at a time, rerun and expect failure
|
||||||
|
printf("Corrupting C...\n");
|
||||||
|
for (int bit = 0; bit < ETS_DS_C_LEN * 8; bit++) {
|
||||||
|
printf("Corrupting C bit %d...\n", bit);
|
||||||
|
ds_data.c[bit / 8] ^= 1 << (bit % 8);
|
||||||
|
esp_ds_context_t *esp_ds_ctx;
|
||||||
|
|
||||||
|
esp_err_t ds_r = esp_ds_start_sign(test_messages[0], &ds_data, t->hmac_key_idx + 1, &esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_OK, ds_r);
|
||||||
|
ds_r = esp_ds_finish_sign(signature, esp_ds_ctx);
|
||||||
|
TEST_ASSERT_EQUAL(ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST, ds_r);
|
||||||
|
TEST_ASSERT_EQUAL_HEX8_ARRAY(zero, signature, 4096/8);
|
||||||
|
|
||||||
|
ds_data.c[bit / 8] ^= 1 << (bit % 8);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif // CONFIG_IDF_ENV_FPGA
|
||||||
|
|
||||||
|
#endif // CONFIG_IDF_TARGET_ESP32S2
|
|
@ -1,3 +1,17 @@
|
||||||
|
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
#include "esp_hmac.h"
|
#include "esp_hmac.h"
|
||||||
#include "unity.h"
|
#include "unity.h"
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,9 @@
|
||||||
#if __has_include("soc/soc.h")
|
#if __has_include("soc/soc.h")
|
||||||
#include "soc/soc.h"
|
#include "soc/soc.h"
|
||||||
#endif
|
#endif
|
||||||
|
#if __has_include("esp_ds.h")
|
||||||
|
#include "esp_ds.h"
|
||||||
|
#endif
|
||||||
#if __has_include("esp_efuse.h")
|
#if __has_include("esp_efuse.h")
|
||||||
#include "esp_efuse.h"
|
#include "esp_efuse.h"
|
||||||
#endif
|
#endif
|
||||||
|
@ -676,6 +679,23 @@ static const esp_err_msg_t esp_err_msg_table[] = {
|
||||||
# endif
|
# endif
|
||||||
# ifdef ESP_ERR_HTTPD_TASK
|
# ifdef ESP_ERR_HTTPD_TASK
|
||||||
ERR_TBL_IT(ESP_ERR_HTTPD_TASK), /* 45064 0xb008 Failed to launch server task/thread */
|
ERR_TBL_IT(ESP_ERR_HTTPD_TASK), /* 45064 0xb008 Failed to launch server task/thread */
|
||||||
|
# endif
|
||||||
|
// components/esp32s2/include/esp_ds.h
|
||||||
|
# ifdef ESP_ERR_HW_CRYPTO_DS_BASE
|
||||||
|
ERR_TBL_IT(ESP_ERR_HW_CRYPTO_DS_BASE), /* 49152 0xc000 Starting number of HW cryptography
|
||||||
|
module error codes */
|
||||||
|
# endif
|
||||||
|
# ifdef ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL
|
||||||
|
ERR_TBL_IT(ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL), /* 49153 0xc001 HMAC peripheral problem */
|
||||||
|
# endif
|
||||||
|
# ifdef ESP_ERR_HW_CRYPTO_DS_INVALID_KEY
|
||||||
|
ERR_TBL_IT(ESP_ERR_HW_CRYPTO_DS_INVALID_KEY), /* 49154 0xc002 */
|
||||||
|
# endif
|
||||||
|
# ifdef ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST
|
||||||
|
ERR_TBL_IT(ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST), /* 49156 0xc004 */
|
||||||
|
# endif
|
||||||
|
# ifdef ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING
|
||||||
|
ERR_TBL_IT(ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING), /* 49157 0xc005 */
|
||||||
# endif
|
# endif
|
||||||
};
|
};
|
||||||
#endif //CONFIG_ESP_ERR_TO_NAME_LOOKUP
|
#endif //CONFIG_ESP_ERR_TO_NAME_LOOKUP
|
||||||
|
|
|
@ -495,7 +495,7 @@ UT_034:
|
||||||
|
|
||||||
UT_035:
|
UT_035:
|
||||||
extends: .unit_test_s2_template
|
extends: .unit_test_s2_template
|
||||||
parallel: 31
|
parallel: 32
|
||||||
tags:
|
tags:
|
||||||
- ESP32S2_IDF
|
- ESP32S2_IDF
|
||||||
- UT_T1_1
|
- UT_T1_1
|
||||||
|
|
Loading…
Reference in a new issue