From 3215020fe6ddc494e527295eb4530b37e02464fa Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 2 Mar 2022 14:49:05 +0100 Subject: [PATCH 1/8] Bearssl: Include bearssl sha256 functions in the build also for devices using SE050 crypto --- src/tls/bearssl/dec32be.c | 2 +- src/tls/bearssl/enc32be.c | 2 +- src/tls/bearssl/sha2small.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/tls/bearssl/dec32be.c b/src/tls/bearssl/dec32be.c index 1ba0968e4..064f9bf98 100644 --- a/src/tls/bearssl/dec32be.c +++ b/src/tls/bearssl/dec32be.c @@ -23,7 +23,7 @@ */ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) #include "inner.h" diff --git a/src/tls/bearssl/enc32be.c b/src/tls/bearssl/enc32be.c index dde2295d1..b6be4e13f 100644 --- a/src/tls/bearssl/enc32be.c +++ b/src/tls/bearssl/enc32be.c @@ -23,7 +23,7 @@ */ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) #include "inner.h" diff --git a/src/tls/bearssl/sha2small.c b/src/tls/bearssl/sha2small.c index c17638706..789623de0 100644 --- a/src/tls/bearssl/sha2small.c +++ b/src/tls/bearssl/sha2small.c @@ -23,7 +23,7 @@ */ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) #include "inner.h" From 4d34ba1c7f9a55feac3665f1cc35023e3666a91d Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 2 Mar 2022 14:50:56 +0100 Subject: [PATCH 2/8] ArduinoIoTCloudCertClass: include certificate class in the build also for devices using SE050 crypto --- src/tls/utility/Cert.cpp | 4 ++-- src/tls/utility/Cert.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/tls/utility/Cert.cpp b/src/tls/utility/Cert.cpp index 9a32bc97e..f4ce3b42b 100644 --- a/src/tls/utility/Cert.cpp +++ b/src/tls/utility/Cert.cpp @@ -23,7 +23,7 @@ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) #include "Cert.h" @@ -915,4 +915,4 @@ int ArduinoIoTCloudCertClass::appendAuthorityKeyId(const byte authorityKeyId[], return length + 17; } -#endif /* (BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) */ +#endif /* (BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) */ diff --git a/src/tls/utility/Cert.h b/src/tls/utility/Cert.h index 756747473..45f531869 100644 --- a/src/tls/utility/Cert.h +++ b/src/tls/utility/Cert.h @@ -24,7 +24,7 @@ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) /****************************************************************************** * DEFINE @@ -182,6 +182,6 @@ class ArduinoIoTCloudCertClass { }; -#endif /* BOARD_HAS_ECCX08 || BOARD_HAS_OFFLOADED_ECCX08 */ +#endif /* BOARD_HAS_ECCX08 || BOARD_HAS_OFFLOADED_ECCX08 || BOARD_HAS_SE050*/ #endif /* ARDUINO_IOT_CLOUD_CERT_H */ From 7f72d757c8051a09ec0ae1a1aeaa9f6ccfecb61a Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 2 Mar 2022 14:53:32 +0100 Subject: [PATCH 3/8] CryptoUtil: include in the build and add support for devices using SE050 crypto --- src/tls/utility/CryptoUtil.cpp | 26 ++++++++++++++++++++++++-- src/tls/utility/CryptoUtil.h | 30 ++++++++++++++++++++++++------ 2 files changed, 48 insertions(+), 8 deletions(-) diff --git a/src/tls/utility/CryptoUtil.cpp b/src/tls/utility/CryptoUtil.cpp index 3d1fdf880..24f03121d 100644 --- a/src/tls/utility/CryptoUtil.cpp +++ b/src/tls/utility/CryptoUtil.cpp @@ -21,7 +21,7 @@ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) #include "CryptoUtil.h" #include "SHA256.h" @@ -36,7 +36,11 @@ * CTOR/DTOR **************************************************************************************/ CryptoUtil::CryptoUtil() +#if defined(BOARD_HAS_SE050) +: _crypto {SE05X} +#else : _crypto {ECCX08} +#endif { } @@ -133,6 +137,11 @@ int CryptoUtil::writeDeviceId(String & device_id, const CryptoSlot device_id_slo int CryptoUtil::writeCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot) { +#if defined(BOARD_HAS_SE050) + if (!_crypto.writeSlot(static_cast(certSlot), cert.bytes(), cert.length())) { + return 0; + } +#else if (!_crypto.writeSlot(static_cast(certSlot), cert.compressedCertSignatureAndDatesBytes(), cert.compressedCertSignatureAndDatesLength())) { return 0; } @@ -140,11 +149,23 @@ int CryptoUtil::writeCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot cert if (!_crypto.writeSlot(static_cast(certSlot) + 1, cert.compressedCertSerialAndAuthorityKeyIdBytes(), cert.compressedCertSerialAndAuthorityKeyIdLenght())) { return 0; } +#endif return 1; } int CryptoUtil::readCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot) { +#if defined(BOARD_HAS_SE050) + byte derBuffer[CRYPTO_CERT_BUFFER_LENGTH]; + size_t derLen; + if (!_crypto.readBinaryObject(static_cast(certSlot), derBuffer, sizeof(derBuffer), &derLen)) { + return 0; + } + + if (!cert.importCert(derBuffer, derLen)) { + return 0; + } +#else String deviceId; byte publicKey[CERT_PUBLIC_KEY_LENGTH]; @@ -183,7 +204,8 @@ int CryptoUtil::readCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certS if (!cert.signCert()) { return 0; } +#endif return 1; } -#endif /* (BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) */ +#endif /* (BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) */ diff --git a/src/tls/utility/CryptoUtil.h b/src/tls/utility/CryptoUtil.h index 35da6b81e..ba75f7021 100644 --- a/src/tls/utility/CryptoUtil.h +++ b/src/tls/utility/CryptoUtil.h @@ -24,20 +24,34 @@ #include -#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) #include #include "Cert.h" + +#if defined(BOARD_HAS_SE050) +#include +#else #include +#endif + +/****************************************************************************** + * DEFINE + ******************************************************************************/ +#if defined(BOARD_HAS_SE050) +#define CRYPTO_SLOT_OFFSET 100 +#else +#define CRYPTO_SLOT_OFFSET 0 +#endif /****************************************************************************** TYPEDEF ******************************************************************************/ enum class CryptoSlot : int { - Key = 0, - CompressedCertificate = 10, - SerialNumberAndAuthorityKeyIdentifier = 11, - DeviceId = 12 + Key = (0 + CRYPTO_SLOT_OFFSET), + CompressedCertificate = (10 + CRYPTO_SLOT_OFFSET), + SerialNumberAndAuthorityKeyIdentifier = (11 + CRYPTO_SLOT_OFFSET), + DeviceId = (12 + CRYPTO_SLOT_OFFSET) }; /****************************************************************************** @@ -64,10 +78,14 @@ class CryptoUtil int readCert(ArduinoIoTCloudCertClass & cert, const CryptoSlot certSlot); private: +#if defined(BOARD_HAS_SE050) + SE05XClass & _crypto; +#else ECCX08Class & _crypto; +#endif }; -#endif /* BOARD_HAS_ECCX08 || BOARD_HAS_OFFLOADED_ECCX08 */ +#endif /* BOARD_HAS_ECCX08 || BOARD_HAS_OFFLOADED_ECCX08 || BOARD_HAS_SE050 */ #endif /* ARDUINO_IOT_CLOUD_UTILITY_CRYPTO_CRYPTO_UTIL_H_ */ From 0d4e7904c8fb290698285d139952c850808bed39 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 2 Mar 2022 14:55:41 +0100 Subject: [PATCH 4/8] ArduinoIoTCloud: Add certificate used to verify cloud server identity. Equivalent to BearSSLTrustAnchors.h file. --- src/tls/AIoTCSSCert.h | 48 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 src/tls/AIoTCSSCert.h diff --git a/src/tls/AIoTCSSCert.h b/src/tls/AIoTCSSCert.h new file mode 100644 index 000000000..1dc8206d9 --- /dev/null +++ b/src/tls/AIoTCSSCert.h @@ -0,0 +1,48 @@ +/* + This file is part of ArduinoIoTBearSSL. + + Copyright 2019 ARDUINO SA (http://www.arduino.cc/) + + This software is released under the GNU General Public License version 3, + which covers the main part of ArduinoIoTBearSSL. + The terms of this license can be found at: + https://www.gnu.org/licenses/gpl-3.0.en.html + + You can be released from the requirements of the above licenses by purchasing + a commercial license. Buying such a license is mandatory if you want to modify or + otherwise use the software for commercial activities involving the Arduino + software without disclosing the source code of your own applications. To purchase + a commercial license, send an email to license@arduino.cc. + +*/ + +#ifndef _AIOTC_SS_CERT_H_ +#define _AIOTC_SS_CERT_H_ + +/****************************************************************************** + * INCLUDE + ******************************************************************************/ + +#include +#ifdef BOARD_HAS_SE050 + +/****************************************************************************** + * CONSTANTS + ******************************************************************************/ +static const char AIoTSSCert[] = +"-----BEGIN CERTIFICATE-----\n" +"MIIBzzCCAXSgAwIBAgIUHxAd66fhJecnwaOR4+wNF03tSlkwCgYIKoZIzj0EAwIw\n" +"RTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkFyZHVpbm8gTExDIFVTMQswCQYDVQQL\n" +"EwJJVDEQMA4GA1UEAxMHQXJkdWlubzAeFw0xODA3MjQwOTQ3MDBaFw00ODA3MTYw\n" +"OTQ3MDBaMEUxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5BcmR1aW5vIExMQyBVUzEL\n" +"MAkGA1UECxMCSVQxEDAOBgNVBAMTB0FyZHVpbm8wWTATBgcqhkjOPQIBBggqhkjO\n" +"PQMBBwNCAARtd2xaz2EcfUSYUfJe4QJAd7ecvUmio4xOq16YrIL8aVtEIne0TS6O\n" +"3ypxwTls1jkUvdlrGEtL7LPV7kKJiVUio0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD\n" +"VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWz4qa47JsBqoVOY2m4wJ+fzhuYAwCgYI\n" +"KoZIzj0EAwIDSQAwRgIhAL/T3CNmaLUK3D8NDsNz4grH92CqEA3TIL/hApabawXY\n" +"AiEA6tnZ2lrNElKXCajtZg/hjWRE/+giFzBP8riar8qOz2w=\n" +"-----END CERTIFICATE-----\n"; + +#endif /* #ifdef BOARD_HAS_SE050 */ + +#endif /* _AIOTC_SS_CERT_H_ */ From ad8fa555b97d330ceffbce12620b6f817ead2a41 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 2 Mar 2022 14:58:49 +0100 Subject: [PATCH 5/8] ArduinoIoTCloudTCP: Add support for devices using SE050 crypto and WiFiSSLSE050Client --- src/ArduinoIoTCloudTCP.cpp | 11 ++++++++++- src/ArduinoIoTCloudTCP.h | 6 ++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/ArduinoIoTCloudTCP.cpp b/src/ArduinoIoTCloudTCP.cpp index 00c416c87..a2f42ea4a 100644 --- a/src/ArduinoIoTCloudTCP.cpp +++ b/src/ArduinoIoTCloudTCP.cpp @@ -28,6 +28,11 @@ #include "tls/utility/CryptoUtil.h" #endif +#ifdef BOARD_HAS_SE050 + #include "tls/AIoTCSSCert.h" + #include "tls/utility/CryptoUtil.h" +#endif + #ifdef BOARD_HAS_OFFLOADED_ECCX08 #include #include "tls/utility/CryptoUtil.h" @@ -216,7 +221,7 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress, } #endif - #ifdef BOARD_HAS_ECCX08 + #if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_SE050) if (!_crypto.begin()) { DEBUG_ERROR("Cryptography processor failure. Make sure you have a compatible board."); @@ -232,7 +237,11 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress, DEBUG_ERROR("Cryptography certificate reconstruction failure."); return 0; } + #ifndef BOARD_HAS_SE050 _sslClient.setClient(_connection->getClient()); + #else + _sslClient.appendCustomCACert(AIoTSSCert); + #endif _sslClient.setEccSlot(static_cast(CryptoSlot::Key), _cert.bytes(), _cert.length()); #elif defined(BOARD_ESP) _sslClient.setInsecure(); diff --git a/src/ArduinoIoTCloudTCP.h b/src/ArduinoIoTCloudTCP.h index 2167b4d19..0104e8c92 100644 --- a/src/ArduinoIoTCloudTCP.h +++ b/src/ArduinoIoTCloudTCP.h @@ -31,6 +31,8 @@ #include "tls/utility/CryptoUtil.h" #elif defined(BOARD_ESP) #include +#elif defined(BOARD_HAS_SE050) + #include "tls/utility/CryptoUtil.h" #endif #ifdef BOARD_HAS_OFFLOADED_ECCX08 @@ -143,6 +145,10 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass #elif defined(BOARD_ESP) WiFiClientSecure _sslClient; String _password; + #elif defined(BOARD_HAS_SE050) + ArduinoIoTCloudCertClass _cert; + WiFiSSLSE050Client _sslClient; + CryptoUtil _crypto; #endif MqttClient _mqttClient; From f55081815872caa076d0412744b3cbd0f603d608 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 2 Mar 2022 16:13:41 +0100 Subject: [PATCH 6/8] ArduinoIoTCloudTCP: simplify ifdefs for _sslClient initialization --- src/ArduinoIoTCloudTCP.cpp | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/src/ArduinoIoTCloudTCP.cpp b/src/ArduinoIoTCloudTCP.cpp index a2f42ea4a..79cfcc341 100644 --- a/src/ArduinoIoTCloudTCP.cpp +++ b/src/ArduinoIoTCloudTCP.cpp @@ -208,7 +208,7 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress, _ota_img_sha256 = sha256_str; #endif /* OTA_ENABLED */ - #ifdef BOARD_HAS_OFFLOADED_ECCX08 +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) if (!_crypto.begin()) { DEBUG_ERROR("_crypto.begin() failed."); @@ -219,38 +219,29 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress, DEBUG_ERROR("_crypto.readDeviceId(...) failed."); return 0; } - #endif +#endif - #if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_SE050) - if (!_crypto.begin()) - { - DEBUG_ERROR("Cryptography processor failure. Make sure you have a compatible board."); - return 0; - } - if (!_crypto.readDeviceId(getDeviceId(), CryptoSlot::DeviceId)) - { - DEBUG_ERROR("Cryptography processor read failure."); - return 0; - } +#if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_SE050) if (!_crypto.readCert(_cert, CryptoSlot::CompressedCertificate)) { DEBUG_ERROR("Cryptography certificate reconstruction failure."); return 0; } - #ifndef BOARD_HAS_SE050 + _sslClient.setEccSlot(static_cast(CryptoSlot::Key), _cert.bytes(), _cert.length()); +#endif + +#if defined(BOARD_HAS_ECCX08) _sslClient.setClient(_connection->getClient()); - #else +#elif defined(BOARD_HAS_SE050) _sslClient.appendCustomCACert(AIoTSSCert); - #endif - _sslClient.setEccSlot(static_cast(CryptoSlot::Key), _cert.bytes(), _cert.length()); - #elif defined(BOARD_ESP) +#elif defined(BOARD_ESP) _sslClient.setInsecure(); - #endif +#endif _mqttClient.setClient(_sslClient); - #ifdef BOARD_ESP +#ifdef BOARD_ESP _mqttClient.setUsernamePassword(getDeviceId(), _password); - #endif +#endif _mqttClient.onMessage(ArduinoIoTCloudTCP::onMessage); _mqttClient.setKeepAliveInterval(30 * 1000); _mqttClient.setConnectionTimeout(1500); From a27021c6491291054b57a2875df1044a289a33a8 Mon Sep 17 00:00:00 2001 From: pennam Date: Thu, 3 Mar 2022 12:50:41 +0100 Subject: [PATCH 7/8] ArduinoIoTCloudTCP: Add missing build option to correctly configure connection --- src/ArduinoIoTCloudTCP.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ArduinoIoTCloudTCP.h b/src/ArduinoIoTCloudTCP.h index 0104e8c92..94f5dfd54 100644 --- a/src/ArduinoIoTCloudTCP.h +++ b/src/ArduinoIoTCloudTCP.h @@ -73,7 +73,7 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass virtual int connected () override; virtual void printDebugInfo() override; - #if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) + #if defined(BOARD_HAS_ECCX08) || defined(BOARD_HAS_OFFLOADED_ECCX08) || defined(BOARD_HAS_SE050) int begin(ConnectionHandler & connection, bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS_SECURE_AUTH, uint16_t brokerPort = DEFAULT_BROKER_PORT_SECURE_AUTH); #else int begin(ConnectionHandler & connection, bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS_USER_PASS_AUTH, uint16_t brokerPort = DEFAULT_BROKER_PORT_USER_PASS_AUTH); From 6aad61667d21875faf9e0a3a7a952dd5bc61131e Mon Sep 17 00:00:00 2001 From: pennam Date: Fri, 4 Mar 2022 10:17:05 +0100 Subject: [PATCH 8/8] ArduinoIoTCloudTCP: Add missing include to WiFiSSLSE050Client --- src/ArduinoIoTCloudTCP.h | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ArduinoIoTCloudTCP.h b/src/ArduinoIoTCloudTCP.h index 94f5dfd54..28c6315be 100644 --- a/src/ArduinoIoTCloudTCP.h +++ b/src/ArduinoIoTCloudTCP.h @@ -33,6 +33,7 @@ #include #elif defined(BOARD_HAS_SE050) #include "tls/utility/CryptoUtil.h" + #include #endif #ifdef BOARD_HAS_OFFLOADED_ECCX08