MCU8MASS-1777 Use TNG to extract certificates, include functionality in ECC608 to extract certificates and update cryptoauthlib

Author: M65649

examples/extract_certificates/extract_certificates.ino

@@ -1,24 +1,22 @@
 #include <Arduino.h>
-#include <atca_helpers.h>
-#include <atcacert/atcacert_client.h>
-#include <cryptoauthlib.h>
+
+#include <ecc608.h>
 #include <log.h>
 
-#include "cert_def_1_signer.h"
-#include "cert_def_3_device.h"
+static void printCertificate(const uint8_t* certificate, const size_t size) {
+
+    size_t buffer_size = ECC608.calculateBase64EncodedCertificateSize(size);
+
+    char buffer[buffer_size];
 
-void printCertificate(uint8_t* certificate, uint16_t size) {
-    char buffer[1024];
-    size_t buffer_size = sizeof(buffer);
-    ATCA_STATUS result =
-        atcab_base64encode(certificate, size, buffer, &buffer_size);
+    ATCA_STATUS status =
+        ECC608.base64EncodeCertificate(certificate, size, buffer, &buffer_size);
 
-    if (result != ATCA_SUCCESS) {
-        Log.errorf("Failed to encode into base64: %x\r\n", result);
+    if (status != ATCA_SUCCESS) {
+        Log.errorf("Failed to encode into base64: %x\r\n", status);
         return;
     }
 
-    buffer[buffer_size] = 0;
     Log.rawf(
         "-----BEGIN CERTIFICATE-----\r\n%s\r\n-----END CERTIFICATE-----\r\n",
         buffer);
@@ -27,62 +25,113 @@ void printCertificate(uint8_t* certificate, uint16_t size) {
 void setup() {
     Log.begin(115200);
 
-    int status;
-
-    static ATCAIfaceCfg cfg_atecc608b_i2c = {ATCA_I2C_IFACE,
-                                             ATECC608B,
-                                             {
-                                                 0x58,  // 7 bit address of ECC
-                                                 2,     // Bus number
-                                                 100000 // Baud rate
-                                             },
-                                             1560,
-                                             20,
-                                             NULL};
-
-    if (ATCA_SUCCESS != (status = atcab_init(&cfg_atecc608b_i2c))) {
-        Log.errorf("Failed to init: %d\r\n", status);
+    ATCA_STATUS atca_status = ECC608.begin();
+
+    if (atca_status != ATCA_SUCCESS) {
+        Log.errorf("Failed to initialize ECC608, status code: 0x%X\r\n",
+                   atca_status);
+    }
+
+    // Extract the max size of the certificates first
+
+    size_t max_root_certificate_size = 0, max_signer_certificate_size = 0,
+           max_device_certificate_size = 0;
+
+    int atca_cert_status = ATCACERT_E_SUCCESS;
+
+    if ((atca_cert_status = ECC608.getRootCertificateSize(
+             &max_root_certificate_size)) != ATCACERT_E_SUCCESS) {
+
+        Log.errorf("Failed to get root certificate's max size, status code: "
+                   "0x%X\r\n",
+                   atca_cert_status);
         return;
-    } else {
-        Log.info("Initialized ECC\r\n");
     }
 
-    // Retrieve public root key
-    uint8_t public_key[ATCA_PUB_KEY_SIZE];
-    if (ATCA_SUCCESS != (status = atcab_get_pubkey(0, public_key))) {
-        Log.errorf("Failed to get public key: %x\r\n", status);
+    if ((atca_cert_status = ECC608.getSignerCertificateSize(
+             &max_signer_certificate_size)) != ATCACERT_E_SUCCESS) {
+
+        Log.errorf("Failed to get signer certificate's max size, status code: "
+                   "0x%X\r\n",
+                   atca_cert_status);
         return;
     }
 
+    if ((atca_cert_status = ECC608.getDeviceCertificateSize(
+             &max_device_certificate_size)) != ATCACERT_E_SUCCESS) {
+
+        Log.errorf("Failed to get device certificate's max size, status code: "
+                   "0x%X\r\n",
+                   atca_cert_status);
+        return;
+    }
+
+    // We reuse the buffer for the certificates, so have to find the max
+    // size of them so we have enough space for the biggest certificate
+    const size_t certificate_buffer_size = max(
+        max(max_root_certificate_size, max_signer_certificate_size),
+        max_device_certificate_size);
+
+    uint8_t certificate_buffer[certificate_buffer_size];
+
+    // --- Root certificate ---
+
+    size_t root_certificate_size = certificate_buffer_size;
+
     Log.raw("\r\n\r\n");
 
-    // Retrive sign certificate
-    uint8_t buffer[g_cert_def_1_signer.cert_template_size + 4];
-    size_t size = sizeof(buffer);
+    if ((atca_cert_status = ECC608.getRootCertificate(
+             certificate_buffer,
+             &root_certificate_size)) != ATCACERT_E_SUCCESS) {
 
-    if (ATCA_SUCCESS != (status = atcacert_read_cert(&g_cert_def_1_signer,
-                                                     public_key,
-                                                     buffer,
-                                                     &size))) {
-        Log.errorf("Failed to read signing certificate: %d\r\n", status);
+        Log.errorf("Failed to get root certificate, status code: "
+                   "0x%X\r\n",
+                   atca_cert_status);
         return;
     } else {
-        Log.info("Printing signing certificate...\r\n");
-        printCertificate(buffer, size);
+
+        Log.info("Printing root certificate...\r\n");
+        printCertificate(certificate_buffer, root_certificate_size);
     }
 
+    // --- Signer certificate ---
+
+    size_t signer_certificate_size = max_signer_certificate_size;
+
     Log.raw("\r\n\r\n");
 
-    // Retrive device certificate
-    if (ATCA_SUCCESS != (status = atcacert_read_cert(&g_cert_def_3_device,
-                                                     public_key,
-                                                     buffer,
-                                                     &size))) {
-        Log.errorf("Failed to read device certificate: %d\r\n", status);
+    if ((atca_cert_status = ECC608.getSignerCertificate(
+             certificate_buffer,
+             &signer_certificate_size)) != ATCACERT_E_SUCCESS) {
+
+        Log.errorf("Failed to get signer certificate, status code: "
+                   "0x%X\r\n",
+                   atca_cert_status);
         return;
     } else {
+
+        Log.info("Printing signer certificate...\r\n");
+        printCertificate(certificate_buffer, signer_certificate_size);
+    }
+
+    // --- Device certificate ---
+
+    size_t device_certificate_size = max_device_certificate_size;
+
+    Log.raw("\r\n\r\n");
+
+    if ((atca_cert_status = ECC608.getDeviceCertificate(
+             certificate_buffer,
+             &device_certificate_size)) != ATCACERT_E_SUCCESS) {
+
+        Log.errorf("Failed to get device certificate, status code: "
+                   "0x%X\r\n",
+                   atca_cert_status);
+        return;
+    } else {
+
         Log.info("Printing device certificate...\r\n");
-        printCertificate(buffer, size);
+        printCertificate(certificate_buffer, device_certificate_size);
     }
 }
 

examples/mqtt_low_power/mqtt_low_power.ino

@@ -22,11 +22,11 @@ bool initMQTTTopics() {
 
     // Find the thing ID and set the publish and subscription topics
     uint8_t thingName[128];
-    uint8_t thingNameLen = sizeof(thingName);
+    size_t thingNameLen = sizeof(thingName);
 
     // -- Get the thingname
-    uint8_t err = ECC608.getThingName(thingName, &thingNameLen);
-    if (err != ECC608.ERR_OK) {
+    ATCA_STATUS status = ECC608.getThingName(thingName, &thingNameLen);
+    if (status != ATCA_SUCCESS) {
         Log.error("Could not retrieve thingname from the ECC");
         return false;
     }

examples/mqtt_polling_aws/mqtt_polling_aws.ino

@@ -27,11 +27,11 @@ bool initMQTTTopics() {
 
     // Find the thing ID and set the publish and subscription topics
     uint8_t thingName[128];
-    uint8_t thingNameLen = sizeof(thingName);
+    size_t thingNameLen = sizeof(thingName);
 
     // -- Get the thingname
-    uint8_t err = ECC608.getThingName(thingName, &thingNameLen);
-    if (err != ECC608.ERR_OK) {
+    ATCA_STATUS status = ECC608.getThingName(thingName, &thingNameLen);
+    if (status != ATCA_SUCCESS) {
         Log.error("Could not retrieve thingname from the ECC");
         return false;
     }

examples/mqtt_with_connection_loss_handling/mqtt_with_connection_loss_handling.ino

@@ -29,11 +29,11 @@ bool initMQTTTopics() {
 
     // Find the thing ID and set the publish and subscription topics
     uint8_t thingName[128];
-    uint8_t thingNameLen = sizeof(thingName);
+    size_t thingNameLen = sizeof(thingName);
 
     // -- Get the thingname
-    uint8_t err = ECC608.getThingName(thingName, &thingNameLen);
-    if (err != ECC608.ERR_OK) {
+    ATCA_STATUS status = ECC608.getThingName(thingName, &thingNameLen);
+    if (status != ATCA_SUCCESS) {
         Log.error("Could not retrieve thingname from the ECC");
         return false;
     }

examples/provision/provision.ino

@@ -737,10 +737,9 @@ static ATCA_STATUS constructCSR(char* pem, size_t* pem_size) {
     // Retrieve the thing name from the ECC and use that as the common name
     // field
     uint8_t common_name[128];
-    uint8_t common_name_length = sizeof(common_name);
+    size_t common_name_length = sizeof(common_name);
 
-    if (ECC608.getThingName(common_name, &common_name_length) !=
-        ECC608.ERR_OK) {
+    if (ECC608.getThingName(common_name, &common_name_length) != ATCA_SUCCES) {
         const char* default_identifier = "AVR-IoT Cellular Mini";
         common_name_length             = strlen(default_identifier);
         memcpy(common_name, default_identifier, common_name_length);

examples/sandbox/sandbox.ino

@@ -308,10 +308,10 @@ void setup() {
 
     // Find the thing ID and set the publish and subscription topics
     uint8_t thing_name[128];
-    uint8_t thing_name_len = sizeof(thing_name);
+    size_t thing_name_len = sizeof(thing_name);
 
-    uint8_t err = ECC608.getThingName(thing_name, &thing_name_len);
-    if (err != ECC608.ERR_OK) {
+    ATCA_STATUS status = ECC608.getThingName(thing_name, &thing_name_len);
+    if (status != ATCA_SUCCESS) {
         Log.error("Could not retrieve thing name from the ECC");
         Log.error("Unable to initialize the MQTT topics. Stopping...");
         LedCtrl.on(Led::ERROR);

lib/cryptoauth/CMakeLists.txt

@@ -1,12 +1,16 @@
-/* Auto-generated config file atca_config.h */
 #ifndef ATCA_CONFIG_H
 #define ATCA_CONFIG_H
 
+#define __DELAY_BACKWARD_COMPATIBLE__
+
+#include <util/delay.h>
+
+#define atca_delay_ms _delay_ms
+#define atca_delay_us _delay_us
+
 /* Included HALS */
 #define ATCA_HAL_I2C
 
-#define ATCA_ATECC608_SUPPORT
-
 /* \brief How long to wait after an initial wake failure for the POST to
  *         complete.
  * If Power-on self test (POST) is enabled, the self test will run on waking
@@ -20,21 +24,16 @@
 
 /** Enable debug messages */
 // #define ATCA_PRINTF
-//
 
 /******************** Platform Configuration Section ***********************/
 
+#define ATCA_ATECC608_SUPPORT FEATURE_ENABLED
+#define ATCA_TFLEX_SUPPORT    FEATURE_ENABLED
+
 /** Define platform malloc/free */
 #define ATCA_PLATFORM_MALLOC malloc
 #define ATCA_PLATFORM_FREE   free
 
-#define __DELAY_BACKWARD_COMPATIBLE__
-
-#include <util/delay.h>
-
-#define atca_delay_ms _delay_ms
-#define atca_delay_us _delay_us
-
 /* API Configuration Options */
 #define ATCAB_AES_EN                      FEATURE_DISABLED
 #define ATCAB_AES_GCM_EN                  FEATURE_DISABLED
@@ -55,6 +54,7 @@
 #define ATCAB_AES_CBC_ENCRYPT_EN          FEATURE_DISABLED
 #define ATCAB_RANDOM_EN                   FEATURE_DISABLED
 #define ATCAB_READ_ENC_EN                 FEATURE_DISABLED
+#define ATCAB_WRITE_ENC_EN                FEATURE_DISABLED
 #define ATCAB_SECUREBOOT_EN               FEATURE_DISABLED
 #define ATCAB_SECUREBOOT_MAC_EN           FEATURE_DISABLED
 #define ATCAB_SELFTEST_EN                 FEATURE_DISABLED
@@ -72,12 +72,18 @@
 #define TALIB_AES_EN      FEATURE_DISABLED
 #define TALIB_SHA_HMAC_EN FEATURE_DISABLED
 
+#define CALIB_SHA104_EN FEATURE_DISABLED
+#define CALIB_SHA105_EN FEATURE_DISABLED
+#define CALIB_SHA204_EN FEATURE_DISABLED
+#define CALIB_SHA206_EN FEATURE_DISABLED
 #define CALIB_ECC108_EN FEATURE_DISABLED
 #define CALIB_ECC204_EN FEATURE_DISABLED
 #define CALIB_ECC508_EN FEATURE_DISABLED
+#define CALIB_TA010_EN  FEATURE_DISABLED
 #define CALIB_ECDH_ENC  FEATURE_DISABLED
-#define CALIB_SHA204_EN FEATURE_DISABLED
-#define CALIB_SHA206_EN FEATURE_DISABLED
+
+#define CALIB_WRITE_ENC_CA2_EN    FEATURE_DISABLED
+#define CALIB_WRITE_ENC_ECC204_EN FEATURE_DISABLED
 
 #define WPC_MSG_PR_EN FEATURE_DISABLED
 
@@ -87,4 +93,4 @@
 #define ATCACERT_DATEFMT_ISO_EN   FEATURE_DISABLED
 #define ATCACERT_DATEFMT_POSIX_EN FEATURE_DISABLED
 
-#endif // ATCA_CONFIG_H
+#endif // ATCA_CONFIG_H