From 8bf8c256f486a0c6e650e5f08d7a1a08a1a16842 Mon Sep 17 00:00:00 2001 From: Arkadiusz Balys Date: Mon, 11 Mar 2024 16:00:23 +0100 Subject: [PATCH] [nrfconnect] Switch to PSA Crypto API Enabled PSA Crypto API by default in nrfconnect platform --- config/nrfconnect/chip-module/CMakeLists.txt | 4 +- config/nrfconnect/chip-module/Kconfig | 16 + .../nrfconnect/chip-module/Kconfig.defaults | 373 +++++++++--------- src/platform/Zephyr/PlatformManagerImpl.cpp | 16 +- src/platform/nrfconnect/CHIPPlatformConfig.h | 11 + .../nrfconnect/FactoryDataProvider.cpp | 64 ++- src/platform/nrfconnect/FactoryDataProvider.h | 4 + 7 files changed, 285 insertions(+), 203 deletions(-) diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt index 9b81d7cf30282e..d132d8249d76b1 100644 --- a/config/nrfconnect/chip-module/CMakeLists.txt +++ b/config/nrfconnect/chip-module/CMakeLists.txt @@ -60,13 +60,15 @@ if (CONFIG_ARM) matter_add_cflags(--specs=nosys.specs) endif() -if (CONFIG_NORDIC_SECURITY_BACKEND) +if (CONFIG_NRF_SECURITY) zephyr_include_directories($) zephyr_include_directories($) if(TARGET platform_cc3xx) zephyr_include_directories($) endif() matter_add_flags(-DMBEDTLS_CONFIG_FILE=) + matter_add_flags(-DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=) + matter_add_flags(-DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE=) elseif(CONFIG_MBEDTLS) zephyr_include_directories($) zephyr_compile_definitions($) diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig index c72080b7005409..db1b990e80beb4 100644 --- a/config/nrfconnect/chip-module/Kconfig +++ b/config/nrfconnect/chip-module/Kconfig @@ -286,4 +286,20 @@ config CHIP_ENABLE_READ_CLIENT This config can be disabled for device types that do not require Read Client functionality. Disabling this config can save flash and RAM space. +config CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + bool "Operational keys migration feature" + depends on CHIP_CRYPTO_PSA + help + Enables migration of the operational keys stored in the persistent storage to the PSA ITS secure storage. + Enable this feature while updating the firmware of in-field devices that run Mbed TLS cryptography backend + to the firmware based on PSA Crypto API. + +config CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE + bool "Perform factory reset if the operational key migration failed" + default y + depends on CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + help + Allow device to perform factory reset if the operational key for Fabric has not been migrated + properly to PSA ITS storage. + endif # CHIP diff --git a/config/nrfconnect/chip-module/Kconfig.defaults b/config/nrfconnect/chip-module/Kconfig.defaults index 581b5619757bca..f1c1f71e49acaf 100644 --- a/config/nrfconnect/chip-module/Kconfig.defaults +++ b/config/nrfconnect/chip-module/Kconfig.defaults @@ -20,32 +20,9 @@ if CHIP -config LOG - default y - -if LOG - -choice LOG_MODE - default LOG_MODE_MINIMAL -endchoice - -choice MATTER_LOG_LEVEL_CHOICE - default MATTER_LOG_LEVEL_DBG -endchoice - -config CHIP_APP_LOG_LEVEL - default 4 # debug - -config LOG_DEFAULT_LEVEL - default 1 # error - -config CHIP_LOG_SIZE_OPTIMIZATION - default y - -endif - -config PRINTK_SYNC - default y +# ============================================================================== +# System configuration +# ============================================================================== config ASSERT default y @@ -62,43 +39,52 @@ config HW_STACK_PROTECTION config FPU default y -config SHELL - default y - -config SHELL_MINIMAL - default y - -# Enable getting reboot reasons information -config HWINFO - bool - default y - -config HWINFO_SHELL - bool - default n - -config PTHREAD_IPC - bool - default n - config POSIX_MAX_FDS - int default 16 -# Application stack size config MAIN_STACK_SIZE default 6144 config INIT_STACKS default y +config SYSTEM_WORKQUEUE_STACK_SIZE + default 2560 if CHIP_WIFI + +config HEAP_MEM_POOL_SIZE + default 80000 if CHIP_WIFI + +config CHIP_MALLOC_SYS_HEAP_SIZE + default 30720 if CHIP_WIFI + default 8192 if NET_L2_OPENTHREAD + +# We use sys_heap based allocators, so make sure we don't reserve unused libc heap anyway +config COMMON_LIBC_MALLOC_ARENA_SIZE + default -1 + +config NVS_LOOKUP_CACHE_SIZE + default 512 + +# ============================================================================== +# Zephyr networking configuration +# ============================================================================== + config NET_IPV6_MLD default y +config NET_IPV6_NBR_CACHE + default y if CHIP_WIFI + default n if NET_L2_OPENTHREAD + +config NET_IF_UNICAST_IPV6_ADDR_COUNT + default 6 + config NET_IF_MCAST_IPV6_ADDR_COUNT default 14 -# Network buffers +config NET_IF_IPV6_PREFIX_COUNT + default NET_IF_UNICAST_IPV6_ADDR_COUNT if CHIP_WIFI + config NET_PKT_RX_COUNT default 8 @@ -111,7 +97,12 @@ config NET_BUF_RX_COUNT config NET_BUF_TX_COUNT default 16 -# Bluetooth Low Energy configs +config NET_SOCKETS_POLL_MAX + default 6 if CHIP_WIFI + +# ============================================================================== +# Bluetooth Low Energy configuration +# ============================================================================== config BT default y @@ -162,99 +153,95 @@ config BT_BUF_ACL_TX_SIZE config BT_RX_STACK_SIZE default 1200 +# Increase maximum data length of PDU supported in the Controller +config BT_CTLR_DATA_LENGTH_MAX + default 251 if SOC_SERIES_NRF52X + config BT_CTLR_ECDH - bool default n config BT_CTLR_LE_ENC - bool default n config BT_DEVICE_NAME_GATT_WRITABLE - bool default n config BT_GATT_CACHING - bool default n # Disable 2M PHY due to interoperability issues. config BT_CTLR_PHY_2M default n -# Enable NFC support +config MPSL_FEM_NRF21540_RUNTIME_PA_GAIN_CONTROL + default y if MPSL_FEM + +# ============================================================================== +# NFC configuration +# ============================================================================== config CHIP_NFC_COMMISSIONING default y # Disable not needed NFC callback to save flash config NFC_THREAD_CALLBACK - bool default n +# ============================================================================== +# DFU configuration +# ============================================================================== + config CHIP_OTA_REQUESTOR default y -# All boards besides nRF7002DK use QSPI NOR external flash -if BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF52840DK_NRF52840 - +# All boards except nRF7002DK use QSPI NOR external flash config CHIP_QSPI_NOR - default y - -endif # BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF52840DK_NRF52840 + default y if BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF52840DK_NRF52840 # nRF7002DK uses SPI NOR external flash - -if BOARD_NRF7002DK_NRF5340_CPUAPP - config CHIP_SPI_NOR - default y - -endif # BOARD_NRF7002DK_NRF5340_CPUAPP + default y if BOARD_NRF7002DK_NRF5340_CPUAPP -# Enable extended discovery -config CHIP_EXTENDED_DISCOVERY - default n +config BOOT_IMAGE_ACCESS_HOOKS + default y if SOC_SERIES_NRF53X -config NVS_LOOKUP_CACHE_SIZE - default 512 +config UPDATEABLE_IMAGE_NUMBER + default 2 if SOC_SERIES_NRF53X -# Enable OpenThread +# ============================================================================== +# OpenThread configuration +# ============================================================================== config NET_L2_OPENTHREAD default y if !WIFI_NRF700X if NET_L2_OPENTHREAD -# Disable OpenThread shell -config OPENTHREAD_SHELL - default n - -# Disable certain parts of Zephyr IPv6 stack -config NET_IPV6_NBR_CACHE - bool - default n - # Increase the default RX stack size config IEEE802154_NRF5_RX_STACK_SIZE default 1024 config OPENTHREAD_THREAD_STACK_SIZE - default 4096 + default 6144 if PSA_CRYPTO_DRIVER_CC3XX && PSA_CRYPTO_DRIVER_OBERON + default 4096 -endif +config OPENTHREAD_DEFAULT_TX_POWER + default 20 if MPSL_FEM + default 3 if SOC_SERIES_NRF53X + default 8 if SOC_SERIES_NRF52X + +endif # NET_L2_OPENTHREAD + +# ============================================================================== +# Wi-Fi configuration +# ============================================================================== if CHIP_WIFI choice WPA_SUPP_LOG_LEVEL_CHOICE - default WPA_SUPP_LOG_LEVEL_ERR + default WPA_SUPP_LOG_LEVEL_ERR endchoice -# increase the prefixes limit to match -# maximum number of IPv6 addresses per interface -config NET_IF_IPV6_PREFIX_COUNT - default 6 - # it saves us 20kB of FLASH config WPA_SUPP_NO_DEBUG default y @@ -272,74 +259,73 @@ config NRF_WIFI_LOW_POWER config NRF700X_RX_NUM_BUFS default 16 -config NRF700X_TX_MAX_DATA_SIZE - default 1280 - -config NRF700X_RX_MAX_DATA_SIZE - default 1280 - config NRF700X_MAX_TX_TOKENS default 10 config NRF700X_MAX_TX_AGGREGATION default 1 -config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +# it saves 25kB of FLASH +config WPA_SUPP_ADVANCED_FEATURES default n -config SYSTEM_WORKQUEUE_STACK_SIZE - default 2560 +endif # CHIP_WIFI -# align these numbers to match the OpenThread config -config NET_IF_UNICAST_IPV6_ADDR_COUNT - default 6 +# ============================================================================== +# Crypto configuration +# ============================================================================== -config NET_IF_MCAST_IPV6_ADDR_COUNT - default 8 +choice OPENTHREAD_SECURITY + default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA + default OPENTHREAD_NRF_SECURITY_CHOICE + +endchoice -config NET_SOCKETS_POLL_MAX - default 6 +choice RNG_GENERATOR_CHOICE + default XOSHIRO_RANDOM_GENERATOR if SOC_SERIES_NRF53X +endchoice -config MBEDTLS_SSL_OUT_CONTENT_LEN - default 900 +config OBERON_BACKEND + default y -# options managed by IP4/IP6 simultaneous support -# aligned here to match OpenThread config -config NET_MAX_ROUTERS - default 1 +config MBEDTLS_ENABLE_HEAP + default y -config NET_MAX_CONN - default 4 +config MBEDTLS_HEAP_SIZE + default 8192 + +# Enable PSA Crypto dependencies for Matter -config SHELL_STACK_SIZE - default 2616 +config CHIP_CRYPTO_PSA + default y if !CHIP_WIFI -config HEAP_MEM_POOL_SIZE - default 80000 +if CHIP_CRYPTO_PSA -endif +config PSA_CRYPTO_DRIVER_CC3XX + default n -config CHIP_MALLOC_SYS_HEAP_SIZE - default 28672 if CHIP_WIFI - default 8192 if NET_L2_OPENTHREAD +config PSA_WANT_ALG_SHA_224 + default n -# Enable mbedTLS from nrf_security library +# Extend the maximum number of PSA key slots to fit Matter requirements +config MBEDTLS_PSA_KEY_SLOT_COUNT + default 64 -choice OPENTHREAD_SECURITY - default OPENTHREAD_NRF_SECURITY_CHOICE -endchoice +if PSA_CRYPTO_DRIVER_CC3XX && PSA_CRYPTO_DRIVER_OBERON -config PSA_CRYPTO_DRIVER_CC3XX - default n +# Do not use CC3XX hash driver when both Oberon and CC3xx are enabled. +config PSA_USE_CC3XX_HASH_DRIVER + default n -config OBERON_BACKEND - default y +endif -config MBEDTLS_ENABLE_HEAP +# Spake2+ support +config MBEDTLS_MD_C default y -config MBEDTLS_HEAP_SIZE - default 8192 +endif + +if !CHIP_CRYPTO_PSA config NRF_SECURITY_ADVANCED default y @@ -347,32 +333,46 @@ config NRF_SECURITY_ADVANCED config MBEDTLS_AES_C default y -config MBEDTLS_ECP_C - default y - -config MBEDTLS_ECP_DP_SECP256R1_ENABLED - default y - config MBEDTLS_CTR_DRBG_C default y config MBEDTLS_CIPHER_MODE_CTR default y +config MBEDTLS_SHA1_C + default y if CHIP_WIFI + config MBEDTLS_SHA256_C default y config MBEDTLS_PK_C default y +config MBEDTLS_PKCS5_C + default y + config MBEDTLS_PK_WRITE_C default y config MBEDTLS_X509_CREATE_C - default y if !CHIP_CRYPTO_PSA + default y config MBEDTLS_X509_CSR_WRITE_C - default y if !CHIP_CRYPTO_PSA + default y + +config MBEDTLS_ECP_C + default y + +config MBEDTLS_ECP_DP_SECP256R1_ENABLED + default y + +endif + +config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + default n if CHIP_WIFI + +config MBEDTLS_SSL_OUT_CONTENT_LEN + default 900 if CHIP_WIFI # Disable unneeded crypto operations @@ -406,17 +406,54 @@ config MBEDTLS_SSL_SRV_C config MBEDTLS_SSL_COOKIE_C default n -# Disable not used shell modules +# ============================================================================== +# Logging configuration +# ============================================================================== -config SHELL_WILDCARD - default n +config LOG + default y -config SHELL_VT100_COLORS - default n +if LOG + +choice LOG_MODE + default LOG_MODE_MINIMAL +endchoice + +choice MATTER_LOG_LEVEL_CHOICE + default MATTER_LOG_LEVEL_DBG +endchoice + +config CHIP_APP_LOG_LEVEL + default 4 # debug -config SHELL_STATS +config LOG_DEFAULT_LEVEL + default 1 # error + +config CHIP_LOG_SIZE_OPTIMIZATION + default y + +# disable synchronous printk to avoid blocking IRQs which +# may affect time sensitive components +config PRINTK_SYNC default n +endif # LOG + +# ============================================================================== +# Shell configuration +# ============================================================================== + +config SHELL + default y + +if SHELL + +config SHELL_STACK_SIZE + default 2616 if CHIP_WIFI + +config SHELL_MINIMAL + default y + config KERNEL_SHELL default n @@ -441,42 +478,12 @@ config CLOCK_CONTROL_NRF_SHELL config FLASH_SHELL default n -if MPSL_FEM - -config MPSL_FEM_NRF21540_RUNTIME_PA_GAIN_CONTROL - default y - -endif # MPSL_FEM - -config OPENTHREAD_DEFAULT_TX_POWER - default 20 if MPSL_FEM - default 3 if SOC_SERIES_NRF53X && !MPSL_FEM - default 8 if SOC_SERIES_NRF52X && !MPSL_FEM - -# SoC series related configuration - -if SOC_SERIES_NRF52X - -# Increase maximum data length of PDU supported in the Controller -config BT_CTLR_DATA_LENGTH_MAX - default 251 - -endif # SOC_SERIES_NRF52X - -if SOC_SERIES_NRF53X - -config BOOT_IMAGE_ACCESS_HOOKS - default y - -config UPDATEABLE_IMAGE_NUMBER - default 2 +config HWINFO_SHELL + default n -# Generate random numbers using Xoroshiro algorithm instead of direct calls -# to the cryptocell library to workaround firmware hangs. -choice RNG_GENERATOR_CHOICE - default XOSHIRO_RANDOM_GENERATOR if SOC_SERIES_NRF53X -endchoice +config OPENTHREAD_SHELL + default n -endif # SOC_SERIES_NRF53X +endif # SHELL -endif +endif \ No newline at end of file diff --git a/src/platform/Zephyr/PlatformManagerImpl.cpp b/src/platform/Zephyr/PlatformManagerImpl.cpp index 59f3a0df45314b..df8a40a55d15cd 100644 --- a/src/platform/Zephyr/PlatformManagerImpl.cpp +++ b/src/platform/Zephyr/PlatformManagerImpl.cpp @@ -21,9 +21,9 @@ * for Zephyr platforms. */ -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) +#if !defined(CONFIG_NRF_SECURITY) #include // nogncheck -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) +#endif // !defined(CONFIG_NRF_SECURITY) #include @@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack }; static k_timer sOperationalHoursSavingTimer; -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) static bool sChipStackEntropySourceAdded = false; static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen) { @@ -72,7 +72,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s return ret; } -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer) { @@ -109,16 +109,16 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) { CHIP_ERROR err; -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes) const size_t kThreshold = 16; -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Initialize the configuration system. err = Internal::ZephyrConfig::Init(); SuccessOrExit(err); -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) if (!sChipStackEntropySourceAdded) { // Add entropy source based on Zephyr entropy driver @@ -126,7 +126,7 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) SuccessOrExit(err); sChipStackEntropySourceAdded = true; } -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Call _InitChipStack() on the generic implementation base class to finish the initialization process. err = Internal::GenericPlatformManagerImpl_Zephyr::_InitChipStack(); diff --git a/src/platform/nrfconnect/CHIPPlatformConfig.h b/src/platform/nrfconnect/CHIPPlatformConfig.h index 90af43c0a10c6b..58ef76f9b9390e 100644 --- a/src/platform/nrfconnect/CHIPPlatformConfig.h +++ b/src/platform/nrfconnect/CHIPPlatformConfig.h @@ -49,6 +49,17 @@ #define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208 #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#ifndef CHIP_CONFIG_SHA256_CONTEXT_ALIGN +#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN psa_hash_operation_t +#endif // CHIP_CONFIG_SHA256_CONTEXT_ALIGN +#endif // CONFIG_CHIP_CRYPTO_PSA + +#ifndef CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE +#define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE 0x30000 +#endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE + + // ==================== General Configuration Overrides ==================== #ifndef CHIP_CONFIG_MAX_UNSOLICITED_MESSAGE_HANDLERS diff --git a/src/platform/nrfconnect/FactoryDataProvider.cpp b/src/platform/nrfconnect/FactoryDataProvider.cpp index caa1ad434f9254..11995faccd8272 100644 --- a/src/platform/nrfconnect/FactoryDataProvider.cpp +++ b/src/platform/nrfconnect/FactoryDataProvider.cpp @@ -157,20 +157,62 @@ CHIP_ERROR FactoryDataProvider::SignWithDeviceAttestationKey(c { Crypto::P256ECDSASignature signature; Crypto::P256Keypair keypair; + CHIP_ERROR err = CHIP_NO_ERROR; +#ifdef CONFIG_CHIP_CRYPTO_PSA + psa_key_id_t keyId = 0; +#endif - VerifyOrReturnError(outSignBuffer.size() >= signature.Capacity(), CHIP_ERROR_BUFFER_TOO_SMALL); - ReturnErrorCodeIf(!mFactoryData.dac_cert.data, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); - ReturnErrorCodeIf(!mFactoryData.dac_priv_key.data, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); + VerifyOrExit(outSignBuffer.size() >= signature.Capacity(), err = CHIP_ERROR_BUFFER_TOO_SMALL); + VerifyOrExit(mFactoryData.dac_cert.data, err = CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); + VerifyOrExit(mFactoryData.dac_priv_key.data, err = CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); + +#ifdef CONFIG_CHIP_CRYPTO_PSA + { + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_reset_key_attributes(&attributes); + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&attributes, kDACPrivateKeyLength * 8); + psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); + VerifyOrExit(psa_import_key(&attributes, reinterpret_cast(mFactoryData.dac_priv_key.data), kDACPrivateKeyLength, + &keyId) == PSA_SUCCESS, + err = CHIP_ERROR_INTERNAL); + + size_t outputLen = 0; + psa_status_t status = psa_sign_message(keyId, PSA_ALG_ECDSA(PSA_ALG_SHA_256), messageToSign.data(), messageToSign.size(), + signature.Bytes(), signature.Capacity(), &outputLen); + VerifyOrExit(!status, err = CHIP_ERROR_INTERNAL); + VerifyOrExit(outputLen == chip::Crypto::kP256_ECDSA_Signature_Length_Raw, err = CHIP_ERROR_INTERNAL); + err = signature.SetLength(outputLen); + VerifyOrExit(err == CHIP_NO_ERROR, ); + } +#else + { + // Extract public key from DAC cert. + ByteSpan dacCertSpan{ reinterpret_cast(mFactoryData.dac_cert.data), mFactoryData.dac_cert.len }; + chip::Crypto::P256PublicKey dacPublicKey; + + err = chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey); + VerifyOrExit(err == CHIP_NO_ERROR, ); + err = + LoadKeypairFromRaw(ByteSpan(reinterpret_cast(mFactoryData.dac_priv_key.data), mFactoryData.dac_priv_key.len), + ByteSpan(dacPublicKey.Bytes(), dacPublicKey.Length()), keypair); + VerifyOrExit(err == CHIP_NO_ERROR, ); + err = keypair.ECDSA_sign_msg(messageToSign.data(), messageToSign.size(), signature); + VerifyOrExit(err == CHIP_NO_ERROR, ); + } +#endif + +exit: - // Extract public key from DAC cert. - ByteSpan dacCertSpan{ reinterpret_cast(mFactoryData.dac_cert.data), mFactoryData.dac_cert.len }; - chip::Crypto::P256PublicKey dacPublicKey; +#ifdef CONFIG_CHIP_CRYPTO_PSA + psa_destroy_key(keyId); +#endif - ReturnErrorOnFailure(chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey)); - ReturnErrorOnFailure( - LoadKeypairFromRaw(ByteSpan(reinterpret_cast(mFactoryData.dac_priv_key.data), mFactoryData.dac_priv_key.len), - ByteSpan(dacPublicKey.Bytes(), dacPublicKey.Length()), keypair)); - ReturnErrorOnFailure(keypair.ECDSA_sign_msg(messageToSign.data(), messageToSign.size(), signature)); + if (err != CHIP_NO_ERROR) + { + return err; + } return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, outSignBuffer); } diff --git a/src/platform/nrfconnect/FactoryDataProvider.h b/src/platform/nrfconnect/FactoryDataProvider.h index 15dae3ab7e3a0e..bc1ef16ee6d161 100644 --- a/src/platform/nrfconnect/FactoryDataProvider.h +++ b/src/platform/nrfconnect/FactoryDataProvider.h @@ -21,6 +21,10 @@ #include #include +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#endif + #include #include #include