int client_rebuild_certs(void)
{
int ret = 0;
char disp_str[1500];
int disp_size = sizeof(disp_str);
uint8_t signer_public_key[64];
g_signer_cert_size = sizeof(g_signer_cert);
ret = atcacert_read_cert(&g_cert_def_1_signer, g_signer_ca_public_key, g_signer_cert, &g_signer_cert_size);
if (ret != ATCACERT_E_SUCCESS) return ret;
disp_size = sizeof(disp_str);
atcab_bin2hex( g_signer_cert, g_signer_cert_size, disp_str, &disp_size);
printf("CLIENT: Rebuilt Signer Certificate:\r\n%s\r\n", disp_str);
ret = atcacert_get_subj_public_key(&g_cert_def_1_signer, g_signer_cert, g_signer_cert_size, signer_public_key);
if (ret != ATCACERT_E_SUCCESS) return ret;
g_device_cert_size = sizeof(g_device_cert);
ret = atcacert_read_cert(&g_cert_def_2_device, signer_public_key, g_device_cert, &g_device_cert_size);
if (ret != ATCACERT_E_SUCCESS) return ret;
disp_size = sizeof(disp_str);
atcab_bin2hex( g_device_cert, g_device_cert_size, disp_str, &disp_size);
printf("CLIENT: Rebuilt Device Certificate:\r\n%s\r\n", disp_str);
return 0;
}
/** \brief This host role method verifies the signature of the challenge. This step insures that
* the device can prove it owns the private key associated with the public key of its certificate.
* Since the certificate is verified to be in a root of trust certificate chain, this ECDSA verification
* step makes sure the public key the device says it has is truly owned by the device and not a forgery.
*/
int host_verify_response(void)
{
int ret = 0;
uint8_t device_public_key[64];
char disp_str[256];
int disp_size = sizeof(disp_str);
ret = atcacert_get_subj_public_key(&g_cert_def_2_device, g_device_cert, g_device_cert_size, device_public_key);
if (ret != ATCACERT_E_SUCCESS) return ret;
disp_size = sizeof(disp_str);
atcab_bin2hex(device_public_key, sizeof(device_public_key), disp_str, &disp_size);
printf("HOST: Device public key from certificate:\r\n%s\r\n", disp_str);
ret = atcacert_verify_response_hw(device_public_key, g_challenge, g_response);
if (ret != ATCACERT_E_SUCCESS) return ret;
printf("HOST: Device response to challenge verified!\r\n");
return 0;
}
int host_verify_cert_chain(void)
{
int ret = 0;
uint8_t signer_public_key[64];
// Validate signer cert against its certificate authority (CA) public key
ret = atcacert_verify_cert_hw(&g_cert_def_1_signer, g_signer_cert, g_signer_cert_size, g_signer_ca_public_key);
if (ret != ATCACERT_E_SUCCESS) return ret;
printf("HOST: Signer certificate verified against signer certificate authority (CA) public key!\r\n");
// Get the signer's public key from its certificate
ret = atcacert_get_subj_public_key(&g_cert_def_1_signer, g_signer_cert, g_signer_cert_size, signer_public_key);
if (ret != ATCACERT_E_SUCCESS) return ret;
// Validate the device cert against its certificate authority (CA) which is the signer
ret = atcacert_verify_cert_hw(&g_cert_def_2_device, g_device_cert, g_device_cert_size, signer_public_key);
if (ret != ATCACERT_E_SUCCESS) return ret;
printf("HOST: Device certificate verified against signer public key!\r\n");
return 0;
}
/** \brief Test chain verification using certificates that were read from a properly configured ECC508.
* The device certificate and signer certificate are verified.
* \return void
*/
void test_atcatls_verify_cert_chain(void)
{
ATCA_STATUS status = ATCA_GEN_FAIL;
uint8_t signerPubkey[64] = { 0 };
uint8_t caPubkey[64] = { 0 };
uint8_t signerCert[1024] = { 0 };
uint8_t deviceCert[1024] = { 0 };
size_t signerCertSize = 1024;
size_t deviceCertSize = 1024;
status = atcatls_init(g_pCfg);
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
// Get the CA public key
memcpy(caPubkey, g_signer_1_ca_public_key_t, sizeof(caPubkey));
// Get the signer certificate
status = atcatls_get_cert(&g_cert_def_1_signer_t, g_signer_1_ca_public_key_t, signerCert, &signerCertSize);
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
// Get the signer public key from the signer certificate
status = atcacert_get_subj_public_key(&g_cert_def_1_signer_t, signerCert, signerCertSize, signerPubkey);
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
// Get the device certificate
status = atcatls_get_cert(&g_cert_def_0_device_t, signerPubkey, deviceCert, &deviceCertSize);
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
// Verify the signer certificate
status = atcacert_verify_cert_hw(&g_cert_def_1_signer_t, signerCert, signerCertSize, caPubkey);
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
// Verify the device certificate
status = atcacert_verify_cert_hw(&g_cert_def_0_device_t, deviceCert, deviceCertSize, signerPubkey);
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
status = atcatls_finish();
TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
}
int atcacert_get_device_data( const atcacert_def_t* cert_def,
const uint8_t* cert,
size_t cert_size,
const atcacert_device_loc_t* device_loc,
uint8_t* device_data)
{
int ret = 0;
int i = 0;
uint8_t temp_buf[256]; // Must be at least 72 bytes
size_t temp_buf_size = sizeof(temp_buf);
if (cert_def == NULL || cert == NULL || device_loc == NULL || device_data == NULL)
return ATCACERT_E_BAD_PARAMS;
// Certificate serial number
if (atcacert_is_device_loc_overlap(&cert_def->cert_sn_dev_loc, device_loc)) {
temp_buf_size = sizeof(temp_buf);
ret = atcacert_get_cert_sn(cert_def, cert, cert_size, temp_buf, &temp_buf_size);
if (ret != ATCACERT_E_SUCCESS)
return ret;
atcacert_copy_device_loc_data(&cert_def->cert_sn_dev_loc, temp_buf, device_loc, device_data);
}
// Subject public key
if (atcacert_is_device_loc_overlap(&cert_def->public_key_dev_loc, device_loc)) {
ret = atcacert_get_subj_public_key(cert_def, cert, cert_size, temp_buf);
if (ret != ATCACERT_E_SUCCESS)
return ret;
if (cert_def->public_key_dev_loc.count == 72)
// Public key is formatted with padding bytes in front of the X and Y components
atcacert_public_key_add_padding(temp_buf, temp_buf);
else if (cert_def->public_key_dev_loc.count != 64)
return ATCACERT_E_BAD_CERT; // Unexpected public key size
atcacert_copy_device_loc_data(&cert_def->public_key_dev_loc, temp_buf, device_loc, device_data);
}
// Compressed certificate
if (atcacert_is_device_loc_overlap(&cert_def->comp_cert_dev_loc, device_loc)) {
ret = atcacert_get_comp_cert(cert_def, cert, cert_size, temp_buf);
if (ret != ATCACERT_E_SUCCESS)
return ret;
if (cert_def->comp_cert_dev_loc.count != 72)
return ATCACERT_E_BAD_CERT; // Unexpected compressed certificate size
atcacert_copy_device_loc_data(&cert_def->comp_cert_dev_loc, temp_buf, device_loc, device_data);
}
// Additional custom certificate elements
if (cert_def->cert_elements_count > 0 && cert_def->cert_elements == NULL)
return ATCACERT_E_BAD_CERT;
for (i = 0; i < cert_def->cert_elements_count; i++) {
if (atcacert_is_device_loc_overlap(&cert_def->cert_elements[i].device_loc, device_loc)) {
if (sizeof(temp_buf) < cert_def->cert_elements[i].device_loc.count)
return ATCACERT_E_BUFFER_TOO_SMALL;
ret = atcacert_get_cert_element(
&cert_def->cert_elements[i].cert_loc,
cert,
cert_size,
temp_buf,
cert_def->cert_elements[i].device_loc.count);
if (ret != ATCACERT_E_SUCCESS)
return ret;
atcacert_copy_device_loc_data(&cert_def->cert_elements[i].device_loc, temp_buf, device_loc, device_data);
}
}
return ATCACERT_E_SUCCESS;
}
