
Need help to configure optiga trustM as HSM during aws device tester(device qualification process) #18

Open
Darsh-Dev opened this issue Jan 8, 2021 · 12 comments
Labels: help wanted (Extra attention is needed)

Comments


Darsh-Dev commented Jan 8, 2021

Hi,

I am porting the OPTIGA Trust M and AWS FreeRTOS to the STM32WB55.
I also ported the pkcs11 layer for OPTIGA Trust M and ran the aws_test code with the testrunnerFULL_PKCS11_ENABLED config set to 1, and it passes all the test cases.

Now I want to qualify our kit (STM32WB55 + OPTIGA Trust M) with the HSM (OPTIGA Trust M) in the AWS FreeRTOS catalog.
I followed these qualification steps.
I set the parameters below in device.json for pkcs11:

```json
{
    "name": "PKCS11",
    "value": "ecc"
},
{
    "name": "KeyProvisioning",
    "value": "Onboard"
}
```

Now I need help configuring secureElementConfig:

```json
"secureElementConfig" : {
    "publicKeyAsciiHexFilePath": "absolute-path-to/public-key-txt-file: contains-the-hex-bytes-public-key-extracted-from-onboard-private-key",
    "secureElementSerialNumber": "secure-element-serialNo-value"
}
```

Query:
How do I extract the public key and provide its path in the above parameter (secureElementConfig)?

As the "XMC4800 IoT Connectivity Kit with OPTIGA Trust X" was qualified for AWS FreeRTOS, it would really help if you could share the device.json file of the XMC4800 IoT Connectivity Kit with OPTIGA Trust X for reference, or give proper guidance on the secureElementConfig parameter for OPTIGA Trust M.

@Darsh-Dev Darsh-Dev added the bug Something isn't working label Jan 8, 2021
@ayushev ayushev added help wanted Extra attention is needed and removed bug Something isn't working labels Jan 8, 2021
@ayushev
Member

ayushev commented Jan 8, 2021

Hi @Darsh-Dev

If I recall correctly, the IDT doesn't require you to have the corresponding certificate, only the corresponding private key stored on the chip (referenced in the pkcs11 config file) and the public key stored externally (in the file which you should feed to the IDT). For the key generation you can follow the steps here (Option #2); the resulting output, e.g.

```
3059 3013 0607 2a86 48ce 3d02 0106 082a
8648 ce3d 0301 0703 4200 04cd 6569 ceb8
1bb9 1e72 339f e8cf 60ef 0f9f b473 33ac
6f19 1813 6999 3fa0 c293 5fae 08f1 1ad0
41b7 345c e746 1046 228e 5a5f d787 d571
dcb2 4e8d 75b3 2586 e2cc 0c
```

should be stored in the file.
But please construct your setup in such a way that the key generation happens only once, otherwise you will lose the generated key pair.
I wrote here a function which can help to block the private key object you have used to generate the key pair: https://github.com/Infineon/amazon-freertos/blob/feature/infineon/vendors/infineon/boards/xmc4700_relaxkit/aws_demos/application_code/infineon_code/update_metadata.c.sample

Alternatively, we do have a management UI tool for OPTIGA Trust devices which can help to manage access conditions for objects. You can ask your contact at Infineon to get it.

@Darsh-Dev
Author

Hi @ayushev

On another note: while working with OPTIGA's pre-provisioned credentials (not performing onboard key generation) and using pkcs11testLABEL_DEVICE_PRIVATE_KEY_FOR_TLS "0xE0F0", what I observed is that while performing the FullPKCS11_ECC IDT test, it performs the test for prvDestroyTestCredentials and uses xDestroyProvidedObjects().

But then it doesn't come out of the while loop here,
and hence the IDT test fails.

I also tried disabling pkcs11configPAL_DESTROY_SUPPORTED, but it didn't help.

Below are the other configs which work with the pre-provisioned credentials while running aws_demo, and it can communicate:


```c
#define pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS       "0xE0F0"   // "0xE0F1"
#define pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS        "0xF1D2"
#define pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS       "0xE0E0"   // "0xE0E1"
#define pkcs11configLABEL_CODE_VERIFICATION_KEY            "0xE0EF"
```

Any thoughts on this ?

Thanks

@ayushev
Member

ayushev commented Jul 27, 2021

Hello @Darsh-Dev
First thing: the IDT can be performed only with non-locked credentials, thus I'd propose to configure iot_test_pkcs11_config.h with the E2/F2 credentials. Additionally, the IDT uses a different set of credentials called "test" to examine the communication.

@Darsh-Dev
Author

After iot_test_pkcs11_config.h was configured with the E2/F2 credentials and the onboard key generation process was done, the same test fails saying "Invalid object handle found for private key." here.

Maybe I am missing something?!

@Darsh-Dev
Author

Darsh-Dev commented Oct 14, 2021

Hi @ayushev,

On changing to the E2/F2 credentials with the onboard key generation process, AWS communication is not working; the server closes the socket at the TLS handshake stage (MBEDTLS_SSL_CLIENT_FINISHED).

keyCLIENT_CERTIFICATE_PEM and keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM are filled with the details generated by the onboard key generation.

Now if I change the pkcs11 configs to work with the pre-provisioned certificates, communication is working fine, i.e.

```c
#define pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS "0xE0F0"
#define pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS "0xE0E0"
```

I am currently performing this on aws_demo not on aws_test.

Below are my mbedtls logs for E0/F0 (working) as well as for E2/F2 (non-working):

Non-working-logs-debug-OnBoardKey.txt
working_mbedtls_logs_with-preprovisined_cert.txt

And here are my pkcs11 configs (a bit messy):
core_pkcs11_config.txt

So, any guidance on what could be configured wrong for the onboard certificate exchange?

@ayushev
Member

ayushev commented Oct 14, 2021

Hi @Darsh-Dev

Great that you have provided the log, that makes it way easier.

The certificate you have installed in the slot is RSA based:

```
mbedTLS: |3| 0x2000dde4: expires on        : 2024-06-06 10:09:29
mbedTLS: |3| 0x2000dde4: signed using      : RSA with SHA-256
mbedTLS: |3| 0x2000dde4: RSA key size      : 2048 bits
mbedTLS: |3| 0x2000dde4: basic constraints : CA=true
mbedTLS: |3| 0x2000dde4: value of 'crt->rsa.N' (2048 bits) is:
```

whereas the default certificate is EC256 based:

```
mbedTLS: |3| 0x2000da44: expires on        : 2039-06-18 06:30:14
mbedTLS: |3| 0x2000da44: signed using      : ECDSA with SHA256
mbedTLS: |3| 0x2000da44: EC key size       : 256 bits
mbedTLS: |3| 0x2000da44: basic constraints : CA=false
mbedTLS: |3| 0x2000da44: key usage         : Digital Signature
```

The mbedtls wrapper doesn't have a function to handle an RSA private key installed in the OPTIGA.
The most recent optiga-trust-m hostlib has these RSA handlers in place, though they were not qualified to work with Amazon FreeRTOS (meaning it might work out of the box, or might require some changes).
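Two things in this thread lend themselves to a small offline check: the public-key file that IDT's secureElementConfig asks for (the reply above shows the DER SubjectPublicKeyInfo of an EC P-256 key written as 16-bit hex words), and the RSA-versus-EC mismatch that the mbedtls log exposed. The script below is an added example and is not code from this issue, from AWS IDT or from Infineon's repositories. It uses only the Python standard library: it parses an SPKI, reports the key type in the wording mbedtls prints, converts to and from the hex layout of the posted dump, and refuses anything that is not an EC P-256 key. The EC sample is the dump posted above; the RSA sample is constructed with a placeholder modulus and is not a real key. Whether IDT tolerates other whitespace layouts in the file is not stated in the thread, so the writer reproduces the posted layout exactly.

```python
"""Stdlib-only SubjectPublicKeyInfo (SPKI) checks for the IDT public-key file.
Added example, not code from the issue, AWS IDT or Infineon."""

# DER OID values (tag and length stripped).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")        # 1.2.840.10045.3.1.7 P-256
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# The EC P-256 SPKI dump posted in the reply above, verbatim.
SAMPLE_IDT_TEXT = """3059 3013 0607 2a86 48ce 3d02 0106 082a
8648 ce3d 0301 0703 4200 04cd 6569 ceb8
1bb9 1e72 339f e8cf 60ef 0f9f b473 33ac
6f19 1813 6999 3fa0 c293 5fae 08f1 1ad0
41b7 345c e746 1046 228e 5a5f d787 d571
dcb2 4e8d 75b3 2586 e2cc 0c"""

def _read_tlv(buf, pos):
    """(tag, value, next_pos) for the DER element at buf[pos]; short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):
    """Encode one DER TLV (only used to build the constructed RSA sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def parse_spki(der):
    """SPKI ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }.
    Returns {"type": "EC", "curve": "P-256", "x", "y"} or {"type": "RSA", "bits"}."""
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    tag, bits, pos = _read_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0 or pos != len(spki):
        raise ValueError("subjectPublicKey BIT STRING malformed")
    key = bits[1:]                           # drop the unused-bits octet
    tag, oid, apos = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    if oid == OID_EC_PUBLIC_KEY:
        ptag, curve, _ = _read_tlv(alg, apos)  # parameters = namedCurve OID
        if ptag != 0x06 or curve != OID_PRIME256V1:
            raise ValueError("EC key is not on P-256")
        if len(key) != 65 or key[0] != 0x04:   # only the uncompressed point form
            raise ValueError("not an uncompressed P-256 point")
        return {"type": "EC", "curve": "P-256", "x": key[1:33], "y": key[33:]}
    if oid == OID_RSA_ENCRYPTION:
        _, rsa, _ = _read_tlv(key, 0)          # RSAPublicKey ::= SEQUENCE { n, e }
        _, n, _ = _read_tlv(rsa, 0)
        return {"type": "RSA", "bits": int.from_bytes(n, "big").bit_length()}
    raise ValueError("unsupported algorithm OID " + oid.hex())

def describe(der):
    """One-line summary in the wording mbedtls used in the logs above."""
    k = parse_spki(der)
    return "EC key size: 256 bits" if k["type"] == "EC" else "RSA key size: %d bits" % k["bits"]

def to_idt_hex(der, words_per_line=8):
    """DER bytes -> space-separated 16-bit hex words, 8 per line (layout of the posted dump)."""
    h = der.hex()
    words = [h[i:i + 4] for i in range(0, len(h), 4)]
    return "\n".join(" ".join(words[i:i + words_per_line])
                     for i in range(0, len(words), words_per_line))

def from_idt_hex(text):
    """Inverse of to_idt_hex: strip all whitespace and decode."""
    return bytes.fromhex("".join(text.split()))

def check_for_idt(text):
    """Gate for the ECC profile: accept the file body only if it holds an EC P-256 key."""
    key = parse_spki(from_idt_hex(text))
    if key["type"] != "EC":
        raise ValueError("IDT PKCS11=ecc needs an EC P-256 public key, got " + key["type"])
    return key

# Constructed RSA-2048 SPKI with a placeholder modulus (not a real key), for the RSA branch.
RSA_SAMPLE_DER = _der(0x30, _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))
                      + _der(0x03, b"\x00" + _der(0x30, _der(0x02, b"\x00" + b"\xc3" * 256)
                                                        + _der(0x02, b"\x01\x00\x01"))))

if __name__ == "__main__":
    der = from_idt_hex(SAMPLE_IDT_TEXT)
    print(describe(der), "|", describe(RSA_SAMPLE_DER))
    print(to_idt_hex(der) == SAMPLE_IDT_TEXT)
```

To obtain a DER SPKI from a certificate you are about to install in the certificate slot, `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER -out pub.der` works; running `describe()` on that file before provisioning would have flagged the 2048-bit RSA certificate from the log above immediately, and `check_for_idt()` on the ASCII-hex file body catches the same mismatch on the IDT side.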

@Darsh-Dev
Author

@ayushev,
That is a great catch, I missed that.
I will try generating an EC256 based certificate and update you.

Appreciate your help.

@Rutvij-dev

> After iot_test_pkcs11_config.h was configured with the E2/F2 credentials and the onboard key generation process was done, the same test fails saying "Invalid object handle found for private key." here.
>
> Maybe I am missing something?!

Hi @Darsh-Dev and @ayushev,
I am also following the same device testing and having the same issue as mentioned here.
Did you get a resolution, @Darsh-Dev?

Can you help @ayushev ?

--
Thanks,
Rutvij

@Rutvij-dev

Hi @ayushev and @Darsh-Dev ,

To provide an update: if I followed the below link and added

```c
xResult = prvDestroyTestCredentials();
```

before the xProvisionGenerateKeyPairEC operation, the tests are passing.

Any thoughts ?

--
Thanks,
Rutvij

@ayushev
Member

ayushev commented Nov 29, 2021

> Can you help @ayushev ?

Hello @Rutvij-dev ,

I believe the problem of @Darsh-Dev might already be resolved, and if I understand correctly it was in the setup he had.
If your results are failing, what does it look like? Can you please provide a log similar to what the author of the issue did?

Thanks in advance

@Rutvij-dev

Hello @ayushev,

Certainly we both have different hardware setups, but from top-level debugging I found that these are two different repos.

In Infineon's repo I found `xResult = prvDestroyTestCredentials();`, but not in the AWS repo for the device validation.

After applying that snippet from Infineon's repo, I could pass my result; I believe this is more of an implementation difference rather than a setup difference.

Kindly correct me if I am wrong.

--
Thanks,
Rutvij

@ayushev
Member

ayushev commented Dec 10, 2021

Hello @Rutvij-dev
Trust M was officially qualified against a standard set of tests for the 202002.00 version of the software, whereas you are looking into the more recent 202107.00 version.
