Skip to content

PKCS11 TNGTLS

Rathan Chandavath Rajagopal edited this page Oct 28, 2020 · 10 revisions

Build and Install cryptoauthlib with PKCS11 support

  • Clone Cryptoauthlib on Linux system

    • Get the latest version of cryptoauthlib
    $ git clone https://github.com/MicrochipTech/cryptoauthlib.git
  • Build the Cryptoauthlib

    $ cd cryptoauthlib
    $ mkdir build
    $ cd build
    $ cmake -DBUILD_TESTS=ON -DATCA_HAL_I2C=ON -DATCA_PKCS11=ON -DATCA_TNGTLS_SUPPORT=ON -DATCA_ATECC608A_SUPPORT=ON -DATCA_OPENSSL=ON ../         
    $ cmake --build .
    $ sudo make install

Here -DBUILD_TESTS=ON is optional, which required to test the library. In case of TNG legacy support required, can include -DATCA_TNG_LEGACY_SUPPORT=ON For more information about cryptoauthlib configuration, check https://github.com/MicrochipTech/cryptoauthlib/wiki/Configuration

NOTE: i) If need to select particular device i2c address, can update ./lib/atca_cfgs.c file ii) if need to build a different configuration, can remove cmake cache and delete build directory. Then re-build the libary.

Testing the Cryptoauthlib

  • The test application can found under ./test/
$ ./cryptoauth_test
  • Select a device ATECC608, interface as i2c, bus number as 1 and address 6A (TNGTLS)
$ 608 -i i2c 1 -a 0x6A

In Cryptoauthlib, default interface is USB HID. By providing interface, bus number and address will select proper interface and communicate with same.

  • Run info command to get device revision number
$ info 

On successful execution of command, will display device revision number.

Configuration the cryptoauthlib PKCS11 Library

  • The config file template is available under /var/lib/cryptoauthlib/slot.conf.tmpl and rename the file to 0.conf.
    # Set a label for this slot (optional)
    # will default to <slot>ABC so
    # 0.conf will have a default label 00ABC
    label = MCHP
    
    # Configure the device interface for an enabled HAL
    # hid,i2c,<address>
    # i2c,<address>,<bus>
    # spi,<select_line>,<baud>
    interface = i2c,0x6A,1
    
    # Configure the device type - base part number (optional)
    # device = ATECC608A-TFLXTLS
    device = ATECC608A-TNGTLS
    
    #Configure open slots for additional pkcs11 objects (optional)
    #freeslots = 1,2,3
    
    # Manually configure keys into device locations (slots/handles)
    # Slot 0 is the primary private key
    #object = private,device,0
    # Slot 10 is the certificate data for the device’s pub key
    #object = certificate,device,10
    # Slot 12 is the intermediate/signer certificate data
    #object = certificate,signer,12
    # Slot 15 is a public key
    #object = public,root,15
    

Please note that if you select a Trust Platform device such as TFLXTLS or TNGTLS you should not define objects!

Refer https://github.com/MicrochipTech/cryptoauthlib/wiki/Configuration for further configuration required

Testing the Cryptoauthlib PKCS11

Before testing the PKCS11 i) make sure you have installed the relevant tools and software packages. Check PKCS11-Linux-Setup guide page: https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup

  • List your token using the following command:
$ p11tool --list-tokens
  • Output Example:
  • Getting the Public key of slot 0 using P11-Kit and decoding using OpenSSL
$ p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private" | openssl pkey -pubin -text -noout
  • Getting Public key using OpenSSL
$ openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -noout -text
  • Creating CSR
$ openssl req -engine pkcs11 -key "pkcs11:token=MCHP;object=device;type=private" -keyform engine -new -text -noout -sha256 -subj "/CN=0123xxxxxxxxxxxx01_ATECC" 

ATECC608 stores certificates but here for simplicity we just use the file system.

Create a message.txt file to test a sign and verify commands using OpenSSL

  • ECDSA Sign
$ openssl dgst -sha256 -engine pkcs11 -sign "pkcs11:token=MCHP;object=device;type=private" -keyform engine -out signature.der message.txt
  • ECDSA Verify
$ openssl dgst -sha256 -engine pkcs11 -verify "pkcs11:token=MCHP;object=device;type=private" -keyform engine -signature signature.der message.txt

Verify the signature on host using device public key

  • Read device public key
$ openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -pubout -out pub-key.pem
  • Verify on host
$ openssl dgst -sha256 -verify pub-key.pem -signature signature.der message.txt

Reading Certificates from TNGTLS device using PKCS11

  • Set the PKCS11 configuration properly for TNGTLS device in 0.conf file
# Set a label for this slot (optional)
# will default to <slot>ABC so
# 0.conf will have a default label 00ABC
label = MCHP

# Configure the device interface for an enabled HAL
# hid,i2c,<address>
# i2c,<address>,<bus>
# spi,<select_line>,<baud>
interface = i2c,0x6A,1

# Configure the device type - base part number (optional)
device = ATECC608A-TNGTLS
  • Certificates can be accessible now using p11tool
$ p11tool --list-all-certs 'pkcs11:token=MCHP;type=cert'

or 

$ p11tool --list-all-certs 'pkcs11:manufacturer=Microchip%20Technology%20Inc'
  • Read signer certificate from device and decoding
$ p11tool --export-stapled 'pkcs11:token=MCHP;object=signer;type=cert' | openssl x509 -text -noout
  • Read device certificate from device and decoding
$ p11tool --export-stapled 'pkcs11:token=MCHP;object=device;type=cert' | openssl x509 -text -noout

Connecting to the AWS Cloud using TNGTLS

AWS IoT Core example

Install trustplatform design suite https://www.microchip.com/design-centers/security-ics/trust-platform

  • Create your manifest file Run /TrustnGO/00_resource_generation/TNGTLS_manifest_file_generation.ipynb jupyter notebook

  • Upload your manifest file to AWS IoT Run /TrustnGO/05_cloud_connect/notebook/aws/TNGTLS_aws_connect.ipynb jupyter notebook

On successful aws cli configure, will provide iot endpoint address, which will be used later here.

The command suggested by AWS team is available here: https://docs.aws.amazon.com/iot/latest/developerguide/http.html#codeexample https://docs.aws.amazon.com/it_it/iot/latest/developerguide/protocols.html#protocol-port-mapping

Notes about SNI: https://docs.aws.amazon.com/it_it/iot/latest/developerguide/protocols.html#protocol-port-mapping https://hacksbrain.com/2018/08/27/testing-sni-enabled-servers-with-curl/

Make sure that the publish command is in line with the policy assigned to the thing. In this case we used a simple “open all” policy applicable for testing purposes (see example below).

  • To Publish message to AWS IoT Cloud using PKCS11
# Replace iot_endpoint with actual iot endpoint address (got in previous step)
$ curl --verbose --tlsv1.2 \
    --cacert AmazonRootCA3.pem \
    --engine pkcs11 \
    --cert "pkcs11:token=MCHP;object=device;type=cert" \
    --key "pkcs11:token=MCHP;object=device;type=private" \
    --request POST --data "{ \"message\": \"Hello, world\" }" \
    --resolve <iot_endpoint>:8443:<iot_endpoint>
    https://<iot_endpoint>:8443/topics/test/topic?qos=1
  • Example output:
  • On AWS web console

Hardware setup details

  • I2C Check Checking the i2c connection is working TFLX device example
$ sudo i2cdetect -y 1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- 36 -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
  • Note on atca_cfgs.c The bus number is not in the text configuration files yet so to change that you have to change the default in atca_cfgs.c. This setting is not required, the bus and address can be specified as per previous paragraphs.

  • Trust Platform I2C addresses On a spi the i2c bus should be set to 1, default is instead set to 2 (see following picture). Also, the slave address shall be changed if you are using pre-provisioned devices, example: • TNGTLS 0x6A 0x35 = 0011 0101 << 0110 1010 = 0x6A • TFLX 0x6C 0x36 = 0011 0110 << 0110 1100 = 0x6C • TCUSTOM 0xC0

Clone this wiki locally