IoT-Safe Module
Functions
Name | |
---|---|
int | wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX * ctx) This function enables the IoT-Safe support on the given context. |
int | wolfSSL_iotsafe_on(WOLFSSL * ssl, byte privkey_id, byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot) This function connects the IoT-Safe TLS callbacks to the given SSL session. |
int | wolfSSL_iotsafe_on_ex(WOLFSSL * ssl, byte * privkey_id, byte * ecdh_keypair_slot, byte * peer_pubkey_slot, byte * peer_cert_slot, word16 id_size) This function connects the IoT_Safe TLS callbacks to the given SSL session. This is equivalent to wolfSSL_iotsafe_on except that the IDs for the IoT-SAFE slots can be passed by reference, and the length of the ID fields can be specified via the parameter "id_size". |
void | wolfIoTSafe_SetCSIM_read_cb(wolfSSL_IOTSafe_CSIM_read_cb rf) Associates a read callback for the AT+CSIM commands. This input function is usually associated to a read event of a UART channel communicating with the modem. The read callback associated is global and changes for all the contexts that use IoT-safe support at the same time. |
void | wolfIoTSafe_SetCSIM_write_cb(wolfSSL_IOTSafe_CSIM_write_cb wf) Associates a write callback for the AT+CSIM commands. This output function is usually associated to a write event on a UART channel communicating with the modem. The write callback associated is global and changes for all the contexts that use IoT-safe support at the same time. |
int | wolfIoTSafe_GetRandom(unsigned char * out, word32 sz) Generate a random buffer of given size, using the IoT-Safe function GetRandom. This function is automatically used by the wolfCrypt RNG object. |
int | wolfIoTSafe_GetCert(uint8_t id, unsigned char * output, unsigned long sz) Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Works with one-byte file ID field. |
int | wolfIoTSafe_GetCert_ex(uint8_t * id, uint16_t id_sz, unsigned char * output, unsigned long sz) Import a certificate stored in a file on IoT_Safe applet, and store it locally in memory. Equivalent to wolfIoTSafe_GetCert, except that it can be invoked with a file ID of two or more bytes. |
int | wc_iotsafe_ecc_import_public(ecc_key * key, byte key_id) Import an ECC 256-bit public key, stored in the IoT-Safe applet, into an ecc_key object. |
int | wc_iotsafe_ecc_export_public(ecc_key * key, byte key_id) Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet. |
int | wc_iotsafe_ecc_import_public_ex(ecc_key * key, byte * key_id, word16 id_size) Export an ECC 256_bit public key, from ecc_key object to a writable public_key slot into the IoT_Safe applet. Equivalent to wc_iotsafe_ecc_import_public, except that it can be invoked with a key ID of two or more bytes. |
int | wc_iotsafe_ecc_export_private(ecc_key * key, byte key_id) Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet. |
int | wc_iotsafe_ecc_export_private_ex(ecc_key * key, byte * key_id, word16 id_size) Export an ECC 256_bit key, from ecc_key object to a writable private_key slot into the IoT_Safe applet. Equivalent to wc_iotsafe_ecc_export_private, except that it can be invoked with a key ID of two or more bytes. |
int | wc_iotsafe_ecc_sign_hash(byte * in, word32 inlen, byte * out, word32 * outlen, byte key_id) Sign a pre-computed HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet. |
int | wc_iotsafe_ecc_sign_hash_ex(byte * in, word32 inlen, byte * out, word32 * outlen, byte * key_id, word16 id_size) Sign a pre_computed HASH, using a private key previously stored, or pre_provisioned, in the IoT_Safe applet. Equivalent to wc_iotsafe_ecc_sign_hash, except that it can be invoked with a key ID of two or more bytes. |
int | wc_iotsafe_ecc_verify_hash(byte * sig, word32 siglen, byte * hash, word32 hashlen, int * res, byte key_id) Verify an ECC signature against a pre-computed HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res. |
int | wc_iotsafe_ecc_verify_hash_ex(byte * sig, word32 siglen, byte * hash, word32 hashlen, int * res, byte * key_id, word16 id_size) Verify an ECC signature against a pre_computed HASH, using a public key previously stored, or pre_provisioned, in the IoT_Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res. Equivalent to wc_iotsafe_ecc_verify_hash, except that it can be invoked with a key ID of two or more bytes. |
int | wc_iotsafe_ecc_gen_k(byte key_id) Generate an ECC 256_bit keypair and store it in a (writable) slot into the IoT-Safe applet. |
Detailed Description
IoT-Safe (IoT-SIM Applet For Secure End-2-End Communication) is a technology that leverage the SIM as robust, scalable and standardized hardware Root of Trust to protect data communication.
IoT-Safe SSL sessions use the SIM as Hardware Security Module, offloading all the crypto public key operations and reducing the attack surface by restricting access to certificate and keys to the SIM.
IoT-Safe support can be enabled on an existing WOLFSSL_CTX context, using wolfSSL_CTX_iotsafe_enable().
Session created within the context can set the parameters for IoT-Safe key and files usage, and enable the public keys callback, with wolfSSL_iotsafe_on().
If compiled in, the module supports IoT-Safe random number generator as source of entropy for wolfCrypt.
Functions Documentation
function wolfSSL_CTX_iotsafe_enable
int wolfSSL_CTX_iotsafe_enable(
WOLFSSL_CTX * ctx
)
This function enables the IoT-Safe support on the given context.
Parameters:
- ctx pointer to the WOLFSSL_CTX object on which the IoT-safe support must be enabled
See:
Return:
- 0 on success
- WC_HW_E on hardware error
Example
WOLFSSL_CTX *ctx;
ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
if (!ctx)
return NULL;
wolfSSL_CTX_iotsafe_enable(ctx);
function wolfSSL_iotsafe_on
int wolfSSL_iotsafe_on(
WOLFSSL * ssl,
byte privkey_id,
byte ecdh_keypair_slot,
byte peer_pubkey_slot,
byte peer_cert_slot
)
This function connects the IoT-Safe TLS callbacks to the given SSL session.
Parameters:
- ssl pointer to the WOLFSSL object where the callbacks will be enabled
- privkey_id id of the iot-safe applet slot containing the private key for the host
- ecdh_keypair_slot id of the iot-safe applet slot to store the ECDH keypair
- peer_pubkey_slot id of the iot-safe applet slot to store the other endpoint's public key for ECDH
- peer_cert_slot id of the iot-safe applet slot to store the other endpoint's public key for verification
See:
Return:
- 0 upon success
- NOT_COMPILED_IN if HAVE_PK_CALLBACKS is disabled
- BAD_FUNC_ARG if the ssl pointer is invalid
This should be called to connect a SSL session to IoT-Safe applet when the ID of the slots are one-byte long. If IoT-SAFE slots have an ID of two or more bytes, wolfSSL_iotsafe_on_ex() should be used instead.
Example
// Define key ids for IoT-Safe
#define PRIVKEY_ID 0x02
#define ECDH_KEYPAIR_ID 0x03
#define PEER_PUBKEY_ID 0x04
#define PEER_CERT_ID 0x05
// Create new ssl session
WOLFSSL *ssl;
ssl = wolfSSL_new(ctx);
if (!ssl)
return NULL;
// Enable IoT-Safe and associate key slots
ret = wolfSSL_CTX_iotsafe_enable(ctx);
if (ret == 0) {
ret = wolfSSL_iotsafe_on(ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_ID);
}
function wolfSSL_iotsafe_on_ex
int wolfSSL_iotsafe_on_ex(
WOLFSSL * ssl,
byte * privkey_id,
byte * ecdh_keypair_slot,
byte * peer_pubkey_slot,
byte * peer_cert_slot,
word16 id_size
)
This function connects the IoT-Safe TLS callbacks to the given SSL session. This is equivalent to wolfSSL_iotsafe_on except that the IDs for the IoT-SAFE slots can be passed by reference, and the length of the ID fields can be specified via the parameter "id_size".
Parameters:
- ssl pointer to the WOLFSSL object where the callbacks will be enabled
- privkey_id pointer to the id of the iot-safe applet slot containing the private key for the host
- ecdh_keypair_slot pointer to the id of the iot-safe applet slot to store the ECDH keypair
- peer_pubkey_slot pointer to the of id the iot-safe applet slot to store the other endpoint's public key for ECDH
- peer_cert_slot pointer to the id of the iot-safe applet slot to store the other endpoint's public key for verification
- id_size size of each slot ID
See:
Return:
- 0 upon success
- NOT_COMPILED_IN if HAVE_PK_CALLBACKS is disabled
- BAD_FUNC_ARG if the ssl pointer is invalid
Example
// Define key ids for IoT-Safe (16 bit, little endian)
#define PRIVKEY_ID 0x0201
#define ECDH_KEYPAIR_ID 0x0301
#define PEER_PUBKEY_ID 0x0401
#define PEER_CERT_ID 0x0501
#define ID_SIZE (sizeof(word16))
word16 privkey = PRIVKEY_ID,
ecdh_keypair = ECDH_KEYPAIR_ID,
peer_pubkey = PEER_PUBKEY_ID,
peer_cert = PEER_CERT_ID;
// Create new ssl session
WOLFSSL *ssl;
ssl = wolfSSL_new(ctx);
if (!ssl)
return NULL;
// Enable IoT-Safe and associate key slots
ret = wolfSSL_CTX_iotsafe_enable(ctx);
if (ret == 0) {
ret = wolfSSL_CTX_iotsafe_on_ex(ssl, &privkey, &ecdh_keypair, &peer_pubkey, &peer_cert, ID_SIZE);
}
function wolfIoTSafe_SetCSIM_read_cb
void wolfIoTSafe_SetCSIM_read_cb(
wolfSSL_IOTSafe_CSIM_read_cb rf
)
Associates a read callback for the AT+CSIM commands. This input function is usually associated to a read event of a UART channel communicating with the modem. The read callback associated is global and changes for all the contexts that use IoT-safe support at the same time.
Parameters:
- rf Read callback associated to a UART read event. The callback function takes two arguments (buf, len) and return the number of characters read, up to len. When a newline is encountered, the callback should return the number of characters received so far, including the newline character.
See: wolfIoTSafe_SetCSIM_write_cb
Example
// USART read function, defined elsewhere
int usart_read(char *buf, int len);
wolfIoTSafe_SetCSIM_read_cb(usart_read);
function wolfIoTSafe_SetCSIM_write_cb
void wolfIoTSafe_SetCSIM_write_cb(
wolfSSL_IOTSafe_CSIM_write_cb wf
)
Associates a write callback for the AT+CSIM commands. This output function is usually associated to a write event on a UART channel communicating with the modem. The write callback associated is global and changes for all the contexts that use IoT-safe support at the same time.
Parameters:
- rf Write callback associated to a UART write event. The callback function takes two arguments (buf, len) and return the number of characters written, up to len.
See: wolfIoTSafe_SetCSIM_read_cb
Example
// USART write function, defined elsewhere
int usart_write(const char *buf, int len);
wolfIoTSafe_SetCSIM_write_cb(usart_write);
function wolfIoTSafe_GetRandom
int wolfIoTSafe_GetRandom(
unsigned char * out,
word32 sz
)
Generate a random buffer of given size, using the IoT-Safe function GetRandom. This function is automatically used by the wolfCrypt RNG object.
Parameters:
- out the buffer where the random sequence of bytes is stored.
- sz the size of the random sequence to generate, in bytes
Return: 0 upon success
function wolfIoTSafe_GetCert
int wolfIoTSafe_GetCert(
uint8_t id,
unsigned char * output,
unsigned long sz
)
Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Works with one-byte file ID field.
Parameters:
- id The file id in the IoT-Safe applet where the certificate is stored
- output the buffer where the certificate will be imported
- sz the maximum size available in the buffer output
Return:
- the length of the certificate imported
- < 0 in case of failure
Example
#define CRT_CLIENT_FILE_ID 0x03
unsigned char cert_buffer[2048];
// Get the certificate into the buffer
cert_buffer_size = wolfIoTSafe_GetCert(CRT_CLIENT_FILE_ID, cert_buffer, 2048);
if (cert_buffer_size < 1) {
printf("Bad cli cert\n");
return -1;
}
printf("Loaded Client certificate from IoT-Safe, size = %lu\n", cert_buffer_size);
// Use the certificate buffer as identity for the TLS client context
if (wolfSSL_CTX_use_certificate_buffer(cli_ctx, cert_buffer,
cert_buffer_size, SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("Cannot load client cert\n");
return -1;
}
printf("Client certificate successfully imported.\n");
function wolfIoTSafe_GetCert_ex
int wolfIoTSafe_GetCert_ex(
uint8_t * id,
uint16_t id_sz,
unsigned char * output,
unsigned long sz
)
Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Equivalent to wolfIoTSafe_GetCert, except that it can be invoked with a file ID of two or more bytes.
Parameters:
- id Pointer to the file id in the IoT-Safe applet where the certificate is stored
- id_sz Size of the file id in bytes
- output the buffer where the certificate will be imported
- sz the maximum size available in the buffer output
Return:
- the length of the certificate imported
- < 0 in case of failure
Example
#define CRT_CLIENT_FILE_ID 0x0302
#define ID_SIZE (sizeof(word16))
unsigned char cert_buffer[2048];
word16 client_file_id = CRT_CLIENT_FILE_ID;
// Get the certificate into the buffer
cert_buffer_size = wolfIoTSafe_GetCert_ex(&client_file_id, ID_SIZE, cert_buffer, 2048);
if (cert_buffer_size < 1) {
printf("Bad cli cert\n");
return -1;
}
printf("Loaded Client certificate from IoT-Safe, size = %lu\n", cert_buffer_size);
// Use the certificate buffer as identity for the TLS client context
if (wolfSSL_CTX_use_certificate_buffer(cli_ctx, cert_buffer,
cert_buffer_size, SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("Cannot load client cert\n");
return -1;
}
printf("Client certificate successfully imported.\n");
function wc_iotsafe_ecc_import_public
int wc_iotsafe_ecc_import_public(
ecc_key * key,
byte key_id
)
Import an ECC 256-bit public key, stored in the IoT-Safe applet, into an ecc_key object.
Parameters:
- key the ecc_key object that will contain the key imported from the IoT-Safe applet
- id The key id in the IoT-Safe applet where the public key is stored
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_export_public
int wc_iotsafe_ecc_export_public(
ecc_key * key,
byte key_id
)
Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet.
Parameters:
- key the ecc_key object containing the key to be exported
- id The key id in the IoT-Safe applet where the public key will be stored
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_import_public_ex
int wc_iotsafe_ecc_import_public_ex(
ecc_key * key,
byte * key_id,
word16 id_size
)
Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_import_public, except that it can be invoked with a key ID of two or more bytes.
Parameters:
- key the ecc_key object containing the key to be exported
- id The pointer to the key id in the IoT-Safe applet where the public key will be stored
- id_size The key id size
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_export_private
int wc_iotsafe_ecc_export_private(
ecc_key * key,
byte key_id
)
Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet.
Parameters:
- key the ecc_key object containing the key to be exported
- id The key id in the IoT-Safe applet where the private key will be stored
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_export_private_ex
int wc_iotsafe_ecc_export_private_ex(
ecc_key * key,
byte * key_id,
word16 id_size
)
Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_export_private, except that it can be invoked with a key ID of two or more bytes.
Parameters:
- key the ecc_key object containing the key to be exported
- id The pointer to the key id in the IoT-Safe applet where the private key will be stored
- id_size The key id size
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_sign_hash
int wc_iotsafe_ecc_sign_hash(
byte * in,
word32 inlen,
byte * out,
word32 * outlen,
byte key_id
)
Sign a pre-computed HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet.
Parameters:
- in pointer to the buffer containing the message hash to sign
- inlen length of the message hash to sign
- out buffer in which to store the generated signature
- outlen max length of the output buffer. Will store the bytes
- id key id in the IoT-Safe applet for the slot containing the private key to sign the payload written to out upon successfully generating a message signature
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_sign_hash_ex
int wc_iotsafe_ecc_sign_hash_ex(
byte * in,
word32 inlen,
byte * out,
word32 * outlen,
byte * key_id,
word16 id_size
)
Sign a pre-computed HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_sign_hash, except that it can be invoked with a key ID of two or more bytes.
Parameters:
- in pointer to the buffer containing the message hash to sign
- inlen length of the message hash to sign
- out buffer in which to store the generated signature
- outlen max length of the output buffer. Will store the bytes
- id pointer to a key id in the IoT-Safe applet for the slot containing the private key to sign the payload written to out upon successfully generating a message signature
- id_size The key id size
See:
Return:
- 0 upon success
- < 0 in case of failure
function wc_iotsafe_ecc_verify_hash
int wc_iotsafe_ecc_verify_hash(
byte * sig,
word32 siglen,
byte * hash,
word32 hashlen,
int * res,
byte key_id
)
Verify an ECC signature against a pre-computed HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res.
Parameters:
- sig buffer containing the signature to verify
- hash The hash (message digest) that was signed
- hashlen The length of the hash (octets)
- res Result of signature, 1==valid, 0==invalid
- key_id The id of the slot where the public ECC key is stored in the IoT-Safe applet
See:
Return:
- 0 upon success (even if the signature is not valid)
- < 0 in case of failure.
function wc_iotsafe_ecc_verify_hash_ex
int wc_iotsafe_ecc_verify_hash_ex(
byte * sig,
word32 siglen,
byte * hash,
word32 hashlen,
int * res,
byte * key_id,
word16 id_size
)
Verify an ECC signature against a pre-computed HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res. Equivalent to wc_iotsafe_ecc_verify_hash, except that it can be invoked with a key ID of two or more bytes.
Parameters:
- sig buffer containing the signature to verify
- hash The hash (message digest) that was signed
- hashlen The length of the hash (octets)
- res Result of signature, 1==valid, 0==invalid
- key_id The id of the slot where the public ECC key is stored in the IoT-Safe applet
- id_size The key id size
See:
Return:
- 0 upon success (even if the signature is not valid)
- < 0 in case of failure.
function wc_iotsafe_ecc_gen_k
int wc_iotsafe_ecc_gen_k(
byte key_id
)
Generate an ECC 256-bit keypair and store it in a (writable) slot into the IoT-Safe applet.
Parameters:
- key_id The id of the slot where the ECC key pair is stored in the IoT-Safe applet.
- key_id The id of the slot where the ECC key pair is stored in the IoT-Safe applet.
- id_size The key id size
See:
- wc_iotsafe_ecc_gen_k_ex
- wc_iotsafe_ecc_sign_hash
- wc_iotsafe_ecc_verify_hash
- wc_iotsafe_ecc_gen_k
- wc_iotsafe_ecc_sign_hash_ex
- wc_iotsafe_ecc_verify_hash_ex
Return:
- 0 upon success
- < 0 in case of failure.
- 0 upon success
- < 0 in case of failure.
Generate an ECC 256-bit keypair and store it in a (writable) slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_gen_k, except that it can be invoked with a key ID of two or more bytes.
Updated on 2024-12-02 at 01:16:31 +0000