[FL-1826] Crypto: correct key provisioning procedure. (#709)
* Crypto: correct key provisioning procedure. * Format Sources * Cli: target for bootloder in device_info
This commit is contained in:
parent
f05153ed5c
commit
322bdf049d
@ -14,7 +14,7 @@ static const uint8_t enclave_signature_iv[16] =
|
||||
static const uint8_t enclave_signature_input[ENCLAVE_SIGNATURE_SIZE] =
|
||||
{0xdc, 0x76, 0x15, 0x1e, 0x69, 0xe8, 0xdc, 0xd3, 0x4a, 0x71, 0x0b, 0x42, 0x71, 0xe0, 0xa9, 0x78};
|
||||
static const uint8_t enclave_signature_expected[ENCLAVE_SIGNATURE_SIZE] =
|
||||
{0x6b, 0x31, 0xc, 0xac, 0x3f, 0x68, 0x79, 0x76, 0x43, 0xc4, 0xfe, 0xe0, 0x25, 0x53, 0x64, 0xc7};
|
||||
{0x1b, 0xb3, 0xcf, 0x16, 0xc, 0x27, 0xf7, 0xf2, 0xf0, 0x7e, 0x5f, 0xbe, 0xfe, 0x89, 0x52, 0xe1};
|
||||
|
||||
/*
|
||||
* Device Info Command
|
||||
@ -52,6 +52,7 @@ void cli_command_device_info(Cli* cli, string_t args, void* context) {
|
||||
const Version* boot_version = furi_hal_version_get_boot_version();
|
||||
if(boot_version) {
|
||||
printf("boot_version : %s\r\n", version_get_version(boot_version));
|
||||
printf("boot_target : %s\r\n", version_get_target(boot_version));
|
||||
printf("boot_commit : %s\r\n", version_get_githash(boot_version));
|
||||
printf("boot_branch : %s\r\n", version_get_gitbranch(boot_version));
|
||||
printf("boot_build_date : %s\r\n", version_get_builddate(boot_version));
|
||||
|
@ -14,7 +14,7 @@ void crypto_cli_print_usage() {
|
||||
"\tdecrypt <key_slot:int> <iv:hex>\t - Using key from secure enclave and IV decrypt hex encoded encrypted with AES256CBC data to plain text\r\n");
|
||||
printf("\thas_key <key_slot:int>\t - Check if secure enclave has key in slot\r\n");
|
||||
printf(
|
||||
"\tstore_key <key_type:str> <key_size:int> <key_data:hex>\t - Store key in secure enclave, returns allocated slot number !!! NON-REVERSABLE OPERATION - READ MANUAL FIRST !!!\r\n");
|
||||
"\tstore_key <key_slot:int> <key_type:str> <key_size:int> <key_data:hex>\t - Store key in secure enclave. !!! NON-REVERSABLE OPERATION - READ MANUAL FIRST !!!\r\n");
|
||||
};
|
||||
|
||||
void crypto_cli_encrypt(Cli* cli, string_t args) {
|
||||
@ -54,7 +54,7 @@ void crypto_cli_encrypt(Cli* cli, string_t args) {
|
||||
string_push_back(input, c);
|
||||
} else if(c == CliSymbolAsciiCR) {
|
||||
printf("\r\n");
|
||||
string_push_back(input, '\n');
|
||||
string_cat_str(input, "\r\n");
|
||||
}
|
||||
}
|
||||
|
||||
@ -73,6 +73,7 @@ void crypto_cli_encrypt(Cli* cli, string_t args) {
|
||||
} else {
|
||||
printf("Hex-encoded encrypted data:\r\n");
|
||||
for(size_t i = 0; i < size; i++) {
|
||||
if(i % 80 == 0) printf("\r\n");
|
||||
printf("%02x", output[i]);
|
||||
}
|
||||
printf("\r\n");
|
||||
@ -127,7 +128,6 @@ void crypto_cli_decrypt(Cli* cli, string_t args) {
|
||||
string_push_back(hex_input, c);
|
||||
} else if(c == CliSymbolAsciiCR) {
|
||||
printf("\r\n");
|
||||
string_push_back(hex_input, '\n');
|
||||
}
|
||||
}
|
||||
|
||||
@ -138,13 +138,15 @@ void crypto_cli_decrypt(Cli* cli, string_t args) {
|
||||
uint8_t* input = furi_alloc(size);
|
||||
uint8_t* output = furi_alloc(size);
|
||||
|
||||
if(args_read_hex_bytes(hex_input, input, size) &&
|
||||
furi_hal_crypto_decrypt(input, output, size)) {
|
||||
printf("Decrypted data:\r\n");
|
||||
printf("%s\r\n", output);
|
||||
|
||||
if(args_read_hex_bytes(hex_input, input, size)) {
|
||||
if(furi_hal_crypto_decrypt(input, output, size)) {
|
||||
printf("Decrypted data:\r\n");
|
||||
printf("%s\r\n", output);
|
||||
} else {
|
||||
printf("Failed to decrypt\r\n");
|
||||
}
|
||||
} else {
|
||||
printf("Failed to decrypt input");
|
||||
printf("Failed to parse input");
|
||||
}
|
||||
|
||||
free(input);
|
||||
@ -183,6 +185,7 @@ void crypto_cli_has_key(Cli* cli, string_t args) {
|
||||
}
|
||||
|
||||
void crypto_cli_store_key(Cli* cli, string_t args) {
|
||||
int key_slot = 0;
|
||||
int key_size = 0;
|
||||
string_t key_type;
|
||||
string_init(key_type);
|
||||
@ -193,14 +196,26 @@ void crypto_cli_store_key(Cli* cli, string_t args) {
|
||||
size_t data_size = 0;
|
||||
|
||||
do {
|
||||
if(!args_read_int_and_trim(args, &key_slot)) {
|
||||
printf("Incorrect or missing key type, expected master, simple or encrypted");
|
||||
break;
|
||||
}
|
||||
if(!args_read_string_and_trim(args, key_type)) {
|
||||
printf("Incorrect or missing key type, expected master, simple or encrypted");
|
||||
break;
|
||||
}
|
||||
|
||||
if(string_cmp_str(key_type, "master") == 0) {
|
||||
if(key_slot != 0) {
|
||||
printf("Master keyslot must be is 0");
|
||||
break;
|
||||
}
|
||||
key.type = FuriHalCryptoKeyTypeMaster;
|
||||
} else if(string_cmp_str(key_type, "simple") == 0) {
|
||||
if(key_slot < 1 || key_slot > 99) {
|
||||
printf("Simple keyslot must be in range");
|
||||
break;
|
||||
}
|
||||
key.type = FuriHalCryptoKeyTypeSimple;
|
||||
} else if(string_cmp_str(key_type, "encrypted") == 0) {
|
||||
key.type = FuriHalCryptoKeyTypeEncrypted;
|
||||
@ -230,6 +245,26 @@ void crypto_cli_store_key(Cli* cli, string_t args) {
|
||||
break;
|
||||
}
|
||||
|
||||
if(key_slot > 0) {
|
||||
uint8_t iv[16];
|
||||
if(key_slot > 1) {
|
||||
if(!furi_hal_crypto_store_load_key(key_slot - 1, iv)) {
|
||||
printf(
|
||||
"Slot %d before %d is empty, which is not allowed",
|
||||
key_slot - 1,
|
||||
key_slot);
|
||||
break;
|
||||
}
|
||||
furi_hal_crypto_store_unload_key(key_slot - 1);
|
||||
}
|
||||
|
||||
if(furi_hal_crypto_store_load_key(key_slot, iv)) {
|
||||
furi_hal_crypto_store_unload_key(key_slot);
|
||||
printf("Key slot %d is already used", key_slot);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
uint8_t slot;
|
||||
if(furi_hal_crypto_store_add_key(&key, &slot)) {
|
||||
printf("Success. Stored to slot: %d", slot);
|
||||
|
@ -13,6 +13,7 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) {
|
||||
furi_assert(slot);
|
||||
|
||||
SHCI_C2_FUS_StoreUsrKey_Cmd_Param_t pParam;
|
||||
size_t key_data_size = 0;
|
||||
|
||||
if (key->type == FuriHalCryptoKeyTypeMaster) {
|
||||
pParam.KeyType = KEYTYPE_MASTER;
|
||||
@ -20,18 +21,23 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) {
|
||||
pParam.KeyType = KEYTYPE_SIMPLE;
|
||||
} else if (key->type == FuriHalCryptoKeyTypeEncrypted) {
|
||||
pParam.KeyType = KEYTYPE_ENCRYPTED;
|
||||
key_data_size += 12;
|
||||
} else {
|
||||
furi_crash("Incorrect key type");
|
||||
}
|
||||
|
||||
if (key->size == FuriHalCryptoKeySize128) {
|
||||
pParam.KeySize = KEYSIZE_16;
|
||||
key_data_size += 16;
|
||||
} else if (key->size == FuriHalCryptoKeySize256) {
|
||||
pParam.KeySize = KEYSIZE_32;
|
||||
key_data_size += 32;
|
||||
} else {
|
||||
furi_crash("Incorrect key size");
|
||||
}
|
||||
|
||||
memcpy(pParam.KeyData, key->data, key_data_size);
|
||||
|
||||
return SHCI_C2_FUS_StoreUsrKey(&pParam, slot) == SHCI_Success;
|
||||
}
|
||||
|
||||
|
@ -13,6 +13,7 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) {
|
||||
furi_assert(slot);
|
||||
|
||||
SHCI_C2_FUS_StoreUsrKey_Cmd_Param_t pParam;
|
||||
size_t key_data_size = 0;
|
||||
|
||||
if (key->type == FuriHalCryptoKeyTypeMaster) {
|
||||
pParam.KeyType = KEYTYPE_MASTER;
|
||||
@ -20,18 +21,23 @@ bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) {
|
||||
pParam.KeyType = KEYTYPE_SIMPLE;
|
||||
} else if (key->type == FuriHalCryptoKeyTypeEncrypted) {
|
||||
pParam.KeyType = KEYTYPE_ENCRYPTED;
|
||||
key_data_size += 12;
|
||||
} else {
|
||||
furi_crash("Incorrect key type");
|
||||
}
|
||||
|
||||
if (key->size == FuriHalCryptoKeySize128) {
|
||||
pParam.KeySize = KEYSIZE_16;
|
||||
key_data_size += 16;
|
||||
} else if (key->size == FuriHalCryptoKeySize256) {
|
||||
pParam.KeySize = KEYSIZE_32;
|
||||
key_data_size += 32;
|
||||
} else {
|
||||
furi_crash("Incorrect key size");
|
||||
}
|
||||
|
||||
memcpy(pParam.KeyData, key->data, key_data_size);
|
||||
|
||||
return SHCI_C2_FUS_StoreUsrKey(&pParam, slot) == SHCI_Success;
|
||||
}
|
||||
|
||||
|
@ -76,12 +76,12 @@ bool args_char_to_hex(char hi_nibble, char low_nibble, uint8_t* byte) {
|
||||
return result;
|
||||
}
|
||||
|
||||
bool args_read_hex_bytes(string_t args, uint8_t* bytes, uint8_t bytes_count) {
|
||||
bool args_read_hex_bytes(string_t args, uint8_t* bytes, size_t bytes_count) {
|
||||
bool result = true;
|
||||
const char* str_pointer = string_get_cstr(args);
|
||||
|
||||
if(args_get_first_word_length(args) == (bytes_count * 2)) {
|
||||
for(uint8_t i = 0; i < bytes_count; i++) {
|
||||
for(size_t i = 0; i < bytes_count; i++) {
|
||||
if(!args_char_to_hex(str_pointer[i * 2], str_pointer[i * 2 + 1], &(bytes[i]))) {
|
||||
result = false;
|
||||
break;
|
||||
|
@ -46,7 +46,7 @@ bool args_read_probably_quoted_string_and_trim(string_t args, string_t word);
|
||||
* @return true - success
|
||||
* @return false - arguments string does not contain enough values, or contain non-hex ASCII values
|
||||
*/
|
||||
bool args_read_hex_bytes(string_t args, uint8_t* bytes, uint8_t bytes_count);
|
||||
bool args_read_hex_bytes(string_t args, uint8_t* bytes, size_t bytes_count);
|
||||
|
||||
/************************************ HELPERS ***************************************/
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user