PKCS11 TNGTLS

Build and Install cryptoauthlib with PKCS11 support

• Clone Cryptoauthlib on Linux system

  • Get the latest version of cryptoauthlib

  $ git clone https://github.com/MicrochipTech/cryptoauthlib.git

• Build the Cryptoauthlib

  $ cd cryptoauthlib
  $ mkdir build
  $ cd build
  $ cmake -DBUILD_TESTS=ON -DATCA_HAL_I2C=ON -DATCA_PKCS11=ON -DATCA_TNGTLS_SUPPORT=ON -DATCA_ATECC608A_SUPPORT=ON -DATCA_OPENSSL=ON ../         
  $ cmake --build .
  $ sudo make install

Here -DBUILD_TESTS=ON is optional, which required to test the library. In case of TNG legacy support required, can include -DATCA_TNG_LEGACY_SUPPORT=ON For more information about cryptoauthlib configuration, check https://github.com/MicrochipTech/cryptoauthlib/wiki/Configuration

• You can build and install with following command also

  $ sudo cmake --build . --target install

NOTE: i) If need to select particular device i2c address, can update cryptoauthlib/lib/atca_cfgs.c file ii) if need to build a different configuration, can remove cmake cache and delete the content of the build directory and you are good to re-run the commands.

Testing the Cryptoauthlib

• The test application can found under cryptoauthlib/test/

$ ./cryptoauth_test

• Select a device ATECC608, interface as i2c, bus number as 1 and address 6A (TNGTLS)

$ 608 -i i2c 1 -a 0x6A

In Cryptoauthlib, default interface is USB HID. By providing interface, bus number and address will select proper interface and communicate with same.

• Run info command to get device revision number

$ info 

On successful execution of command, will display device revision number.

Testing the Cryptoauthlib PKCS#11 integration

Before testing the PKCS11 i) Make sure you have installed the relevant tools and software packages. Check PKCS11-Linux-Setup guide page: https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup

ii) Make sure the configuration is properly set. The file template is available under /varlib/cryptoauthlib/slot.conf.tmpl and rename the file to 0.conf

Please note that if you select a Trust Platform device such as TFLXTLS or TNGTLS you should not define objects!

```
# Set a label for this slot (optional)
# will default to <slot>ABC so
# 0.conf will have a default label 00ABC
label = MCHP

# Configure the device interface for an enabled HAL
# hid,i2c,<address>
# i2c,<address>,<bus>
# spi,<select_line>,<baud>
interface = i2c,0x6A,1

# Configure the device type - base part number (optional)
# device = ATECC608A-TFLXTLS
device = ATECC608A-TNGTLS

#Configure open slots for additional pkcs11 objects (optional)
#freeslots = 1,2,3

# Manually configure keys into device locations (slots/handles)
# Slot 0 is the primary private key
#object = private,device,0
# Slot 10 is the certificate data for the device’s pub key
#object = certificate,device,10
# Slot 12 is the intermediate/signer certificate data
#object = certificate,signer,12
# Slot 15 is a public key
#object = public,root,15
```

NOTE: I2C bus id shall be added after the device address

if your pkcs#11 setup is correct now, you should be able to list your token.

• List your token using the following command:

$ p11tool --list-tokens

• Output Example:

• Getting the Public key of slot 0 using P11-Kit

$ p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private" 

• Decoding the key with OpenSSL canbe done piping the two commands:

$ p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private" | openssl pkey -pubin -text -noout

Using OpenSSL

• OpenSSL can use directly the PCKS#11 engine. For example, the following command can be used to read the ECC public key of the given token:

$ openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -noout -text

• For creating a csr (ATECC608 stores certificates but here for simplicity we just use the file system) the following command can be used:

$ openssl req -engine pkcs11 -key "pkcs11:token=MCHP;object=device;type=private" -keyform engine -new -text -noout -sha256 -subj "/CN=0123xxxxxxxxxxxx01_ATECC" 

ECDSA sign and verify of a message using OpenSSL command line:

Create a message.txt file to test a sign and verify commands using OpenSSL. Use any txt editor such as vi or nano.

• ECDSA Sign

$ openssl dgst -sha256 -engine pkcs11 -sign "pkcs11:token=MCHP;object=device;type=private" -keyform engine -out signature.der message.txt

• ECDSA Verify

$ openssl dgst -sha256 -engine pkcs11 -verify "pkcs11:token=MCHP;object=device;type=private" -keyform engine -signature signature.der message.txt

• Output Example of sign and verify:

You can modify slightly the message and show that the verify will fail. In this case openssl output is "Verification Failure"

• The public key of the given device can be taken from the manifest fileor it can be extracted from the device usingthe following command:

$ openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -pubout -out pub-key.pem

• The public key can be read to double check from the device:

$ openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -pubout -noout -text

• Public key from saved file:

$ openssl ec -in pub-key.pem -pubin -pubout -noout -text

• The pub-key.pem file can be used to verify the message on any other host using the following command:

$ openssl dgst -sha256 -verify pub-key.pem -signature signature.der message.txt

Reading Certificates from TNGTLS device using PKCS11

• Set the PKCS11 configuration properly for TNGTLS device in 0.conf file

# Set a label for this slot (optional)
# will default to <slot>ABC so
# 0.conf will have a default label 00ABC
label = MCHP

# Configure the device interface for an enabled HAL
# hid,i2c,<address>
# i2c,<address>,<bus>
# spi,<select_line>,<baud>
interface = i2c,0x6A,1

# Configure the device type - base part number (optional)
device = ATECC608A-TNGTLS

NOTE: The label configuration helps referring to the device in a much easier way, by just specifying ..."pkcs11:token=MCHP;ob... or any other string you want to use.

ECC Key pair available on slot0 can be used as described in the previous sections.

• Certificates can be accessible now using p11tool

$ p11tool --list-all-certs 'pkcs11:token=MCHP;type=cert'

or 

$ p11tool --list-all-certs 'pkcs11:manufacturer=Microchip%20Technology%20Inc'

• Full certificate chain can be extracted with following command:

$ p11tool --export-chain "pkcs11:token=MCHP;object=device;type=cert"

• Decoding the signer certificate

$ p11tool --export-stapled 'pkcs11:token=MCHP;object=signer;type=cert' | openssl x509 -text -noout

• Decoding the device certificate

$ p11tool --export-stapled 'pkcs11:token=MCHP;object=device;type=cert' | openssl x509 -text -noout

Connecting to the AWS Cloud using TNGTLS

AWS IoT Core example

Install trustplatform design suite https://www.microchip.com/design-centers/security-ics/trust-platform

• Create your manifest file Run /TrustnGO/00_resource_generation/TNGTLS_manifest_file_generation.ipynb jupyter notebook

• Upload your manifest file to AWS IoT Run /TrustnGO/05_cloud_connect/notebook/aws/TNGTLS_aws_connect.ipynb jupyter notebook

On successful aws cli configure, will provide iot endpoint address, which will be used later here.

The command suggested by AWS team is available here: https://docs.aws.amazon.com/iot/latest/developerguide/http.html#codeexample https://docs.aws.amazon.com/it_it/iot/latest/developerguide/protocols.html#protocol-port-mapping

• Get the certificate for server authentication $ curl https://www.amazontrust.com/repository/AmazonRootCA3.pem --output AmazonRootCA3.pem

Notes about SNI: https://docs.aws.amazon.com/it_it/iot/latest/developerguide/protocols.html#protocol-port-mapping https://hacksbrain.com/2018/08/27/testing-sni-enabled-servers-with-curl/

Make sure that the publish command is in line with the policy assigned to the thing. In this case we used a simple “open all” policy applicable for testing purposes (see example below).

• To Publish message to AWS IoT Cloud using PKCS11

# Replace iot_endpoint with actual iot endpoint address (got in previous step)
$ curl --verbose --tlsv1.2 \
    --cacert AmazonRootCA3.pem \
    --engine pkcs11 \
    --cert "pkcs11:token=MCHP;object=device;type=cert" \
    --key "pkcs11:token=MCHP;object=device;type=private" \
    --request POST --data "{ \"message\": \"Hello, world\" }" \
    --resolve <iot_endpoint>:8443:<iot_endpoint>
    https://<iot_endpoint>:8443/topics/test/topic?qos=1

• Example output:

• On AWS web console

Hardware setup details

• I2C Check Checking the i2c connection is working TFLX device example

$ sudo i2cdetect -y 1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- 36 -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

• Note on atca_cfgs.c The bus number is not in the text configuration files yet so to change that you have to change the default in atca_cfgs.c. This setting is not required, the bus and address can be specified as per previous paragraphs.

• Trust Platform I2C addresses On a spi the i2c bus should be set to 1, default is instead set to 2 (see following picture). Also, the slave address shall be changed if you are using pre-provisioned devices, example: • TNGTLS 0x6A 0x35 = 0011 0101 << 0110 1010 = 0x6A • TFLX 0x6C 0x36 = 0011 0110 << 0110 1100 = 0x6C • TCUSTOM 0xC0