cryptnox-sdk-cpp 1.0.0
Platform-independent C++ core SDK for Cryptnox Hardware Wallet
CW_SecureChannel.cpp File Reference

Implementation of the Cryptnox secure channel protocol. More...

#include "CW_SecureChannel.h"
#include "CW_Utils.h"
#include "CW_TrustedKeys.h"

Macros

/*
 * Size constants for the secure-channel exchange, followed by the DER
 * constants referenced by derReadLength() and derWalkMfCert().
 */

/* Response lengths in bytes. The two derived macros further down subtract
 * RESPONSE_STATUS_WORDS_IN_BYTES from a response length, so these totals
 * apparently include the trailing status words; confirm for the responses
 * that have no derived macro. */
#define RESPONSE_GETCARDCERTIFICATE_IN_BYTES   148U
#define RESPONSE_SELECT_IN_BYTES   40U
#define RESPONSE_GETMANUFACTURERCERT_PAGE_IN_BYTES   420U
#define RESPONSE_OPENSECURECHANNEL_IN_BYTES   34U
#define REQUEST_MUTUALLYAUTHENTICATE_IN_BYTES   69U
#define RESPONSE_MUTUALLYAUTHENTICATE_IN_BYTES   66U
#define RESPONSE_STATUS_WORDS_IN_BYTES   2U
/* Payload lengths with the status words removed: 34 - 2 = 32 bytes and
 * 148 - 2 = 146 bytes. */
#define OPENSECURECHANNEL_SALT_IN_BYTES   (RESPONSE_OPENSECURECHANNEL_IN_BYTES - RESPONSE_STATUS_WORDS_IN_BYTES)
#define GETCARDCERTIFICATE_IN_BYTES   (RESPONSE_GETCARDCERTIFICATE_IN_BYTES - RESPONSE_STATUS_WORDS_IN_BYTES)
/* Used by getCardCertificate(); presumably the length of the random value
 * sent with that request (TODO confirm). */
#define RANDOM_BYTES   8U
/* Alias for CW_PAIRING_DATA, which is defined outside this file.
 * NOTE(review): the name suggests a pairing value shared across devices;
 * confirm what CW_PAIRING_DATA holds and whether it is meant to be secret. */
#define COMMON_PAIRING_DATA   CW_PAIRING_DATA
/* Key sizes in bytes. 64 is DER_EC_POINT_BYTES minus the one-byte 0x04
 * prefix, so the public keys are presumably stored as raw X || Y (confirm). */
#define CLIENT_PRIVATE_KEY_SIZE   32U
#define CLIENT_PUBLIC_KEY_SIZE   64U
#define CARDEPHEMERALPUBKEY_SIZE   64U
#define AES_BLOCK_SIZE   16U
/* APDU framing lengths.
 * NOTE(review): APDU_LC_LEN is one byte; if it is the Lc field, a single
 * command carries at most 255 data bytes, so check that
 * CW_USER_DATA_PAGE_SIZE keeps the encrypted payload within that. */
#define APDU_HEADER_LEN   (4U)
#define APDU_LC_LEN   (1U)
#define MAC_APDU_LEN   (12U)
/* Buffer sizing. ENC_BUF_MAX_LEN, MAX_MAC_DATA_LEN and SEND_APDU_MAX_LEN are
 * the declared sizes of s_dataBuf, s_macBuf and s_apduBuf, and all three
 * scale with CW_USER_DATA_PAGE_SIZE, which is defined outside this file.
 * ENC_BUF_MAX_LEN allows one AES block beyond INPUT_BUFFER_LIMIT, presumably
 * as room for padding (confirm). Any write into those buffers has to be
 * bounded by these same macros. */
#define INPUT_BUFFER_LIMIT   (CW_USER_DATA_PAGE_SIZE)
#define ENC_BUF_MAX_LEN   (INPUT_BUFFER_LIMIT + AES_BLOCK_SIZE)
#define MAX_MAC_DATA_LEN   (APDU_HEADER_LEN + MAC_APDU_LEN + ENC_BUF_MAX_LEN)
#define SEND_APDU_MAX_LEN   (APDU_HEADER_LEN + APDU_LC_LEN + AES_BLOCK_SIZE + ENC_BUF_MAX_LEN)
/* DER constants for the certificate walker. Only the 0x81 and 0x82 long-form
 * length prefixes are named, and derReadLength() reports a field length
 * through a uint16_t.
 * NOTE(review): confirm that any other length form, and any length that runs
 * past bufLen, is rejected before the field is used. */
#define DER_TAG_SEQUENCE   (0x30U) /* SEQUENCE (universal, constructed) */
#define DER_TAG_BIT_STRING   (0x03U) /* BIT STRING */
#define DER_TAG_CTX0   (0xA0U) /* [0] EXPLICIT — version in v3 TBSCertificate */
#define DER_LEN_LONG_FLAG   (0x80U) /* set = long-form length */
#define DER_LEN_LONG_1   (0x81U) /* long form, 1 following byte */
#define DER_LEN_LONG_2   (0x82U) /* long form, 2 following bytes */
#define DER_EC_UNCOMPRESSED   (0x04U) /* uncompressed point prefix */
#define DER_EC_POINT_BYTES   (65U) /* 0x04 || X[32] || Y[32] */
#define DER_BIT_UNUSED_ZERO   (0x00U) /* BIT STRING unused-bits field must be 0 */

Functions

static bool derReadLength (const uint8_t *buf, uint16_t bufLen, uint16_t &pos, uint16_t &fieldLen)
static bool derSkipField (const uint8_t *buf, uint16_t bufLen, uint16_t &pos)
static bool derWalkMfCert (const uint8_t *buf, uint16_t bufLen, uint16_t &tbsMsgStart, uint16_t &tbsMsgLen, const uint8_t *&pubKey65Ptr, const uint8_t *&sigPtr, uint8_t &sigLen)

Variables

static uint8_t s_apduBuf [SEND_APDU_MAX_LEN]
static uint8_t s_macBuf [MAX_MAC_DATA_LEN]
static uint8_t s_dataBuf [ENC_BUF_MAX_LEN]
static uint8_t s_mfCertBuf [CW_MANUF_CERT_MAX_BYTES]

Detailed Description

Implementation of the Cryptnox secure channel protocol.

Implements the methods declared in CW_SecureChannel.h: APDU framing, certificate chain verification against the trusted CA keys (CW_TrustedKeys.h), ECDH session key derivation, AES-CBC encrypted messaging with rolling IV, and MAC verification on every response.

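Module-level static scratch buffers are reused across calls to keep the stack footprint small; secret material is wiped after use. Because the buffers are file-scope state shared by every call, the module should be treated as non-reentrant unless the source shows that access is serialised. This page does not say how the wipe is done, so check in the source that it cannot be optimised away by the compiler.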

Definition in file CW_SecureChannel.cpp.

Macro Definition Documentation

◆ AES_BLOCK_SIZE

#define AES_BLOCK_SIZE   16U

◆ APDU_HEADER_LEN

#define APDU_HEADER_LEN   (4U)

Definition at line 46 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::mutuallyAuthenticate().

◆ APDU_LC_LEN

#define APDU_LC_LEN   (1U)

◆ CARDEPHEMERALPUBKEY_SIZE

#define CARDEPHEMERALPUBKEY_SIZE   64U

Definition at line 44 of file CW_SecureChannel.cpp.

◆ CLIENT_PRIVATE_KEY_SIZE

#define CLIENT_PRIVATE_KEY_SIZE   32U

Definition at line 42 of file CW_SecureChannel.cpp.

◆ CLIENT_PUBLIC_KEY_SIZE

#define CLIENT_PUBLIC_KEY_SIZE   64U

Definition at line 43 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::openSecureChannel().

◆ COMMON_PAIRING_DATA

#define COMMON_PAIRING_DATA   CW_PAIRING_DATA

Definition at line 41 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::mutuallyAuthenticate().

◆ DER_BIT_UNUSED_ZERO

#define DER_BIT_UNUSED_ZERO   (0x00U) /* BIT STRING unused-bits field must be 0 */

Definition at line 80 of file CW_SecureChannel.cpp.

Referenced by derWalkMfCert().

◆ DER_EC_POINT_BYTES

#define DER_EC_POINT_BYTES   (65U) /* 0x04 || X[32] || Y[32] */

Definition at line 79 of file CW_SecureChannel.cpp.

Referenced by derWalkMfCert().

◆ DER_EC_UNCOMPRESSED

#define DER_EC_UNCOMPRESSED   (0x04U) /* uncompressed point prefix */

Definition at line 78 of file CW_SecureChannel.cpp.

Referenced by derWalkMfCert().

◆ DER_LEN_LONG_1

#define DER_LEN_LONG_1   (0x81U) /* long form, 1 following byte */

Definition at line 74 of file CW_SecureChannel.cpp.

Referenced by derReadLength().

◆ DER_LEN_LONG_2

#define DER_LEN_LONG_2   (0x82U) /* long form, 2 following bytes */

Definition at line 75 of file CW_SecureChannel.cpp.

Referenced by derReadLength().

◆ DER_LEN_LONG_FLAG

#define DER_LEN_LONG_FLAG   (0x80U) /* set = long-form length */

Definition at line 73 of file CW_SecureChannel.cpp.

Referenced by derReadLength().

◆ DER_TAG_BIT_STRING

#define DER_TAG_BIT_STRING   (0x03U) /* BIT STRING */

Definition at line 69 of file CW_SecureChannel.cpp.

Referenced by derWalkMfCert().

◆ DER_TAG_CTX0

#define DER_TAG_CTX0   (0xA0U) /* [0] EXPLICIT — version in v3 TBSCertificate */

Definition at line 70 of file CW_SecureChannel.cpp.

Referenced by derWalkMfCert().

◆ DER_TAG_SEQUENCE

#define DER_TAG_SEQUENCE   (0x30U) /* SEQUENCE (universal, constructed) */

Definition at line 68 of file CW_SecureChannel.cpp.

Referenced by derWalkMfCert().

◆ ENC_BUF_MAX_LEN

#define ENC_BUF_MAX_LEN   (INPUT_BUFFER_LIMIT + AES_BLOCK_SIZE)

Definition at line 50 of file CW_SecureChannel.cpp.

◆ GETCARDCERTIFICATE_IN_BYTES

#define GETCARDCERTIFICATE_IN_BYTES   (RESPONSE_GETCARDCERTIFICATE_IN_BYTES - RESPONSE_STATUS_WORDS_IN_BYTES)

Definition at line 38 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::getCardCertificate().

◆ INPUT_BUFFER_LIMIT

#define INPUT_BUFFER_LIMIT   (CW_USER_DATA_PAGE_SIZE)

Definition at line 49 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::aesCbcEncrypt().

◆ MAC_APDU_LEN

#define MAC_APDU_LEN   (12U)

Definition at line 48 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::aesCbcEncrypt().

◆ MAX_MAC_DATA_LEN

#define MAX_MAC_DATA_LEN   (APDU_HEADER_LEN + MAC_APDU_LEN + ENC_BUF_MAX_LEN)

Definition at line 51 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::aesCbcEncrypt().

◆ OPENSECURECHANNEL_SALT_IN_BYTES

#define OPENSECURECHANNEL_SALT_IN_BYTES   (RESPONSE_OPENSECURECHANNEL_IN_BYTES - RESPONSE_STATUS_WORDS_IN_BYTES)

Definition at line 37 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::openSecureChannel().

◆ RANDOM_BYTES

#define RANDOM_BYTES   8U

Definition at line 40 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::getCardCertificate().

◆ REQUEST_MUTUALLYAUTHENTICATE_IN_BYTES

#define REQUEST_MUTUALLYAUTHENTICATE_IN_BYTES   69U

Definition at line 33 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::mutuallyAuthenticate().

◆ RESPONSE_GETCARDCERTIFICATE_IN_BYTES

#define RESPONSE_GETCARDCERTIFICATE_IN_BYTES   148U

Definition at line 27 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::getCardCertificate().

◆ RESPONSE_GETMANUFACTURERCERT_PAGE_IN_BYTES

#define RESPONSE_GETMANUFACTURERCERT_PAGE_IN_BYTES   420U

Definition at line 31 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::getManufacturerCertificate().

◆ RESPONSE_MUTUALLYAUTHENTICATE_IN_BYTES

#define RESPONSE_MUTUALLYAUTHENTICATE_IN_BYTES   66U

Definition at line 34 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::mutuallyAuthenticate().

◆ RESPONSE_OPENSECURECHANNEL_IN_BYTES

#define RESPONSE_OPENSECURECHANNEL_IN_BYTES   34U

Definition at line 32 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::openSecureChannel().

◆ RESPONSE_SELECT_IN_BYTES

#define RESPONSE_SELECT_IN_BYTES   40U

Definition at line 29 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::selectApdu().

◆ RESPONSE_STATUS_WORDS_IN_BYTES

#define RESPONSE_STATUS_WORDS_IN_BYTES   2U

◆ SEND_APDU_MAX_LEN

#define SEND_APDU_MAX_LEN   (APDU_HEADER_LEN + APDU_LC_LEN + AES_BLOCK_SIZE + ENC_BUF_MAX_LEN)

Definition at line 52 of file CW_SecureChannel.cpp.

Referenced by CW_SecureChannel::aesCbcEncrypt().

Function Documentation

◆ derReadLength()

bool derReadLength ( const uint8_t * buf,
uint16_t bufLen,
uint16_t & pos,
uint16_t & fieldLen )
static

Definition at line 732 of file CW_SecureChannel.cpp.

References DER_LEN_LONG_1, DER_LEN_LONG_2, and DER_LEN_LONG_FLAG.

Referenced by derSkipField(), and derWalkMfCert().

◆ derSkipField()

bool derSkipField ( const uint8_t * buf,
uint16_t bufLen,
uint16_t & pos )
static

Definition at line 767 of file CW_SecureChannel.cpp.

References derReadLength().

Referenced by derWalkMfCert().

◆ derWalkMfCert()

bool derWalkMfCert ( const uint8_t * buf,
uint16_t bufLen,
uint16_t & tbsMsgStart,
uint16_t & tbsMsgLen,
const uint8_t *& pubKey65Ptr,
const uint8_t *& sigPtr,
uint8_t & sigLen )
static

Variable Documentation

◆ s_apduBuf

uint8_t s_apduBuf[SEND_APDU_MAX_LEN]
static

◆ s_dataBuf

uint8_t s_dataBuf[ENC_BUF_MAX_LEN]
static

◆ s_macBuf

uint8_t s_macBuf[MAX_MAC_DATA_LEN]
static

◆ s_mfCertBuf