cryptnox-sdk-cpp/CW__SecureChannel_8h_source.html

/*

 * SPDX-License-Identifier: LGPL-3.0-or-later

 * Copyright (c) 2026 Cryptnox SA

 */


#ifndef CW_SECURECHANNEL_H

#define CW_SECURECHANNEL_H


/******************************************************************

 * 1. Public constants

 ******************************************************************/


#define CW_PAIRING_DATA       "Cryptnox Basic CommonPairingData"

#define CW_PAIRING_DATA_BYTES (sizeof(CW_PAIRING_DATA) - 1U)


/******************************************************************

 * 2. Included files

 ******************************************************************/


#include "platform_compat.h"

#include "CW_NfcTransport.h"

#include "CW_Logger.h"

#include "CW_CryptoProvider.h"

#include "CW_Platform.h"

#include "CW_Defs.h"          /* for CW_SecureSession, CW_Curve, and constants */


/******************************************************************

 * 2. Class declaration

 ******************************************************************/


class CW_SecureChannel {

public:

    CW_SecureChannel(CW_NfcTransport& driver, CW_Logger& logger,

                     CW_CryptoProvider& crypto, CW_Platform& platform);


    CW_SecureChannel(const CW_SecureChannel&) = delete;

    CW_SecureChannel& operator=(const CW_SecureChannel&) = delete;


    bool begin();


    bool inListPassiveTarget();


    void resetReader();


    bool printFirmwareVersion();


    bool selectApdu();


    bool getCardCertificate(uint8_t* cardCertificate, uint8_t& cardCertificateLength);


    bool extractCardEphemeralKey(const uint8_t* cardCertificate,

                                 uint8_t* cardEphemeralPubKey,

                                 uint8_t* fullEphemeralPubKey65 = NULL);


    bool openSecureChannel(uint8_t* salt,

                           uint8_t* clientPublicKey,

                           uint8_t* clientPrivateKey,

                           CW_Curve sessionCurve);


    bool mutuallyAuthenticate(CW_SecureSession& session,

                              const uint8_t* salt,

                              uint8_t* clientPublicKey,

                              const uint8_t* clientPrivateKey,

                              CW_Curve sessionCurve,

                              const uint8_t* cardEphemeralPubKey);


    bool getManufacturerCertificate(uint8_t* cert, uint16_t& certLen);


    bool preFetchManufacturerCert();


    uint8_t verifyCertificateChain(const uint8_t* cardCert, uint8_t cardCertLen);


    bool aesCbcEncrypt(CW_SecureSession& session,

                       const uint8_t apdu[], uint16_t apduLength,

                       const uint8_t data[], uint16_t dataLength,

                       uint8_t* decryptedOutput = NULL,

                       uint16_t* decryptedOutputLength = NULL);


    bool aesCbcDecrypt(const CW_SecureSession& session,

                       uint8_t* response, size_t responseLen,

                       uint8_t* macValue,

                       uint8_t* decryptedOutput = NULL,

                       uint16_t* decryptedOutputLength = NULL);


    bool checkStatusWord(const uint8_t* response, uint16_t responseLength,

                         uint8_t sw1Expected, uint8_t sw2Expected);


private:

    CW_NfcTransport&   _driver;

    CW_Logger&         _logger;

    CW_CryptoProvider& _crypto;

    CW_Platform&       _platform;


    uint8_t _lastNonce[CW_CERT_NONCE_SIZE];


    uint16_t _cachedMfCertLen;


    static bool parseDerSigToRaw(const uint8_t* der, uint8_t derLen,

                                 uint8_t* raw64);


    bool verifyEcdsaSha256(const uint8_t* pubKey64,

                           const uint8_t* message, uint16_t msgLen,

                           const uint8_t* derSig, uint8_t derSigLen);


#ifdef CW_FUZZ_BUILD

    friend struct DerFuzzTarget;

#endif

};


#endif // CW_SECURECHANNEL_H

CW_CryptoProvider.h
Abstract cryptographic primitives interface.

CW_Defs.h
Shared constants, error codes, and session state for the SDK.

CW_CERT_NONCE_SIZE
#define CW_CERT_NONCE_SIZE
Definition CW_Defs.h:124

CW_Logger.h
Abstract logging interface.

CW_NfcTransport.h
Abstract NFC transport interface.

CW_Platform.h
Abstract platform interface for timing primitives.

CW_CryptoProvider
Abstract interface for cryptographic operations used by CW_SecureChannel.
Definition CW_CryptoProvider.h:45

CW_Logger
Abstract interface for serial/debug output.
Definition CW_Logger.h:48

CW_NfcTransport
Abstract interface for NFC transport operations.
Definition CW_NfcTransport.h:40

CW_Platform
Abstract interface for platform-specific operations used by the SDK.
Definition CW_Platform.h:39

CW_SecureChannel::CW_SecureChannel
CW_SecureChannel(CW_NfcTransport &driver, CW_Logger &logger, CW_CryptoProvider &crypto, CW_Platform &platform)
Construct a CW_SecureChannel.
Definition CW_SecureChannel.cpp:87

CW_SecureChannel::operator=
CW_SecureChannel & operator=(const CW_SecureChannel &)=delete

CW_SecureChannel::parseDerSigToRaw
static bool parseDerSigToRaw(const uint8_t *der, uint8_t derLen, uint8_t *raw64)
Definition CW_SecureChannel.cpp:1018

CW_SecureChannel::_logger
CW_Logger & _logger
Logging interface.
Definition CW_SecureChannel.h:314

CW_SecureChannel::openSecureChannel
bool openSecureChannel(uint8_t *salt, uint8_t *clientPublicKey, uint8_t *clientPrivateKey, CW_Curve sessionCurve)
Send OPEN SECURE CHANNEL and retrieve the session salt.
Definition CW_SecureChannel.cpp:265

CW_SecureChannel::_driver
CW_NfcTransport & _driver
NFC transport for APDU exchange.
Definition CW_SecureChannel.h:313

CW_SecureChannel::mutuallyAuthenticate
bool mutuallyAuthenticate(CW_SecureSession &session, const uint8_t *salt, uint8_t *clientPublicKey, const uint8_t *clientPrivateKey, CW_Curve sessionCurve, const uint8_t *cardEphemeralPubKey)
Perform ECDH derivation and MUTUALLY AUTHENTICATE with the card.
Definition CW_SecureChannel.cpp:334

CW_SecureChannel::aesCbcEncrypt
bool aesCbcEncrypt(CW_SecureSession &session, const uint8_t apdu[], uint16_t apduLength, const uint8_t data[], uint16_t dataLength, uint8_t *decryptedOutput=NULL, uint16_t *decryptedOutputLength=NULL)
AES-CBC encrypt + MAC, send APDU, and decrypt response.
Definition CW_SecureChannel.cpp:501

CW_SecureChannel::inListPassiveTarget
bool inListPassiveTarget()
Detect a passive NFC target (ISO-DEP card).
Definition CW_SecureChannel.cpp:104

CW_SecureChannel::aesCbcDecrypt
bool aesCbcDecrypt(const CW_SecureSession &session, uint8_t *response, size_t responseLen, uint8_t *macValue, uint8_t *decryptedOutput=NULL, uint16_t *decryptedOutputLength=NULL)
Verify MAC and decrypt an encrypted APDU response.
Definition CW_SecureChannel.cpp:625

CW_SecureChannel::begin
bool begin()
Initialize the NFC transport module.
Definition CW_SecureChannel.cpp:100

CW_SecureChannel::verifyEcdsaSha256
bool verifyEcdsaSha256(const uint8_t *pubKey64, const uint8_t *message, uint16_t msgLen, const uint8_t *derSig, uint8_t derSigLen)
Definition CW_SecureChannel.cpp:1082

CW_SecureChannel::checkStatusWord
bool checkStatusWord(const uint8_t *response, uint16_t responseLength, uint8_t sw1Expected, uint8_t sw2Expected)
Verify the SW1/SW2 status word at the end of an APDU response.
Definition CW_SecureChannel.cpp:120

CW_SecureChannel::preFetchManufacturerCert
bool preFetchManufacturerCert()
Fetch and cache the manufacturer certificate before getCardCertificate().
Definition CW_SecureChannel.cpp:1194

CW_SecureChannel::getCardCertificate
bool getCardCertificate(uint8_t *cardCertificate, uint8_t &cardCertificateLength)
Retrieve the card's ephemeral public key via GET CARD CERTIFICATE.
Definition CW_SecureChannel.cpp:184

CW_SecureChannel::CW_SecureChannel
CW_SecureChannel(const CW_SecureChannel &)=delete

CW_SecureChannel::_cachedMfCertLen
uint16_t _cachedMfCertLen
Non-zero when s_mfCertBuf holds a valid pre-fetched manufacturer certificate.
Definition CW_SecureChannel.h:322

CW_SecureChannel::selectApdu
bool selectApdu()
Send the SELECT APDU to activate the Cryptnox application.
Definition CW_SecureChannel.cpp:155

CW_SecureChannel::_platform
CW_Platform & _platform
Platform abstraction (sleep_ms).
Definition CW_SecureChannel.h:316

CW_SecureChannel::verifyCertificateChain
uint8_t verifyCertificateChain(const uint8_t *cardCert, uint8_t cardCertLen)
Verify the full card certificate chain against the trusted CA.
Definition CW_SecureChannel.cpp:1227

CW_SecureChannel::resetReader
void resetReader()
Reset the NFC reader hardware.
Definition CW_SecureChannel.cpp:108

CW_SecureChannel::_lastNonce
uint8_t _lastNonce[CW_CERT_NONCE_SIZE]
Nonce sent in the last getCardCertificate() call; checked in verifyCertificateChain().
Definition CW_SecureChannel.h:319

CW_SecureChannel::extractCardEphemeralKey
bool extractCardEphemeralKey(const uint8_t *cardCertificate, uint8_t *cardEphemeralPubKey, uint8_t *fullEphemeralPubKey65=NULL)
Extract the card's ephemeral EC P-256 public key from a certificate.
Definition CW_SecureChannel.cpp:232

CW_SecureChannel::_crypto
CW_CryptoProvider & _crypto
Crypto operations (AES, SHA, ECDH, RNG).
Definition CW_SecureChannel.h:315

CW_SecureChannel::getManufacturerCertificate
bool getManufacturerCertificate(uint8_t *cert, uint16_t &certLen)
Retrieve the manufacturer certificate stored in card flash.
Definition CW_SecureChannel.cpp:1098

CW_SecureChannel::printFirmwareVersion
bool printFirmwareVersion()
Print the NFC reader firmware version to the logger.
Definition CW_SecureChannel.cpp:112

CW_Curve
CW_Curve
Portable curve identifier used throughout the SDK.
Definition CW_Defs.h:151

platform_compat.h
Arduino compatibility shims for non-Arduino (plain C++) builds.

CW_SecureSession
Holds cryptographic session state for reentrant secure channel operations.
Definition CW_Defs.h:168