cryptotronix / eclet

Driver for the Cryptotronix EClet containing an Atmel ATECC108

License: GNU General Public License v3.0

Shell 1.78% Eagle 64.78% C 33.44%

eclet's Introduction

EClet

Status

This software is in BETA. I have tested the commands below, but there are some features and documentation that I would like to finish. If you use this software, it will configure your ECC108 in a non-reversible way. It will allow you to sign and verify with P256 keys, but future features may be incompatible.

Releases

You can download the latest release here. You will also need this release of libcryptoauth.

Building

Install build-essential, autotools-dev, automake, autoconf, libtool, libxml2-dev, check, texinfo, and libgcrypt (libgcrypt11-dev on Debian variants)

Run ./autogen.sh. This will generate the required README file from README.md as well as installing the required BETA version of libcryptoauth-0.2 (sudo is used to install this library)

You can run eclet locally, or install it to the system by running sudo make install

Hardware

The Hardware folder has an example board layout. This software will also work on the CryptoCape.

Running

See ./eclet --help for full details. The default I2C bus is /dev/i2c-1; this can be changed with the -b option.

Kernel option

If you build libcryptoauth with the -DUSE_KERNEL flag and install the kernel module, this utility will use that module if you pass in: -b /dev/atsha0.

Root

You'll need to run as root to access /dev/i2c* initially. You can change this by adding your user to the i2c group with:

sudo usermod -aG i2c user

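Or, less restrictively, since this gives every local user read/write access to the I2C bus and therefore to the device: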

sudo chmod o+rw /dev/i2c*

Currently supported commands:

state

eclet state
Factory

This is the first command you should run; verify that the device is in the Factory state. This provides assurance that the device has not been tampered with during transit.

personalize

eclet personalize

This is the second command you should run. On success it will not output anything. It configures all slots (0-16) to be holders for P-256 ECC private keys, except slot 8, which is reserved for future use. Keys are not generated at this time. Each key must be individually generated with the gen-key command.

WARNING

Until you personalize your device, the random number generator will produce a fixed test pattern of FFs and 00s. This is by design. However, it can be a bit surprising to see if you aren't expecting it.

random

eclet random
62F95589AC76855A8F9204C9C6B8B85F06E6477D17C3888266AEE8E1CBD65319

serial-num

eclet serial-num
0123XXXXXXXXXXXXEE

X's indicate the unique serial number.

gen-key

eclet gen-key
04EED1CB629CF87F8BF6419986F990B92EA3DFA14CDAF70EB3E8DA8F9C9504DBC5B040D6480E88F895E9E1D4477970329B060450C80E1816EFED7B0FA49868CAEB

The device will internally create a P-256 ECC key and return the public key. The format of the public key is 0x04 + X + Y. Specify the slot in which to create the key (0-7, 9-15) with the -k option. Currently, running this command multiple times will overwrite the public key; see this issue.

sign

eclet sign -f ChangeLog
3BAEB5705D8765B34B389F1768BAC783FCA786AB64A760D10DD133C86E5892A7A790E424C8E1540551C99FBE4F9F531B504A6004F08F3E0D4E42E96BBDE5C179

Performs an ECDSA signature. Data can be specified as a file with the -f option or passed via stdin. The data will be SHA256 hashed prior to signing. The result is the signature in the format: R + S.

verify

eclet verify -f ChangeLog --signature C650D1A30194AD68F60F40C321FB084F6177BEDAC74D0F0C276ED35B00249AC8CF3E96FB7AB14AA48223FBA2E5DD9BCAE232BF963755C42F8FD9BD77FC145D41 --public-key 049B4A517704E16F3C99C6973E29F882EAF840DCD125C725C9552148A74349EB77BECB37AA2DB8056BAF0E236F6DCFEC2C5A9A0F23CEFD8A9DC1F4693718E725D2

Verifies an ECDSA signature using the device. You specify the data (which will be SHA256 hashed), the signature (R+S), and the public key (0x04+X+Y). Returns a 0 exit code on success.

offline-verify-sign

eclet offline-verify-sign -f ChangeLog --signature C650D1A30194AD68F60F40C321FB084F6177BEDAC74D0F0C276ED35B00249AC8CF3E96FB7AB14AA48223FBA2E5DD9BCAE232BF963755C42F8FD9BD77FC145D41 --public-key 049B4A517704E16F3C99C6973E29F882EAF840DCD125C725C9552148A74349EB77BECB37AA2DB8056BAF0E236F6DCFEC2C5A9A0F23CEFD8A9DC1F4693718E725D2

Same as verify except it does not use the device and can be run on a system without one. It uses the software ECDSA implementation provided by libcrypti2c.

Options

Options are listed in the --help command, but a useful one, if there are issues, is the -v option. This will dump all the data that travels across the I2C bus with the device.

Support

IRC: Join the #cryptotronix channel on freenode.

Mailing lists: hashlet-announce and hashlet-users are open for subscriptions here.

GPLv3

eclet's People

Contributors

jbdatko, martymacgyver


eclet's Issues

Sign command fails on CryptoCape

The sign command fails on some devices and passes on others. On a dedicated breakout board, w/o a bypass cap, the sign passes. It's failing on the CryptoCape currently.

There could be some I2C timeout issues.

Sparkfun Cryptoshield Testing Problem (I2C bus problem)

I am testing my Sparkfun Cryptoshield on an Arduino UNO board following the official guide, which asks us to personalize the ATECC108 chip on the Cryptoshield under Linux (The beginnings of the ATECC108 ECDSA Linux driver). However, when we install the EClet packet on Linux and then type './eclet state' in the terminal, it shows the message

"Failed to open I2C bus
: No such file or directory".

We then found that the directory /dev/I2C does not exist in our system. Could you please tell us how to solve this problem?

ATECC108 Chip stopped working after personalizing chip

Hello,
I have successfully compiled EClet on my Raspberry Pi.
I have soldered ATECC108 to my own PCB and I don’t use any development board. After connecting i2c pins and 3.3v and GND to the chip I was able to find the chip at address 60 using i2cdetect -y 1, then I ran sudo ./eclet state and got "Factory" as response. But after that all commands got stuck in the terminal and nothing happens: sudo ./eclet personalize and sudo ./eclet random return nothing, and also the i2cdetect -y 1 command is not finding the chip anymore. I think it's burned. I have more chips I can test, but I just want to know your opinion why the chip is not recognized anymore after running the state command.
I can see in your PCB you have used a 1uF cap between GND and Vcc. Do you think it has something to do with that?

"Remote I/O" error while signing bigger files

The following issue was reported

eclet sign -f /opt/tmp/file.pdf -v
Device is awake.
crc : 0x33 0x43
Calculated crc : 0x33 0x43
SHA256 file digest : 0x60 0x24 0x68 0x5B 0xEA 0x16 0xEC 0x48 0xA9 0x81 0xB9 0x3E 0x85 0x8B 0x12 0x00 0x47 0x1E 0x36 0xCC 0x61 0xB0 0xFB 0xDF 0x5D 0xC3 0x13 0xB2 0x58 0x65 0x8E 0x63
*** Printing Command ***
Command: 0x03
Count: 0x07
OpCode: 0x1B
Command Random
param1: 0x00
param2: 0x00 0x00
CRC: 0x00 0x00
Wait time: 0 seconds 11000000 nanoseconds
Total len: 8, count: 7, CRC_LEN: 5, CRC_OFFSET: 6

Sending : 0x03 0x07 0x1B 0x00 0x00 0x00 0x24 0xCD
Send failed
: Remote I/O error


I also tried this, but similar results:

eclet sign < /opt/tmp/file.pdf -v
Device is awake.
crc : 0x33 0x43
Calculated crc : 0x33 0x43
SHA256 file digest : 0x60 0x24 0x68 0x5B 0xEA 0x16 0xEC 0x48 0xA9 0x81 0xB9 0x3E 0x85 0x8B 0x12 0x00 0x47 0x1E 0x36 0xCC 0x61 0xB0 0xFB 0xDF 0x5D 0xC3 0x13 0xB2 0x58 0x65 0x8E 0x63
*** Printing Command ***
Command: 0x03
Count: 0x07
OpCode: 0x1B
Command Random
param1: 0x00
param2: 0x00 0x00
CRC: 0x00 0x00
Wait time: 0 seconds 11000000 nanoseconds
Total len: 8, count: 7, CRC_LEN: 5, CRC_OFFSET: 6

Sending : 0x03 0x07 0x1B 0x00 0x00 0x00 0x24 0xCD
Send failed
: Remote I/O error
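The frame layout visible in the verbose output above, as an added example that is not part of the issue report or of EClet's source: the chip family's CRC-16 (polynomial 0x8005) over the count, opcode and parameter bytes reproduces the 0x24 0xCD at the end of the "Sending" line, and over the first two bytes of the wake response it reproduces the logged 0x33 0x43. The function names are hypothetical, and the wake-response bytes 0x04 0x11 are an assumption taken from the datasheet, since the log prints only their CRC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-16 of the ATSHA204/ATECC108 family: polynomial 0x8005, initial value 0,
 * each data byte fed in least-significant bit first. */
uint16_t atecc_crc16(const uint8_t *data, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        for (uint8_t mask = 0x01; mask != 0; mask <<= 1) {
            unsigned data_bit = (data[i] & mask) ? 1 : 0;
            unsigned crc_bit = crc >> 15;
            crc = (uint16_t)(crc << 1);
            if (data_bit != crc_bit)
                crc ^= 0x8005;
        }
    }
    return crc;
}

/* Validate one frame. `start` is the index of the count byte: 1 for a command
 * (byte 0 is the word address, outside the CRC), 0 for a response. The count
 * covers itself through the CRC; the CRC is sent low byte first.
 * Returns 1 if count and CRC are consistent, 0 otherwise. */
int frame_ok(const uint8_t *frame, size_t len, size_t start)
{
    if (len < start + 3 || (size_t)frame[start] != len - start)
        return 0;
    uint16_t crc = atecc_crc16(frame + start, len - 2 - start);
    return frame[len - 2] == (crc & 0xFF) && frame[len - 1] == (crc >> 8);
}

/* Bytes copied from the "Sending :" line of the log above (Random command). */
static const uint8_t RANDOM_CMD[8] = {0x03, 0x07, 0x1B, 0x00, 0x00, 0x00, 0x24, 0xCD};
/* Wake response; 0x04 0x11 assumed from the datasheet, CRC as logged. */
static const uint8_t WAKE_RSP[4] = {0x04, 0x11, 0x33, 0x43};

int main(void)
{
    printf("command frame ok: %d\n", frame_ok(RANDOM_CMD, sizeof RANDOM_CMD, 1));
    printf("wake response ok: %d\n", frame_ok(WAKE_RSP, sizeof WAKE_RSP, 0));
    return 0;
}
```

This CRC only catches transmission errors on the bus; it is not keyed and gives no authentication of the data.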

Assertion when trying to check state of ECC508A

Hi,
I'm trying to use EClet on a Raspberry Pi 2. I was able to compile and run both the master and develop branches, but without luck. I use an Atmel CryptoAuth Xplained Pro and i2cdetect sees 3 chips.

pi@raspberrypi:~/EClet $ i2cdetect -y 1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- -- 
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
50: 50 -- -- -- -- -- -- -- 58 -- -- -- -- -- -- -- 
60: -- -- -- -- 64 -- -- -- -- -- -- -- -- -- -- -- 
70: -- -- -- -- -- -- -- -- 

When I checked state I'm getting 2 chips (I assume those are ATSHA204A and ATAES132A) in Personalized state and ECC508A throws assertion:

pi@raspberrypi:~/EClet $ ./eclet -a 0x50 state
eclet: src/i2c.c:100: lca_wakeup: Assertion `lca_is_crc_16_valid(buf, 2, buf+2)' failed.
Aborted
pi@raspberrypi:~/EClet $ ./eclet -a 0x58 state
Personalized
pi@raspberrypi:~/EClet $ ./eclet -a 0x64 state
Personalized

Using develop branch I cannot communicate with devices. Any idea what's wrong with 0x50 ?

No package 'cryptoauth-0.2' found during installation on Debian

Unfortunately, I keep getting an error about a missing package cryptoauth-0.2 during install:

configure: error: Package requirements (cryptoauth-0.2) were not met:

No package 'cryptoauth-0.2' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables DEPS_CFLAGS
and DEPS_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

My problem can be reconstructed by the following commands:

docker run -it --rm debian:buster-slim
$> apt update
$> apt install -y wget
$> wget https://github.com/cryptotronix/EClet/releases/download/0.1.1/eclet-0.1.1.tar.gz
$> tar -xzvf eclet-0.1.1.tar.gz
$> apt install -y build-essential autotools-dev automake autoconf libtool libxml2-dev check texinfo libgcrypt20-dev
$> apt install -y pkg-config
$> cd eclet-0.1.1
$> ./autogen.sh

The shell then starts to run until it stops with the aforementioned error message. Unfortunately, I'm not able to locate the package cryptoauth-0.2.

How am I supposed to install the missing package?
Could somebody please help me install this package?

Add key import feature

ECC keys can be imported but this must be done prior to personalization. Like internally generated keys, they can never be read.

Add ability to update I2C address before locking the config

The default I2C address can be changed on the various ATECC108A/ECC508A/SHA204A/AES132A devices. This must happen before personalization is complete. Adding the ability to change the address would increase the flexibility of this tool.

Note that the address would need to be converted from the 7-bit format typically used on the Linux host to the 8-bit format on the device (i2c_addr_linux << 1 == i2c_addr_atmel).

Suggest 'n' (new-address) as the command, since 'a' (address) cannot be overloaded for this purpose.

Investigate storing public key on ECC108

Investigate / implement the option to store a public key on the ECC108. This would allow for verification of signatures where the public key stays on the device. Consider an option to store the public key on the device or in a ~/.eclet file.

Suggested by karl_34 on IRC.

Does not build with latest libcryptoauth

EClet needs to be updated for the latest libcryptoauth as it currently does not build together. If you are trying to get it to work you can use a later release of libcryptoauth, but that sucks, I need to fix this.
