GpgStorage.cpp

Go to the documentation of this file.

 
#include "mod_gpg/GpgStorage.h"
#include "cdc_hal/ISecureElement.h"
#include "cdc_core/Crypto.h"
#include "cdc_log.h"
#include <mbedtls/sha256.h>
#include <mbedtls/hkdf.h>
#include <mbedtls/md.h>
#include <mbedtls/platform_util.h>
#include <esp_random.h>
#include <string.h>
 
static const char* TAG = "GPGStorage";
 
// Relative offsets within the mod_gpg R-Memory range. Each offset is the
// metadata slot for the matching ECC key slot (RMEM slot N pairs with ECC
// slot N). The range starts at slot 1 (= ECC slot 1 = SIG), which is
// hardware-only and needs no software metadata, so offset 0 is unused.
static constexpr uint16_t RMEM_SLOT_DEC_KEY = 1;

static constexpr uint16_t RMEM_SLOT_AES_KEY = 2;

static constexpr uint8_t DEC_KEY_MAGIC[4] = {'E', 'C', 'D', 'H'};

static constexpr uint8_t AES_KEY_MAGIC[4] = {'A', 'E', 'S', '1'};
 
static constexpr size_t MAGIC_SIZE = 4;
static constexpr size_t NONCE_SIZE = 12;
static constexpr size_t TAG_SIZE = 16;
static constexpr size_t PRIVKEY_SIZE = 32;
static constexpr size_t AES_MAX_KEY_SIZE = 32;
static constexpr size_t DEC_TOTAL_SIZE = MAGIC_SIZE + NONCE_SIZE + PRIVKEY_SIZE + TAG_SIZE;
static constexpr size_t AES_RECORD_PAYLOAD = 1 + AES_MAX_KEY_SIZE;
static constexpr size_t AES_TOTAL_SIZE = MAGIC_SIZE + NONCE_SIZE + AES_RECORD_PAYLOAD + TAG_SIZE;

static constexpr char HKDF_INFO[] = "GPG-STORAGE-V2";
 
#ifdef __DOXYGEN__
namespace cdc::mod_gpg {
#endif
 
#pragma pack(push, 1)
struct DecKeyStorage {
    uint8_t magic[MAGIC_SIZE];
    uint8_t nonce[NONCE_SIZE];
    uint8_t encrypted[PRIVKEY_SIZE];
    uint8_t tag[TAG_SIZE];
};
 
struct AesKeyStorage {
    uint8_t magic[MAGIC_SIZE];
    uint8_t nonce[NONCE_SIZE];
    uint8_t encrypted[AES_RECORD_PAYLOAD];
    uint8_t tag[TAG_SIZE];
};
#pragma pack(pop)
 
#ifdef __DOXYGEN__
} // namespace cdc::mod_gpg
#endif
 
static_assert(sizeof(DecKeyStorage) == DEC_TOTAL_SIZE, "DecKeyStorage size mismatch");
static_assert(sizeof(AesKeyStorage) == AES_TOTAL_SIZE, "AesKeyStorage size mismatch");
 
namespace {
 
template <size_t N>
inline void secureWipe(uint8_t (&buf)[N]) {
    mbedtls_platform_zeroize(buf, N);
}
 
template <typename T>
inline void secureWipeObject(T& obj) {
    mbedtls_platform_zeroize(&obj, sizeof(obj));
}
 
} // namespace
 
static struct {
    bool ready = false;
    uint16_t eccStart = 0;
    uint16_t eccEnd = 0;
    uint16_t rmemStart = 0;
    uint16_t rmemEnd = 0;
    uint8_t sigSlot = 0;
    uint8_t decSlot = 0;
    uint8_t autSlot = 0;
 
    bool sessionActive = false;
    uint8_t sessionKey[32];
} s_storage;
 
static cdc::hal::ISecureElement* get_se() {
    return cdc::hal::getSecureElementInstance();
}

static bool pin_to_hash(const char* pin, uint8_t* hash_out) {
    if (!hash_out) return false;
    const uint8_t* in = pin ? reinterpret_cast<const uint8_t*>(pin) : reinterpret_cast<const uint8_t*>("");
    size_t in_len = pin ? strlen(pin) : 0;
    return mbedtls_sha256(in, in_len, hash_out, 0) == 0;
}

static bool derive_storage_key(uint16_t slot_id, const uint8_t* pin_hash, uint8_t* key_out) {
    if (!key_out) return false;
 
    uint8_t ikm[16 + 32] = {};
    size_t ikm_len = 16;
    auto* se = get_se();
    if (se) {
        se->getChipId(ikm, 16);
    }
    if (pin_hash) {
        memcpy(ikm + 16, pin_hash, 32);
        ikm_len = 16 + 32;
    }
 
    uint8_t salt[2];
    salt[0] = static_cast<uint8_t>((slot_id >> 8) & 0xFF);
    salt[1] = static_cast<uint8_t>(slot_id & 0xFF);
 
    const mbedtls_md_info_t* md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
    if (!md) {
        mbedtls_platform_zeroize(ikm, sizeof(ikm));
        return false;
    }
 
    int ret = mbedtls_hkdf(
        md,
        salt, sizeof(salt),
        ikm, ikm_len,
        reinterpret_cast<const uint8_t*>(HKDF_INFO), strlen(HKDF_INFO),
        key_out, 32
    );
 
    mbedtls_platform_zeroize(ikm, sizeof(ikm));
    return ret == 0;
}

static void build_aad(uint16_t slot_id, const uint8_t magic[MAGIC_SIZE], uint8_t aad_out[6]) {
    aad_out[0] = static_cast<uint8_t>((slot_id >> 8) & 0xFF);
    aad_out[1] = static_cast<uint8_t>(slot_id & 0xFF);
    memcpy(aad_out + 2, magic, MAGIC_SIZE);
}

static uint16_t resolve_slot(uint16_t rel_index) {
    return static_cast<uint16_t>(s_storage.rmemStart + rel_index);
}
 
void gpg_storage_set_slot_range(uint16_t eccStart, uint16_t eccEnd) {
    s_storage.ready = false;
    s_storage.eccStart = eccStart;
    s_storage.eccEnd = eccEnd;
 
    if (eccStart == 0 || eccEnd == 0 || eccStart > eccEnd || (eccEnd - eccStart + 1) < 3) {
        return;
    }
 
    s_storage.sigSlot = static_cast<uint8_t>(eccStart);
    s_storage.decSlot = static_cast<uint8_t>(eccStart + 1);
    s_storage.autSlot = static_cast<uint8_t>(eccStart + 2);
    s_storage.ready = true;
}
 
void gpg_storage_set_rmem_range(uint16_t rmemStart, uint16_t rmemEnd) {
    s_storage.rmemStart = rmemStart;
    s_storage.rmemEnd = rmemEnd;
}
 
bool gpg_storage_ready(void) { return s_storage.ready; }
uint8_t gpg_storage_sig_slot(void) { return s_storage.sigSlot; }
uint8_t gpg_storage_dec_slot(void) { return s_storage.decSlot; }
uint8_t gpg_storage_aut_slot(void) { return s_storage.autSlot; }

static bool save_slot_encrypted(uint16_t slot_id,
                                const uint8_t magic[MAGIC_SIZE],
                                const uint8_t* payload, size_t payload_len,
                                uint8_t* record_buf, size_t record_buf_len,
                                const char* pin) {
    auto* se = get_se();
    if (!se) return false;
    if (record_buf_len < MAGIC_SIZE + NONCE_SIZE + payload_len + TAG_SIZE) return false;
 
    uint8_t pin_hash[32];
    bool have_pin = (pin && pin[0] != '\0');
    if (have_pin && !pin_to_hash(pin, pin_hash)) {
        mbedtls_platform_zeroize(pin_hash, sizeof(pin_hash));
        return false;
    }
 
    uint8_t enc_key[32];
    bool ok = derive_storage_key(slot_id, have_pin ? pin_hash : nullptr, enc_key);
    mbedtls_platform_zeroize(pin_hash, sizeof(pin_hash));
    if (!ok) {
        secureWipe(enc_key);
        return false;
    }
 
    uint8_t* p_magic = record_buf;
    uint8_t* p_nonce = record_buf + MAGIC_SIZE;
    uint8_t* p_ct    = record_buf + MAGIC_SIZE + NONCE_SIZE;
    uint8_t* p_tag   = p_ct + payload_len;
 
    memcpy(p_magic, magic, MAGIC_SIZE);
    if (!se->getRandomStrict(p_nonce, NONCE_SIZE)) {
        secureWipe(enc_key);
        LOG_E(TAG, "Cannot get hardware entropy for nonce on slot %u", slot_id);
        return false;
    }
 
    uint8_t aad[6];
    build_aad(slot_id, magic, aad);
 
    bool enc_ok = cdc::core::aesGcm256Seal(
        enc_key, p_nonce, NONCE_SIZE,
        aad, sizeof(aad),
        payload, payload_len,
        p_ct, p_tag);
    secureWipe(enc_key);
    if (!enc_ok) {
        LOG_E(TAG, "GCM encrypt failed");
        return false;
    }
 
    se->rmemErase(slot_id);
    size_t total_len = MAGIC_SIZE + NONCE_SIZE + payload_len + TAG_SIZE;
    if (se->rmemWrite(slot_id, record_buf, static_cast<uint16_t>(total_len)) != cdc::hal::SeResult::OK) {
        LOG_E(TAG, "rmemWrite slot %u failed", slot_id);
        return false;
    }
    return true;
}

static bool load_slot_decrypted(uint16_t slot_id,
                                const uint8_t magic[MAGIC_SIZE],
                                uint8_t* payload_out, size_t payload_len,
                                const char* pin) {
    auto* se = get_se();
    if (!se) return false;
 
    uint8_t buf[128];
    uint16_t buf_len = 0;
    size_t expected = MAGIC_SIZE + NONCE_SIZE + payload_len + TAG_SIZE;
    if (expected > sizeof(buf)) return false;
 
    if (se->rmemRead(slot_id, buf, sizeof(buf), &buf_len) != cdc::hal::SeResult::OK || buf_len < expected) {
        return false;
    }
    if (memcmp(buf, magic, MAGIC_SIZE) != 0) {
        return false;
    }
 
    uint8_t pin_hash[32];
    bool have_pin = (pin && pin[0] != '\0');
    if (have_pin && !pin_to_hash(pin, pin_hash)) {
        mbedtls_platform_zeroize(pin_hash, sizeof(pin_hash));
        mbedtls_platform_zeroize(buf, sizeof(buf));
        return false;
    }
 
    uint8_t dec_key[32];
    bool ok = derive_storage_key(slot_id, have_pin ? pin_hash : nullptr, dec_key);
    mbedtls_platform_zeroize(pin_hash, sizeof(pin_hash));
    if (!ok) {
        secureWipe(dec_key);
        mbedtls_platform_zeroize(buf, sizeof(buf));
        return false;
    }
 
    const uint8_t* p_nonce = buf + MAGIC_SIZE;
    const uint8_t* p_ct    = buf + MAGIC_SIZE + NONCE_SIZE;
    const uint8_t* p_tag   = p_ct + payload_len;
 
    uint8_t aad[6];
    build_aad(slot_id, magic, aad);
 
    bool dec_ok = cdc::core::aesGcm256Open(
        dec_key, p_nonce, NONCE_SIZE,
        aad, sizeof(aad),
        p_ct, payload_len,
        p_tag, payload_out);
    secureWipe(dec_key);
    mbedtls_platform_zeroize(buf, sizeof(buf));
    if (!dec_ok) {
        mbedtls_platform_zeroize(payload_out, payload_len);
        return false;
    }
    return true;
}
 
bool gpg_storage_save_dec_privkey(const uint8_t* privkey, const char* pin) {
    if (!privkey) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_DEC_KEY);
    uint8_t record[DEC_TOTAL_SIZE];
    bool ok = save_slot_encrypted(slot, DEC_KEY_MAGIC, privkey, PRIVKEY_SIZE,
                                  record, sizeof(record), pin);
    secureWipe(record);
    if (ok) {
        LOG_I(TAG, "Saved DEC private key (slot %u)", slot);
    }
    return ok;
}
 
bool gpg_storage_load_dec_privkey(uint8_t* privkey_out, const char* pin) {
    if (!privkey_out) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_DEC_KEY);
    return load_slot_decrypted(slot, DEC_KEY_MAGIC, privkey_out, PRIVKEY_SIZE, pin);
}
 
bool gpg_storage_has_dec_privkey(void) {
    auto* se = get_se();
    if (!se) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_DEC_KEY);
    uint8_t buf[DEC_TOTAL_SIZE];
    uint16_t buf_len = 0;
    if (se->rmemRead(slot, buf, sizeof(buf), &buf_len) != cdc::hal::SeResult::OK || buf_len < MAGIC_SIZE) {
        return false;
    }
    return memcmp(buf, DEC_KEY_MAGIC, MAGIC_SIZE) == 0;
}
 
bool gpg_storage_delete_dec_privkey(void) {
    auto* se = get_se();
    if (!se) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_DEC_KEY);
    return se->rmemErase(slot) == cdc::hal::SeResult::OK;
}
 
bool gpg_storage_save_aes_key(const uint8_t* key, size_t key_len, const char* pin) {
    if (!key) return false;
    if (key_len != 16 && key_len != 32) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_AES_KEY);
 
    uint8_t payload[AES_RECORD_PAYLOAD];
    payload[0] = static_cast<uint8_t>(key_len);
    memcpy(payload + 1, key, key_len);
    if (key_len < AES_MAX_KEY_SIZE) {
        memset(payload + 1 + key_len, 0, AES_MAX_KEY_SIZE - key_len);
    }
 
    uint8_t record[AES_TOTAL_SIZE];
    bool ok = save_slot_encrypted(slot, AES_KEY_MAGIC, payload, sizeof(payload),
                                  record, sizeof(record), pin);
    secureWipe(payload);
    secureWipe(record);
    if (ok) {
        LOG_I(TAG, "Saved AES key (slot %u, %zu bytes)", slot, key_len);
    }
    return ok;
}
 
bool gpg_storage_load_aes_key(uint8_t* key_out, size_t* key_len_out, const char* pin) {
    if (!key_out || !key_len_out) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_AES_KEY);
 
    uint8_t payload[AES_RECORD_PAYLOAD];
    if (!load_slot_decrypted(slot, AES_KEY_MAGIC, payload, sizeof(payload), pin)) {
        return false;
    }
    size_t len = payload[0];
    if (len != 16 && len != 32) {
        secureWipe(payload);
        return false;
    }
    memcpy(key_out, payload + 1, len);
    *key_len_out = len;
    secureWipe(payload);
    return true;
}
 
bool gpg_storage_has_aes_key(void) {
    auto* se = get_se();
    if (!se) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_AES_KEY);
    uint8_t buf[MAGIC_SIZE];
    uint16_t buf_len = 0;
    if (se->rmemRead(slot, buf, sizeof(buf), &buf_len) != cdc::hal::SeResult::OK || buf_len < MAGIC_SIZE) {
        return false;
    }
    return memcmp(buf, AES_KEY_MAGIC, MAGIC_SIZE) == 0;
}
 
bool gpg_storage_delete_aes_key(void) {
    auto* se = get_se();
    if (!se) return false;
    uint16_t slot = resolve_slot(RMEM_SLOT_AES_KEY);
    return se->rmemErase(slot) == cdc::hal::SeResult::OK;
}
 
void gpg_storage_set_session_pin(const char* pin) {
    if (!pin) {
        gpg_storage_clear_session();
        return;
    }
    uint8_t hash[32];
    if (pin_to_hash(pin, hash)) {
        memcpy(s_storage.sessionKey, hash, sizeof(hash));
        s_storage.sessionActive = true;
    }
    mbedtls_platform_zeroize(hash, sizeof(hash));
}
 
bool gpg_storage_get_session_key(uint8_t* key_out) {
    if (!s_storage.sessionActive || !key_out) {
        return false;
    }
    memcpy(key_out, s_storage.sessionKey, 32);
    return true;
}
 
void gpg_storage_clear_session(void) {
    mbedtls_platform_zeroize(s_storage.sessionKey, sizeof(s_storage.sessionKey));
    s_storage.sessionActive = false;
}