Release v3.7.7 (20250213)

Author: Srinivas-E

CMakeLists.txt

@@ -1,11 +1,11 @@
-cmake_minimum_required(VERSION 3.1.0)
+cmake_minimum_required(VERSION 3.10.0)
 project (cryptoauthlib C)
 
 # Set the current release version
-set(VERSION "3.7.6")
+set(VERSION "3.7.7")
 set(VERSION_MAJOR 3)
 set(VERSION_MINOR 7)
-set(VERSION_PATCH 6)
+set(VERSION_PATCH 7)
 
 # Build Options
 option(BUILD_TESTS "Create Test Application with library" OFF)

README.md

@@ -8,12 +8,13 @@ device. The family of devices supported currently are:
 
 |CryptoAuth                                      |CryptoAuth2                               |
 |-----------------------------------------------:|:-----------------------------------------|
-|[ATECC608B](https://www.microchip.com/ATECC608B)|[ECC204](https://www.microchip.com/ECC204)|
-|[ATECC608A](http://www.microchip.com/ATECC608A) |[ECC206](https://www.microchip.com/ECC206)|
-|[ATECC508A](http://www.microchip.com/ATECC508A) |[SHA104](https://www.microchip.com/SHA104)|
-|[ATECC108A](http://www.microchip.com/ATECC108A) |[SHA105](https://www.microchip.com/SHA105)|
-|[ATSHA204A](http://www.microchip.com/ATSHA204A) |[SHA106](https://www.microchip.com/SHA106)|
-|[ATSHA206A](https://www.microchip.com/ATSHA206A)|[RNG90](https://www.microchip.com/RNG90)  |
+|[ATECC608C](https://www.microchip.com/ATECC608C)|[ECC204](https://www.microchip.com/ECC204)|
+|[ATECC608B](https://www.microchip.com/ATECC608B)|[ECC206](https://www.microchip.com/ECC206)|
+|[ATECC608A](http://www.microchip.com/ATECC608A) |[SHA104](https://www.microchip.com/SHA104)|
+|[ATECC508A](http://www.microchip.com/ATECC508A) |[SHA105](https://www.microchip.com/SHA105)|
+|[ATECC108A](http://www.microchip.com/ATECC108A) |[SHA106](https://www.microchip.com/SHA106)|
+|[ATSHA204A](http://www.microchip.com/ATSHA204A) |[RNG90](https://www.microchip.com/RNG90)  |
+|[ATSHA206A](https://www.microchip.com/ATSHA206A)|                                          |
 
 The best place to start is with the [Microchip Trust Platform](https://www.microchip.com/design-centers/security-ics/trust-platform)
 

app/tng/tflxtls_cert_def_4_device.c

@@ -29,6 +29,8 @@
 #include "tngtls_cert_def_1_signer.h"
 #include "tflxtls_cert_def_4_device.h"
 
+#if ATCACERT_COMPCERT_EN
+
 const uint8_t g_tflxtls_cert_template_4_device[500] = {
     0x30, 0x82, 0x01, 0xF0, 0x30, 0x82, 0x01, 0x97, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x55,
     0xCE, 0x2E, 0x8F, 0xF6, 0x1C, 0x62, 0x50, 0xB7, 0xE1, 0x68, 0x03, 0x54, 0x14, 0x1C, 0x94, 0x30,
@@ -177,3 +179,4 @@ const atcacert_def_t g_tflxtls_cert_def_4_device = {
     .cert_template_size  = (uint16_t)(sizeof(g_tflxtls_cert_template_4_device)),
     .ca_cert_def         = &g_tngtls_cert_def_1_signer
 };
+#endif

app/tng/tng_atca.c

@@ -35,6 +35,7 @@
 #include "tflxtls_cert_def_4_device.h"
 #include "atcacert/atcacert_def.h"
 
+#if ATCACERT_COMPCERT_EN
 
 typedef struct
 {
@@ -129,3 +130,5 @@ ATCA_STATUS tng_get_device_pubkey(uint8_t *public_key)
 
     return status;
 }
+
+#endif

app/tng/tng_atca.h

@@ -37,6 +37,11 @@ extern "C" {
 
 #define ATCA_OTP_CODE_SIZE              (8u)
 
+#if ((defined(ATCA_TNG_LEGACY_SUPPORT) || defined(ATCA_TFLEX_SUPPORT) ||                          \
+          defined(ATCA_TNGTLS_SUPPORT) || defined(ATCA_TNGLORA_SUPPORT)) && !ATCACERT_COMPCERT_EN)
+#error "Enable ATCACERT_COMPCERT_EN to handle TNG"
+#endif
+
 /** \defgroup tng_ TNG API (tng_)
  *
  * \brief These methods provide some convenience functions (mostly around

app/tng/tng_atcacert_client.c

@@ -32,6 +32,8 @@
 #include "tng_root_cert.h"
 #include <limits.h>
 
+#if ATCACERT_COMPCERT_EN
+
 int tng_atcacert_max_device_cert_size(size_t* max_cert_size)
 {
     int ret = ATCACERT_E_WRONG_CERT_DEF;
@@ -48,10 +50,14 @@ int tng_atcacert_max_device_cert_size(size_t* max_cert_size)
             if (NULL != cert_def)
             {
                 ret = atcacert_max_cert_size(cert_def, &cert_size);
-                if (cert_size > *max_cert_size)
+                if (ATCACERT_E_SUCCESS == ret)
                 {
                     *max_cert_size = cert_size;
                 }
+                else
+                {
+                    break;
+                }
 
                 if (index < INT_MAX)
                 {
@@ -110,7 +116,7 @@ int tng_atcacert_read_device_cert(uint8_t* cert, size_t* cert_size, const uint8_
         }
     }
 
-    return atcacert_read_cert(cert_def, ca_public_key, cert, cert_size);
+    return atcacert_read_cert(cert_def, &ca_pubkey, cert, cert_size);
 }
 
 int tng_atcacert_device_public_key(uint8_t* public_key, uint8_t* cert)
@@ -159,7 +165,8 @@ int tng_atcacert_read_signer_cert(uint8_t* cert, size_t* cert_size)
 {
     int ret;
     const atcacert_def_t* cert_def = NULL;
-    const uint8_t* ca_public_key = NULL;
+    uint8_t* ca_public_key = NULL;
+    cal_buffer ca_pubkey = CAL_BUF_INIT(ATCA_ECCP256_PUBKEY_SIZE, NULL);
 
     ret = tng_get_device_cert_def(&cert_def);
     if (ATCA_SUCCESS == ret)
@@ -169,7 +176,8 @@ int tng_atcacert_read_signer_cert(uint8_t* cert, size_t* cert_size)
         // Get the CA (root) public key
         ca_public_key = &g_cryptoauth_root_ca_002_cert[CRYPTOAUTH_ROOT_CA_002_PUBLIC_KEY_OFFSET];
 
-        ret = atcacert_read_cert(cert_def, ca_public_key, cert, cert_size);
+        ca_pubkey.buf = ca_public_key;
+        ret = atcacert_read_cert(cert_def, &ca_pubkey, cert, cert_size);
     }
 
     return ret;
@@ -263,3 +271,5 @@ int tng_atcacert_root_public_key(uint8_t* public_key)
 
     return ATCACERT_E_SUCCESS;
 }
+
+#endif

app/tng/tnglora_cert_def_1_signer.c

@@ -29,6 +29,8 @@
 #include "tngtls_cert_def_1_signer.h"
 #include "tnglora_cert_def_1_signer.h"
 
+#if ATCACERT_COMPCERT_EN
+
 SHARED_LIB_EXPORT const atcacert_def_t g_tnglora_cert_def_1_signer = {
     .type                = CERTTYPE_X509,
     .template_id         = 1,
@@ -103,3 +105,5 @@ SHARED_LIB_EXPORT const atcacert_def_t g_tnglora_cert_def_1_signer = {
     .cert_template_size  = TNGTLS_CERT_TEMPLATE_1_SIGNER_SIZE,
     .ca_cert_def         = NULL
 };
+
+#endif

app/tng/tnglora_cert_def_2_device.c

@@ -31,6 +31,8 @@
 #include "tnglora_cert_def_1_signer.h"
 #include "tnglora_cert_def_2_device.h"
 
+#if ATCACERT_COMPCERT_EN
+
 SHARED_LIB_EXPORT const atcacert_def_t g_tnglora_cert_def_2_device = {
     .type                = CERTTYPE_X509,
     .template_id         = 2,
@@ -105,3 +107,5 @@ SHARED_LIB_EXPORT const atcacert_def_t g_tnglora_cert_def_2_device = {
     .cert_template_size  = TNGTLS_CERT_TEMPLATE_2_DEVICE_SIZE,
     .ca_cert_def         = &g_tnglora_cert_def_1_signer
 };
+
+#endif

app/tng/tnglora_cert_def_4_device.c

@@ -29,6 +29,8 @@
 #include "tnglora_cert_def_4_device.h"
 #include "tnglora_cert_def_1_signer.h"
 
+#if ATCACERT_COMPCERT_EN
+
 SHARED_LIB_EXPORT const uint8_t g_tnglora_cert_template_4_device[TNGLORA_CERT_TEMPLATE_4_DEVICE_SIZE] = {
     0x30, 0x82, 0x02, 0x24, 0x30, 0x82, 0x01, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x55,
     0xce, 0x2e, 0x8f, 0xf6, 0x1c, 0x62, 0x50, 0xb7, 0xe1, 0x68, 0x03, 0x54, 0x14, 0x1c, 0x94, 0x30,
@@ -198,3 +200,5 @@ SHARED_LIB_EXPORT const atcacert_def_t g_tnglora_cert_def_4_device = {
     .cert_template_size  = (uint16_t)(sizeof(g_tnglora_cert_template_4_device)),
     .ca_cert_def         = &g_tnglora_cert_def_1_signer
 };
+
+#endif

app/tng/tngtls_cert_def_1_signer.c

@@ -28,6 +28,8 @@
 #include "atcacert/atcacert_def.h"
 #include "tngtls_cert_def_1_signer.h"
 
+#if ATCACERT_COMPCERT_EN
+
 SHARED_LIB_EXPORT const uint8_t g_tngtls_cert_template_1_signer[TNGTLS_CERT_TEMPLATE_1_SIGNER_SIZE] = {
     0x30, 0x82, 0x02, 0x04, 0x30, 0x82, 0x01, 0xaa, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x44,
     0x0e, 0xe4, 0x17, 0x0c, 0xb5, 0x45, 0xce, 0x59, 0x69, 0x8e, 0x30, 0x56, 0x99, 0x0a, 0x5d, 0x30,
@@ -151,3 +153,5 @@ SHARED_LIB_EXPORT const atcacert_def_t g_tngtls_cert_def_1_signer = {
     .cert_template_size  = (uint16_t)(sizeof(g_tngtls_cert_template_1_signer)),
     .ca_cert_def         = NULL
 };
+
+#endif

app/tng/tngtls_cert_def_2_device.c

@@ -29,6 +29,8 @@
 #include "tngtls_cert_def_2_device.h"
 #include "tngtls_cert_def_1_signer.h"
 
+#if ATCACERT_COMPCERT_EN
+
 SHARED_LIB_EXPORT const uint8_t g_tngtls_cert_template_2_device[TNGTLS_CERT_TEMPLATE_2_DEVICE_SIZE] = {
     0x30, 0x82, 0x01, 0xf5, 0x30, 0x82, 0x01, 0x9b, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x55,
     0xce, 0x2e, 0x8f, 0xf6, 0x1c, 0x62, 0x50, 0xb7, 0xe1, 0x68, 0x03, 0x54, 0x14, 0x1c, 0x94, 0x30,
@@ -177,3 +179,5 @@ SHARED_LIB_EXPORT const atcacert_def_t g_tngtls_cert_def_2_device = {
     .cert_template_size  = (uint16_t)(sizeof(g_tngtls_cert_template_2_device)),
     .ca_cert_def         = &g_tngtls_cert_def_1_signer
 };
+
+#endif

app/tng/tngtls_cert_def_3_device.c

@@ -29,6 +29,8 @@
 #include "tngtls_cert_def_3_device.h"
 #include "tngtls_cert_def_1_signer.h"
 
+#if ATCACERT_COMPCERT_EN
+
 SHARED_LIB_EXPORT const uint8_t g_tngtls_cert_template_3_device[TNGTLS_CERT_TEMPLATE_3_DEVICE_SIZE] = {
     0x30, 0x82, 0x02, 0x1e, 0x30, 0x82, 0x01, 0xc5, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x55,
     0xce, 0x2e, 0x8f, 0xf6, 0x1c, 0x62, 0x50, 0xb7, 0xe1, 0x68, 0x03, 0x54, 0x14, 0x1c, 0x94, 0x30,
@@ -198,3 +200,5 @@ SHARED_LIB_EXPORT const atcacert_def_t g_tngtls_cert_def_3_device = {
     .cert_template_size  = (uint16_t)(sizeof(g_tngtls_cert_template_3_device)),
     .ca_cert_def         = &g_tngtls_cert_def_1_signer
 };
+
+#endif

app/wpc/wpc_apis.c

@@ -32,7 +32,7 @@
 
 #if WPC_MSG_PR_EN
 
-#define CA2_TRANSPORT_KEY		0x8000
+#define CA2_TRANSPORT_KEY       0x8000
 
 /** \brief WPC API - Builds the CHALLENGE message
  *
@@ -46,7 +46,7 @@ ATCA_STATUS wpc_msg_challenge(
     )
 {
     ATCA_STATUS status = ATCA_BAD_PARAM;
-    uint8_t nonce[32] = {0U};
+    uint8_t nonce[32] = { 0U };
 
     ATCA_CHECK_INVALID_MSG((!message || !msg_len), ATCA_BAD_PARAM, "NULL pointer received");
 
@@ -61,16 +61,16 @@ ATCA_STATUS wpc_msg_challenge(
     else
 #endif
     {
-        if(true == atcab_is_ca2_device(atcab_get_device_type_ext(device)))
+        if (true == atcab_is_ca2_device(atcab_get_device_type_ext(device)))
         {
 #if ATCA_CA2_SUPPORT
-            uint8_t num_in[20] = {0u};
-            status = ATCA_TRACE(calib_nonce_gen_session_key(device, CA2_TRANSPORT_KEY, num_in ,nonce), "atcab_nonce_rand failed");
+            uint8_t num_in[20] = { 0u };
+            status = ATCA_TRACE(calib_nonce_gen_session_key(device, CA2_TRANSPORT_KEY, num_in, nonce), "atcab_nonce_rand failed");
 #endif
         }
         else
         {
-#if ATCA_ECC_SUPPORT
+#if (ATCA_ECC_SUPPORT || ATCA_TA_SUPPORT)
             status = ATCA_TRACE(atcab_random_ext(device, nonce), "atcab_random failed");
 #endif
         }
@@ -181,12 +181,12 @@ ATCA_STATUS wpc_msg_challenge_auth(
     response[0] = WPC_CHALLENGE_AUTH_HEADER;
     response[1] = (WPC_PROTOCOL_MAX_VERSION << 4) | wpccert_get_slots_populated();
 
-    if (ATCA_SUCCESS != (status = wpccert_get_slot_info(&handle, &cert_def, NULL, NULL, slot)))
+    if (ATCA_SUCCESS != (status = wpccert_get_slot_info(&handle, &cert_def, NULL, NULL, NULL, slot)))
     {
         return wpc_msg_error(response, resp_len, WPC_ERROR_INVALID_REQUEST, 0);
     }
 
-    if(NULL == cert_def)
+    if (NULL == cert_def)
     {
         status = ATCA_TRACE(ATCA_BAD_PARAM, "NULL pointer received for cert def");
         return status;
@@ -238,7 +238,7 @@ ATCA_STATUS wpc_msg_digests(
         uint8_t slot_mask = (1 << slot);
         if (request[1] & slot_mask)
         {
-            if (ATCA_SUCCESS == wpccert_get_slot_info(&handle, NULL, NULL, NULL, slot))
+            if (ATCA_SUCCESS == wpccert_get_slot_info(&handle, NULL, NULL, NULL, NULL, slot))
             {
                 if (ATCA_SUCCESS != (status = atcab_read_bytes_zone_ext(device, ATCA_ZONE_DATA, handle, 0,
                                                                         digest, ATCA_SHA256_DIGEST_SIZE)))
@@ -288,18 +288,32 @@ ATCA_STATUS wpc_msg_certificate(
     uint16_t length;
     uint8_t * data;
     const atcacert_def_t * cert_def;
-    uint8_t* mfg_cert;
-    uint8_t root_digest[32] = {0};
+    uint8_t* mfg_cert = NULL;
+    uint8_t root_digest[32] = { 0 };
+    uint16_t root_digest_handle = 0;
 
     ATCA_CHECK_INVALID_MSG((!buffer || !request || !response || !resp_len),
                            ATCA_BAD_PARAM, "NULL pointer received");
 
-    if (ATCA_SUCCESS != (status = wpccert_get_slot_info(NULL, &cert_def, &mfg_cert, root_digest, request[1] & 0x03)))
+#if (ATCA_TA_SUPPORT)
+    if (ATCA_SUCCESS != (status = wpccert_get_slot_info(NULL, &cert_def, NULL, NULL, &root_digest_handle, request[1] & 0x03)))
+#else
+    if (ATCA_SUCCESS != (status = wpccert_get_slot_info(NULL, &cert_def, &mfg_cert, root_digest, NULL, request[1] & 0x03)))
+#endif
     {
         return wpc_msg_error(response, resp_len, WPC_ERROR_INVALID_REQUEST, 0);
     }
 
-    if(NULL == cert_def)
+#if ATCA_TA_SUPPORT
+    if (ATCA_SUCCESS != (status = atcab_read_bytes_zone_ext(device, ATCA_ZONE_DATA, root_digest_handle, 0,
+                                                            root_digest, ATCA_SHA256_DIGEST_SIZE)))
+    {
+        ATCA_TRACE(status, "atcab_read_bytes_zone execution failed");
+        return wpc_msg_error(response, resp_len, WPC_ERROR_UNSPECIFIED, 0);
+    }
+#endif
+
+    if (NULL == cert_def)
     {
         status = ATCA_TRACE(ATCA_BAD_PARAM, "NULL pointer received for Product cert def");
         return status;
@@ -331,10 +345,10 @@ ATCA_STATUS wpc_msg_certificate(
     /* Get the product certificate length if the read will include it or the total chain length */
     if ((length == 0) || (offset < 2) || ((WPC_CONST_OS_MC < offset) && ((0x600 <= offset) || (n_mc < offset + length))))
     {
-        if(ATCA_SUCCESS != wpccert_read_cert_size(device, cert_def, &n_puc))
+        if (ATCA_SUCCESS != wpccert_read_cert_size(device, cert_def, &n_puc))
         {
-           	status = ATCA_TRACE(status, "wpccert_read_cert_size execution is failed for pdu cert");
-           	return status;
+            status = ATCA_TRACE(status, "wpccert_read_cert_size execution is failed for pdu cert");
+            return status;
         }
     }
     ATCA_CHECK_INVALID_MSG((n_puc > buflen || n_mc > buflen), ATCA_SMALL_BUFFER, "temporary buffer is too small for certificates");
@@ -394,7 +408,7 @@ ATCA_STATUS wpc_msg_certificate(
         {
             uint16_t mc_length = length < n_mc ? length : n_mc;
 
-            if((NULL != mfg_cert) && (NULL == cert_def->ca_cert_def))
+            if ((NULL != mfg_cert) && (NULL == cert_def->ca_cert_def))
             {
                 memcpy(buffer, mfg_cert, mc_length);
             }
@@ -459,12 +473,12 @@ ATCA_STATUS wpc_msg_certificate(
  *  \return ATCA_SUCCESS on success, otherwise an error code.
  */
 ATCA_STATUS wpc_auth_signature(
-    ATCADevice     device,           /**< [in] Device Context */
-    const uint8_t *chain_digest,     /**< [in] WPC Authentication Cert Chain digest*/
-    const uint16_t private_key_slot, /**< [in] WPC Authentication private key slot*/
-    const uint8_t *request,          /**< [in] WPC authentication challenge request from host */
-    const uint8_t *other_data,       /**< [in] Challegen response b0, b1 and Digest LSB*/
-    uint8_t *const signature         /**< [out] Signature for WPC authentication TBS */
+    ATCADevice      device,             /**< [in] Device Context */
+    const uint8_t * chain_digest,       /**< [in] WPC Authentication Cert Chain digest*/
+    const uint16_t  private_key_slot,   /**< [in] WPC Authentication private key slot*/
+    const uint8_t * request,            /**< [in] WPC authentication challenge request from host */
+    const uint8_t * other_data,         /**< [in] Challegen response b0, b1 and Digest LSB*/
+    uint8_t *const  signature           /**< [out] Signature for WPC authentication TBS */
     )
 {
     ATCA_STATUS status;