# # Copyright 2019 NXP # SPDX-License-Identifier: Apache-2.0 # """ Validation of ECDH with OpenSSL engine using EC keys This example showcases ECDH between openssl engine and openssl. Precondition: - Inject keys using ``openssl_provisionEC.py``. """ import argparse from openssl_util import * example_text = ''' Example invocation:: python %s --key_type prime256v1 python %s --key_type secp160k1 --connection_data 127.0.0.1:8050 ''' % (__file__, __file__,) def parse_in_args(): parser = argparse.ArgumentParser( description=__doc__, epilog=example_text, formatter_class=argparse.RawTextHelpFormatter) required = parser.add_argument_group('required arguments') optional = parser.add_argument_group('optional arguments') required.add_argument( '--key_type', default="", help='Supported key types => ``%s``' % ("``, ``".join(SUPPORTED_EC_KEY_TYPES)), required=True) optional.add_argument( '--connection_data', default="none", help='Parameter to connect to SE => eg. ``COM3``, ``127.0.0.1:8050``, ``none``. Default: ``none``') optional.add_argument( '--disable_sha1', default="False", help='Parameter to disable SHA1 => eg. ``True``, ``False``. Default: ``False``') optional.add_argument( '--output_dirname', default="output", help='Directory name of directory storing calculated signatures (used in case of concurrent invocation)') if len(sys.argv) == 1: parser.print_help(sys.stderr) return None args = parser.parse_args() if args.key_type not in SUPPORTED_EC_KEY_TYPES: parser.print_help(sys.stderr) return None if args.disable_sha1 not in ["True", "False"]: parser.print_help(sys.stderr) return None if args.connection_data.find(':') >= 0: port_data = args.connection_data.split(':') jrcp_host_name = port_data[0] jrcp_port = port_data[1] os.environ['JRCP_HOSTNAME'] = jrcp_host_name os.environ['JRCP_PORT'] = jrcp_port os.environ['EX_SSS_BOOT_SSS_PORT'] = args.connection_data log.info("JRCP_HOSTNAME: %s" % jrcp_host_name) log.info("JRCP_PORT: %s" % jrcp_port) log.info("EX_SSS_BOOT_SSS_PORT: %s" % args.connection_data) return args def main(): args = parse_in_args() if args is None: return keys_dir = os.path.join(cur_dir, '..', 'keys', args.key_type) output_dir = cur_dir + os.sep + args.output_dirname if not os.path.exists(output_dir): os.mkdir(output_dir) KEYPAIR_REF_0 = keys_dir + os.sep + "ecc_key_kp_0_ref.pem" KEYPAIR_0 = keys_dir + os.sep + "ecc_key_kp_0.pem" KEYPAIR_REF_1 = keys_dir + os.sep + "ecc_key_kp_1_ref.pem" KEYPAIR_1 = keys_dir + os.sep + "ecc_key_kp_1.pem" KEYPAIR_REF_2 = keys_dir + os.sep + "ecc_key_kp_2_ref.pem" KEYPAIR_2 = keys_dir + os.sep + "ecc_key_kp_2.pem" KEYPAIR_REF_3 = keys_dir + os.sep + "ecc_key_kp_3_ref.pem" KEYPAIR_3 = keys_dir + os.sep + "ecc_key_kp_3.pem" ECC_KEY_KP_A = keys_dir + os.sep + "ecc_key_kp_A.pem" ECC_KEY_KP_PUBONLY_A = keys_dir + os.sep + "ecc_key_kp_pubonly_A.pem" PUBKEY_0 = keys_dir + os.sep + "ecc_key_pub_pubonly_0.pem" PUBKEY_1 = keys_dir + os.sep + "ecc_key_pub_pubonly_1.pem" PUBKEY_2 = keys_dir + os.sep + "ecc_key_pub_pubonly_2.pem" ECC_KEY_PUB_A = keys_dir + os.sep + "ecc_key_pub_A.pem" ECC_KEY_PUB_PUBONLY_A = keys_dir + os.sep + "ecc_key_pub_pubonly_A.pem" SHARED_SECRET_HOST_0 = output_dir + os.sep + "ecdh_host_0.bin" SHARED_SECRET_ENGINE_0 = output_dir + os.sep + "ecdh_engine_0.bin" SHARED_SECRET_HOST_1 = output_dir + os.sep + "ecdh_host_1.bin" SHARED_SECRET_ENGINE_1 = output_dir + os.sep + "ecdh_engine_1.bin" SHARED_SECRET_HOST_2 = output_dir + os.sep + "ecdh_host_2.bin" SHARED_SECRET_ENGINE_2 = output_dir + os.sep + "ecdh_engine_2.bin" SHARED_SECRET_HANDOVER_A = output_dir + os.sep + "ecdh_handover_A.bin" SHARED_SECRET_HOST_A = output_dir + os.sep + "ecdh_host_A.bin" log.info("## Clean up %s, %s etc." % (SHARED_SECRET_HOST_0, SHARED_SECRET_ENGINE_0)) log.info("######################################################") if sys.platform.startswith("win"): run("del -f %s" % (SHARED_SECRET_HOST_0,)) run("del -f %s" % (SHARED_SECRET_ENGINE_0,)) run("del -f %s" % (SHARED_SECRET_HOST_1,)) run("del -f %s" % (SHARED_SECRET_ENGINE_1,)) run("del -f %s" % (SHARED_SECRET_HOST_2,)) run("del -f %s" % (SHARED_SECRET_ENGINE_2,)) run("del -f %s" % (SHARED_SECRET_HANDOVER_A,)) run("del -f %s" % (SHARED_SECRET_HOST_A,)) else: run("rm -f %s %s" % (SHARED_SECRET_HOST_0, SHARED_SECRET_ENGINE_0)) run("rm -f %s %s %s %s" % (SHARED_SECRET_HOST_1, SHARED_SECRET_ENGINE_1, SHARED_SECRET_HOST_2, SHARED_SECRET_ENGINE_2)) run("rm -f %s %s" % (SHARED_SECRET_HANDOVER_A, SHARED_SECRET_HOST_A)) log.info("## Do ECDH on Host (%s)" % (KEYPAIR_0,)) log.info("######################################") run("%s pkeyutl -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, KEYPAIR_0, PUBKEY_0, SHARED_SECRET_HOST_0)) log.info("## Do ECDH with Engine (%s)" % (KEYPAIR_REF_0,)) log.info("##############################################") run("%s pkeyutl -engine %s -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, openssl_engine, KEYPAIR_REF_0, PUBKEY_0, SHARED_SECRET_ENGINE_0)) log.info("## Confirm the two calculations are the same") log.info("############################################") compare(SHARED_SECRET_HOST_0, SHARED_SECRET_ENGINE_0) log.info("## Do ECDH on Host (%s) " % (KEYPAIR_1,)) log.info("############################################") run("%s pkeyutl -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, KEYPAIR_1, PUBKEY_1, SHARED_SECRET_HOST_1)) log.info("## Do ECDH with Engine (%s) " % (KEYPAIR_REF_1,)) log.info("############################################") run("%s pkeyutl -engine %s -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, openssl_engine, KEYPAIR_REF_1, PUBKEY_1, SHARED_SECRET_ENGINE_1)) compare(SHARED_SECRET_HOST_1, SHARED_SECRET_ENGINE_1) log.info("## Do ECDH on Host (%s) " % (KEYPAIR_2,)) log.info("############################################") run("%s pkeyutl -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, KEYPAIR_2, PUBKEY_2, SHARED_SECRET_HOST_2)) log.info("## Do ECDH with Engine (%s) " % (KEYPAIR_REF_2,)) log.info("############################################") run("%s pkeyutl -engine %s -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, openssl_engine, KEYPAIR_REF_2, PUBKEY_2, SHARED_SECRET_ENGINE_2)) compare(SHARED_SECRET_HOST_2, SHARED_SECRET_ENGINE_2) log.info("## #################################################################") log.info("## Validate Key Handover from Engine to OpenSSL SW implementation") log.info("## Do ECDH (%s) with Handover" % (ECC_KEY_KP_A)) log.info("## #################################") run("%s pkeyutl -engine %s -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, openssl_engine, ECC_KEY_KP_A, ECC_KEY_PUB_PUBONLY_A, SHARED_SECRET_HANDOVER_A)) log.info("## Do ECDH (%s) on Host" % (ECC_KEY_KP_A,)) log.info("## #################################") run("%s pkeyutl -inkey %s -peerkey %s -derive -hexdump -out %s" % (openssl, ECC_KEY_KP_A, ECC_KEY_PUB_PUBONLY_A, SHARED_SECRET_HOST_A)) compare(SHARED_SECRET_HOST_A, SHARED_SECRET_HANDOVER_A) log.info("##############################################################") log.info("# #") log.info("# Program completed successfully #") log.info("# #") log.info("##############################################################") if __name__ == '__main__': logging.basicConfig(level=logging.DEBUG) main()