From 6dd47dc2d93148dc0231c88f02696dbbf81365a6 Mon Sep 17 00:00:00 2001
From: Edwin Heerschap
Date: Thu, 30 Mar 2023 16:03:31 +1030
Subject: [PATCH 1/3] Extended UID support

---
 libraries/provisioning/provisioning.c | 2 +-
 libraries/provisioning/provisioning.h | 1 +
 libraries/provisioning/provisioning_int.h | 4 +--
 .../provisioning_joining_node/config.yml | 19 +++++++++---
 .../config_insecure.yml | 19 ++++++++++++
 .../config_secure.yml | 20 ++++++++++++
 .../provisioning_joining_node/genConfigHex.py | 31 ++++++++++++-------
 .../storage_memarea.c | 7 +++--
 8 files changed, 80 insertions(+), 23 deletions(-)
 create mode 100644 source/unitary_apps/provisioning_joining_node/config_insecure.yml
 create mode 100644 source/unitary_apps/provisioning_joining_node/config_secure.yml

diff --git a/libraries/provisioning/provisioning.c b/libraries/provisioning/provisioning.c
index b8da2270..61c21acf 100644
--- a/libraries/provisioning/provisioning.c
+++ b/libraries/provisioning/provisioning.c
@@ -291,7 +291,7 @@ provisioning_res_e process_data_packet(void)
 }
 }
- else if (m_conf.method == PROV_METHOD_SECURED)
+ else if (m_conf.method == PROV_METHOD_SECURED || m_conf.method == PROV_METHOD_EXTENDED_UID)
 {
 if (pdu->data.key_index == 1)
 {
diff --git a/libraries/provisioning/provisioning.h b/libraries/provisioning/provisioning.h
index 16e06475..df0ee271 100644
--- a/libraries/provisioning/provisioning.h
+++ b/libraries/provisioning/provisioning.h
@@ -44,6 +44,7 @@ typedef enum
 {
 PROV_METHOD_UNSECURED = 0, /**< Unsecured provisioning method. */
 PROV_METHOD_SECURED = 1, /**< Secured provisioning method. */
+ PROV_METHOD_EXTENDED_UID = 3 /**< Extended UID provisioning method. */
 } provisioning_method_e;
 
 /**
diff --git a/libraries/provisioning/provisioning_int.h b/libraries/provisioning/provisioning_int.h
index 5c898446..538b4d63 100644
--- a/libraries/provisioning/provisioning_int.h
+++ b/libraries/provisioning/provisioning_int.h
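Review bot: The new enumerator is admitted to the secured branch by repeating the method comparison inline, and patch 3 in this series had to add the identical comparison in state_idle for the IV, which suggests the secured/unsecured decision is taken at several `m_conf.method == PROV_METHOD_SECURED` sites and every one that is missed runs an extended-UID node down the unsecured path for that step. A single predicate, e.g. in provisioning_int.h `static inline bool prov_method_is_secured(provisioning_method_e m) { return m == PROV_METHOD_SECURED || m == PROV_METHOD_EXTENDED_UID; }`, used here as `else if (prov_method_is_secured(m_conf.method))` and likewise in state_idle, makes the classification one place to audit. Other comparisons against `PROV_METHOD_SECURED` are not visible in this diff and would need the same check. process_data_packet starts and continues outside the hunk.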
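Review bot: The doc comment on `PROV_METHOD_EXTENDED_UID` only restates its name; since provisioning.c now routes it through the same key-index and IV handling as `PROV_METHOD_SECURED`, and config.yml in this patch describes its UID as a type/UID pair for the authenticator plus one for the node, the enumerator should carry that contract, e.g. `/**< Secured provisioning with an extended UID (authenticator UID type + UID and node UID type + UID); requires the factory key like PROV_METHOD_SECURED. */`. Value 2 is skipped without explanation; if it is reserved, a one-line comment saying so keeps the next addition from reusing it. Any range check or `switch` over `provisioning_method_e` elsewhere is outside this hunk and would have to accept 3.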
@@ -43,10 +43,10 @@
 #define PROV_DATA_MAX_USER_ID 255
 
 /** Network address for sending and receiving joining beacons */
-#define JOINING_NETWORK_ADDRESS 0x89d3b8 // "JBTX"
+#define JOINING_NETWORK_ADDRESS 0x9E4ADC // "JBTX"
 
 /** Network channel for sending and receiving joining beacons */
-#define JOINING_NETWORK_CHANNEL 4
+#define JOINING_NETWORK_CHANNEL 36
 
 /** Time to scan for joining beacons, in milliseconds.
 * \ref JOINING_RX_TIMEOUT and \ref JOINING_TX_INTERVAL needs to
diff --git a/source/unitary_apps/provisioning_joining_node/config.yml b/source/unitary_apps/provisioning_joining_node/config.yml
index 2157e48b..9b82725b 100644
--- a/source/unitary_apps/provisioning_joining_node/config.yml
+++ b/source/unitary_apps/provisioning_joining_node/config.yml
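Review bot: `JOINING_NETWORK_ADDRESS` and `JOINING_NETWORK_CHANNEL` change value here without any mention in the commit message, and the retained `// "JBTX"` comment presumably explained the previous constant, so it is now misleading. A joining node built with these values only hears beacons from a proxy using the same address and channel, so the reason for the change and the requirement that the proxy side match belong next to the definitions, e.g. `/** Network address for sending and receiving joining beacons; must match the proxy's joining network address */` with the stale string comment dropped, or the change split into its own commit.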
@@ -5,11 +5,20 @@
 # Format is:
 #
 # provisioning :
-# uid : Ex: test_node
-# factory_key : (32 bytes string, [0:15 Auth key][16:31 Enc Key]) Needed for sercured method.
-# method : (Unsecured:0 or Secured:1) Ex: 0
+# device_uid: (16 bytes string, Representing the UID of the device to be provisioned)
+# device_uid_type: (1 byte string, Representing the UID type of device_uid)
+# authenticator_uid: (16 bytes string, Representing the UID of the authenticator)
+# authenticator_uid_type: (1 byte string, Representing the UID type of authenticator_uid)
+# Instead of specifying uid components individually, you can specify the whole uid as follows:
+# uid: (34 bytes string, [0:1 device_uid_type][1:16 device_uid][16:17 authenticator_uid_type][17:33 authenticator_uid])
+# factory_key : (32 bytes string, [0:15 Auth key][16:31 Enc Key]) Needed for secured method.
+# method : (Unsecured:0, Secured:1, Extended:3) Ex: 0
 
 provisioning:
- uid: test_node
+ uid: 0x01 0xb3 0x43 0x33 0x00 0x93 0x81 0x08 0x4a 0x8d 0xb3 0xaa 0x9e 0x53 0xd2 0x2a 0x1e 0x01 0x7e 0x71 0xe5 0xd7 0x22 0xef 0x0f 0x4b 0xa8 0x7d 0x44 0xd4 0xe0 0xe5 0xb5 0x7d
+ node_uid: 0x7e 0x71 0xe5 0xd7 0x22 0xef 0x0f 0x4b 0xa8 0x7d 0x44 0xd4 0xe0 0xe5 0xb5 0x7d
+ node_uid_type: 0x01
+ authenticator_uid: 0xb3 0x43 0x33 0x00 0x93 0x81 0x08 0x4a 0x8d 0xb3 0xaa 0x9e 0x53 0xd2 0x2a 0x1e
+ authenticator_uid_type: 0x01
 factory_key : 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0X09 0X0A 0X0B 0X0C 0X0D 0X0E 0X0F 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0X09 0X0A 0X0B 0X0C 0X0D 0X0E 0X0F
- method: 1
+ method: 0x03
diff --git a/source/unitary_apps/provisioning_joining_node/config_insecure.yml b/source/unitary_apps/provisioning_joining_node/config_insecure.yml
new file mode 100644
index 00000000..a1f0265b
--- /dev/null
+++ b/source/unitary_apps/provisioning_joining_node/config_insecure.yml
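Review bot: The format comment documents `device_uid` and `device_uid_type`, but the example below and genConfigHex.py in this same patch read `node_uid` and `node_uid_type`, so a user following the comment gets the mandatory-field error. The documented layout `[0:1 device_uid_type][1:16 device_uid][16:17 authenticator_uid_type][17:33 authenticator_uid]` also contradicts the example `uid`, which places the authenticator type and UID first and the node type and UID last, matching the concatenation order in genConfigHex.py; the slice ranges do not add up to 34 bytes either. Suggest `# node_uid: (16 bytes string, UID of the device to be provisioned)`, `# node_uid_type: (1 byte string, UID type of node_uid)` and `# uid: (34 bytes string, [0:1 authenticator_uid_type][1:17 authenticator_uid][17:18 node_uid_type][18:34 node_uid])`. The `factory_key` note should add that the key is also needed for method 3, since provisioning.c handles the extended method on the secured path.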
@@ -0,0 +1,19 @@
+# This is an example file to customize a node running the provisioning joining node appliation
+
+# Hex array must start with 0x otherwise it is treated as a string.
+
+# Format is:
+#
+# provisioning :
+# device_uid: (16 bytes string, Representing the UID of the device to be provisioned)
+# device_uid_type: (1 byte string, Representing the UID type of device_uid)
+# authenticator_uid: (16 bytes string, Representing the UID of the authenticator)
+# authenticator_uid_type: (1 byte string, Representing the UID type of authenticator_uid)
+# Instead of specifying uid components individually, you can specify the whole uid as follows:
+# uid: (34 bytes string, [0:1 device_uid_type][1:16 device_uid][16:17 authenticator_uid_type][17:33 authenticator_uid])
+# factory_key : (32 bytes string, [0:15 Auth key][16:31 Enc Key]) Needed for secured method.
+# method : (Unsecured:0, Secured:1, Extended:3) Ex: 0
+
+provisioning:
+ uid: 0x41 0xb1 0x85 0x7a 0x0f 0xb6 0xb1 0x48 0xa5 0xe4 0xb9 0xb6 0x03 0x53 0x1b 0x3b
+ method: 0x00
diff --git a/source/unitary_apps/provisioning_joining_node/config_secure.yml b/source/unitary_apps/provisioning_joining_node/config_secure.yml
new file mode 100644
index 00000000..1965e4da
--- /dev/null
+++ b/source/unitary_apps/provisioning_joining_node/config_secure.yml
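Review bot: The header comment misspells `appliation` in this file, in config_secure.yml in the next section and in config.yml. More importantly for an example named "insecure", the file does not say what `method: 0x00` gives up: no `factory_key` is present, so neither the authentication key nor the encryption key documented for the secured method exists on the node. A line under the first comment, `# Unsecured method: no factory key is provisioned, so the exchange is not protected by a per-node authentication or encryption key.`, makes that explicit for whoever copies this file.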
@@ -0,0 +1,20 @@
+# This is an example file to customize a node running the provisioning joining node appliation
+
+# Hex array must start with 0x otherwise it is treated as a string.
+
+# Format is:
+#
+# provisioning :
+# device_uid: (16 bytes string, Representing the UID of the device to be provisioned)
+# device_uid_type: (1 byte string, Representing the UID type of device_uid)
+# authenticator_uid: (16 bytes string, Representing the UID of the authenticator)
+# authenticator_uid_type: (1 byte string, Representing the UID type of authenticator_uid)
+# Instead of specifying uid components individually, you can specify the whole uid as follows:
+# uid: (34 bytes string, [0:1 device_uid_type][1:16 device_uid][16:17 authenticator_uid_type][17:33 authenticator_uid])
+# factory_key : (32 bytes string, [0:15 Auth key][16:31 Enc Key]) Needed for secured method.
+# method : (Unsecured:0, Secured:1, Extended:3) Ex: 0
+
+provisioning:
+ uid: 0x58 0xc8 0x12 0xad 0x37 0xe8 0x36 0x4a 0xa1 0x1f 0x1c 0xbc 0x63 0x3e 0x8e 0x34
+ factory_key : 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0X09 0X0A 0X0B 0X0C 0X0D 0X0E 0X0F 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0X09 0X0A 0X0B 0X0C 0X0D 0X0E 0X0F
+ method: 0x01
diff --git a/source/unitary_apps/provisioning_joining_node/genConfigHex.py b/source/unitary_apps/provisioning_joining_node/genConfigHex.py
index 7092c730..39fd4bee 100644
--- a/source/unitary_apps/provisioning_joining_node/genConfigHex.py
+++ b/source/unitary_apps/provisioning_joining_node/genConfigHex.py
@@ -41,7 +41,7 @@ def to_bytes(param):
 else:
 param = bytes(param, 'utf-8')
 elif type(param) is int:
- param.to_bytes((param.bit_length() + 7) // 8, byteorder='big')
+ param = param.to_bytes(max(1, (param.bit_length() + 7) // 8), byteorder='big')
 else:
 if type(param) is str:
 if param.upper().startswith("0X"):
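Review bot: The assignment fix is correct, but `int.to_bytes` raises `OverflowError` for a negative value, and the only handler visible around its callers in `main` is `except KeyError`, so a typo like `method: -1` in the YAML ends in a traceback instead of a message. A guard before the conversion, `if param < 0: raise ValueError("cannot encode negative value %d" % param)`, with a matching `except ValueError` in `main`, turns that into a usable error. `to_bytes` starts and ends outside the hunk.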
@@ -79,7 +79,7 @@ def main(): provisioning.")) parser.add_argument("infilespec", - metavar="INFILESPEC", help="yml personalization file") + metavar="INFILESPEC", default="config.yml", help="yml personalization file") parser.add_argument("--output", "-o", metavar="OUTFILESPEC", help="The output file") @@ -116,7 +116,17 @@ def main(): return -1 try: - uid = to_bytes(cfg['provisioning']['uid']) + if "uid" in cfg['provisioning'].keys(): + uid = to_bytes(cfg['provisioning']["uid"]) + elif cfg['provisioning']["method"] == 3: + node_uid = to_bytes(cfg['provisioning']['node_uid']) + node_uid_type = to_bytes(cfg['provisioning']['node_uid_type']) + authenticator_uid = to_bytes(cfg['provisioning']['authenticator_uid']) + authenticator_uid_type = to_bytes(cfg['provisioning']['authenticator_uid_type']) + uid = authenticator_uid_type + authenticator_uid + node_uid_type + node_uid + else: + raise KeyError + method = to_bytes(cfg['provisioning']['method']) except KeyError: sys.stdout.write("%s: UID and Method are mandatory\n" % (pgmname)) @@ -126,14 +136,14 @@ def main(): except KeyError: key = b'' - sys.stdout.write("%s - UID: %s (len: %d)\n" % (pgmname, uid, len(uid))) + sys.stdout.write("%s - UID: %s (len: %d)\n" % (pgmname, uid.hex(), len(uid))) sys.stdout.write( "%s - KEY: %s (len: %d)\n" % (pgmname, "".join("{:02X}".format(to_int(x)) for x in key), len(key))) - sys.stdout.write("%s - Method: %d\n" % (pgmname, method)) + sys.stdout.write("%s - Method: %d\n" % (pgmname, int.from_bytes(method, byteorder='big'))) data = struct.pack(" Date: Mon, 3 Apr 2023 11:36:11 +0930 Subject: [PATCH 2/3] Documentation update --- source/unitary_apps/provisioning_joining_node/config.yml | 1 + .../provisioning_joining_node/config_insecure.yml | 9 ++------- .../provisioning_joining_node/config_secure.yml | 8 ++------ 3 files changed, 5 insertions(+), 13 deletions(-) 
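Review bot: `default="config.yml"` on the positional `infilespec` is dead: argparse still requires a positional argument unless `nargs="?"` is set, so invoking the tool without a file still fails with a usage error. Either add `nargs="?"` next to the default and mention the fallback in `help`, or drop the default so the signature does not promise something it does not do. `main` continues outside the hunk.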
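Review bot: The extended-UID branch concatenates the four components without checking their lengths, so a 15- or 17-byte `node_uid` or a two-byte type field is packed and written to the node silently, and a firmware that parses the fixed 1+16+1+16 layout described in config.yml would then read bytes from the wrong field (the parsing side is not in this diff). A check after the concatenation, `if len(uid) != 34 or len(node_uid_type) != 1 or len(authenticator_uid_type) != 1:` followed by `raise ValueError("extended UID components have wrong length")`, caught in `main` with its own message, fails at generation time instead. The `else: raise KeyError` path also reports "UID and Method are mandatory" when the component keys are present but `method` is not 3, which misdirects the user; a separate message for that case would help. `main` continues outside the hunk.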
diff --git a/source/unitary_apps/provisioning_joining_node/config.yml b/source/unitary_apps/provisioning_joining_node/config.yml
index 9b82725b..72635a8b 100644
--- a/source/unitary_apps/provisioning_joining_node/config.yml
+++ b/source/unitary_apps/provisioning_joining_node/config.yml
@@ -1,4 +1,5 @@
 # This is an example file to customize a node running the provisioning joining node appliation
+# using the ExtendedUID method.
 
 # Hex array must start with 0x otherwise it is treated as a string.
 
diff --git a/source/unitary_apps/provisioning_joining_node/config_insecure.yml b/source/unitary_apps/provisioning_joining_node/config_insecure.yml
index a1f0265b..5a4b4f2b 100644
--- a/source/unitary_apps/provisioning_joining_node/config_insecure.yml
+++ b/source/unitary_apps/provisioning_joining_node/config_insecure.yml
@@ -1,17 +1,12 @@
 # This is an example file to customize a node running the provisioning joining node appliation
+# using the insecure method.
 
 # Hex array must start with 0x otherwise it is treated as a string.
 
 # Format is:
 #
 # provisioning :
-# device_uid: (16 bytes string, Representing the UID of the device to be provisioned)
-# device_uid_type: (1 byte string, Representing the UID type of device_uid)
-# authenticator_uid: (16 bytes string, Representing the UID of the authenticator)
-# authenticator_uid_type: (1 byte string, Representing the UID type of authenticator_uid)
-# Instead of specifying uid components individually, you can specify the whole uid as follows:
-# uid: (34 bytes string, [0:1 device_uid_type][1:16 device_uid][16:17 authenticator_uid_type][17:33 authenticator_uid])
-# factory_key : (32 bytes string, [0:15 Auth key][16:31 Enc Key]) Needed for secured method.
+# uid: (bytes string, less than 79 bytes long)
 # method : (Unsecured:0, Secured:1, Extended:3) Ex: 0
 
 provisioning:
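Review bot: `less than 79 bytes long` introduces a limit that nothing else in this series names, and "less than" leaves open whether 78 or 79 is the maximum. State the bound precisely and point at the firmware constant that defines it (not visible in this diff), e.g. `# uid: (bytes string, at most 78 bytes; see the UID size limit in the provisioning library)`; the same line appears in config_secure.yml in the next section. The genConfigHex.py hunks in patch 1 do not enforce any UID length, so as far as this series shows this comment is the only guard a user sees.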
diff --git a/source/unitary_apps/provisioning_joining_node/config_secure.yml b/source/unitary_apps/provisioning_joining_node/config_secure.yml
index 1965e4da..d52968ce 100644
--- a/source/unitary_apps/provisioning_joining_node/config_secure.yml
+++ b/source/unitary_apps/provisioning_joining_node/config_secure.yml
@@ -1,16 +1,12 @@
 # This is an example file to customize a node running the provisioning joining node appliation
+# using the secure method.
 
 # Hex array must start with 0x otherwise it is treated as a string.
 
 # Format is:
 #
 # provisioning :
-# device_uid: (16 bytes string, Representing the UID of the device to be provisioned)
-# device_uid_type: (1 byte string, Representing the UID type of device_uid)
-# authenticator_uid: (16 bytes string, Representing the UID of the authenticator)
-# authenticator_uid_type: (1 byte string, Representing the UID type of authenticator_uid)
-# Instead of specifying uid components individually, you can specify the whole uid as follows:
-# uid: (34 bytes string, [0:1 device_uid_type][1:16 device_uid][16:17 authenticator_uid_type][17:33 authenticator_uid])
+# uid: (bytes string, less than 79 bytes long)
 # factory_key : (32 bytes string, [0:15 Auth key][16:31 Enc Key]) Needed for secured method.
 # method : (Unsecured:0, Secured:1, Extended:3) Ex: 0
 
From f6ba8524b101bce870f7ddc28d9496cc675e6761 Mon Sep 17 00:00:00 2001
From: Edwin Heerschap
Date: Thu, 6 Jul 2023 13:27:31 +0930
Subject: [PATCH 3/3] fix: IV initialized correctly when using extended UID method.

---
 libraries/provisioning/provisioning.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libraries/provisioning/provisioning.c b/libraries/provisioning/provisioning.c
index 61c21acf..2a3a0580 100644
--- a/libraries/provisioning/provisioning.c
+++ b/libraries/provisioning/provisioning.c
@@ -415,7 +415,7 @@ static uint32_t state_idle(void)
 /* Generate IV for Secured method. The same IV will be used even
 * for retries. */
- if (m_conf.method == PROV_METHOD_SECURED)
+ if (m_conf.method == PROV_METHOD_SECURED || m_conf.method == PROV_METHOD_EXTENDED_UID)
 {
 for(int i=0; i < AES_128_KEY_BLOCK_SIZE; i++)
 {