Add support for passing ECC508 key slot and cert. byte array + length in constructor

sandeepmistry · sandeepmistry · commit 9c217628ef12 · 2017-12-14T15:19:14.000-05:00
diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp
@@ -9,6 +9,24 @@
 BearSSLClient::BearSSLClient(Client& client) :
   _client(&client)
 {
+  _ecKey.curve = 0;
+  _ecKey.x = NULL;
+  _ecKey.xlen = 0;
+
+  _ecCert.data = NULL;
+  _ecCert.data_len = 0;
+}
+
+BearSSLClient::BearSSLClient(Client& client, int ecc508KeySlot, const byte cert[], int certLength) :
+  BearSSLClient(client)
+{
+  // HACK: put the key slot info. in the br_ec_private_key structure
+  _ecKey.curve = 23;
+  _ecKey.x = (unsigned char*)ecc508KeySlot;
+  _ecKey.xlen = 32;
+
+  _ecCert.data = (unsigned char*)cert;
+  _ecCert.data_len = certLength;
 }
 
 BearSSLClient::~BearSSLClient()
@@ -166,7 +184,10 @@ int BearSSLClient::connectSSL(const char* host)
     br_ssl_engine_set_ecdsa(&_sc.eng, ecc508_vrfy_asn1);
     br_x509_minimal_set_ecdsa(&_xc, br_ssl_engine_get_ec(&_sc.eng), br_ssl_engine_get_ecdsa(&_sc.eng));
     
-    // br_ssl_client_set_single_ec(&_sc, CHAIN, CHAIN_LEN, &EC, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), ecc508_sign_asn1);
+    // enable client auth using the ECC508
+    if (_ecCert.data_len && _ecKey.xlen) {
+      br_ssl_client_set_single_ec(&_sc, &_ecCert, 1, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), ecc508_sign_asn1);
+    }
   } else {
     // no ECC508 or random failed, fallback to pseudo random
     for (size_t i = 0; i < sizeof(entropy); i++) {
diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h
@@ -10,6 +10,7 @@ class BearSSLClient : public Client {
 
 public:
   BearSSLClient(Client& client);
+  BearSSLClient(Client& client, int ecc508KeySlot, const byte cert[], int certLength);
   virtual ~BearSSLClient();
 
   virtual int connect(IPAddress ip, uint16_t port);
@@ -34,6 +35,8 @@ class BearSSLClient : public Client {
 
 private:
   Client* _client;
+  br_ec_private_key _ecKey;
+  br_x509_certificate _ecCert;
 
   br_ssl_client_context _sc;
   br_x509_minimal_context _xc;
diff --git a/src/utility/ecc508_sign_asn1.cpp b/src/utility/ecc508_sign_asn1.cpp
@@ -17,7 +17,7 @@ ecc508_sign_asn1(const br_ec_impl * /*impl*/,
     return 0;
   }
 
-  if (!ECC508.ecSign(0, (const uint8_t*)hash_value, (uint8_t*)rsig)) {
+  if (!ECC508.ecSign((int)(sk->x), (const uint8_t*)hash_value, (uint8_t*)rsig)) {
     return 0;
   }
   sig_len = 64;

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ ecc508_sign_asn1(const br_ec_impl * /impl/,`
`17`	`17`	`return 0;`
`18`	`18`	`}`
`19`	`19`
`20`		`- if (!ECC508.ecSign(0, (const uint8_t)hash_value, (uint8_t)rsig)) {`
	`20`	`+ if (!ECC508.ecSign((int)(sk->x), (const uint8_t)hash_value, (uint8_t)rsig)) {`
`21`	`21`	`return 0;`
`22`	`22`	`}`
`23`	`23`	`sig_len = 64;`