From fe7b23e0e63fff367e5f13aef23e1ae5dfa3e2ac Mon Sep 17 00:00:00 2001 From: wyhong Date: Mon, 26 Aug 2024 14:39:06 +0800 Subject: [PATCH] fix restyle --- .../guides/bouffalolab/matter_factory_data.md | 231 ++++++++++-------- examples/lighting-app/bouffalolab/README.md | 9 +- .../bouffalolab/generate_factory_data.py | 59 +++-- 3 files changed, 160 insertions(+), 139 deletions(-) diff --git a/docs/guides/bouffalolab/matter_factory_data.md b/docs/guides/bouffalolab/matter_factory_data.md index dc8a95d4bef514..eeb5fe0cc6149b 100644 --- a/docs/guides/bouffalolab/matter_factory_data.md +++ b/docs/guides/bouffalolab/matter_factory_data.md @@ -1,18 +1,19 @@ # Introduction to Matter factory data -Each Matter device should have it own unique factory data manufactured. +Each Matter device should have it own unique factory data manufactured. This guide demonstrates what `Bouffalo Lab` provides to support factory data: -- credential factory data protected by hardware security engine -- reference tool to generate factory data -- tool/method to program factory data +- credential factory data protected by hardware security engine +- reference tool to generate factory data +- tool/method to program factory data # Matter factory data ## How to enable -One dedicate flash region allocates for factory data as below which is read-only for firmware. +One dedicate flash region allocates for factory data as below which is read-only +for firmware. ```toml name = "MFD" @@ -20,7 +21,8 @@ address0 = 0x3FE000 size0 = 0x1000 ``` -To enable matter factory data feature, please append `-mfd` option at end of target name. Take BL616 Wi-Fi Matter Light as example. +To enable matter factory data feature, please append `-mfd` option at end of +target name. Take BL616 Wi-Fi Matter Light as example. ``` ./scripts/build/build_examples.py --target bouffalolab-bl616dk-light-wifi-mfd build 
@@ -30,13 +32,15 @@ To enable matter factory data feature, please append `-mfd` option at end of tar This flash region is divided to two parts: -- One is plain text data, such as Vendor ID, Product ID, Serial number and so on. +- One is plain text data, such as Vendor ID, Product ID, Serial number and so + on. - > For development/test purpose, all data can put in plain text data. + > For development/test purpose, all data can put in plain text data. -- Other is cipher text data, such as private key for device attestation data. +- Other is cipher text data, such as private key for device attestation data. - `Bouffalo Lab` provides hardware security engine to decrypt this part data with **only hardware access** efuse key. + `Bouffalo Lab` provides hardware security engine to decrypt this part data + with **only hardware access** efuse key. Current supported data 
@@ -55,13 +59,19 @@ Current supported data - Serial Number - Unique identifier -> Note, it is available to add customer/product own information in factory data, please reference to `bl_mfd.h`/`bl_mfd.c` in SDK and reference generation script [generate_factory_data.py](../../../scripts/tools/bouffalolab/generate_factory_data.py) +> Note, it is available to add customer/product own information in factory data, +> please reference to `bl_mfd.h`/`bl_mfd.c` in SDK and reference generation +> script +> [generate_factory_data.py](../../../scripts/tools/bouffalolab/generate_factory_data.py) # Generate Matter factory data -Script tool [generate_factory_data.py](../../../scripts/tools/bouffalolab/generate_factory_data.py) call `chip-cert` to generate test certificates and verify certificates. +Script tool +[generate_factory_data.py](../../../scripts/tools/bouffalolab/generate_factory_data.py) +call `chip-cert` to generate test certificates and verify certificates. -Please run below command to compile `chip-cert` tool under `connnectedhomeip` repo. +Please run below command to compile `chip-cert` tool under `connnectedhomeip` +repo. ```shell ./scripts/build/build_examples.py --target linux-x64-chip-cert build 
@@ -69,154 +79,169 @@ Please run below command to compile `chip-cert` tool under `connnectedhomeip` re ## Command options -- `--cd`, certificate declare +- `--cd`, certificate declare - If not specified, `Chip-Test-CD-Signing-Cert.pem` and `Chip-Test-CD-Signing-Key.pem` will sign a test certificate declare for development and test purpose + If not specified, `Chip-Test-CD-Signing-Cert.pem` and + `Chip-Test-CD-Signing-Key.pem` will sign a test certificate declare for + development and test purpose -- `--pai_cert` and `--pai-key`, PAI certificate and PAI private key +- `--pai_cert` and `--pai-key`, PAI certificate and PAI private key - If not specified, `Chip-Test-PAI-FFF1-8000-Cert.pem` and `Chip-Test-PAI-FFF1-8000-Key.pem` will be used for development and test purpose. + If not specified, `Chip-Test-PAI-FFF1-8000-Cert.pem` and + `Chip-Test-PAI-FFF1-8000-Key.pem` will be used for development and test + purpose. -- `--dac_cert` and `--dac_key`, DAC certificate and DAC private key. +- `--dac_cert` and `--dac_key`, DAC certificate and DAC private key. - If not specified, script will use PAI certificate and key specified by`--pai_cert` and `--pai-key` to generate DAC certificate and private key for development and test prupose. + If not specified, script will use PAI certificate and key specified + by`--pai_cert` and `--pai-key` to generate DAC certificate and private key + for development and test prupose. -- `--discriminator`, discriminator ID +- `--discriminator`, discriminator ID - If not specified, script will generate for user. + If not specified, script will generate for user. -- `--passcode`, passcode +- `--passcode`, passcode - If not specified, script will generate for user. + If not specified, script will generate for user. -- `--spake2p_it` and `--spake2p_salt` +- `--spake2p_it` and `--spake2p_salt` - If not specified, script will generate and calculate verifier for user. + If not specified, script will generate and calculate verifier for user. 
Please reference to `--help` for more detail. ## Generate with default test certificates -- Run following command to generate all plain text factory data +- Run following command to generate all plain text factory data - ```shell - ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert - ``` + ```shell + ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert + ``` -- Run following command to generate factory data which encrypt private of device attestation data +- Run following command to generate factory data which encrypt private of + device attestation data - ```shell - ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --key - ``` - - > An example of hex string of 16 bytes: 12345678123456781234567812345678 + ```shell + ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --key + ``` + + > An example of hex string of 16 bytes: 12345678123456781234567812345678 After command executes successfully, the output folder will has files as below: -- Test certificate declare file which file name ends with `cd.der` +- Test certificate declare file which file name ends with `cd.der` - If user wants to reuse CD generated before, please specify CD with option `--cd` as below. + If user wants to reuse CD generated before, please specify CD with option + `--cd` as below. - ```shell - ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --cd - ``` + ```shell + ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --cd + ``` -- Test DAC certificate and DAC certificate key which file names ends with `dac_cert.pem` and `dac_key.pem` separately. +- Test DAC certificate and DAC certificate key which file names ends with + `dac_cert.pem` and `dac_key.pem` separately. -- QR code picture which file name ends with `onboard.png` -- On board information which file name ends with `onboard.txt` -- Matter factory data which file name ends with `mfd.bin`. 
+- QR code picture which file name ends with `onboard.png` +- On board information which file name ends with `onboard.txt` +- Matter factory data which file name ends with `mfd.bin`. ## Generate with self-defined PAA/PAI certificates -Self-defined PAA/PAI certificates may use in development and test scenario. But, user should know it has limit to work with real ecosystem. +Self-defined PAA/PAI certificates may use in development and test scenario. But, +user should know it has limit to work with real ecosystem. -- Export environment variables in terminal for easy operations +- Export environment variables in terminal for easy operations - ``` - export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string - export TEST_CERT_CN=BFLB # Common Name - ``` + ``` + export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string + export TEST_CERT_CN=BFLB # Common Name + ``` -- Generate PAA certificate and key to `out/cert` folder. +- Generate PAA certificate and key to `out/cert` folder. - ```shell - mkdir out/test-cert - ./out/linux-x64-chip-cert/chip-cert gen-att-cert --type a --subject-cn "${TEST_CERT_CN} PAA 01" --valid-from "2020-10-15 14:23:43" --lifetime 7305 --out-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --subject-vid ${TEST_CERT_VENDOR_ID} - ``` + ```shell + mkdir out/test-cert + ./out/linux-x64-chip-cert/chip-cert gen-att-cert --type a --subject-cn "${TEST_CERT_CN} PAA 01" --valid-from "2020-10-15 14:23:43" --lifetime 7305 --out-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --subject-vid ${TEST_CERT_VENDOR_ID} + ``` -- Convert PAA PEM format file to PAA DER format file +- Convert PAA PEM format file to PAA DER format file - ```shell - ./out/linux-x64-chip-cert/chip-cert convert-cert -d out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.der - ``` + ```shell + 
./out/linux-x64-chip-cert/chip-cert convert-cert -d out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.der + ``` - > Please save this PAA DER format file which will be used by `chip-tool` during commissioning. + > Please save this PAA DER format file which will be used by `chip-tool` + > during commissioning. -- Generate PAI certificate and key: +- Generate PAI certificate and key: - ```shell - ./out/linux-x64-chip-cert/chip-cert gen-att-cert --type i --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-15 14:23:43" --lifetime 7305 --ca-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem - ``` + ```shell + ./out/linux-x64-chip-cert/chip-cert gen-att-cert --type i --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-15 14:23:43" --lifetime 7305 --ca-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem + ``` -- Generate MFD in plain text data +- Generate MFD in plain text data - ```shell - ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem - ``` + ```shell + ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem 
--pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem + ``` - > Appending `--key ` option to enable encrypt private key of attestation device data. + > Appending `--key ` option to enable encrypt + > private key of attestation device data. ## Generate with self-defined DAC certificate and key -Self-defined DAC certificates may use in development and test scenario. But, user should know it has limit to work with real ecosystem. - -- Export environment variables in terminal for easy operations +Self-defined DAC certificates may use in development and test scenario. But, +user should know it has limit to work with real ecosystem. - ``` - export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string - export TEST_CERT_PRODUCT_ID=1001 # Vendor ID hex string - export TEST_CERT_CN=BFLB # Common Name - ``` +- Export environment variables in terminal for easy operations -- Generate DAC certificate and key + ``` + export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string + export TEST_CERT_PRODUCT_ID=1001 # Vendor ID hex string + export TEST_CERT_CN=BFLB # Common Name + ``` - ```shell - out/linux-x64-chip-cert/chip-cert gen-att-cert --type d --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --subject-pid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-16 14:23:43" --lifetime 5946 --ca-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --out out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem - ``` +- Generate DAC certificate and key - > **Note**, `--valid-from` and `--lifetime` should be in `--valid-from` and `--lifetime` of PAI certificate. 
+ ```shell + out/linux-x64-chip-cert/chip-cert gen-att-cert --type d --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --subject-pid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-16 14:23:43" --lifetime 5946 --ca-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --out out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem + ``` -- Generate MFD in plain text data + > **Note**, `--valid-from` and `--lifetime` should be in `--valid-from` and + > `--lifetime` of PAI certificate. - ```shell - ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --dac_cert out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --dac_key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem - ``` +- Generate MFD in plain text data - > Appending `--key ` option to enable encrypt private key of attestation device data. + ```shell + ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --dac_cert out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --dac_key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem + ``` + > Appending `--key ` option to enable encrypt + > private key of attestation device data. # Program factory data -After each target built successfully, a flash programming python script will be generated under out folder. - -Take BL616 Wi-Fi Matter Light as example, `chip-bl616-lighting-example.flash.py` is using to program firmware, and also for factory data and factory decryption key. 
- - ```shell - /out/bouffalolab-bl616dk-light-wifi-mfd/chip-bl616-lighting-example.flash.py --port --mfd out/test-cert/ - ``` +After each target built successfully, a flash programming python script will be +generated under out folder. - > If mfd file has cipher text data, please append `--key ` option to program to this key to efuse. +Take BL616 Wi-Fi Matter Light as example, `chip-bl616-lighting-example.flash.py` +is using to program firmware, and also for factory data and factory decryption +key. -- Limits on BL IOT SDK - - If developer would like to program MFD with all plain text data, option `--key ` needs pass to script, otherwise, flash tool will raise an error. And SoC BL602, BL702 and BL702L use BL IOT SDK for Matter Application. - -Please free contact to `Bouffalo Lab` for DAC provider service and higher security solution, such as SoC inside certificate requesting. +```shell +/out/bouffalolab-bl616dk-light-wifi-mfd/chip-bl616-lighting-example.flash.py --port --mfd out/test-cert/ +``` - +> If mfd file has cipher text data, please append +> `--key ` option to program to this key to efuse. - +- Limits on BL IOT SDK - + If developer would like to program MFD with all plain text data, option + `--key ` needs pass to script, otherwise, flash tool + will raise an error. And SoC BL602, BL702 and BL702L use BL IOT SDK for + Matter Application. +Please free contact to `Bouffalo Lab` for DAC provider service and higher +security solution, such as SoC inside certificate requesting. diff --git a/examples/lighting-app/bouffalolab/README.md b/examples/lighting-app/bouffalolab/README.md index afad893c37a1ac..83e9bba4ecae18 100644 --- a/examples/lighting-app/bouffalolab/README.md +++ b/examples/lighting-app/bouffalolab/README.md 
@@ -17,8 +17,6 @@ Legacy supported boards: - `BL602-NIGHT-LIGHT` - `XT-ZB6-DevKit` - `BL706-NIGHT-LIGHT` -- `BL706DK` -- `BL704LDK` > Warning: Changing the VID/PID may cause compilation problems, we recommend > leaving it as the default while using this example. @@ -119,8 +117,7 @@ The following steps take examples for `BL602DK`, `BL704LDK` and `BL706DK`. - BL602 uses Wi-Fi by defualt. `-wifi` could be elided. - BL702 needs it to specify to use BL706 + BL602 for Wi-Fi. -- `-thread`, specifies to use Thread for Matter - application. +- `-thread`, specifies to use Thread for Matter application. - BL70X uses Thread by defualt. `-thread` could be elided. @@ -130,9 +127,11 @@ The following steps take examples for `BL602DK`, `BL704LDK` and `BL706DK`. - `-littlefs`, specifies to use littlefs for flash access. - `-easyflash`, specifies to use `easyflash` for flash access. - - for platform BL602/BL70X, it is necessary to specify one of `-easyflash` and `-littlefs`. + - for platform BL602/BL70X, it is necessary to specify one of `-easyflash` + and `-littlefs`. - `-mfd`, enable Matter factory data feature, which load factory data from `MFD` partition + - Please refer to [Bouffalo Lab Matter factory data guide](../../../docs/guides/bouffalolab/matter_factory_data.md) or contact to `Bouffalo Lab` for support. - `-shell`, enable command line - `-rpc`, enable Pigweed RPC feature - `-115200`, set UART baudrate to 115200 for log and command line diff --git a/scripts/tools/bouffalolab/generate_factory_data.py b/scripts/tools/bouffalolab/generate_factory_data.py index 5bf6feccf378d8..600aa4c61726d2 100755 --- a/scripts/tools/bouffalolab/generate_factory_data.py +++ b/scripts/tools/bouffalolab/generate_factory_data.py 
@@ -17,27 +17,24 @@ import argparse
 import base64
+import binascii
 import logging as log
 import os
+import random
 import secrets
+import ssl
 import subprocess
 import sys
-import random
-import ssl
-import binascii
-
-from pathlib import Path
 from datetime import datetime, timedelta
-from Crypto.Cipher import AES
+from pathlib import Path
+from Crypto.Cipher import AES
 from cryptography import x509
-from cryptography.x509.oid import ObjectIdentifier
-
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.serialization import load_der_private_key
-
+from cryptography.x509.oid import ObjectIdentifier
 MATTER_ROOT = os.path.dirname(os.path.realpath(__file__))[:-len("/scripts/tools/bouffalolab")]
@@ -48,13 +45,13 @@ TEST_PAI_CERT = MATTER_ROOT + "/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.pem"
 TEST_PAI_KEY = MATTER_ROOT + "/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Key.pem"
 TEST_CHIP_CERT = MATTER_ROOT + "/out/linux-x64-chip-cert/chip-cert"
-TEST_CD_TYPE = 1 # 0 - development, 1 - provisional, 2 - official
+TEST_CD_TYPE = 1 # 0 - development, 1 - provisional, 2 - official
 def gen_test_passcode(passcode):
 INVALID_PASSCODES = [0, 11111111, 22222222, 33333333, 44444444,
- 55555555, 66666666, 77777777, 88888888, 99999999,
+ 55555555, 66666666, 77777777, 88888888, 99999999,
 12345678, 87654321]
 def check_passcode(passcode):
@@ -95,7 +92,7 @@ def gen_test_unique_id(unique_id):
 return unique_id
-def gen_test_spake2(passcode, spake2p_it, spake2p_salt, spake2p_verifier = None):
+def gen_test_spake2(passcode, spake2p_it, spake2p_salt, spake2p_verifier=None):
 sys.path.insert(0, os.path.join(MATTER_ROOT, 'scripts', 'tools', 'spake2p'))
 from spake2p import generate_verifier
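Review bot: The regrouped third-party imports keep `from Crypto.Cipher import AES` for the CBC encryption of the attestation private key while every other primitive in this script comes from `cryptography`, imported on the following lines; the `Crypto` package name is served by both PyCryptodome and the unmaintained PyCrypto, so this import does not pin which implementation a build host actually runs. Since `cryptography` provides the same mode, the extra dependency can go: replace that line with `from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes` and, in the encrypt_data hunk further down, swap the `AES.new(...)`/`cryptor.encrypt(...)` pair for `encryptor = Cipher(algorithms.AES(key_bytearray), modes.CBC(iv_bytearray)).encryptor()` and `return encryptor.update(data_bytearray) + encryptor.finalize()`, which yields the same bytes for the already block-aligned input. The hunk also moves `import random` up beside `import secrets`; which of the two feeds the generated passcode, discriminator and SPAKE2+ salt is not visible here, but only `secrets` is appropriate for values that end up in a device's factory data, so it is worth confirming that `random` is confined to non-security fields.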
@@ -150,7 +147,7 @@ def get_subject_attr(subject, oid):
 return None, None, None, None, None
 ctx = ssl.create_default_context()
-
+
 with open(cert, 'rb') as cert_file:
 cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend())
@@ -184,14 +181,13 @@ def verify_certificates(chip_cert, paa_cert, pai_cert, dac_cert):
 except Exception as e:
 raise Exception("Failed to verify DAC signature with PAI certificate.")
-
 if (pai_cert != TEST_PAI_CERT and paa_cert != TEST_PAA_CERT) or (pai_cert == TEST_PAI_CERT and paa_cert == TEST_PAA_CERT):
 if os.path.isfile(paa_cert):
- cmd = [chip_cert, "validate-att-cert",
+ cmd = [chip_cert, "validate-att-cert",
 "--dac", dac_cert,
 "--pai", pai_cert,
 "--paa", paa_cert,
- ]
+ ]
 log.info("Verify Certificate Chain: {}".format(" ".join(cmd)))
 subprocess.run(cmd)
@@ -210,7 +206,7 @@ def gen_valid_times(issue_date, expire_date):
 valid_from, lifetime = gen_valid_times(pai_issue_date, pai_expire_date)
 cmd = [chip_cert, "gen-att-cert",
- "--type", "d", # device attestation certificate
+ "--type", "d", # device attestation certificate
 "--subject-cn", device_name + " Test DAC 0",
 "--subject-vid", hex(vendor_id),
 "--subject-pid", hex(product_id),
@@ -259,18 +255,18 @@ def gen_cd(chip_cert, dac_vendor_id, dac_product_id, vendor_id, product_id, cd_c
 if dac_vendor_id != vendor_id or dac_product_id != product_id:
 cmd += ["--dac-origin-vendor-id", hex(dac_vendor_id),
 "--dac-origin-product-id", hex(dac_product_id),
- ]
+ ]
 log.info("Generate CD: {}".format(" ".join(cmd)))
 subprocess.run(cmd)
-
 pai_vendor_id, pai_product_id, pai_issue_date, pai_expire_date = parse_cert_file(pai_cert)
 dac_vendor_id = pai_vendor_id if pai_vendor_id else vendor_id
 dac_product_id = pai_product_id if pai_product_id else product_id
- gen_dac_certificate(chip_cert, device_name, dac_vendor_id, dac_product_id, pai_cert, pai_key, dac_cert, dac_key, pai_issue_date, pai_expire_date)
-
+ gen_dac_certificate(chip_cert, device_name, dac_vendor_id, dac_product_id, pai_cert,
+ pai_key, dac_cert, dac_key, pai_issue_date, pai_expire_date)
+
 dac_cert_der = convert_pem_to_der(chip_cert, "convert-cert", dac_cert)
 dac_key_der = convert_pem_to_der(chip_cert, "convert-key", dac_key)
 pai_cert_der = convert_pem_to_der(chip_cert, "convert-cert", pai_cert)
@@ -306,7 +302,7 @@ def gen_efuse_aes_iv():
 def read_file(rfile):
 with open(rfile, 'rb') as _f:
- return _f.read()
+ return _f.read()
 def get_private_key(der):
 with open(der, 'rb') as file:
@@ -316,7 +312,7 @@ def get_private_key(der):
 return private_key
 def encrypt_data(data_bytearray, key_bytearray, iv_bytearray):
- data_bytearray += bytes([0] * (16 - (len(data_bytearray) % 16) ))
+ data_bytearray += bytes([0] * (16 - (len(data_bytearray) % 16)))
 cryptor = AES.new(key_bytearray, AES.MODE_CBC, iv_bytearray)
 ciphertext = cryptor.encrypt(data_bytearray)
 return ciphertext
@@ -403,7 +399,7 @@ def gen_tlvs(mfdDict, need_sec):
 fp.write(output)
-def gen_onboarding_data(args, onboard_txt, onboard_png, rendez = 6):
+def gen_onboarding_data(args, onboard_txt, onboard_png, rendez=6):
 try:
 import qrcode
@@ -465,7 +461,7 @@ def to_bytes(input):
 parser.add_argument("--unique_id", type=base64.b64decode, help="Rotating Unique ID in hex string, optional.")
 parser.add_argument("--spake2p_it", type=int, default=None, help="Spake2+ iteration count, optional.")
 parser.add_argument("--spake2p_salt", type=base64.b64decode, help="Spake2+ salt in hex string, optional.")
-
+
 parser.add_argument("--vendor_id", type=int, default=0x130D, help="Vendor Identification, mandatory.")
 parser.add_argument("--vendor_name", type=str, default="Bouffalo Lab", help="Vendor Name string, optional.")
 parser.add_argument("--product_id", type=int, default=0x1001, help="Product Identification, mandatory.")
@@ -504,12 +500,12 @@ def to_bytes(input):
 vp_disc_info = "{}_{}_{}".format(hex(args.vendor_id), hex(args.product_id), discriminator)
 if args.dac_cert is None:
 args.dac_cert = os.path.join(args.output, "out_{}_dac_cert.pem".format(vp_disc_info))
- args.dac_key = os.path.join(args.output, "out_{}_dac_key.pem".format(vp_disc_info))
+ args.dac_key = os.path.join(args.output, "out_{}_dac_key.pem".format(vp_disc_info))
 if args.cd is None:
- args.cd = os.path.join(args.output, "out_{}_cd.der".format(vp_info))
+ args.cd = os.path.join(args.output, "out_{}_cd.der".format(vp_info))
- cd, pai_cert_der, dac_cert_der, dac_key_der = gen_test_certs(args.chip_cert,
+ cd, pai_cert_der, dac_cert_der, dac_key_der = gen_test_certs(args.chip_cert,
 args.output,
 args.vendor_id,
 args.product_id,
@@ -524,7 +520,7 @@ def to_bytes(input):
 args.dac_cert,
 args.dac_key)
- mfd_output = os.path.join(args.output, "out_{}_mfd.bin".format(vp_disc_info))
+ mfd_output = os.path.join(args.output, "out_{}_mfd.bin".format(vp_disc_info))
 args.dac_cert = dac_cert_der
 args.dac_key = dac_key_der
 args.passcode = passcode
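Review bot: The re-indented `args.dac_key = ...` line under `if args.dac_cert is None:` (and `args.cd = ...` under `if args.cd is None:`) in the `@@ -504` hunk changes only leading whitespace, which in Python decides whether the assignment stays inside its `if` block; the collapsed rendering of this patch does not show the indentation, so please confirm both lines are still nested, otherwise a `--dac_key` or `--cd` given on the command line would be silently replaced by the generated path. A comment such as `# generated DAC/CD paths apply only when the caller supplied none` above the first `if` would keep that intent visible through the next reformat. Unrelated to the restyle but visible in the `@@ -465` hunk above, `--unique_id` and `--spake2p_salt` are parsed with `type=base64.b64decode` while their help text promises a "hex string"; hex digits are all valid base64 characters, so a hex value decodes without error into different bytes, and either the help text or the parser should be corrected so the salt and unique ID written to the factory data are the ones the operator intended. The enclosing function continues outside both hunks.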
@@ -538,8 +534,8 @@ def to_bytes(input):
 args.key = to_bytes(args.key)
 gen_mfd_partition(args, mfd_output)
- onboard_txt = os.path.join(args.output, "out_{}_onboard.txt".format(vp_disc_info))
- onboard_png = os.path.join(args.output, "out_{}_onboard.png".format(vp_disc_info))
+ onboard_txt = os.path.join(args.output, "out_{}_onboard.txt".format(vp_disc_info))
+ onboard_png = os.path.join(args.output, "out_{}_onboard.png".format(vp_disc_info))
 manualcode, qrcode = gen_onboarding_data(args, onboard_txt, onboard_png, args.rendezvous)
 log.info("")
@@ -558,5 +554,6 @@ def to_bytes(input):
 log.info("MFD partition file: {}".format(mfd_output))
 log.info("QR code PNG file: {}".format(onboard_png))
+
 if __name__ == "__main__":
 main()