sample: tfm_psa_template: Print attestation pubkey

Print the public key for attestation, which can be used for verifying the attestation token. Ref: NCSDK-31111 Signed-off-by: Sigurd Hellesvik <[email protected]>
nrfconnect · Dec 19, 2024 · 6c28e28 · 6c28e28
1 parent ef172cd
commit 6c28e28
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/samples/tfm/tfm_psa_template/src/main.c b/samples/tfm/tfm_psa_template/src/main.c
@@ -12,6 +12,10 @@
 #include <tfm_ioctl_api.h>
 #include <pm_config.h>
 #include <ctype.h>
+#include <psa/crypto.h>
+#include <tfm_builtin_key_ids.h>
+
+#define ATTEST_PUBKEY_LEN 65
 
 /* Define an example stats group; approximates seconds since boot. */
 STATS_SECT_START(smp_svr_stats)
@@ -63,6 +67,42 @@ void dump_hex_ascii(const uint8_t *data, size_t size)
 	printk("\n");
 }
 
+
+static void print_attest_pubkey(void)
+{
+	psa_status_t status;
+	psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+	size_t data_length;
+	uint8_t m_pub_key[ATTEST_PUBKEY_LEN];
+	psa_key_handle_t key_handle;
+
+	key_handle = mbedtls_svc_key_id_make(0, TFM_BUILTIN_KEY_ID_IAK);
+	psa_key_attributes_t attr = key_attributes;
+
+	status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		printf("crypto_init failed: %d\n", status);
+		return;
+	}
+
+	status = psa_get_key_attributes(key_handle, &attr);
+	if (status != 0) {
+		return;
+	}
+
+	status = psa_export_public_key(key_handle,
+			m_pub_key,
+			sizeof(m_pub_key),
+			&data_length);
+
+	if (status != PSA_SUCCESS) {
+		printf("psa_export_public_key failed: %d\n", status);
+	} else {
+		printf("Attestation public key:\n");
+		dump_hex_ascii(m_pub_key, sizeof(m_pub_key));
+	}
+}
+
 static void get_fw_info_address(uint32_t fw_address)
 {
 	struct fw_info info;
@@ -145,6 +185,7 @@ static void get_attestation_token(void)
 	} else {
 		printk("Received initial attestation token of %zu bytes.\n", token_size);
 
+		printf("Attestation token:\n");
 		dump_hex_ascii(token_buf, token_size);
 	}
 }
@@ -165,6 +206,8 @@ int main(void)
 
 	get_fw_info();
 	get_attestation_token();
+	/* Print public key so it can be used to verify attestation token. */
+	print_attest_pubkey();
 
 	/* The system work queue handles all incoming mcumgr requests.  Let the
 	 * main thread idle while the mcumgr server runs.