cryptoauthlib 20180718

Python Wrapper Library for Microchip Security Products

Python CryptoAuthLib module

Introduction

This module provides a thin python ctypes layer to evaluate the cryptoauthlib interface to Microchip CryptoAuthentication devices.

Code Examples

Code examples for python are available on github as part of CryptoAuthTools under the python/examples directory

Installation

CryptoAuthLib python module can be installed through Python’s pip tool:

pip install cryptoauthlib

To upgrade your installation when new releases are made:

pip install –U cryptoauthlib

If you ever need to remove your installation:

pip uninstall cryptoauthlib

What does python CryptoAuthLib package do?

CryptoAuthLib module gives access to most functions available as part of standard cryptoauthlib (which is written in ‘C’). These python functions for the most part are very similar to ‘C’ functions. The module in short acts as a wrapper over the ‘C’ cryptoauth library functions.

Microchip cryptoauthlib product page: Link

Supported hardware

• AT88CK101
• CryptoAuth-XSTK

Supported devices

The family of devices supported currently are:

• ATSHA204A
• ATECC108A
• ATECC508A
• ATECC608A

Using cryptoauthlib python module

The following is a 'C' code made using cryptoauthlib 'C' library.

#include "cryptoauthlib.h"

void main()
{
    ATCA_STATUS status;
    uint8_t revision[4];
    uint8_t randomnum[32];

    status = atcab_init(cfg_ateccx08a_kitcdc_default)
    if (status != ATCA_SUCCESS)
    {
        printf("Error");
    }

    status = atcab_info(revision);
    if (status != ATCA_SUCCESS)
    {
        printf("Error");
    }

    status = atcab_random(randomnum);
    if (status != ATCA_SUCCESS)
    {
        printf("Error");
    }

}

The same code in python 3.x would be:

from cryptoauthlib import *
from cryptoauthlib.iface import *

ATCA_SUCCESS = 0x00
revision = bytearray(4)
randomnum = bytearray(32)

# dll/so gets loaded into ctypes here
load_cryptoauthlib()

status = atcab_init(cfg_ateccx08a_kitcdc_default())
if not status == ATCA_SUCCESS:
    print("Error")

status = atcab_info(revision)
if not status == ATCA_SUCCESS:
    print("Error")

status = atcab_random(randomnum)
if not status == ATCA_SUCCESS:
    print("Error")

In the above python code, "import cryptoauthlib" imports the python module. load_cryptoauthlib() function loads the dll/so using ctypes. The load_cryptoauthlib() is a function that you will not see in the 'C' library, this is a pyhon specific function and will be used in all the python scripts that use cryptoauthlib python module.

The whole process can be summerized in three simple steps:

Step I: Import the module

from cryptoauthlib import * The above line can be used to import all the functions available in the python module. If you don't want to use wildcard imports you can just import the required functions.

Step II: Initilize the module

load_cryptoauthlib() function initilizes the python crptoauthlib module.

Step III: Using Cryptoauthlib APIs

Once Step I and Step II are done all available cryptoauthlib APIs can be accessed.

Code portability

Microchip's CryptoAuthentication products can be evaluated very easily with the power and flexibility of python, once the evaluation stage is done the python code can be ported to 'C' code. As seen in the abouve example, other than some language related differences there will be very little functional changes between the 'C' library and python module, this helps very much with code portability.

Cryptoauthlib module API documentation

help() command

All of the python function's documentation can be viewed through python's built in help() function.

For example, to get the documentation of atcab_info() function:

>>> help(cryptoauthlib.atcab_info)
Help on function atcab_info in module cryptoauthlib.atcab:

atcab_info(revision)
Used to get the device revision number. (DevRev)

Args:
    revision            4-byte bytearray receiving the revision number
                        from the device. (Expects bytearray)

Returns:
    Status code

dir() command

The dir command without arguments, return the list of names in the current local scope. With an argument, attempt to return a list of valid attributes for that object. For example dir(cryptoauthlib) will return all the methods available in the cryptoauthlib module.

Code Examples

Code examples for python are available on github as part of CryptoAuthTools under the python/examples directory

Link for latest cryptoauthlib library:- Cryptoauthlib

Release notes

07/18/2018

• Added ATCA_NO_HEAP define to remove use of malloc/free.
• Moved PEM functions to their own file in atcacert.
• Added wake retry to accomodate power on self test delay.
• Added ca_cert_def member to atcacert_def_s so cert chains can be traversed as a linked list. 03/29/2018
• Added support for response polling by default, which will make commands return faster (define ATCA_NO_POLL to use old delay method).
• Removed atcatls related files as they were of limited value.
• Test framework generates a prompt before locking test configuration.
• Test framework puts device to sleep between tests.
• Fixed mode parameter issue in atcah_gen_key_msg().
• ATECC608A health test error code added.

01/15/2018

• Added AES-128 CBC implementation using AES command
• Added AES-128 CMAC implementation using AES command

11/22/2017

• Added support for FLEXCOM6 on SAMG55 driver

11/17/2017

• Added library support for the ATECC608A device
• Added support for Counter command
• atca_basic functions and tests now split into multiple files based on command
• Added support for multiple base64 encoding rules
• Added support for JSON Web Tokens (jwt)
• Fixed atcab_write_enc() function to encrypt the data even when the device is unlocked
• Fixed atcab_base64encode_() for the extra newline
• Updated atcab_ecdh_enc() to work more consistently

07/01/2017

• Removed assumption of SN[0:1]=0123, SN[8]=EE. SN now needs to be passed in for functions in atca_host and atca_basic functions will now read the config zone for the SN if needed.
• Renamed atcab_gendig_host() to atcab_gendig() since it's not a host function. Removed original atcab_gendig(), which had limited scope.
• Fixed atcah_hmac() for host side HMAC calculations. Added atcab_hmac().
• Removed unnecessary ATCADeviceType parameters from some atca_basic functions.
• Added atcacert_create_csr() to create a signed CSR.
• New HAL implementation for Kit protocol over HID on Linux. Please see the Incorporating CryptoAuthLib in a Linux project using USB HID devices section in this file for more information.
• Added atcacert_write_cert() for writing certificates to the device.
• Added support for dynamic length certificate serial numbers in atcacert.
• Added atcab_write() for lower level write commands.
• Fixed atcah_write_auth_mac(), which had wrong OpCode.
• Added atcab_verify() command for lower level verify commands.
• Added atcab_verify_stored() for verifying data with a stored public key.
• Removed atcab_write_bytes_slot(). Use atcab_write_bytes_zone() instead.
• Modified atcab_write_bytes_zone() and atcab_read_bytes_zone() to specify a slot
• Added atcab_verify_validate() and atcab_verify_invalidate()
• Improvements to host functions to handle more cases.
• Added atcab_updateextra(), atcab_derive_key()
• Added support for more certificate formats.
• Added general purpose hardware SHA256 functions. See atcab_hw_sha2_256().
• Removed device specific config read/write. Generic now handles both.
• Removed unnecessary response parameter from lock commands.
• Enhanced and added unit tests.
• Encrypted read and write functions now handle keys with SlotConfig.NoMac set
• atcab_cmp_config_zone() handles all devices now.
• Fixed some edge cases in atcab_read_bytes_zone().
• Updated atSHA() to work with all devices.
• Fixed atcacert_get_device_locs() when using stored sn.

01/08/2016

• New HAL implementations for
  • Single Wire interface for SAMD21 / SAMR21
  • SAMV71 I2C HAL implementation
  • XMega A3Bu HAL implementation
• Added atcab_version() method to return current version string of libary to application
• New Bus and Discovery API
  • returns a list of ATCA device configurations for each CryptoAuth device found
  • currently implemented on SAMD21/R21 I2C, SAMV71
  • additional discovery implementations to come
• TLS APIs solidified and documented
• Added missing doxygen documentation for some CryptoAuthLib methods
• Stubs for HAL SPI removed as they are unused for SHA204A and ECC508A support
• bug fixes
• updated atcab_sha() to accept a variable length message that is > 64 bytes and not a multiple of 64 bytes (the SHA block size).
• refactored Cert I/O and Cert Data tests to be smaller
• 'uncrustify' source formatting
• published on GitHub

9/19/2015

• Kit protocol over HID on Windows
• Kit protocol over CDC on Linux
• TLS integration with ATECC508A
• Certificate I/O and reconstruction
• New SHA2 implementation
• Major update to API docs, Doxygen files found in cryptoauthlib/docs
• load cryptoauthlib/docs/index.html with your browser