grisp_cryptoauth
================

Secure Element (Microchip ATECC608B) support for GRiSP2 based on cryptoauthlib.

Build
-----

This is meant to be build within the GRiSP2 toolchain or on a linux distribution
with cryptoauthlib installed, build within the `grisp_linux_builder`.

Just add it as dependency in rebar3 in your main application.


Support
-------

This library follows the ATECC608B-TFLXTLS configuration, that means in particular:

* one unchangable primary private key
* three changable secondary private keys
* sign and verify operations on the keys above
* two (primary and secondary) changable slots for compressed certificates
* possibility to lock slots if you really want to

More to come :).


Writing Certificates
--------------------

```
PrivateKey = public_key:generate_key({namedCurve, secp256r1}).
Cert = grisp_cryptoauth_cert:sign(test, PrivateKey).
grisp_cryptoauth:write_cert(primary, test, Cert).
```


Reading Certificates
--------------------

```
grisp_cryptoauth:read_cert(primary, plain).
grisp_cryptoauth:read_cert(primary, der).
```


Notes
-----

* We follow Microchips compressed certificate format [1] and OpenSSL 'best practice'
* The signature size is 64 bytes max, hence you should sign the device certificate over the P-256 curve
* The above point means that you need to use a P-256 based CA key
* The validity dates must align with an expire time of years, e.g. multiples of 365 days
* Like OpenSSL we use utcTime before (including) 2049 and generalTime afterwards for certificate validity

[1] https://ww1.microchip.com/downloads/en/Appnotes/20006367A.pdf