nerves-hub / nerves_key Goto Github PK

Both https://shop.nitrokey.com/shop/product/nk-hsm-2-nitrokey-hsm-2-7 and https://github.com/opendnssec/SoftHSMv2 should be usable with nerves.

Usecase: instead of using nerveskey, once should be able to use a standard HSM module to act as a certificate authority and to sign keys.

I'm not sure of the status of this. Apologies if this is the wrong place.

I'm trying the Udoo bolt as a nerves platform.

Thoughts on
iot-hsm.pdf being compatible with this code.

The UDOO bolt has a grove connector and it's possible to go from grove to qwiic.

Currently signatures are returned as raw bits. It's also common to need DER-encoded signatures. These are a few bytes longer, and it can be confusing since other APIs often assume one or the other without going into the details. It would be nice to have better documentation in this area and a helper function to return the DER-encoded version.

Here's some code from https://gist.githubusercontent.com/voltone/d3c0bb3ee821703f52d439e00262cb88/raw/e90117c60dceb07f3a674cbf5102ef6f2722e0c8/ecdsa_signature.ex:

defmodule ECDSASignature do
  require Record

  Record.defrecord(
    :ecdsa_signature,
    :"ECDSA-Sig-Value",
    Record.extract(:"ECDSA-Sig-Value", from_lib: "public_key/include/OTP-PUB-KEY.hrl")
  )

  def new(r, s) when is_integer(r) and is_integer(s) do
    ecdsa_signature(r: r, s: s)
  end

  def new(raw) when is_binary(raw) do
    size = raw |> byte_size() |> div(2)
    <<r::size(size)-unit(8), s::size(size)-unit(8)>> = raw
    new(r, s)
  end

  # Export to DER binary format, for use with :public_key.verify/4
  def to_der(ecdsa_signature() = signature) do
    :public_key.der_encode(:"ECDSA-Sig-Value", signature)
  end
end

It's confusing to find out via a crash deep in OTP about the certificates being invalid.

are there any plans to adapt ATECC608B for nerves-key?

https://www.microchip.com/wwwproducts/ProductCompare/ATECC608A/ATECC608B