Get started

This guide provides a general overview to get you started using DigiCert®TrustCore SDK on various Linux systems. Ensure your host system meets the system requirements and has downloaded the necessary tools for your target platform.

System requirements

Notice

All sample scripts in this guide have been built and tested on a host using Ubuntu 18.04 with x86_64 architecture.

For Ubuntu 18.04 x86_64 hosts, ensure these prerequisites are met:

CMake Version 3.5 or higher.
```
cmake --version
```
- If CMake is not installed:
```
sudo apt-get update && sudo apt-get install cmake
```
- If CMake version is less than 3.5:
```
sudo apt-get remove cmake
sudo apt-get update && sudo apt-get install cmake
```
Note
For more CMake versions, go to https://cmake.org/download/.

Required packages are gcc-multilib, build-essential, libc6, libc6-dev, libc6-dev-i386.

sudo apt-get update && sudo apt-get install gcc-multilib build-essential libc6 libc6-dev libc6-dev-i386

Set required environment variables.

# Replace <path/to/mocn-mss> with the actual path to your mocn-mss directory
export MSS_SRC_PKG=<path/to/mocn-mss>

Symmetric key encryption

TrustCore SDK provides robust support for various symmetric encryption algorithms, ensuring a versatile and secure framework for cryptographic operations.

Supported Algorithms

TrustCore SDK includes support for numerous symmetric key encryption algorithms such as AES in different modes (CBC, ECB, GCM, etc.), DES, 3DES, and more. These algorithms provide a strong foundation for securing data across various applications and systems.

Example: AES Encryption in CBC Mode

This section demonstrates the implementation of symmetric key encryption and decryption using the AES algorithm in CBC mode. While the example focuses on AES, the principles can be applied to other symmetric algorithms supported by TrustCore SDK.

Source Code

For practical implementation, refer to the example source code provided in TrustCore SDK:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_aes_example.c

This example includes detailed code snippets showing how to initialize the encryption settings, perform the encryption and decryption processes, and clean up resources.

Additional Information

For a deeper understanding of how to utilize these encryption capabilities, please visit the detailed guide at:

Symmetric Key Encryption Algorithms

This guide provides comprehensive information on setting up and using the various encryption algorithms within the TrustCore SDK.

Info: For specific API details and additional cryptographic parameters, refer to the Crypto Interface API reference.

Building and Verifying Examples

To build and run the AES encryption example, follow the steps outlined in the Build and Verify Crypto Interface example section. This will ensure that you can verify the correct implementation of the cryptographic operations in your environment.

AEAD Algorithms

In addition to standard symmetric encryption, TrustCore SDK supports Advanced Encryption Standard (AES) algorithms for Authenticated Encryption with Associated Data (AEAD), such as AES-GCM. These algorithms provide both encryption and authentication, ensuring the integrity and confidentiality of the data.

For more details on AEAD implementation using AES-GCM, including setting up and processing Additional Authenticated Data (AAD), refer to:

AEAD algorithms

Explore the example source code in the file:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_aes_gcm_example.c

Asymmetric key encryption

TrustCore SDK offers comprehensive support for asymmetric key algorithms, including RSA, ECC, and DSA, and provides essential tools for secure encryption, digital signatures, and key management.

Note: For all examples and more detailed operations, follow the steps outlined in the Build and Verify Crypto Interface example section to compile and test the provided examples.

Obtaining keys

This section guides you through various methods of obtaining keys for asymmetric encryption, including key generation, key setting, key deserialization, or using a custom key BLOB from DigiCert.

For detailed steps on key management and instantiation, refer to the Obtaining Key section.

Example source code for generating ECC, RSA, and DSA keys is available at:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_keygen_example.c

For comprehensive API documentation, consult the Crypto Interface API reference.

RSA encryption and decryption

Learn how to execute RSA encryption and decryption using PKCS #1 v1.5 and PKCS-OAEP padding modes. Detailed guidance and example codes are provided in TrustCore SDK documentation.

The source code for RSA encryption and decryption can be found at:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_rsa_example.c

RSA signature and verification

Explore the methods for RSA signature creation and verification in PKCS #1 v1.5 and EMSA-PSS modes. This section provides insights into the secure signing and verification processes.

Source code for RSA signature and verification is available at:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_rsa_example.c
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_rsa_pss_example.c

ECC supported curves

Selecting the appropriate domain parameters and defining the curve are crucial steps in ECC. For guidance on selecting and using ECC supported curves, refer to ECC Supported Curves.

ECDSA signature and verification

The section on ECDSA covers both the signing and verification processes. It provides details on APIs that facilitate raw ECDSA signing and those that include message hashing in addition to signing.

For API details and example usage, refer to the Crypto Interface API reference.

Source code for ECDSA operations is located at:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_ecc_example.c

ECDH key exchange

ECDH key exchange allows two parties to establish a shared secret securely. This section guides you through generating a shared secret using your private key and the public key of another party.

Example source code for ECDH key exchange is available at:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_ecdh_example.c

DSA signature and verification

Understanding DSA signature creation and verification is essential for secure digital communications. This section provides detailed information on the process and APIs involved.

For more information on DSA operations, refer to the DSA Signature and Verification section.

Diffie-Hellman key exchange

The Diffie-Hellman key exchange section explains how two parties can securely establish a shared secret to enable encrypted communication. This process is vital for secure exchanges in various cryptographic protocols.

The source code for Diffie-Hellman key exchange can be found at:

${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_dh_example.c

Advanced encryption and key exchange techniques

For advanced topics like AEAD algorithms, ECDSA, and ECDH key exchange, refer to the detailed sections in the TrustCore SDK documentation. Example codes and API references are provided to facilitate implementation.

For more specific operations like certificate enrollment and SCEP client setup, follow the detailed instructions provided in the respective sections. Remember to configure and utilize the environment variables and scripts correctly for successful execution.

Build and verify Crypto Interface example

TrustCore SDK provides a comprehensive example implementation of Crypto Interface, complete with a runnable executable. This allows you to see the practical application of the cryptographic functionalities offered by TrustCore SDK.

Location of source code

Source code for all cryptographic examples can be found in the package directory, detailed below:

${MSS_SRC_PKG}/src/crypto_interface/example

Build the examples

To compile Crypto Interface examples, use the provided script. This script sets up the necessary environment and compiles the source files into an executable. Run the following command in a Linux environment or its equivalent .bat script in a Windows environment:

${MSS_SRC_PKG}/scripts/build_cryptointerface_example.sh

Run the examples

Once the build is complete, you can run the examples to see the Crypto Interface in action. To execute the compiled examples, use the following script:

${MSS_SRC_PKG}/scripts/run_cryptointerface_example.sh

This script initiates the example executable, allowing you to test various cryptographic operations and see the results in real-time. Upon running the examples, the output will be displayed in the console. This output demonstrates how the cryptographic operations are performed using the TrustCore SDK, providing a clear insight into the functionality and performance of the cryptographic implementations.

Additional resources

For additional help and troubleshooting, refer to the detailed documentation provided with the TrustCore SDK or contact DigiCert support for more in-depth guidance and technical assistance.

This hands-on approach ensures that developers can effectively understand and implement the cryptographic features offered by the TrustCore SDK in their own applications, reinforcing security and functionality.

NanoCert SCEP client

Build and verify SCEP client example

To compile the NanoCert Client using the src/scep/tools/scepc.c sample, execute the following script:

${MSS_SRC_PKG}/scripts/scep/build_scep_client_ncrypto_sw.sh --gdb --debug --digicert

Download and extract the scep_certs_digicert_iot.zip into the appropriate directory by running:

unzip scep_certs_digicert_iot.zip -d <path to ${MSS_SRC_PKG}>

Configuring DigiCert ONE® IOT SCEP server

Set the following environment variables for your SCEP service:

SERVER_URL = ${Set with your SCEP service URL}
CHALLENGE_PW = ${Set to SCEP service credentials}

In DigiCert® IoT Trust Manager, navigate to the enrollment profile, locate the SCEP enroll/re-enroll URI, and find the challenge password in manage passcode.

To view all available command-line options for the SCEP client, run:

${MSS_SRC_PKG}/bin/scep_client --help

# Example output
LOG_OUTPUT: MSS WARNING NOT A PRODUCTION BUILD: MOCANA DEBUG CONSOLE HAS BEEN ENABLED.
Usage: ./bin/scep_client <options>
options:
    -scepc_serverURL <URL>                specifies the scep server url
    -scepc_serverType <server type>       specifies the scep server type
                                           <MOC | EBCA | ECDSA | WIN2003 | WIN2008 | WIN2012 | WIN2016>
    -scepc_challengePass <password>       specifies the challenge password
    -scepc_filePath <path to files>       specifies the directory path to the cert files
    -scepc_genKey                         specifies that the private key is to be generated
    -scepc_keyType <key type>             specifies key type to be used for key generation
                                           <RSA | ECDSA>
    -scepc_keySize <key size>             specifies key size to be used for key generation
    -scepc_csr_conf                       specifies the configuration file name to generate CSR
    -scepc_oldCert                        specifies the earlier issued certificate which is used to sign the CSR
    -scepc_oldKey                         specifies the private key blob file file name which is used to sign CSR
    -scepc_pkiOperation                   specifies the PKI operation <enroll | renew | rekey |
                                           getca | getcacaps | getcacertchain | getcrl |
                                           publishcrl | revokecert>

# Default operation for scepc_pkiOperation is enroll

Note: The default operation for scepc_pkiOperation is enroll.

Get a copy of the CA certificate

To fetch a copy of the Certificate Authority (CA) certificate, use the scepc_serverURL option and set the scepc_pkiOperation to getca. An example command is:

${MSS_SRC_PKG}/bin/scep_client -scepc_serverURL ${set_server_URL} -scepc_serverType GEN_POST -scepc_filePath scep_certs_digicert_iot -scepc_pkiOperation getca

Certificate enrollment

For certificate enrollment, connect to the server using the scepc_serverURL option and provide the challenge password:

${MSS_SRC_PKG}/bin/scep_client -scepc_serverURL ${set_server_URL} -scepc_serverType GEN_POST -scepc_filePath scep_certs_digicert_iot -scepc_keyType RSA -scepc_keySize 2048 -scepc_csr_conf sample_scep_csr.cnf -scepc_genKey -scepc_challengePass ${set_challenge_password}

Other PKI Operations

Perform other PKI operations by specifying the required operation in the command. This includes renewing and rekeying certificates, where you should set the scepc_oldCert and scepc_oldPemKey as needed.

Build and verify SCEP sample

To build the NanoCert using src/scep/tools/scep_sample_api.c, run:

${MSS_SRC_PKG}/scripts/scep/build_scep_sample_ncrypto_sw.sh --gdb --debug --digicert

Again, ensure the scep_certs_digicert_iot.zip is downloaded and unzipped in the correct directory as previously described.

SCEP sample: Certificate enrollment and other operations

The sample facilitates the certificate enrollment process by connecting to the SCEP server and handling the necessary PKI operations. Generate a key pair and CSR using the specified configuration file, then submit the enrollment request. Upon successful completion, a DER-formatted certificate is received.

Note: When dealing with “renew” and “rekey” PKI operations, ensure to set the scepc_oldCert and scepc_oldPemKey accordingly to facilitate these operations.

An example command for certificate enrollment would look similar to this:

${MSS_SRC_PKG}/bin/scep_sample -scepc_serverURL ${set_server_URL} -scepc_serverType GEN_POST -scepc_filePath scep_certs_digicert_iot -scepc_keyType RSA -scepc_keySize 2048 -scepc_csr_conf sample_scep_csr.cnf -scepc_challengePass ${set_challenge_password}

In this section: