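Introduction
The spake2p tool is a command-line interface (CLI) utility for generating the spake parameters (PIN code and verifier) used in device manufacturing provisioning. For how these values are used, see the pakePasscodeVerifier parameter in the example code of the earlier article "How Matter shares a device".
Build and run
Follow Building Matter to build Matter. The compiled spake2p binary is then available in the out/host directory.
Usage
Show the detailed usage of the verifier generation command: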
./spake2p gen-verifier --help
Usage: spake2p gen-verifier [ <options...> ]
Generate a CHIP certificate
COMMAND OPTIONS
  -c, --count <int>
      The number of pin-code/verifier parameter sets to be generated. If not specified,
      one set will be generated.
  -p, --pin-code <int>
      SPAKE2P setup PIN code. The value should be positive integer in range [1..99999998].
      If not specified, the PIN code value will be randomly generated.
      When count is more than one, only first set will use the specified PIN code value
      and others will be randomly generated.
      The following PIN codes SHALL NOT be used due to their trivial, insecure nature:
          * 00000000
          * 11111111
          * 22222222
          * 33333333
          * 44444444
          * 55555555
          * 66666666
          * 77777777
          * 88888888
          * 99999999
          * 12345678
          * 87654321
  -f, --pin-code-file <file>
      A file which contains all the PIN codes to generate verifiers.
      Each line in this file should be a valid PIN code in the decimal number format. If the row count
      of this file is less than the number of pin-code/verifier parameter sets to be generated, the
      first few verifier sets will be generated using the PIN codes in this file, and the next will
      use the random PIN codes.
      The following file is a example with 5 PIN codes:
      1234
      2345
      3456
      4567
      5678
  -i, --iteration-count <int>
      SPAKE2P PBKDF iteration count. The value should be positive integer in range [1000..100000].
  -l, --salt-len <int>
      SPAKE2P PBKDF salt input length. The value should be in range [16..32].
      If not specified, the 'salt' input should be specified and the length will be
      extracted from 'salt'. When both 'salt-len' and 'salt' are specified, the length
      should match the length of the specified 'salt' string.
  -s, --salt <string>
      SPAKE2P PBKDF salt input value. Length of salt string should be in range [16..32].
      If not specified, the 'salt-len' input should be specified and the 'salt' velue will be
      randomly generated. When 'count' is more than one, only first set will use the specified
      'salt' value and others will be randomly generated.
  -o, --out <file>
      File to contain the generated SPAKE2P PBKDF parameters. Specify '-' for stdout.
      The format of the output file is:
      Index,PIN Code,Iteration Count,Salt,Verifier
      index of the parameter set in the list,'pin-code','iteration-count','salt'(Base-64 encoded),'verifier'(Base-64 encoded)
      ....
Example command that generates a spake2p verifier for a given PIN code:
./spake2p gen-verifier --pin-code 45502684 --iteration-count 1000 --salt "U1BBS0UyUCBLZXkgU2FsdA==" --out spake2p-provisioning-data.csv
iterations:
An integer value specifying the number of PBKDF2 iterations: CRYPTO_PBKDF_ITERATIONS_MIN <= iterations <= CRYPTO_PBKDF_ITERATIONS_MAX.
salt:
A random value per device of at least 16 bytes and at most 32 bytes used as the PBKDF2 salt.
Example command that generates 100 sets of spake2p parameters (random PIN codes, salts and verifiers):
./spake2p gen-verifier --count 100 --iteration-count 15000 --salt-len 32 --out spake2p-provisioning-data.csv
Example command that generates 100 sets of spake2p parameters (specific PIN codes, random salts and verifiers):
./spake2p gen-verifier --count 100 --pin-code-file pincodes.csv --iteration-count 15000 --salt-len 32 --out spake2p-provisioning-data.csv
Note: each line of pincodes.csv should be a valid PIN code. You can use spake2p --help to see sample contents for the file.
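The following is an added example, not part of the original article or of the Matter project's code: a check that a generated spake2p-provisioning-data.csv respects the limits quoted in the help text (PIN range and forbidden list, iteration count, salt length) and that no salt is shared between devices. The function name audit_provisioning_csv is hypothetical, the file is assumed to start with the header line shown in the help text, and the 97-byte verifier length is an assumption taken from Matter's P-256 SPAKE2+ parameters rather than from this page.

```python
import base64, binascii, csv, io

# PIN codes that the help text above says SHALL NOT be used.
FORBIDDEN_PINS = {str(d) * 8 for d in range(10)} | {"12345678", "87654321"}
# Assumption, not on the page: w0 (32 bytes) + uncompressed P-256 point L (65 bytes).
VERIFIER_LEN = 97

def _int(field):
    s = field.strip()
    return int(s) if s.isascii() and s.isdigit() else None

def _b64(field):
    try:  # strict decode; None when the field is malformed
        return base64.b64decode(field.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None

def audit_provisioning_csv(text):
    """Return (index, problem) findings for a gen-verifier output file."""
    findings, seen_salts = [], {}
    for row in csv.DictReader(io.StringIO(text)):
        idx, pin, iters = row["Index"], _int(row["PIN Code"]), _int(row["Iteration Count"])
        if pin is None or not 1 <= pin <= 99999998:
            findings.append((idx, "PIN code outside [1..99999998]"))
        elif f"{pin:08d}" in FORBIDDEN_PINS:
            findings.append((idx, "PIN code is on the forbidden list"))
        if iters is None or not 1000 <= iters <= 100000:
            findings.append((idx, "iteration count outside [1000..100000]"))
        salt = _b64(row["Salt"])
        if salt is None or not 16 <= len(salt) <= 32:
            findings.append((idx, "salt is not 16..32 bytes of Base-64"))
        elif seen_salts.setdefault(salt, idx) != idx:  # salt must be random per device
            findings.append((idx, f"salt reused from set {seen_salts[salt]}"))
        verifier = _b64(row["Verifier"])
        if verifier is None or len(verifier) != VERIFIER_LEN:
            findings.append((idx, "verifier is not 97 bytes of Base-64"))
    return findings

# Constructed sample rows (not real tool output); the verifiers are zero-filled dummies.
_V = base64.b64encode(bytes(VERIFIER_LEN)).decode()
_S = "U1BBS0UyUCBLZXkgU2FsdA=="  # salt value from the example command above
SAMPLE = "\n".join([
    "Index,PIN Code,Iteration Count,Salt,Verifier",
    f"0,45502684,1000,{_S},{_V}",
    f"1,11111111,15000,{_S},{_V}",    # forbidden PIN, salt reused from set 0
    f"2,20202021,500,c2hvcnQ=,{_V}",  # iteration count and salt both too small
    f"3,99999999,15000,{base64.b64encode(bytes(range(32))).decode()},AAAA",
])
for idx, problem in audit_provisioning_csv(SAMPLE):
    print(f"set {idx}: {problem}")
```

Running the check before the file is handed to the factory line catches a fixed --salt value that was copied into several single-set runs, which the tool itself cannot detect across invocations.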