WolfSSL
/
wolfssl-examples
mirror of https://github.com/wolfSSL/wolfssl-examples.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #460 from anhu/client-tls-pkcs11 

Add in client examples that use PKCS11.
pull/464/head
JacobBarthelmeh 2024-09-26 09:38:43 -06:00 committed by GitHub
parent f935fd09f5 0f7a32e75c
commit 2f67b03800
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 261 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

245
pkcs11/client-tls-pkcs11.c 100644
View File

@ -0,0 +1,245 @@
/* client-tls-pkcs11.c
*
* Copyright (C) 2006-2020 wolfSSL Inc.
*
* This file is part of wolfSSL. (formerly known as CyaSSL)
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/* the usual suspects */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* socket includes */
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <unistd.h>
/* wolfSSL */
#ifndef WOLFSSL_USER_SETTINGS
#include <wolfssl/options.h>
#endif
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/wc_pkcs11.h>
#define DEFAULT_PORT 11111
int client_tls(const char *cacert, int devId, Pkcs11Token* token)
{
int sockfd;
struct sockaddr_in servAddr;
char buff[256];
size_t len;
int ret;
/* declare wolfSSL objects */
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
WOLFSSL_CIPHER* cipher;
/* Initialize wolfSSL */
wolfSSL_Init();
/* Create a socket that uses an internet IPv4 address,
* Sets the socket to be stream based (TCP),
* 0 means choose the default protocol. */
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
fprintf(stderr, "ERROR: failed to create the socket\n");
return -1;
}
/* Initialize the server address struct with zeros */
memset(&servAddr, 0, sizeof(servAddr));
/* Fill in the server address */
servAddr.sin_family = AF_INET; /* using IPv4 */
servAddr.sin_port = htons(DEFAULT_PORT); /* on DEFAULT_PORT */
/* IPv4 127.0.0.1 */
if (inet_pton(AF_INET, "127.0.0.1", &servAddr.sin_addr) != 1) {
fprintf(stderr, "ERROR: invalid address\n");
ret = -1;
goto exit;
}
/* Connect to the server */
if ((ret = connect(sockfd, (struct sockaddr*) &servAddr, sizeof(servAddr)))
== -1) {
fprintf(stderr, "ERROR: failed to connect\n");
goto exit;
}
#if 0
wolfSSL_Debugging_ON();
#endif
/* Initialize wolfSSL */
if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) {
fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
return -1;
}
/* Set devId associated with the PKCS11 device. */
if (wolfSSL_CTX_SetDevId(ctx, devId) != WOLFSSL_SUCCESS) {
fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
return -1;
}
/* Load CA certificate into WOLFSSL_CTX for validating peer */
if ((ret = wolfSSL_CTX_load_verify_locations(ctx, cacert, NULL))
!= WOLFSSL_SUCCESS) {
fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
cacert);
goto exit;
}
/* validate peer certificate */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
/* Open the PKCS11 token. */
if ((ret = wc_Pkcs11Token_Open(token, 1)) != 0) {
fprintf(stderr, "ERROR: failed to open session on token (%d)\n", ret);
return -1;
}
/* Create a WOLFSSL object */
if ((ssl = wolfSSL_new(ctx)) == NULL) {
fprintf(stderr, "ERROR: failed to create WOLFSSL object\n");
return -1;
}
/* Attach wolfSSL to the socket */
if ((ret = wolfSSL_set_fd(ssl, sockfd)) != WOLFSSL_SUCCESS) {
fprintf(stderr, "ERROR: Failed to set the file descriptor\n");
goto exit;
}
/* Connect to wolfSSL on the server side */
if ((ret = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS) {
fprintf(stderr, "ERROR: failed to connect to wolfSSL\n");
goto exit;
}
cipher = wolfSSL_get_current_cipher(ssl);
printf("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher));
/* Get a message for the server from stdin */
printf("Message for server: ");
memset(buff, 0, sizeof(buff));
if (fgets(buff, sizeof(buff), stdin) == NULL) {
fprintf(stderr, "ERROR: failed to get message for server\n");
ret = -1;
goto exit;
}
len = strnlen(buff, sizeof(buff));
/* Send the message to the server */
if ((ret = wolfSSL_write(ssl, buff, len)) != len) {
fprintf(stderr, "ERROR: failed to write entire message\n");
fprintf(stderr, "%d bytes of %d bytes were sent", ret, (int) len);
goto exit;
}
/* Read the server data into our buff array */
memset(buff, 0, sizeof(buff));
if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) == -1) {
fprintf(stderr, "ERROR: failed to read\n");
goto exit;
}
/* Print to stdout any data the server sends */
printf("Server: %s\n", buff);
ret = 0; /* return success */
exit:
/* Cleanup after this connection */
wolfSSL_free(ssl);
wc_Pkcs11Token_Close(token);
wolfSSL_CTX_free(ctx);
if (sockfd != SOCKET_INVALID)
close(sockfd);
return ret;
}
int main(int argc, char* argv[])
{
int ret;
const char* library;
const char* slot;
const char* tokenName;
const char* userPin;
const char* cacert;
Pkcs11Dev dev;
Pkcs11Token token;
int slotId;
int devId = 1;
if (argc != 5 && argc != 6) {
fprintf(stderr,
"Usage: client_tls_pkcs11 <cacert> <libname> <slot> <tokenname> [userpin]\n");
return 1;
}
cacert = argv[1];
library = argv[2];
slot = argv[3];
tokenName = argv[4];
userPin = (argc == 5) ? NULL : argv[5];
slotId = atoi(slot);
#if defined(DEBUG_WOLFSSL)
wolfSSL_Debugging_ON();
#endif
wolfCrypt_Init();
ret = wc_Pkcs11_Initialize(&dev, library, NULL);
if (ret != 0) {
fprintf(stderr, "Failed to initialize PKCS#11 library\n");
ret = 2;
}
if (ret == 0) {
ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
(byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
if (ret != 0) {
fprintf(stderr, "Failed to initialize PKCS#11 token\n");
ret = 2;
}
if (ret == 0) {
ret = wc_CryptoDev_RegisterDevice(devId, wc_Pkcs11_CryptoDevCb,
&token);
if (ret != 0) {
fprintf(stderr, "Failed to register PKCS#11 token\n");
ret = 2;
}
if (ret == 0) {
ret = client_tls(cacert, devId, &token);
if (ret != 0)
ret = 1;
}
wc_Pkcs11Token_Final(&token);
}
wc_Pkcs11_Finalize(&dev);
}
wolfCrypt_Cleanup();
return ret;
}

4
pkcs11/pkcs11_hmac.c
View File

@ -31,10 +31,10 @@
int hmac(int devId, Pkcs11Token* token)
{
Hmac hmac;
unsigned char key[SHA256_DIGEST_SIZE];
unsigned char key[WC_SHA256_DIGEST_SIZE];
int ret = 0;
unsigned char data[57];
unsigned char mac[SHA256_DIGEST_SIZE];
unsigned char mac[WC_SHA256_DIGEST_SIZE];
memset(key, 9, sizeof(key));
memset(data, 9, sizeof(data));

28
pkcs11/pkcs11_test.c
View File

@ -1083,20 +1083,20 @@ int hmac_test(int devId, Pkcs11Token* token)
unsigned char key[WC_MAX_DIGEST_SIZE];
unsigned char data[57];
#if !defined(NO_MD5)
unsigned char exp_md5[MD5_DIGEST_SIZE] = {
unsigned char exp_md5[WC_MD5_DIGEST_SIZE] = {
0x58, 0x8e, 0xd2, 0x4e, 0x04, 0x1f, 0xf4, 0xc6,
0x98, 0x7c, 0x8e, 0xdc, 0xe5, 0xb1, 0xbc, 0x4b
};
#endif
#if !defined(NO_SHA)
unsigned char exp_sha[SHA_DIGEST_SIZE] = {
unsigned char exp_sha[WC_SHA_DIGEST_SIZE] = {
0x2f, 0x69, 0xc1, 0xf9, 0xe1, 0x97, 0x04, 0xe4,
0x75, 0x9f, 0x1c, 0x2a, 0x85, 0x87, 0x7e, 0x6b,
0xa7, 0x9f, 0xe1, 0x13
};
#endif
#if defined(WOLFSSL_SHA224)
unsigned char exp_sha224[SHA224_DIGEST_SIZE] = {
unsigned char exp_sha224[WC_SHA224_DIGEST_SIZE] = {
0x86, 0xa8, 0xfc, 0xfd, 0xd5, 0x95, 0xf2, 0xa6,
0x45, 0x89, 0x3b, 0x8b, 0x4c, 0x0d, 0xd1, 0x81,
0x20, 0x6b, 0x71, 0x2d, 0x7c, 0x88, 0x31, 0xa8,
@ -1104,7 +1104,7 @@ int hmac_test(int devId, Pkcs11Token* token)
};
#endif
#if !defined(NO_SHA256)
unsigned char exp_sha256[SHA256_DIGEST_SIZE] = {
unsigned char exp_sha256[WC_SHA256_DIGEST_SIZE] = {
0x04, 0x9e, 0x43, 0x3c, 0x48, 0x7c, 0x31, 0x11,
0x54, 0x90, 0x43, 0xf6, 0x2f, 0x97, 0x42, 0x80,
0x3d, 0x22, 0x47, 0x1d, 0x4f, 0xc9, 0xb8, 0xa0,
@ -1112,7 +1112,7 @@ int hmac_test(int devId, Pkcs11Token* token)
};
#endif
#if defined(WOLFSSL_SHA384)
unsigned char exp_sha384[SHA384_DIGEST_SIZE] = {
unsigned char exp_sha384[WC_SHA384_DIGEST_SIZE] = {
0x0b, 0x4c, 0x32, 0x58, 0x7b, 0x00, 0xb7, 0xfa,
0x82, 0x9f, 0xf0, 0x1d, 0x10, 0x85, 0xbc, 0x2e,
0xe0, 0x4a, 0x71, 0x91, 0xd6, 0x9a, 0x93, 0xc2,
@ -1122,7 +1122,7 @@ int hmac_test(int devId, Pkcs11Token* token)
};
#endif
#if defined(WOLFSSL_SHA512)
unsigned char exp_sha512[SHA512_DIGEST_SIZE] = {
unsigned char exp_sha512[WC_SHA512_DIGEST_SIZE] = {
0x94, 0x7b, 0x97, 0x0f, 0x48, 0x68, 0xd1, 0x88,
0x08, 0x09, 0xcf, 0xea, 0xae, 0x3e, 0xba, 0xa2,
0x3f, 0xf4, 0x9d, 0x73, 0x78, 0x15, 0x34, 0x44,
@ -1140,42 +1140,42 @@ int hmac_test(int devId, Pkcs11Token* token)
#ifndef NO_MD5
if (ret == 0) {
fprintf(stderr, "HMAC-MD5\n");
ret = hmac_op(key, MD5_DIGEST_SIZE, WC_MD5, data, sizeof(data), exp_md5,
sizeof(exp_md5), devId, token);
ret = hmac_op(key, WC_MD5_DIGEST_SIZE, WC_MD5, data, sizeof(data),
exp_md5, sizeof(exp_md5), devId, token);
}
#endif
#ifndef NO_SHA
if (ret == 0) {
fprintf(stderr, "HMAC-SHA\n");
ret = hmac_op(key, SHA_DIGEST_SIZE, WC_SHA, data, sizeof(data), exp_sha,
sizeof(exp_sha), devId, token);
ret = hmac_op(key, WC_SHA_DIGEST_SIZE, WC_SHA, data, sizeof(data),
exp_sha, sizeof(exp_sha), devId, token);
}
#endif
#ifdef WOLFSSL_SHA224
if (ret == 0) {
fprintf(stderr, "HMAC-SHA224\n");
ret = hmac_op(key, SHA224_DIGEST_SIZE, WC_SHA224, data, sizeof(data),
ret = hmac_op(key, WC_SHA224_DIGEST_SIZE, WC_SHA224, data, sizeof(data),
exp_sha224, sizeof(exp_sha224), devId, token);
}
#endif
#ifndef NO_SHA256
if (ret == 0) {
fprintf(stderr, "HMAC-SHA256\n");
ret = hmac_op(key, SHA256_DIGEST_SIZE, WC_SHA256, data, sizeof(data),
ret = hmac_op(key, WC_SHA256_DIGEST_SIZE, WC_SHA256, data, sizeof(data),
exp_sha256, sizeof(exp_sha256), devId, token);
}
#endif
#ifdef WOLFSSL_SHA384
if (ret == 0) {
fprintf(stderr, "HMAC-SHA384\n");
ret = hmac_op(key, SHA384_DIGEST_SIZE, WC_SHA384, data, sizeof(data),
ret = hmac_op(key, WC_SHA384_DIGEST_SIZE, WC_SHA384, data, sizeof(data),
exp_sha384, sizeof(exp_sha384), devId, token);
}
#endif
#ifdef WOLFSSL_SHA512
if (ret == 0) {
fprintf(stderr, "HMAC-SHA512\n");
ret = hmac_op(key, SHA512_DIGEST_SIZE, WC_SHA512, data, sizeof(data),
ret = hmac_op(key, WC_SHA512_DIGEST_SIZE, WC_SHA512, data, sizeof(data),
exp_sha512, sizeof(exp_sha512), devId, token);
}
#endif