Fix for loading the client certificate/key used for TLS.

2018-04-30 11:08:52 -07:00 · 2018-04-30 11:08:52 -07:00 · f8f5d6aa1a
parent 34e57ce3c6
commit f8f5d6aa1a
3 changed files with 79 additions and 1 deletions
--- a/FreeRTOS-AWS/lib/include/aws_pkcs11.h
+++ b/FreeRTOS-AWS/lib/include/aws_pkcs11.h
@ -53,4 +53,12 @@
 /* Bring in the public header. */
 #include "pkcs11.h"

+#ifdef WOLF_AWSTLS
+/* key der, wolf vendor specific */
+typedef struct vedCliKey {
+    unsigned char* der;
+    unsigned int   derLen;
+} vedCliKey;
+#endif
+
 #endif /* ifndef _AWS_PKCS11_H_ */
--- a/FreeRTOS-AWS/lib/pkcs11/portable/pc/windows/wolf_pkcs11.c
+++ b/FreeRTOS-AWS/lib/pkcs11/portable/pc/windows/wolf_pkcs11.c
@ -97,6 +97,8 @@ typedef struct wolfSSL_pk_context {
    } key;
    int type;  /* wolfSSL_pk_type_t */
    int keyBits;
+    byte* der;
+    word32 derLen;
 } wolfSSL_pk_context;


@ -121,6 +123,26 @@ size_t wolfSSL_pk_get_bitlen( const wolfSSL_pk_context *pk )
    return 0;
 }

+void* wolfSSL_pk_get_key( const wolfSSL_pk_context *pk )
+{
+    if (pk)
+        return pk->key.ptr;
+    return NULL;
+}
+
+int wolfSSL_pk_get_key_der( const wolfSSL_pk_context *pk, byte* der, word32* derLen )
+{
+    int ret = -1;
+    if (pk && der && derLen) {
+        if (*derLen >= pk->derLen)
+            return BUFFER_E;
+        memcpy(der, pk->der, pk->derLen);
+        *derLen = pk->derLen;
+        ret = 0;
+    }
+    return ret;
+}
+
 void wolfSSL_pk_key_free( wolfSSL_pk_context *pk )
 {
    /* cleanup keys */
@ -224,6 +246,12 @@ int wolfSSL_pk_parse_key( wolfSSL_pk_context *pk,
        derLen = ret;
    }

+    pk->derLen = derLen;
+    pk->der = (byte*)pvPortMalloc(derLen);
+    if (pk->der) {
+        memcpy(pk->der, der, derLen);
+    }
+
    /* try RSA */
    pk->type = WOLFSSL_PK_RSA;
    ret = wolfSSL_pk_create_key(pk, der, derLen);
@ -366,8 +394,16 @@ int wolfSSL_pk_verify(wolfSSL_pk_context *pk,

 void wolfSSL_pk_free( wolfSSL_pk_context *pk )
 {
+    if (pk == NULL)
+        return;
+
    /* cleanup keys */
    wolfSSL_pk_key_free(pk);
+
+    if (pk->der) {
+        vPortFree(pk->der);
+        pk->der = NULL;
+    }
 }


@ -1062,6 +1098,7 @@ CK_DEFINE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE xSession,
    CK_ULONG ulAttrLength = 0;
    wolfSSL_pk_type_t xWolfPkType;
    CK_ULONG xP11KeyType, iAttrib, xKeyBitLen;
+    vedCliKey cliKey;

    ( void ) ( xObject );

@ -1132,6 +1169,19 @@ CK_DEFINE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE xSession,
                pvAttr = &xKeyBitLen;
                break;

+            case CKA_VENDOR_DEFINED:
+            {
+                /*
+                 * Return the key context for application-layer use.
+                 */
+                memset(&cliKey, 0, sizeof(cliKey));
+				cliKey.der = pxSession->pxCurrentKey->xWolfPkCtx.der;
+				cliKey.derLen = pxSession->pxCurrentKey->xWolfPkCtx.derLen;
+                ulAttrLength = sizeof(cliKey);
+                pvAttr = &cliKey;
+                break;
+            }
+
            default:
                xResult = CKR_ATTRIBUTE_TYPE_INVALID;
                break;
--- a/FreeRTOS-AWS/lib/tls/wolf_tls.c
+++ b/FreeRTOS-AWS/lib/tls/wolf_tls.c
@ -169,6 +169,7 @@ static int prvInitializeClientCredential( TLSContext_t * pCtx )
    CK_OBJECT_CLASS xObjClass = 0;
    CK_OBJECT_HANDLE xCertObj = 0;
    CK_BYTE * pucCertificate = NULL;
+    vedCliKey cliKey;

    /* Ensure that the PKCS#11 module is initialized. */
    if( 0 == xResult )
@ -218,6 +219,16 @@ static int prvInitializeClientCredential( TLSContext_t * pCtx )
        xResult = ( BaseType_t ) pCtx->pxP11FunctionList->C_FindObjectsFinal( pCtx->xP11Session );
    }

+    /* Get the internal key context. */
+    if( 0 == xResult )
+    {
+        xTemplate.type = CKA_VENDOR_DEFINED;
+        xTemplate.ulValueLen = sizeof( cliKey );
+        xTemplate.pValue = &cliKey;
+        xResult = ( BaseType_t ) pCtx->pxP11FunctionList->C_GetAttributeValue(
+            pCtx->xP11Session, pCtx->xP11PrivateKey, &xTemplate, 1 );
+    }
+
    /* Get the key size. */
    if( 0 == xResult )
    {
@ -281,11 +292,18 @@ static int prvInitializeClientCredential( TLSContext_t * pCtx )
    /* Decode the client certificate. */
    if( 0 == xResult )
    {
-        xResult = wolfSSL_CTX_load_verify_buffer(pCtx->ctx,
+        xResult = wolfSSL_CTX_use_certificate_buffer(pCtx->ctx,
                (const byte*)pucCertificate, xTemplate.ulValueLen,
                WOLFSSL_FILETYPE_ASN1);
 		if (xResult == WOLFSSL_SUCCESS)
 			xResult = 0;
+
+        /* Load certificate private key */
+        xResult = wolfSSL_CTX_use_PrivateKey_buffer(pCtx->ctx,
+                (const byte*)cliKey.der, cliKey.derLen,
+                WOLFSSL_FILETYPE_ASN1);
+        if (xResult == WOLFSSL_SUCCESS)
+            xResult = 0;
    }

    if( NULL != pucCertificate )
@ -449,6 +467,8 @@ BaseType_t TLS_Connect( void * pvContext )
                break;
            }
        }
+		if (xResult == WOLFSSL_SUCCESS)
+            xResult = 0;
    }

    return xResult;