WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Improve TLS1.2 client authentication to use TSIP

pull/5709/head
TakayukiMatsuo 2022-10-18 14:24:33 +09:00
parent c2384674d8
commit 0c771a93dc
22 changed files with 1232 additions and 227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
IDE/Renesas/e2studio/RX65N/GR-ROSE/README_EN.md
View File

@ -299,9 +299,43 @@ If you want to use it for purposes beyond functional evaluation, you need to pre
3. The signature generated by the RootCA certificate with the private key in 2 above.
will become necessary. Please refer to the manual provided by Renesas for how to generate them.
<br>
## 10. Limitations
## 10. Requirements for client authentication
----
wolfSSL supports client authentication as follows:
- In TLS1.3, ECDSA certificates are handled by TSIP, RSA certificates are handled by software.
- In TLS1.2, both ECDSA and RSA certificates are handled by TSIP.
(1) Loading client certificate
Use wolfSSL_use_certificate_buffer or wolfSSL_CTX_use_certificate_buffer to load client certificate.
(2) Loading client private key/public key
Type of the client certificate decides the keys to be loaded.
a) ECDSA certificate:<br>
Load private key using tsip_use_PrivateKey_buffer.
b) RSA certificate:<br>
Load private key using tsip_use_PrivateKey_buffer.
Load public key using tsip_use_PublicKey_buffer.
Note. In case of RSA certificate, the public key will be used for internal verification of signature process.
(3) How to generate encrypted keys
The keys (private and public keys) to be loaded should be encrypted-key format. Those keys could be generated with Renesas Secure Flash Programmer or SecurityKeyManagementTool. Refer the section 7.5 and 7.6 of the application note named “RX Family TSIP Module Firmware Integration technology” how to operate above key wrapping tool.
(4) Macro to be defined
Define “WOLF_PRIVATE_KEY_ID” in your user_settings.h.
<br>
## 11. Limitations
----
<br>
wolfSSL, which supports TSIPv1.15, has the following functional restrictions.
@ -309,12 +343,10 @@ wolfSSL, which supports TSIPv1.15, has the following functional restrictions.
1. Handshake message packets exchanged with the server during the TLS handshake are stored in plaintext in memory. This is used to calculate the hash of handshake messages. The content will be deleted at the end of the session.
1. TLS1.2 does not support the client authentication function using TSIP.
Use wolfSSL_CTX_use_certificate_buffer or wolfSSL_CTX_use_certificate_chain_buffer_format to load the client certificate and wolfSSL_CTX_use_PrivateKey_buffer to load the private key. It is processed by software.
1. In TLS 1.3, the client authentication function using TSIP is supported only for ECDSA client certificates. In the case of RSA certificates, it will be processed by software.
1. In TLS 1.3, the client authentication function using TSIP is supported only for ECDSA client certificates. In the case of RSA certificate, it will be processed by software.
1. In TLS1.3, among the server authentication functions using TSIP, "Certificate Verify" message is processed by software.
1. In TLS1.3, among the server authentication functions, “CertificateVerify” message from the server is processed by software.
1. Session resumption and early data using TSIP are not supported.

47
IDE/Renesas/e2studio/RX65N/GR-ROSE/README_JP.md
View File

@ -300,19 +300,50 @@ Received: I hear you fa shizzle!
<br>
## 10. 制限事項
## 10. クライアント認証を行うための必要事項
-----
クライアント認証機能は以下のようにサポートしています。
- TLS1.3ではECDSA証明書はTSIPを使って処理し、RSA証明書はソフトウエアで処理します。
- TLS1.2ではECDSA証明書とRSA証明書は共にTSIPを使って処理します。
(1) クライアント証明書のロード
wolfSSL_CTX_use_certificate_buffer あるいはwolfSSL_CTX_use_certificate_chain_buffer_format を使ってクライアント証明書をロードしてください。
(2) クライアント秘密鍵/公開鍵のロード
クライアント証明書の種類に応じてロードすべき鍵が決まります。以下に従って必要な鍵をロードしてください。
a) ECDSA証明書の場合
- tsip_use_PrivateKey_bufferを使って秘密鍵をロードしてください。
b) RSA証明書の場合
- tsip_use_PrivateKey_bufferを使って秘密鍵をロードしてください。
- tsip_use_PublicKey_bufferを使って公開鍵をロードしてください。
RSA証明書の場合には署名処理を内部で検証する目的で公開鍵も使用します。その為に、公開鍵のロードが必要です。
(3) encrypted keyの作成
鍵ロードすべき秘密鍵あるいは公開鍵はRensas Secure Flash ProgrammerあるいはSecurityKeyManagementToolを使って出力されたencrypted keyを渡してください。encrypted keyの作成方法はアプリケーションート“RXファミリ TSIPモジュールFirmware Integration Technology” の7.1.4”encrypted key, encrypted provisioning keyの使用方法“に説明されています。
(4) 必要なマクロ定義
user_settings.hにWOLF_PRIVATE_KEY_IDの定義を行ってください。
<br>
## 11. 制限事項
-----
TSIPv1.15をサポートしたwolfSSLでは以下の機能制限があります。
1. TLSハンドシェーク中にサーバーと交換したメッセージパケットが平文でメモリ上に蓄積されています。これはハンドシェークメッセージのハッシュ計算に使用されます。内容はセッション終了時に削除されます。
1. TLS1.2ではTSIPを使ったクライアント認証機能をサポートしていません。
wolfSSL_CTX_use_certificate_buffer あるいはwolfSSL_CTX_use_certificate_chain_buffer_format を使ってクライアント証明書をロードし、wolfSSL_CTX_use_PrivateKey_bufferを使って秘密鍵をロードしてください。ソフトウエアで処理を行います。
2. TLS1.3ではTSIPを使ったクライアント認証機能はECDSAクライアント証明書の場合にのみサポートされます。RSA証明書の場合はソフトウエアでの処理となります。
1. TLS1.3ではTSIPを使ったクライアント認証機能はECDSAクライアント証明書の場合にのみサポートされます。RSA証明書の場合はソフトウエアでの処理となります。
3. TLS1.3ではTSIPを使ったサーバー認証機能のうち、CertificateVerifyメッセージの検証はソフトウエアでの処理となります。
1. TLS1.3ではTSIPを使ったサーバー認証機能のうち、CertificateVerifyメッセージの検証はソフトウエアでの処理となります。
4. TSIPを使ってのセッション再開およびearly dataはサポートされません
1. TSIPを使ってのセッション再開およびearly dataはサポートされません。
上記制限1 ~ 4は次版以降のTSIPによって改善が見込まれています。
上記制限事項1~4は次版以降のTSIPによって改善が見込まれています。

1
IDE/Renesas/e2studio/RX65N/GR-ROSE/common/user_settings.h
View File

@ -215,6 +215,7 @@
#define WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT
#define HAVE_PK_CALLBACKS
#define WOLF_CRYPTO_CB
#define WOLF_PRIVATE_KEY_ID
#endif
#else

43
IDE/Renesas/e2studio/RX65N/GR-ROSE/test/src/key_data.c
View File

@ -18,7 +18,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "key_data.h"
@ -74,6 +74,35 @@ const st_key_block_data_t g_key_block_data =
{
0
},
/* uint8_t
* encrypted_user_rsa2048_public_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16]
*/
{
0x22, 0xEC, 0xE3, 0x79, 0xD1, 0x0C, 0xB4, 0xED, 0xE0, 0xA9, 0x0F, 0xBD,
0xC7, 0x0B, 0xB4, 0x1E, 0x82, 0x27, 0x79, 0x20, 0x6A, 0x15, 0x56, 0xD6,
0x0F, 0xFA, 0xE4, 0x61, 0x04, 0xDA, 0x81, 0x33, 0x42, 0xBA, 0x6D, 0xB9,
0x34, 0x81, 0xFD, 0x67, 0xDF, 0x1D, 0xCB, 0x52, 0x64, 0x9A, 0x2E, 0x30,
0x12, 0x60, 0xCB, 0x48, 0x27, 0xB6, 0x38, 0x0B, 0x54, 0x5A, 0x70, 0xCB,
0x6F, 0x05, 0x53, 0x46, 0x8B, 0x08, 0x86, 0x24, 0xCB, 0xA2, 0x36, 0x54,
0xCD, 0xC9, 0x61, 0x37, 0x43, 0xCB, 0xCC, 0x7C, 0x6B, 0x20, 0x07, 0xB6,
0x01, 0x96, 0x32, 0xF5, 0x30, 0x0E, 0x96, 0x05, 0xC4, 0xF5, 0xF0, 0xB0,
0xD3, 0x26, 0xAF, 0x6E, 0x39, 0x01, 0x2D, 0xAC, 0x7E, 0x39, 0xCF, 0x48,
0x74, 0x7D, 0x98, 0x00, 0xA6, 0x95, 0xDA, 0x4C, 0xAC, 0x81, 0xC7, 0x9A,
0x93, 0x69, 0x23, 0xD4, 0x39, 0xCD, 0xB3, 0x62, 0x4A, 0x4A, 0x26, 0x95,
0x51, 0xE1, 0x06, 0x8F, 0xB2, 0x3C, 0x8F, 0xDE, 0xF1, 0xC3, 0x69, 0xFC,
0xF5, 0xC3, 0xCE, 0x39, 0x3F, 0x7F, 0x2D, 0xA8, 0x8B, 0xB3, 0x2D, 0xE4,
0xB8, 0xA4, 0x19, 0x55, 0x29, 0xEC, 0x9C, 0x6A, 0xD7, 0xD7, 0x45, 0x3E,
0x1D, 0x18, 0x52, 0xB5, 0x8A, 0xB1, 0x26, 0x43, 0x8C, 0x7A, 0x65, 0xF1,
0x17, 0x5E, 0x75, 0x4A, 0x1A, 0x30, 0xD8, 0xEA, 0xC2, 0x19, 0x3C, 0x1E,
0x2E, 0xFB, 0xDB, 0xC9, 0x1F, 0x73, 0xC9, 0x95, 0x53, 0x8C, 0x99, 0x5D,
0x3B, 0x59, 0xFE, 0x8B, 0xA1, 0xD2, 0xBB, 0xBC, 0xBC, 0x4B, 0x78, 0x0A,
0x6B, 0xD8, 0xBE, 0x85, 0x60, 0x08, 0x1E, 0x2F, 0x38, 0x77, 0xA3, 0xC4,
0x46, 0xC1, 0x42, 0x39, 0xA6, 0x59, 0x98, 0x59, 0x21, 0x94, 0x1F, 0xDC,
0xB3, 0xAE, 0xA3, 0xB6, 0xCC, 0x35, 0x82, 0x6F, 0x87, 0x58, 0x91, 0x70,
0xEC, 0x3F, 0x05, 0x86, 0x5E, 0x04, 0x1E, 0xF4, 0xCD, 0xF5, 0xF9, 0x4C,
0x0D, 0x65, 0x5E, 0x92, 0x1B, 0x67, 0xC5, 0xC5, 0xB6, 0x18, 0x3E, 0x7F,
0xF7, 0x39, 0xCF, 0xA9, 0x32, 0x44, 0x2B, 0xB6, 0xCB, 0x52, 0x12, 0xAA
},
/* uint8_t
* encrypted_user_rsa2048_private_key[R_TSIP_RSA2048_ND_KEY_BYTE_SIZE + 16]
*/
@ -123,6 +152,18 @@ const st_key_block_data_t g_key_block_data =
0xCC, 0x09, 0x65, 0x34, 0xC0, 0x0F, 0x42, 0xF2, 0xE6, 0xDD, 0x2D, 0x8C,
0x93, 0x42, 0x09, 0xF6, 0xE4, 0xDF, 0xB2, 0x64, 0x2A, 0x12, 0x7A, 0x59
},
/* uint8_t
* encrypted_user_ecc256_public_key[R_TSIP_ECC_PUBLIC_KEY_BYTE_SIZE + 16];
*/
{
0xD5, 0xC3, 0x55, 0x9A, 0xA4, 0xFB, 0xB0, 0x86, 0x0A, 0x75, 0x20, 0x6A,
0xF9, 0x20, 0x63, 0xC6, 0xA0, 0xB8, 0xED, 0x91, 0xAF, 0x42, 0xD0, 0x23,
0x99, 0xF8, 0x21, 0xF1, 0x22, 0x6C, 0xB5, 0x42, 0x6A, 0x29, 0xB4, 0xC4,
0x96, 0xA4, 0x9C, 0xB2, 0xA2, 0x79, 0xC1, 0xAB, 0x55, 0xEE, 0xDE, 0xF6,
0xFE, 0xA1, 0xD7, 0x99, 0x3A, 0x91, 0xF7, 0x4E, 0xC1, 0xB2, 0xE0, 0x3F,
0x07, 0xD6, 0xA4, 0xFB, 0xF6, 0x61, 0x00, 0xAE, 0x52, 0x6B, 0x1A, 0xCC,
0x70, 0x2F, 0xC4, 0xE2, 0x60, 0x36, 0x01, 0x17
},
/* uint8_t
* encrypted_user_ecc256_private_key[R_TSIP_ECC_PRIVATE_KEY_BYTE_SIZE + 16];
*/

12
IDE/Renesas/e2studio/RX65N/GR-ROSE/test/src/key_data.h
View File

@ -18,7 +18,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
@ -35,11 +35,21 @@
typedef struct st_key_block_data
{
/* encrypted provisioning key */
uint8_t encrypted_provisioning_key[R_TSIP_AES_CBC_IV_BYTE_SIZE * 2];
/* iv */
uint8_t iv[R_TSIP_AES_CBC_IV_BYTE_SIZE];
/* RSA2048 public key for RootCA sign verification */
uint8_t encrypted_user_rsa2048_ne_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16];
/* update key (not used) */
uint8_t encrypted_user_update_key[R_TSIP_AES256_KEY_BYTE_SIZE + 16];
/* wrapped client RSA2048bit public key */
uint8_t encrypted_user_rsa2048_public_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16];
/* wrapped client RSA2048bit private key */
uint8_t encrypted_user_rsa2048_private_key[R_TSIP_RSA2048_ND_KEY_BYTE_SIZE + 16];
/* wrapped client ECC P256 public key */
uint8_t encrypted_user_ecc256_public_key[R_TSIP_ECC_PUBLIC_KEY_BYTE_SIZE + 16];
/* wrapped client ECC P256 private key */
uint8_t encrypted_user_ecc256_private_key[R_TSIP_ECC_PRIVATE_KEY_BYTE_SIZE + 16];
} st_key_block_data_t;

189
IDE/Renesas/e2studio/RX65N/GR-ROSE/test/src/wolf_client.c
View File

@ -128,6 +128,10 @@ void wolfSSL_TLS_client_init(const char* cipherlist)
wolfSSL_Debugging_ON();
#endif
/*---------------------------------------------*/
/* Allocate WOLFSSL_CTX */
/*---------------------------------------------*/
#if defined(WOLFSSL_STATIC_MEMORY)
if ((client_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(heapHint),
@ -152,77 +156,35 @@ void wolfSSL_TLS_client_init(const char* cipherlist)
}
#endif /* WOLFSSL_STATIC_MEMORY */
/*---------------------------------------------*/
/* Set up TSIP callbacks */
/*---------------------------------------------*/
#ifdef WOLFSSL_RENESAS_TSIP_TLS
tsip_set_callbacks(client_ctx);
#endif
#if !defined(NO_FILESYSTEM)
if (wolfSSL_CTX_load_verify_locations(client_ctx, cert, 0) != SSL_SUCCESS) {
printf("ERROR: can't load \"%s\"\n", cert);
return;
}
#else
/*---------------------------------------------*/
/* Root CA certificate */
/*---------------------------------------------*/
if (wolfSSL_CTX_load_verify_buffer(client_ctx, cert, SIZEOF_CERT,
SSL_FILETYPE_ASN1) != SSL_SUCCESS){
printf("ERROR: can't load certificate data\n");
return;
}
/*---------------------------------------------*/
/* Set up IO callbacks */
/*---------------------------------------------*/
/* load client certificate */
#ifdef USE_ECC_CERT
if (wolfSSL_CTX_use_certificate_chain_buffer_format(client_ctx,
cliecc_cert_der_256,
sizeof_cliecc_cert_der_256,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
return;
}
/* set client private key data */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_RENESAS_TSIP_TLS) && \
(WOLFSSL_RENESAS_TSIP_VER >= 115 )
if (tsip_set_clientPrivateKeyEnc(
g_key_block_data.encrypted_user_ecc256_private_key,
TSIP_ECCP256) != 0) {
printf("ERROR: can't load client-private key\n");
return;
}
#endif
if (wolfSSL_CTX_use_PrivateKey_buffer(client_ctx,
ecc_clikey_der_256,
sizeof_ecc_clikey_der_256,
SSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("ERROR: can't load private-key data.\n");
return;
}
#else
if (wolfSSL_CTX_use_certificate_chain_buffer_format(client_ctx,
client_cert_der_2048,
sizeof_client_cert_der_2048,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
return;
}
/* set client private key data */
if (wolfSSL_CTX_use_PrivateKey_buffer(client_ctx, client_key_der_2048,
sizeof_client_key_der_2048, SSL_FILETYPE_ASN1)
!= WOLFSSL_SUCCESS) {
printf("ERROR: can't load private-key data.\n");
return;
}
#endif /* USE_ECC_CERT */
#endif /* !NO_FILESYSTEM */
/* Register callbacks */
wolfSSL_SetIORecv(client_ctx, my_IORecv);
wolfSSL_SetIOSend(client_ctx, my_IOSend);
/*---------------------------------------------*/
/* Set up cipher suites */
/*---------------------------------------------*/
/* use specific cipher */
if (cipherlist != NULL &&
wolfSSL_CTX_set_cipher_list(client_ctx, cipherlist) != WOLFSSL_SUCCESS) {
@ -272,19 +234,130 @@ void wolfSSL_TLS_client( )
goto out;
}
/*---------------------------------------------*/
/* Allocate WOLFSSL object */
/*---------------------------------------------*/
if((ssl = wolfSSL_new(ctx)) == NULL) {
printf("ERROR wolfSSL_new: %d\n", wolfSSL_get_error(ssl, 0));
goto out;
}
/*---------------------------------------------*/
/* Set up callback context for TSIP */
/*---------------------------------------------*/
#ifdef WOLFSSL_RENESAS_TSIP_TLS
tsip_set_callback_ctx(ssl, &userContext);
#endif
/* set callback context */
/*---------------------------------------------*/
/* Client Certificate */
/*---------------------------------------------*/
#ifdef USE_ECC_CERT
/* ECDSA client certificate */
if (wolfSSL_use_certificate_buffer(ssl, cliecc_cert_der_256,
sizeof_cliecc_cert_der_256, WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_certificate_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
goto out;
}
#else
/* RSA client certificate */
if (wolfSSL_use_certificate_buffer(ssl, client_cert_der_2048,
sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_certificate_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
goto out;
}
#endif /* USE_ECC_CERT */
/*---------------------------------------------*/
/* Client Keys */
/*---------------------------------------------*/
#ifdef USE_ECC_CERT
#ifdef WOLFSSL_RENESAS_TSIP_TLS
/* TSIP specific ECC private key */
if (tsip_use_PrivateKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_ecc256_private_key,
sizeof(g_key_block_data.encrypted_user_ecc256_private_key),
TSIP_ECCP256) != 0) {
printf("ERROR tsip_use_PrivateKey_buffer\n");
goto out;
}
#else
/* DER format ECC private key */
if (wolfSSL_use_PrivateKey_buffer(ssl,
ecc_clikey_der_256,
sizeof_ecc_clikey_der_256,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
goto out;
}
#endif
#else
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && !defined(WOLFSSL_TLS13)
/* Note 1: TSIP asks client key pair for client authentication.
* Note 2: as of TSIP v1.15, client authentication is not supported by TSIP
* for RSA certificate on TLS1.3.
*/
/* TSIP specific RSA private key */
if (tsip_use_PrivateKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_rsa2048_private_key,
sizeof(g_key_block_data.encrypted_user_rsa2048_private_key),
TSIP_RSA2048) != 0) {
printf("ERROR tsip_use_PrivateKey_buffer\n");
goto out;
}
/* TSIP specific RSA public key */
if (tsip_use_PublicKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_rsa2048_public_key,
sizeof(g_key_block_data.encrypted_user_rsa2048_public_key),
TSIP_RSA2048) != 0) {
printf("ERROR tsip_use_PublicKey_buffer\n");
goto out;
}
#else
if (wolfSSL_use_PrivateKey_buffer(ssl, client_key_der_2048,
sizeof_client_key_der_2048, WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
goto out;
}
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
#endif /* USE_ECC_CERT */
/*---------------------------------------------*/
/* Set up IO callback context */
/*---------------------------------------------*/
wolfSSL_SetIOReadCtx(ssl, (void *)&cepid);
wolfSSL_SetIOWriteCtx(ssl, (void *)&cepid);
/*---------------------------------------------*/
/* TLS handshake */
/*---------------------------------------------*/
if(wolfSSL_connect(ssl) != SSL_SUCCESS) {
printf("ERROR SSL connect: %d\n", wolfSSL_get_error(ssl, 0));

BIN
IDE/Renesas/e2studio/RX65N/RSK/InstructionManualForExample_RSK+RX65N-2MB_EN.pdf
View File

Binary file not shown.

BIN
IDE/Renesas/e2studio/RX65N/RSK/InstructionManualForExample_RSK+RX65N-2MB_JP.pdf
View File

Binary file not shown.

43
IDE/Renesas/e2studio/RX65N/RSK/wolfssl_demo/key_data.c
View File

@ -18,7 +18,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "key_data.h"
@ -74,6 +74,35 @@ const st_key_block_data_t g_key_block_data =
{
0
},
/* uint8_t
* encrypted_user_rsa2048_public_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16]
*/
{
0x22, 0xEC, 0xE3, 0x79, 0xD1, 0x0C, 0xB4, 0xED, 0xE0, 0xA9, 0x0F, 0xBD,
0xC7, 0x0B, 0xB4, 0x1E, 0x82, 0x27, 0x79, 0x20, 0x6A, 0x15, 0x56, 0xD6,
0x0F, 0xFA, 0xE4, 0x61, 0x04, 0xDA, 0x81, 0x33, 0x42, 0xBA, 0x6D, 0xB9,
0x34, 0x81, 0xFD, 0x67, 0xDF, 0x1D, 0xCB, 0x52, 0x64, 0x9A, 0x2E, 0x30,
0x12, 0x60, 0xCB, 0x48, 0x27, 0xB6, 0x38, 0x0B, 0x54, 0x5A, 0x70, 0xCB,
0x6F, 0x05, 0x53, 0x46, 0x8B, 0x08, 0x86, 0x24, 0xCB, 0xA2, 0x36, 0x54,
0xCD, 0xC9, 0x61, 0x37, 0x43, 0xCB, 0xCC, 0x7C, 0x6B, 0x20, 0x07, 0xB6,
0x01, 0x96, 0x32, 0xF5, 0x30, 0x0E, 0x96, 0x05, 0xC4, 0xF5, 0xF0, 0xB0,
0xD3, 0x26, 0xAF, 0x6E, 0x39, 0x01, 0x2D, 0xAC, 0x7E, 0x39, 0xCF, 0x48,
0x74, 0x7D, 0x98, 0x00, 0xA6, 0x95, 0xDA, 0x4C, 0xAC, 0x81, 0xC7, 0x9A,
0x93, 0x69, 0x23, 0xD4, 0x39, 0xCD, 0xB3, 0x62, 0x4A, 0x4A, 0x26, 0x95,
0x51, 0xE1, 0x06, 0x8F, 0xB2, 0x3C, 0x8F, 0xDE, 0xF1, 0xC3, 0x69, 0xFC,
0xF5, 0xC3, 0xCE, 0x39, 0x3F, 0x7F, 0x2D, 0xA8, 0x8B, 0xB3, 0x2D, 0xE4,
0xB8, 0xA4, 0x19, 0x55, 0x29, 0xEC, 0x9C, 0x6A, 0xD7, 0xD7, 0x45, 0x3E,
0x1D, 0x18, 0x52, 0xB5, 0x8A, 0xB1, 0x26, 0x43, 0x8C, 0x7A, 0x65, 0xF1,
0x17, 0x5E, 0x75, 0x4A, 0x1A, 0x30, 0xD8, 0xEA, 0xC2, 0x19, 0x3C, 0x1E,
0x2E, 0xFB, 0xDB, 0xC9, 0x1F, 0x73, 0xC9, 0x95, 0x53, 0x8C, 0x99, 0x5D,
0x3B, 0x59, 0xFE, 0x8B, 0xA1, 0xD2, 0xBB, 0xBC, 0xBC, 0x4B, 0x78, 0x0A,
0x6B, 0xD8, 0xBE, 0x85, 0x60, 0x08, 0x1E, 0x2F, 0x38, 0x77, 0xA3, 0xC4,
0x46, 0xC1, 0x42, 0x39, 0xA6, 0x59, 0x98, 0x59, 0x21, 0x94, 0x1F, 0xDC,
0xB3, 0xAE, 0xA3, 0xB6, 0xCC, 0x35, 0x82, 0x6F, 0x87, 0x58, 0x91, 0x70,
0xEC, 0x3F, 0x05, 0x86, 0x5E, 0x04, 0x1E, 0xF4, 0xCD, 0xF5, 0xF9, 0x4C,
0x0D, 0x65, 0x5E, 0x92, 0x1B, 0x67, 0xC5, 0xC5, 0xB6, 0x18, 0x3E, 0x7F,
0xF7, 0x39, 0xCF, 0xA9, 0x32, 0x44, 0x2B, 0xB6, 0xCB, 0x52, 0x12, 0xAA
},
/* uint8_t
* encrypted_user_rsa2048_private_key[R_TSIP_RSA2048_ND_KEY_BYTE_SIZE + 16]
*/
@ -123,6 +152,18 @@ const st_key_block_data_t g_key_block_data =
0xCC, 0x09, 0x65, 0x34, 0xC0, 0x0F, 0x42, 0xF2, 0xE6, 0xDD, 0x2D, 0x8C,
0x93, 0x42, 0x09, 0xF6, 0xE4, 0xDF, 0xB2, 0x64, 0x2A, 0x12, 0x7A, 0x59
},
/* uint8_t
* encrypted_user_ecc256_public_key[R_TSIP_ECC_PUBLIC_KEY_BYTE_SIZE + 16];
*/
{
0xD5, 0xC3, 0x55, 0x9A, 0xA4, 0xFB, 0xB0, 0x86, 0x0A, 0x75, 0x20, 0x6A,
0xF9, 0x20, 0x63, 0xC6, 0xA0, 0xB8, 0xED, 0x91, 0xAF, 0x42, 0xD0, 0x23,
0x99, 0xF8, 0x21, 0xF1, 0x22, 0x6C, 0xB5, 0x42, 0x6A, 0x29, 0xB4, 0xC4,
0x96, 0xA4, 0x9C, 0xB2, 0xA2, 0x79, 0xC1, 0xAB, 0x55, 0xEE, 0xDE, 0xF6,
0xFE, 0xA1, 0xD7, 0x99, 0x3A, 0x91, 0xF7, 0x4E, 0xC1, 0xB2, 0xE0, 0x3F,
0x07, 0xD6, 0xA4, 0xFB, 0xF6, 0x61, 0x00, 0xAE, 0x52, 0x6B, 0x1A, 0xCC,
0x70, 0x2F, 0xC4, 0xE2, 0x60, 0x36, 0x01, 0x17
},
/* uint8_t
* encrypted_user_ecc256_private_key[R_TSIP_ECC_PRIVATE_KEY_BYTE_SIZE + 16];
*/

12
IDE/Renesas/e2studio/RX65N/RSK/wolfssl_demo/key_data.h
View File

@ -18,7 +18,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
@ -35,11 +35,21 @@
typedef struct st_key_block_data
{
/* encrypted provisioning key */
uint8_t encrypted_provisioning_key[R_TSIP_AES_CBC_IV_BYTE_SIZE * 2];
/* iv */
uint8_t iv[R_TSIP_AES_CBC_IV_BYTE_SIZE];
/* RSA2048 public key for RootCA sign verification */
uint8_t encrypted_user_rsa2048_ne_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16];
/* update key (not used) */
uint8_t encrypted_user_update_key[R_TSIP_AES256_KEY_BYTE_SIZE + 16];
/* wrapped client RSA2048bit public key */
uint8_t encrypted_user_rsa2048_public_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16];
/* wrapped client RSA2048bit private key */
uint8_t encrypted_user_rsa2048_private_key[R_TSIP_RSA2048_ND_KEY_BYTE_SIZE + 16];
/* wrapped client ECC P256 public key */
uint8_t encrypted_user_ecc256_public_key[R_TSIP_ECC_PUBLIC_KEY_BYTE_SIZE + 16];
/* wrapped client ECC P256 private key */
uint8_t encrypted_user_ecc256_private_key[R_TSIP_ECC_PRIVATE_KEY_BYTE_SIZE + 16];
} st_key_block_data_t;

9
IDE/Renesas/e2studio/RX65N/RSK/wolfssl_demo/user_settings.h
View File

@ -145,7 +145,6 @@
#define WOLFSSL_LOG_PRINTF
#define WOLFSSL_HAVE_MIN
#define WOLFSSL_HAVE_MAX
#define WOLFSSL_SMALL_STACK
#define NO_WRITEV
@ -163,7 +162,12 @@
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define USE_FAST_MATH
#define FP_MAX_BITS 4096
#define WOLFSSL_SP_MATH
#define WOLFSSL_SP_MATH_ALL /* use SP math for all key sizes and curves */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
/*-- Debugging options ------------------------------------------------------
*
@ -209,6 +213,7 @@
#define WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT
#define HAVE_PK_CALLBACKS
#define WOLF_CRYPTO_CB
#define WOLF_PRIVATE_KEY_ID
#endif
#else

162
IDE/Renesas/e2studio/RX65N/RSK/wolfssl_demo/wolfssl_demo.c
View File

@ -174,7 +174,6 @@ static void Tls_client_init(const char* cipherlist)
tsip_set_callbacks(client_ctx);
#endif
/* load Root CA certificate */
#if defined(NO_FILESYSTEM)
if (wolfSSL_CTX_load_verify_buffer(client_ctx, cert,
SIZEOF_CERT, SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
@ -188,56 +187,6 @@ static void Tls_client_init(const char* cipherlist)
}
#endif
/* load client certificate */
#ifdef USE_ECC_CERT
if (wolfSSL_CTX_use_certificate_chain_buffer_format(client_ctx,
cliecc_cert_der_256,
sizeof_cliecc_cert_der_256,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
return;
}
#else
if (wolfSSL_CTX_use_certificate_chain_buffer_format(client_ctx,
client_cert_der_2048,
sizeof_client_cert_der_2048,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
return;
}
#endif /* USE_ECC_CERT */
/* load client private key */
#ifdef USE_ECC_CERT
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_RENESAS_TSIP_TLS) && \
(WOLFSSL_RENESAS_TSIP_VER >= 115 )
if (tsip_set_clientPrivateKeyEnc(
g_key_block_data.encrypted_user_ecc256_private_key,
TSIP_ECCP256) != 0) {
printf("ERROR: can't load client-private key\n");
return;
}
#endif
if (wolfSSL_CTX_use_PrivateKey_buffer(client_ctx,
ecc_clikey_der_256,
sizeof_ecc_clikey_der_256,
SSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("ERROR: can't load private-key data.\n");
return;
}
#else
if (wolfSSL_CTX_use_PrivateKey_buffer(client_ctx,
client_key_der_2048,
sizeof_client_key_der_2048,
SSL_FILETYPE_ASN1)
!= WOLFSSL_SUCCESS) {
printf("ERROR: can't load private-key data.\n");
return;
}
#endif /* USE_ECC_CERT */
/* use specific cipher */
if (cipherlist != NULL &&
@ -264,7 +213,8 @@ static void Tls_client()
{
#define BUFF_SIZE 256
#define ADDR_SIZE 16
int ret;
int ret = 0;
int err;
WOLFSSL_CTX* ctx = (WOLFSSL_CTX *)client_ctx;
WOLFSSL* ssl;
Socket_t socket;
@ -297,7 +247,6 @@ static void Tls_client()
printf("ERROR FreeRTOS_connect: %d\n",ret);
}
/* create WOLFSSL object */
if (ret == 0) {
ssl = wolfSSL_new(ctx);
if (ssl == NULL) {
@ -311,6 +260,113 @@ static void Tls_client()
#endif
}
#ifdef USE_ECC_CERT
if (ret == 0) {
err = wolfSSL_use_certificate_buffer(ssl,
cliecc_cert_der_256,
sizeof_cliecc_cert_der_256,
WOLFSSL_FILETYPE_ASN1);
if(err != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
ret = -1;
}
}
#else
if (ret == 0) {
err = wolfSSL_use_certificate_buffer(ssl,
client_cert_der_2048,
sizeof_client_cert_der_2048,
WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
ret = -1;
}
}
#endif /* USE_ECC_CERT */
#ifdef USE_ECC_CERT
#ifdef WOLFSSL_RENESAS_TSIP_TLS
/* TSIP specific ECC private key */
if (ret == 0){
ret = tsip_use_PrivateKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_ecc256_private_key,
sizeof(g_key_block_data.encrypted_user_ecc256_private_key),
TSIP_ECCP256);
if (ret != 0) {
printf("ERROR tsip_use_PrivateKey_buffer\n");
}
}
#else
/* DER format ECC private key */
if (ret == 0) {
err = wolfSSL_use_PrivateKey_buffer(ssl,
ecc_clikey_der_256,
sizeof_ecc_clikey_der_256,
WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
ret = -1;
}
}
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
#else
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && !defined(WOLFSSL_TLS13)
/* Note 1: TSIP asks RSA client key pair for client authentication.
* Note 2: as of TSIP v1.15, client authentication is not supported by TSIP
* for RSA certificate on TLS1.3.
*/
/* TSIP specific RSA private key */
if (ret == 0) {
ret = tsip_use_PrivateKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_rsa2048_private_key,
sizeof(g_key_block_data.encrypted_user_rsa2048_private_key),
TSIP_RSA2048);
if (ret != 0) {
printf("ERROR tsip_use_PrivateKey_buffer :%d\n", ret);
}
}
if (ret == 0) {
ret = tsip_use_PublicKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_rsa2048_public_key,
sizeof(g_key_block_data.encrypted_user_rsa2048_public_key),
TSIP_RSA2048);
if (ret != 0) {
printf("ERROR tsip_use_PublicKey_buffer: %d\n", ret);
}
}
#else
if (ret == 0) {
err = wolfSSL_use_PrivateKey_buffer(ssl, client_key_der_2048,
sizeof_client_key_der_2048, WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
ret = -1;
}
}
#endif /* WOLFSSL_RENESAS_TSIP_TLS && !WOLFSSL_TLS13 */
#endif /* USE_ECC_CERT */
if (ret == 0) {
/* associate socket with ssl object */
if (wolfSSL_set_fd(ssl, (int)socket) != WOLFSSL_SUCCESS) {

BIN
IDE/Renesas/e2studio/RX72N/EnvisionKit/InstructionManualForExample_RX72N_EnvisonKit_EN.pdf
View File

Binary file not shown.

BIN
IDE/Renesas/e2studio/RX72N/EnvisionKit/InstructionManualForExample_RX72N_EnvisonKit_JP.pdf
View File

Binary file not shown.

43
IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/key_data.c
View File

@ -18,7 +18,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "key_data.h"
@ -73,6 +73,35 @@ const st_key_block_data_t g_key_block_data =
{
0
},
/* uint8_t
* encrypted_user_rsa2048_public_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16]
*/
{
0xAF, 0x8C, 0x78, 0xE3, 0x6C, 0x9E, 0xC6, 0x76, 0xE5, 0x86, 0x84, 0xBE,
0xF5, 0x6C, 0xD7, 0x2B, 0x46, 0x24, 0x35, 0x99, 0xA5, 0x64, 0xDD, 0xFA,
0x35, 0x22, 0x5A, 0xB8, 0x5F, 0xD8, 0x1E, 0xCF, 0xCC, 0x73, 0x10, 0xD6,
0x13, 0x69, 0x8F, 0x36, 0xA9, 0x8E, 0x09, 0xDF, 0x83, 0x20, 0x85, 0xBE,
0x81, 0x69, 0x51, 0x75, 0xCB, 0xA5, 0x90, 0x8C, 0xC1, 0x75, 0xBE, 0x0F,
0x8C, 0xB6, 0xFE, 0x73, 0x03, 0x37, 0x03, 0x41, 0xC0, 0x98, 0xC2, 0xEE,
0x2D, 0x1B, 0xDA, 0x10, 0x8B, 0xF6, 0xB6, 0x67, 0xE9, 0x29, 0xCD, 0xEC,
0x4C, 0x4D, 0x84, 0x28, 0x61, 0x3A, 0xF5, 0x6D, 0xEE, 0x78, 0x45, 0xF3,
0x17, 0xC9, 0x77, 0xAB, 0x56, 0x2C, 0x68, 0xCB, 0x14, 0x9F, 0x5A, 0xE7,
0x11, 0xC7, 0x13, 0x4B, 0xDC, 0x31, 0x60, 0x77, 0xDA, 0x56, 0x0C, 0x15,
0xB2, 0xA9, 0x73, 0x4C, 0xD3, 0x46, 0x29, 0x18, 0x1C, 0x8C, 0xFD, 0xCF,
0xAC, 0x4B, 0x55, 0x30, 0x96, 0xDC, 0xE9, 0xC0, 0x6A, 0x74, 0x68, 0x1D,
0x6B, 0x25, 0xB0, 0x8F, 0x0C, 0xD7, 0xDD, 0xFC, 0xA8, 0x15, 0x87, 0x3E,
0xA3, 0x91, 0x46, 0x25, 0x6C, 0x6F, 0xC4, 0xB2, 0xE1, 0xB8, 0x5F, 0xF3,
0x6A, 0x0D, 0x9C, 0x29, 0x08, 0x6F, 0x5E, 0xFF, 0xA0, 0x81, 0x34, 0xA5,
0x2B, 0x2B, 0x47, 0xE0, 0x6D, 0x56, 0xD2, 0x52, 0xC7, 0x19, 0x63, 0x72,
0x84, 0x96, 0x64, 0xA5, 0xF2, 0x92, 0x3C, 0x38, 0x37, 0x9F, 0x6A, 0x2D,
0x58, 0x33, 0x8C, 0x5C, 0x27, 0x05, 0xCB, 0x4F, 0x62, 0x2F, 0x40, 0xE9,
0x55, 0x2C, 0x75, 0x4B, 0x02, 0xB3, 0x61, 0xAD, 0x34, 0x14, 0x49, 0x26,
0x94, 0x45, 0x9B, 0xB8, 0xDB, 0x1F, 0xCE, 0xE9, 0xB1, 0xBF, 0x47, 0xF3,
0xD4, 0xAD, 0xEB, 0xBC, 0x4F, 0x61, 0xAD, 0x66, 0xAF, 0x10, 0x94, 0x5D,
0x25, 0x5B, 0x52, 0xF3, 0xBC, 0xCE, 0x10, 0x77, 0x76, 0xE4, 0x5C, 0xCF,
0xC3, 0xA4, 0xCC, 0x11, 0xD3, 0x1E, 0x02, 0x98, 0x33, 0xA5, 0xF7, 0xD9,
0x43, 0xAB, 0x45, 0x9A, 0x97, 0x0D, 0x08, 0x03, 0xBD, 0xB2, 0xAB, 0x50
},
/* uint8_t
* encrypted_user_rsa2048_private_key[R_TSIP_RSA2048_ND_KEY_BYTE_SIZE + 16]
*/
@ -122,6 +151,18 @@ const st_key_block_data_t g_key_block_data =
0xF9, 0xCC, 0xB4, 0xB4, 0xB7, 0x1A, 0x85, 0x38, 0x0B, 0x93, 0xD2, 0x1D,
0xD3, 0xDE, 0x7E, 0x45, 0xAF, 0x82, 0x46, 0x65, 0xFE, 0x59, 0x55, 0x83
},
/* uint8_t
* encrypted_user_ecc256_public_key[R_TSIP_ECC_PUBLIC_KEY_BYTE_SIZE + 16];
*/
{
0xAD, 0x59, 0x2A, 0x12, 0xAA, 0xA8, 0x34, 0x30, 0xD4, 0xC9, 0xA1, 0x5A,
0xD2, 0xD8, 0xF8, 0x99, 0xA0, 0x26, 0x87, 0x27, 0x90, 0x39, 0x00, 0xEA,
0x64, 0x8F, 0x70, 0xF8, 0x1A, 0xA7, 0x44, 0xC8, 0xE6, 0x66, 0xCB, 0xF6,
0x8B, 0x00, 0xC7, 0x86, 0x2B, 0x14, 0x98, 0xDB, 0x03, 0xE8, 0xD5, 0x02,
0xB8, 0x02, 0x6D, 0x73, 0x66, 0x19, 0x94, 0x83, 0xC4, 0xB9, 0x57, 0x3D,
0xFE, 0xA7, 0x19, 0xAC, 0xBC, 0xE3, 0x75, 0x40, 0xC2, 0x48, 0x5E, 0xEF,
0x1E, 0x9E, 0xCC, 0xE2, 0xAC, 0xE6, 0xC8, 0x08
},
/* uint8_t
* encrypted_user_ecc256_private_key[R_TSIP_ECC_PRIVATE_KEY_BYTE_SIZE + 16];
*/

12
IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/key_data.h
View File

@ -18,7 +18,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
@ -35,11 +35,21 @@
typedef struct st_key_block_data
{
/* encrypted provisioning key */
uint8_t encrypted_provisioning_key[R_TSIP_AES_CBC_IV_BYTE_SIZE * 2];
/* iv */
uint8_t iv[R_TSIP_AES_CBC_IV_BYTE_SIZE];
/* RSA2048 public key for RootCA sign verification */
uint8_t encrypted_user_rsa2048_ne_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16];
/* update key (not used) */
uint8_t encrypted_user_update_key[R_TSIP_AES256_KEY_BYTE_SIZE + 16];
/* wrapped client RSA2048bit public key */
uint8_t encrypted_user_rsa2048_public_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16];
/* wrapped client RSA2048bit private key */
uint8_t encrypted_user_rsa2048_private_key[R_TSIP_RSA2048_ND_KEY_BYTE_SIZE + 16];
/* wrapped client ECC P256 public key */
uint8_t encrypted_user_ecc256_public_key[R_TSIP_ECC_PUBLIC_KEY_BYTE_SIZE + 16];
/* wrapped client ECC P256 private key */
uint8_t encrypted_user_ecc256_private_key[R_TSIP_ECC_PRIVATE_KEY_BYTE_SIZE + 16];
} st_key_block_data_t;

9
IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/user_settings.h
View File

@ -157,7 +157,6 @@
#define WOLFSSL_LOG_PRINTF
#define WOLFSSL_HAVE_MIN
#define WOLFSSL_HAVE_MAX
#define WOLFSSL_SMALL_STACK
#define NO_WRITEV
@ -175,7 +174,12 @@
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define USE_FAST_MATH
#define FP_MAX_BITS 4096
#define WOLFSSL_SP_MATH
#define WOLFSSL_SP_MATH_ALL /* use SP math for all key sizes and curves */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
/*-- Debugging options ------------------------------------------------------
*
@ -221,6 +225,7 @@
#define WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT
#define HAVE_PK_CALLBACKS
#define WOLF_CRYPTO_CB
#define WOLF_PRIVATE_KEY_ID
#endif
#else

163
IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_demo.c
View File

@ -239,56 +239,6 @@ static void Tls_client_init()
return NULL;
}
#endif
/* load client certificate */
#ifdef USE_ECC_CERT
if (wolfSSL_CTX_use_certificate_chain_buffer_format(client_ctx,
cliecc_cert_der_256,
sizeof_cliecc_cert_der_256,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
return;
}
#else
if (wolfSSL_CTX_use_certificate_chain_buffer_format(client_ctx,
client_cert_der_2048,
sizeof_client_cert_der_2048,
WOLFSSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
return;
}
#endif /* USE_ECC_CERT */
/* load client private key */
#ifdef USE_ECC_CERT
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_RENESAS_TSIP_TLS) && \
(WOLFSSL_RENESAS_TSIP_VER >= 115 )
if (tsip_set_clientPrivateKeyEnc(
g_key_block_data.encrypted_user_ecc256_private_key,
TSIP_ECCP256) != 0) {
printf("ERROR: can't load client-private key\n");
return;
}
#endif
if (wolfSSL_CTX_use_PrivateKey_buffer(client_ctx,
ecc_clikey_der_256,
sizeof_ecc_clikey_der_256,
SSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("ERROR: can't load private-key data.\n");
return;
}
#else
if (wolfSSL_CTX_use_PrivateKey_buffer(client_ctx,
client_key_der_2048,
sizeof_client_key_der_2048,
SSL_FILETYPE_ASN1)
!= WOLFSSL_SUCCESS) {
printf("ERROR: can't load private-key data.\n");
return;
}
#endif /* USE_ECC_CERT */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_RENESAS_TSIP_TLS) && \
(WOLFSSL_RENESAS_TSIP_VER >= 115)
@ -307,6 +257,7 @@ static void Tls_client(void *pvParam)
#define BUFF_SIZE 256
#define ADDR_SIZE 16
int ret;
int err;
#if defined(TLS_MULTITHREAD_TEST)
BaseType_t xStatus;
#endif
@ -400,6 +351,118 @@ static void Tls_client(void *pvParam)
ret = -1;
}
}
/* set client certificate */
#if defined(USE_ECC_CERT)
if (ret == 0) {
err = wolfSSL_use_certificate_buffer(ssl,
cliecc_cert_der_256,
sizeof_cliecc_cert_der_256,
WOLFSSL_FILETYPE_ASN1);
if(err != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
ret = -1;
}
}
#else
if (ret == 0) {
err = wolfSSL_use_certificate_buffer(ssl,
client_cert_der_2048,
sizeof_client_cert_der_2048,
WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR: can't load client-certificate\n");
ret = -1;
}
}
#endif /* USE_ECC_CERT */
/* set client key(s) */
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
#if defined(USE_ECC_CERT)
/* Client authentication using ECDSA certificate for TLS1.2 and 1.3 will be
* handled by TSIP. Therefore, the client private key should be
* TSIP-specific format and be set by tsip_use_PrivateKey_buffer.
*/
if (ret == 0){
ret = tsip_use_PrivateKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_ecc256_private_key,
sizeof(g_key_block_data.encrypted_user_ecc256_private_key),
TSIP_ECCP256);
if (ret != 0) {
printf("ERROR tsip_use_PrivateKey_buffer\n");
}
}
#else
#if defined(WOLFSSL_TLS13)
/* Client authentication using RSA certificate for TLS1.3 cannot be
* handled by TSIP v1.15. Therefore, the client private key should be
* set using wolfSSL_use_PrivateKey_buffer for software processing.
*/
if (ret == 0) {
err = wolfSSL_use_PrivateKey_buffer(ssl, client_key_der_2048,
sizeof_client_key_der_2048, WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
ret = -1;
}
}
#else
/* Client authentication using RSA certificate for TLS1.2 can be
* handled by TSIP. Note that the internal verification of
* the signature process requires not only the client's private key but
* also its public key, so pass them using tsip_use_PrivateKey_buffer
* and tsip_use_PublicKey_buffer respectively.
*/
if (ret == 0) {
ret = tsip_use_PrivateKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_rsa2048_private_key,
sizeof(g_key_block_data.encrypted_user_rsa2048_private_key),
TSIP_RSA2048);
if (ret != 0) {
printf("ERROR tsip_use_PrivateKey_buffer :%d\n", ret);
}
}
if (ret == 0) {
ret = tsip_use_PublicKey_buffer(ssl,
(const char*)g_key_block_data.encrypted_user_rsa2048_public_key,
sizeof(g_key_block_data.encrypted_user_rsa2048_public_key),
TSIP_RSA2048);
if (ret != 0) {
printf("ERROR tsip_use_PublicKey_buffer: %d\n", ret);
}
}
#endif /* WOLFSSL_TLS13 */
#endif /* USE_ECC_CERT */
#else
#if defined(USE_ECC_CERT)
if (ret == 0) {
err = wolfSSL_use_PrivateKey_buffer(ssl,
ecc_clikey_der_256,
sizeof_ecc_clikey_der_256,
WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
ret = -1;
}
}
#else
if (ret == 0) {
err = wolfSSL_use_PrivateKey_buffer(ssl, client_key_der_2048,
sizeof_client_key_der_2048, WOLFSSL_FILETYPE_ASN1);
if (err != SSL_SUCCESS) {
printf("ERROR wolfSSL_use_PrivateKey_buffer: %d\n",
wolfSSL_get_error(ssl, 0));
ret = -1;
}
}
#endif /* USE_ECC_CERT */
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif

40
wolfcrypt/src/port/Renesas/renesas_common.c
View File

@ -74,6 +74,29 @@ WOLFSSL_LOCAL int Renesas_cmn_RsaSignCb(WOLFSSL* ssl,
WOLFSSL_LEAVE("Renesas_cmn_RsaSignCb", ret);
return ret;
}
/* This function is a callback passed to wolfSSL_CTX_SetRsaSignCheckCb.
* It tries to verify the signature passed to it by decrypting with a public
* key.
* returns 0 on success, CRYPTOCB_UNAVAILABLE when public key is not set.
*/
WOLFSSL_LOCAL int Renesas_cmn_RsaSignCheckCb(WOLFSSL* ssl,
unsigned char* sig, unsigned int sigSz,
unsigned char** out,
const unsigned char* keyDer, unsigned int keySz,
void* ctx)
{
int ret = CRYPTOCB_UNAVAILABLE;
WOLFSSL_ENTER("Renesas_cmn_RsaSignCheckCb");
#if defined(WOLFSSL_RENESAS_TSIP)
return tsip_VerifyRsaPkcsCb(ssl, sig, sigSz, out, keyDer, keySz, ctx);
#endif /* WOLFSSL_RENESAS_TSIP */
WOLFSSL_LEAVE("Renesas_cmn_RsaSignCheckCb", ret);
return ret;
}
WOLFSSL_LOCAL int Renesas_cmn_EccSignCb(WOLFSSL* ssl,
const unsigned char* in, unsigned int inSz,
@ -181,6 +204,23 @@ static int Renesas_cmn_CryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
#endif /* HAVE_AES_CBC */
#endif /* !NO_AES || !NO_DES3 */
}
/* Is called for signing
* Can handle only RSA PkCS#1v1.5 padding scheme here.
*/
if (info->algo_type == WC_ALGO_TYPE_PK) {
#if !defined(NO_RSA)
if (info->pk.type == WC_PK_TYPE_RSA) {
if (info->pk.rsa.type == RSA_PRIVATE_ENCRYPT) {
ret = tsip_SignRsaPkcs(info, ctx);
}
}
#endif /* NO_RSA */
#if defined(HAVE_ECC)
else if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
ret = tsip_SignEcdsa(info, ctx);
}
#endif /* HAVE_ECC */
}
#elif defined(WOLFSSL_RENESAS_SCEPROTECT)
if (info->algo_type == WC_ALGO_TYPE_CIPHER) {

563
wolfcrypt/src/port/Renesas/renesas_tsip_util.c
View File

@ -101,7 +101,77 @@ static int tsip_CryptHwMutexUnLock(wolfSSL_Mutex* mutex)
{
return wc_UnLockMutex(mutex);
}
#ifdef WOLF_PRIVATE_KEY_ID
/* Set client encrypted private key data.
* parameters:
* ssl WOLFSSL object
* keyBuf buffer holding wrapped key which Renesas key tool generated.
* keyBufLen buffer length
* keyType 0: RSA 2048bit, 1: RSA 4096bit, 2 ECC P256
* return 0 on success, others on failure.
*/
WOLFSSL_API int tsip_use_PrivateKey_buffer(struct WOLFSSL* ssl,
const char* keyBuf, int keyBufLen, int keyType)
{
int ret = 0;
TsipUserCtx* tuc = NULL;
WOLFSSL_ENTER("tsip_use_PrivateKey_buffer");
if (ssl == NULL || keyBuf == NULL || keyBufLen == 0 ) {
ret = BAD_FUNC_ARG;
}
if (ret == 0){
tuc = ssl->RenesasUserCtx;
tuc->wrappedPrivateKey = (uint8_t*)keyBuf;
tuc->wrappedKeyType = keyType;
/* store keyType as Id since Id capacity is 32 bytes */
ret = wolfSSL_use_PrivateKey_Id(ssl,
(const unsigned char*)keyBuf, 32, tuc->devId);
if (ret == WOLFSSL_SUCCESS) {
ret = 0;
}
}
WOLFSSL_LEAVE("tsip_use_PrivateKey_buffer", ret);
return ret;
}
/* Set client encrypted public key data.
* parameters:
* ssl WOLFSSL object
* keyBuf buffer holding wrapped key which Renesas key tool generated.
* keyBufLen buffer length
* keyType 0: RSA 2048bit, 1: RSA 4096bit, 2 ECC P256
* return 0 on success, others on failure.
*/
WOLFSSL_API int tsip_use_PublicKey_buffer(WOLFSSL* ssl,
const char* keyBuf, int keyBufLen, int keyType)
{
int ret = 0;
TsipUserCtx* tuc = NULL;
WOLFSSL_ENTER("tsip_use_PublicKey_buffer");
if (ssl == NULL || keyBuf == NULL || keyBufLen == 0) {
ret = BAD_FUNC_ARG;
}
if (ret == 0){
tuc = ssl->RenesasUserCtx;
tuc->wrappedPublicKey = (uint8_t*)keyBuf;
tuc->wrappedKeyType = keyType;
}
WOLFSSL_LEAVE("tsip_use_PublicKey_buffer", ret);
return ret;
}
#endif /* WOLF_PRIVATE_KEY_ID */
/* Obsolete function. Use tsip_use_PrivateKey_buffer instead.
* Set client encrypted private key data.
* parameters:
* key Renesas Secure Flash Programmer generated key.
* keyType 0: RSA 2048bit, 1: RSA 4096bit, 2 ECC P256
@ -1624,57 +1694,66 @@ WOLFSSL_LOCAL int tsip_Tls13CertificateVerify(struct WOLFSSL* ssl,
#endif /* WOLFSSL_TLS13 */
#endif /* WOLFSSL_RENESAS_TSIP_VER >= 115 */
#if (WOLFSSL_RENESAS_TSIP_VER >= 115)
#if defined(WOLFSSL_TLS13)
static int tsipImportPrivateKey(TsipUserCtx* tuc, const byte* encPrivKey,
int keyType)
static int tsipImportPrivateKey(TsipUserCtx* tuc)
{
int ret = 0;
e_tsip_err_t err = TSIP_SUCCESS;
uint8_t* provisioning_key = g_user_key_info.encrypted_provisioning_key;
uint8_t* iv = g_user_key_info.iv;
uint8_t* encPrivKey;
int keyType;
WOLFSSL_ENTER("tsipImportPrivateKey");
if (tuc == NULL || encPrivKey == NULL)
if (tuc == NULL)
return BAD_FUNC_ARG;
encPrivKey = tuc->wrappedPrivateKey;
keyType = tuc->wrappedKeyType;
if (encPrivKey == NULL || provisioning_key == NULL || iv == NULL) {
return CRYPTOCB_UNAVAILABLE;
}
if ((ret = tsip_hw_lock()) == 0) {
switch(keyType) {
case TSIP_RSA2048:
switch (keyType) {
#if !defined(NO_RSA)
case TSIP_KEY_TYPE_RSA2048:
tuc->ClientRsaPrivKey_set = 0;
tuc->ClientRsa2048PrivKey_set = 0;
err = R_TSIP_GenerateRsa2048PrivateKeyIndex(
g_user_key_info.encrypted_provisioning_key,
g_user_key_info.iv,
(uint8_t*)encPrivKey,
&(tuc->RsaPrivateKeyIdx));
provisioning_key, iv, (uint8_t*)encPrivKey,
&(tuc->Rsa2048PrivateKeyIdx));
if (err == TSIP_SUCCESS) {
tuc->ClientRsaPrivKey_set = 1;
tuc->ClientRsa2048PrivKey_set = 1;
}
else {
ret = WC_HW_E;
}
break;
#endif
case TSIP_RSA4096:
case TSIP_KEY_TYPE_RSA4096:
/* not supported as of TSIPv1.15 */
ret = NOT_COMPILED_IN;
ret = CRYPTOCB_UNAVAILABLE;
break;
case TSIP_ECCP256:
#if defined(HAVE_ECC)
case TSIP_KEY_TYPE_ECDSAP256:
tuc->ClientEccPrivKey_set = 0;
tuc->ClientEccP256PrivKey_set = 0;
err = R_TSIP_GenerateEccP256PrivateKeyIndex(
g_user_key_info.encrypted_provisioning_key,
g_user_key_info.iv,
(uint8_t*)encPrivKey,
&(tuc->EcdsaPrivateKeyIdx));
provisioning_key, iv, (uint8_t*)encPrivKey,
&(tuc->EcdsaP256PrivateKeyIdx));
if (err == TSIP_SUCCESS) {
tuc->ClientEccPrivKey_set = 1;
tuc->ClientEccP256PrivKey_set = 1;
}
else {
ret = WC_HW_E;
}
break;
#endif
default:
ret = BAD_FUNC_ARG;
@ -1688,8 +1767,83 @@ static int tsipImportPrivateKey(TsipUserCtx* tuc, const byte* encPrivKey,
WOLFSSL_LEAVE("tsipImportPrivateKey", ret);
return ret;
}
#endif /* WOLFSSL_TLS13 */
#endif /* WOLFSSL_RENESAS_TSIP_VER >= 115 */
static int tsipImportPublicKey(TsipUserCtx* tuc)
{
int ret = 0;
e_tsip_err_t err = TSIP_SUCCESS;
uint8_t* provisioning_key = g_user_key_info.encrypted_provisioning_key;
uint8_t* iv = g_user_key_info.iv;
uint8_t* encPubKey;
int keyType;
WOLFSSL_ENTER("tsipImportPublicKey");
if (tuc == NULL ) {
return BAD_FUNC_ARG;
}
encPubKey = tuc->wrappedPublicKey;
keyType = tuc->wrappedKeyType;
if (encPubKey == NULL || provisioning_key == NULL || iv == NULL) {
return CRYPTOCB_UNAVAILABLE;
}
if ((ret = tsip_hw_lock()) == 0) {
switch(keyType) {
#if !defined(NO_RSA)
case TSIP_KEY_TYPE_RSA2048:
tuc->ClientRsa2048PubKey_set = 0;
err = R_TSIP_GenerateRsa2048PublicKeyIndex(
provisioning_key, iv, (uint8_t*)encPubKey,
&(tuc->Rsa2048PublicKeyIdx));
if (err == TSIP_SUCCESS) {
tuc->ClientRsa2048PubKey_set = 1;
}
else {
ret = WC_HW_E;
}
break;
#endif
#if !defined(NO_RSA)
case TSIP_KEY_TYPE_RSA4096:
/* not supported as of TSIPv1.15 */
ret = CRYPTOCB_UNAVAILABLE;
break;
#endif
#if defined(HAVE_ECC)
case TSIP_KEY_TYPE_ECDSAP256:
tuc->ClientEccP256PubKey_set = 0;
err = R_TSIP_GenerateEccP256PublicKeyIndex(
provisioning_key, iv, (uint8_t*)encPubKey,
&(tuc->EcdsaP256PublicKeyIdx));
if (err == TSIP_SUCCESS) {
tuc->ClientEccP256PubKey_set = 1;
}
else {
ret = WC_HW_E;
}
break;
#endif
default:
ret = BAD_FUNC_ARG;
break;
}
tsip_hw_unlock();
}
else {
WOLFSSL_MSG("mutex locking error");
}
WOLFSSL_LEAVE("tsipImportPublicKey", ret);
return ret;
}
#if (WOLFSSL_RENESAS_TSIP_VER >= 115)
#if defined(WOLFSSL_TLS13)
@ -1739,14 +1893,10 @@ WOLFSSL_LOCAL int tsip_Tls13SendCertVerify(WOLFSSL* ssl)
}
if (ret == 0) {
/* check if private key index has been set. if not, import from
* g_user_key_info.encrypted_user_private_key
*/
if (!tuc->ClientRsaPrivKey_set && !tuc->ClientEccPrivKey_set) {
if (g_user_key_info.encrypted_user_private_key) {
ret = tsipImportPrivateKey(tuc,
g_user_key_info.encrypted_user_private_key,
g_user_key_info.encrypted_user_private_key_type);
/* check if private key index has been set */
if (!tuc->ClientRsa2048PrivKey_set && !tuc->ClientEccP256PrivKey_set) {
if (tuc->wrappedPrivateKey) {
ret = tsipImportPrivateKey(tuc);
}
else {
WOLFSSL_MSG("Private key is not set for client authentication");
@ -1756,12 +1906,17 @@ WOLFSSL_LOCAL int tsip_Tls13SendCertVerify(WOLFSSL* ssl)
}
if (ret == 0) {
if (tuc->ClientRsaPrivKey_set) {
#if !defined(NO_RSA)
if (tuc->ClientRsa2048PrivKey_set) {
isRsa = 1;
}
else if (tuc->ClientEccPrivKey_set) {
else
#endif /* !NO_RSA */
#if defined(HAVE_ECC)
if (tuc->ClientEccP256PrivKey_set) {
isRsa = 0;
}
#endif /* HAVE_ECC */
if (isRsa == -1) {
WOLFSSL_MSG("Private key is not set for client authentication");
@ -1809,7 +1964,7 @@ WOLFSSL_LOCAL int tsip_Tls13SendCertVerify(WOLFSSL* ssl)
else {
/* R_TSIP_Tls13CertificateVerifyGenerate outputs message body */
err = R_TSIP_Tls13CertificateVerifyGenerate(
(uint32_t*)&(tuc->EcdsaPrivateKeyIdx),
(uint32_t*)&(tuc->EcdsaP256PrivateKeyIdx),
TSIP_TLS13_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256,
sigData,
message + HANDSHAKE_HEADER_SZ,
@ -2199,6 +2354,8 @@ WOLFSSL_API void tsip_set_callbacks(WOLFSSL_CTX* ctx)
#endif
#endif /* WOLFSSL_TLS13 */
wolfSSL_CTX_SetRsaSignCheckCb(ctx, Renesas_cmn_RsaSignCheckCb);
/* set heap-hint to tsip_heap_hint so that tsip sha funcs can refer it */
if (ctx->heap != NULL) {
tsip_heap_hint = ctx->heap;
@ -2227,6 +2384,7 @@ WOLFSSL_API int tsip_set_callback_ctx(WOLFSSL* ssl, void* user_ctx)
wolfSSL_SetEccVerifyCtx(ssl, user_ctx);
wolfSSL_SetRsaEncCtx(ssl, user_ctx);
wolfSSL_SetRsaVerifyCtx(ssl, user_ctx);
wolfSSL_SetRsaSignCtx(ssl, user_ctx);
wolfSSL_SetGenPreMasterCtx(ssl, user_ctx);
wolfSSL_SetEccSharedSecretCtx(ssl, NULL);
#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
@ -3336,6 +3494,341 @@ int wc_tsip_tls_RootCertVerify(
return ret;
}
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
#if !defined(NO_RSA)
/* Perform signing with the client's RSA private key on hash value of messages
* exchanged with server.
*
* parameters
* info->pk.rsa.in : not used
* info->pk.rsa.inlen : not used
* info->pk.rsa.out : the buffer where the signature data is output to
* info->pk.rsa.outlen: the length of the pk.rsa.out
* tuc: the pointer to the TsipUserCtx structure
* returns
* 0 on success, CRYPTOCB_UNAVAILABLE on unsupported key type specified.
*
*/
WOLFSSL_LOCAL int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc)
{
int ret = 0;
e_tsip_err_t err = TSIP_SUCCESS;
tsip_rsa_byte_data_t hashData, sigData;
WOLFSSL* ssl = NULL;
uint8_t tsip_hash_type;
WOLFSSL_ENTER("tsip_SignRsaPkcs");
if (info == NULL || tuc == NULL || tuc->ssl == NULL) {
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
ssl = tuc->ssl;
if (ssl->version.major == SSLv3_MAJOR &&
ssl->version.minor == TLSv1_3_MINOR) {
ret = CRYPTOCB_UNAVAILABLE;
}
}
if (ret == 0) {
/* import private key_index from wrapped key */
ret = tsipImportPrivateKey(tuc);
}
if (ret == 0) {
if (ssl->suites->hashAlgo == md5_mac)
tsip_hash_type = R_TSIP_RSA_HASH_MD5;
else if (ssl->suites->hashAlgo == sha_mac)
tsip_hash_type = R_TSIP_RSA_HASH_SHA1;
else if (ssl->suites->hashAlgo == sha256_mac)
tsip_hash_type = R_TSIP_RSA_HASH_SHA256;
else
ret = CRYPTOCB_UNAVAILABLE;
}
if (ret == 0) {
hashData.pdata = (uint8_t*)ssl->buffers.digest.buffer;
hashData.data_type = 1;
sigData.pdata = (uint8_t*)info->pk.rsa.in;
sigData.data_length = 0; /* signature size will be returned here */
if ((ret = tsip_hw_lock()) == 0) {
switch (tuc->wrappedKeyType) {
case TSIP_KEY_TYPE_RSA2048:
err = R_TSIP_RsassaPkcs2048SignatureGenerate(
&hashData, &sigData,
&tuc->Rsa2048PrivateKeyIdx,
tsip_hash_type);
if (err != TSIP_SUCCESS) {
ret = WC_HW_E;
}
break;
case TSIP_KEY_TYPE_RSA4096:
ret = CRYPTOCB_UNAVAILABLE;
break;
default:
WOLFSSL_MSG("wrapped private key is not supported");
ret = CRYPTOCB_UNAVAILABLE;
break;
}
tsip_hw_unlock();
}
else {
WOLFSSL_MSG("mutex locking error");
}
}
WOLFSSL_LEAVE("tsip_SignRsaPkcs", ret);
return ret;
}
#endif /* !NO_RSA */
#if !defined(NO_RSA)
WOLFSSL_LOCAL int tsip_VerifyRsaPkcsCb(
WOLFSSL* ssl,
unsigned char* sig, unsigned int sigSz,
unsigned char** out,
const unsigned char* keyDer, unsigned int keySz,
void* ctx)
{
int ret = 0;
e_tsip_err_t err = TSIP_SUCCESS;
tsip_rsa_byte_data_t hashData, sigData;
TsipUserCtx* tuc = NULL;
uint8_t tsip_hash_type;
(void)keyDer;
(void)keySz;
WOLFSSL_ENTER("tsip_VerifyRsaPkcsCb");
if (sig == NULL || out == NULL || ctx == NULL) {
ret = BAD_FUNC_ARG;
}
if (ssl->version.major == SSLv3_MAJOR &&
ssl->version.minor == TLSv1_3_MINOR) {
ret = CRYPTOCB_UNAVAILABLE;
}
if (ret == 0) {
tuc = (TsipUserCtx*)ctx;
if (tuc == NULL)
ret = CRYPTOCB_UNAVAILABLE;
}
if (ret == 0) {
/* import public key_index from wrapped key */
ret = tsipImportPublicKey(tuc);
}
if (ret == 0) {
if (ssl->suites->hashAlgo == md5_mac)
tsip_hash_type = R_TSIP_RSA_HASH_MD5;
else if (ssl->suites->hashAlgo == sha_mac)
tsip_hash_type = R_TSIP_RSA_HASH_SHA1;
else if (ssl->suites->hashAlgo == sha256_mac)
tsip_hash_type = R_TSIP_RSA_HASH_SHA256;
else {
ret = CRYPTOCB_UNAVAILABLE;
}
}
if (ret == 0) {
sigData.pdata = (uint8_t*)sig;
hashData.pdata = (uint8_t*)ssl->buffers.digest.buffer;
hashData.data_type = 1; /* hash value */
if ((ret = tsip_hw_lock()) == 0) {
switch (tuc->wrappedKeyType) {
case TSIP_KEY_TYPE_RSA2048:
sigData.data_length = 256;
err = R_TSIP_RsassaPkcs2048SignatureVerification(
&sigData, &hashData,
&tuc->Rsa2048PublicKeyIdx,
tsip_hash_type);
if (err == TSIP_ERR_AUTHENTICATION) {
ret = VERIFY_CERT_ERROR;
}
else if (err == TSIP_SUCCESS) {
ret = 0;
}
else {
ret = WC_HW_E;
}
break;
case TSIP_KEY_TYPE_RSA4096:
ret = CRYPTOCB_UNAVAILABLE;
break;
default:
WOLFSSL_MSG("wrapped private key is not supported");
ret = CRYPTOCB_UNAVAILABLE;
break;
}
tsip_hw_unlock();
}
else {
WOLFSSL_MSG("mutex locking error");
}
}
WOLFSSL_LEAVE("tsip_VerifyRsaPkcsCb", ret);
return ret;
}
#endif /* !NO_RSA */
#if defined(HAVE_ECC)
/* Perform signing with the client's ECC private key on hash value of messages
* exchanged with server.
*
* parameters
* info->pk.eccsign.in : the buffer holding hash value of messages
* info->pk.eccsign.inlen : hash data size
* info->pk.eccsign.out : the buffer where the signature data is output to
* info->pk.eccsign.outlen: the length of the buffer pk.eccsign.out
* tuc: the pointer to the TsipUserCtx structure
* returns
* 0 on success, CRYPTOCB_UNAVAILABLE on unsupported key type specified.
* note
* signature will be DER encoded and stored into out buffer.
* the private key must be imported as TSIP specific format.
*/
WOLFSSL_LOCAL int tsip_SignEcdsa(wc_CryptoInfo* info, TsipUserCtx* tuc)
{
int ret = 0;
e_tsip_err_t err = TSIP_SUCCESS;
tsip_rsa_byte_data_t hashData, sigData;
byte offsetForWork;
byte* out = NULL;
byte* sig = NULL;
int rSz = 0;
int sSz = 0;
int idx = 0;
int sz = 0;
WOLFSSL* ssl = NULL;
WOLFSSL_ENTER("tsip_SignEcdsa");
if (info == NULL || tuc == NULL) {
ret = CRYPTOCB_UNAVAILABLE;
}
if (ret == 0) {
ssl = tuc->ssl;
if (ssl->version.major == SSLv3_MAJOR &&
ssl->version.minor == TLSv1_3_MINOR) {
ret = CRYPTOCB_UNAVAILABLE;
}
}
if (ret == 0) {
/* import private key_index from wrapped key */
ret = tsipImportPrivateKey(tuc);
}
if (ret == 0) {
hashData.pdata = (uint8_t*)info->pk.eccsign.in;
hashData.data_type = 1;
sigData.pdata = (uint8_t*)info->pk.eccsign.out;
sigData.data_length = 0; /* signature size will be returned here */
if ((ret = tsip_hw_lock()) == 0) {
switch (tuc->wrappedKeyType) {
#if defined(HAVE_ECC)
case TSIP_KEY_TYPE_ECDSAP256:
offsetForWork = R_TSIP_ECDSA_DATA_BYTE_SIZE + 32;
if (*(info->pk.eccsign.outlen) <
R_TSIP_ECDSA_DATA_BYTE_SIZE + offsetForWork) {
ret = BUFFER_E;
break;
}
sigData.pdata = (uint8_t*)info->pk.eccsign.out +
offsetForWork;
err = R_TSIP_EcdsaP256SignatureGenerate(
&hashData, &sigData,
&tuc->EcdsaP256PrivateKeyIdx);
if (err != TSIP_SUCCESS) {
ret = WC_HW_E;
break;
}
out = info->pk.eccsign.out;
sig = sigData.pdata;
rSz = sSz = R_TSIP_ECDSA_DATA_BYTE_SIZE / 2;
rSz += (sig[0] & 0x80)?1:0;
sSz += (sig[sSz] & 0x80)?1:0;
sz = (ASN_TAG_SZ + 1) * 2 + rSz + sSz;
/* encode ASN sequence */
out[idx++] = ASN_SEQUENCE | ASN_CONSTRUCTED;
out[idx++] = sz;
/* copy r part */
out[idx++] = ASN_INTEGER;
out[idx++] = rSz;
if (rSz > R_TSIP_ECDSA_DATA_BYTE_SIZE / 2)
out[idx++] = 0x00;
XMEMCPY(&out[idx], sig, R_TSIP_ECDSA_DATA_BYTE_SIZE / 2);
idx += R_TSIP_ECDSA_DATA_BYTE_SIZE / 2;
sig += R_TSIP_ECDSA_DATA_BYTE_SIZE / 2;
/* copy s part */
out[idx++] = ASN_INTEGER;
out[idx++] = sSz;
if (sSz > R_TSIP_ECDSA_DATA_BYTE_SIZE / 2)
out[idx++] = 0x00;
XMEMCPY(&out[idx], sig, R_TSIP_ECDSA_DATA_BYTE_SIZE / 2);
/* out size */
*(info->pk.eccsign.outlen) = ASN_TAG_SZ + 1 + sz;
break;
#endif
#if defined(HAVE_ECC192)
case TSIP_KEY_TYPE_ECDSAP192:
ret = CRYPTOCB_UNAVAILABLE;
break;
#endif
#if defined(HAVE_ECC224)
case TSIP_KEY_TYPE_ECDSAP224:
ret = CRYPTOCB_UNAVAILABLE;
break;
#endif
#if defined(HAVE_ECC384)
case TSIP_KEY_TYPE_ECDSAP384:
ret = CRYPTOCB_UNAVAILABLE;
break;
#endif
default:
WOLFSSL_MSG("wrapped private key is not supported");
ret = CRYPTOCB_UNAVAILABLE;
break;
}
tsip_hw_unlock();
}
else {
WOLFSSL_MSG("mutex locking error");
}
}
WOLFSSL_LEAVE("tsip_SignEcdsa", ret);
return ret;
}
#endif /* HAVE_ECC */
#ifdef WOLFSSL_RENESAS_TSIP_CRYPT_DEBUG

57
wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h
View File

@ -79,6 +79,12 @@ enum {
TSIP_TEMP_WORK_SIZE = 128,
};
typedef enum {
TSIP_KEY_TYPE_RSA2048 = 0,
TSIP_KEY_TYPE_RSA4096 = 1,
TSIP_KEY_TYPE_ECDSAP256 = 2,
} wolfssl_TSIP_KEY_TYPE;
struct WOLFSSL;
struct KeyShareEntry;
@ -130,11 +136,22 @@ typedef struct TsipUserCtx {
/* handle is used as work area for Tls13 handshake */
tsip_tls13_handle_t handle13;
/* RSA-2048bit private key-index for client authentication */
tsip_rsa2048_private_key_index_t RsaPrivateKeyIdx;
/* client key pair wrapped by provisioning key */
byte* wrappedPrivateKey;
byte* wrappedPublicKey;
int wrappedKeyType;
/* ECC P256 private key-index for client authentication */
tsip_ecc_private_key_index_t EcdsaPrivateKeyIdx;
#if !defined(NO_RSA)
/* RSA-2048bit private and public key-index for client authentication */
tsip_rsa2048_private_key_index_t Rsa2048PrivateKeyIdx;
tsip_rsa2048_public_key_index_t Rsa2048PublicKeyIdx;
#endif /* !NO_RSA */
#if defined(HAVE_ECC)
/* ECC P256 private and public key-index for client authentication */
tsip_ecc_private_key_index_t EcdsaP256PrivateKeyIdx;
tsip_ecc_public_key_index_t EcdsaP256PublicKeyIdx;
#endif /* HAVE_ECC */
/* ECDHE private key index for Tls13 handshake */
tsip_tls_p256_ecc_key_index_t EcdhPrivKey13Idx;
@ -224,8 +241,16 @@ typedef struct TsipUserCtx {
uint32_t tsip_cipher;
/* flags */
uint8_t ClientRsaPrivKey_set:1;
uint8_t ClientEccPrivKey_set:1;
#if !defined(NO_RSA)
uint8_t ClientRsa2048PrivKey_set:1;
uint8_t ClientRsa2048PubKey_set:1;
#endif
#if defined(HAVE_ECC)
uint8_t ClientEccP256PrivKey_set:1;
uint8_t ClientEccP256PubKey_set:1;
#endif
uint8_t HmacInitialized:1;
uint8_t RootCAverified:1;
uint8_t EcdsaPrivKey_set:1;
@ -265,6 +290,8 @@ typedef struct
uint32_t encrypted_user_tls_key_type;
uint8_t * encrypted_user_private_key;
uint32_t encrypted_user_private_key_type;
uint8_t * encrypted_user_public_key;
uint32_t encrypted_user_public_key_type;
tsip_ecc_private_key_index_t client_private_key_index;
tsip_tls_ca_certification_public_key_index_t user_rsa2048_tls_pubindex;
} tsip_key_data;
@ -296,6 +323,13 @@ WOLFSSL_API int tsip_set_callback_ctx(struct WOLFSSL* ssl, void* user_ctx);
WOLFSSL_API int tsip_set_clientPrivateKeyEnc(const byte* key, int keyType);
#if defined(WOLF_PRIVATE_KEY_ID)
WOLFSSL_API int tsip_use_PrivateKey_buffer(struct WOLFSSL* ssl,
const char* keyBuf, int keyBufLen, int keyType);
WOLFSSL_API int tsip_use_PublicKey_buffer(struct WOLFSSL* ssl,
const char* keyBuf, int keyBufLen, int keyType);
#endif /* WOLF_PRIVATE_KEY_ID */
#if (WOLFSSL_RENESAS_TSIP_VER >=109)
#define wc_tsip_inform_user_keys_ex tsip_inform_user_keys_ex
@ -318,6 +352,17 @@ WOLFSSL_API void tsip_inform_user_keys(
/*----------------------------------------------------*/
/* internal use functions */
/*----------------------------------------------------*/
WOLFSSL_LOCAL int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc);
WOLFSSL_LOCAL int tsip_VerifyRsaPkcsCb(
WOLFSSL* ssl,
unsigned char* sig, unsigned int sigSz,
unsigned char** out,
const unsigned char* keyDer, unsigned int keySz,
void* ctx);
WOLFSSL_LOCAL int tsip_SignEcdsa(wc_CryptoInfo* info, TsipUserCtx* tuc);
#if (WOLFSSL_RENESAS_TSIP_VER >=115)
#ifdef WOLF_CRYPTO_CB

12
wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h
View File

@ -46,8 +46,16 @@ WOLFSSL_LOCAL int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message,
WOLFSSL_LOCAL int Renesas_cmn_EccVerify(WOLFSSL* ssl, const unsigned char* sig,
unsigned int sigSz, const unsigned char* hash, unsigned int hashSz,
const unsigned char* key, unsigned int keySz, int* result, void* ctx);
WOLFSSL_LOCAL int Renesas_cmn_RsaVerify(WOLFSSL* ssl, unsigned char* sig, unsigned int sigSz,
unsigned char** out, const unsigned char* key, unsigned int keySz, void* ctx);
WOLFSSL_LOCAL int Renesas_cmn_RsaVerify(WOLFSSL* ssl,
unsigned char* sig, unsigned int sigSz,
unsigned char** out, const unsigned char* key,
unsigned int keySz, void* ctx);
WOLFSSL_LOCAL int Renesas_cmn_RsaSignCheckCb(WOLFSSL* ssl,
unsigned char* sig, unsigned int sigSz,
unsigned char** out,
const unsigned char* keyDer, unsigned int keySz,
void* ctx);
WOLFSSL_LOCAL int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in,
word32 sz, int padSz, int content, int verify, int epochOrder);
WOLFSSL_LOCAL int Renesas_cmn_usable(const WOLFSSL *ssl, byte seskey_gennerated);