WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

PKCS #11: implement identifying keys by label

pull/3523/head
Sean Parkinson 2020-10-23 13:57:46 +10:00
parent 84a9e16805
commit 19f10cd382
14 changed files with 456 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/internal.c
View File

@ -5349,6 +5349,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->buffers.key = ctx->privateKey;
ssl->buffers.keyType = ctx->privateKeyType;
ssl->buffers.keyId = ctx->privateKeyId;
ssl->buffers.keyLabel = ctx->privateKeyLabel;
ssl->buffers.keySz = ctx->privateKeySz;
ssl->buffers.keyDevId = ctx->privateKeyDevId;
#endif
@ -20077,7 +20078,8 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
}
#ifdef HAVE_PKCS11
if (ssl->buffers.keyDevId != INVALID_DEVID && ssl->buffers.keyId) {
if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId ||
ssl->buffers.keyLabel)) {
if (ssl->buffers.keyType == rsa_sa_algo)
ssl->hsType = DYNAMIC_TYPE_RSA;
else if (ssl->buffers.keyType == ecc_dsa_sa_algo)
@ -20089,9 +20091,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
if (ssl->buffers.keyType == rsa_sa_algo) {
#ifndef NO_RSA
ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey,
ssl->buffers.key->buffer, ssl->buffers.key->length,
ssl->heap, ssl->buffers.keyDevId);
if (ssl->buffers.keyLabel) {
ret = wc_InitRsaKey_Label((RsaKey*)ssl->hsKey,
(char*)ssl->buffers.key->buffer,
ssl->heap, ssl->buffers.keyDevId);
}
else if (ssl->buffers.keyId) {
ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey,
ssl->buffers.key->buffer,
ssl->buffers.key->length, ssl->heap,
ssl->buffers.keyDevId);
}
if (ret == 0) {
if (ssl->buffers.keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size too small");
@ -20107,9 +20117,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
}
else if (ssl->buffers.keyType == ecc_dsa_sa_algo) {
#ifdef HAVE_ECC
ret = wc_ecc_init_id((ecc_key*)ssl->hsKey, ssl->buffers.key->buffer,
ssl->buffers.key->length, ssl->heap,
ssl->buffers.keyDevId);
if (ssl->buffers.keyLabel) {
ret = wc_ecc_init_label((ecc_key*)ssl->hsKey,
(char*)ssl->buffers.key->buffer,
ssl->heap, ssl->buffers.keyDevId);
}
else if (ssl->buffers.keyId) {
ret = wc_ecc_init_id((ecc_key*)ssl->hsKey,
ssl->buffers.key->buffer,
ssl->buffers.key->length, ssl->heap,
ssl->buffers.keyDevId);
}
if (ret == 0) {
if (ssl->buffers.keySz < ssl->options.minEccKeySz) {
WOLFSSL_MSG("ECC key size too small");

48
src/ssl.c
View File

@ -14162,6 +14162,29 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX* ctx, const char* label,
int devId, long keySz)
{
int ret = WOLFSSL_FAILURE;
word32 sz = XSTRLEN(label) + 1;
FreeDer(&ctx->privateKey);
if (AllocDer(&ctx->privateKey, (word32)sz, PRIVATEKEY_TYPE,
ctx->heap) == 0) {
XMEMCPY(ctx->privateKey->buffer, label, sz);
ctx->privateKeyLabel = 1;
ctx->privateKeySz = (word32)keySz;
if (devId != INVALID_DEVID)
ctx->privateKeyDevId = devId;
else
ctx->privateKeyDevId = ctx->devId;
ret = WOLFSSL_SUCCESS;
}
return ret;
}
#endif
int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
@ -14330,6 +14353,31 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
int wolfSSL_use_PrivateKey_label(WOLFSSL* ssl, const char* label, int devId,
long keySz)
{
int ret = WOLFSSL_FAILURE;
word32 sz = XSTRLEN(label) + 1;
if (ssl->buffers.weOwnKey)
FreeDer(&ssl->buffers.key);
if (AllocDer(&ssl->buffers.key, (word32)sz, PRIVATEKEY_TYPE,
ssl->heap) == 0) {
XMEMCPY(ssl->buffers.key->buffer, label, sz);
ssl->buffers.weOwnKey = 1;
ssl->buffers.keyLabel = 1;
ssl->buffers.keySz = (word32)keySz;
if (devId != INVALID_DEVID)
ssl->buffers.keyDevId = devId;
else
ssl->buffers.keyDevId = ssl->devId;
ret = WOLFSSL_SUCCESS;
}
return ret;
}
#endif
int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl,

27
wolfcrypt/src/aes.c
View File

@ -8086,10 +8086,35 @@ int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId)
ret = BUFFER_E;
if (ret == 0)
ret = wc_AesInit(aes, heap, devId);
ret = wc_AesInit(aes, heap, devId);
if (ret == 0) {
XMEMCPY(aes->id, id, len);
aes->idLen = len;
aes->labelLen = 0;
}
return ret;
}
int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (aes == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = XSTRLEN(label);
if (labelLen == 0 || labelLen > AES_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_AesInit(aes, heap, devId);
if (ret == 0) {
XMEMCPY(aes->label, label, labelLen);
aes->labelLen = labelLen;
aes->idLen = 0;
}
return ret;

24
wolfcrypt/src/ecc.c
View File

@ -4763,7 +4763,6 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
if (ret == 0)
ret = wc_ecc_init_ex(key, heap, devId);
if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, len);
key->idLen = len;
@ -4771,6 +4770,29 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
return ret;
}
int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (key == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = XSTRLEN(label);
if (labelLen == 0 || labelLen > ECC_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_ecc_init_ex(key, heap, devId);
if (ret == 0) {
XMEMCPY(key->label, label, labelLen);
key->labelLen = labelLen;
}
return ret;
}
#endif
int wc_ecc_set_flags(ecc_key* key, word32 flags)

25
wolfcrypt/src/hmac.c
View File

@ -1014,7 +1014,7 @@ int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap,
ret = BUFFER_E;
if (ret == 0)
ret = wc_HmacInit(hmac, heap, devId);
ret = wc_HmacInit(hmac, heap, devId);
if (ret == 0) {
XMEMCPY(hmac->id, id, len);
hmac->idLen = len;
@ -1022,6 +1022,29 @@ int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap,
return ret;
}
int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (hmac == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = XSTRLEN(label);
if (labelLen == 0 || labelLen > HMAC_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_HmacInit(hmac, heap, devId);
if (ret == 0) {
XMEMCPY(hmac->label, label, labelLen);
hmac->labelLen = labelLen;
}
return ret;
}
#endif
/* Free Hmac from use with async device */

24
wolfcrypt/src/rsa.c
View File

@ -354,7 +354,6 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, len);
key->idLen = len;
@ -362,6 +361,29 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
return ret;
}
int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (key == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = XSTRLEN(label);
if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0) {
XMEMCPY(key->label, label, labelLen);
key->labelLen = labelLen;
}
return ret;
}
#endif

350
wolfcrypt/src/wc_pkcs11.c
View File

@ -665,54 +665,91 @@ void wc_Pkcs11Token_Close(Pkcs11Token* token)
/*
* Create a secret key.
*
* @param [out] key Handle to key object.
* @param [in] session Session object.
* @param [in] keyType Type of secret key to create.
* @param [in] data Data of the secret key.
* @param [in] len Length of data in bytes.
* @param [in] id Identifier to set against key.
* @param [in] idLen Length of identifier.
* @param [in] op Operation to support with key.
* @param [out] key Handle to key object.
* @param [in] session Session object.
* @param [in] keyType Type of secret key to create.
* @param [in] data Data of the secret key.
* @param [in] len Length of data in bytes.
* @param [in] id Identifier to set against key.
* @param [in] idLen Length of identifier.
* @param [in] label Label to set against key.
* @param [in] labelLen Length of label.
* @param [in] op Operation to support with key.
* @return WC_HW_E when another PKCS#11 library call fails.
* @return 0 on success.
*/
static int Pkcs11CreateSecretKey(CK_OBJECT_HANDLE* key, Pkcs11Session* session,
CK_KEY_TYPE keyType, unsigned char* data,
int len, unsigned char* id, int idLen, int op)
int len, unsigned char* id, int idLen,
char* label, int labelLen, int op)
{
int ret = 0;
CK_RV rv;
CK_ATTRIBUTE keyTemplate[] = {
CK_ATTRIBUTE keyTemplateEncDec[] = {
{ CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) },
{ CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{ op, &ckTrue, sizeof(ckTrue) },
{ CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) },
{ CKA_DECRYPT, &ckTrue, sizeof(ckTrue) },
{ CKA_VALUE, NULL, 0 },
{ CKA_ID, id, (CK_ULONG)idLen }
{ 0, NULL, 0 },
{ 0, NULL, 0 }
};
int keyTmplCnt = 4;
CK_ATTRIBUTE keyTemplateSignVfy[] = {
{ CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) },
{ CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{ CKA_SIGN, &ckTrue, sizeof(ckTrue) },
{ CKA_VERIFY, &ckTrue, sizeof(ckTrue) },
{ CKA_VALUE, NULL, 0 },
{ 0, NULL, 0 },
{ 0, NULL, 0 }
};
CK_ATTRIBUTE* keyTemplate = NULL;
int keyTmplCnt = 5;
WOLFSSL_MSG("PKCS#11: Create Secret Key");
/* Set the modulus and public exponent data. */
keyTemplate[3].pValue = data;
keyTemplate[3].ulValueLen = (CK_ULONG)len;
if (idLen > 0)
keyTmplCnt++;
#ifdef WOLFSSL_DEBUG_PKCS11
WOLFSSL_MSG("Secret Key");
pkcs11_dump_template(keyTemplate, keyTmplCnt);
#endif
/* Create an object containing key data for device to use. */
rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt,
key);
#ifdef WOLFSSL_DEBUG_PKCS11
pkcs11_rv("C_CreateObject", rv);
#endif
if (rv != CKR_OK) {
if (op == CKA_ENCRYPT || op == CKA_DECRYPT) {
keyTemplate = keyTemplateEncDec;
}
else if (op == CKA_SIGN) {
keyTemplate = keyTemplateSignVfy;
}
else {
WOLFSSL_MSG("PKCS#11: Invalid operation type");
ret = WC_HW_E;
}
if (ret == 0) {
/* Set the secret to store. */
keyTemplate[keyTmplCnt-1].pValue = data;
keyTemplate[keyTmplCnt-1].ulValueLen = (CK_ULONG)len;
if (labelLen > 0) {
keyTemplate[keyTmplCnt].type = CKA_LABEL;
keyTemplate[keyTmplCnt].pValue = label;
keyTemplate[keyTmplCnt].ulValueLen = labelLen;
keyTmplCnt++;
}
if (idLen > 0) {
keyTemplate[keyTmplCnt].type = CKA_ID;
keyTemplate[keyTmplCnt].pValue = id;
keyTemplate[keyTmplCnt].ulValueLen = idLen;
keyTmplCnt++;
}
#ifdef WOLFSSL_DEBUG_PKCS11
WOLFSSL_MSG("Secret Key");
pkcs11_dump_template(keyTemplate, keyTmplCnt);
#endif
/* Create an object containing key data for device to use. */
rv = session->func->C_CreateObject(session->handle, keyTemplate,
keyTmplCnt, key);
#ifdef WOLFSSL_DEBUG_PKCS11
pkcs11_rv("C_CreateObject", rv);
#endif
if (rv != CKR_OK) {
ret = WC_HW_E;
}
}
return ret;
}
@ -747,9 +784,10 @@ static int Pkcs11CreateRsaPrivateKey(CK_OBJECT_HANDLE* privateKey,
{ CKA_EXPONENT_2, NULL, 0 },
{ CKA_COEFFICIENT, NULL, 0 },
{ CKA_PUBLIC_EXPONENT, NULL, 0 },
{ CKA_ID, NULL, 0 }
{ 0, NULL, 0 },
{ 0, NULL, 0 }
};
CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate) - 1;
CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate) - 2;
/* Set the modulus and private key data. */
keyTemplate[ 4].pValue = rsaKey->n.raw.buf;
@ -769,7 +807,14 @@ static int Pkcs11CreateRsaPrivateKey(CK_OBJECT_HANDLE* privateKey,
keyTemplate[11].pValue = rsaKey->e.raw.buf;
keyTemplate[11].ulValueLen = rsaKey->e.raw.len;
if (permanent && rsaKey->labelLen > 0) {
keyTemplate[keyTmplCnt].type = CKA_LABEL;
keyTemplate[keyTmplCnt].pValue = rsaKey->label;
keyTemplate[keyTmplCnt].ulValueLen = rsaKey->labelLen;
keyTmplCnt++;
}
if (permanent && rsaKey->idLen > 0) {
keyTemplate[keyTmplCnt].type = CKA_ID;
keyTemplate[keyTmplCnt].pValue = rsaKey->id;
keyTemplate[keyTmplCnt].ulValueLen = rsaKey->idLen;
keyTmplCnt++;
@ -988,7 +1033,8 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
(unsigned char*)aes->devKey,
aes->keylen,
(unsigned char*)aes->id,
aes->idLen, CKA_ENCRYPT);
aes->idLen, aes->label,
aes->labelLen, CKA_ENCRYPT);
}
if (ret == 0 && clear)
ForceZero(aes->devKey, aes->keylen);
@ -1005,7 +1051,8 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
(unsigned char*)aes->devKey,
aes->keylen,
(unsigned char*)aes->id,
aes->idLen, CKA_ENCRYPT);
aes->idLen, aes->label,
aes->labelLen, CKA_ENCRYPT);
}
if (ret == 0 && clear)
ForceZero(aes->devKey, aes->keylen);
@ -1029,14 +1076,16 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
(unsigned char*)hmac->keyRaw,
hmac->keyLen,
(unsigned char*)hmac->id,
hmac->idLen, CKA_SIGN);
hmac->idLen, hmac->label,
hmac->labelLen, CKA_SIGN);
if (ret == WC_HW_E) {
ret = Pkcs11CreateSecretKey(&privKey, &session,
CKK_GENERIC_SECRET,
(unsigned char*)hmac->keyRaw,
hmac->keyLen,
(unsigned char*)hmac->id,
hmac->idLen, CKA_ENCRYPT);
hmac->idLen, hmac->label,
hmac->labelLen, CKA_SIGN);
}
}
break;
@ -1163,8 +1212,42 @@ static int Pkcs11FindKeyByTemplate(CK_OBJECT_HANDLE* key,
}
/**
* Find the PKCS#11 object containing the RSA public or private key data with
* the modulus specified.
* Find the PKCS#11 object containing the private key data by label.
*
* @param [out] key Handle to key object.
* @param [in] keyClass Public or private key class.
* @param [in] keyType Type of key.
* @param [in] session Session object.
* @param [in] id Identifier set against a key.
* @param [in] idLen Length of identifier.
* @return WC_HW_E when a PKCS#11 library call fails.
* @return 0 on success.
*/
static int Pkcs11FindKeyByLabel(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass,
CK_KEY_TYPE keyType, Pkcs11Session* session,
char* label, int labelLen)
{
int ret = 0;
CK_ULONG count;
CK_ATTRIBUTE keyTemplate[] = {
{ CKA_CLASS, &keyClass, sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{ CKA_LABEL, label, (CK_ULONG)labelLen }
};
CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
WOLFSSL_MSG("PKCS#11: Find Key By Label");
ret = Pkcs11FindKeyByTemplate(key, session, keyTemplate, keyTmplCnt,
&count);
if (ret == 0 && count == 0)
ret = WC_HW_E;
return ret;
}
/**
* Find the PKCS#11 object containing the private key data by ID.
*
* @param [out] key Handle to key object.
* @param [in] keyClass Public or private key class.
@ -1285,6 +1368,11 @@ static int Pkcs11RsaPublic(Pkcs11Session* session, wc_CryptoInfo* info)
ret = WC_HW_E;
}
}
else if (info->pk.rsa.key->labelLen > 0) {
ret = Pkcs11FindKeyByLabel(&publicKey, CKO_PUBLIC_KEY, CKK_RSA,
session, info->pk.rsa.key->label,
info->pk.rsa.key->labelLen);
}
else {
ret = Pkcs11FindKeyById(&publicKey, CKO_PUBLIC_KEY, CKK_RSA,
session, rsaKey->id, rsaKey->idLen);
@ -1442,6 +1530,11 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info)
ret = Pkcs11CreateRsaPrivateKey(&privateKey, session,
info->pk.rsa.key, 0);
}
else if (info->pk.rsa.key->labelLen > 0) {
ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_RSA,
session, info->pk.rsa.key->label,
info->pk.rsa.key->labelLen);
}
else if (info->pk.rsa.key->idLen > 0) {
ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_RSA,
session, info->pk.rsa.key->id,
@ -1472,6 +1565,10 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info)
}
}
if (ret == 0) {
#ifdef WOLFSSL_DEBUG_PKCS11
pkcs11_val("C_Decrypt inLen", info->pk.rsa.inLen);
pkcs11_val("C_Decrypt outLen", *info->pk.rsa.outLen);
#endif
outLen = (CK_ULONG)*info->pk.rsa.outLen;
rv = session->func->C_Decrypt(session->handle,
(CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen,
@ -1565,9 +1662,10 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
};
CK_ULONG pubTmplCnt = sizeof(pubKeyTmpl)/sizeof(*pubKeyTmpl);
CK_ATTRIBUTE privKeyTmpl[] = {
{CKA_DECRYPT, &ckTrue, sizeof(ckTrue) },
{CKA_SIGN, &ckTrue, sizeof(ckTrue) },
{CKA_ID, NULL, 0 }
{ CKA_DECRYPT, &ckTrue, sizeof(ckTrue) },
{ CKA_SIGN, &ckTrue, sizeof(ckTrue) },
{ 0, NULL, 0 },
{ 0, NULL, 0 }
};
int privTmplCnt = 2;
int i;
@ -1585,7 +1683,14 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
}
pubKeyTmpl[3].ulValueLen = i + 1;
if (key->labelLen != 0) {
privKeyTmpl[privTmplCnt].type = CKA_LABEL;
privKeyTmpl[privTmplCnt].pValue = key->label;
privKeyTmpl[privTmplCnt].ulValueLen = key->labelLen;
privTmplCnt++;
}
if (key->idLen != 0) {
privKeyTmpl[privTmplCnt].type = CKA_ID;
privKeyTmpl[privTmplCnt].pValue = key->id;
privKeyTmpl[privTmplCnt].ulValueLen = key->idLen;
privTmplCnt++;
@ -1907,12 +2012,14 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
int pubTmplCnt = 1;
CK_ATTRIBUTE privKeyTmplDerive[] = {
{ CKA_DERIVE, &ckTrue, sizeof(ckTrue) },
{ CKA_ID, NULL, 0 },
{ 0, NULL, 0 },
{ 0, NULL, 0 },
};
CK_ATTRIBUTE privKeyTmplEncSign[] = {
{ CKA_SIGN, &ckTrue, sizeof(ckTrue) },
{ CKA_DECRYPT, &ckTrue, sizeof(ckTrue) },
{ CKA_ID, NULL, 0 },
{ 0, NULL, 0 },
{ 0, NULL, 0 },
};
CK_ATTRIBUTE* privKeyTmpl = privKeyTmplDerive;
int privTmplCnt = 1;
@ -1930,7 +2037,14 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
privTmplCnt = 2;
pubTmplCnt = 2;
}
if (key->labelLen != 0) {
privKeyTmpl[privTmplCnt].type = CKA_LABEL;
privKeyTmpl[privTmplCnt].pValue = key->label;
privKeyTmpl[privTmplCnt].ulValueLen = key->labelLen;
privTmplCnt++;
}
if (key->idLen != 0) {
privKeyTmpl[privTmplCnt].type = CKA_ID;
privKeyTmpl[privTmplCnt].pValue = key->id;
privKeyTmpl[privTmplCnt].ulValueLen = key->idLen;
privTmplCnt++;
@ -2079,6 +2193,12 @@ static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info)
if ((sessionKey = !mp_iszero(&info->pk.ecdh.private_key->k)))
ret = Pkcs11CreateEccPrivateKey(&privateKey, session,
info->pk.ecdh.private_key, CKA_DERIVE);
else if (info->pk.ecdh.private_key->labelLen > 0) {
ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
session,
info->pk.ecdh.private_key->label,
info->pk.ecdh.private_key->labelLen);
}
else if (info->pk.ecdh.private_key->idLen > 0) {
ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
session, info->pk.ecdh.private_key->id,
@ -2375,6 +2495,15 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
if ((sessionKey = !mp_iszero(&info->pk.eccsign.key->k)))
ret = Pkcs11CreateEccPrivateKey(&privateKey, session,
info->pk.eccsign.key, CKA_SIGN);
else if (info->pk.eccsign.key->labelLen > 0) {
ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
session, info->pk.eccsign.key->label,
info->pk.eccsign.key->labelLen);
if (ret == 0 && info->pk.eccsign.key->dp == NULL) {
ret = Pkcs11GetEccParams(session, privateKey,
info->pk.eccsign.key);
}
}
else if (info->pk.eccsign.key->idLen > 0) {
ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
session, info->pk.eccsign.key->id,
@ -2559,18 +2688,22 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info)
if (ret == 0) {
WOLFSSL_MSG("PKCS#11: AES-GCM Encryption Operation");
}
/* Create a private key object or find by id. */
if (ret == 0 && aes->idLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey, aes->keylen,
NULL, 0, CKA_ENCRYPT);
}
else if (ret == 0) {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
aes->idLen);
/* Create a private key object or find by label or id. */
if (aes->idLen == 0 && aes->labelLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey,
aes->keylen, NULL, 0, NULL, 0,
CKA_ENCRYPT);
}
else if (aes->labelLen != 0) {
ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->label, aes->labelLen);
}
else {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->id, aes->idLen);
}
}
if (ret == 0) {
@ -2620,7 +2753,7 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info)
}
}
if (aes->idLen == 0 && key != NULL_PTR)
if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR)
session->func->C_DestroyObject(session->handle, key);
return ret;
@ -2658,17 +2791,22 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info)
if (ret == 0) {
WOLFSSL_MSG("PKCS#11: AES-GCM Decryption Operation");
}
/* Create a private key object or find by id. */
if (ret == 0 && aes->idLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey, aes->keylen,
NULL, 0, CKA_ENCRYPT);
}
else if (ret == 0) {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
aes->idLen);
/* Create a private key object or find by id. */
if (aes->idLen == 0 && aes->labelLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey,
aes->keylen, NULL, 0, NULL, 0,
CKA_DECRYPT);
}
else if (aes->labelLen != 0) {
ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->label, aes->labelLen);
}
else {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->id, aes->idLen);
}
}
if (ret == 0) {
@ -2734,7 +2872,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info)
}
}
if (aes->idLen == 0 && key != NULL_PTR)
if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR)
session->func->C_DestroyObject(session->handle, key);
return ret;
@ -2772,18 +2910,22 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info)
if (ret == 0) {
WOLFSSL_MSG("PKCS#11: AES-CBC Encryption Operation");
}
/* Create a private key object or find by id. */
if (ret == 0 && aes->idLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey, aes->keylen,
NULL, 0, CKA_ENCRYPT);
}
else if (ret == 0) {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
aes->idLen);
/* Create a private key object or find by id. */
if (aes->idLen == 0 && aes->labelLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey,
aes->keylen, NULL, 0, NULL, 0,
CKA_ENCRYPT);
}
else if (aes->labelLen != 0) {
ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->label, aes->labelLen);
}
else {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->id, aes->idLen);
}
}
if (ret == 0) {
@ -2814,7 +2956,7 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info)
}
}
if (aes->idLen == 0 && key != NULL_PTR)
if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR)
session->func->C_DestroyObject(session->handle, key);
return ret;
@ -2850,17 +2992,22 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info)
if (ret == 0) {
WOLFSSL_MSG("PKCS#11: AES-CBC Decryption Operation");
}
/* Create a private key object or find by id. */
if (ret == 0 && aes->idLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey, aes->keylen,
NULL, 0, CKA_ENCRYPT);
}
else if (ret == 0) {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
aes->idLen);
/* Create a private key object or find by id. */
if (aes->idLen == 0 && aes->labelLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
(unsigned char*)aes->devKey,
aes->keylen, NULL, 0, NULL, 0,
CKA_DECRYPT);
}
else if (aes->labelLen != 0) {
ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->label, aes->labelLen);
}
else {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session,
aes->id, aes->idLen);
}
}
if (ret == 0) {
@ -2891,7 +3038,7 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info)
}
}
if (aes->idLen == 0 && key != NULL_PTR)
if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR)
session->func->C_DestroyObject(session->handle, key);
return ret;
@ -2948,24 +3095,33 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info)
}
/* Create a private key object or find by id. */
if (ret == 0 && hmac->idLen == 0) {
if (ret == 0 && hmac->idLen == 0 && hmac->labelLen == 0) {
ret = Pkcs11CreateSecretKey(&key, session, keyType,
(unsigned char*)hmac->keyRaw, hmac->keyLen,
NULL, 0, CKA_SIGN);
NULL, 0, NULL, 0, CKA_SIGN);
if (ret == WC_HW_E) {
ret = Pkcs11CreateSecretKey(&key, session, CKK_GENERIC_SECRET,
(unsigned char*)hmac->keyRaw, hmac->keyLen,
NULL, 0, CKA_SIGN);
NULL, 0, NULL, 0, CKA_SIGN);
}
}
else if (ret == 0 && hmac->labelLen != 0) {
ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, keyType, session,
hmac->label, hmac->labelLen);
if (ret == WC_HW_E) {
ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY,
CKK_GENERIC_SECRET, session,
hmac->label, hmac->labelLen);
}
}
else if (ret == 0) {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, keyType, session,
hmac->id, hmac->idLen);
hmac->id, hmac->idLen);
if (ret == WC_HW_E) {
ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY,
CKK_GENERIC_SECRET, session, hmac->id,
hmac->idLen);
CKK_GENERIC_SECRET, session, hmac->id,
hmac->idLen);
}
}
@ -3027,7 +3183,7 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info)
hmac->innerHashKeyed = 0;
}
if (hmac->idLen == 0 && key != NULL_PTR)
if (hmac->idLen == 0 && hmac->labelLen == 0 && key != NULL_PTR)
session->func->C_DestroyObject(session->handle, key);
return ret;

6
wolfssl/internal.h
View File

@ -2666,8 +2666,9 @@ struct WOLFSSL_CTX {
int certChainCnt;
#endif
DerBuffer* privateKey;
byte privateKeyType:7;
byte privateKeyType:6;
byte privateKeyId:1;
byte privateKeyLabel:1;
int privateKeySz;
int privateKeyDevId;
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
@ -3322,8 +3323,9 @@ typedef struct Buffers {
#ifndef NO_CERTS
DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */
DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */
byte keyType:7; /* Type of key: RSA, ECC, Ed25519 */
byte keyType:6; /* Type of key: RSA, ECC, Ed25519 */
byte keyId:1; /* Key data is an id not data */
byte keyLabel:1; /* Key data is a label not data */
int keySz; /* Size of RSA key */
int keyDevId; /* Device Id for key */
DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */

9
wolfssl/ssl.h
View File

@ -2324,7 +2324,10 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*,
const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX*,
const unsigned char*, long, int, long);
const unsigned char*, long,
int, long);
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX*, const char*,
int, long);
WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX*,
const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*,
@ -2338,7 +2341,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
WOLFSSL_API int wolfSSL_use_PrivateKey_buffer(WOLFSSL*, const unsigned char*,
long, int);
WOLFSSL_API int wolfSSL_use_PrivateKey_id(WOLFSSL*, const unsigned char*,
long, int, long);
long, int, long);
WOLFSSL_API int wolfSSL_use_PrivateKey_label(WOLFSSL*, const char*, int,
long);
WOLFSSL_API int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL*,
const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*,

6
wolfssl/wolfcrypt/aes.h
View File

@ -143,7 +143,8 @@ enum {
#endif
#ifdef HAVE_PKCS11
AES_MAX_ID_LEN = 32,
AES_MAX_ID_LEN = 32,
AES_MAX_LABEL_LEN = 32,
#endif
};
@ -192,6 +193,8 @@ struct Aes {
#ifdef HAVE_PKCS11
byte id[AES_MAX_ID_LEN];
int idLen;
char label[AES_MAX_LABEL_LEN];
int labelLen;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
WC_ASYNC_DEV asyncDev;
@ -437,6 +440,7 @@ WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId);
#ifdef HAVE_PKCS11
WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap,
int devId);
WOLFSSL_API int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId);
#endif
WOLFSSL_API void wc_AesFree(Aes* aes);

5
wolfssl/wolfcrypt/ecc.h
View File

@ -154,6 +154,7 @@ enum {
#ifdef HAVE_PKCS11
ECC_MAX_ID_LEN = 32,
ECC_MAX_LABEL_LEN = 32,
#endif
};
@ -410,6 +411,8 @@ struct ecc_key {
#ifdef HAVE_PKCS11
byte id[ECC_MAX_ID_LEN];
int idLen;
char label[ECC_MAX_LABEL_LEN];
int labelLen;
#endif
#if defined(WOLFSSL_CRYPTOCELL)
ecc_context_t ctx;
@ -548,6 +551,8 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId);
WOLFSSL_API
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId);
WOLFSSL_API
int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId);
#endif
#ifdef WOLFSSL_CUSTOM_CURVES
WOLFSSL_LOCAL

9
wolfssl/wolfcrypt/hmac.h
View File

@ -94,7 +94,8 @@ enum {
WC_SHA3_512 = WC_HASH_TYPE_SHA3_512,
#endif
#ifdef HAVE_PKCS11
HMAC_MAX_ID_LEN = 32,
HMAC_MAX_ID_LEN = 32,
HMAC_MAX_LABEL_LEN = 32,
#endif
};
@ -153,6 +154,8 @@ struct Hmac {
#ifdef HAVE_PKCS11
byte id[HMAC_MAX_ID_LEN];
int idLen;
char label[HMAC_MAX_LABEL_LEN];
int labelLen;
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
word16 keyLen; /* hmac key length (key in ipad) */
@ -174,8 +177,12 @@ WOLFSSL_API int wc_HmacFinal(Hmac*, byte*);
WOLFSSL_API int wc_HmacSizeByType(int type);
WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId);
#ifdef HAVE_PKCS11
WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap,
int devId);
WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap,
int devId);
#endif
WOLFSSL_API void wc_HmacFree(Hmac*);
WOLFSSL_API int wolfSSL_GetHmacMaxSize(void);

5
wolfssl/wolfcrypt/rsa.h
View File

@ -143,6 +143,7 @@ enum {
#ifdef HAVE_PKCS11
RSA_MAX_ID_LEN = 32,
RSA_MAX_LABEL_LEN = 32,
#endif
};
@ -187,6 +188,8 @@ struct RsaKey {
#ifdef HAVE_PKCS11
byte id[RSA_MAX_ID_LEN];
int idLen;
char label[RSA_MAX_LABEL_LEN];
int labelLen;
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) || !defined(WOLFSSL_RSA_VERIFY_INLINE)
byte dataIsAlloc;
@ -216,6 +219,8 @@ WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
#ifdef HAVE_PKCS11
WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len,
void* heap, int devId);
WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap,
int devId);
#endif
WOLFSSL_API int wc_CheckRsaKey(RsaKey* key);
#ifdef WOLFSSL_XILINX_CRYPT

1
wolfssl/wolfcrypt/wc_pkcs11.h
View File

@ -67,7 +67,6 @@ enum Pkcs11KeyType {
PKCS11_KEY_TYPE_EC,
};
WOLFSSL_API int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library,
void* heap);
WOLFSSL_API void wc_Pkcs11_Finalize(Pkcs11Dev* dev);