diff --git a/src/internal.c b/src/internal.c index 610fb39d5..bd6f6f875 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5349,6 +5349,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->buffers.key = ctx->privateKey; ssl->buffers.keyType = ctx->privateKeyType; ssl->buffers.keyId = ctx->privateKeyId; + ssl->buffers.keyLabel = ctx->privateKeyLabel; ssl->buffers.keySz = ctx->privateKeySz; ssl->buffers.keyDevId = ctx->privateKeyDevId; #endif @@ -20077,7 +20078,8 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) } #ifdef HAVE_PKCS11 - if (ssl->buffers.keyDevId != INVALID_DEVID && ssl->buffers.keyId) { + if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId || + ssl->buffers.keyLabel)) { if (ssl->buffers.keyType == rsa_sa_algo) ssl->hsType = DYNAMIC_TYPE_RSA; else if (ssl->buffers.keyType == ecc_dsa_sa_algo) @@ -20089,9 +20091,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) if (ssl->buffers.keyType == rsa_sa_algo) { #ifndef NO_RSA - ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey, - ssl->buffers.key->buffer, ssl->buffers.key->length, - ssl->heap, ssl->buffers.keyDevId); + if (ssl->buffers.keyLabel) { + ret = wc_InitRsaKey_Label((RsaKey*)ssl->hsKey, + (char*)ssl->buffers.key->buffer, + ssl->heap, ssl->buffers.keyDevId); + } + else if (ssl->buffers.keyId) { + ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey, + ssl->buffers.key->buffer, + ssl->buffers.key->length, ssl->heap, + ssl->buffers.keyDevId); + } if (ret == 0) { if (ssl->buffers.keySz < ssl->options.minRsaKeySz) { WOLFSSL_MSG("RSA key size too small"); @@ -20107,9 +20117,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) } else if (ssl->buffers.keyType == ecc_dsa_sa_algo) { #ifdef HAVE_ECC - ret = wc_ecc_init_id((ecc_key*)ssl->hsKey, ssl->buffers.key->buffer, - ssl->buffers.key->length, ssl->heap, - ssl->buffers.keyDevId); + if (ssl->buffers.keyLabel) { + ret = wc_ecc_init_label((ecc_key*)ssl->hsKey, + (char*)ssl->buffers.key->buffer, + ssl->heap, ssl->buffers.keyDevId); + } + else if (ssl->buffers.keyId) { + ret = wc_ecc_init_id((ecc_key*)ssl->hsKey, + ssl->buffers.key->buffer, + ssl->buffers.key->length, ssl->heap, + ssl->buffers.keyDevId); + } if (ret == 0) { if (ssl->buffers.keySz < ssl->options.minEccKeySz) { WOLFSSL_MSG("ECC key size too small"); diff --git a/src/ssl.c b/src/ssl.c index a5e20b6ef..b4cec7f0a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -14162,6 +14162,29 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } + + int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX* ctx, const char* label, + int devId, long keySz) + { + int ret = WOLFSSL_FAILURE; + word32 sz = XSTRLEN(label) + 1; + + FreeDer(&ctx->privateKey); + if (AllocDer(&ctx->privateKey, (word32)sz, PRIVATEKEY_TYPE, + ctx->heap) == 0) { + XMEMCPY(ctx->privateKey->buffer, label, sz); + ctx->privateKeyLabel = 1; + ctx->privateKeySz = (word32)keySz; + if (devId != INVALID_DEVID) + ctx->privateKeyDevId = devId; + else + ctx->privateKeyDevId = ctx->devId; + + ret = WOLFSSL_SUCCESS; + } + + return ret; + } #endif int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, @@ -14330,6 +14353,31 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } + + int wolfSSL_use_PrivateKey_label(WOLFSSL* ssl, const char* label, int devId, + long keySz) + { + int ret = WOLFSSL_FAILURE; + word32 sz = XSTRLEN(label) + 1; + + if (ssl->buffers.weOwnKey) + FreeDer(&ssl->buffers.key); + if (AllocDer(&ssl->buffers.key, (word32)sz, PRIVATEKEY_TYPE, + ssl->heap) == 0) { + XMEMCPY(ssl->buffers.key->buffer, label, sz); + ssl->buffers.weOwnKey = 1; + ssl->buffers.keyLabel = 1; + ssl->buffers.keySz = (word32)keySz; + if (devId != INVALID_DEVID) + ssl->buffers.keyDevId = devId; + else + ssl->buffers.keyDevId = ssl->devId; + + ret = WOLFSSL_SUCCESS; + } + + return ret; + } #endif int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl, diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index eb3a8626e..259c3cbe9 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -8086,10 +8086,35 @@ int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId) ret = BUFFER_E; if (ret == 0) - ret = wc_AesInit(aes, heap, devId); + ret = wc_AesInit(aes, heap, devId); if (ret == 0) { XMEMCPY(aes->id, id, len); aes->idLen = len; + aes->labelLen = 0; + } + + return ret; +} + +int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId) +{ + int ret = 0; + int labelLen = 0; + + if (aes == NULL || label == NULL) + ret = BAD_FUNC_ARG; + if (ret == 0) { + labelLen = XSTRLEN(label); + if (labelLen == 0 || labelLen > AES_MAX_LABEL_LEN) + ret = BUFFER_E; + } + + if (ret == 0) + ret = wc_AesInit(aes, heap, devId); + if (ret == 0) { + XMEMCPY(aes->label, label, labelLen); + aes->labelLen = labelLen; + aes->idLen = 0; } return ret; diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index e8401eb58..e8ceb08eb 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -4763,7 +4763,6 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, if (ret == 0) ret = wc_ecc_init_ex(key, heap, devId); - if (ret == 0 && id != NULL && len != 0) { XMEMCPY(key->id, id, len); key->idLen = len; @@ -4771,6 +4770,29 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, return ret; } + +int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId) +{ + int ret = 0; + int labelLen = 0; + + if (key == NULL || label == NULL) + ret = BAD_FUNC_ARG; + if (ret == 0) { + labelLen = XSTRLEN(label); + if (labelLen == 0 || labelLen > ECC_MAX_LABEL_LEN) + ret = BUFFER_E; + } + + if (ret == 0) + ret = wc_ecc_init_ex(key, heap, devId); + if (ret == 0) { + XMEMCPY(key->label, label, labelLen); + key->labelLen = labelLen; + } + + return ret; +} #endif int wc_ecc_set_flags(ecc_key* key, word32 flags) diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 8667be102..d23847901 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -1014,7 +1014,7 @@ int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap, ret = BUFFER_E; if (ret == 0) - ret = wc_HmacInit(hmac, heap, devId); + ret = wc_HmacInit(hmac, heap, devId); if (ret == 0) { XMEMCPY(hmac->id, id, len); hmac->idLen = len; @@ -1022,6 +1022,29 @@ int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap, return ret; } + +int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap, int devId) +{ + int ret = 0; + int labelLen = 0; + + if (hmac == NULL || label == NULL) + ret = BAD_FUNC_ARG; + if (ret == 0) { + labelLen = XSTRLEN(label); + if (labelLen == 0 || labelLen > HMAC_MAX_LABEL_LEN) + ret = BUFFER_E; + } + + if (ret == 0) + ret = wc_HmacInit(hmac, heap, devId); + if (ret == 0) { + XMEMCPY(hmac->label, label, labelLen); + hmac->labelLen = labelLen; + } + + return ret; +} #endif /* Free Hmac from use with async device */ diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index fab08cf84..e55227d6d 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -354,7 +354,6 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, if (ret == 0) ret = wc_InitRsaKey_ex(key, heap, devId); - if (ret == 0 && id != NULL && len != 0) { XMEMCPY(key->id, id, len); key->idLen = len; @@ -362,6 +361,29 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, return ret; } + +int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, int devId) +{ + int ret = 0; + int labelLen = 0; + + if (key == NULL || label == NULL) + ret = BAD_FUNC_ARG; + if (ret == 0) { + labelLen = XSTRLEN(label); + if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN) + ret = BUFFER_E; + } + + if (ret == 0) + ret = wc_InitRsaKey_ex(key, heap, devId); + if (ret == 0) { + XMEMCPY(key->label, label, labelLen); + key->labelLen = labelLen; + } + + return ret; +} #endif diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index c51c70522..e650a1e8e 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -665,54 +665,91 @@ void wc_Pkcs11Token_Close(Pkcs11Token* token) /* * Create a secret key. * - * @param [out] key Handle to key object. - * @param [in] session Session object. - * @param [in] keyType Type of secret key to create. - * @param [in] data Data of the secret key. - * @param [in] len Length of data in bytes. - * @param [in] id Identifier to set against key. - * @param [in] idLen Length of identifier. - * @param [in] op Operation to support with key. + * @param [out] key Handle to key object. + * @param [in] session Session object. + * @param [in] keyType Type of secret key to create. + * @param [in] data Data of the secret key. + * @param [in] len Length of data in bytes. + * @param [in] id Identifier to set against key. + * @param [in] idLen Length of identifier. + * @param [in] label Label to set against key. + * @param [in] labelLen Length of label. + * @param [in] op Operation to support with key. * @return WC_HW_E when another PKCS#11 library call fails. * @return 0 on success. */ static int Pkcs11CreateSecretKey(CK_OBJECT_HANDLE* key, Pkcs11Session* session, CK_KEY_TYPE keyType, unsigned char* data, - int len, unsigned char* id, int idLen, int op) + int len, unsigned char* id, int idLen, + char* label, int labelLen, int op) { int ret = 0; CK_RV rv; - CK_ATTRIBUTE keyTemplate[] = { + CK_ATTRIBUTE keyTemplateEncDec[] = { { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, { CKA_KEY_TYPE, &keyType, sizeof(keyType) }, - { op, &ckTrue, sizeof(ckTrue) }, + { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_VALUE, NULL, 0 }, - { CKA_ID, id, (CK_ULONG)idLen } + { 0, NULL, 0 }, + { 0, NULL, 0 } }; - int keyTmplCnt = 4; + CK_ATTRIBUTE keyTemplateSignVfy[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, + { CKA_KEY_TYPE, &keyType, sizeof(keyType) }, + { CKA_SIGN, &ckTrue, sizeof(ckTrue) }, + { CKA_VERIFY, &ckTrue, sizeof(ckTrue) }, + { CKA_VALUE, NULL, 0 }, + { 0, NULL, 0 }, + { 0, NULL, 0 } + }; + CK_ATTRIBUTE* keyTemplate = NULL; + int keyTmplCnt = 5; WOLFSSL_MSG("PKCS#11: Create Secret Key"); - /* Set the modulus and public exponent data. */ - keyTemplate[3].pValue = data; - keyTemplate[3].ulValueLen = (CK_ULONG)len; - - if (idLen > 0) - keyTmplCnt++; - -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Secret Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif - /* Create an object containing key data for device to use. */ - rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt, - key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif - if (rv != CKR_OK) { + if (op == CKA_ENCRYPT || op == CKA_DECRYPT) { + keyTemplate = keyTemplateEncDec; + } + else if (op == CKA_SIGN) { + keyTemplate = keyTemplateSignVfy; + } + else { + WOLFSSL_MSG("PKCS#11: Invalid operation type"); ret = WC_HW_E; } + if (ret == 0) { + /* Set the secret to store. */ + keyTemplate[keyTmplCnt-1].pValue = data; + keyTemplate[keyTmplCnt-1].ulValueLen = (CK_ULONG)len; + + if (labelLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_LABEL; + keyTemplate[keyTmplCnt].pValue = label; + keyTemplate[keyTmplCnt].ulValueLen = labelLen; + keyTmplCnt++; + } + if (idLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_ID; + keyTemplate[keyTmplCnt].pValue = id; + keyTemplate[keyTmplCnt].ulValueLen = idLen; + keyTmplCnt++; + } + +#ifdef WOLFSSL_DEBUG_PKCS11 + WOLFSSL_MSG("Secret Key"); + pkcs11_dump_template(keyTemplate, keyTmplCnt); +#endif + /* Create an object containing key data for device to use. */ + rv = session->func->C_CreateObject(session->handle, keyTemplate, + keyTmplCnt, key); +#ifdef WOLFSSL_DEBUG_PKCS11 + pkcs11_rv("C_CreateObject", rv); +#endif + if (rv != CKR_OK) { + ret = WC_HW_E; + } + } return ret; } @@ -747,9 +784,10 @@ static int Pkcs11CreateRsaPrivateKey(CK_OBJECT_HANDLE* privateKey, { CKA_EXPONENT_2, NULL, 0 }, { CKA_COEFFICIENT, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_ID, NULL, 0 } + { 0, NULL, 0 }, + { 0, NULL, 0 } }; - CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate) - 1; + CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate) - 2; /* Set the modulus and private key data. */ keyTemplate[ 4].pValue = rsaKey->n.raw.buf; @@ -769,7 +807,14 @@ static int Pkcs11CreateRsaPrivateKey(CK_OBJECT_HANDLE* privateKey, keyTemplate[11].pValue = rsaKey->e.raw.buf; keyTemplate[11].ulValueLen = rsaKey->e.raw.len; + if (permanent && rsaKey->labelLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_LABEL; + keyTemplate[keyTmplCnt].pValue = rsaKey->label; + keyTemplate[keyTmplCnt].ulValueLen = rsaKey->labelLen; + keyTmplCnt++; + } if (permanent && rsaKey->idLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_ID; keyTemplate[keyTmplCnt].pValue = rsaKey->id; keyTemplate[keyTmplCnt].ulValueLen = rsaKey->idLen; keyTmplCnt++; @@ -988,7 +1033,8 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) (unsigned char*)aes->devKey, aes->keylen, (unsigned char*)aes->id, - aes->idLen, CKA_ENCRYPT); + aes->idLen, aes->label, + aes->labelLen, CKA_ENCRYPT); } if (ret == 0 && clear) ForceZero(aes->devKey, aes->keylen); @@ -1005,7 +1051,8 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) (unsigned char*)aes->devKey, aes->keylen, (unsigned char*)aes->id, - aes->idLen, CKA_ENCRYPT); + aes->idLen, aes->label, + aes->labelLen, CKA_ENCRYPT); } if (ret == 0 && clear) ForceZero(aes->devKey, aes->keylen); @@ -1029,14 +1076,16 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) (unsigned char*)hmac->keyRaw, hmac->keyLen, (unsigned char*)hmac->id, - hmac->idLen, CKA_SIGN); + hmac->idLen, hmac->label, + hmac->labelLen, CKA_SIGN); if (ret == WC_HW_E) { ret = Pkcs11CreateSecretKey(&privKey, &session, CKK_GENERIC_SECRET, (unsigned char*)hmac->keyRaw, hmac->keyLen, (unsigned char*)hmac->id, - hmac->idLen, CKA_ENCRYPT); + hmac->idLen, hmac->label, + hmac->labelLen, CKA_SIGN); } } break; @@ -1163,8 +1212,42 @@ static int Pkcs11FindKeyByTemplate(CK_OBJECT_HANDLE* key, } /** - * Find the PKCS#11 object containing the RSA public or private key data with - * the modulus specified. + * Find the PKCS#11 object containing the private key data by label. + * + * @param [out] key Handle to key object. + * @param [in] keyClass Public or private key class. + * @param [in] keyType Type of key. + * @param [in] session Session object. + * @param [in] id Identifier set against a key. + * @param [in] idLen Length of identifier. + * @return WC_HW_E when a PKCS#11 library call fails. + * @return 0 on success. + */ +static int Pkcs11FindKeyByLabel(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, + CK_KEY_TYPE keyType, Pkcs11Session* session, + char* label, int labelLen) +{ + int ret = 0; + CK_ULONG count; + CK_ATTRIBUTE keyTemplate[] = { + { CKA_CLASS, &keyClass, sizeof(keyClass) }, + { CKA_KEY_TYPE, &keyType, sizeof(keyType) }, + { CKA_LABEL, label, (CK_ULONG)labelLen } + }; + CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate); + + WOLFSSL_MSG("PKCS#11: Find Key By Label"); + + ret = Pkcs11FindKeyByTemplate(key, session, keyTemplate, keyTmplCnt, + &count); + if (ret == 0 && count == 0) + ret = WC_HW_E; + + return ret; +} + +/** + * Find the PKCS#11 object containing the private key data by ID. * * @param [out] key Handle to key object. * @param [in] keyClass Public or private key class. @@ -1285,6 +1368,11 @@ static int Pkcs11RsaPublic(Pkcs11Session* session, wc_CryptoInfo* info) ret = WC_HW_E; } } + else if (info->pk.rsa.key->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&publicKey, CKO_PUBLIC_KEY, CKK_RSA, + session, info->pk.rsa.key->label, + info->pk.rsa.key->labelLen); + } else { ret = Pkcs11FindKeyById(&publicKey, CKO_PUBLIC_KEY, CKK_RSA, session, rsaKey->id, rsaKey->idLen); @@ -1442,6 +1530,11 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info) ret = Pkcs11CreateRsaPrivateKey(&privateKey, session, info->pk.rsa.key, 0); } + else if (info->pk.rsa.key->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_RSA, + session, info->pk.rsa.key->label, + info->pk.rsa.key->labelLen); + } else if (info->pk.rsa.key->idLen > 0) { ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_RSA, session, info->pk.rsa.key->id, @@ -1472,6 +1565,10 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info) } } if (ret == 0) { +#ifdef WOLFSSL_DEBUG_PKCS11 + pkcs11_val("C_Decrypt inLen", info->pk.rsa.inLen); + pkcs11_val("C_Decrypt outLen", *info->pk.rsa.outLen); +#endif outLen = (CK_ULONG)*info->pk.rsa.outLen; rv = session->func->C_Decrypt(session->handle, (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, @@ -1565,9 +1662,10 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) }; CK_ULONG pubTmplCnt = sizeof(pubKeyTmpl)/sizeof(*pubKeyTmpl); CK_ATTRIBUTE privKeyTmpl[] = { - {CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, - {CKA_SIGN, &ckTrue, sizeof(ckTrue) }, - {CKA_ID, NULL, 0 } + { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_SIGN, &ckTrue, sizeof(ckTrue) }, + { 0, NULL, 0 }, + { 0, NULL, 0 } }; int privTmplCnt = 2; int i; @@ -1585,7 +1683,14 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) } pubKeyTmpl[3].ulValueLen = i + 1; + if (key->labelLen != 0) { + privKeyTmpl[privTmplCnt].type = CKA_LABEL; + privKeyTmpl[privTmplCnt].pValue = key->label; + privKeyTmpl[privTmplCnt].ulValueLen = key->labelLen; + privTmplCnt++; + } if (key->idLen != 0) { + privKeyTmpl[privTmplCnt].type = CKA_ID; privKeyTmpl[privTmplCnt].pValue = key->id; privKeyTmpl[privTmplCnt].ulValueLen = key->idLen; privTmplCnt++; @@ -1907,12 +2012,14 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) int pubTmplCnt = 1; CK_ATTRIBUTE privKeyTmplDerive[] = { { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }, - { CKA_ID, NULL, 0 }, + { 0, NULL, 0 }, + { 0, NULL, 0 }, }; CK_ATTRIBUTE privKeyTmplEncSign[] = { { CKA_SIGN, &ckTrue, sizeof(ckTrue) }, { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, - { CKA_ID, NULL, 0 }, + { 0, NULL, 0 }, + { 0, NULL, 0 }, }; CK_ATTRIBUTE* privKeyTmpl = privKeyTmplDerive; int privTmplCnt = 1; @@ -1930,7 +2037,14 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) privTmplCnt = 2; pubTmplCnt = 2; } + if (key->labelLen != 0) { + privKeyTmpl[privTmplCnt].type = CKA_LABEL; + privKeyTmpl[privTmplCnt].pValue = key->label; + privKeyTmpl[privTmplCnt].ulValueLen = key->labelLen; + privTmplCnt++; + } if (key->idLen != 0) { + privKeyTmpl[privTmplCnt].type = CKA_ID; privKeyTmpl[privTmplCnt].pValue = key->id; privKeyTmpl[privTmplCnt].ulValueLen = key->idLen; privTmplCnt++; @@ -2079,6 +2193,12 @@ static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info) if ((sessionKey = !mp_iszero(&info->pk.ecdh.private_key->k))) ret = Pkcs11CreateEccPrivateKey(&privateKey, session, info->pk.ecdh.private_key, CKA_DERIVE); + else if (info->pk.ecdh.private_key->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_EC, + session, + info->pk.ecdh.private_key->label, + info->pk.ecdh.private_key->labelLen); + } else if (info->pk.ecdh.private_key->idLen > 0) { ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC, session, info->pk.ecdh.private_key->id, @@ -2375,6 +2495,15 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) if ((sessionKey = !mp_iszero(&info->pk.eccsign.key->k))) ret = Pkcs11CreateEccPrivateKey(&privateKey, session, info->pk.eccsign.key, CKA_SIGN); + else if (info->pk.eccsign.key->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_EC, + session, info->pk.eccsign.key->label, + info->pk.eccsign.key->labelLen); + if (ret == 0 && info->pk.eccsign.key->dp == NULL) { + ret = Pkcs11GetEccParams(session, privateKey, + info->pk.eccsign.key); + } + } else if (info->pk.eccsign.key->idLen > 0) { ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC, session, info->pk.eccsign.key->id, @@ -2559,18 +2688,22 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-GCM Encryption Operation"); - } - /* Create a private key object or find by id. */ - if (ret == 0 && aes->idLen == 0) { - ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, - (unsigned char*)aes->devKey, aes->keylen, - NULL, 0, CKA_ENCRYPT); - - } - else if (ret == 0) { - ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id, - aes->idLen); + /* Create a private key object or find by label or id. */ + if (aes->idLen == 0 && aes->labelLen == 0) { + ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, + (unsigned char*)aes->devKey, + aes->keylen, NULL, 0, NULL, 0, + CKA_ENCRYPT); + } + else if (aes->labelLen != 0) { + ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->label, aes->labelLen); + } + else { + ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->id, aes->idLen); + } } if (ret == 0) { @@ -2620,7 +2753,7 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) } } - if (aes->idLen == 0 && key != NULL_PTR) + if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR) session->func->C_DestroyObject(session->handle, key); return ret; @@ -2658,17 +2791,22 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-GCM Decryption Operation"); - } - /* Create a private key object or find by id. */ - if (ret == 0 && aes->idLen == 0) { - ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, - (unsigned char*)aes->devKey, aes->keylen, - NULL, 0, CKA_ENCRYPT); - } - else if (ret == 0) { - ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id, - aes->idLen); + /* Create a private key object or find by id. */ + if (aes->idLen == 0 && aes->labelLen == 0) { + ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, + (unsigned char*)aes->devKey, + aes->keylen, NULL, 0, NULL, 0, + CKA_DECRYPT); + } + else if (aes->labelLen != 0) { + ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->label, aes->labelLen); + } + else { + ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->id, aes->idLen); + } } if (ret == 0) { @@ -2734,7 +2872,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) } } - if (aes->idLen == 0 && key != NULL_PTR) + if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR) session->func->C_DestroyObject(session->handle, key); return ret; @@ -2772,18 +2910,22 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-CBC Encryption Operation"); - } - /* Create a private key object or find by id. */ - if (ret == 0 && aes->idLen == 0) { - ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, - (unsigned char*)aes->devKey, aes->keylen, - NULL, 0, CKA_ENCRYPT); - - } - else if (ret == 0) { - ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id, - aes->idLen); + /* Create a private key object or find by id. */ + if (aes->idLen == 0 && aes->labelLen == 0) { + ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, + (unsigned char*)aes->devKey, + aes->keylen, NULL, 0, NULL, 0, + CKA_ENCRYPT); + } + else if (aes->labelLen != 0) { + ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->label, aes->labelLen); + } + else { + ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->id, aes->idLen); + } } if (ret == 0) { @@ -2814,7 +2956,7 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) } } - if (aes->idLen == 0 && key != NULL_PTR) + if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR) session->func->C_DestroyObject(session->handle, key); return ret; @@ -2850,17 +2992,22 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-CBC Decryption Operation"); - } - /* Create a private key object or find by id. */ - if (ret == 0 && aes->idLen == 0) { - ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, - (unsigned char*)aes->devKey, aes->keylen, - NULL, 0, CKA_ENCRYPT); - } - else if (ret == 0) { - ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id, - aes->idLen); + /* Create a private key object or find by id. */ + if (aes->idLen == 0 && aes->labelLen == 0) { + ret = Pkcs11CreateSecretKey(&key, session, CKK_AES, + (unsigned char*)aes->devKey, + aes->keylen, NULL, 0, NULL, 0, + CKA_DECRYPT); + } + else if (aes->labelLen != 0) { + ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->label, aes->labelLen); + } + else { + ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, + aes->id, aes->idLen); + } } if (ret == 0) { @@ -2891,7 +3038,7 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) } } - if (aes->idLen == 0 && key != NULL_PTR) + if (aes->idLen == 0 && aes->labelLen == 0 && key != NULL_PTR) session->func->C_DestroyObject(session->handle, key); return ret; @@ -2948,24 +3095,33 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) } /* Create a private key object or find by id. */ - if (ret == 0 && hmac->idLen == 0) { + if (ret == 0 && hmac->idLen == 0 && hmac->labelLen == 0) { ret = Pkcs11CreateSecretKey(&key, session, keyType, (unsigned char*)hmac->keyRaw, hmac->keyLen, - NULL, 0, CKA_SIGN); + NULL, 0, NULL, 0, CKA_SIGN); if (ret == WC_HW_E) { ret = Pkcs11CreateSecretKey(&key, session, CKK_GENERIC_SECRET, (unsigned char*)hmac->keyRaw, hmac->keyLen, - NULL, 0, CKA_SIGN); + NULL, 0, NULL, 0, CKA_SIGN); } } + else if (ret == 0 && hmac->labelLen != 0) { + ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, keyType, session, + hmac->label, hmac->labelLen); + if (ret == WC_HW_E) { + ret = Pkcs11FindKeyByLabel(&key, CKO_SECRET_KEY, + CKK_GENERIC_SECRET, session, + hmac->label, hmac->labelLen); + } + } else if (ret == 0) { ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, keyType, session, - hmac->id, hmac->idLen); + hmac->id, hmac->idLen); if (ret == WC_HW_E) { ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, - CKK_GENERIC_SECRET, session, hmac->id, - hmac->idLen); + CKK_GENERIC_SECRET, session, hmac->id, + hmac->idLen); } } @@ -3027,7 +3183,7 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) hmac->innerHashKeyed = 0; } - if (hmac->idLen == 0 && key != NULL_PTR) + if (hmac->idLen == 0 && hmac->labelLen == 0 && key != NULL_PTR) session->func->C_DestroyObject(session->handle, key); return ret; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c9613e25d..1c80d0287 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2666,8 +2666,9 @@ struct WOLFSSL_CTX { int certChainCnt; #endif DerBuffer* privateKey; - byte privateKeyType:7; + byte privateKeyType:6; byte privateKeyId:1; + byte privateKeyLabel:1; int privateKeySz; int privateKeyDevId; WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ @@ -3322,8 +3323,9 @@ typedef struct Buffers { #ifndef NO_CERTS DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */ DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */ - byte keyType:7; /* Type of key: RSA, ECC, Ed25519 */ + byte keyType:6; /* Type of key: RSA, ECC, Ed25519 */ byte keyId:1; /* Key data is an id not data */ + byte keyLabel:1; /* Key data is a label not data */ int keySz; /* Size of RSA key */ int keyDevId; /* Device Id for key */ DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b2e8a9836..f83b47815 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2324,7 +2324,10 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX*, - const unsigned char*, long, int, long); + const unsigned char*, long, + int, long); + WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX*, const char*, + int, long); WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX*, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*, @@ -2338,7 +2341,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, WOLFSSL_API int wolfSSL_use_PrivateKey_buffer(WOLFSSL*, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_use_PrivateKey_id(WOLFSSL*, const unsigned char*, - long, int, long); + long, int, long); + WOLFSSL_API int wolfSSL_use_PrivateKey_label(WOLFSSL*, const char*, int, + long); WOLFSSL_API int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL*, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*, diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index cdd96d02f..86dccc818 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -143,7 +143,8 @@ enum { #endif #ifdef HAVE_PKCS11 - AES_MAX_ID_LEN = 32, + AES_MAX_ID_LEN = 32, + AES_MAX_LABEL_LEN = 32, #endif }; @@ -192,6 +193,8 @@ struct Aes { #ifdef HAVE_PKCS11 byte id[AES_MAX_ID_LEN]; int idLen; + char label[AES_MAX_LABEL_LEN]; + int labelLen; #endif #ifdef WOLFSSL_ASYNC_CRYPT WC_ASYNC_DEV asyncDev; @@ -437,6 +440,7 @@ WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId); #ifdef HAVE_PKCS11 WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId); +WOLFSSL_API int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId); #endif WOLFSSL_API void wc_AesFree(Aes* aes); diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 08b7148b1..f6e84c8a7 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -154,6 +154,7 @@ enum { #ifdef HAVE_PKCS11 ECC_MAX_ID_LEN = 32, + ECC_MAX_LABEL_LEN = 32, #endif }; @@ -410,6 +411,8 @@ struct ecc_key { #ifdef HAVE_PKCS11 byte id[ECC_MAX_ID_LEN]; int idLen; + char label[ECC_MAX_LABEL_LEN]; + int labelLen; #endif #if defined(WOLFSSL_CRYPTOCELL) ecc_context_t ctx; @@ -548,6 +551,8 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId); WOLFSSL_API int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int devId); +WOLFSSL_API +int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId); #endif #ifdef WOLFSSL_CUSTOM_CURVES WOLFSSL_LOCAL diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index 06b9132ec..ac6988520 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -94,7 +94,8 @@ enum { WC_SHA3_512 = WC_HASH_TYPE_SHA3_512, #endif #ifdef HAVE_PKCS11 - HMAC_MAX_ID_LEN = 32, + HMAC_MAX_ID_LEN = 32, + HMAC_MAX_LABEL_LEN = 32, #endif }; @@ -153,6 +154,8 @@ struct Hmac { #ifdef HAVE_PKCS11 byte id[HMAC_MAX_ID_LEN]; int idLen; + char label[HMAC_MAX_LABEL_LEN]; + int labelLen; #endif #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB) word16 keyLen; /* hmac key length (key in ipad) */ @@ -174,8 +177,12 @@ WOLFSSL_API int wc_HmacFinal(Hmac*, byte*); WOLFSSL_API int wc_HmacSizeByType(int type); WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId); +#ifdef HAVE_PKCS11 WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap, int devId); +WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap, + int devId); +#endif WOLFSSL_API void wc_HmacFree(Hmac*); WOLFSSL_API int wolfSSL_GetHmacMaxSize(void); diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h index 70a32e145..d5cd6194d 100644 --- a/wolfssl/wolfcrypt/rsa.h +++ b/wolfssl/wolfcrypt/rsa.h @@ -143,6 +143,7 @@ enum { #ifdef HAVE_PKCS11 RSA_MAX_ID_LEN = 32, + RSA_MAX_LABEL_LEN = 32, #endif }; @@ -187,6 +188,8 @@ struct RsaKey { #ifdef HAVE_PKCS11 byte id[RSA_MAX_ID_LEN]; int idLen; + char label[RSA_MAX_LABEL_LEN]; + int labelLen; #endif #if defined(WOLFSSL_ASYNC_CRYPT) || !defined(WOLFSSL_RSA_VERIFY_INLINE) byte dataIsAlloc; @@ -216,6 +219,8 @@ WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); #ifdef HAVE_PKCS11 WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int devId); +WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, + int devId); #endif WOLFSSL_API int wc_CheckRsaKey(RsaKey* key); #ifdef WOLFSSL_XILINX_CRYPT diff --git a/wolfssl/wolfcrypt/wc_pkcs11.h b/wolfssl/wolfcrypt/wc_pkcs11.h index 55e154604..39dd5e34c 100644 --- a/wolfssl/wolfcrypt/wc_pkcs11.h +++ b/wolfssl/wolfcrypt/wc_pkcs11.h @@ -67,7 +67,6 @@ enum Pkcs11KeyType { PKCS11_KEY_TYPE_EC, }; - WOLFSSL_API int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap); WOLFSSL_API void wc_Pkcs11_Finalize(Pkcs11Dev* dev);