diff --git a/src/internal.c b/src/internal.c index bd6f6f875..46ff3fdbf 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1649,6 +1649,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) return BAD_MUTEX_E; } +#ifndef NO_CERTS + ctx->privateKeyDevId = INVALID_DEVID; +#endif + #ifndef NO_DH ctx->minDhKeySz = MIN_DHKEY_SZ; ctx->maxDhKeySz = MAX_DHKEY_SZ; @@ -20048,6 +20052,76 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) #if !defined(NO_CERTS) +#ifdef WOLF_CRYPTO_CB +/* Create a private key for a device. + * + * pkey Key object. + * data Data to identify key. + * length Length of data. + * hsType Type of the key to create. + * heap Custom heap to use for mallocs/frees + * devId Id for device. + * return 0 on success. + * return NOT_COMPILED_IN if algorithm type not supported. + * return MEMORY_E on memory allocation failure. + * return other internal error + */ +int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType, + int label, int id, void* heap, int devId) +{ + int ret = NOT_COMPILED_IN; + + if (hsType == DYNAMIC_TYPE_RSA) { +#ifndef NO_RSA + RsaKey* rsaKey; + + rsaKey = XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA); + if (rsaKey == NULL) { + return MEMORY_E; + } + + if (label) { + ret = wc_InitRsaKey_Label(rsaKey, (char*)data, heap, devId); + } + else if (id) { + ret = wc_InitRsaKey_Id(rsaKey, data, length, heap, devId); + } + if (ret == 0) { + *pkey = (void*)rsaKey; + } + else { + XFREE(rsaKey, heap, DYNAMIC_TYPE_EC); + } +#endif + } + else if (hsType == DYNAMIC_TYPE_ECC) { +#ifdef HAVE_ECC + ecc_key* ecKey; + + ecKey = XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC); + if (ecKey == NULL) { + return MEMORY_E; + } + + if (label) { + ret = wc_ecc_init_label(ecKey, (char*)data, heap, devId); + } + else if (id) { + ret = wc_ecc_init_id(ecKey, data, length, heap, devId); + } + if (ret == 0) { + *pkey = (void*)ecKey; + } + else { + XFREE(ecKey, heap, DYNAMIC_TYPE_EC); + } +#endif + } + + return ret; +} +#endif + /* Decode the private key - RSA/ECC/Ed25519/Ed448 - and creates a key object. * The signature type is set as well. * The maximum length of a signature is returned. diff --git a/src/ssl.c b/src/ssl.c index c5bd80a2c..8a929ab26 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7353,7 +7353,41 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) size = ctx->privateKey->length; buff = ctx->privateKey->buffer; - ret = wc_CheckPrivateKey(buff, size, der); +#ifdef WOLF_CRYPTO_CB + if (ctx->privateKeyDevId != INVALID_DEVID) { + int type = 0; + void *pkey = NULL; + + if (der->keyOID == RSAk) { + type = DYNAMIC_TYPE_RSA; + } + else if (der->keyOID == ECDSAk) { + type = DYNAMIC_TYPE_ECC; + } + ret = CreateDevPrivateKey(&pkey, buff, size, type, ctx->privateKeyLabel, + ctx->privateKeyId, ctx->heap, + ctx->privateKeyDevId); + if (ret == 0 && der->keyOID == RSAk) { + ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der->publicKey, + der->pubKeySize); + if (ret == 0) + ret = 1; + wc_FreeRsaKey(pkey); + } + else if (ret == 0 && der->keyOID == ECDSAk) { + ret = wc_CryptoCb_EccCheckPrivKey(pkey, der->publicKey, + der->pubKeySize); + if (ret == 0) + ret = 1; + wc_ecc_free(pkey); + } + if (pkey != NULL) { + XFREE(pkey, ctx->heap, type); + } + } + else +#endif + ret = wc_CheckPrivateKey(buff, size, der); FreeDecodedCert(der); #ifdef WOLFSSL_SMALL_STACK XFREE(der, NULL, DYNAMIC_TYPE_DCERT); @@ -7920,7 +7954,42 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl) size = ssl->buffers.key->length; buff = ssl->buffers.key->buffer; - ret = wc_CheckPrivateKey(buff, size, &der); +#ifdef WOLF_CRYPTO_CB + if (ssl->buffers.keyDevId != INVALID_DEVID) { + int type = 0; + void *pkey = NULL; + + if (der.keyOID == RSAk) { + type = DYNAMIC_TYPE_RSA; + } + else if (der.keyOID == ECDSAk) { + type = DYNAMIC_TYPE_ECC; + } + ret = CreateDevPrivateKey(&pkey, buff, size, type, + ssl->buffers.keyLabel, + ssl->buffers.keyId, ssl->heap, + ssl->buffers.keyDevId); + if (ret == 0 && der.keyOID == RSAk) { + ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der.publicKey, + der.pubKeySize); + if (ret == 0) + ret = 1; + wc_FreeRsaKey(pkey); + } + else if (ret == 0 && der.keyOID == ECDSAk) { + ret = wc_CryptoCb_EccCheckPrivKey(pkey, der.publicKey, + der.pubKeySize); + if (ret == 0) + ret = 1; + wc_ecc_free(pkey); + } + if (pkey != NULL) { + XFREE(pkey, ctx->heap, type); + } + } + else +#endif + ret = wc_CheckPrivateKey(buff, size, &der); FreeDecodedCert(&der); return ret; } @@ -14119,6 +14188,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #ifdef HAVE_PKCS11 int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, long sz, int devId, long keySz) + { + int ret = wolfSSL_CTX_use_PrivateKey_Id(ctx, id, sz, devId); + + if (ret == WOLFSSL_SUCCESS) + ctx->privateKeySz = (word32)keySz; + + return ret; + } + + int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, + long sz, int devId) { int ret = WOLFSSL_FAILURE; @@ -14127,7 +14207,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ctx->heap) == 0) { XMEMCPY(ctx->privateKey->buffer, id, sz); ctx->privateKeyId = 1; - ctx->privateKeySz = (word32)keySz; if (devId != INVALID_DEVID) ctx->privateKeyDevId = devId; else @@ -14139,18 +14218,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } - int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX* ctx, const char* label, - int devId, long keySz) + int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, + int devId) { int ret = WOLFSSL_FAILURE; - word32 sz = XSTRLEN(label) + 1; + word32 sz = (word32)XSTRLEN(label) + 1; FreeDer(&ctx->privateKey); if (AllocDer(&ctx->privateKey, (word32)sz, PRIVATEKEY_TYPE, ctx->heap) == 0) { XMEMCPY(ctx->privateKey->buffer, label, sz); ctx->privateKeyLabel = 1; - ctx->privateKeySz = (word32)keySz; if (devId != INVALID_DEVID) ctx->privateKeyDevId = devId; else @@ -14305,9 +14383,20 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); } -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id, long sz, int devId, long keySz) + { + int ret = wolfSSL_use_PrivateKey_Id(ssl, id, sz, devId); + + if (ret == WOLFSSL_SUCCESS) + ssl->buffers.keySz = (word32)keySz; + + return ret; + } + + int wolfSSL_use_PrivateKey_Id(WOLFSSL* ssl, const unsigned char* id, + long sz, int devId) { int ret = WOLFSSL_FAILURE; @@ -14318,7 +14407,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) XMEMCPY(ssl->buffers.key->buffer, id, sz); ssl->buffers.weOwnKey = 1; ssl->buffers.keyId = 1; - ssl->buffers.keySz = (word32)keySz; if (devId != INVALID_DEVID) ssl->buffers.keyDevId = devId; else @@ -14330,11 +14418,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } - int wolfSSL_use_PrivateKey_label(WOLFSSL* ssl, const char* label, int devId, - long keySz) + int wolfSSL_use_PrivateKey_Label(WOLFSSL* ssl, const char* label, int devId) { int ret = WOLFSSL_FAILURE; - word32 sz = XSTRLEN(label) + 1; + word32 sz = (word32)XSTRLEN(label) + 1; if (ssl->buffers.weOwnKey) FreeDer(&ssl->buffers.key); @@ -14343,7 +14430,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) XMEMCPY(ssl->buffers.key->buffer, label, sz); ssl->buffers.weOwnKey = 1; ssl->buffers.keyLabel = 1; - ssl->buffers.keySz = (word32)keySz; if (devId != INVALID_DEVID) ssl->buffers.keyDevId = devId; else diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 259c3cbe9..b942d5450 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -8096,7 +8096,7 @@ int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId) return ret; } -int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId) +int wc_AesInit_Label(Aes* aes, const char* label, void* heap, int devId) { int ret = 0; int labelLen = 0; @@ -8104,7 +8104,7 @@ int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId) if (aes == NULL || label == NULL) ret = BAD_FUNC_ARG; if (ret == 0) { - labelLen = XSTRLEN(label); + labelLen = (int)XSTRLEN(label); if (labelLen == 0 || labelLen > AES_MAX_LABEL_LEN) ret = BUFFER_E; } diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index a96e5d64d..b0957e85b 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -176,6 +176,32 @@ int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return wc_CryptoCb_TranslateErrorCode(ret); } #endif + +int wc_CryptoCb_RsaCheckPrivKey(RsaKey* key, const byte* pubKey, + word32 pubKeySz) +{ + int ret = CRYPTOCB_UNAVAILABLE; + CryptoCb* dev; + + if (key == NULL) + return ret; + + /* locate registered callback */ + dev = wc_CryptoCb_FindDevice(key->devId); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_PK; + cryptoInfo.pk.type = WC_PK_TYPE_RSA_CHECK_PRIV_KEY; + cryptoInfo.pk.rsa_check.key = key; + cryptoInfo.pk.rsa_check.pubKey = pubKey; + cryptoInfo.pk.rsa_check.pubKeySz = pubKeySz; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} #endif /* !NO_RSA */ #ifdef HAVE_ECC @@ -289,6 +315,32 @@ int wc_CryptoCb_EccVerify(const byte* sig, word32 siglen, return wc_CryptoCb_TranslateErrorCode(ret); } + +int wc_CryptoCb_EccCheckPrivKey(ecc_key* key, const byte* pubKey, + word32 pubKeySz) +{ + int ret = CRYPTOCB_UNAVAILABLE; + CryptoCb* dev; + + if (key == NULL) + return ret; + + /* locate registered callback */ + dev = wc_CryptoCb_FindDevice(key->devId); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_PK; + cryptoInfo.pk.type = WC_PK_TYPE_EC_CHECK_PRIV_KEY; + cryptoInfo.pk.ecc_check.key = key; + cryptoInfo.pk.ecc_check.pubKey = pubKey; + cryptoInfo.pk.ecc_check.pubKeySz = pubKeySz; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} #endif /* HAVE_ECC */ #ifndef NO_AES diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index e8ceb08eb..782f83449 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -4750,7 +4750,7 @@ int wc_ecc_init(ecc_key* key) return wc_ecc_init_ex(key, NULL, INVALID_DEVID); } -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int devId) { @@ -4771,7 +4771,7 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, return ret; } -int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId) +int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId) { int ret = 0; int labelLen = 0; @@ -4779,7 +4779,7 @@ int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId) if (key == NULL || label == NULL) ret = BAD_FUNC_ARG; if (ret == 0) { - labelLen = XSTRLEN(label); + labelLen = (int)XSTRLEN(label); if (labelLen == 0 || labelLen > ECC_MAX_LABEL_LEN) ret = BUFFER_E; } diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index d23847901..fbf43abeb 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -1023,7 +1023,7 @@ int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap, return ret; } -int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap, int devId) +int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, int devId) { int ret = 0; int labelLen = 0; @@ -1031,7 +1031,7 @@ int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap, int devId) if (hmac == NULL || label == NULL) ret = BAD_FUNC_ARG; if (ret == 0) { - labelLen = XSTRLEN(label); + labelLen = (int)XSTRLEN(label); if (labelLen == 0 || labelLen > HMAC_MAX_LABEL_LEN) ret = BUFFER_E; } diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index e55227d6d..58e24fb6c 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -341,7 +341,7 @@ int wc_InitRsaKey(RsaKey* key, void* heap) return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); } -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int devId) { @@ -362,7 +362,7 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, return ret; } -int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, int devId) +int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId) { int ret = 0; int labelLen = 0; @@ -370,7 +370,7 @@ int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, int devId) if (key == NULL || label == NULL) ret = BAD_FUNC_ARG; if (ret == 0) { - labelLen = XSTRLEN(label); + labelLen = (int)XSTRLEN(label); if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN) ret = BUFFER_E; } diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index e650a1e8e..e60052b38 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -865,6 +865,95 @@ static int Pkcs11EccSetParams(ecc_key* key, CK_ATTRIBUTE* tmpl, int idx) return ret; } +/** + * Create a PKCS#11 object containing the ECC public key data. + * Encode the public key as an OCTET_STRING of the encoded point. + * + * @param [out] publicKey Henadle to public key object. + * @param [in] session Session object. + * @param [in] public_key ECC public key. + * @param [in] operation Cryptographic operation key is to be used for. + * @return WC_HW_E when a PKCS#11 library call fails. + * @return MEMORY_E when a memory allocation fails. + * @return 0 on success. + */ +static int Pkcs11CreateEccPublicKey(CK_OBJECT_HANDLE* publicKey, + Pkcs11Session* session, + ecc_key* public_key, + CK_ATTRIBUTE_TYPE operation) +{ + int ret = 0; + int i; + unsigned char* ecPoint = NULL; + word32 len; + CK_RV rv; + CK_UTF8CHAR params[MAX_EC_PARAM_LEN]; + CK_ATTRIBUTE keyTemplate[] = { + { CKA_CLASS, &pubKeyClass, sizeof(pubKeyClass) }, + { CKA_KEY_TYPE, &ecKeyType, sizeof(ecKeyType) }, + { operation, &ckTrue, sizeof(ckTrue) }, + { CKA_EC_PARAMS, params, 0 }, + { CKA_EC_POINT, NULL, 0 }, + { 0, NULL, 0 }, + { 0, NULL, 0 } + }; + CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate) - 2; + + if (public_key->labelLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_LABEL; + keyTemplate[keyTmplCnt].pValue = public_key->label; + keyTemplate[keyTmplCnt].ulValueLen = public_key->labelLen; + keyTmplCnt++; + } + if (public_key->idLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_ID; + keyTemplate[keyTmplCnt].pValue = public_key->id; + keyTemplate[keyTmplCnt].ulValueLen = public_key->idLen; + keyTmplCnt++; + } + + ret = Pkcs11EccSetParams(public_key, keyTemplate, 3); + if (ret == 0) { + /* ASN1 encoded: OCT + uncompressed point */ + len = 3 + 1 + 2 * public_key->dp->size; + ecPoint = (unsigned char*)XMALLOC(len, public_key->heap, + DYNAMIC_TYPE_ECC); + if (ecPoint == NULL) + ret = MEMORY_E; + } + if (ret == 0) { + len -= 3; + i = 0; + ecPoint[i++] = ASN_OCTET_STRING; + if (len >= ASN_LONG_LENGTH) + ecPoint[i++] = ASN_LONG_LENGTH | 1; + ecPoint[i++] = len; + ret = wc_ecc_export_x963(public_key, ecPoint + i, &len); + } + if (ret == 0) { + keyTemplate[4].pValue = ecPoint; + keyTemplate[4].ulValueLen = len + i; + +#ifdef WOLFSSL_DEBUG_PKCS11 + WOLFSSL_MSG("Ec Public Key"); + pkcs11_dump_template(keyTemplate, keyTmplCnt); +#endif + rv = session->func->C_CreateObject(session->handle, keyTemplate, + keyTmplCnt, publicKey); +#ifdef WOLFSSL_DEBUG_PKCS11 + pkcs11_rv("C_CreateObject", rv); +#endif + if (rv != CKR_OK) { + ret = WC_HW_E; + } + } + + if (ecPoint != NULL) + XFREE(ecPoint, public_key->heap, DYNAMIC_TYPE_ECC); + + return ret; +} + /** * Create a PKCS#11 object containing the ECC private key data. * @@ -888,9 +977,24 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey, { CKA_KEY_TYPE, &ecKeyType, sizeof(ecKeyType) }, { operation, &ckTrue, sizeof(ckTrue) }, { CKA_EC_PARAMS, params, 0 }, - { CKA_VALUE, NULL, 0 } + { CKA_VALUE, NULL, 0 }, + { 0, NULL, 0 }, + { 0, NULL, 0 } }; - CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate); + CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate) - 2; + + if (private_key->labelLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_LABEL; + keyTemplate[keyTmplCnt].pValue = private_key->label; + keyTemplate[keyTmplCnt].ulValueLen = private_key->labelLen; + keyTmplCnt++; + } + if (private_key->idLen > 0) { + keyTemplate[keyTmplCnt].type = CKA_ID; + keyTemplate[keyTmplCnt].pValue = private_key->id; + keyTemplate[keyTmplCnt].ulValueLen = private_key->idLen; + keyTmplCnt++; + } ret = Pkcs11EccSetParams(private_key, keyTemplate, 3); if (ret == 0) { @@ -1116,11 +1220,13 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) int ret2 = NOT_COMPILED_IN; #ifndef NO_PKCS11_ECDH - /* Try ECDH mechanism first. */ - ret = Pkcs11MechAvail(&session, CKM_ECDH1_DERIVE); - if (ret == 0) { - ret = Pkcs11CreateEccPrivateKey(&privKey, &session, eccKey, - CKA_DERIVE); + if ((eccKey->flags & WC_ECC_FLAG_DEC_SIGN) == 0) { + /* Try ECDH mechanism first. */ + ret = Pkcs11MechAvail(&session, CKM_ECDH1_DERIVE); + if (ret == 0) { + ret = Pkcs11CreateEccPrivateKey(&privKey, &session, + eccKey, CKA_DERIVE); + } } #endif if (ret == 0 || ret == NOT_COMPILED_IN) { @@ -1129,6 +1235,12 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) if (ret2 == 0) { ret2 = Pkcs11CreateEccPrivateKey(&privKey, &session, eccKey, CKA_SIGN); + if (ret2 == 0) { + CK_OBJECT_HANDLE pubKey = NULL_PTR; + /* Store public key for validation with cert. */ + ret2 = Pkcs11CreateEccPublicKey(&pubKey, &session, + eccKey, CKA_VERIFY); + } } /* OK for this to fail if set for ECDH. */ if (ret == NOT_COMPILED_IN) @@ -1733,8 +1845,8 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) #ifdef HAVE_ECC /** - * Find the PKCS#11 object containing the ECC public or private key data with - * the modulus specified. + * Find the PKCS#11 object containing the ECC public or private key data. + * Search for public key by public point. * * @param [out] key Henadle to key object. * @param [in] keyClass Public or private key class. @@ -1745,7 +1857,8 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) * @return 0 on success. */ static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, - Pkcs11Session* session, ecc_key* eccKey) + Pkcs11Session* session, ecc_key* eccKey, + int op) { int ret = 0; int i; @@ -1758,9 +1871,10 @@ static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, { CKA_CLASS, &keyClass, sizeof(keyClass) }, { CKA_KEY_TYPE, &ecKeyType, sizeof(ecKeyType) }, { CKA_EC_PARAMS, params, 0 }, + { op, &ckTrue, sizeof(ckTrue) }, { CKA_EC_POINT, NULL, 0 }, }; - CK_ULONG attrCnt = 3; + CK_ULONG attrCnt = 4; ret = Pkcs11EccSetParams(eccKey, keyTemplate, 2); if (ret == 0 && keyClass == CKO_PUBLIC_KEY) { @@ -1822,81 +1936,6 @@ static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, return ret; } -/** - * Create a PKCS#11 object containing the ECC public key data. - * Encode the public key as an OCTET_STRING of the encoded point. - * - * @param [out] publicKey Henadle to public key object. - * @param [in] session Session object. - * @param [in] public_key ECC public key. - * @param [in] operation Cryptographic operation key is to be used for. - * @return WC_HW_E when a PKCS#11 library call fails. - * @return MEMORY_E when a memory allocation fails. - * @return 0 on success. - */ -static int Pkcs11CreateEccPublicKey(CK_OBJECT_HANDLE* publicKey, - Pkcs11Session* session, - ecc_key* public_key, - CK_ATTRIBUTE_TYPE operation) -{ - int ret = 0; - int i; - unsigned char* ecPoint = NULL; - word32 len; - CK_RV rv; - CK_UTF8CHAR params[MAX_EC_PARAM_LEN]; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &pubKeyClass, sizeof(pubKeyClass) }, - { CKA_KEY_TYPE, &ecKeyType, sizeof(ecKeyType) }, - { operation, &ckTrue, sizeof(ckTrue) }, - { CKA_EC_PARAMS, params, 0 }, - { CKA_EC_POINT, NULL, 0 } - }; - CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate); - - ret = Pkcs11EccSetParams(public_key, keyTemplate, 3); - if (ret == 0) { - /* ASN1 encoded: OCT + uncompressed point */ - len = 3 + 1 + 2 * public_key->dp->size; - ecPoint = (unsigned char*)XMALLOC(len, public_key->heap, - DYNAMIC_TYPE_ECC); - if (ecPoint == NULL) - ret = MEMORY_E; - } - if (ret == 0) { - len -= 3; - i = 0; - ecPoint[i++] = ASN_OCTET_STRING; - if (len >= ASN_LONG_LENGTH) - ecPoint[i++] = ASN_LONG_LENGTH | 1; - ecPoint[i++] = len; - ret = wc_ecc_export_x963(public_key, ecPoint + i, &len); - } - if (ret == 0) { - keyTemplate[4].pValue = ecPoint; - keyTemplate[4].ulValueLen = len + i; - -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Ec Public Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif - rv = session->func->C_CreateObject(session->handle, keyTemplate, - keyTmplCnt, publicKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif - if (rv != CKR_OK) { - ret = WC_HW_E; - } - } - - if (ecPoint != NULL) - XFREE(ecPoint, public_key->heap, DYNAMIC_TYPE_ECC); - - return ret; -} - -#ifndef NO_PKCS11_EC_KEYGEN /** * Gets the public key data from the PKCS#11 object and puts into the ECC key. * @@ -1987,6 +2026,7 @@ static int Pkcs11GetEccPublicKey(ecc_key* key, Pkcs11Session* session, return ret; } +#ifndef NO_PKCS11_EC_KEYGEN /** * Perform an ECC key generation operation. * The private key data stays on the device. @@ -2189,7 +2229,6 @@ static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info) if (ret == 0) { WOLFSSL_MSG("PKCS#11: EC Key Derivation Operation"); - if ((sessionKey = !mp_iszero(&info->pk.ecdh.private_key->k))) ret = Pkcs11CreateEccPrivateKey(&privateKey, session, info->pk.ecdh.private_key, CKA_DERIVE); @@ -2206,7 +2245,7 @@ static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info) } else { ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session, - info->pk.ecdh.public_key); + info->pk.ecdh.public_key, CKA_DERIVE); } } if (ret == 0) { @@ -2515,7 +2554,7 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) } else { ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session, - info->pk.eccsign.key); + info->pk.eccsign.key, CKA_SIGN); } } @@ -2656,6 +2695,214 @@ static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) } #endif +#ifndef NO_RSA +/** + * Check the private RSA key matches the public key. + * + * @param [in] priv RSA private key. + * @param [in] publicKey Encoded RSA public key. + * @param [in] pubKeySize Length of encoded RSA public key. + * @return MEMORY_E when a memory allocation fails. + * @return MP_CMP_E when the public parts are different. + * @return 0 on success. + */ +static int wc_Pkcs11CheckPrivKey_Rsa(RsaKey* priv, + const unsigned char* publicKey, word32 pubKeySize) +{ + int ret = 0; + #ifdef WOLFSSL_SMALL_STACK + RsaKey* pub = NULL; + #else + RsaKey pub[1]; + #endif + word32 keyIdx = 0; + + #ifdef WOLFSSL_SMALL_STACK + pub = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); + if (pub == NULL) { + ret = MEMORY_E; + } + #endif + + if ((ret == 0) && (ret = wc_InitRsaKey(pub, NULL)) == 0) { + if (ret == 0) { + ret = wc_RsaPublicKeyDecode(publicKey, &keyIdx, pub, pubKeySize); + } + if (ret == 0) { + /* both keys extracted successfully now check n and e + * values are the same. This is dereferencing RsaKey */ + if (mp_cmp(&(priv->n), &(pub->n)) != MP_EQ || + mp_cmp(&(priv->e), &(pub->e)) != MP_EQ) { + ret = MP_CMP_E; + } + else + ret = 0; + } + wc_FreeRsaKey(pub); + } + #ifdef WOLFSSL_SMALL_STACK + if (pub != NULL) { + XFREE(pub, NULL, DYNAMIC_TYPE_RSA); + } + #endif + + return ret; +} + +/** + * Checks the RSA private key matches the RSA public key. + * + * @param [in] session Session object. + * @param [in] info Cryptographic operation data. + * @return WC_HW_E when a PKCS#11 library call fails. + * @return MEMORY_E when a memory allocation fails. + * @return MEMORY_E when a memory allocation fails. + * @return MP_CMP_E when the public parts are different. + * @return 0 on success. + */ +static int Pkcs11RsaCheckPrivKey(Pkcs11Session* session, wc_CryptoInfo* info) +{ + int ret = 0; + CK_OBJECT_HANDLE privateKey; + RsaKey* priv = info->pk.rsa_check.key; + + if (mp_iszero(&priv->n) || mp_iszero(&priv->e)) { + /* Get the RSA private key object. */ + if (priv->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, + CKK_RSA, session, priv->label, + priv->labelLen); + } + else if (info->pk.rsa.key->idLen > 0) { + ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_RSA, + session, priv->id, priv->idLen); + } + else { + ret = Pkcs11FindRsaKey(&privateKey, CKO_PRIVATE_KEY, session, priv); + } + + if (ret == 0) { + /* Extract the public key components. */ + ret = Pkcs11GetRsaPublicKey(priv, session, privateKey); + } + } + if (ret == 0) { + /* Compare the extracted public parts with the public key. */ + ret = wc_Pkcs11CheckPrivKey_Rsa(priv, info->pk.rsa_check.pubKey, + info->pk.rsa_check.pubKeySz); + } + + return ret; +} +#endif + +#ifdef HAVE_ECC +/** + * Check the private ECC key matches the public key. + * Do this by looking up the public key data from the associated public key. + * The public key object handle is passed in for the private key. + * + * @param [in] privateKey Handle to private key object. + * @param [in] publicKey Encoded EC public key. + * @param [in] pubKeySize Length of encoded EC public key. + * @return MEMORY_E when a memory allocation fails. + * @return MP_CMP_E when the public parts are different. + * @return 0 on success. + */ +static int wc_Pkcs11CheckPrivKey_Ecc(ecc_key* priv, + const unsigned char* publicKey, word32 pubKeySize) +{ + int ret = 0; + #ifdef WOLFSSL_SMALL_STACK + ecc_key* pub = NULL; + #else + ecc_key pub[1]; + #endif + word32 keyIdx = 0; + + #ifdef WOLFSSL_SMALL_STACK + pub = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC); + if (pub == NULL) { + ret = MEMORY_E; + } + #endif + + if ((ret == 0) && (ret = wc_ecc_init(pub)) == 0) { + ret = wc_EccPublicKeyDecode(publicKey, &keyIdx, pub, pubKeySize); + if (ret == 0) { + /* both keys extracted successfully now check curve and + * pubkey. */ + if ((pub->idx != priv->idx) || (wc_ecc_cmp_point(&priv->pubkey, + &pub->pubkey) != MP_EQ)) { + ret = MP_CMP_E; + } + else { + ret = 0; + } + } + wc_ecc_free(pub); + } + #ifdef WOLFSSL_SMALL_STACK + if (pub != NULL) { + XFREE(pub, NULL, DYNAMIC_TYPE_ECC); + } + #endif + + return ret; +} + +/** + * Checks the ECC private key matches the ECC public key. + * + * @param [in] session Session object. + * @param [in] info Cryptographic operation data. + * @return WC_HW_E when a PKCS#11 library call fails. + * @return MEMORY_E when a memory allocation fails. + * @return MEMORY_E when a memory allocation fails. + * @return MP_CMP_E when the public parts are different. + * @return 0 on success. + */ +static int Pkcs11EccCheckPrivKey(Pkcs11Session* session, wc_CryptoInfo* info) +{ + int ret; + ecc_key* priv = info->pk.ecc_check.key; + CK_OBJECT_HANDLE privateKey; + + if (mp_iszero(priv->pubkey.x) || mp_iszero(priv->pubkey.y)) { + /* Get the public key object as the private key object doesn't have + * the public point stored in it. + */ + if (priv->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PUBLIC_KEY, CKK_EC, + session, priv->label, priv->labelLen); + } + else if (priv->idLen > 0) { + ret = Pkcs11FindKeyById(&privateKey, CKO_PUBLIC_KEY, CKK_EC, + session, priv->id, priv->idLen); + } + else { + ret = Pkcs11FindEccKey(&privateKey, CKO_PUBLIC_KEY, session, priv, + CKA_SIGN); + } + if (ret == 0 && priv->dp == NULL) { + /* Extract the group id. */ + ret = Pkcs11GetEccParams(session, privateKey, priv); + } + if (ret == 0) { + /* Extract the public point. */ + ret = Pkcs11GetEccPublicKey(priv, session, privateKey); + } + } + if (ret == 0) { + /* Compare the extracted public parts with the public key. */ + ret = wc_Pkcs11CheckPrivKey_Ecc(priv, info->pk.ecc_check.pubKey, + info->pk.ecc_check.pubKeySz); + } + + return ret; +} +#endif + #if !defined(NO_AES) && defined(HAVE_AESGCM) /** * Performs the AES-GCM encryption operation. @@ -3276,6 +3523,9 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) ret = Pkcs11RsaKeyGen(&session, info); break; #endif + case WC_PK_TYPE_RSA_CHECK_PRIV_KEY: + ret = Pkcs11RsaCheckPrivKey(&session, info); + break; #endif #ifdef HAVE_ECC #ifndef NO_PKCS11_EC_KEYGEN @@ -3294,6 +3544,9 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) case WC_PK_TYPE_ECDSA_VERIFY: ret = Pkcs11ECDSA_Verify(&session, info); break; + case WC_PK_TYPE_EC_CHECK_PRIV_KEY: + ret = Pkcs11EccCheckPrivKey(&session, info); + break; #endif default: ret = NOT_COMPILED_IN; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 1c80d0287..94387b1c3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1692,6 +1692,11 @@ WOLFSSL_LOCAL int CompleteServerHello(WOLFSSL *ssl); WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv); WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz); +#ifdef WOLF_CRYPTO_CB +WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* buffer, word32 length, + int hsType, int label, int id, + void* heap, int devId); +#endif WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word16* length); #ifdef HAVE_PK_CALLBACKS WOLFSSL_LOCAL int GetPrivateKeySigSize(WOLFSSL* ssl); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index f83b47815..320bd12c1 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -40,6 +40,10 @@ #include #endif + #ifdef WOLF_CRYPTO_CB + #include +#endif + /* used internally by wolfSSL while OpenSSL types aren't */ #include @@ -2326,8 +2330,11 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX*, const unsigned char*, long, int, long); - WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX*, const char*, - int, long); + WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX*, + const unsigned char*, long, + int); + WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX*, const char*, + int); WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX*, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*, @@ -2342,8 +2349,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, long, int); WOLFSSL_API int wolfSSL_use_PrivateKey_id(WOLFSSL*, const unsigned char*, long, int, long); - WOLFSSL_API int wolfSSL_use_PrivateKey_label(WOLFSSL*, const char*, int, - long); + WOLFSSL_API int wolfSSL_use_PrivateKey_Id(WOLFSSL*, const unsigned char*, + long, int); + WOLFSSL_API int wolfSSL_use_PrivateKey_Label(WOLFSSL*, const char*, int); WOLFSSL_API int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL*, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*, diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index 86dccc818..d879d4db9 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -440,7 +440,8 @@ WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId); #ifdef HAVE_PKCS11 WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId); -WOLFSSL_API int wc_AesInit_Label(Aes* aes, char* label, void* heap, int devId); +WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap, + int devId); #endif WOLFSSL_API void wc_AesFree(Aes* aes); diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index 120cc7a49..0ca091146 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -85,6 +85,11 @@ typedef struct wc_CryptoInfo { WC_RNG* rng; } rsakg; #endif + struct { + RsaKey* key; + const byte* pubKey; + word32 pubKeySz; + } rsa_check; #endif #ifdef HAVE_ECC struct { @@ -115,6 +120,11 @@ typedef struct wc_CryptoInfo { int* res; ecc_key* key; } eccverify; + struct { + ecc_key* key; + const byte* pubKey; + word32 pubKeySz; + } ecc_check; #endif }; } pk; @@ -229,6 +239,9 @@ WOLFSSL_LOCAL int wc_CryptoCb_Rsa(const byte* in, word32 inLen, byte* out, WOLFSSL_LOCAL int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng); #endif /* WOLFSSL_KEY_GEN */ + +WOLFSSL_LOCAL int wc_CryptoCb_RsaCheckPrivKey(RsaKey* key, const byte* pubKey, + word32 pubKeySz); #endif /* !NO_RSA */ #ifdef HAVE_ECC @@ -243,6 +256,9 @@ WOLFSSL_LOCAL int wc_CryptoCb_EccSign(const byte* in, word32 inlen, byte* out, WOLFSSL_LOCAL int wc_CryptoCb_EccVerify(const byte* sig, word32 siglen, const byte* hash, word32 hashlen, int* res, ecc_key* key); + +WOLFSSL_LOCAL int wc_CryptoCb_EccCheckPrivKey(ecc_key* key, const byte* pubKey, + word32 pubKeySz); #endif /* HAVE_ECC */ #ifndef NO_AES diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index f6e84c8a7..de714e43f 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -152,7 +152,7 @@ enum { /* Shamir's dual add constants */ SHAMIR_PRECOMP_SZ = 16, -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB ECC_MAX_ID_LEN = 32, ECC_MAX_LABEL_LEN = 32, #endif @@ -408,7 +408,7 @@ struct ecc_key { CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */ #endif #endif /* WOLFSSL_ASYNC_CRYPT */ -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB byte id[ECC_MAX_ID_LEN]; int idLen; char label[ECC_MAX_LABEL_LEN]; @@ -547,12 +547,12 @@ WOLFSSL_API int wc_ecc_init(ecc_key* key); WOLFSSL_ABI WOLFSSL_API int wc_ecc_init_ex(ecc_key* key, void* heap, int devId); -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB WOLFSSL_API int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int devId); WOLFSSL_API -int wc_ecc_init_label(ecc_key* key, char* label, void* heap, int devId); +int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId); #endif #ifdef WOLFSSL_CUSTOM_CURVES WOLFSSL_LOCAL diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index ac6988520..806475f30 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -180,7 +180,7 @@ WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId); #ifdef HAVE_PKCS11 WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap, int devId); -WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, char* label, void* heap, +WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, int devId); #endif WOLFSSL_API void wc_HmacFree(Hmac*); diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h index d5cd6194d..769af9ecf 100644 --- a/wolfssl/wolfcrypt/rsa.h +++ b/wolfssl/wolfcrypt/rsa.h @@ -141,7 +141,7 @@ enum { RSA_PSS_SALT_LEN_DISCOVER = -2, #endif -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB RSA_MAX_ID_LEN = 32, RSA_MAX_LABEL_LEN = 32, #endif @@ -185,7 +185,7 @@ struct RsaKey { byte* mod; XSecure_Rsa xRsa; #endif -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB byte id[RSA_MAX_ID_LEN]; int idLen; char label[RSA_MAX_LABEL_LEN]; @@ -216,10 +216,10 @@ struct RsaKey { WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap); WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId); WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); -#ifdef HAVE_PKCS11 +#ifdef WOLF_CRYPTO_CB WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int devId); -WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, +WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId); #endif WOLFSSL_API int wc_CheckRsaKey(RsaKey* key); diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index d9b1bec04..aef56f987 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -861,8 +861,10 @@ decouple library dependencies with standard string, memory and so on. WC_PK_TYPE_CURVE25519 = 7, WC_PK_TYPE_RSA_KEYGEN = 8, WC_PK_TYPE_EC_KEYGEN = 9, + WC_PK_TYPE_RSA_CHECK_PRIV_KEY = 10, + WC_PK_TYPE_EC_CHECK_PRIV_KEY = 11, - WC_PK_TYPE_MAX = WC_PK_TYPE_EC_KEYGEN + WC_PK_TYPE_MAX = WC_PK_TYPE_EC_CHECK_PRIV_KEY };