feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3523 from SparkiDev/pkcs11_fixes_2

Browse Source 
Pkcs11 fixes 2
This commit is contained in:
David Garske
2020-12-14 14:09:26 -08:00
committed by GitHub
parent 032b289835 9b894048fd
commit 428c6b4301
17 changed files with 1271 additions and 342 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
src/internal.c
View File

@@ -1649,6 +1649,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
return BAD_MUTEX_E; return BAD_MUTEX_E;
} }
#ifndef NO_CERTS
ctx->privateKeyDevId = INVALID_DEVID;
#endif
#ifndef NO_DH #ifndef NO_DH
ctx->minDhKeySz = MIN_DHKEY_SZ; ctx->minDhKeySz = MIN_DHKEY_SZ;
ctx->maxDhKeySz = MAX_DHKEY_SZ; ctx->maxDhKeySz = MAX_DHKEY_SZ;
@@ -5353,6 +5357,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->buffers.key = ctx->privateKey; ssl->buffers.key = ctx->privateKey;
ssl->buffers.keyType = ctx->privateKeyType; ssl->buffers.keyType = ctx->privateKeyType;
ssl->buffers.keyId = ctx->privateKeyId; ssl->buffers.keyId = ctx->privateKeyId;
ssl->buffers.keyLabel = ctx->privateKeyLabel;
ssl->buffers.keySz = ctx->privateKeySz; ssl->buffers.keySz = ctx->privateKeySz;
ssl->buffers.keyDevId = ctx->privateKeyDevId; ssl->buffers.keyDevId = ctx->privateKeyDevId;
#endif #endif
@@ -20067,6 +20072,76 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
#if !defined(NO_CERTS) #if !defined(NO_CERTS)
#ifdef WOLF_CRYPTO_CB
/* Create a private key for a device.
*
* pkey Key object.
* data Data to identify key.
* length Length of data.
* hsType Type of the key to create.
* heap Custom heap to use for mallocs/frees
* devId Id for device.
* return 0 on success.
* return NOT_COMPILED_IN if algorithm type not supported.
* return MEMORY_E on memory allocation failure.
* return other internal error
*/
int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
int label, int id, void* heap, int devId)
{
int ret = NOT_COMPILED_IN;
if (hsType == DYNAMIC_TYPE_RSA) {
#ifndef NO_RSA
RsaKey* rsaKey;
rsaKey = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
if (rsaKey == NULL) {
return MEMORY_E;
}
if (label) {
ret = wc_InitRsaKey_Label(rsaKey, (char*)data, heap, devId);
}
else if (id) {
ret = wc_InitRsaKey_Id(rsaKey, data, length, heap, devId);
}
if (ret == 0) {
*pkey = (void*)rsaKey;
}
else {
XFREE(rsaKey, heap, DYNAMIC_TYPE_RSA);
}
#endif
}
else if (hsType == DYNAMIC_TYPE_ECC) {
#ifdef HAVE_ECC
ecc_key* ecKey;
ecKey = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC);
if (ecKey == NULL) {
return MEMORY_E;
}
if (label) {
ret = wc_ecc_init_label(ecKey, (char*)data, heap, devId);
}
else if (id) {
ret = wc_ecc_init_id(ecKey, data, length, heap, devId);
}
if (ret == 0) {
*pkey = (void*)ecKey;
}
else {
XFREE(ecKey, heap, DYNAMIC_TYPE_ECC);
}
#endif
}
return ret;
}
#endif
/* Decode the private key - RSA/ECC/Ed25519/Ed448 - and creates a key object. /* Decode the private key - RSA/ECC/Ed25519/Ed448 - and creates a key object.
* The signature type is set as well. * The signature type is set as well.
* The maximum length of a signature is returned. * The maximum length of a signature is returned.
@@ -20097,7 +20172,8 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
} }
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
if (ssl->buffers.keyDevId != INVALID_DEVID && ssl->buffers.keyId) { if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId ||
ssl->buffers.keyLabel)) {
if (ssl->buffers.keyType == rsa_sa_algo) if (ssl->buffers.keyType == rsa_sa_algo)
ssl->hsType = DYNAMIC_TYPE_RSA; ssl->hsType = DYNAMIC_TYPE_RSA;
else if (ssl->buffers.keyType == ecc_dsa_sa_algo) else if (ssl->buffers.keyType == ecc_dsa_sa_algo)
@@ -20109,9 +20185,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
if (ssl->buffers.keyType == rsa_sa_algo) { if (ssl->buffers.keyType == rsa_sa_algo) {
#ifndef NO_RSA #ifndef NO_RSA
ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey, if (ssl->buffers.keyLabel) {
ssl->buffers.key->buffer, ssl->buffers.key->length, ret = wc_InitRsaKey_Label((RsaKey*)ssl->hsKey,
(char*)ssl->buffers.key->buffer,
ssl->heap, ssl->buffers.keyDevId); ssl->heap, ssl->buffers.keyDevId);
}
else if (ssl->buffers.keyId) {
ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey,
ssl->buffers.key->buffer,
ssl->buffers.key->length, ssl->heap,
ssl->buffers.keyDevId);
}
if (ret == 0) { if (ret == 0) {
if (ssl->buffers.keySz < ssl->options.minRsaKeySz) { if (ssl->buffers.keySz < ssl->options.minRsaKeySz) {
WOLFSSL_MSG("RSA key size too small"); WOLFSSL_MSG("RSA key size too small");
@@ -20127,9 +20211,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
} }
else if (ssl->buffers.keyType == ecc_dsa_sa_algo) { else if (ssl->buffers.keyType == ecc_dsa_sa_algo) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
ret = wc_ecc_init_id((ecc_key*)ssl->hsKey, ssl->buffers.key->buffer, if (ssl->buffers.keyLabel) {
ret = wc_ecc_init_label((ecc_key*)ssl->hsKey,
(char*)ssl->buffers.key->buffer,
ssl->heap, ssl->buffers.keyDevId);
}
else if (ssl->buffers.keyId) {
ret = wc_ecc_init_id((ecc_key*)ssl->hsKey,
ssl->buffers.key->buffer,
ssl->buffers.key->length, ssl->heap, ssl->buffers.key->length, ssl->heap,
ssl->buffers.keyDevId); ssl->buffers.keyDevId);
}
if (ret == 0) { if (ret == 0) {
if (ssl->buffers.keySz < ssl->options.minEccKeySz) { if (ssl->buffers.keySz < ssl->options.minEccKeySz) {
WOLFSSL_MSG("ECC key size too small"); WOLFSSL_MSG("ECC key size too small");

211
src/ssl.c
View File

@@ -5533,7 +5533,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#else #else
DecodedCert cert[1]; DecodedCert cert[1];
#endif #endif
#ifdef HAVE_PK_CALLBACKS #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
int keyType = 0; int keyType = 0;
#endif #endif
@@ -5641,16 +5641,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
switch (cert->keyOID) { switch (cert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
#ifdef HAVE_PK_CALLBACKS #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
keyType = rsa_sa_algo; keyType = rsa_sa_algo;
#endif
#ifdef HAVE_PKCS11
if (ctx) {
ctx->privateKeyType = rsa_sa_algo;
}
else {
ssl->buffers.keyType = rsa_sa_algo;
}
#endif #endif
/* Determine RSA key size by parsing public key */ /* Determine RSA key size by parsing public key */
idx = 0; idx = 0;
@@ -5677,16 +5669,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
case ECDSAk: case ECDSAk:
#ifdef HAVE_PK_CALLBACKS #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
keyType = ecc_dsa_sa_algo; keyType = ecc_dsa_sa_algo;
#endif
#ifdef HAVE_PKCS11
if (ctx) {
ctx->privateKeyType = ecc_dsa_sa_algo;
}
else {
ssl->buffers.keyType = ecc_dsa_sa_algo;
}
#endif #endif
/* Determine ECC key size based on curve */ /* Determine ECC key size based on curve */
keySz = wc_ecc_get_curve_size_from_id( keySz = wc_ecc_get_curve_size_from_id(
@@ -5710,16 +5694,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
case ED25519k: case ED25519k:
#ifdef HAVE_PK_CALLBACKS #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
keyType = ed25519_sa_algo; keyType = ed25519_sa_algo;
#endif
#ifdef HAVE_PKCS11
if (ctx) {
ctx->privateKeyType = ed25519_sa_algo;
}
else {
ssl->buffers.keyType = ed25519_sa_algo;
}
#endif #endif
/* ED25519 is fixed key size */ /* ED25519 is fixed key size */
keySz = ED25519_KEY_SIZE; keySz = ED25519_KEY_SIZE;
@@ -5741,16 +5717,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* HAVE_ED25519 */ #endif /* HAVE_ED25519 */
#ifdef HAVE_ED448 #ifdef HAVE_ED448
case ED448k: case ED448k:
#ifdef HAVE_PK_CALLBACKS #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
keyType = ed448_sa_algo; keyType = ed448_sa_algo;
#endif
#ifdef HAVE_PKCS11
if (ctx) {
ctx->privateKeyType = ed448_sa_algo;
}
else {
ssl->buffers.keyType = ed448_sa_algo;
}
#endif #endif
/* ED448 is fixed key size */ /* ED448 is fixed key size */
keySz = ED448_KEY_SIZE; keySz = ED448_KEY_SIZE;
@@ -5776,12 +5744,20 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
break; /* do no check if not a case for the key */ break; /* do no check if not a case for the key */
} }
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
if (ssl
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
if (ssl && ssl->buffers.keyType == 0) { && ssl->buffers.keyType == 0
#endif
) {
ssl->buffers.keyType = keyType; ssl->buffers.keyType = keyType;
ssl->buffers.keySz = keySz; ssl->buffers.keySz = keySz;
} }
else if (ctx && ctx->privateKeyType == 0) { else if (ctx
#ifdef HAVE_PK_CALLBACKS
&& ctx->privateKeyType == 0
#endif
) {
ctx->privateKeyType = keyType; ctx->privateKeyType = keyType;
ctx->privateKeySz = keySz; ctx->privateKeySz = keySz;
} }
@@ -7377,18 +7353,57 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
size = ctx->privateKey->length; size = ctx->privateKey->length;
buff = ctx->privateKey->buffer; buff = ctx->privateKey->buffer;
#ifdef WOLF_CRYPTO_CB
if (ctx->privateKeyDevId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
if (der->keyOID == RSAk) {
type = DYNAMIC_TYPE_RSA;
}
else if (der->keyOID == ECDSAk) {
type = DYNAMIC_TYPE_ECC;
}
ret = CreateDevPrivateKey(&pkey, buff, size, type, ctx->privateKeyLabel,
ctx->privateKeyId, ctx->heap,
ctx->privateKeyDevId);
if (ret == 0 && der->keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der->publicKey,
der->pubKeySize);
wc_FreeRsaKey(pkey);
}
else if (ret == 0 && der->keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey(pkey, der->publicKey,
der->pubKeySize);
wc_ecc_free(pkey);
}
if (pkey != NULL) {
XFREE(pkey, ctx->heap, type);
}
if (ret == 0) {
ret = WOLFSSL_SUCCESS;
}
else {
ret = WOLFSSL_FAILURE;
}
}
else
#endif
{
ret = wc_CheckPrivateKey(buff, size, der); ret = wc_CheckPrivateKey(buff, size, der);
if (ret == 1) {
ret = WOLFSSL_SUCCESS;
}
else {
ret = WOLFSSL_FAILURE;
}
}
FreeDecodedCert(der); FreeDecodedCert(der);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(der, NULL, DYNAMIC_TYPE_DCERT); XFREE(der, NULL, DYNAMIC_TYPE_DCERT);
#endif #endif
if (ret == 1) { return ret;
return WOLFSSL_SUCCESS;
}
else {
return WOLFSSL_FAILURE;
}
#else #else
WOLFSSL_MSG("NO_CERTS is defined, can not check private key"); WOLFSSL_MSG("NO_CERTS is defined, can not check private key");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
@@ -7944,6 +7959,41 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
size = ssl->buffers.key->length; size = ssl->buffers.key->length;
buff = ssl->buffers.key->buffer; buff = ssl->buffers.key->buffer;
#ifdef WOLF_CRYPTO_CB
if (ssl->buffers.keyDevId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
if (der.keyOID == RSAk) {
type = DYNAMIC_TYPE_RSA;
}
else if (der.keyOID == ECDSAk) {
type = DYNAMIC_TYPE_ECC;
}
ret = CreateDevPrivateKey(&pkey, buff, size, type,
ssl->buffers.keyLabel,
ssl->buffers.keyId, ssl->heap,
ssl->buffers.keyDevId);
if (ret == 0 && der.keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = 1;
wc_FreeRsaKey(pkey);
}
else if (ret == 0 && der.keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey(pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = 1;
wc_ecc_free(pkey);
}
if (pkey != NULL) {
XFREE(pkey, ssl->heap, type);
}
}
else
#endif
ret = wc_CheckPrivateKey(buff, size, &der); ret = wc_CheckPrivateKey(buff, size, &der);
FreeDecodedCert(&der); FreeDecodedCert(&der);
return ret; return ret;
@@ -14145,6 +14195,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id,
long sz, int devId, long keySz) long sz, int devId, long keySz)
{
int ret = wolfSSL_CTX_use_PrivateKey_Id(ctx, id, sz, devId);
if (ret == WOLFSSL_SUCCESS)
ctx->privateKeySz = (word32)keySz;
return ret;
}
int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,
long sz, int devId)
{ {
int ret = WOLFSSL_FAILURE; int ret = WOLFSSL_FAILURE;
@@ -14153,7 +14214,28 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->heap) == 0) { ctx->heap) == 0) {
XMEMCPY(ctx->privateKey->buffer, id, sz); XMEMCPY(ctx->privateKey->buffer, id, sz);
ctx->privateKeyId = 1; ctx->privateKeyId = 1;
ctx->privateKeySz = (word32)keySz; if (devId != INVALID_DEVID)
ctx->privateKeyDevId = devId;
else
ctx->privateKeyDevId = ctx->devId;
ret = WOLFSSL_SUCCESS;
}
return ret;
}
int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label,
int devId)
{
int ret = WOLFSSL_FAILURE;
word32 sz = (word32)XSTRLEN(label) + 1;
FreeDer(&ctx->privateKey);
if (AllocDer(&ctx->privateKey, (word32)sz, PRIVATEKEY_TYPE,
ctx->heap) == 0) {
XMEMCPY(ctx->privateKey->buffer, label, sz);
ctx->privateKeyLabel = 1;
if (devId != INVALID_DEVID) if (devId != INVALID_DEVID)
ctx->privateKeyDevId = devId; ctx->privateKeyDevId = devId;
else else
@@ -14308,9 +14390,20 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
} }
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id, int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id,
long sz, int devId, long keySz) long sz, int devId, long keySz)
{
int ret = wolfSSL_use_PrivateKey_Id(ssl, id, sz, devId);
if (ret == WOLFSSL_SUCCESS)
ssl->buffers.keySz = (word32)keySz;
return ret;
}
int wolfSSL_use_PrivateKey_Id(WOLFSSL* ssl, const unsigned char* id,
long sz, int devId)
{ {
int ret = WOLFSSL_FAILURE; int ret = WOLFSSL_FAILURE;
@@ -14321,7 +14414,29 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
XMEMCPY(ssl->buffers.key->buffer, id, sz); XMEMCPY(ssl->buffers.key->buffer, id, sz);
ssl->buffers.weOwnKey = 1; ssl->buffers.weOwnKey = 1;
ssl->buffers.keyId = 1; ssl->buffers.keyId = 1;
ssl->buffers.keySz = (word32)keySz; if (devId != INVALID_DEVID)
ssl->buffers.keyDevId = devId;
else
ssl->buffers.keyDevId = ssl->devId;
ret = WOLFSSL_SUCCESS;
}
return ret;
}
int wolfSSL_use_PrivateKey_Label(WOLFSSL* ssl, const char* label, int devId)
{
int ret = WOLFSSL_FAILURE;
word32 sz = (word32)XSTRLEN(label) + 1;
if (ssl->buffers.weOwnKey)
FreeDer(&ssl->buffers.key);
if (AllocDer(&ssl->buffers.key, (word32)sz, PRIVATEKEY_TYPE,
ssl->heap) == 0) {
XMEMCPY(ssl->buffers.key->buffer, label, sz);
ssl->buffers.weOwnKey = 1;
ssl->buffers.keyLabel = 1;
if (devId != INVALID_DEVID) if (devId != INVALID_DEVID)
ssl->buffers.keyDevId = devId; ssl->buffers.keyDevId = devId;
else else

25
wolfcrypt/src/aes.c
View File

@@ -8094,6 +8094,31 @@ int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId)
if (ret == 0) { if (ret == 0) {
XMEMCPY(aes->id, id, len); XMEMCPY(aes->id, id, len);
aes->idLen = len; aes->idLen = len;
aes->labelLen = 0;
}
return ret;
}
int wc_AesInit_Label(Aes* aes, const char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (aes == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = (int)XSTRLEN(label);
if (labelLen == 0 || labelLen > AES_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_AesInit(aes, heap, devId);
if (ret == 0) {
XMEMCPY(aes->label, label, labelLen);
aes->labelLen = labelLen;
aes->idLen = 0;
} }
return ret; return ret;

52
wolfcrypt/src/cryptocb.c
View File

@@ -176,6 +176,32 @@ int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return wc_CryptoCb_TranslateErrorCode(ret); return wc_CryptoCb_TranslateErrorCode(ret);
} }
#endif #endif
int wc_CryptoCb_RsaCheckPrivKey(RsaKey* key, const byte* pubKey,
word32 pubKeySz)
{
int ret = CRYPTOCB_UNAVAILABLE;
CryptoCb* dev;
if (key == NULL)
return ret;
/* locate registered callback */
dev = wc_CryptoCb_FindDevice(key->devId);
if (dev && dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
cryptoInfo.pk.type = WC_PK_TYPE_RSA_CHECK_PRIV_KEY;
cryptoInfo.pk.rsa_check.key = key;
cryptoInfo.pk.rsa_check.pubKey = pubKey;
cryptoInfo.pk.rsa_check.pubKeySz = pubKeySz;
ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
}
return wc_CryptoCb_TranslateErrorCode(ret);
}
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
@@ -289,6 +315,32 @@ int wc_CryptoCb_EccVerify(const byte* sig, word32 siglen,
return wc_CryptoCb_TranslateErrorCode(ret); return wc_CryptoCb_TranslateErrorCode(ret);
} }
int wc_CryptoCb_EccCheckPrivKey(ecc_key* key, const byte* pubKey,
word32 pubKeySz)
{
int ret = CRYPTOCB_UNAVAILABLE;
CryptoCb* dev;
if (key == NULL)
return ret;
/* locate registered callback */
dev = wc_CryptoCb_FindDevice(key->devId);
if (dev && dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
cryptoInfo.pk.type = WC_PK_TYPE_EC_CHECK_PRIV_KEY;
cryptoInfo.pk.ecc_check.key = key;
cryptoInfo.pk.ecc_check.pubKey = pubKey;
cryptoInfo.pk.ecc_check.pubKeySz = pubKeySz;
ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
}
return wc_CryptoCb_TranslateErrorCode(ret);
}
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifndef NO_AES #ifndef NO_AES

26
wolfcrypt/src/ecc.c
View File

@@ -4768,7 +4768,7 @@ int wc_ecc_init(ecc_key* key)
return wc_ecc_init_ex(key, NULL, INVALID_DEVID); return wc_ecc_init_ex(key, NULL, INVALID_DEVID);
} }
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId) int devId)
{ {
@@ -4781,7 +4781,6 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
if (ret == 0) if (ret == 0)
ret = wc_ecc_init_ex(key, heap, devId); ret = wc_ecc_init_ex(key, heap, devId);
if (ret == 0 && id != NULL && len != 0) { if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, len); XMEMCPY(key->id, id, len);
key->idLen = len; key->idLen = len;
@@ -4789,6 +4788,29 @@ int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
return ret; return ret;
} }
int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (key == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = (int)XSTRLEN(label);
if (labelLen == 0 || labelLen > ECC_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_ecc_init_ex(key, heap, devId);
if (ret == 0) {
XMEMCPY(key->label, label, labelLen);
key->labelLen = labelLen;
}
return ret;
}
#endif #endif
int wc_ecc_set_flags(ecc_key* key, word32 flags) int wc_ecc_set_flags(ecc_key* key, word32 flags)

23
wolfcrypt/src/hmac.c
View File

@@ -1022,6 +1022,29 @@ int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap,
return ret; return ret;
} }
int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (hmac == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = (int)XSTRLEN(label);
if (labelLen == 0 || labelLen > HMAC_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_HmacInit(hmac, heap, devId);
if (ret == 0) {
XMEMCPY(hmac->label, label, labelLen);
hmac->labelLen = labelLen;
}
return ret;
}
#endif #endif
/* Free Hmac from use with async device */ /* Free Hmac from use with async device */

26
wolfcrypt/src/rsa.c
View File

@@ -341,7 +341,7 @@ int wc_InitRsaKey(RsaKey* key, void* heap)
return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
} }
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
int devId) int devId)
{ {
@@ -354,7 +354,6 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
if (ret == 0) if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId); ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0 && id != NULL && len != 0) { if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, len); XMEMCPY(key->id, id, len);
key->idLen = len; key->idLen = len;
@@ -362,6 +361,29 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
return ret; return ret;
} }
int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (key == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = (int)XSTRLEN(label);
if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0) {
XMEMCPY(key->label, label, labelLen);
key->labelLen = labelLen;
}
return ret;
}
#endif #endif

859
wolfcrypt/src/wc_pkcs11.c
View File

File diff suppressed because it is too large Load Diff

11
wolfssl/internal.h
View File

@@ -1692,6 +1692,11 @@ WOLFSSL_LOCAL int CompleteServerHello(WOLFSSL *ssl);
WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv); WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv);
WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
word32 hashSigAlgoSz); word32 hashSigAlgoSz);
#ifdef WOLF_CRYPTO_CB
WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* buffer, word32 length,
int hsType, int label, int id,
void* heap, int devId);
#endif
WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word16* length); WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word16* length);
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
WOLFSSL_LOCAL int GetPrivateKeySigSize(WOLFSSL* ssl); WOLFSSL_LOCAL int GetPrivateKeySigSize(WOLFSSL* ssl);
@@ -2670,8 +2675,9 @@ struct WOLFSSL_CTX {
int certChainCnt; int certChainCnt;
#endif #endif
DerBuffer* privateKey; DerBuffer* privateKey;
byte privateKeyType:7; byte privateKeyType:6;
byte privateKeyId:1; byte privateKeyId:1;
byte privateKeyLabel:1;
int privateKeySz; int privateKeySz;
int privateKeyDevId; int privateKeyDevId;
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
@@ -3326,8 +3332,9 @@ typedef struct Buffers {
#ifndef NO_CERTS #ifndef NO_CERTS
DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */ DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */
DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */ DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */
byte keyType:7; /* Type of key: RSA, ECC, Ed25519 */ byte keyType:6; /* Type of key: RSA, ECC, Ed25519 */
byte keyId:1; /* Key data is an id not data */ byte keyId:1; /* Key data is an id not data */
byte keyLabel:1; /* Key data is a label not data */
int keySz; /* Size of RSA key */ int keySz; /* Size of RSA key */
int keyDevId; /* Device Id for key */ int keyDevId; /* Device Id for key */
DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */ DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */

15
wolfssl/ssl.h
View File

@@ -40,6 +40,10 @@
#include <wolfssl/wolfcrypt/wolfevent.h> #include <wolfssl/wolfcrypt/wolfevent.h>
#endif #endif
#ifdef WOLF_CRYPTO_CB
#include <wolfssl/wolfcrypt/cryptocb.h>
#endif
/* used internally by wolfSSL while OpenSSL types aren't */ /* used internally by wolfSSL while OpenSSL types aren't */
#include <wolfssl/callbacks.h> #include <wolfssl/callbacks.h>
@@ -2324,7 +2328,13 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*, WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*,
const unsigned char*, long, int); const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX*, WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX*,
const unsigned char*, long, int, long); const unsigned char*, long,
int, long);
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX*,
const unsigned char*, long,
int);
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX*, const char*,
int);
WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX*, WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX*,
const unsigned char*, long, int); const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*, WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*,
@@ -2339,6 +2349,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
long, int); long, int);
WOLFSSL_API int wolfSSL_use_PrivateKey_id(WOLFSSL*, const unsigned char*, WOLFSSL_API int wolfSSL_use_PrivateKey_id(WOLFSSL*, const unsigned char*,
long, int, long); long, int, long);
WOLFSSL_API int wolfSSL_use_PrivateKey_Id(WOLFSSL*, const unsigned char*,
long, int);
WOLFSSL_API int wolfSSL_use_PrivateKey_Label(WOLFSSL*, const char*, int);
WOLFSSL_API int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL*, WOLFSSL_API int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL*,
const unsigned char*, long, int); const unsigned char*, long, int);
WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*, WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*,

5
wolfssl/wolfcrypt/aes.h
View File

@@ -144,6 +144,7 @@ enum {
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
AES_MAX_ID_LEN = 32, AES_MAX_ID_LEN = 32,
AES_MAX_LABEL_LEN = 32,
#endif #endif
}; };
@@ -192,6 +193,8 @@ struct Aes {
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
byte id[AES_MAX_ID_LEN]; byte id[AES_MAX_ID_LEN];
int idLen; int idLen;
char label[AES_MAX_LABEL_LEN];
int labelLen;
#endif #endif
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
WC_ASYNC_DEV asyncDev; WC_ASYNC_DEV asyncDev;
@@ -437,6 +440,8 @@ WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId);
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap,
int devId); int devId);
WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap,
int devId);
#endif #endif
WOLFSSL_API void wc_AesFree(Aes* aes); WOLFSSL_API void wc_AesFree(Aes* aes);

16
wolfssl/wolfcrypt/cryptocb.h
View File

@@ -85,6 +85,11 @@ typedef struct wc_CryptoInfo {
WC_RNG* rng; WC_RNG* rng;
} rsakg; } rsakg;
#endif #endif
struct {
RsaKey* key;
const byte* pubKey;
word32 pubKeySz;
} rsa_check;
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
struct { struct {
@@ -115,6 +120,11 @@ typedef struct wc_CryptoInfo {
int* res; int* res;
ecc_key* key; ecc_key* key;
} eccverify; } eccverify;
struct {
ecc_key* key;
const byte* pubKey;
word32 pubKeySz;
} ecc_check;
#endif #endif
}; };
} pk; } pk;
@@ -229,6 +239,9 @@ WOLFSSL_LOCAL int wc_CryptoCb_Rsa(const byte* in, word32 inLen, byte* out,
WOLFSSL_LOCAL int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e, WOLFSSL_LOCAL int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e,
WC_RNG* rng); WC_RNG* rng);
#endif /* WOLFSSL_KEY_GEN */ #endif /* WOLFSSL_KEY_GEN */
WOLFSSL_LOCAL int wc_CryptoCb_RsaCheckPrivKey(RsaKey* key, const byte* pubKey,
word32 pubKeySz);
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
@@ -243,6 +256,9 @@ WOLFSSL_LOCAL int wc_CryptoCb_EccSign(const byte* in, word32 inlen, byte* out,
WOLFSSL_LOCAL int wc_CryptoCb_EccVerify(const byte* sig, word32 siglen, WOLFSSL_LOCAL int wc_CryptoCb_EccVerify(const byte* sig, word32 siglen,
const byte* hash, word32 hashlen, int* res, ecc_key* key); const byte* hash, word32 hashlen, int* res, ecc_key* key);
WOLFSSL_LOCAL int wc_CryptoCb_EccCheckPrivKey(ecc_key* key, const byte* pubKey,
word32 pubKeySz);
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifndef NO_AES #ifndef NO_AES

11
wolfssl/wolfcrypt/ecc.h
View File

@@ -152,8 +152,9 @@ enum {
/* Shamir's dual add constants */ /* Shamir's dual add constants */
SHAMIR_PRECOMP_SZ = 16, SHAMIR_PRECOMP_SZ = 16,
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
ECC_MAX_ID_LEN = 32, ECC_MAX_ID_LEN = 32,
ECC_MAX_LABEL_LEN = 32,
#endif #endif
}; };
@@ -407,9 +408,11 @@ struct ecc_key {
CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */ CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */
#endif #endif
#endif /* WOLFSSL_ASYNC_CRYPT */ #endif /* WOLFSSL_ASYNC_CRYPT */
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
byte id[ECC_MAX_ID_LEN]; byte id[ECC_MAX_ID_LEN];
int idLen; int idLen;
char label[ECC_MAX_LABEL_LEN];
int labelLen;
#endif #endif
#if defined(WOLFSSL_CRYPTOCELL) #if defined(WOLFSSL_CRYPTOCELL)
ecc_context_t ctx; ecc_context_t ctx;
@@ -544,10 +547,12 @@ WOLFSSL_API
int wc_ecc_init(ecc_key* key); int wc_ecc_init(ecc_key* key);
WOLFSSL_ABI WOLFSSL_API WOLFSSL_ABI WOLFSSL_API
int wc_ecc_init_ex(ecc_key* key, void* heap, int devId); int wc_ecc_init_ex(ecc_key* key, void* heap, int devId);
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
WOLFSSL_API WOLFSSL_API
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId); int devId);
WOLFSSL_API
int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId);
#endif #endif
#ifdef WOLFSSL_CUSTOM_CURVES #ifdef WOLFSSL_CUSTOM_CURVES
WOLFSSL_LOCAL WOLFSSL_LOCAL

7
wolfssl/wolfcrypt/hmac.h
View File

@@ -95,6 +95,7 @@ enum {
#endif #endif
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
HMAC_MAX_ID_LEN = 32, HMAC_MAX_ID_LEN = 32,
HMAC_MAX_LABEL_LEN = 32,
#endif #endif
}; };
@@ -153,6 +154,8 @@ struct Hmac {
#ifdef HAVE_PKCS11 #ifdef HAVE_PKCS11
byte id[HMAC_MAX_ID_LEN]; byte id[HMAC_MAX_ID_LEN];
int idLen; int idLen;
char label[HMAC_MAX_LABEL_LEN];
int labelLen;
#endif #endif
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB) #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
word16 keyLen; /* hmac key length (key in ipad) */ word16 keyLen; /* hmac key length (key in ipad) */
@@ -174,8 +177,12 @@ WOLFSSL_API int wc_HmacFinal(Hmac*, byte*);
WOLFSSL_API int wc_HmacSizeByType(int type); WOLFSSL_API int wc_HmacSizeByType(int type);
WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId); WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId);
#ifdef HAVE_PKCS11
WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap, WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap,
int devId); int devId);
WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap,
int devId);
#endif
WOLFSSL_API void wc_HmacFree(Hmac*); WOLFSSL_API void wc_HmacFree(Hmac*);
WOLFSSL_API int wolfSSL_GetHmacMaxSize(void); WOLFSSL_API int wolfSSL_GetHmacMaxSize(void);

11
wolfssl/wolfcrypt/rsa.h
View File

@@ -141,8 +141,9 @@ enum {
RSA_PSS_SALT_LEN_DISCOVER = -2, RSA_PSS_SALT_LEN_DISCOVER = -2,
#endif #endif
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
RSA_MAX_ID_LEN = 32, RSA_MAX_ID_LEN = 32,
RSA_MAX_LABEL_LEN = 32,
#endif #endif
}; };
@@ -184,9 +185,11 @@ struct RsaKey {
byte* mod; byte* mod;
XSecure_Rsa xRsa; XSecure_Rsa xRsa;
#endif #endif
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
byte id[RSA_MAX_ID_LEN]; byte id[RSA_MAX_ID_LEN];
int idLen; int idLen;
char label[RSA_MAX_LABEL_LEN];
int labelLen;
#endif #endif
#if defined(WOLFSSL_ASYNC_CRYPT) || !defined(WOLFSSL_RSA_VERIFY_INLINE) #if defined(WOLFSSL_ASYNC_CRYPT) || !defined(WOLFSSL_RSA_VERIFY_INLINE)
byte dataIsAlloc; byte dataIsAlloc;
@@ -213,9 +216,11 @@ struct RsaKey {
WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap); WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap);
WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId); WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId);
WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
#ifdef HAVE_PKCS11 #ifdef WOLF_CRYPTO_CB
WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len,
void* heap, int devId); void* heap, int devId);
WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap,
int devId);
#endif #endif
WOLFSSL_API int wc_CheckRsaKey(RsaKey* key); WOLFSSL_API int wc_CheckRsaKey(RsaKey* key);
#ifdef WOLFSSL_XILINX_CRYPT #ifdef WOLFSSL_XILINX_CRYPT

4
wolfssl/wolfcrypt/types.h
View File

@@ -861,8 +861,10 @@ decouple library dependencies with standard string, memory and so on.
WC_PK_TYPE_CURVE25519 = 7, WC_PK_TYPE_CURVE25519 = 7,
WC_PK_TYPE_RSA_KEYGEN = 8, WC_PK_TYPE_RSA_KEYGEN = 8,
WC_PK_TYPE_EC_KEYGEN = 9, WC_PK_TYPE_EC_KEYGEN = 9,
WC_PK_TYPE_RSA_CHECK_PRIV_KEY = 10,
WC_PK_TYPE_EC_CHECK_PRIV_KEY = 11,
WC_PK_TYPE_MAX = WC_PK_TYPE_EC_KEYGEN WC_PK_TYPE_MAX = WC_PK_TYPE_EC_CHECK_PRIV_KEY
}; };

1
wolfssl/wolfcrypt/wc_pkcs11.h
View File

@@ -67,7 +67,6 @@ enum Pkcs11KeyType {
PKCS11_KEY_TYPE_EC, PKCS11_KEY_TYPE_EC,
}; };
WOLFSSL_API int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, WOLFSSL_API int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library,
void* heap); void* heap);
WOLFSSL_API void wc_Pkcs11_Finalize(Pkcs11Dev* dev); WOLFSSL_API void wc_Pkcs11_Finalize(Pkcs11Dev* dev);