wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-30 16:42:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

PKCS#11: Label fixes and add support for checking private key

Browse Source 
Check private key matches the public key passed in.
Need to use a new API to pass in the token to use to perform PKCS #11
operations with.
This commit is contained in:
Sean Parkinson
2020-11-02 17:13:10 +10:00
parent 43aeac4cf4
commit 5ca8e8f87c
16 changed files with 624 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
src/internal.c
View File

@@ -1649,6 +1649,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
return BAD_MUTEX_E;
}
#ifndef NO_CERTS
ctx->privateKeyDevId = INVALID_DEVID;
#endif
#ifndef NO_DH
ctx->minDhKeySz = MIN_DHKEY_SZ;
ctx->maxDhKeySz = MAX_DHKEY_SZ;
@@ -20048,6 +20052,76 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
#if !defined(NO_CERTS)
#ifdef WOLF_CRYPTO_CB
/* Create a private key for a device.
*
* pkey Key object.
* data Data to identify key.
* length Length of data.
* hsType Type of the key to create.
* heap Custom heap to use for mallocs/frees
* devId Id for device.
* return 0 on success.
* return NOT_COMPILED_IN if algorithm type not supported.
* return MEMORY_E on memory allocation failure.
* return other internal error
*/
int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
int label, int id, void* heap, int devId)
{
int ret = NOT_COMPILED_IN;
if (hsType == DYNAMIC_TYPE_RSA) {
#ifndef NO_RSA
RsaKey* rsaKey;
rsaKey = XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
if (rsaKey == NULL) {
return MEMORY_E;
}
if (label) {
ret = wc_InitRsaKey_Label(rsaKey, (char*)data, heap, devId);
}
else if (id) {
ret = wc_InitRsaKey_Id(rsaKey, data, length, heap, devId);
}
if (ret == 0) {
*pkey = (void*)rsaKey;
}
else {
XFREE(rsaKey, heap, DYNAMIC_TYPE_EC);
}
#endif
}
else if (hsType == DYNAMIC_TYPE_ECC) {
#ifdef HAVE_ECC
ecc_key* ecKey;
ecKey = XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC);
if (ecKey == NULL) {
return MEMORY_E;
}
if (label) {
ret = wc_ecc_init_label(ecKey, (char*)data, heap, devId);
}
else if (id) {
ret = wc_ecc_init_id(ecKey, data, length, heap, devId);
}
if (ret == 0) {
*pkey = (void*)ecKey;
}
else {
XFREE(ecKey, heap, DYNAMIC_TYPE_EC);
}
#endif
}
return ret;
}
#endif
/* Decode the private key - RSA/ECC/Ed25519/Ed448 - and creates a key object.
* The signature type is set as well.
* The maximum length of a signature is returned.

112
src/ssl.c
View File

@@ -7353,7 +7353,41 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
size = ctx->privateKey->length;
buff = ctx->privateKey->buffer;
ret = wc_CheckPrivateKey(buff, size, der);
#ifdef WOLF_CRYPTO_CB
if (ctx->privateKeyDevId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
if (der->keyOID == RSAk) {
type = DYNAMIC_TYPE_RSA;
}
else if (der->keyOID == ECDSAk) {
type = DYNAMIC_TYPE_ECC;
}
ret = CreateDevPrivateKey(&pkey, buff, size, type, ctx->privateKeyLabel,
ctx->privateKeyId, ctx->heap,
ctx->privateKeyDevId);
if (ret == 0 && der->keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der->publicKey,
der->pubKeySize);
if (ret == 0)
ret = 1;
wc_FreeRsaKey(pkey);
}
else if (ret == 0 && der->keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey(pkey, der->publicKey,
der->pubKeySize);
if (ret == 0)
ret = 1;
wc_ecc_free(pkey);
}
if (pkey != NULL) {
XFREE(pkey, ctx->heap, type);
}
}
else
#endif
ret = wc_CheckPrivateKey(buff, size, der);
FreeDecodedCert(der);
#ifdef WOLFSSL_SMALL_STACK
XFREE(der, NULL, DYNAMIC_TYPE_DCERT);
@@ -7920,7 +7954,42 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
size = ssl->buffers.key->length;
buff = ssl->buffers.key->buffer;
ret = wc_CheckPrivateKey(buff, size, &der);
#ifdef WOLF_CRYPTO_CB
if (ssl->buffers.keyDevId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
if (der.keyOID == RSAk) {
type = DYNAMIC_TYPE_RSA;
}
else if (der.keyOID == ECDSAk) {
type = DYNAMIC_TYPE_ECC;
}
ret = CreateDevPrivateKey(&pkey, buff, size, type,
ssl->buffers.keyLabel,
ssl->buffers.keyId, ssl->heap,
ssl->buffers.keyDevId);
if (ret == 0 && der.keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = 1;
wc_FreeRsaKey(pkey);
}
else if (ret == 0 && der.keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey(pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = 1;
wc_ecc_free(pkey);
}
if (pkey != NULL) {
XFREE(pkey, ctx->heap, type);
}
}
else
#endif
ret = wc_CheckPrivateKey(buff, size, &der);
FreeDecodedCert(&der);
return ret;
}
@@ -14119,6 +14188,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#ifdef HAVE_PKCS11
int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id,
long sz, int devId, long keySz)
{
int ret = wolfSSL_CTX_use_PrivateKey_Id(ctx, id, sz, devId);
if (ret == WOLFSSL_SUCCESS)
ctx->privateKeySz = (word32)keySz;
return ret;
}
int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,
long sz, int devId)
{
int ret = WOLFSSL_FAILURE;
@@ -14127,7 +14207,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->heap) == 0) {
XMEMCPY(ctx->privateKey->buffer, id, sz);
ctx->privateKeyId = 1;
ctx->privateKeySz = (word32)keySz;
if (devId != INVALID_DEVID)
ctx->privateKeyDevId = devId;
else
@@ -14139,18 +14218,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
int wolfSSL_CTX_use_PrivateKey_label(WOLFSSL_CTX* ctx, const char* label,
int devId, long keySz)
int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label,
int devId)
{
int ret = WOLFSSL_FAILURE;
word32 sz = XSTRLEN(label) + 1;
word32 sz = (word32)XSTRLEN(label) + 1;
FreeDer(&ctx->privateKey);
if (AllocDer(&ctx->privateKey, (word32)sz, PRIVATEKEY_TYPE,
ctx->heap) == 0) {
XMEMCPY(ctx->privateKey->buffer, label, sz);
ctx->privateKeyLabel = 1;
ctx->privateKeySz = (word32)keySz;
if (devId != INVALID_DEVID)
ctx->privateKeyDevId = devId;
else
@@ -14305,9 +14383,20 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
}
#ifdef HAVE_PKCS11
#ifdef WOLF_CRYPTO_CB
int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id,
long sz, int devId, long keySz)
{
int ret = wolfSSL_use_PrivateKey_Id(ssl, id, sz, devId);
if (ret == WOLFSSL_SUCCESS)
ssl->buffers.keySz = (word32)keySz;
return ret;
}
int wolfSSL_use_PrivateKey_Id(WOLFSSL* ssl, const unsigned char* id,
long sz, int devId)
{
int ret = WOLFSSL_FAILURE;
@@ -14318,7 +14407,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
XMEMCPY(ssl->buffers.key->buffer, id, sz);
ssl->buffers.weOwnKey = 1;
ssl->buffers.keyId = 1;
ssl->buffers.keySz = (word32)keySz;
if (devId != INVALID_DEVID)
ssl->buffers.keyDevId = devId;
else
@@ -14330,11 +14418,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
int wolfSSL_use_PrivateKey_label(WOLFSSL* ssl, const char* label, int devId,
long keySz)
int wolfSSL_use_PrivateKey_Label(WOLFSSL* ssl, const char* label, int devId)
{
int ret = WOLFSSL_FAILURE;
word32 sz = XSTRLEN(label) + 1;
word32 sz = (word32)XSTRLEN(label) + 1;
if (ssl->buffers.weOwnKey)
FreeDer(&ssl->buffers.key);
@@ -14343,7 +14430,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
XMEMCPY(ssl->buffers.key->buffer, label, sz);
ssl->buffers.weOwnKey = 1;
ssl->buffers.keyLabel = 1;
ssl->buffers.keySz = (word32)keySz;
if (devId != INVALID_DEVID)
ssl->buffers.keyDevId = devId;
else