wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Minor SE050 improvements

Browse Source 
Adds two features for SE050:

1. `WOLFSSL_SE050_AUTO_ERASE`. When enabled, this will automatically
   erase a key from the SE050 when `wc_ecc_free()` and friends are
   called.
2. `WOLFSSL_SE050_NO_RSA`. This stops RSA offloading onto the SE050,
   useful for the SE050E which does not have RSA support.
This commit is contained in:
Andrew Hutchings
2025-02-11 15:19:31 +00:00
parent be5f203274
commit cb42f18a47
7 changed files with 31 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.wolfssl_known_macro_extras
View File

@ -758,9 +758,11 @@ WOLFSSL_RSA_DECRYPT_TO_0_LEN
WOLFSSL_RW_THREADED
WOLFSSL_SAKKE_SMALL
WOLFSSL_SAKKE_SMALL_MODEXP
WOLFSSL_SE050_AUTO_ERASE
WOLFSSL_SE050_CRYPT
WOLFSSL_SE050_HASH
WOLFSSL_SE050_INIT
WOLFSSL_SE050_NO_RSA
WOLFSSL_SE050_NO_TRNG
WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
WOLFSSL_SETTINGS_FILE

3
wolfcrypt/src/curve25519.c
View File

@ -639,6 +639,9 @@ int wc_curve25519_import_private_ex(const byte* priv, word32 privSz,
}
#ifdef WOLFSSL_SE050
#ifdef WOLFSSL_SE050_AUTO_ERASE
wc_se050_erase_object(key->keyId);
#endif
/* release NXP resources if set */
se050_curve25519_free_key(key);
#endif

3
wolfcrypt/src/ecc.c
View File

@ -7950,6 +7950,9 @@ int wc_ecc_free(ecc_key* key)
#endif
#ifdef WOLFSSL_SE050
#ifdef WOLFSSL_SE050_AUTO_ERASE
wc_se050_erase_object(key->keyId);
#endif
se050_ecc_free_key(key);
#endif

3
wolfcrypt/src/ed25519.c
View File

@ -1104,6 +1104,9 @@ void wc_ed25519_free(ed25519_key* key)
#endif
#ifdef WOLFSSL_SE050
#ifdef WOLFSSL_SE050_AUTO_ERASE
wc_se050_erase_object(key->keyId);
#endif
se050_ed25519_free_key(key);
#endif

9
wolfcrypt/src/port/nxp/README_SE050.md
View File

@ -205,6 +205,10 @@ value based on an incrementing counter past the value defined by this define.
If not defined, this value will default to **100**.
**`WOLFSSL_SE050_AUTO_ERASE`**
Automatically erases the key from the SE050 when `wc_*_free()` is called.
**`WOLFSSL_SE050_FACTORY_RESET`**
When defined, calls to `wolfSSL_Init()` or `wolfCrypt_Init()` will factory
@ -237,6 +241,11 @@ a Raspberry Pi with SE05x EdgeLock dev kit. If `WOLFSSL_SE050_NO_TRNG` is
defined, wolfCrypt will instead fall back to using `/dev/random` and
`/dev/urandom` on the Raspberry Pi.
**`WOLFSSL_SE050_NO_RSA`**
Disables using the SE050 for RSA, useful for the SE050E which does not have
RSA support.
## wolfSSL HostCrypto Support
The NXP SE05x Plug & Trust Middleware by default can use either OpenSSL or

4
wolfcrypt/src/port/nxp/se050_port.c
View File

@ -54,7 +54,7 @@
#define SE050_ECC_DER_MAX 256
#endif
#endif
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(WOLFSSL_SE050_NO_RSA)
#include <wolfssl/wolfcrypt/rsa.h>
struct RsaKey;
#endif
@ -659,7 +659,7 @@ int wc_se050_get_binary_object(word32 keyId, byte* out, word32* outSz)
return ret;
}
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(WOLFSSL_SE050_NO_RSA)
/**
* Use specified SE050 key ID with this RsaKey struct.

17
wolfcrypt/src/rsa.c
View File

@ -53,7 +53,7 @@ RSA keys can be used to encrypt, decrypt, sign and verify data.
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
#include <xsecure_rsaclient.h>
#endif
#ifdef WOLFSSL_SE050
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#endif
#ifdef WOLFSSL_HAVE_SP_RSA
@ -298,7 +298,7 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
int devId)
{
int ret = 0;
#ifdef WOLFSSL_SE050
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
/* SE050 TLS users store a word32 at id, need to cast back */
word32* keyPtr = NULL;
#endif
@ -312,7 +312,7 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, (size_t)len);
key->idLen = len;
#ifdef WOLFSSL_SE050
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
/* Set SE050 ID from word32, populate RsaKey with public from SE050 */
if (len == (int)sizeof(word32)) {
keyPtr = (word32*)key->id;
@ -521,7 +521,7 @@ static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
}
#endif /* WOLFSSL_CRYPTOCELL */
#ifdef WOLFSSL_SE050
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
/* Use specified hardware key ID with RsaKey operations. Unlike devId,
* keyId is a word32 so can handle key IDs larger than an int.
*
@ -3368,7 +3368,7 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
cc310_hashModeRSA(hash, 0));
}
#elif defined(WOLFSSL_SE050)
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
if (rsa_type == RSA_PUBLIC_ENCRYPT && pad_value == RSA_BLOCK_TYPE_2) {
return se050_rsa_public_encrypt(in, inLen, out, outLen, key,
rsa_type, pad_value, pad_type, hash,
@ -3530,7 +3530,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
return cc310_RsaSSL_Verify(in, inLen, out, key,
cc310_hashModeRSA(hash, 0));
}
#elif defined(WOLFSSL_SE050)
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
if (rsa_type == RSA_PRIVATE_DECRYPT && pad_value == RSA_BLOCK_TYPE_2) {
ret = se050_rsa_private_decrypt(in, inLen, out, outLen, key,
rsa_type, pad_value, pad_type, hash,
@ -4783,7 +4783,8 @@ int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
{
#ifndef WC_NO_RNG
#if !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050)
#if !defined(WOLFSSL_CRYPTOCELL) && \
(!defined(WOLFSSL_SE050) || defined(WOLFSSL_SE050_NO_RSA))
#ifdef WOLFSSL_SMALL_STACK
mp_int *p = NULL;
mp_int *q = NULL;
@ -4826,7 +4827,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
#if defined(WOLFSSL_CRYPTOCELL)
err = cc310_RSA_GenerateKeyPair(key, size, e);
goto out;
#elif defined(WOLFSSL_SE050)
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
err = se050_rsa_create_key(key, size, e);
goto out;
#else