From b546b2a5ecd104cc460a4b2f87620e35135c84b8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 17 Mar 2022 14:12:13 -0700 Subject: [PATCH] Improve logic around private key id/label. Adds `WOLF_PRIVATE_KEY_ID`. --- src/internal.c | 26 ++-- src/ssl.c | 241 ++++++++++++++--------------------- wolfcrypt/src/aes.c | 2 +- wolfcrypt/src/asn.c | 49 +++---- wolfcrypt/src/ecc.c | 6 +- wolfcrypt/src/hmac.c | 4 +- wolfcrypt/src/rsa.c | 4 +- wolfssl/internal.h | 2 +- wolfssl/ssl.h | 2 +- wolfssl/wolfcrypt/aes.h | 6 +- wolfssl/wolfcrypt/asn.h | 4 +- wolfssl/wolfcrypt/ecc.h | 6 +- wolfssl/wolfcrypt/hmac.h | 6 +- wolfssl/wolfcrypt/rsa.h | 6 +- wolfssl/wolfcrypt/settings.h | 10 ++ 15 files changed, 162 insertions(+), 212 deletions(-) diff --git a/src/internal.c b/src/internal.c index f8a9afb14..23aeb6aa1 100644 --- a/src/internal.c +++ b/src/internal.c @@ -22281,7 +22281,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) #if !defined(NO_CERTS) -#if defined(WOLF_CRYPTO_CB) && !defined(NO_CHECK_PRIVATE_KEY) +#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY) /* Create a private key for a device. * * pkey Key object. @@ -22349,7 +22349,7 @@ int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType, return ret; } -#endif +#endif /* WOLF_PRIVATE_KEY_ID && !NO_CHECK_PRIVATE_KEY */ /* Decode the private key - RSA/ECC/Ed25519/Ed448/Falcon - and creates a key * object. @@ -22382,7 +22382,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); } -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId || ssl->buffers.keyLabel)) { if (ssl->buffers.keyType == rsa_sa_algo) @@ -22448,7 +22448,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) } goto exit_dpk; } -#endif +#endif /* WOLF_PRIVATE_KEY_ID */ #ifndef NO_RSA if (ssl->buffers.keyType == rsa_sa_algo || ssl->buffers.keyType == 0) { @@ -22465,7 +22465,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) /* Decode the key assuming it is an RSA private key. */ ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID /* if using crypto or PK callbacks allow using a public key */ if (ret != 0 && ssl->devId != INVALID_DEVID) { WOLFSSL_MSG("Trying RSA public key with crypto callbacks"); @@ -22520,7 +22520,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, (ecc_key*)ssl->hsKey, ssl->buffers.key->length); - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID /* if using crypto or PK callbacks allow using a public key */ if (ret != 0 && ssl->devId != INVALID_DEVID) { WOLFSSL_MSG("Trying ECC public key with crypto callbacks"); @@ -22573,7 +22573,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx, (ed25519_key*)ssl->hsKey, ssl->buffers.key->length); - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID /* if using crypto or PK callbacks allow using a public key */ if (ret != 0 && ssl->devId != INVALID_DEVID) { WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks"); @@ -25449,17 +25449,19 @@ int SendClientKeyExchange(WOLFSSL* ssl) #ifndef NO_RSA case rsa_kea: { - #if defined(HAVE_PK_CALLBACKS) + #ifdef HAVE_PK_CALLBACKS if (ssl->ctx->GenPreMasterCb) { void* ctx = wolfSSL_GetGenPreMasterCtx(ssl); - ret = ssl->ctx->GenPreMasterCb(ssl, ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx); + ret = ssl->ctx->GenPreMasterCb(ssl, + ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx); if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) { goto exit_scke; } } - if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE) { + if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE) #endif - /* build PreMasterSecret with RNG data */ + { + /* build PreMasterSecret with RNG data */ ret = wc_RNG_GenerateBlock(ssl->rng, &ssl->arrays->preMasterSecret[VERSION_SZ], SECRET_LEN - VERSION_SZ); @@ -25471,9 +25473,7 @@ int SendClientKeyExchange(WOLFSSL* ssl) ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; ssl->arrays->preMasterSz = SECRET_LEN; - #if defined(HAVE_PK_CALLBACKS) } - #endif break; } #endif /* !NO_RSA */ diff --git a/src/ssl.c b/src/ssl.c index d92f81313..fb14e3361 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5696,7 +5696,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der if (ret == 0) { *idx = 0; ret = wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length); - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && devId != INVALID_DEVID) { /* if using crypto or PK callbacks, try public key decode */ *idx = 0; @@ -5768,7 +5768,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der if (wc_ecc_init_ex(key, heap, devId) == 0) { *idx = 0; ret = wc_EccPrivateKeyDecode(der->buffer, idx, key, der->length); - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && devId != INVALID_DEVID) { /* if using crypto or PK callbacks, try public key decode */ *idx = 0; @@ -5835,7 +5835,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der if (ret == 0) { *idx = 0; ret = wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, der->length); - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && devId != INVALID_DEVID) { /* if using crypto or PK callbacks, try public key decode */ *idx = 0; @@ -6303,7 +6303,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #else DecodedCert cert[1]; #endif - #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID int keyType = 0; #endif @@ -6435,7 +6435,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, switch (cert->keyOID) { #ifndef NO_RSA case RSAk: - #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID keyType = rsa_sa_algo; #endif /* Determine RSA key size by parsing public key */ @@ -6463,7 +6463,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif /* !NO_RSA */ #ifdef HAVE_ECC case ECDSAk: - #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID keyType = ecc_dsa_sa_algo; #endif /* Determine ECC key size based on curve */ @@ -6488,7 +6488,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif /* HAVE_ECC */ #ifdef HAVE_ED25519 case ED25519k: - #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID keyType = ed25519_sa_algo; #endif /* ED25519 is fixed key size */ @@ -6511,7 +6511,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif /* HAVE_ED25519 */ #ifdef HAVE_ED448 case ED448k: - #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID keyType = ed448_sa_algo; #endif /* ED448 is fixed key size */ @@ -6559,20 +6559,12 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, break; /* do no check if not a case for the key */ } - #if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) - if (ssl - #ifdef HAVE_PK_CALLBACKS - && ssl->buffers.keyType == 0 - #endif - ) { + #ifdef WOLF_PRIVATE_KEY_ID + if (ssl != NULL && ssl->buffers.keyType == 0) { ssl->buffers.keyType = keyType; ssl->buffers.keySz = keySz; } - else if (ctx - #ifdef HAVE_PK_CALLBACKS - && ctx->privateKeyType == 0 - #endif - ) { + else if (ctx != NULL && ctx->privateKeyType == 0) { ctx->privateKeyType = keyType; ctx->privateKeySz = keySz; } @@ -8222,10 +8214,10 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) #ifndef NO_CHECK_PRIVATE_KEY /* Check private against public in certificate for match * - * ctx WOLFSSL_CTX structure to check private key in - * - * Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */ -int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) + * Returns WOLFSSL_SUCCESS on good private key + * WOLFSSL_FAILURE if mismatched */ +static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, + int devId, int isKeyLabel, int isKeyId) { #ifdef WOLFSSL_SMALL_STACK DecodedCert* der = NULL; @@ -8236,9 +8228,9 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) byte* buff; int ret = WOLFSSL_FAILURE; - WOLFSSL_ENTER("wolfSSL_CTX_check_private_key"); + WOLFSSL_ENTER("check_cert_key"); - if (ctx == NULL || ctx->certificate == NULL || ctx->privateKey == NULL) { + if (cert == NULL || key == NULL) { return WOLFSSL_FAILURE; } @@ -8248,9 +8240,9 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) return MEMORY_E; #endif - size = ctx->certificate->length; - buff = ctx->certificate->buffer; - InitDecodedCert(der, buff, size, ctx->heap); + size = cert->length; + buff = cert->buffer; + InitDecodedCert(der, buff, size, heap); if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) { FreeDecodedCert(der); #ifdef WOLFSSL_SMALL_STACK @@ -8259,10 +8251,10 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) return WOLFSSL_FAILURE; } - size = ctx->privateKey->length; - buff = ctx->privateKey->buffer; -#ifdef WOLF_CRYPTO_CB - if (ctx->privateKeyDevId != INVALID_DEVID) { + size = key->length; + buff = key->buffer; +#ifdef WOLF_PRIVATE_KEY_ID + if (devId != INVALID_DEVID) { int type = 0; void *pkey = NULL; @@ -8276,33 +8268,44 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) type = DYNAMIC_TYPE_ECC; } #endif - ret = CreateDevPrivateKey(&pkey, buff, size, type, ctx->privateKeyLabel, - ctx->privateKeyId, ctx->heap, - ctx->privateKeyDevId); - #ifndef NO_RSA - if (ret == 0 && der->keyOID == RSAk) { - ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der->publicKey, - der->pubKeySize); - wc_FreeRsaKey((RsaKey*)pkey); + + ret = CreateDevPrivateKey(&pkey, buff, size, type, + isKeyLabel, isKeyId, heap, devId); + if (ret == 0) { + #ifdef WOLF_CRYPTO_CB + #ifndef NO_RSA + if (der->keyOID == RSAk) { + ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, + der->publicKey, der->pubKeySize); + } + #endif + #ifdef HAVE_ECC + if (der->keyOID == ECDSAk) { + ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, + der->publicKey, der->pubKeySize); + } + #endif + #else + /* devId was set, don't check, for now, just return success */ + /* TODO: Add callback for private key check? */ + ret = 0; + #endif } - #endif - #ifdef HAVE_ECC - if (ret == 0 && der->keyOID == ECDSAk) { - ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der->publicKey, - der->pubKeySize); - wc_ecc_free((ecc_key*)pkey); - } - #endif if (pkey != NULL) { - XFREE(pkey, ctx->heap, type); + #ifndef NO_RSA + if (der->keyOID == RSAk) { + wc_FreeRsaKey((RsaKey*)pkey); + } + #endif + #ifdef HAVE_ECC + if (der->keyOID == ECDSAk) { + wc_ecc_free((ecc_key*)pkey); + } + #endif + XFREE(pkey, heap, type); } if (ret != CRYPTOCB_UNAVAILABLE) { - if (ret == 0) { - ret = WOLFSSL_SUCCESS; - } - else { - ret = WOLFSSL_FAILURE; - } + ret = (ret == 0) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE; } } else { @@ -8311,23 +8314,37 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) } if (ret == CRYPTOCB_UNAVAILABLE) -#endif +#endif /* WOLF_PRIVATE_KEY_ID */ { ret = wc_CheckPrivateKeyCert(buff, size, der); - if (ret == 1) { - ret = WOLFSSL_SUCCESS; - } - else { - ret = WOLFSSL_FAILURE; - } + ret = (ret == 1) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE; } FreeDecodedCert(der); #ifdef WOLFSSL_SMALL_STACK XFREE(der, NULL, DYNAMIC_TYPE_DCERT); #endif + (void)devId; + (void)isKeyLabel; + (void)isKeyId; + return ret; } + +/* Check private against public in certificate for match + * + * ctx WOLFSSL_CTX structure to check private key in + * + * Returns WOLFSSL_SUCCESS on good private key + * WOLFSSL_FAILURE if mismatched. */ +int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) { + return WOLFSSL_FAILURE; + } + return check_cert_key(ctx->certificate, ctx->privateKey, ctx->heap, + ctx->privateKeyDevId, ctx->privateKeyLabel, ctx->privateKeyId); +} #endif /* !NO_CHECK_PRIVATE_KEY */ #ifdef OPENSSL_ALL @@ -9192,7 +9209,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out, return _d2i_PublicKey(type, out, in, inSz, 1); } -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID /* Create an EVP structure for use with crypto callbacks */ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, void* heap, int devId) @@ -9225,7 +9242,10 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, return NULL; } key = (RsaKey*)local->rsa->internal; + #ifdef WOLF_CRYPTO_CB key->devId = devId; + #endif + (void)key; local->rsa->inSet = 1; break; } @@ -9241,7 +9261,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, return NULL; } key = (ecc_key*)local->ecc->internal; + #ifdef WOLF_CRYPTO_CB key->devId = devId; + #endif key->type = ECC_PRIVATEKEY; /* key is required to have a key size / curve set, although * actual one used is determined by devId callback function */ @@ -9263,91 +9285,24 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, return local; } -#endif /* WOLF_CRYPTO_CB */ +#endif /* WOLF_PRIVATE_KEY_ID */ #ifndef NO_CERTS // NOLINT(readability-redundant-preprocessor) #ifndef NO_CHECK_PRIVATE_KEY +/* Check private against public in certificate for match + * + * ssl WOLFSSL structure to check private key in + * + * Returns WOLFSSL_SUCCESS on good private key + * WOLFSSL_FAILURE if mismatched. */ int wolfSSL_check_private_key(const WOLFSSL* ssl) { - DecodedCert der; - word32 size; - byte* buff; - int ret; - if (ssl == NULL) { return WOLFSSL_FAILURE; } - - size = ssl->buffers.certificate->length; - buff = ssl->buffers.certificate->buffer; - InitDecodedCert(&der, buff, size, ssl->heap); -#ifdef HAVE_PK_CALLBACKS - ret = InitSigPkCb((WOLFSSL*)ssl, &der.sigCtx); - if (ret != 0) { - FreeDecodedCert(&der); - return ret; - } -#endif - - if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) { - FreeDecodedCert(&der); - return WOLFSSL_FAILURE; - } - - size = ssl->buffers.key->length; - buff = ssl->buffers.key->buffer; -#ifdef WOLF_CRYPTO_CB - if (ssl->buffers.keyDevId != INVALID_DEVID) { - int type = 0; - void *pkey = NULL; - - #ifndef NO_RSA - if (der.keyOID == RSAk) { - type = DYNAMIC_TYPE_RSA; - } - #endif - #ifdef HAVE_ECC - if (der.keyOID == ECDSAk) { - type = DYNAMIC_TYPE_ECC; - } - #endif - ret = CreateDevPrivateKey(&pkey, buff, size, type, - ssl->buffers.keyLabel, - ssl->buffers.keyId, ssl->heap, - ssl->buffers.keyDevId); - #ifndef NO_RSA - if (ret == 0 && der.keyOID == RSAk) { - ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der.publicKey, - der.pubKeySize); - if (ret == 0) - ret = WOLFSSL_SUCCESS; - wc_FreeRsaKey((RsaKey*)pkey); - } - #endif - #ifdef HAVE_ECC - if (ret == 0 && der.keyOID == ECDSAk) { - ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der.publicKey, - der.pubKeySize); - if (ret == 0) - ret = WOLFSSL_SUCCESS; - wc_ecc_free((ecc_key*)pkey); - } - #endif - if (pkey != NULL) { - XFREE(pkey, ssl->heap, type); - } - } - else { - /* fall through if unavailable */ - ret = CRYPTOCB_UNAVAILABLE; - } - - if (ret == CRYPTOCB_UNAVAILABLE) -#endif - ret = wc_CheckPrivateKeyCert(buff, size, &der); - FreeDecodedCert(&der); - return ret; + return check_cert_key(ssl->buffers.certificate, ssl->buffers.key, ssl->heap, + ssl->buffers.keyDevId, ssl->buffers.keyLabel, ssl->buffers.keyId); } #endif /* !NO_CHECK_PRIVATE_KEY */ @@ -17176,7 +17131,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } -#if defined(HAVE_PKCS11) || defined(WOLF_CRYPTO_CB) +#ifdef WOLF_PRIVATE_KEY_ID int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, long sz, int devId, long keySz) { @@ -17230,7 +17185,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } -#endif /* HAVE_PKCS11 || WOLF_CRYPTO_CB */ +#endif /* WOLF_PRIVATE_KEY_ID */ int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, const unsigned char* in, long sz, int format) @@ -17379,7 +17334,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); } -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id, long sz, int devId, long keySz) { @@ -17436,7 +17391,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } -#endif +#endif /* WOLF_PRIVATE_KEY_ID */ int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl, const unsigned char* in, long sz, int format) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 7c9aacf09..ca15a5db7 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -10459,7 +10459,7 @@ int wc_AesInit(Aes* aes, void* heap, int devId) return ret; } -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId) { int ret = 0; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 642676800..46814b5df 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10567,7 +10567,7 @@ typedef struct CertNameData { const char* str; /* Length of type string of name component. */ byte strLen; -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) /* Offset of data in subject name component. */ size_t data; /* Offset of length in subject name component. */ @@ -10586,7 +10586,7 @@ static const CertNameData certNameSubject[] = { /* Common Name */ { "/CN=", 4, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectCN), OFFSETOF(DecodedCert, subjectCNLen), OFFSETOF(DecodedCert, subjectCNEnc), @@ -10598,7 +10598,7 @@ static const CertNameData certNameSubject[] = { /* Surname */ { "/SN=", 4, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectSN), OFFSETOF(DecodedCert, subjectSNLen), OFFSETOF(DecodedCert, subjectSNEnc), @@ -10610,7 +10610,7 @@ static const CertNameData certNameSubject[] = { /* Serial Number */ { "/serialNumber=", 14, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectSND), OFFSETOF(DecodedCert, subjectSNDLen), OFFSETOF(DecodedCert, subjectSNDEnc), @@ -10622,7 +10622,7 @@ static const CertNameData certNameSubject[] = { /* Country Name */ { "/C=", 3, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectC), OFFSETOF(DecodedCert, subjectCLen), OFFSETOF(DecodedCert, subjectCEnc), @@ -10634,7 +10634,7 @@ static const CertNameData certNameSubject[] = { /* Locality Name */ { "/L=", 3, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectL), OFFSETOF(DecodedCert, subjectLLen), OFFSETOF(DecodedCert, subjectLEnc), @@ -10646,7 +10646,7 @@ static const CertNameData certNameSubject[] = { /* State Name */ { "/ST=", 4, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectST), OFFSETOF(DecodedCert, subjectSTLen), OFFSETOF(DecodedCert, subjectSTEnc), @@ -10670,7 +10670,7 @@ static const CertNameData certNameSubject[] = { /* Organization Name */ { "/O=", 3, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectO), OFFSETOF(DecodedCert, subjectOLen), OFFSETOF(DecodedCert, subjectOEnc), @@ -10682,7 +10682,7 @@ static const CertNameData certNameSubject[] = { /* Organization Unit Name */ { "/OU=", 4, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectOU), OFFSETOF(DecodedCert, subjectOULen), OFFSETOF(DecodedCert, subjectOUEnc), @@ -10694,7 +10694,7 @@ static const CertNameData certNameSubject[] = { /* Title */ { NULL, 0, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, 0, @@ -10706,7 +10706,7 @@ static const CertNameData certNameSubject[] = { /* Undefined */ { NULL, 0, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, 0, @@ -10718,7 +10718,7 @@ static const CertNameData certNameSubject[] = { /* Undefined */ { NULL, 0, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, 0, @@ -10730,16 +10730,10 @@ static const CertNameData certNameSubject[] = { /* Business Category */ { "/businessCategory=", 18, -#ifdef WOLFSSL_CERT_GEN -#ifdef WOLFSSL_CERT_EXT +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectBC), OFFSETOF(DecodedCert, subjectBCLen), OFFSETOF(DecodedCert, subjectBCEnc), -#else - 0, - 0, - 0, -#endif #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_businessCategory @@ -10748,7 +10742,7 @@ static const CertNameData certNameSubject[] = { /* Undefined */ { NULL, 0, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, 0, @@ -10760,16 +10754,10 @@ static const CertNameData certNameSubject[] = { /* Postal Code */ { "/postalCode=", 12, -#ifdef WOLFSSL_CERT_GEN -#ifdef WOLFSSL_CERT_EXT +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectPC), OFFSETOF(DecodedCert, subjectPCLen), OFFSETOF(DecodedCert, subjectPCEnc), -#else - 0, - 0, - 0, -#endif #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_postalCode @@ -10778,14 +10766,13 @@ static const CertNameData certNameSubject[] = { /* User Id */ { "/userid=", 8, -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) OFFSETOF(DecodedCert, subjectUID), OFFSETOF(DecodedCert, subjectUIDLen), OFFSETOF(DecodedCert, subjectUIDEnc), #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_userId - #endif }, }; @@ -20713,8 +20700,8 @@ int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header) #endif /* !NO_RSA && WOLFSSL_CERT_GEN */ -#if ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && \ - !defined(NO_RSA) && !defined(HAVE_USER_RSA)) || defined(WOLFSSL_KCAPI_RSA) +#if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \ + defined(WOLFSSL_KCAPI_RSA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) /* Encode private RSA key in DER format. * diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 79af8158f..fe44ca04c 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -5404,7 +5404,7 @@ int wc_ecc_init(ecc_key* key) #endif } -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int devId) { @@ -5447,7 +5447,7 @@ int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId) return ret; } -#endif +#endif /* WOLF_PRIVATE_KEY_ID */ int wc_ecc_set_flags(ecc_key* key, word32 flags) { @@ -8732,7 +8732,7 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* a, mp_int* prime) return err; } -#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || +#endif /* FIPS_VERSION_GE(5,0) || WOLFSSL_VALIDATE_ECC_KEYGEN || * (!WOLFSSL_SP_MATH && WOLFSSL_VALIDATE_ECC_IMPORT) */ #if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN) diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 47ed04285..3e65cc343 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -1021,7 +1021,7 @@ int wc_HmacInit(Hmac* hmac, void* heap, int devId) return ret; } -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap, int devId) { @@ -1064,7 +1064,7 @@ int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, int devId) return ret; } -#endif +#endif /* WOLF_PRIVATE_KEY_ID */ /* Free Hmac from use with async device */ void wc_HmacFree(Hmac* hmac) diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index f46bc1766..e44c9f859 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -345,7 +345,7 @@ int wc_InitRsaKey(RsaKey* key, void* heap) return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); } -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int devId) { @@ -388,7 +388,7 @@ int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId) return ret; } -#endif +#endif /* WOLF_PRIVATE_KEY_ID */ #ifdef WOLFSSL_XILINX_CRYPT diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 22f3f48a3..0027aa30e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1729,7 +1729,7 @@ WOLFSSL_LOCAL int CompleteServerHello(WOLFSSL *ssl); WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv); WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz); -#ifdef WOLF_CRYPTO_CB +#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY) WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType, int label, int id, void* heap, int devId); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 27bb7b0be..5800f3dfb 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1843,7 +1843,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** const unsigned char ** in, long inSz); WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz); -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, void* heap, int devId); #endif diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index 921b3219c..14ea8427e 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -159,7 +159,7 @@ enum { AES_XTS_MODE = 3, #endif -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID AES_MAX_ID_LEN = 32, AES_MAX_LABEL_LEN = 32, #endif @@ -213,7 +213,7 @@ struct Aes { int devId; void* devCtx; #endif -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID byte id[AES_MAX_ID_LEN]; int idLen; char label[AES_MAX_LABEL_LEN]; @@ -537,7 +537,7 @@ WOLFSSL_API int wc_AesXtsFree(XtsAes* aes); WOLFSSL_API int wc_AesGetKeySize(Aes* aes, word32* keySize); WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId); -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId); WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index c97463315..1116a9479 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1585,7 +1585,6 @@ struct DecodedCert { char* subjectUID; int subjectUIDLen; char subjectUIDEnc; -#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) char* subjectStreet; int subjectStreetLen; char subjectStreetEnc; @@ -1601,7 +1600,6 @@ struct DecodedCert { char* subjectPC; int subjectPCLen; char subjectPCEnc; -#endif char* subjectEmail; int subjectEmailLen; #endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ @@ -1766,7 +1764,7 @@ struct TrustedPeerCert { /* for testing or custom openssl wrappers */ #if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_X509_SMALL) + defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_PUBLIC_ASN) #define WOLFSSL_ASN_API WOLFSSL_API #else #define WOLFSSL_ASN_API WOLFSSL_LOCAL diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 1a8d44416..772a36015 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -186,7 +186,7 @@ enum { /* Shamir's dual add constants */ SHAMIR_PRECOMP_SZ = 16, -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID ECC_MAX_ID_LEN = 32, ECC_MAX_LABEL_LEN = 32, #endif @@ -481,7 +481,7 @@ struct ecc_key { CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */ #endif #endif /* WOLFSSL_ASYNC_CRYPT */ -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID byte id[ECC_MAX_ID_LEN]; int idLen; char label[ECC_MAX_LABEL_LEN]; @@ -631,7 +631,7 @@ WOLFSSL_API int wc_ecc_init(ecc_key* key); WOLFSSL_ABI WOLFSSL_API int wc_ecc_init_ex(ecc_key* key, void* heap, int devId); -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID WOLFSSL_API int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int devId); diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index c2f6387f3..99ca2a4b1 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -99,7 +99,7 @@ enum { WC_SHA3_384 = WC_HASH_TYPE_SHA3_384, WC_SHA3_512 = WC_HASH_TYPE_SHA3_512, #endif -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID HMAC_MAX_ID_LEN = 32, HMAC_MAX_LABEL_LEN = 32, #endif @@ -160,7 +160,7 @@ struct Hmac { void* devCtx; const byte* keyRaw; #endif -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID byte id[HMAC_MAX_ID_LEN]; int idLen; char label[HMAC_MAX_LABEL_LEN]; @@ -192,7 +192,7 @@ WOLFSSL_API int wc_HmacFinal_Software(Hmac* hmac, byte* out); WOLFSSL_API int wc_HmacSizeByType(int type); WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId); -#ifdef HAVE_PKCS11 +#ifdef WOLF_PRIVATE_KEY_ID WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap, int devId); WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h index d701ad14f..70697f5a5 100644 --- a/wolfssl/wolfcrypt/rsa.h +++ b/wolfssl/wolfcrypt/rsa.h @@ -148,7 +148,7 @@ enum { RSA_PSS_SALT_LEN_DISCOVER = -2, #endif -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID RSA_MAX_ID_LEN = 32, RSA_MAX_LABEL_LEN = 32, #endif @@ -195,7 +195,7 @@ struct RsaKey { #if defined(WOLFSSL_KCAPI_RSA) struct kcapi_handle* handle; #endif -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID byte id[RSA_MAX_ID_LEN]; int idLen; char label[RSA_MAX_LABEL_LEN]; @@ -226,7 +226,7 @@ struct RsaKey { WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap); WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId); WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); -#ifdef WOLF_CRYPTO_CB +#ifdef WOLF_PRIVATE_KEY_ID WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int devId); WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 724a59ad7..45267bb93 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2614,6 +2614,16 @@ extern void uITRON4_free(void *p) ; #error The SRTP extension requires DTLS #endif +/* Are we using an external private key store like: + * PKCS11 / HSM / crypto callback / PK callback */ +#if !defined(WOLF_PRIVATE_KEY_ID) && \ + (defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) || \ + defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_KCAPI)) + /* Enables support for using wolfSSL_CTX_use_PrivateKey_Id and + * wolfSSL_CTX_use_PrivateKey_Label */ + #define WOLF_PRIVATE_KEY_ID +#endif + /* ---------------------------------------------------------------------------