wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 04:04:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4921 from dgarske/private_keyid

Browse Source 
Added private key id/label support - improve PK callback public key use
This commit is contained in:
Sean Parkinson
2022-03-18 11:36:28 +10:00
committed by GitHub
parent aa8e5a29d4 b546b2a5ec
commit f117308135
15 changed files with 162 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/internal.c
View File

@@ -22281,7 +22281,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
#if !defined(NO_CERTS) #if !defined(NO_CERTS)
#if defined(WOLF_CRYPTO_CB) && !defined(NO_CHECK_PRIVATE_KEY) #if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
/* Create a private key for a device. /* Create a private key for a device.
* *
* pkey Key object. * pkey Key object.
@@ -22349,7 +22349,7 @@ int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
return ret; return ret;
} }
#endif #endif /* WOLF_PRIVATE_KEY_ID && !NO_CHECK_PRIVATE_KEY */
/* Decode the private key - RSA/ECC/Ed25519/Ed448/Falcon - and creates a key /* Decode the private key - RSA/ECC/Ed25519/Ed448/Falcon - and creates a key
* object. * object.
@@ -22382,7 +22382,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); ERROR_OUT(NO_PRIVATE_KEY, exit_dpk);
} }
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId || if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId ||
ssl->buffers.keyLabel)) { ssl->buffers.keyLabel)) {
if (ssl->buffers.keyType == rsa_sa_algo) if (ssl->buffers.keyType == rsa_sa_algo)
@@ -22448,7 +22448,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
} }
goto exit_dpk; goto exit_dpk;
} }
#endif #endif /* WOLF_PRIVATE_KEY_ID */
#ifndef NO_RSA #ifndef NO_RSA
if (ssl->buffers.keyType == rsa_sa_algo || ssl->buffers.keyType == 0) { if (ssl->buffers.keyType == rsa_sa_algo || ssl->buffers.keyType == 0) {
@@ -22465,7 +22465,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
/* Decode the key assuming it is an RSA private key. */ /* Decode the key assuming it is an RSA private key. */
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(RsaKey*)ssl->hsKey, ssl->buffers.key->length); (RsaKey*)ssl->hsKey, ssl->buffers.key->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */ /* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) { if (ret != 0 && ssl->devId != INVALID_DEVID) {
WOLFSSL_MSG("Trying RSA public key with crypto callbacks"); WOLFSSL_MSG("Trying RSA public key with crypto callbacks");
@@ -22520,7 +22520,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(ecc_key*)ssl->hsKey, (ecc_key*)ssl->hsKey,
ssl->buffers.key->length); ssl->buffers.key->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */ /* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) { if (ret != 0 && ssl->devId != INVALID_DEVID) {
WOLFSSL_MSG("Trying ECC public key with crypto callbacks"); WOLFSSL_MSG("Trying ECC public key with crypto callbacks");
@@ -22573,7 +22573,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx, ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(ed25519_key*)ssl->hsKey, (ed25519_key*)ssl->hsKey,
ssl->buffers.key->length); ssl->buffers.key->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */ /* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) { if (ret != 0 && ssl->devId != INVALID_DEVID) {
WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks"); WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
@@ -25449,17 +25449,19 @@ int SendClientKeyExchange(WOLFSSL* ssl)
#ifndef NO_RSA #ifndef NO_RSA
case rsa_kea: case rsa_kea:
{ {
#if defined(HAVE_PK_CALLBACKS) #ifdef HAVE_PK_CALLBACKS
if (ssl->ctx->GenPreMasterCb) { if (ssl->ctx->GenPreMasterCb) {
void* ctx = wolfSSL_GetGenPreMasterCtx(ssl); void* ctx = wolfSSL_GetGenPreMasterCtx(ssl);
ret = ssl->ctx->GenPreMasterCb(ssl, ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx); ret = ssl->ctx->GenPreMasterCb(ssl,
ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx);
if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) { if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) {
goto exit_scke; goto exit_scke;
} }
} }
if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE) { if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE)
#endif #endif
/* build PreMasterSecret with RNG data */ {
/* build PreMasterSecret with RNG data */
ret = wc_RNG_GenerateBlock(ssl->rng, ret = wc_RNG_GenerateBlock(ssl->rng,
&ssl->arrays->preMasterSecret[VERSION_SZ], &ssl->arrays->preMasterSecret[VERSION_SZ],
SECRET_LEN - VERSION_SZ); SECRET_LEN - VERSION_SZ);
@@ -25471,9 +25473,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
ssl->arrays->preMasterSz = SECRET_LEN; ssl->arrays->preMasterSz = SECRET_LEN;
#if defined(HAVE_PK_CALLBACKS)
} }
#endif
break; break;
} }
#endif /* !NO_RSA */ #endif /* !NO_RSA */

241
src/ssl.c
View File

@@ -5696,7 +5696,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (ret == 0) { if (ret == 0) {
*idx = 0; *idx = 0;
ret = wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length); ret = wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) { if (ret != 0 && devId != INVALID_DEVID) {
/* if using crypto or PK callbacks, try public key decode */ /* if using crypto or PK callbacks, try public key decode */
*idx = 0; *idx = 0;
@@ -5768,7 +5768,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (wc_ecc_init_ex(key, heap, devId) == 0) { if (wc_ecc_init_ex(key, heap, devId) == 0) {
*idx = 0; *idx = 0;
ret = wc_EccPrivateKeyDecode(der->buffer, idx, key, der->length); ret = wc_EccPrivateKeyDecode(der->buffer, idx, key, der->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) { if (ret != 0 && devId != INVALID_DEVID) {
/* if using crypto or PK callbacks, try public key decode */ /* if using crypto or PK callbacks, try public key decode */
*idx = 0; *idx = 0;
@@ -5835,7 +5835,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (ret == 0) { if (ret == 0) {
*idx = 0; *idx = 0;
ret = wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, der->length); ret = wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, der->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) { if (ret != 0 && devId != INVALID_DEVID) {
/* if using crypto or PK callbacks, try public key decode */ /* if using crypto or PK callbacks, try public key decode */
*idx = 0; *idx = 0;
@@ -6303,7 +6303,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#else #else
DecodedCert cert[1]; DecodedCert cert[1];
#endif #endif
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
int keyType = 0; int keyType = 0;
#endif #endif
@@ -6435,7 +6435,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
switch (cert->keyOID) { switch (cert->keyOID) {
#ifndef NO_RSA #ifndef NO_RSA
case RSAk: case RSAk:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
keyType = rsa_sa_algo; keyType = rsa_sa_algo;
#endif #endif
/* Determine RSA key size by parsing public key */ /* Determine RSA key size by parsing public key */
@@ -6463,7 +6463,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
case ECDSAk: case ECDSAk:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
keyType = ecc_dsa_sa_algo; keyType = ecc_dsa_sa_algo;
#endif #endif
/* Determine ECC key size based on curve */ /* Determine ECC key size based on curve */
@@ -6488,7 +6488,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
case ED25519k: case ED25519k:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
keyType = ed25519_sa_algo; keyType = ed25519_sa_algo;
#endif #endif
/* ED25519 is fixed key size */ /* ED25519 is fixed key size */
@@ -6511,7 +6511,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* HAVE_ED25519 */ #endif /* HAVE_ED25519 */
#ifdef HAVE_ED448 #ifdef HAVE_ED448
case ED448k: case ED448k:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
keyType = ed448_sa_algo; keyType = ed448_sa_algo;
#endif #endif
/* ED448 is fixed key size */ /* ED448 is fixed key size */
@@ -6559,20 +6559,12 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
break; /* do no check if not a case for the key */ break; /* do no check if not a case for the key */
} }
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) #ifdef WOLF_PRIVATE_KEY_ID
if (ssl if (ssl != NULL && ssl->buffers.keyType == 0) {
#ifdef HAVE_PK_CALLBACKS
&& ssl->buffers.keyType == 0
#endif
) {
ssl->buffers.keyType = keyType; ssl->buffers.keyType = keyType;
ssl->buffers.keySz = keySz; ssl->buffers.keySz = keySz;
} }
else if (ctx else if (ctx != NULL && ctx->privateKeyType == 0) {
#ifdef HAVE_PK_CALLBACKS
&& ctx->privateKeyType == 0
#endif
) {
ctx->privateKeyType = keyType; ctx->privateKeyType = keyType;
ctx->privateKeySz = keySz; ctx->privateKeySz = keySz;
} }
@@ -8222,10 +8214,10 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format)
#ifndef NO_CHECK_PRIVATE_KEY #ifndef NO_CHECK_PRIVATE_KEY
/* Check private against public in certificate for match /* Check private against public in certificate for match
* *
* ctx WOLFSSL_CTX structure to check private key in * Returns WOLFSSL_SUCCESS on good private key
* * WOLFSSL_FAILURE if mismatched */
* Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap,
int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) int devId, int isKeyLabel, int isKeyId)
{ {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
DecodedCert* der = NULL; DecodedCert* der = NULL;
@@ -8236,9 +8228,9 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
byte* buff; byte* buff;
int ret = WOLFSSL_FAILURE; int ret = WOLFSSL_FAILURE;
WOLFSSL_ENTER("wolfSSL_CTX_check_private_key"); WOLFSSL_ENTER("check_cert_key");
if (ctx == NULL || ctx->certificate == NULL || ctx->privateKey == NULL) { if (cert == NULL || key == NULL) {
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
@@ -8248,9 +8240,9 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
return MEMORY_E; return MEMORY_E;
#endif #endif
size = ctx->certificate->length; size = cert->length;
buff = ctx->certificate->buffer; buff = cert->buffer;
InitDecodedCert(der, buff, size, ctx->heap); InitDecodedCert(der, buff, size, heap);
if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) { if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) {
FreeDecodedCert(der); FreeDecodedCert(der);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
@@ -8259,10 +8251,10 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
size = ctx->privateKey->length; size = key->length;
buff = ctx->privateKey->buffer; buff = key->buffer;
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
if (ctx->privateKeyDevId != INVALID_DEVID) { if (devId != INVALID_DEVID) {
int type = 0; int type = 0;
void *pkey = NULL; void *pkey = NULL;
@@ -8276,33 +8268,44 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
type = DYNAMIC_TYPE_ECC; type = DYNAMIC_TYPE_ECC;
} }
#endif #endif
ret = CreateDevPrivateKey(&pkey, buff, size, type, ctx->privateKeyLabel,
ctx->privateKeyId, ctx->heap, ret = CreateDevPrivateKey(&pkey, buff, size, type,
ctx->privateKeyDevId); isKeyLabel, isKeyId, heap, devId);
#ifndef NO_RSA if (ret == 0) {
if (ret == 0 && der->keyOID == RSAk) { #ifdef WOLF_CRYPTO_CB
ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der->publicKey, #ifndef NO_RSA
der->pubKeySize); if (der->keyOID == RSAk) {
wc_FreeRsaKey((RsaKey*)pkey); ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey,
der->publicKey, der->pubKeySize);
}
#endif
#ifdef HAVE_ECC
if (der->keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey,
der->publicKey, der->pubKeySize);
}
#endif
#else
/* devId was set, don't check, for now, just return success */
/* TODO: Add callback for private key check? */
ret = 0;
#endif
} }
#endif
#ifdef HAVE_ECC
if (ret == 0 && der->keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der->publicKey,
der->pubKeySize);
wc_ecc_free((ecc_key*)pkey);
}
#endif
if (pkey != NULL) { if (pkey != NULL) {
XFREE(pkey, ctx->heap, type); #ifndef NO_RSA
if (der->keyOID == RSAk) {
wc_FreeRsaKey((RsaKey*)pkey);
}
#endif
#ifdef HAVE_ECC
if (der->keyOID == ECDSAk) {
wc_ecc_free((ecc_key*)pkey);
}
#endif
XFREE(pkey, heap, type);
} }
if (ret != CRYPTOCB_UNAVAILABLE) { if (ret != CRYPTOCB_UNAVAILABLE) {
if (ret == 0) { ret = (ret == 0) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE;
ret = WOLFSSL_SUCCESS;
}
else {
ret = WOLFSSL_FAILURE;
}
} }
} }
else { else {
@@ -8311,23 +8314,37 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
} }
if (ret == CRYPTOCB_UNAVAILABLE) if (ret == CRYPTOCB_UNAVAILABLE)
#endif #endif /* WOLF_PRIVATE_KEY_ID */
{ {
ret = wc_CheckPrivateKeyCert(buff, size, der); ret = wc_CheckPrivateKeyCert(buff, size, der);
if (ret == 1) { ret = (ret == 1) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE;
ret = WOLFSSL_SUCCESS;
}
else {
ret = WOLFSSL_FAILURE;
}
} }
FreeDecodedCert(der); FreeDecodedCert(der);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(der, NULL, DYNAMIC_TYPE_DCERT); XFREE(der, NULL, DYNAMIC_TYPE_DCERT);
#endif #endif
(void)devId;
(void)isKeyLabel;
(void)isKeyId;
return ret; return ret;
} }
/* Check private against public in certificate for match
*
* ctx WOLFSSL_CTX structure to check private key in
*
* Returns WOLFSSL_SUCCESS on good private key
* WOLFSSL_FAILURE if mismatched. */
int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
{
if (ctx == NULL) {
return WOLFSSL_FAILURE;
}
return check_cert_key(ctx->certificate, ctx->privateKey, ctx->heap,
ctx->privateKeyDevId, ctx->privateKeyLabel, ctx->privateKeyId);
}
#endif /* !NO_CHECK_PRIVATE_KEY */ #endif /* !NO_CHECK_PRIVATE_KEY */
#ifdef OPENSSL_ALL #ifdef OPENSSL_ALL
@@ -9192,7 +9209,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
return _d2i_PublicKey(type, out, in, inSz, 1); return _d2i_PublicKey(type, out, in, inSz, 1);
} }
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
/* Create an EVP structure for use with crypto callbacks */ /* Create an EVP structure for use with crypto callbacks */
WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
void* heap, int devId) void* heap, int devId)
@@ -9225,7 +9242,10 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
return NULL; return NULL;
} }
key = (RsaKey*)local->rsa->internal; key = (RsaKey*)local->rsa->internal;
#ifdef WOLF_CRYPTO_CB
key->devId = devId; key->devId = devId;
#endif
(void)key;
local->rsa->inSet = 1; local->rsa->inSet = 1;
break; break;
} }
@@ -9241,7 +9261,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
return NULL; return NULL;
} }
key = (ecc_key*)local->ecc->internal; key = (ecc_key*)local->ecc->internal;
#ifdef WOLF_CRYPTO_CB
key->devId = devId; key->devId = devId;
#endif
key->type = ECC_PRIVATEKEY; key->type = ECC_PRIVATEKEY;
/* key is required to have a key size / curve set, although /* key is required to have a key size / curve set, although
* actual one used is determined by devId callback function */ * actual one used is determined by devId callback function */
@@ -9263,91 +9285,24 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
return local; return local;
} }
#endif /* WOLF_CRYPTO_CB */ #endif /* WOLF_PRIVATE_KEY_ID */
#ifndef NO_CERTS // NOLINT(readability-redundant-preprocessor) #ifndef NO_CERTS // NOLINT(readability-redundant-preprocessor)
#ifndef NO_CHECK_PRIVATE_KEY #ifndef NO_CHECK_PRIVATE_KEY
/* Check private against public in certificate for match
*
* ssl WOLFSSL structure to check private key in
*
* Returns WOLFSSL_SUCCESS on good private key
* WOLFSSL_FAILURE if mismatched. */
int wolfSSL_check_private_key(const WOLFSSL* ssl) int wolfSSL_check_private_key(const WOLFSSL* ssl)
{ {
DecodedCert der;
word32 size;
byte* buff;
int ret;
if (ssl == NULL) { if (ssl == NULL) {
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
return check_cert_key(ssl->buffers.certificate, ssl->buffers.key, ssl->heap,
size = ssl->buffers.certificate->length; ssl->buffers.keyDevId, ssl->buffers.keyLabel, ssl->buffers.keyId);
buff = ssl->buffers.certificate->buffer;
InitDecodedCert(&der, buff, size, ssl->heap);
#ifdef HAVE_PK_CALLBACKS
ret = InitSigPkCb((WOLFSSL*)ssl, &der.sigCtx);
if (ret != 0) {
FreeDecodedCert(&der);
return ret;
}
#endif
if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) {
FreeDecodedCert(&der);
return WOLFSSL_FAILURE;
}
size = ssl->buffers.key->length;
buff = ssl->buffers.key->buffer;
#ifdef WOLF_CRYPTO_CB
if (ssl->buffers.keyDevId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
#ifndef NO_RSA
if (der.keyOID == RSAk) {
type = DYNAMIC_TYPE_RSA;
}
#endif
#ifdef HAVE_ECC
if (der.keyOID == ECDSAk) {
type = DYNAMIC_TYPE_ECC;
}
#endif
ret = CreateDevPrivateKey(&pkey, buff, size, type,
ssl->buffers.keyLabel,
ssl->buffers.keyId, ssl->heap,
ssl->buffers.keyDevId);
#ifndef NO_RSA
if (ret == 0 && der.keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = WOLFSSL_SUCCESS;
wc_FreeRsaKey((RsaKey*)pkey);
}
#endif
#ifdef HAVE_ECC
if (ret == 0 && der.keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = WOLFSSL_SUCCESS;
wc_ecc_free((ecc_key*)pkey);
}
#endif
if (pkey != NULL) {
XFREE(pkey, ssl->heap, type);
}
}
else {
/* fall through if unavailable */
ret = CRYPTOCB_UNAVAILABLE;
}
if (ret == CRYPTOCB_UNAVAILABLE)
#endif
ret = wc_CheckPrivateKeyCert(buff, size, &der);
FreeDecodedCert(&der);
return ret;
} }
#endif /* !NO_CHECK_PRIVATE_KEY */ #endif /* !NO_CHECK_PRIVATE_KEY */
@@ -17176,7 +17131,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret; return ret;
} }
#if defined(HAVE_PKCS11) || defined(WOLF_CRYPTO_CB) #ifdef WOLF_PRIVATE_KEY_ID
int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id,
long sz, int devId, long keySz) long sz, int devId, long keySz)
{ {
@@ -17230,7 +17185,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret; return ret;
} }
#endif /* HAVE_PKCS11 || WOLF_CRYPTO_CB */ #endif /* WOLF_PRIVATE_KEY_ID */
int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
const unsigned char* in, long sz, int format) const unsigned char* in, long sz, int format)
@@ -17379,7 +17334,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
} }
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id, int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id,
long sz, int devId, long keySz) long sz, int devId, long keySz)
{ {
@@ -17436,7 +17391,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret; return ret;
} }
#endif #endif /* WOLF_PRIVATE_KEY_ID */
int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl, int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl,
const unsigned char* in, long sz, int format) const unsigned char* in, long sz, int format)

2
wolfcrypt/src/aes.c
View File

@@ -10459,7 +10459,7 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
return ret; return ret;
} }
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId) int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId)
{ {
int ret = 0; int ret = 0;

49
wolfcrypt/src/asn.c
View File

@@ -10567,7 +10567,7 @@ typedef struct CertNameData {
const char* str; const char* str;
/* Length of type string of name component. */ /* Length of type string of name component. */
byte strLen; byte strLen;
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
/* Offset of data in subject name component. */ /* Offset of data in subject name component. */
size_t data; size_t data;
/* Offset of length in subject name component. */ /* Offset of length in subject name component. */
@@ -10586,7 +10586,7 @@ static const CertNameData certNameSubject[] = {
/* Common Name */ /* Common Name */
{ {
"/CN=", 4, "/CN=", 4,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectCN), OFFSETOF(DecodedCert, subjectCN),
OFFSETOF(DecodedCert, subjectCNLen), OFFSETOF(DecodedCert, subjectCNLen),
OFFSETOF(DecodedCert, subjectCNEnc), OFFSETOF(DecodedCert, subjectCNEnc),
@@ -10598,7 +10598,7 @@ static const CertNameData certNameSubject[] = {
/* Surname */ /* Surname */
{ {
"/SN=", 4, "/SN=", 4,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectSN), OFFSETOF(DecodedCert, subjectSN),
OFFSETOF(DecodedCert, subjectSNLen), OFFSETOF(DecodedCert, subjectSNLen),
OFFSETOF(DecodedCert, subjectSNEnc), OFFSETOF(DecodedCert, subjectSNEnc),
@@ -10610,7 +10610,7 @@ static const CertNameData certNameSubject[] = {
/* Serial Number */ /* Serial Number */
{ {
"/serialNumber=", 14, "/serialNumber=", 14,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectSND), OFFSETOF(DecodedCert, subjectSND),
OFFSETOF(DecodedCert, subjectSNDLen), OFFSETOF(DecodedCert, subjectSNDLen),
OFFSETOF(DecodedCert, subjectSNDEnc), OFFSETOF(DecodedCert, subjectSNDEnc),
@@ -10622,7 +10622,7 @@ static const CertNameData certNameSubject[] = {
/* Country Name */ /* Country Name */
{ {
"/C=", 3, "/C=", 3,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectC), OFFSETOF(DecodedCert, subjectC),
OFFSETOF(DecodedCert, subjectCLen), OFFSETOF(DecodedCert, subjectCLen),
OFFSETOF(DecodedCert, subjectCEnc), OFFSETOF(DecodedCert, subjectCEnc),
@@ -10634,7 +10634,7 @@ static const CertNameData certNameSubject[] = {
/* Locality Name */ /* Locality Name */
{ {
"/L=", 3, "/L=", 3,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectL), OFFSETOF(DecodedCert, subjectL),
OFFSETOF(DecodedCert, subjectLLen), OFFSETOF(DecodedCert, subjectLLen),
OFFSETOF(DecodedCert, subjectLEnc), OFFSETOF(DecodedCert, subjectLEnc),
@@ -10646,7 +10646,7 @@ static const CertNameData certNameSubject[] = {
/* State Name */ /* State Name */
{ {
"/ST=", 4, "/ST=", 4,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectST), OFFSETOF(DecodedCert, subjectST),
OFFSETOF(DecodedCert, subjectSTLen), OFFSETOF(DecodedCert, subjectSTLen),
OFFSETOF(DecodedCert, subjectSTEnc), OFFSETOF(DecodedCert, subjectSTEnc),
@@ -10670,7 +10670,7 @@ static const CertNameData certNameSubject[] = {
/* Organization Name */ /* Organization Name */
{ {
"/O=", 3, "/O=", 3,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectO), OFFSETOF(DecodedCert, subjectO),
OFFSETOF(DecodedCert, subjectOLen), OFFSETOF(DecodedCert, subjectOLen),
OFFSETOF(DecodedCert, subjectOEnc), OFFSETOF(DecodedCert, subjectOEnc),
@@ -10682,7 +10682,7 @@ static const CertNameData certNameSubject[] = {
/* Organization Unit Name */ /* Organization Unit Name */
{ {
"/OU=", 4, "/OU=", 4,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectOU), OFFSETOF(DecodedCert, subjectOU),
OFFSETOF(DecodedCert, subjectOULen), OFFSETOF(DecodedCert, subjectOULen),
OFFSETOF(DecodedCert, subjectOUEnc), OFFSETOF(DecodedCert, subjectOUEnc),
@@ -10694,7 +10694,7 @@ static const CertNameData certNameSubject[] = {
/* Title */ /* Title */
{ {
NULL, 0, NULL, 0,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0, 0,
0, 0,
0, 0,
@@ -10706,7 +10706,7 @@ static const CertNameData certNameSubject[] = {
/* Undefined */ /* Undefined */
{ {
NULL, 0, NULL, 0,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0, 0,
0, 0,
0, 0,
@@ -10718,7 +10718,7 @@ static const CertNameData certNameSubject[] = {
/* Undefined */ /* Undefined */
{ {
NULL, 0, NULL, 0,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0, 0,
0, 0,
0, 0,
@@ -10730,16 +10730,10 @@ static const CertNameData certNameSubject[] = {
/* Business Category */ /* Business Category */
{ {
"/businessCategory=", 18, "/businessCategory=", 18,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
#ifdef WOLFSSL_CERT_EXT
OFFSETOF(DecodedCert, subjectBC), OFFSETOF(DecodedCert, subjectBC),
OFFSETOF(DecodedCert, subjectBCLen), OFFSETOF(DecodedCert, subjectBCLen),
OFFSETOF(DecodedCert, subjectBCEnc), OFFSETOF(DecodedCert, subjectBCEnc),
#else
0,
0,
0,
#endif
#endif #endif
#ifdef WOLFSSL_X509_NAME_AVAILABLE #ifdef WOLFSSL_X509_NAME_AVAILABLE
NID_businessCategory NID_businessCategory
@@ -10748,7 +10742,7 @@ static const CertNameData certNameSubject[] = {
/* Undefined */ /* Undefined */
{ {
NULL, 0, NULL, 0,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0, 0,
0, 0,
0, 0,
@@ -10760,16 +10754,10 @@ static const CertNameData certNameSubject[] = {
/* Postal Code */ /* Postal Code */
{ {
"/postalCode=", 12, "/postalCode=", 12,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
#ifdef WOLFSSL_CERT_EXT
OFFSETOF(DecodedCert, subjectPC), OFFSETOF(DecodedCert, subjectPC),
OFFSETOF(DecodedCert, subjectPCLen), OFFSETOF(DecodedCert, subjectPCLen),
OFFSETOF(DecodedCert, subjectPCEnc), OFFSETOF(DecodedCert, subjectPCEnc),
#else
0,
0,
0,
#endif
#endif #endif
#ifdef WOLFSSL_X509_NAME_AVAILABLE #ifdef WOLFSSL_X509_NAME_AVAILABLE
NID_postalCode NID_postalCode
@@ -10778,14 +10766,13 @@ static const CertNameData certNameSubject[] = {
/* User Id */ /* User Id */
{ {
"/userid=", 8, "/userid=", 8,
#ifdef WOLFSSL_CERT_GEN #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectUID), OFFSETOF(DecodedCert, subjectUID),
OFFSETOF(DecodedCert, subjectUIDLen), OFFSETOF(DecodedCert, subjectUIDLen),
OFFSETOF(DecodedCert, subjectUIDEnc), OFFSETOF(DecodedCert, subjectUIDEnc),
#endif #endif
#ifdef WOLFSSL_X509_NAME_AVAILABLE #ifdef WOLFSSL_X509_NAME_AVAILABLE
NID_userId NID_userId
#endif #endif
}, },
}; };
@@ -20713,8 +20700,8 @@ int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header)
#endif /* !NO_RSA && WOLFSSL_CERT_GEN */ #endif /* !NO_RSA && WOLFSSL_CERT_GEN */
#if ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && \ #if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \
!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || defined(WOLFSSL_KCAPI_RSA) defined(WOLFSSL_KCAPI_RSA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
/* Encode private RSA key in DER format. /* Encode private RSA key in DER format.
* *

6
wolfcrypt/src/ecc.c
View File

@@ -5404,7 +5404,7 @@ int wc_ecc_init(ecc_key* key)
#endif #endif
} }
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId) int devId)
{ {
@@ -5447,7 +5447,7 @@ int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId)
return ret; return ret;
} }
#endif #endif /* WOLF_PRIVATE_KEY_ID */
int wc_ecc_set_flags(ecc_key* key, word32 flags) int wc_ecc_set_flags(ecc_key* key, word32 flags)
{ {
@@ -8732,7 +8732,7 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* a, mp_int* prime)
return err; return err;
} }
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || #endif /* FIPS_VERSION_GE(5,0) || WOLFSSL_VALIDATE_ECC_KEYGEN ||
* (!WOLFSSL_SP_MATH && WOLFSSL_VALIDATE_ECC_IMPORT) */ * (!WOLFSSL_SP_MATH && WOLFSSL_VALIDATE_ECC_IMPORT) */
#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN) #if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN)

4
wolfcrypt/src/hmac.c
View File

@@ -1021,7 +1021,7 @@ int wc_HmacInit(Hmac* hmac, void* heap, int devId)
return ret; return ret;
} }
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap, int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap,
int devId) int devId)
{ {
@@ -1064,7 +1064,7 @@ int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, int devId)
return ret; return ret;
} }
#endif #endif /* WOLF_PRIVATE_KEY_ID */
/* Free Hmac from use with async device */ /* Free Hmac from use with async device */
void wc_HmacFree(Hmac* hmac) void wc_HmacFree(Hmac* hmac)

4
wolfcrypt/src/rsa.c
View File

@@ -345,7 +345,7 @@ int wc_InitRsaKey(RsaKey* key, void* heap)
return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
} }
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
int devId) int devId)
{ {
@@ -388,7 +388,7 @@ int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId)
return ret; return ret;
} }
#endif #endif /* WOLF_PRIVATE_KEY_ID */
#ifdef WOLFSSL_XILINX_CRYPT #ifdef WOLFSSL_XILINX_CRYPT

2
wolfssl/internal.h
View File

@@ -1729,7 +1729,7 @@ WOLFSSL_LOCAL int CompleteServerHello(WOLFSSL *ssl);
WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv); WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv);
WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
word32 hashSigAlgoSz); word32 hashSigAlgoSz);
#ifdef WOLF_CRYPTO_CB #if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length, WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length,
int hsType, int label, int id, int hsType, int label, int id,
void* heap, int devId); void* heap, int devId);

2
wolfssl/ssl.h
View File

@@ -1843,7 +1843,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PublicKey(int type, WOLFSSL_EVP_PKEY**
const unsigned char ** in, long inSz); const unsigned char ** in, long inSz);
WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type,
WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz); WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz);
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type,
WOLFSSL_EVP_PKEY** out, void* heap, int devId); WOLFSSL_EVP_PKEY** out, void* heap, int devId);
#endif #endif

6
wolfssl/wolfcrypt/aes.h
View File

@@ -159,7 +159,7 @@ enum {
AES_XTS_MODE = 3, AES_XTS_MODE = 3,
#endif #endif
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
AES_MAX_ID_LEN = 32, AES_MAX_ID_LEN = 32,
AES_MAX_LABEL_LEN = 32, AES_MAX_LABEL_LEN = 32,
#endif #endif
@@ -213,7 +213,7 @@ struct Aes {
int devId; int devId;
void* devCtx; void* devCtx;
#endif #endif
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
byte id[AES_MAX_ID_LEN]; byte id[AES_MAX_ID_LEN];
int idLen; int idLen;
char label[AES_MAX_LABEL_LEN]; char label[AES_MAX_LABEL_LEN];
@@ -537,7 +537,7 @@ WOLFSSL_API int wc_AesXtsFree(XtsAes* aes);
WOLFSSL_API int wc_AesGetKeySize(Aes* aes, word32* keySize); WOLFSSL_API int wc_AesGetKeySize(Aes* aes, word32* keySize);
WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId); WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId);
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap,
int devId); int devId);
WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap, WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap,

4
wolfssl/wolfcrypt/asn.h
View File

@@ -1585,7 +1585,6 @@ struct DecodedCert {
char* subjectUID; char* subjectUID;
int subjectUIDLen; int subjectUIDLen;
char subjectUIDEnc; char subjectUIDEnc;
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
char* subjectStreet; char* subjectStreet;
int subjectStreetLen; int subjectStreetLen;
char subjectStreetEnc; char subjectStreetEnc;
@@ -1601,7 +1600,6 @@ struct DecodedCert {
char* subjectPC; char* subjectPC;
int subjectPCLen; int subjectPCLen;
char subjectPCEnc; char subjectPCEnc;
#endif
char* subjectEmail; char* subjectEmail;
int subjectEmailLen; int subjectEmailLen;
#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ #endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
@@ -1766,7 +1764,7 @@ struct TrustedPeerCert {
/* for testing or custom openssl wrappers */ /* for testing or custom openssl wrappers */
#if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \ #if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
defined(OPENSSL_EXTRA_X509_SMALL) defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_PUBLIC_ASN)
#define WOLFSSL_ASN_API WOLFSSL_API #define WOLFSSL_ASN_API WOLFSSL_API
#else #else
#define WOLFSSL_ASN_API WOLFSSL_LOCAL #define WOLFSSL_ASN_API WOLFSSL_LOCAL

6
wolfssl/wolfcrypt/ecc.h
View File

@@ -186,7 +186,7 @@ enum {
/* Shamir's dual add constants */ /* Shamir's dual add constants */
SHAMIR_PRECOMP_SZ = 16, SHAMIR_PRECOMP_SZ = 16,
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
ECC_MAX_ID_LEN = 32, ECC_MAX_ID_LEN = 32,
ECC_MAX_LABEL_LEN = 32, ECC_MAX_LABEL_LEN = 32,
#endif #endif
@@ -481,7 +481,7 @@ struct ecc_key {
CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */ CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */
#endif #endif
#endif /* WOLFSSL_ASYNC_CRYPT */ #endif /* WOLFSSL_ASYNC_CRYPT */
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
byte id[ECC_MAX_ID_LEN]; byte id[ECC_MAX_ID_LEN];
int idLen; int idLen;
char label[ECC_MAX_LABEL_LEN]; char label[ECC_MAX_LABEL_LEN];
@@ -631,7 +631,7 @@ WOLFSSL_API
int wc_ecc_init(ecc_key* key); int wc_ecc_init(ecc_key* key);
WOLFSSL_ABI WOLFSSL_API WOLFSSL_ABI WOLFSSL_API
int wc_ecc_init_ex(ecc_key* key, void* heap, int devId); int wc_ecc_init_ex(ecc_key* key, void* heap, int devId);
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API WOLFSSL_API
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap, int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId); int devId);

6
wolfssl/wolfcrypt/hmac.h
View File

@@ -99,7 +99,7 @@ enum {
WC_SHA3_384 = WC_HASH_TYPE_SHA3_384, WC_SHA3_384 = WC_HASH_TYPE_SHA3_384,
WC_SHA3_512 = WC_HASH_TYPE_SHA3_512, WC_SHA3_512 = WC_HASH_TYPE_SHA3_512,
#endif #endif
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
HMAC_MAX_ID_LEN = 32, HMAC_MAX_ID_LEN = 32,
HMAC_MAX_LABEL_LEN = 32, HMAC_MAX_LABEL_LEN = 32,
#endif #endif
@@ -160,7 +160,7 @@ struct Hmac {
void* devCtx; void* devCtx;
const byte* keyRaw; const byte* keyRaw;
#endif #endif
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
byte id[HMAC_MAX_ID_LEN]; byte id[HMAC_MAX_ID_LEN];
int idLen; int idLen;
char label[HMAC_MAX_LABEL_LEN]; char label[HMAC_MAX_LABEL_LEN];
@@ -192,7 +192,7 @@ WOLFSSL_API int wc_HmacFinal_Software(Hmac* hmac, byte* out);
WOLFSSL_API int wc_HmacSizeByType(int type); WOLFSSL_API int wc_HmacSizeByType(int type);
WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId); WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId);
#ifdef HAVE_PKCS11 #ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap, WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap,
int devId); int devId);
WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap,

6
wolfssl/wolfcrypt/rsa.h
View File

@@ -148,7 +148,7 @@ enum {
RSA_PSS_SALT_LEN_DISCOVER = -2, RSA_PSS_SALT_LEN_DISCOVER = -2,
#endif #endif
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
RSA_MAX_ID_LEN = 32, RSA_MAX_ID_LEN = 32,
RSA_MAX_LABEL_LEN = 32, RSA_MAX_LABEL_LEN = 32,
#endif #endif
@@ -195,7 +195,7 @@ struct RsaKey {
#if defined(WOLFSSL_KCAPI_RSA) #if defined(WOLFSSL_KCAPI_RSA)
struct kcapi_handle* handle; struct kcapi_handle* handle;
#endif #endif
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
byte id[RSA_MAX_ID_LEN]; byte id[RSA_MAX_ID_LEN];
int idLen; int idLen;
char label[RSA_MAX_LABEL_LEN]; char label[RSA_MAX_LABEL_LEN];
@@ -226,7 +226,7 @@ struct RsaKey {
WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap); WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap);
WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId); WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId);
WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
#ifdef WOLF_CRYPTO_CB #ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len,
void* heap, int devId); void* heap, int devId);
WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap,

10
wolfssl/wolfcrypt/settings.h
View File

@@ -2614,6 +2614,16 @@ extern void uITRON4_free(void *p) ;
#error The SRTP extension requires DTLS #error The SRTP extension requires DTLS
#endif #endif
/* Are we using an external private key store like:
* PKCS11 / HSM / crypto callback / PK callback */
#if !defined(WOLF_PRIVATE_KEY_ID) && \
(defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) || \
defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_KCAPI))
/* Enables support for using wolfSSL_CTX_use_PrivateKey_Id and
* wolfSSL_CTX_use_PrivateKey_Label */
#define WOLF_PRIVATE_KEY_ID
#endif
/* --------------------------------------------------------------------------- /* ---------------------------------------------------------------------------