Merge pull request #22 from jpbland1/key-types-user

use key type and key user as part of the internal keyId
wolfSSL · Apr 24, 2024 · be502e3 · be502e3
2 parents 4e8916b + 0936dea
commit be502e3
Show file tree

Hide file tree

Showing 12 changed files with 250 additions and 114 deletions.
diff --git a/src/wh_client.c b/src/wh_client.c
@@ -84,10 +84,8 @@ int wh_Client_SendRequest(whClientContext* c,
     if (c == NULL) {
         return WH_ERROR_BADARGS;
     }
-
-    rc = wh_CommClient_SendRequest(c->comm,
-                WH_COMM_MAGIC_NATIVE, kind, &req_id,
-                data_size, data);
+    rc = wh_CommClient_SendRequest(c->comm, WH_COMM_MAGIC_NATIVE, kind, &req_id,
+        data_size, data);
     if (rc == 0) {
         c->last_req_kind = kind;
         c->last_req_id = req_id;
@@ -465,6 +463,7 @@ int wh_Client_KeyCacheRequest_ex(whClientContext* c, uint32_t flags,
     uint8_t* packIn = (uint8_t*)(&packet->keyCacheReq + 1);
     if (c == NULL || in == NULL || inSz == 0)
         return WH_ERROR_BADARGS;
+    packet->keyCacheReq.id = keyId;
     packet->keyCacheReq.flags = flags;
     packet->keyCacheReq.sz = inSz;
     if (label == NULL)
@@ -489,7 +488,7 @@ int wh_Client_KeyCacheRequest(whClientContext* c, uint32_t flags,
     uint8_t* label, uint32_t labelSz, uint8_t* in, uint32_t inSz)
 {
     return wh_Client_KeyCacheRequest_ex(c, flags, label, labelSz, in, inSz,
-        WOLFHSM_ID_ERASED);
+        WOLFHSM_KEYID_ERASED);
 }
 
 int wh_Client_KeyCacheResponse(whClientContext* c, uint16_t* keyId)
@@ -514,7 +513,7 @@ int wh_Client_KeyCacheResponse(whClientContext* c, uint16_t* keyId)
 int wh_Client_KeyEvictRequest(whClientContext* c, uint16_t keyId)
 {
     whPacket packet[1] = {0};
-    if (c == NULL || keyId == WOLFHSM_ID_ERASED)
+    if (c == NULL || keyId == WOLFHSM_KEYID_ERASED)
         return WH_ERROR_BADARGS;
     /* set the keyId */
     packet->keyEvictReq.id = keyId;
@@ -544,7 +543,7 @@ int wh_Client_KeyEvictResponse(whClientContext* c)
 int wh_Client_KeyExportRequest(whClientContext* c, uint16_t keyId)
 {
     whPacket packet[1] = {0};
-    if (c == NULL || keyId == WOLFHSM_ID_ERASED)
+    if (c == NULL || keyId == WOLFHSM_KEYID_ERASED)
         return WH_ERROR_BADARGS;
     /* set keyId */
     packet->keyExportReq.id = keyId;
@@ -597,7 +596,7 @@ int wh_Client_KeyExportResponse(whClientContext* c, uint8_t* label,
 int wh_Client_KeyCommitRequest(whClientContext* c, whNvmId keyId)
 {
     whPacket packet[1] = {0};
-    if (c == NULL || keyId == WOLFHSM_ID_ERASED)
+    if (c == NULL || keyId == WOLFHSM_KEYID_ERASED)
         return WH_ERROR_BADARGS;
     /* set keyId */
     packet->keyCommitReq.id = keyId;
@@ -627,7 +626,7 @@ int wh_Client_KeyCommitResponse(whClientContext* c)
 int wh_Client_KeyEraseRequest(whClientContext* c, whNvmId keyId)
 {
     whPacket packet[1] = {0};
-    if (c == NULL || keyId == WOLFHSM_ID_ERASED)
+    if (c == NULL || keyId == WOLFHSM_KEYID_ERASED)
         return WH_ERROR_BADARGS;
     /* set keyId */
     packet->keyEraseReq.id = keyId;
@@ -658,4 +657,9 @@ void wh_Client_SetKeyCurve25519(curve25519_key* key, whNvmId keyId)
 {
     XMEMCPY(key->devCtx, (void*)&keyId, sizeof(keyId));
 }
+
+void wh_Client_SetKeyRsa(RsaKey* key, whNvmId keyId)
+{
+    XMEMCPY(key->devCtx, (void*)&keyId, sizeof(keyId));
+}
 #endif  /* WOLFHSM_NO_CRYPTO */
diff --git a/src/wh_comm.c b/src/wh_comm.c
@@ -78,9 +78,8 @@ int wh_CommClient_Init(whCommClient* context, const whCommClientConfig* config)
 /* If a request buffer is available, send a new request to the server.  The
  * sequence number will be incremented on transport success.
  */
-int wh_CommClient_SendRequest(whCommClient* context,
-        uint16_t magic, uint16_t kind, uint16_t *out_seq,
-        uint16_t data_size, const void* data)
+int wh_CommClient_SendRequest(whCommClient* context, uint16_t magic,
+    uint16_t kind, uint16_t *out_seq, uint16_t data_size, const void* data)
 {
     int rc = WH_ERROR_NOTREADY;
 

diff --git a/src/wh_server.c b/src/wh_server.c
@@ -263,7 +263,8 @@ int wh_Server_HandleRequestMessage(whServerContext* server)
         break;
 
         case WH_MESSAGE_GROUP_CRYPTO:
-            rc = wh_Server_HandleCryptoRequest(server, action, data, &size);
+            rc = wh_Server_HandleCryptoRequest(server, action, data,
+                &size);
         break;
 #endif  /* WOLFHSM_NO_CRYPTO */
 

diff --git a/src/wh_server_crypto.c b/src/wh_server_crypto.c
@@ -22,17 +22,17 @@
 #include "wolfhsm/wh_server_crypto.h"
 
 #ifndef NO_RSA
-static int hsmCacheKeyRsa(whServerContext* server, RsaKey* key)
+static int hsmCacheKeyRsa(whServerContext* server, RsaKey* key, whKeyId* outId)
 {
     int ret = 0;
     int slotIdx = 0;
-    whKeyId keyId = 0;
+    whKeyId keyId = WOLFHSM_KEYTYPE_CRYPTO;
     /* get a free slot */
     ret = slotIdx = hsmCacheFindSlot(server);
     if (ret >= 0) {
-        ret = keyId = hsmGetUniqueId(server);
+        ret = hsmGetUniqueId(server, &keyId);
     }
-    if (ret > 0 ) {
+    if (ret == 0) {
         /* export key */
         /* TODO: Fix wolfCrypto to allow KeyToDer when KEY_GEN is NOT set */
         ret = wc_RsaKeyToDer(key, server->cache[slotIdx].buffer,
@@ -45,7 +45,8 @@ static int hsmCacheKeyRsa(whServerContext* server, RsaKey* key)
         server->cache[slotIdx].meta->id = keyId;
         server->cache[slotIdx].meta->len = ret;
         /* export keyId */
-        ret = keyId;
+        *outId = keyId;
+        ret = 0;
     }
     return ret;
 }
@@ -56,6 +57,7 @@ static int hsmLoadKeyRsa(whServerContext* server, RsaKey* key, whKeyId keyId)
     int slotIdx = 0;
     uint32_t idx = 0;
     uint32_t size;
+    keyId |= (WOLFHSM_KEYTYPE_CRYPTO | (server->comm->client_id << 8));
     /* freshen the key */
     ret = slotIdx = hsmFreshenKey(server, keyId);
     /* decode the key */
@@ -69,19 +71,20 @@ static int hsmLoadKeyRsa(whServerContext* server, RsaKey* key, whKeyId keyId)
 #endif /* !NO_RSA */
 
 #ifdef HAVE_CURVE25519
-static int hsmCacheKeyCurve25519(whServerContext* server, curve25519_key* key)
+static int hsmCacheKeyCurve25519(whServerContext* server, curve25519_key* key,
+    whKeyId* outId)
 {
     int ret;
     int slotIdx = 0;
     word32 privSz = CURVE25519_KEYSIZE;
     word32 pubSz = CURVE25519_KEYSIZE;
-    whKeyId keyId = 0;
+    whKeyId keyId = WOLFHSM_KEYTYPE_CRYPTO;
     /* get a free slot */
     ret = slotIdx = hsmCacheFindSlot(server);
     if (ret >= 0) {
-        ret = keyId = hsmGetUniqueId(server);
+        ret = hsmGetUniqueId(server, &keyId);
     }
-    if (ret > 0) {
+    if (ret == 0) {
         /* export key */
         ret = wc_curve25519_export_key_raw(key,
             server->cache[slotIdx].buffer + CURVE25519_KEYSIZE, &privSz,
@@ -94,7 +97,8 @@ static int hsmCacheKeyCurve25519(whServerContext* server, curve25519_key* key)
         server->cache[slotIdx].meta->id = keyId;
         server->cache[slotIdx].meta->len = CURVE25519_KEYSIZE * 2;
         /* export keyId */
-        ret = keyId;
+        *outId = keyId;
+        ret = 0;
     }
     return ret;
 }
@@ -106,6 +110,7 @@ static int hsmLoadKeyCurve25519(whServerContext* server, curve25519_key* key,
     int slotIdx = 0;
     uint32_t privSz = CURVE25519_KEYSIZE;
     uint32_t pubSz = CURVE25519_KEYSIZE;
+    keyId |= WOLFHSM_KEYTYPE_CRYPTO;
     /* freshen the key */
     ret = slotIdx = hsmFreshenKey(server, keyId);
     /* decode the key */
@@ -128,6 +133,7 @@ int wh_Server_HandleCryptoRequest(whServerContext* server,
     int ret = 0;
     uint32_t field;
     uint8_t* in;
+    whKeyId keyId;
     uint8_t* out;
     whPacket* packet = (whPacket*)data;
 #ifdef WOLFHSM_SYMMETRIC_INTERNAL
@@ -156,12 +162,13 @@ int wh_Server_HandleCryptoRequest(whServerContext* server,
             }
             /* cache the generated key, data will be blown away */
             if (ret == 0) {
-                ret = hsmCacheKeyRsa(server, server->crypto->rsa);
+                ret = hsmCacheKeyRsa(server, server->crypto->rsa, &keyId);
             }
             wc_FreeRsaKey(server->crypto->rsa);
-            if (ret > 0) {
+            if (ret == 0) {
                 /* set the assigned id */
-                packet->pkRsakgRes.keyId = ret;
+                packet->pkRsakgRes.keyId =
+                    (keyId & ~WOLFHSM_KEYUSER_MASK);
                 *size = WOLFHSM_PACKET_STUB_SIZE +
                     sizeof(packet->pkRsakgRes);
                 ret = 0;
@@ -241,15 +248,16 @@ int wh_Server_HandleCryptoRequest(whServerContext* server,
             /* cache the generated key */
             if (ret == 0) {
                 ret = hsmCacheKeyCurve25519(server,
-                    server->crypto->curve25519Private);
+                    server->crypto->curve25519Private, &keyId);
             }
             /* set the assigned id */
             wc_curve25519_free(server->crypto->curve25519Private);
-            if (ret > 0) {
-                packet->pkCurve25519kgRes.keyId = ret;
+            if (ret == 0) {
+                /* strip client_id */
+                packet->pkCurve25519kgRes.keyId =
+                    (keyId & ~WOLFHSM_KEYUSER_MASK);
                 *size = WOLFHSM_PACKET_STUB_SIZE +
                     sizeof(packet->pkCurve25519kgRes);
-                ret = 0;
             }
             else
                 ret = BAD_FUNC_ARG;
@@ -268,13 +276,17 @@ int wh_Server_HandleCryptoRequest(whServerContext* server,
             if (ret == 0) {
                 ret = hsmLoadKeyCurve25519(server,
                     server->crypto->curve25519Private,
-                    packet->pkCurve25519Req.privateKeyId);
+                    MAKE_WOLFHSM_KEYID(WOLFHSM_KEYTYPE_CRYPTO,
+                    server->comm->client_id,
+                    packet->pkCurve25519Req.privateKeyId));
             }
             /* load the public key */
             if (ret == 0) {
                 ret = hsmLoadKeyCurve25519(server,
                     server->crypto->curve25519Public,
-                    packet->pkEcdhReq.publicKeyId);
+                    MAKE_WOLFHSM_KEYID(WOLFHSM_KEYTYPE_CRYPTO,
+                    server->comm->client_id,
+                    packet->pkCurve25519Req.publicKeyId));
             }
             /* make shared secret */
             if (ret == 0) {