mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve logic around private key id/label. Adds WOLF_PRIVATE_KEY_ID.

Browse Source
This commit is contained in:
David Garske 2022-03-17 14:12:13 -07:00
parent aa8e5a29d4
commit b546b2a5ec
15 changed files with 162 additions and 212 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/internal.c
View File

@ -22281,7 +22281,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
#if !defined(NO_CERTS)
#if defined(WOLF_CRYPTO_CB) && !defined(NO_CHECK_PRIVATE_KEY)
#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
/* Create a private key for a device.
*
* pkey Key object.
@ -22349,7 +22349,7 @@ int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
return ret;
}
#endif
#endif /* WOLF_PRIVATE_KEY_ID && !NO_CHECK_PRIVATE_KEY */
/* Decode the private key - RSA/ECC/Ed25519/Ed448/Falcon - and creates a key
* object.
@ -22382,7 +22382,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ERROR_OUT(NO_PRIVATE_KEY, exit_dpk);
}
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId ||
ssl->buffers.keyLabel)) {
if (ssl->buffers.keyType == rsa_sa_algo)
@ -22448,7 +22448,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
}
goto exit_dpk;
}
#endif
#endif /* WOLF_PRIVATE_KEY_ID */
#ifndef NO_RSA
if (ssl->buffers.keyType == rsa_sa_algo || ssl->buffers.keyType == 0) {
@ -22465,7 +22465,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
/* Decode the key assuming it is an RSA private key. */
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(RsaKey*)ssl->hsKey, ssl->buffers.key->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) {
WOLFSSL_MSG("Trying RSA public key with crypto callbacks");
@ -22520,7 +22520,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(ecc_key*)ssl->hsKey,
ssl->buffers.key->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) {
WOLFSSL_MSG("Trying ECC public key with crypto callbacks");
@ -22573,7 +22573,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(ed25519_key*)ssl->hsKey,
ssl->buffers.key->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) {
WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
@ -25449,17 +25449,19 @@ int SendClientKeyExchange(WOLFSSL* ssl)
#ifndef NO_RSA
case rsa_kea:
{
#if defined(HAVE_PK_CALLBACKS)
#ifdef HAVE_PK_CALLBACKS
if (ssl->ctx->GenPreMasterCb) {
void* ctx = wolfSSL_GetGenPreMasterCtx(ssl);
ret = ssl->ctx->GenPreMasterCb(ssl, ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx);
ret = ssl->ctx->GenPreMasterCb(ssl,
ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx);
if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) {
goto exit_scke;
}
}
if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE) {
if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE)
#endif
/* build PreMasterSecret with RNG data */
{
/* build PreMasterSecret with RNG data */
ret = wc_RNG_GenerateBlock(ssl->rng,
&ssl->arrays->preMasterSecret[VERSION_SZ],
SECRET_LEN - VERSION_SZ);
@ -25471,9 +25473,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
ssl->arrays->preMasterSz = SECRET_LEN;
#if defined(HAVE_PK_CALLBACKS)
}
#endif
break;
}
#endif /* !NO_RSA */

241
src/ssl.c
View File

@ -5696,7 +5696,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (ret == 0) {
*idx = 0;
ret = wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
@ -5768,7 +5768,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (wc_ecc_init_ex(key, heap, devId) == 0) {
*idx = 0;
ret = wc_EccPrivateKeyDecode(der->buffer, idx, key, der->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
@ -5835,7 +5835,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (ret == 0) {
*idx = 0;
ret = wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, der->length);
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
@ -6303,7 +6303,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#else
DecodedCert cert[1];
#endif
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
int keyType = 0;
#endif
@ -6435,7 +6435,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
switch (cert->keyOID) {
#ifndef NO_RSA
case RSAk:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
keyType = rsa_sa_algo;
#endif
/* Determine RSA key size by parsing public key */
@ -6463,7 +6463,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* !NO_RSA */
#ifdef HAVE_ECC
case ECDSAk:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
keyType = ecc_dsa_sa_algo;
#endif
/* Determine ECC key size based on curve */
@ -6488,7 +6488,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* HAVE_ECC */
#ifdef HAVE_ED25519
case ED25519k:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
keyType = ed25519_sa_algo;
#endif
/* ED25519 is fixed key size */
@ -6511,7 +6511,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif /* HAVE_ED25519 */
#ifdef HAVE_ED448
case ED448k:
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
keyType = ed448_sa_algo;
#endif
/* ED448 is fixed key size */
@ -6559,20 +6559,12 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
break; /* do no check if not a case for the key */
}
#if defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS)
if (ssl
#ifdef HAVE_PK_CALLBACKS
&& ssl->buffers.keyType == 0
#endif
) {
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl != NULL && ssl->buffers.keyType == 0) {
ssl->buffers.keyType = keyType;
ssl->buffers.keySz = keySz;
}
else if (ctx
#ifdef HAVE_PK_CALLBACKS
&& ctx->privateKeyType == 0
#endif
) {
else if (ctx != NULL && ctx->privateKeyType == 0) {
ctx->privateKeyType = keyType;
ctx->privateKeySz = keySz;
}
@ -8222,10 +8214,10 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format)
#ifndef NO_CHECK_PRIVATE_KEY
/* Check private against public in certificate for match
*
* ctx WOLFSSL_CTX structure to check private key in
*
* Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */
int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
* Returns WOLFSSL_SUCCESS on good private key
* WOLFSSL_FAILURE if mismatched */
static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap,
int devId, int isKeyLabel, int isKeyId)
{
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* der = NULL;
@ -8236,9 +8228,9 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
byte* buff;
int ret = WOLFSSL_FAILURE;
WOLFSSL_ENTER("wolfSSL_CTX_check_private_key");
WOLFSSL_ENTER("check_cert_key");
if (ctx == NULL || ctx->certificate == NULL || ctx->privateKey == NULL) {
if (cert == NULL || key == NULL) {
return WOLFSSL_FAILURE;
}
@ -8248,9 +8240,9 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
return MEMORY_E;
#endif
size = ctx->certificate->length;
buff = ctx->certificate->buffer;
InitDecodedCert(der, buff, size, ctx->heap);
size = cert->length;
buff = cert->buffer;
InitDecodedCert(der, buff, size, heap);
if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) {
FreeDecodedCert(der);
#ifdef WOLFSSL_SMALL_STACK
@ -8259,10 +8251,10 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
return WOLFSSL_FAILURE;
}
size = ctx->privateKey->length;
buff = ctx->privateKey->buffer;
#ifdef WOLF_CRYPTO_CB
if (ctx->privateKeyDevId != INVALID_DEVID) {
size = key->length;
buff = key->buffer;
#ifdef WOLF_PRIVATE_KEY_ID
if (devId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
@ -8276,33 +8268,44 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
type = DYNAMIC_TYPE_ECC;
}
#endif
ret = CreateDevPrivateKey(&pkey, buff, size, type, ctx->privateKeyLabel,
ctx->privateKeyId, ctx->heap,
ctx->privateKeyDevId);
#ifndef NO_RSA
if (ret == 0 && der->keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der->publicKey,
der->pubKeySize);
wc_FreeRsaKey((RsaKey*)pkey);
ret = CreateDevPrivateKey(&pkey, buff, size, type,
isKeyLabel, isKeyId, heap, devId);
if (ret == 0) {
#ifdef WOLF_CRYPTO_CB
#ifndef NO_RSA
if (der->keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey,
der->publicKey, der->pubKeySize);
}
#endif
#ifdef HAVE_ECC
if (der->keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey,
der->publicKey, der->pubKeySize);
}
#endif
#else
/* devId was set, don't check, for now, just return success */
/* TODO: Add callback for private key check? */
ret = 0;
#endif
}
#endif
#ifdef HAVE_ECC
if (ret == 0 && der->keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der->publicKey,
der->pubKeySize);
wc_ecc_free((ecc_key*)pkey);
}
#endif
if (pkey != NULL) {
XFREE(pkey, ctx->heap, type);
#ifndef NO_RSA
if (der->keyOID == RSAk) {
wc_FreeRsaKey((RsaKey*)pkey);
}
#endif
#ifdef HAVE_ECC
if (der->keyOID == ECDSAk) {
wc_ecc_free((ecc_key*)pkey);
}
#endif
XFREE(pkey, heap, type);
}
if (ret != CRYPTOCB_UNAVAILABLE) {
if (ret == 0) {
ret = WOLFSSL_SUCCESS;
}
else {
ret = WOLFSSL_FAILURE;
}
ret = (ret == 0) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE;
}
}
else {
@ -8311,23 +8314,37 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
}
if (ret == CRYPTOCB_UNAVAILABLE)
#endif
#endif /* WOLF_PRIVATE_KEY_ID */
{
ret = wc_CheckPrivateKeyCert(buff, size, der);
if (ret == 1) {
ret = WOLFSSL_SUCCESS;
}
else {
ret = WOLFSSL_FAILURE;
}
ret = (ret == 1) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE;
}
FreeDecodedCert(der);
#ifdef WOLFSSL_SMALL_STACK
XFREE(der, NULL, DYNAMIC_TYPE_DCERT);
#endif
(void)devId;
(void)isKeyLabel;
(void)isKeyId;
return ret;
}
/* Check private against public in certificate for match
*
* ctx WOLFSSL_CTX structure to check private key in
*
* Returns WOLFSSL_SUCCESS on good private key
* WOLFSSL_FAILURE if mismatched. */
int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
{
if (ctx == NULL) {
return WOLFSSL_FAILURE;
}
return check_cert_key(ctx->certificate, ctx->privateKey, ctx->heap,
ctx->privateKeyDevId, ctx->privateKeyLabel, ctx->privateKeyId);
}
#endif /* !NO_CHECK_PRIVATE_KEY */
#ifdef OPENSSL_ALL
@ -9192,7 +9209,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
return _d2i_PublicKey(type, out, in, inSz, 1);
}
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
/* Create an EVP structure for use with crypto callbacks */
WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
void* heap, int devId)
@ -9225,7 +9242,10 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
return NULL;
}
key = (RsaKey*)local->rsa->internal;
#ifdef WOLF_CRYPTO_CB
key->devId = devId;
#endif
(void)key;
local->rsa->inSet = 1;
break;
}
@ -9241,7 +9261,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
return NULL;
}
key = (ecc_key*)local->ecc->internal;
#ifdef WOLF_CRYPTO_CB
key->devId = devId;
#endif
key->type = ECC_PRIVATEKEY;
/* key is required to have a key size / curve set, although
* actual one used is determined by devId callback function */
@ -9263,91 +9285,24 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
return local;
}
#endif /* WOLF_CRYPTO_CB */
#endif /* WOLF_PRIVATE_KEY_ID */
#ifndef NO_CERTS // NOLINT(readability-redundant-preprocessor)
#ifndef NO_CHECK_PRIVATE_KEY
/* Check private against public in certificate for match
*
* ssl WOLFSSL structure to check private key in
*
* Returns WOLFSSL_SUCCESS on good private key
* WOLFSSL_FAILURE if mismatched. */
int wolfSSL_check_private_key(const WOLFSSL* ssl)
{
DecodedCert der;
word32 size;
byte* buff;
int ret;
if (ssl == NULL) {
return WOLFSSL_FAILURE;
}
size = ssl->buffers.certificate->length;
buff = ssl->buffers.certificate->buffer;
InitDecodedCert(&der, buff, size, ssl->heap);
#ifdef HAVE_PK_CALLBACKS
ret = InitSigPkCb((WOLFSSL*)ssl, &der.sigCtx);
if (ret != 0) {
FreeDecodedCert(&der);
return ret;
}
#endif
if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) {
FreeDecodedCert(&der);
return WOLFSSL_FAILURE;
}
size = ssl->buffers.key->length;
buff = ssl->buffers.key->buffer;
#ifdef WOLF_CRYPTO_CB
if (ssl->buffers.keyDevId != INVALID_DEVID) {
int type = 0;
void *pkey = NULL;
#ifndef NO_RSA
if (der.keyOID == RSAk) {
type = DYNAMIC_TYPE_RSA;
}
#endif
#ifdef HAVE_ECC
if (der.keyOID == ECDSAk) {
type = DYNAMIC_TYPE_ECC;
}
#endif
ret = CreateDevPrivateKey(&pkey, buff, size, type,
ssl->buffers.keyLabel,
ssl->buffers.keyId, ssl->heap,
ssl->buffers.keyDevId);
#ifndef NO_RSA
if (ret == 0 && der.keyOID == RSAk) {
ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = WOLFSSL_SUCCESS;
wc_FreeRsaKey((RsaKey*)pkey);
}
#endif
#ifdef HAVE_ECC
if (ret == 0 && der.keyOID == ECDSAk) {
ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der.publicKey,
der.pubKeySize);
if (ret == 0)
ret = WOLFSSL_SUCCESS;
wc_ecc_free((ecc_key*)pkey);
}
#endif
if (pkey != NULL) {
XFREE(pkey, ssl->heap, type);
}
}
else {
/* fall through if unavailable */
ret = CRYPTOCB_UNAVAILABLE;
}
if (ret == CRYPTOCB_UNAVAILABLE)
#endif
ret = wc_CheckPrivateKeyCert(buff, size, &der);
FreeDecodedCert(&der);
return ret;
return check_cert_key(ssl->buffers.certificate, ssl->buffers.key, ssl->heap,
ssl->buffers.keyDevId, ssl->buffers.keyLabel, ssl->buffers.keyId);
}
#endif /* !NO_CHECK_PRIVATE_KEY */
@ -17176,7 +17131,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
#if defined(HAVE_PKCS11) || defined(WOLF_CRYPTO_CB)
#ifdef WOLF_PRIVATE_KEY_ID
int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id,
long sz, int devId, long keySz)
{
@ -17230,7 +17185,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
#endif /* HAVE_PKCS11 || WOLF_CRYPTO_CB */
#endif /* WOLF_PRIVATE_KEY_ID */
int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
const unsigned char* in, long sz, int format)
@ -17379,7 +17334,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
}
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id,
long sz, int devId, long keySz)
{
@ -17436,7 +17391,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ret;
}
#endif
#endif /* WOLF_PRIVATE_KEY_ID */
int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl,
const unsigned char* in, long sz, int format)

2
wolfcrypt/src/aes.c
View File

@ -10459,7 +10459,7 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
return ret;
}
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId)
{
int ret = 0;

49
wolfcrypt/src/asn.c
View File

@ -10567,7 +10567,7 @@ typedef struct CertNameData {
const char* str;
/* Length of type string of name component. */
byte strLen;
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
/* Offset of data in subject name component. */
size_t data;
/* Offset of length in subject name component. */
@ -10586,7 +10586,7 @@ static const CertNameData certNameSubject[] = {
/* Common Name */
{
"/CN=", 4,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectCN),
OFFSETOF(DecodedCert, subjectCNLen),
OFFSETOF(DecodedCert, subjectCNEnc),
@ -10598,7 +10598,7 @@ static const CertNameData certNameSubject[] = {
/* Surname */
{
"/SN=", 4,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectSN),
OFFSETOF(DecodedCert, subjectSNLen),
OFFSETOF(DecodedCert, subjectSNEnc),
@ -10610,7 +10610,7 @@ static const CertNameData certNameSubject[] = {
/* Serial Number */
{
"/serialNumber=", 14,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectSND),
OFFSETOF(DecodedCert, subjectSNDLen),
OFFSETOF(DecodedCert, subjectSNDEnc),
@ -10622,7 +10622,7 @@ static const CertNameData certNameSubject[] = {
/* Country Name */
{
"/C=", 3,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectC),
OFFSETOF(DecodedCert, subjectCLen),
OFFSETOF(DecodedCert, subjectCEnc),
@ -10634,7 +10634,7 @@ static const CertNameData certNameSubject[] = {
/* Locality Name */
{
"/L=", 3,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectL),
OFFSETOF(DecodedCert, subjectLLen),
OFFSETOF(DecodedCert, subjectLEnc),
@ -10646,7 +10646,7 @@ static const CertNameData certNameSubject[] = {
/* State Name */
{
"/ST=", 4,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectST),
OFFSETOF(DecodedCert, subjectSTLen),
OFFSETOF(DecodedCert, subjectSTEnc),
@ -10670,7 +10670,7 @@ static const CertNameData certNameSubject[] = {
/* Organization Name */
{
"/O=", 3,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectO),
OFFSETOF(DecodedCert, subjectOLen),
OFFSETOF(DecodedCert, subjectOEnc),
@ -10682,7 +10682,7 @@ static const CertNameData certNameSubject[] = {
/* Organization Unit Name */
{
"/OU=", 4,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectOU),
OFFSETOF(DecodedCert, subjectOULen),
OFFSETOF(DecodedCert, subjectOUEnc),
@ -10694,7 +10694,7 @@ static const CertNameData certNameSubject[] = {
/* Title */
{
NULL, 0,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0,
0,
0,
@ -10706,7 +10706,7 @@ static const CertNameData certNameSubject[] = {
/* Undefined */
{
NULL, 0,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0,
0,
0,
@ -10718,7 +10718,7 @@ static const CertNameData certNameSubject[] = {
/* Undefined */
{
NULL, 0,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0,
0,
0,
@ -10730,16 +10730,10 @@ static const CertNameData certNameSubject[] = {
/* Business Category */
{
"/businessCategory=", 18,
#ifdef WOLFSSL_CERT_GEN
#ifdef WOLFSSL_CERT_EXT
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectBC),
OFFSETOF(DecodedCert, subjectBCLen),
OFFSETOF(DecodedCert, subjectBCEnc),
#else
0,
0,
0,
#endif
#endif
#ifdef WOLFSSL_X509_NAME_AVAILABLE
NID_businessCategory
@ -10748,7 +10742,7 @@ static const CertNameData certNameSubject[] = {
/* Undefined */
{
NULL, 0,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
0,
0,
0,
@ -10760,16 +10754,10 @@ static const CertNameData certNameSubject[] = {
/* Postal Code */
{
"/postalCode=", 12,
#ifdef WOLFSSL_CERT_GEN
#ifdef WOLFSSL_CERT_EXT
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectPC),
OFFSETOF(DecodedCert, subjectPCLen),
OFFSETOF(DecodedCert, subjectPCEnc),
#else
0,
0,
0,
#endif
#endif
#ifdef WOLFSSL_X509_NAME_AVAILABLE
NID_postalCode
@ -10778,14 +10766,13 @@ static const CertNameData certNameSubject[] = {
/* User Id */
{
"/userid=", 8,
#ifdef WOLFSSL_CERT_GEN
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
OFFSETOF(DecodedCert, subjectUID),
OFFSETOF(DecodedCert, subjectUIDLen),
OFFSETOF(DecodedCert, subjectUIDEnc),
#endif
#ifdef WOLFSSL_X509_NAME_AVAILABLE
NID_userId
#endif
},
};
@ -20713,8 +20700,8 @@ int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header)
#endif /* !NO_RSA && WOLFSSL_CERT_GEN */
#if ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && \
!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || defined(WOLFSSL_KCAPI_RSA)
#if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \
defined(WOLFSSL_KCAPI_RSA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
/* Encode private RSA key in DER format.
*

6
wolfcrypt/src/ecc.c
View File

@ -5404,7 +5404,7 @@ int wc_ecc_init(ecc_key* key)
#endif
}
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId)
{
@ -5447,7 +5447,7 @@ int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId)
return ret;
}
#endif
#endif /* WOLF_PRIVATE_KEY_ID */
int wc_ecc_set_flags(ecc_key* key, word32 flags)
{
@ -8732,7 +8732,7 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* a, mp_int* prime)
return err;
}
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN ||
#endif /* FIPS_VERSION_GE(5,0) || WOLFSSL_VALIDATE_ECC_KEYGEN ||
* (!WOLFSSL_SP_MATH && WOLFSSL_VALIDATE_ECC_IMPORT) */
#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN)

4
wolfcrypt/src/hmac.c
View File

@ -1021,7 +1021,7 @@ int wc_HmacInit(Hmac* hmac, void* heap, int devId)
return ret;
}
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
int wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap,
int devId)
{
@ -1064,7 +1064,7 @@ int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap, int devId)
return ret;
}
#endif
#endif /* WOLF_PRIVATE_KEY_ID */
/* Free Hmac from use with async device */
void wc_HmacFree(Hmac* hmac)

4
wolfcrypt/src/rsa.c
View File

@ -345,7 +345,7 @@ int wc_InitRsaKey(RsaKey* key, void* heap)
return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
}
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
int devId)
{
@ -388,7 +388,7 @@ int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId)
return ret;
}
#endif
#endif /* WOLF_PRIVATE_KEY_ID */
#ifdef WOLFSSL_XILINX_CRYPT

2
wolfssl/internal.h
View File

@ -1729,7 +1729,7 @@ WOLFSSL_LOCAL int CompleteServerHello(WOLFSSL *ssl);
WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv);
WOLFSSL_LOCAL int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
word32 hashSigAlgoSz);
#ifdef WOLF_CRYPTO_CB
#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length,
int hsType, int label, int id,
void* heap, int devId);

2
wolfssl/ssl.h
View File

@ -1843,7 +1843,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PublicKey(int type, WOLFSSL_EVP_PKEY**
const unsigned char ** in, long inSz);
WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type,
WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz);
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type,
WOLFSSL_EVP_PKEY** out, void* heap, int devId);
#endif

6
wolfssl/wolfcrypt/aes.h
View File

@ -159,7 +159,7 @@ enum {
AES_XTS_MODE = 3,
#endif
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
AES_MAX_ID_LEN = 32,
AES_MAX_LABEL_LEN = 32,
#endif
@ -213,7 +213,7 @@ struct Aes {
int devId;
void* devCtx;
#endif
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
byte id[AES_MAX_ID_LEN];
int idLen;
char label[AES_MAX_LABEL_LEN];
@ -537,7 +537,7 @@ WOLFSSL_API int wc_AesXtsFree(XtsAes* aes);
WOLFSSL_API int wc_AesGetKeySize(Aes* aes, word32* keySize);
WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId);
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap,
int devId);
WOLFSSL_API int wc_AesInit_Label(Aes* aes, const char* label, void* heap,

4
wolfssl/wolfcrypt/asn.h
View File

@ -1585,7 +1585,6 @@ struct DecodedCert {
char* subjectUID;
int subjectUIDLen;
char subjectUIDEnc;
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
char* subjectStreet;
int subjectStreetLen;
char subjectStreetEnc;
@ -1601,7 +1600,6 @@ struct DecodedCert {
char* subjectPC;
int subjectPCLen;
char subjectPCEnc;
#endif
char* subjectEmail;
int subjectEmailLen;
#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
@ -1766,7 +1764,7 @@ struct TrustedPeerCert {
/* for testing or custom openssl wrappers */
#if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
defined(OPENSSL_EXTRA_X509_SMALL)
defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_PUBLIC_ASN)
#define WOLFSSL_ASN_API WOLFSSL_API
#else
#define WOLFSSL_ASN_API WOLFSSL_LOCAL

6
wolfssl/wolfcrypt/ecc.h
View File

@ -186,7 +186,7 @@ enum {
/* Shamir's dual add constants */
SHAMIR_PRECOMP_SZ = 16,
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
ECC_MAX_ID_LEN = 32,
ECC_MAX_LABEL_LEN = 32,
#endif
@ -481,7 +481,7 @@ struct ecc_key {
CertSignCtx certSignCtx; /* context info for cert sign (MakeSignature) */
#endif
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
byte id[ECC_MAX_ID_LEN];
int idLen;
char label[ECC_MAX_LABEL_LEN];
@ -631,7 +631,7 @@ WOLFSSL_API
int wc_ecc_init(ecc_key* key);
WOLFSSL_ABI WOLFSSL_API
int wc_ecc_init_ex(ecc_key* key, void* heap, int devId);
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API
int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
int devId);

6
wolfssl/wolfcrypt/hmac.h
View File

@ -99,7 +99,7 @@ enum {
WC_SHA3_384 = WC_HASH_TYPE_SHA3_384,
WC_SHA3_512 = WC_HASH_TYPE_SHA3_512,
#endif
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
HMAC_MAX_ID_LEN = 32,
HMAC_MAX_LABEL_LEN = 32,
#endif
@ -160,7 +160,7 @@ struct Hmac {
void* devCtx;
const byte* keyRaw;
#endif
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
byte id[HMAC_MAX_ID_LEN];
int idLen;
char label[HMAC_MAX_LABEL_LEN];
@ -192,7 +192,7 @@ WOLFSSL_API int wc_HmacFinal_Software(Hmac* hmac, byte* out);
WOLFSSL_API int wc_HmacSizeByType(int type);
WOLFSSL_API int wc_HmacInit(Hmac* hmac, void* heap, int devId);
#ifdef HAVE_PKCS11
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API int wc_HmacInit_Id(Hmac* hmac, byte* id, int len, void* heap,
int devId);
WOLFSSL_API int wc_HmacInit_Label(Hmac* hmac, const char* label, void* heap,

6
wolfssl/wolfcrypt/rsa.h
View File

@ -148,7 +148,7 @@ enum {
RSA_PSS_SALT_LEN_DISCOVER = -2,
#endif
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
RSA_MAX_ID_LEN = 32,
RSA_MAX_LABEL_LEN = 32,
#endif
@ -195,7 +195,7 @@ struct RsaKey {
#if defined(WOLFSSL_KCAPI_RSA)
struct kcapi_handle* handle;
#endif
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
byte id[RSA_MAX_ID_LEN];
int idLen;
char label[RSA_MAX_LABEL_LEN];
@ -226,7 +226,7 @@ struct RsaKey {
WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void* heap);
WOLFSSL_API int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId);
WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
#ifdef WOLF_CRYPTO_CB
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_API int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len,
void* heap, int devId);
WOLFSSL_API int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap,

10
wolfssl/wolfcrypt/settings.h
View File

@ -2614,6 +2614,16 @@ extern void uITRON4_free(void *p) ;
#error The SRTP extension requires DTLS
#endif
/* Are we using an external private key store like:
* PKCS11 / HSM / crypto callback / PK callback */
#if !defined(WOLF_PRIVATE_KEY_ID) && \
(defined(HAVE_PKCS11) || defined(HAVE_PK_CALLBACKS) || \
defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_KCAPI))
/* Enables support for using wolfSSL_CTX_use_PrivateKey_Id and
* wolfSSL_CTX_use_PrivateKey_Label */
#define WOLF_PRIVATE_KEY_ID
#endif
/* ---------------------------------------------------------------------------