From 82b48144c58c249965b09dfd1362ab798049f8b5 Mon Sep 17 00:00:00 2001 From: John Bland Date: Sun, 21 Jul 2024 22:31:29 -0400 Subject: [PATCH 1/3] add demos for cryptographic functions with and without imported keys --- demo/certs/ca-key.der | Bin 0 -> 1192 bytes demo/certs/curve25519-private-one.raw | 1 + demo/certs/curve25519-private-two.raw | 2 + demo/certs/curve25519-public-one.raw | 2 + demo/certs/curve25519-public-two.raw | 1 + demo/certs/ecc-private-one.raw | 1 + demo/certs/ecc-private-two.raw | Bin 0 -> 96 bytes demo/certs/ecc-public-one.raw | 1 + demo/certs/ecc-public-two.raw | 1 + demo/client/wh_demo_client_all.c | 61 + demo/client/wh_demo_client_crypto.c | 1346 ++++++++++++++++++++++- demo/client/wh_demo_client_crypto.h | 15 +- demo/client/wh_demo_client_keystore.c | 6 +- demo/client/wh_demo_client_nvm.c | 7 +- posix/tcp/wh_client_tcp/Makefile | 2 + posix/tcp/wh_client_tcp/user_settings.h | 5 +- posix/tcp/wh_client_tcp/wh_client_tcp.c | 3 - posix/tcp/wh_server_tcp/Makefile | 1 + posix/tcp/wh_server_tcp/user_settings.h | 4 +- posix/tcp/wh_server_tcp/wh_server_tcp.c | 10 +- 20 files changed, 1447 insertions(+), 22 deletions(-) create mode 100644 demo/certs/ca-key.der create mode 100644 demo/certs/curve25519-private-one.raw create mode 100644 demo/certs/curve25519-private-two.raw create mode 100644 demo/certs/curve25519-public-one.raw create mode 100644 demo/certs/curve25519-public-two.raw create mode 100644 demo/certs/ecc-private-one.raw create mode 100644 demo/certs/ecc-private-two.raw create mode 100644 demo/certs/ecc-public-one.raw create mode 100644 demo/certs/ecc-public-two.raw diff --git a/demo/certs/ca-key.der b/demo/certs/ca-key.der new file mode 100644 index 0000000000000000000000000000000000000000..14456f3e453ba04c32952d0db72fecdeb153eb3e GIT binary patch literal 1192 zcmV;Z1Xueof&`=j0RRGm0RaHN49YDOvL1v&Tg^BhO7cy05b?G(pWn)T1DMmS-UDXt zD)HE`eQpO-3lNwgO@PZ1Am_|a-bH=Ma(6Q7%8Xw{Njp7uPtM2>z2;Z~ns*NeC7Tr%h)7QZZ*EPMGac zMIE^W*$eF0D6>nw?KXJ=0|5X50)hbmJ#J258iaqHg?!;l2YlexnJV6$`8G5TcMd)X z>QChcCe-#g_umZ<94-c;^eSkaV{+p)<^++EwZXBZRIJy=`$3@Ab#J{3PQS5I=wC@D zm{v!}-s$Q*U;)1<+%dmNUz16PdVyP(OHImLI8V3XveU;Q+B_162jm;vL+t46RAJ}# z?WPMZ_1}Vj#vfrBoTP&}-ywyGZ+EYT6*35-S_>v&`)~}(oH%{FBJS&>s1^YEihv#f zgs4hE_=E#zFC$won`%rvXL$JO;FFoh2=BRNw4JjL0)c@5;dVuUS+>(j-wN*%)(`Nv%PKd&r}(u^^)WTA zw5tsL;n*Cwp*?YEX}_weM=&jFZE z+;mi`ZC+YIG5-IWwx9*wsSs57YtX8L0)c=b(*%k{>rl6RX1|9k<|t0;gW~Bm;qnnj z|DpB#pDpD&f&2jjZ&R&QC$>`VR%;d67!vbzew(y z4#ABO|7Dt;EgFiHTFAhqrG#Og)Fip@sh!Dp3&(I~J-WzL-_kST^?&&%VZK*I-M2*- zB=sZYI1Z5~?&BcX6v&iEcR+VV7@iHzc|TV%RtZUGzLZ!`_Qb2=iR0snzy(z-B*03S G1Sgsk)I)m! literal 0 HcmV?d00001 diff --git a/demo/certs/curve25519-private-one.raw b/demo/certs/curve25519-private-one.raw new file mode 100644 index 0000000..229e929 --- /dev/null +++ b/demo/certs/curve25519-private-one.raw @@ -0,0 +1 @@ +J,>JCr5f?0$TVz(oF|]\iߡhG}?b︸"nÈh \ No newline at end of file diff --git a/demo/certs/curve25519-public-one.raw b/demo/certs/curve25519-public-one.raw new file mode 100644 index 0000000..14685ed --- /dev/null +++ b/demo/certs/curve25519-public-one.raw @@ -0,0 +1,2 @@ +XLF +Hņ>\iߡ \ No newline at end of file diff --git a/demo/certs/curve25519-public-two.raw b/demo/certs/curve25519-public-two.raw new file mode 100644 index 0000000..86a70b3 --- /dev/null +++ b/demo/certs/curve25519-public-two.raw @@ -0,0 +1 @@ +J,>JCr5f?0$T \ No newline at end of file diff --git a/demo/certs/ecc-private-one.raw b/demo/certs/ecc-private-one.raw new file mode 100644 index 0000000..f5edb8a --- /dev/null +++ b/demo/certs/ecc-private-one.raw @@ -0,0 +1 @@ +moL)Qx^Nn@t4-c;ᵴJC;5xW ρ5[$} ÓR ݓc T4 \ No newline at end of file diff --git a/demo/certs/ecc-private-two.raw b/demo/certs/ecc-private-two.raw new file mode 100644 index 0000000000000000000000000000000000000000..953f132a17f6caa2eed835be16cab9193dfecc74 GIT binary patch literal 96 zcmV-m0H6O%5$F8#I!q?i9)odyMqxx%)zZklT9MWl59(|e$G^zFqo4C99E+4eFnxTU z7yL}_vq=3jn@rjrrD}!ci}e#?+e;+E$)4ByRR%XD2&klpAt56W3iz^&0Q{O@E;A`I CaxQ=X literal 0 HcmV?d00001 diff --git a/demo/certs/ecc-public-one.raw b/demo/certs/ecc-public-one.raw new file mode 100644 index 0000000..e4d6a89 --- /dev/null +++ b/demo/certs/ecc-public-one.raw @@ -0,0 +1 @@ +L:L&q~FaDUȽZlǿȾ'A0}|LH3Lj \ No newline at end of file diff --git a/demo/certs/ecc-public-two.raw b/demo/certs/ecc-public-two.raw new file mode 100644 index 0000000..130bdf3 --- /dev/null +++ b/demo/certs/ecc-public-two.raw @@ -0,0 +1 @@ +moL)Qx^Nn@t4-c;ᵴJC;5xW ρ \ No newline at end of file diff --git a/demo/client/wh_demo_client_all.c b/demo/client/wh_demo_client_all.c index ffecfe3..47f77a9 100644 --- a/demo/client/wh_demo_client_all.c +++ b/demo/client/wh_demo_client_all.c @@ -26,5 +26,66 @@ int wh_DemoClient_All(whClientContext* clientContext) return rc; } + /* Crypto demos */ + rc = wh_DemoClient_CryptoRsa(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoRsaImport(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoCurve25519(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoCurve25519Import(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoEcc(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoEccImport(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoAesCbc(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoAesCbcImport(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoAesGcm(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoAesGcmImport(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoCmac(clientContext); + if (rc != 0) { + return rc; + } + + rc = wh_DemoClient_CryptoCmacImport(clientContext); + if (rc != 0) { + return rc; + } + return rc; } diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index f58cc76..b3952b2 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -1,7 +1,1347 @@ +#include +#include +#include +#include #include "wh_demo_client_crypto.h" #include "wolfhsm/wh_error.h" -int wh_DemoClient_Crypto(whClientContext* clientContext); +int wh_DemoClient_CryptoRsa(whClientContext* clientContext) { - return WH_ERROR_OK; -} \ No newline at end of file + int ret; + int needEvict = 0; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + const char plainString[] = "The quick brown fox jumps over the lazy dog."; + byte plainText[256]; + byte cipherText[256]; + RsaKey rsa[1]; + WC_RNG rng[1]; + + /* set the plainText to the test string */ + strcpy((char*)plainText, plainString); + + /* initialize rng to make the rsa key */ + ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRng_ex %d\n", ret); + goto exit; + } + + /* initialize the rsa key */ + ret = wc_InitRsaKey_ex(rsa, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRsaKey_ex %d\n", ret); + goto exit; + } + + /* make the rsa key */ + ret = wc_MakeRsaKey(rsa, 2048, 65537, rng); + if (ret != 0) { + printf("Failed to wc_MakeRsaKey %d\n", ret); + goto exit; + } + needEvict = 1; + + /* encrypt the plaintext */ + ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, + sizeof(cipherText), rsa, rng); + if (ret < 0) { + printf("Failed to wc_RsaPublicEncrypt %d\n", ret); + goto exit; + } + + /* decrypt the ciphertext */ + ret = wc_RsaPrivateDecrypt(cipherText, ret, plainText, sizeof(plainText), + rsa); + if (ret < 0) { + printf("Failed to wc_RsaPrivateDecrypt %d\n", ret); + goto exit; + } + + /* verify the decryption output */ + if (memcmp(plainText, plainString, sizeof(plainString)) != 0) { + printf("Failed to verify RSA output\n"); + ret = -1; + } + else + printf("RSA Decryption matches originl plaintext\n"); +exit: + (void)wc_FreeRng(rng); + if (needEvict) { + ret = wh_Client_GetKeyIdRsa(rsa, &keyId); + if (ret != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); + return ret; + } + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) +{ + int ret; + int keyFd; + int keySz; + int needEvict = 0; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + char keyFile[] = "../../../demo/certs/ca-key.der"; + const char plainString[] = "The quick brown fox jumps over the lazy dog."; + char keyLabel[] = "baby's first key"; + uint8_t keyBuf[2048]; + byte plainText[256]; + byte cipherText[256]; + RsaKey rsa[1]; + WC_RNG rng[1]; + + /* set the plainText to the test string */ + strcpy((char*)plainText, plainString); + + /* initialize rng to encrypt with the rsa key */ + ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRng_ex %d\n", ret); + goto exit; + } + + /* open the RSA key */ + ret = keyFd = open(keyFile, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", keyFile, ret); + goto exit; + } + + /* read the RSA key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", keyFile, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + needEvict = 1; + + /* initialize the rsa key */ + ret = wc_InitRsaKey_ex(rsa, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRsaKey_ex %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdRsa(rsa, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + goto exit; + } + + /* encrypt the plaintext */ + ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, + sizeof(cipherText), rsa, rng); + if (ret < 0) { + printf("Failed to wc_RsaPublicEncrypt %d\n", ret); + goto exit; + } + + /* decrypt the ciphertext */ + ret = wc_RsaPrivateDecrypt(cipherText, ret, plainText, sizeof(plainText), + rsa); + if (ret < 0) { + printf("Failed to wc_RsaPrivateDecrypt %d\n", ret); + goto exit; + } + + /* verify the decryption output */ + if (memcmp(plainText, plainString, sizeof(plainString)) != 0) { + printf("Failed to verify RSA output\n"); + ret = -1; + } + else + printf("RSA Decryption matches originl plaintext with imported key\n"); +exit: + (void)wc_FreeRng(rng); + if (needEvict) { + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) +{ + int ret; + int needEvictPriv; + int needEvictPub; + word32 outLen; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + uint8_t sharedOne[CURVE25519_KEYSIZE]; + uint8_t sharedTwo[CURVE25519_KEYSIZE]; + curve25519_key curve25519PrivateKey[1]; + /* public from the first shared secret's perspective, actually private */ + curve25519_key curve25519PublicKey[1]; + WC_RNG rng[1]; + + /* initialize rng to make the cruve25516 keys */ + ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRng_ex %d\n", ret); + goto exit; + } + + /* initialize the keys */ + ret = wc_curve25519_init_ex(curve25519PrivateKey, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + + ret = wc_curve25519_init_ex(curve25519PublicKey, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + + /* generate the keys on the HSM */ + ret = wc_curve25519_make_key(rng, CURVE25519_KEYSIZE, curve25519PrivateKey); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + needEvictPriv = 1; + + ret = wc_curve25519_make_key(rng, CURVE25519_KEYSIZE, curve25519PublicKey); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + needEvictPub = 1; + + /* generate shared secrets from both perspectives */ + outLen = sizeof(sharedOne); + + ret = wc_curve25519_shared_secret(curve25519PrivateKey, curve25519PublicKey, + sharedOne, (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_curve25519_shared_secret %d\n", ret); + goto exit; + } + + ret = wc_curve25519_shared_secret(curve25519PublicKey, curve25519PrivateKey, + sharedTwo, (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_curve25519_shared_secret %d\n", ret); + goto exit; + } + + /* free the key structs */ + wc_curve25519_free(curve25519PrivateKey); + wc_curve25519_free(curve25519PublicKey); + + if (memcmp(sharedOne, sharedTwo, outLen) != 0) { + printf("CURVE25519 shared secrets don't match\n"); + ret = -1; + goto exit; + } + else { + printf("CURVE25519 shared secrets match\n"); + } +exit: + (void)wc_FreeRng(rng); + if (needEvictPriv) { + ret = wh_Client_GetKeyIdCurve25519(curve25519PrivateKey, &keyId); + if (ret != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); + return ret; + } + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (needEvictPub) { + ret = wh_Client_GetKeyIdCurve25519(curve25519PublicKey, &keyId); + if (ret != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); + return ret; + } + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) +{ + int ret; + int keyFd; + int keySz; + word32 outLen; + whKeyId keyIdPriv1 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPub1 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPriv2 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPub2 = WOLFHSM_KEYID_ERASED; + /* public-two is the public part of private-one, same for the *-two keys */ + char privKeyFileOne[] = "../../../demo/certs/curve25519-private-one.raw"; + char pubKeyFileOne[] = "../../../demo/certs/curve25519-public-one.raw"; + char privKeyFileTwo[] = "../../../demo/certs/curve25519-private-two.raw"; + char pubKeyFileTwo[] = "../../../demo/certs/curve25519-public-two.raw"; + char keyLabel[] = "baby's first key"; + uint8_t keyBuf[256]; + uint8_t sharedOne[CURVE25519_KEYSIZE]; + uint8_t sharedTwo[CURVE25519_KEYSIZE]; + curve25519_key curve25519PrivateKey[1]; + curve25519_key curve25519PublicKey[1]; + + /* open the first private curve25516 key */ + ret = keyFd = open(privKeyFileOne, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", privKeyFileOne, ret); + goto exit; + } + + /* read the first private key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", privKeyFileOne, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPriv1); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the private key */ + ret = wc_curve25519_init_ex(curve25519PrivateKey, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPriv1); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + goto exit; + } + + /* open the first public curve25516 key */ + ret = keyFd = open(pubKeyFileOne, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", pubKeyFileOne, ret); + goto exit; + } + + /* read the first public key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", pubKeyFileOne, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPub1); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the public key */ + ret = wc_curve25519_init_ex(curve25519PublicKey, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPub1); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + goto exit; + } + + /* generate shared secret from perspective one */ + outLen = sizeof(sharedOne); + ret = wc_curve25519_shared_secret(curve25519PrivateKey, curve25519PublicKey, + sharedOne, (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_curve25519_shared_secret %d\n", ret); + goto exit; + } + + /* free the key structs */ + wc_curve25519_free(curve25519PrivateKey); + wc_curve25519_free(curve25519PublicKey); + + /* open the second private curve25516 key */ + ret = keyFd = open(privKeyFileTwo, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", privKeyFileTwo, ret); + goto exit; + } + + /* read the second private key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", privKeyFileTwo, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPriv2); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the private key */ + ret = wc_curve25519_init_ex(curve25519PrivateKey, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPriv2); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + goto exit; + } + + /* open the second public curve25516 key */ + ret = keyFd = open(pubKeyFileTwo, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", pubKeyFileTwo, ret); + goto exit; + } + + /* read the second public key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", pubKeyFileTwo, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPub2); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the public key */ + ret = wc_curve25519_init_ex(curve25519PublicKey, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_curve25519_init_ex %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPub2); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + goto exit; + } + + /* generate shared secret from perspective two */ + outLen = sizeof(sharedTwo); + ret = wc_curve25519_shared_secret(curve25519PrivateKey, curve25519PublicKey, + sharedTwo, (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_curve25519_shared_secret %d\n", ret); + goto exit; + } + + if (memcmp(sharedOne, sharedTwo, outLen) != 0) { + printf("CURVE25519 shared secrets don't match with imported keys\n"); + ret = -1; + goto exit; + } + else { + printf("CURVE25519 shared secrets match with imported keys\n"); + } +exit: + /* free the key structs */ + wc_curve25519_free(curve25519PrivateKey); + wc_curve25519_free(curve25519PublicKey); + + if (keyIdPriv1 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPriv1); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (keyIdPub1 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPub1); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (keyIdPriv2 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPriv2); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (keyIdPub2 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPub2); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoEcc(whClientContext* clientContext) +{ + int ret; + int res; + int needEvictPriv; + int needEvictPub; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + word32 outLen; + ecc_key eccPrivate[1]; + ecc_key eccPublic[1]; + WC_RNG rng[1]; + byte sharedOne[32]; + byte sharedTwo[32]; + const char plainMessage[] = "The quick brown fox jumps over the lazy dog."; + byte message[sizeof(plainMessage)]; + byte signature[128]; + + /* set the message to the test string */ + strcpy((char*)message, plainMessage); + + /* initialize rng to make the ecc keys */ + ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRng_ex %d\n", ret); + goto exit; + } + + /* initialize the keys */ + ret = wc_ecc_init_ex(eccPrivate, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_ecc_init_ex %d\n", ret); + goto exit; + } + + ret = wc_ecc_init_ex(eccPublic, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_ecc_init_ex %d\n", ret); + goto exit; + } + + /* make the keys */ + ret = wc_ecc_make_key(rng, 32, eccPrivate); + if (ret != 0) { + printf("Failed to wc_ecc_make_key %d\n", ret); + goto exit; + } + + needEvictPriv = 1; + + ret = wc_ecc_make_key(rng, 32, eccPublic); + if (ret != 0) { + printf("Failed to wc_ecc_make_key %d\n", ret); + goto exit; + } + + needEvictPub = 1; + + /* generate the shared secrets */ + outLen = 32; + ret = wc_ecc_shared_secret(eccPrivate, eccPublic, (byte*)sharedOne, + (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_ecc_shared_secret %d\n", ret); + goto exit; + } + + ret = wc_ecc_shared_secret(eccPublic, eccPrivate, (byte*)sharedTwo, + (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_ecc_shared_secret %d\n", ret); + goto exit; + } + + /* compare the shared secrets */ + if (memcmp(sharedOne, sharedTwo, outLen) != 0) { + printf("ECC shared secrets don't match\n"); + ret = -1; + goto exit; + } + else { + printf("ECC shared secrets match\n"); + } + + /* sign the plaintext */ + outLen = sizeof(signature); + ret = wc_ecc_sign_hash(message, sizeof(message), (void*)signature, + (word32*)&outLen, rng, eccPrivate); + if (ret != 0) { + printf("Failed to wc_ecc_shared_secret %d\n", ret); + goto exit; + } + + /* verify the hash */ + ret = wc_ecc_verify_hash((void*)signature, outLen, (void*)message, + sizeof(message), &res, eccPrivate); + if (ret != 0) { + printf("Failed to wc_ecc_verify_hash %d\n", ret); + goto exit; + } + + if (res == 1) + printf("ECC sign/verify successful\n"); + else { + printf("ECC sign/verify failure\n"); + ret = -1; + goto exit; + } +exit: + /* free the keys */ + wc_ecc_free(eccPrivate); + wc_ecc_free(eccPublic); + /* free rng */ + (void)wc_FreeRng(rng); + /* evict the keys */ + if (needEvictPriv) { + ret = wh_Client_GetKeyIdEcc(eccPrivate, &keyId); + if (ret != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); + return ret; + } + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (needEvictPub) { + ret = wh_Client_GetKeyIdEcc(eccPublic, &keyId); + if (ret != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); + return ret; + } + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) +{ + int ret; + int res; + int keyFd; + int keySz; + whKeyId keyIdPriv1 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPub1 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPriv2 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPub2 = WOLFHSM_KEYID_ERASED; + word32 outLen; + word32 sigLen; + char privKeyFileOne[] = "../../../demo/certs/ecc-private-one.raw"; + char pubKeyFileOne[] = "../../../demo/certs/ecc-public-one.raw"; + char privKeyFileTwo[] = "../../../demo/certs/ecc-private-two.raw"; + char pubKeyFileTwo[] = "../../../demo/certs/ecc-public-two.raw"; + char keyLabel[] = "baby's first key"; + ecc_key eccPrivate[1]; + ecc_key eccPublic[1]; + WC_RNG rng[1]; + byte sharedOne[32]; + byte sharedTwo[32]; + const char plainMessage[] = "The quick brown fox jumps over the lazy dog."; + byte message[sizeof(plainMessage)]; + byte signature[128]; + uint8_t keyBuf[256]; + + /* set the message to the test string */ + strcpy((char*)message, plainMessage); + + /* initialize rng for signature signing */ + ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitRng_ex %d\n", ret); + goto exit; + } + + /* open the first private ecc key */ + ret = keyFd = open(privKeyFileOne, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", privKeyFileOne, ret); + goto exit; + } + + /* read the first private key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", privKeyFileOne, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPriv1); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the private key */ + ret = wc_ecc_init_ex(eccPrivate, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_ecc_init_ex %d\n", ret); + goto exit; + } + + /* set the curveId by size */ + ret = wc_ecc_set_curve(eccPrivate, 32, -1); + if (ret != 0) { + printf("Failed to wc_ecc_set_curve %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdEcc(eccPrivate, keyIdPriv1); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); + goto exit; + } + /* open the first public ecc key */ + ret = keyFd = open(pubKeyFileOne, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", pubKeyFileOne, ret); + goto exit; + } + + /* read the first public key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", pubKeyFileOne, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPub1); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the public key */ + ret = wc_ecc_init_ex(eccPublic, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_ecc_init_ex %d\n", ret); + goto exit; + } + + /* set the curveId by size */ + ret = wc_ecc_set_curve(eccPublic, 32, -1); + if (ret != 0) { + printf("Failed to wc_ecc_set_curve %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdEcc(eccPublic, keyIdPub1); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); + goto exit; + } + + /* generate the shared secret from the first perspective */ + outLen = 32; + ret = wc_ecc_shared_secret(eccPrivate, eccPublic, (byte*)sharedOne, + (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_ecc_shared_secret %d\n", ret); + goto exit; + } + + /* sign the plaintext with the first private key */ + sigLen = sizeof(signature); + ret = wc_ecc_sign_hash(message, sizeof(message), (void*)signature, + (word32*)&sigLen, rng, eccPrivate); + if (ret != 0) { + printf("Failed to wc_ecc_sign_hash %d\n", ret); + goto exit; + } + + /* free the key structs */ + wc_ecc_free(eccPrivate); + wc_ecc_free(eccPublic); + + /* open the second private ecc key */ + ret = keyFd = open(privKeyFileTwo, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", privKeyFileTwo, ret); + goto exit; + } + + /* read the second private key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", privKeyFileTwo, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPriv2); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the private key */ + ret = wc_ecc_init_ex(eccPrivate, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_ecc_init_ex %d\n", ret); + goto exit; + } + + /* set the curveId by size */ + ret = wc_ecc_set_curve(eccPrivate, 32, -1); + if (ret != 0) { + printf("Failed to wc_ecc_set_curve %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdEcc(eccPrivate, keyIdPriv2); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); + goto exit; + } + + /* open the second public ecc key */ + ret = keyFd = open(pubKeyFileTwo, O_RDONLY, 0); + if (ret < 0) { + printf("Failed to open %s %d\n", pubKeyFileTwo, ret); + goto exit; + } + + /* read the second public key to local buffer */ + ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); + if (ret < 0) { + printf("Failed to read %s %d\n", pubKeyFileTwo, ret); + close(keyFd); + goto exit; + } + close(keyFd); + + /* cache the key in the HSM, get HSM assigned keyId */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + strlen(keyLabel), keyBuf, keySz, &keyIdPub2); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* initialize the public key */ + ret = wc_ecc_init_ex(eccPublic, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_ecc_init_ex %d\n", ret); + goto exit; + } + + /* set the curveId by size */ + ret = wc_ecc_set_curve(eccPublic, 32, -1); + if (ret != 0) { + printf("Failed to wc_ecc_set_curve %d\n", ret); + goto exit; + } + + /* set the assigned keyId */ + ret = wh_Client_SetKeyIdEcc(eccPublic, keyIdPub2); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); + goto exit; + } + + /* generated the shared secret from the second perspective */ + ret = wc_ecc_shared_secret(eccPrivate, eccPublic, (byte*)sharedTwo, + (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_ecc_shared_secret %d\n", ret); + goto exit; + } + + /* compare the shared secrets */ + if (memcmp(sharedOne, sharedTwo, outLen) != 0) { + printf("ECC shared secrets don't match with imported keys\n"); + ret = -1; + goto exit; + } + else { + printf("ECC shared secrets match with imported keys\n"); + } + + /* verify the hash */ + ret = wc_ecc_verify_hash((void*)signature, sigLen, (void*)message, + sizeof(message), &res, eccPublic); + if (ret != 0) { + printf("Failed to wc_ecc_verify_hash %d\n", ret); + goto exit; + } + + if (res == 1) + printf("ECC sign/verify successful with imported keys\n"); + else { + printf("ECC sign/verify failure with imported keys\n"); + ret = -1; + goto exit; + } +exit: + /* free the key structs */ + wc_ecc_free(eccPrivate); + wc_ecc_free(eccPublic); + /* free rng */ + (void)wc_FreeRng(rng); + if (keyIdPriv1 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPriv1); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (keyIdPub1 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPub1); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (keyIdPriv2 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPriv2); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + if (keyIdPub2 != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPub2); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) +{ + int ret; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; + byte cipherText[16]; + byte finalText[16]; + + /* Initialize the aes struct */ + ret = wc_AesInit(aes, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_AesInit %d\n", ret); + goto exit; + } + + /* set the key on the client side */ + ret = wc_AesSetKey(aes, key, sizeof(key), NULL, AES_ENCRYPTION); + if (ret != 0) { + printf("Failed to wc_AesSetKey %d\n", ret); + goto exit; + } + + /* encrypt the plaintext */ + ret = wc_AesCbcEncrypt(aes, cipherText, plainText, sizeof(plainText)); + if (ret != 0) { + printf("Failed to wc_AesCbcEncrypt %d\n", ret); + goto exit; + } + + /* decrypt the ciphertext */ + ret = wc_AesCbcDecrypt(aes, finalText, cipherText, sizeof(plainText)); + if (ret != 0) { + printf("Failed to wc_AesCbcDecrypt %d\n", ret); + goto exit; + } + + /* compare final and plain */ + if (memcmp(plainText, finalText, sizeof(plainText)) != 0) { + printf("AES CBC doesn't match after decryption\n"); + ret = -1; + goto exit; + } + printf("AES CBC matches after decryption\n"); +exit: + return ret; +} + +int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) +{ + int ret; + int needEvict = 0; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; + byte cipherText[16]; + byte finalText[16]; + + /* Initialize the aes struct */ + ret = wc_AesInit(aes, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_AesInit %d\n", ret); + goto exit; + } + + /* cache the key on the HSM */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + sizeof(keyLabel), key, sizeof(key), &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + needEvict = 1; + + /* set the keyId on the struct */ + ret = wh_Client_SetKeyIdAes(aes, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); + goto exit; + } + + /* encrypt the plaintext */ + ret = wc_AesCbcEncrypt(aes, cipherText, plainText, sizeof(plainText)); + if (ret != 0) { + printf("Failed to wc_AesCbcEncrypt %d\n", ret); + goto exit; + } + + /* decrypt the ciphertext */ + ret = wc_AesCbcDecrypt(aes, finalText, cipherText, sizeof(plainText)); + if (ret != 0) { + printf("Failed to wc_AesCbcDecrypt %d\n", ret); + goto exit; + } + + /* compare final and plain */ + if (memcmp(plainText, finalText, sizeof(plainText)) != 0) { + printf("AES CBC doesn't match after decryption with imported key\n"); + ret = -1; + goto exit; + } + printf("AES CBC matches after decryption with imported key\n"); +exit: + if (needEvict) { + /* evict the key */ + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext) +{ + int ret; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte iv[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte authIn[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte authTag[16]; + byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; + byte cipherText[16]; + byte finalText[16]; + + /* initialize the aes struct */ + ret = wc_AesInit(aes, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_AesInit %d\n", ret); + goto exit; + } + + /* set the key and iv on the client side */ + ret = wc_AesSetKey(aes, key, sizeof(key), iv, AES_ENCRYPTION); + if (ret != 0) { + printf("Failed to wc_AesSetKey %d\n", ret); + goto exit; + } + + /* encrypt the plaintext */ + ret = wc_AesGcmEncrypt(aes, cipherText, plainText, sizeof(plainText), iv, + sizeof(iv), authTag, sizeof(authTag), authIn, + sizeof(authIn)); + if (ret != 0) { + printf("Failed to wc_AesGcmEncrypt %d\n", ret); + goto exit; + } + + /* decrypt the ciphertext */ + ret = wc_AesGcmDecrypt(aes, finalText, cipherText, sizeof(plainText), iv, + sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)); + if (ret != 0) { + printf("Failed to wc_AesGcmDecrypt %d\n", ret); + goto exit; + } + + /* compare the finaltext to the plaintext */ + if (memcmp(plainText, finalText, sizeof(plainText)) != 0) { + printf("AES GCM doesn't match after decryption\n"); + ret = -1; + goto exit; + } + printf("AES GCM matches after decryption\n"); +exit: + return ret; +} + +int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) +{ + int ret; + int needEvict = 0; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + byte iv[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte authIn[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte authTag[16]; + byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; + byte cipherText[16]; + byte finalText[16]; + + /* initialize the aes struct */ + ret = wc_AesInit(aes, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_AesInit %d\n", ret); + goto exit; + } + + /* cache the key on the HSM */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + sizeof(keyLabel), key, sizeof(key), &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + needEvict = 1; + + /* set the keyId on the struct */ + ret = wh_Client_SetKeyIdAes(aes, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); + goto exit; + } + + /* set the iv */ + ret = wc_AesSetIV(aes, iv); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* encrypt the plaintext */ + ret = wc_AesGcmEncrypt(aes, cipherText, plainText, sizeof(plainText), iv, + sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)); + if (ret != 0) { + printf("Failed to wc_AesGcmEncrypt %d\n", ret); + goto exit; + } + + /* decrypt the ciphertext */ + ret = wc_AesGcmDecrypt(aes, finalText, cipherText, sizeof(plainText), iv, + sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)); + if (ret != 0) { + printf("Failed to wc_AesGcmDecrypt %d\n", ret); + goto exit; + } + + /* compare plaintext and finaltext */ + if (memcmp(plainText, finalText, sizeof(plainText)) != 0) { + printf("AES GCM doesn't match after decryption with imported keys\n"); + ret = -1; + goto exit; + } + printf("AES GCM matches after decryption with imported keys\n"); +exit: + if (needEvict) { + /* evict the key from the cache */ + ret = wh_Client_KeyEvict(clientContext, keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", ret); + } + } + return ret; +} + +int wh_DemoClient_CryptoCmac(whClientContext* clientContext) +{ + int ret; + word32 outLen; + Cmac cmac[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char message[] = "hash and verify me!"; + byte tag[16]; + + /* initialize the cmac struct and set the key */ + ret = wc_InitCmac_ex(cmac, key, sizeof(key), WC_CMAC_AES, + NULL, NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitCmac_ex %d\n", ret); + goto exit; + } + + /* hash the message */ + ret = wc_CmacUpdate(cmac, (byte*)message, strlen(message)); + if (ret != 0) { + printf("Failed to wc_CmacUpdate %d\n", ret); + goto exit; + } + + /* get the cmac tag */ + outLen = sizeof(tag); + ret = wc_CmacFinal(cmac, tag, &outLen); + if (ret != 0) { + printf("Failed to wc_CmacFinal %d\n", ret); + goto exit; + } + + /* verify the tag */ + ret = wc_AesCmacVerify_ex(cmac, tag, sizeof(tag), (byte*)message, + strlen(message), key, sizeof(key), NULL, WOLFHSM_DEV_ID); + if (ret != 0) { + printf("CMAC hash and verify failed %d\n", ret); + goto exit; + } + + printf("CMAC hash and verify succeeded\n"); +exit: + (void)wc_CmacFree(cmac); + return ret; +} + +int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) +{ + int ret; + int needEvict = 0; + word32 outLen; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + Cmac cmac[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + char message[] = "hash and verify me!"; + byte tag[16]; + + /* initialize the cmac struct */ + ret = wc_InitCmac_ex(cmac, NULL, 0, WC_CMAC_AES, NULL, NULL, + WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitCmac_ex %d\n", ret); + goto exit; + } + + /* cache the key on the HSM */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + sizeof(keyLabel), key, sizeof(key), &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + needEvict = 1; + + /* set the keyId on the struct */ + ret = wh_Client_SetKeyIdCmac(cmac, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); + goto exit; + } + + /* hash the message */ + ret = wc_CmacUpdate(cmac, (byte*)message, strlen(message)); + if (ret != 0) { + printf("Failed to wc_CmacUpdate %d\n", ret); + goto exit; + } + + /* get the cmac tag */ + outLen = sizeof(tag); + ret = wc_CmacFinal(cmac, tag, &outLen); + if (ret != 0) { + printf("Failed to wc_CmacFinal %d\n", ret); + goto exit; + } + + /* cache the key on the HSM again, cmac keys are evicted after wc_CmacFinal + * is called */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + sizeof(keyLabel), key, sizeof(key), &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + needEvict = 1; + + /* set the keyId on the struct */ + ret = wh_Client_SetKeyIdCmac(cmac, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); + goto exit; + } + + /* verify the tag, note that for pre-cached keys we need to use the special + * wolfHSM functions wh_Client_AesCmacGenerate and wh_Client_AesCmacVerify + * when doing oneshot cmac generation or oneshot verifition, manual steps + * can be done as above */ + ret = wh_Client_AesCmacVerify(cmac, tag, sizeof(tag), (byte*)message, + strlen(message), keyId, NULL); + if (ret != 0) { + printf("CMAC hash and verify failed with imported key %d\n", ret); + goto exit; + } + + printf("CMAC hash and verify succeeded with imported key\n"); +exit: + (void)wc_CmacFree(cmac); + return ret; +} diff --git a/demo/client/wh_demo_client_crypto.h b/demo/client/wh_demo_client_crypto.h index 6e4bfc1..bc9a077 100644 --- a/demo/client/wh_demo_client_crypto.h +++ b/demo/client/wh_demo_client_crypto.h @@ -2,6 +2,17 @@ #define CLIENT_CRYPTO_H_ #include "wolfhsm/wh_client.h" -int wh_DemoClient_Crypto(whClientContext* clientContext); +int wh_DemoClient_CryptoRsa(whClientContext* clientContext); +int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext); +int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext); +int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext); +int wh_DemoClient_CryptoEcc(whClientContext* clientContext); +int wh_DemoClient_CryptoEccImport(whClientContext* clientContext); +int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext); +int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext); +int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext); +int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext); +int wh_DemoClient_CryptoCmac(whClientContext* clientContext); +int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext); -#endif /* CLIENT_CRYPTO_H_ */ \ No newline at end of file +#endif /* CLIENT_CRYPTO_H_ */ diff --git a/demo/client/wh_demo_client_keystore.c b/demo/client/wh_demo_client_keystore.c index bb1b2e1..b2dc482 100644 --- a/demo/client/wh_demo_client_keystore.c +++ b/demo/client/wh_demo_client_keystore.c @@ -163,7 +163,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } /* set AES context to use the cached key */ - ret = wh_Client_SetKeyAes(&aes, keyId); + ret = wh_Client_SetKeyIdAes(&aes, keyId); if (ret != 0) { printf("Failed to set key: %d\n", ret); return ret; @@ -216,7 +216,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) printf("Failed to initialize AES: %d\n", ret); return ret; } - ret = wh_Client_SetKeyAes(&aes, keyId); + ret = wh_Client_SetKeyIdAes(&aes, keyId); if (ret != 0) { printf("Failed to set key: %d\n", ret); return ret; @@ -252,7 +252,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } /* Key was erased, so should be unusable */ - (void)wh_Client_SetKeyAes(&aes, keyId); + (void)wh_Client_SetKeyIdAes(&aes, keyId); ret = wc_AesCbcEncrypt(&aes, cipherText, plainText, sizeof(plainText)); if (ret != WH_ERROR_NOTFOUND) { printf("Key should not be found: instead got %d\n", ret); diff --git a/demo/client/wh_demo_client_nvm.c b/demo/client/wh_demo_client_nvm.c index 63f4422..fa1e01a 100644 --- a/demo/client/wh_demo_client_nvm.c +++ b/demo/client/wh_demo_client_nvm.c @@ -98,8 +98,7 @@ int wh_DemoClient_Nvm(whClientContext* clientContext) availSize, availObjects, reclaimSize, reclaimObjects); /* Delete one object */ - rc = wh_Client_NvmDestroyObjects(clientContext, 1, objectIds, 0, NULL, - &serverRc); + rc = wh_Client_NvmDestroyObjects(clientContext, 1, objectIds, &serverRc); if (rc != 0 || serverRc != 0) { printf("Delete Objects failed with error code: %d, server error code: " "%d\n", @@ -110,7 +109,7 @@ int wh_DemoClient_Nvm(whClientContext* clientContext) /* Delete multiple objects */ rc = wh_Client_NvmDestroyObjects(clientContext, NUM_OBJECTS - 1, - &objectIds[1], 0, NULL, &serverRc); + &objectIds[1], &serverRc); if (rc != 0 || serverRc != 0) { printf("Delete Objects failed with error code: %d, server error code: " "%d\n", @@ -121,7 +120,7 @@ int wh_DemoClient_Nvm(whClientContext* clientContext) /* Reclaim space */ rc = - wh_Client_NvmDestroyObjects(clientContext, 0, NULL, 0, NULL, &serverRc); + wh_Client_NvmDestroyObjects(clientContext, 0, NULL, &serverRc); if (rc != 0 || serverRc != 0) { printf("Reclaim Objects failed with error code: %d, server error code: " "%d\n", diff --git a/posix/tcp/wh_client_tcp/Makefile b/posix/tcp/wh_client_tcp/Makefile index 0c01e85..0e69315 100644 --- a/posix/tcp/wh_client_tcp/Makefile +++ b/posix/tcp/wh_client_tcp/Makefile @@ -77,6 +77,7 @@ SRC_C += \ $(WOLFHSM_DIR)/src/wh_client.c \ $(WOLFHSM_DIR)/src/wh_client_nvm.c \ $(WOLFHSM_DIR)/src/wh_client_cryptocb.c \ + $(WOLFHSM_DIR)/src/wh_utils.c \ $(WOLFHSM_DIR)/src/wh_comm.c \ $(WOLFHSM_DIR)/src/wh_message_comm.c \ $(WOLFHSM_DIR)/src/wh_message_nvm.c \ @@ -88,6 +89,7 @@ SRC_C += $(WOLFHSM_DIR)/port/posix/posix_transport_tcp.c # Demo client code SRC_C += $(WOLFHSM_CLIENT_DEMO_DIR)/wh_demo_client_nvm.c \ $(WOLFHSM_CLIENT_DEMO_DIR)/wh_demo_client_keystore.c \ + $(WOLFHSM_CLIENT_DEMO_DIR)/wh_demo_client_crypto.c \ $(WOLFHSM_CLIENT_DEMO_DIR)/wh_demo_client_all.c # APP diff --git a/posix/tcp/wh_client_tcp/user_settings.h b/posix/tcp/wh_client_tcp/user_settings.h index a3ec4a0..07cd05f 100644 --- a/posix/tcp/wh_client_tcp/user_settings.h +++ b/posix/tcp/wh_client_tcp/user_settings.h @@ -4,6 +4,7 @@ /* Common configuration */ #define WOLFCRYPT_ONLY +#define WOLFSSL_KEY_GEN //#define BIG_ENDIAN_ORDER #define WOLF_CRYPTO_CB //#define WOLFSSL_KEY_GEN @@ -47,8 +48,8 @@ #define FP_MAX_BITS 4096 /* ECC Options */ -//#define HAVE_ECC -#define NO_ECC +#define HAVE_ECC +//#define NO_ECC #define TFM_ECC256 #define ECC_SHAMIR #define HAVE_SUPPORTED_CURVES diff --git a/posix/tcp/wh_client_tcp/wh_client_tcp.c b/posix/tcp/wh_client_tcp/wh_client_tcp.c index 4a2d707..0369cc3 100644 --- a/posix/tcp/wh_client_tcp/wh_client_tcp.c +++ b/posix/tcp/wh_client_tcp/wh_client_tcp.c @@ -128,6 +128,3 @@ int main(int argc, char** argv) return 0; } - - - diff --git a/posix/tcp/wh_server_tcp/Makefile b/posix/tcp/wh_server_tcp/Makefile index c864df1..68cceb8 100644 --- a/posix/tcp/wh_server_tcp/Makefile +++ b/posix/tcp/wh_server_tcp/Makefile @@ -80,6 +80,7 @@ SRC_C += \ $(WOLFHSM_DIR)/src/wh_server_keystore.c \ $(WOLFHSM_DIR)/src/wh_server_counter.c \ $(WOLFHSM_DIR)/src/wh_nvm.c \ + $(WOLFHSM_DIR)/src/wh_utils.c \ $(WOLFHSM_DIR)/src/wh_comm.c \ $(WOLFHSM_DIR)/src/wh_message_comm.c \ $(WOLFHSM_DIR)/src/wh_message_nvm.c \ diff --git a/posix/tcp/wh_server_tcp/user_settings.h b/posix/tcp/wh_server_tcp/user_settings.h index 7f420c1..0daaf7b 100644 --- a/posix/tcp/wh_server_tcp/user_settings.h +++ b/posix/tcp/wh_server_tcp/user_settings.h @@ -46,8 +46,8 @@ #define FP_MAX_BITS 4096 /* ECC Options */ -//#define HAVE_ECC -#define NO_ECC +#define HAVE_ECC +//#define NO_ECC #define TFM_ECC256 #define ECC_SHAMIR #define HAVE_SUPPORTED_CURVES diff --git a/posix/tcp/wh_server_tcp/wh_server_tcp.c b/posix/tcp/wh_server_tcp/wh_server_tcp.c index ca78a06..a2a6373 100644 --- a/posix/tcp/wh_server_tcp/wh_server_tcp.c +++ b/posix/tcp/wh_server_tcp/wh_server_tcp.c @@ -121,6 +121,7 @@ int main(int argc, char** argv) .comm_config = cs_conf, .nvm = nvm, .crypto = crypto, + .devId = INVALID_DEVID, }}; rc = wh_Nvm_Init(nvm, n_conf); @@ -129,10 +130,13 @@ int main(int argc, char** argv) return rc; } + rc = wc_InitRng_ex(crypto->rng, NULL, crypto->devId); + if (rc != 0) { + printf("Failed to wc_InitRng_ex: %d\n", rc); + return rc; + } + wh_ServerTask(s_conf); return 0; } - - - From 7faf60c1026c6f1b1559cf5489c60d15aa46abe4 Mon Sep 17 00:00:00 2001 From: John Bland Date: Mon, 22 Jul 2024 17:08:56 -0400 Subject: [PATCH 2/3] update based on PR comments --- ...e-two.raw => curve25519-private-alice.raw} | 0 ...ate-one.raw => curve25519-private-bob.raw} | 0 ...ic-one.raw => curve25519-public-alice.raw} | 0 ...blic-two.raw => curve25519-public-bob.raw} | 0 ...-private-two.raw => ecc-private-alice.raw} | Bin ...cc-private-one.raw => ecc-private-bob.raw} | 0 ...cc-public-one.raw => ecc-public-alice.raw} | 0 ...{ecc-public-two.raw => ecc-public-bob.raw} | 0 demo/client/wh_demo_client_crypto.c | 155 +++++++++--------- posix/tcp/wh_client_tcp/user_settings.h | 1 - posix/tcp/wh_server_tcp/user_settings.h | 1 - 11 files changed, 77 insertions(+), 80 deletions(-) rename demo/certs/{curve25519-private-two.raw => curve25519-private-alice.raw} (100%) rename demo/certs/{curve25519-private-one.raw => curve25519-private-bob.raw} (100%) rename demo/certs/{curve25519-public-one.raw => curve25519-public-alice.raw} (100%) rename demo/certs/{curve25519-public-two.raw => curve25519-public-bob.raw} (100%) rename demo/certs/{ecc-private-two.raw => ecc-private-alice.raw} (100%) rename demo/certs/{ecc-private-one.raw => ecc-private-bob.raw} (100%) rename demo/certs/{ecc-public-one.raw => ecc-public-alice.raw} (100%) rename demo/certs/{ecc-public-two.raw => ecc-public-bob.raw} (100%) diff --git a/demo/certs/curve25519-private-two.raw b/demo/certs/curve25519-private-alice.raw similarity index 100% rename from demo/certs/curve25519-private-two.raw rename to demo/certs/curve25519-private-alice.raw diff --git a/demo/certs/curve25519-private-one.raw b/demo/certs/curve25519-private-bob.raw similarity index 100% rename from demo/certs/curve25519-private-one.raw rename to demo/certs/curve25519-private-bob.raw diff --git a/demo/certs/curve25519-public-one.raw b/demo/certs/curve25519-public-alice.raw similarity index 100% rename from demo/certs/curve25519-public-one.raw rename to demo/certs/curve25519-public-alice.raw diff --git a/demo/certs/curve25519-public-two.raw b/demo/certs/curve25519-public-bob.raw similarity index 100% rename from demo/certs/curve25519-public-two.raw rename to demo/certs/curve25519-public-bob.raw diff --git a/demo/certs/ecc-private-two.raw b/demo/certs/ecc-private-alice.raw similarity index 100% rename from demo/certs/ecc-private-two.raw rename to demo/certs/ecc-private-alice.raw diff --git a/demo/certs/ecc-private-one.raw b/demo/certs/ecc-private-bob.raw similarity index 100% rename from demo/certs/ecc-private-one.raw rename to demo/certs/ecc-private-bob.raw diff --git a/demo/certs/ecc-public-one.raw b/demo/certs/ecc-public-alice.raw similarity index 100% rename from demo/certs/ecc-public-one.raw rename to demo/certs/ecc-public-alice.raw diff --git a/demo/certs/ecc-public-two.raw b/demo/certs/ecc-public-bob.raw similarity index 100% rename from demo/certs/ecc-public-two.raw rename to demo/certs/ecc-public-bob.raw diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index b3952b2..4f313b7 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -193,7 +193,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) curve25519_key curve25519PublicKey[1]; WC_RNG rng[1]; - /* initialize rng to make the cruve25516 keys */ + /* initialize rng to make the cruve25519 keys */ ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); if (ret != 0) { printf("Failed to wc_InitRng_ex %d\n", ret); @@ -290,15 +290,14 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) int keyFd; int keySz; word32 outLen; - whKeyId keyIdPriv1 = WOLFHSM_KEYID_ERASED; - whKeyId keyIdPub1 = WOLFHSM_KEYID_ERASED; - whKeyId keyIdPriv2 = WOLFHSM_KEYID_ERASED; - whKeyId keyIdPub2 = WOLFHSM_KEYID_ERASED; - /* public-two is the public part of private-one, same for the *-two keys */ - char privKeyFileOne[] = "../../../demo/certs/curve25519-private-one.raw"; - char pubKeyFileOne[] = "../../../demo/certs/curve25519-public-one.raw"; - char privKeyFileTwo[] = "../../../demo/certs/curve25519-private-two.raw"; - char pubKeyFileTwo[] = "../../../demo/certs/curve25519-public-two.raw"; + whKeyId keyIdPrivBob = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPubAlice = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPrivAlice = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPubBob = WOLFHSM_KEYID_ERASED; + char privKeyFileBob[] = "../../../demo/certs/curve25519-private-bob.raw"; + char pubKeyFileAlice[] = "../../../demo/certs/curve25519-public-alice.raw"; + char privKeyFileAlice[] = "../../../demo/certs/curve25519-private-alice.raw"; + char pubKeyFileBob[] = "../../../demo/certs/curve25519-public-bob.raw"; char keyLabel[] = "baby's first key"; uint8_t keyBuf[256]; uint8_t sharedOne[CURVE25519_KEYSIZE]; @@ -306,17 +305,17 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) curve25519_key curve25519PrivateKey[1]; curve25519_key curve25519PublicKey[1]; - /* open the first private curve25516 key */ - ret = keyFd = open(privKeyFileOne, O_RDONLY, 0); + /* open the first private curve25519 key */ + ret = keyFd = open(privKeyFileBob, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", privKeyFileOne, ret); + printf("Failed to open %s %d\n", privKeyFileBob, ret); goto exit; } /* read the first private key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", privKeyFileOne, ret); + printf("Failed to read %s %d\n", privKeyFileBob, ret); close(keyFd); goto exit; } @@ -324,7 +323,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPriv1); + strlen(keyLabel), keyBuf, keySz, &keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -338,23 +337,23 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPriv1); + ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; } - /* open the first public curve25516 key */ - ret = keyFd = open(pubKeyFileOne, O_RDONLY, 0); + /* open the first public curve25519 key */ + ret = keyFd = open(pubKeyFileAlice, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", pubKeyFileOne, ret); + printf("Failed to open %s %d\n", pubKeyFileAlice, ret); goto exit; } /* read the first public key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", pubKeyFileOne, ret); + printf("Failed to read %s %d\n", pubKeyFileAlice, ret); close(keyFd); goto exit; } @@ -362,7 +361,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPub1); + strlen(keyLabel), keyBuf, keySz, &keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -376,7 +375,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPub1); + ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; @@ -395,17 +394,17 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) wc_curve25519_free(curve25519PrivateKey); wc_curve25519_free(curve25519PublicKey); - /* open the second private curve25516 key */ - ret = keyFd = open(privKeyFileTwo, O_RDONLY, 0); + /* open the second private curve25519 key */ + ret = keyFd = open(privKeyFileAlice, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", privKeyFileTwo, ret); + printf("Failed to open %s %d\n", privKeyFileAlice, ret); goto exit; } /* read the second private key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", privKeyFileTwo, ret); + printf("Failed to read %s %d\n", privKeyFileAlice, ret); close(keyFd); goto exit; } @@ -413,7 +412,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPriv2); + strlen(keyLabel), keyBuf, keySz, &keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -427,23 +426,23 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPriv2); + ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; } - /* open the second public curve25516 key */ - ret = keyFd = open(pubKeyFileTwo, O_RDONLY, 0); + /* open the second public curve25519 key */ + ret = keyFd = open(pubKeyFileBob, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", pubKeyFileTwo, ret); + printf("Failed to open %s %d\n", pubKeyFileBob, ret); goto exit; } /* read the second public key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", pubKeyFileTwo, ret); + printf("Failed to read %s %d\n", pubKeyFileBob, ret); close(keyFd); goto exit; } @@ -451,7 +450,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPub2); + strlen(keyLabel), keyBuf, keySz, &keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -465,7 +464,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPub2); + ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; @@ -493,26 +492,26 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) wc_curve25519_free(curve25519PrivateKey); wc_curve25519_free(curve25519PublicKey); - if (keyIdPriv1 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPriv1); + if (keyIdPrivBob != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPub1 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPub1); + if (keyIdPubAlice != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPriv2 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPriv2); + if (keyIdPrivAlice != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPub2 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPub2); + if (keyIdPubBob != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } @@ -665,16 +664,16 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) int res; int keyFd; int keySz; - whKeyId keyIdPriv1 = WOLFHSM_KEYID_ERASED; - whKeyId keyIdPub1 = WOLFHSM_KEYID_ERASED; - whKeyId keyIdPriv2 = WOLFHSM_KEYID_ERASED; - whKeyId keyIdPub2 = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPrivBob = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPubAlice = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPrivAlice = WOLFHSM_KEYID_ERASED; + whKeyId keyIdPubBob = WOLFHSM_KEYID_ERASED; word32 outLen; word32 sigLen; - char privKeyFileOne[] = "../../../demo/certs/ecc-private-one.raw"; - char pubKeyFileOne[] = "../../../demo/certs/ecc-public-one.raw"; - char privKeyFileTwo[] = "../../../demo/certs/ecc-private-two.raw"; - char pubKeyFileTwo[] = "../../../demo/certs/ecc-public-two.raw"; + char privKeyFileBob[] = "../../../demo/certs/ecc-private-bob.raw"; + char pubKeyFileAlice[] = "../../../demo/certs/ecc-public-alice.raw"; + char privKeyFileAlice[] = "../../../demo/certs/ecc-private-alice.raw"; + char pubKeyFileBob[] = "../../../demo/certs/ecc-public-bob.raw"; char keyLabel[] = "baby's first key"; ecc_key eccPrivate[1]; ecc_key eccPublic[1]; @@ -697,16 +696,16 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) } /* open the first private ecc key */ - ret = keyFd = open(privKeyFileOne, O_RDONLY, 0); + ret = keyFd = open(privKeyFileBob, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", privKeyFileOne, ret); + printf("Failed to open %s %d\n", privKeyFileBob, ret); goto exit; } /* read the first private key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", privKeyFileOne, ret); + printf("Failed to read %s %d\n", privKeyFileBob, ret); close(keyFd); goto exit; } @@ -714,7 +713,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPriv1); + strlen(keyLabel), keyBuf, keySz, &keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -735,22 +734,22 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdEcc(eccPrivate, keyIdPriv1); + ret = wh_Client_SetKeyIdEcc(eccPrivate, keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); goto exit; } /* open the first public ecc key */ - ret = keyFd = open(pubKeyFileOne, O_RDONLY, 0); + ret = keyFd = open(pubKeyFileAlice, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", pubKeyFileOne, ret); + printf("Failed to open %s %d\n", pubKeyFileAlice, ret); goto exit; } /* read the first public key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", pubKeyFileOne, ret); + printf("Failed to read %s %d\n", pubKeyFileAlice, ret); close(keyFd); goto exit; } @@ -758,7 +757,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPub1); + strlen(keyLabel), keyBuf, keySz, &keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -779,7 +778,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdEcc(eccPublic, keyIdPub1); + ret = wh_Client_SetKeyIdEcc(eccPublic, keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); goto exit; @@ -808,16 +807,16 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) wc_ecc_free(eccPublic); /* open the second private ecc key */ - ret = keyFd = open(privKeyFileTwo, O_RDONLY, 0); + ret = keyFd = open(privKeyFileAlice, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", privKeyFileTwo, ret); + printf("Failed to open %s %d\n", privKeyFileAlice, ret); goto exit; } /* read the second private key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", privKeyFileTwo, ret); + printf("Failed to read %s %d\n", privKeyFileAlice, ret); close(keyFd); goto exit; } @@ -825,7 +824,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPriv2); + strlen(keyLabel), keyBuf, keySz, &keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -846,23 +845,23 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdEcc(eccPrivate, keyIdPriv2); + ret = wh_Client_SetKeyIdEcc(eccPrivate, keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); goto exit; } /* open the second public ecc key */ - ret = keyFd = open(pubKeyFileTwo, O_RDONLY, 0); + ret = keyFd = open(pubKeyFileBob, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", pubKeyFileTwo, ret); + printf("Failed to open %s %d\n", pubKeyFileBob, ret); goto exit; } /* read the second public key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", pubKeyFileTwo, ret); + printf("Failed to read %s %d\n", pubKeyFileBob, ret); close(keyFd); goto exit; } @@ -870,7 +869,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPub2); + strlen(keyLabel), keyBuf, keySz, &keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -891,7 +890,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdEcc(eccPublic, keyIdPub2); + ret = wh_Client_SetKeyIdEcc(eccPublic, keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdEcc %d\n", ret); goto exit; @@ -936,26 +935,26 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) wc_ecc_free(eccPublic); /* free rng */ (void)wc_FreeRng(rng); - if (keyIdPriv1 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPriv1); + if (keyIdPrivBob != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPub1 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPub1); + if (keyIdPubAlice != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPriv2 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPriv2); + if (keyIdPrivAlice != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPub2 != WOLFHSM_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPub2); + if (keyIdPubBob != WOLFHSM_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } diff --git a/posix/tcp/wh_client_tcp/user_settings.h b/posix/tcp/wh_client_tcp/user_settings.h index 07cd05f..30ec261 100644 --- a/posix/tcp/wh_client_tcp/user_settings.h +++ b/posix/tcp/wh_client_tcp/user_settings.h @@ -49,7 +49,6 @@ /* ECC Options */ #define HAVE_ECC -//#define NO_ECC #define TFM_ECC256 #define ECC_SHAMIR #define HAVE_SUPPORTED_CURVES diff --git a/posix/tcp/wh_server_tcp/user_settings.h b/posix/tcp/wh_server_tcp/user_settings.h index 0daaf7b..07d982b 100644 --- a/posix/tcp/wh_server_tcp/user_settings.h +++ b/posix/tcp/wh_server_tcp/user_settings.h @@ -47,7 +47,6 @@ /* ECC Options */ #define HAVE_ECC -//#define NO_ECC #define TFM_ECC256 #define ECC_SHAMIR #define HAVE_SUPPORTED_CURVES From 2709119a4344f0fccf1d7fca7151d060918d8ed9 Mon Sep 17 00:00:00 2001 From: John Bland Date: Mon, 22 Jul 2024 18:17:23 -0400 Subject: [PATCH 3/3] add cached oneshot examples for CMAC --- demo/client/wh_demo_client_all.c | 5 ++ demo/client/wh_demo_client_crypto.c | 91 +++++++++++++++++++++++++---- demo/client/wh_demo_client_crypto.h | 1 + 3 files changed, 85 insertions(+), 12 deletions(-) diff --git a/demo/client/wh_demo_client_all.c b/demo/client/wh_demo_client_all.c index 47f77a9..dc61ca0 100644 --- a/demo/client/wh_demo_client_all.c +++ b/demo/client/wh_demo_client_all.c @@ -87,5 +87,10 @@ int wh_DemoClient_All(whClientContext* clientContext) return rc; } + rc = wh_DemoClient_CryptoCmacOneshotImport(clientContext); + if (rc != 0) { + return rc; + } + return rc; } diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 4f313b7..56fc090 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -193,7 +193,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) curve25519_key curve25519PublicKey[1]; WC_RNG rng[1]; - /* initialize rng to make the cruve25519 keys */ + /* initialize rng to make the curve25519 keys */ ret = wc_InitRng_ex(rng, NULL, WOLFHSM_DEV_ID); if (ret != 0) { printf("Failed to wc_InitRng_ex %d\n", ret); @@ -1261,7 +1261,6 @@ int wh_DemoClient_CryptoCmac(whClientContext* clientContext) int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) { int ret; - int needEvict = 0; word32 outLen; whKeyId keyId = WOLFHSM_KEYID_ERASED; Cmac cmac[1]; @@ -1286,8 +1285,6 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) goto exit; } - needEvict = 1; - /* set the keyId on the struct */ ret = wh_Client_SetKeyIdCmac(cmac, keyId); if (ret != 0) { @@ -1310,8 +1307,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) goto exit; } - /* cache the key on the HSM again, cmac keys are evicted after wc_CmacFinal - * is called */ + /* cache the key on the HSM */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { @@ -1319,8 +1315,6 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) goto exit; } - needEvict = 1; - /* set the keyId on the struct */ ret = wh_Client_SetKeyIdCmac(cmac, keyId); if (ret != 0) { @@ -1328,10 +1322,8 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) goto exit; } - /* verify the tag, note that for pre-cached keys we need to use the special - * wolfHSM functions wh_Client_AesCmacGenerate and wh_Client_AesCmacVerify - * when doing oneshot cmac generation or oneshot verifition, manual steps - * can be done as above */ + /* verify the cmac tag using the special HSM oneshot function + * wh_Client_AesCmacVerify which is required for pre cached keys */ ret = wh_Client_AesCmacVerify(cmac, tag, sizeof(tag), (byte*)message, strlen(message), keyId, NULL); if (ret != 0) { @@ -1344,3 +1336,78 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) (void)wc_CmacFree(cmac); return ret; } + +int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) +{ + int ret; + word32 outLen; + whKeyId keyId = WOLFHSM_KEYID_ERASED; + Cmac cmac[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + char message[] = "hash and verify me!"; + byte tag[16]; + + /* initialize the cmac struct */ + ret = wc_InitCmac_ex(cmac, NULL, 0, WC_CMAC_AES, NULL, NULL, + WOLFHSM_DEV_ID); + if (ret != 0) { + printf("Failed to wc_InitCmac_ex %d\n", ret); + goto exit; + } + + /* cache the key on the HSM */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + sizeof(keyLabel), key, sizeof(key), &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* set the keyId on the struct */ + ret = wh_Client_SetKeyIdCmac(cmac, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); + goto exit; + } + + /* generate the cmac tag using the special HSM wh_Client_AesCmacGenerate + * function which is required for pre cached keys */ + outLen = sizeof(tag); + ret = wh_Client_AesCmacGenerate(cmac, tag, &outLen, (byte*)message, + sizeof(message), keyId, NULL); + if (ret != 0) { + printf("Failed to wh_Client_AesCmacGenerate %d\n", ret); + goto exit; + } + + /* cache the key on the HSM again, cmac keys are evicted after wc_CmacFinal + * is called */ + ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, + sizeof(keyLabel), key, sizeof(key), &keyId); + if (ret != 0) { + printf("Failed to wh_Client_KeyCache %d\n", ret); + goto exit; + } + + /* set the keyId on the struct */ + ret = wh_Client_SetKeyIdCmac(cmac, keyId); + if (ret != 0) { + printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); + goto exit; + } + + /* verify the cmac tag using the special HSM oneshot function + * wh_Client_AesCmacVerify which is required for pre cached keys */ + ret = wh_Client_AesCmacVerify(cmac, tag, sizeof(tag), (byte*)message, + sizeof(message), keyId, NULL); + if (ret != 0) { + printf("CMAC hash and verify oneshot failed with imported key %d\n", ret); + goto exit; + } + + printf("CMAC hash and verify oneshot succeeded with imported key\n"); +exit: + (void)wc_CmacFree(cmac); + return ret; +} diff --git a/demo/client/wh_demo_client_crypto.h b/demo/client/wh_demo_client_crypto.h index bc9a077..898496b 100644 --- a/demo/client/wh_demo_client_crypto.h +++ b/demo/client/wh_demo_client_crypto.h @@ -14,5 +14,6 @@ int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext); int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext); int wh_DemoClient_CryptoCmac(whClientContext* clientContext); int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext); +int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext); #endif /* CLIENT_CRYPTO_H_ */