Skip to content

Commit 04b199f

Browse files
bigbrettbigbrett
authored
Key usage policies (#233)
* Add key usage policies and enforcement for cryptographic operations * relax NULL checks in freshen key and helper function to support optional output arguments
1 parent 3f08169 commit 04b199f

20 files changed

+1069
-205
lines changed

benchmark/bench_modules/wh_bench_mod_aes.c

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -71,8 +71,8 @@ static int _benchAesCtr(whClientContext* client, whBenchOpContext* ctx, int id,
7171
}
7272

7373
/* cache the key on the HSM */
74-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
75-
(uint8_t*)key, keyLen, &keyId);
74+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
75+
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
7676
if (ret != 0) {
7777
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
7878
goto exit;
@@ -204,8 +204,8 @@ static int _benchAesEcb(whClientContext* client, whBenchOpContext* ctx, int id,
204204
}
205205

206206
/* cache the key on the HSM */
207-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
208-
(uint8_t*)key, keyLen, &keyId);
207+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
208+
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
209209
if (ret != 0) {
210210
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
211211
goto exit;
@@ -337,8 +337,8 @@ static int _benchAesCbc(whClientContext* client, whBenchOpContext* ctx, int id,
337337
}
338338

339339
/* cache the key on the HSM */
340-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
341-
(uint8_t*)key, keyLen, &keyId);
340+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
341+
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
342342
if (ret != 0) {
343343
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
344344
goto exit;
@@ -503,8 +503,8 @@ static int _benchAesGcmDma(whClientContext* client, whBenchOpContext* ctx,
503503
}
504504

505505
/* cache the key on the HSM */
506-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
507-
(uint8_t*)key, keyLen, &keyId);
506+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
507+
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
508508
if (ret != 0) {
509509
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
510510
goto exit;
@@ -635,8 +635,8 @@ static int _benchAesGcm(whClientContext* client, whBenchOpContext* ctx, int id,
635635
}
636636

637637
/* cache the key on the HSM */
638-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
639-
(uint8_t*)key, keyLen, &keyId);
638+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
639+
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
640640
if (ret != 0) {
641641
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
642642
goto exit;

benchmark/bench_modules/wh_bench_mod_cmac.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -55,8 +55,8 @@ int _benchCmacAes(whClientContext* client, whBenchOpContext* ctx, int id,
5555
uint8_t* out = NULL;
5656

5757
/* cache the key on the HSM */
58-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
59-
(uint8_t*)key, keyLen, &keyId);
58+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
59+
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
6060
if (ret != 0) {
6161
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
6262
return ret;

benchmark/bench_modules/wh_bench_mod_curve25519.c

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -141,16 +141,18 @@ int wh_Bench_Mod_Curve25519SharedSecret(whClientContext* client,
141141
char keyLabel[] = "bench-key";
142142

143143
/* Cache Alice's key in the HSM */
144-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
145-
key1_der, sizeof(key1_der), &keyIdAlice);
144+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
145+
strlen(keyLabel), key1_der, sizeof(key1_der),
146+
&keyIdAlice);
146147
if (ret != 0) {
147148
WH_BENCH_PRINTF("Failed to cache Alice's key %d\n", ret);
148149
return ret;
149150
}
150151

151152
/* Cache Bob's key in the HSM */
152-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
153-
key2_der, sizeof(key2_der), &keyIdBob);
153+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
154+
strlen(keyLabel), key2_der, sizeof(key2_der),
155+
&keyIdBob);
154156
if (ret != 0) {
155157
WH_BENCH_PRINTF("Failed to cache Bob's key %d\n", ret);
156158
wh_Client_KeyEvict(client, keyIdAlice);

benchmark/bench_modules/wh_bench_mod_ecc.c

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -86,8 +86,8 @@ int _benchEccSign(whClientContext* client, whBenchOpContext* ctx, int id,
8686
initialized_rng = 1;
8787

8888
/* Cache key in the HSM */
89-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
90-
(uint8_t*)key, keyLen, &keyId);
89+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
90+
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
9191
if (ret != 0) {
9292
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
9393
goto exit;
@@ -197,8 +197,8 @@ int _benchEccVerify(whClientContext* client, whBenchOpContext* ctx, int id,
197197
initialized_rng = 1;
198198

199199
/* Cache the key in the HSM */
200-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
201-
(uint8_t*)key, keyLen, &keyId);
200+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
201+
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
202202
if (ret != 0) {
203203
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
204204
goto exit;
@@ -392,16 +392,18 @@ int _benchEccEcdh(whClientContext* client, whBenchOpContext* ctx, int id,
392392
initialized_rng = 1;
393393

394394
/* Cache Alice's key in the HSM */
395-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
396-
(uint8_t*)aliceKeyData, aliceKeyLen, &keyIdAlice);
395+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
396+
strlen(keyLabel), (uint8_t*)aliceKeyData,
397+
aliceKeyLen, &keyIdAlice);
397398
if (ret != 0) {
398399
WH_BENCH_PRINTF("Failed to cache Alice's key %d\n", ret);
399400
goto exit;
400401
}
401402

402403
/* Cache Bob's key in the HSM */
403-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
404-
(uint8_t*)bobKeyData, bobKeyLen, &keyIdBob);
404+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
405+
strlen(keyLabel), (uint8_t*)bobKeyData, bobKeyLen,
406+
&keyIdBob);
405407
if (ret != 0) {
406408
WH_BENCH_PRINTF("Failed to cache Bob's key %d\n", ret);
407409
goto exit;

benchmark/bench_modules/wh_bench_mod_mldsa.c

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -664,14 +664,16 @@ static int _benchMlDsaSign(whClientContext* client, whBenchOpContext* ctx,
664664
/* Import key to the HSM */
665665
#if defined(WOLFHSM_CFG_DMA)
666666
if (devId == WH_DEV_ID_DMA) {
667-
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId, 0,
667+
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId,
668+
WH_NVM_FLAGS_USAGE_ANY,
668669
strlen(keyLabel), (uint8_t*)keyLabel);
669670
}
670671
else
671672
#endif /* !(WOLFHSM_CFG_DMA) */
672673
{
673-
ret = wh_Client_MlDsaImportKey(client, &key, &keyId, 0,
674-
strlen(keyLabel), (uint8_t*)keyLabel);
674+
ret = wh_Client_MlDsaImportKey(client, &key, &keyId,
675+
WH_NVM_FLAGS_USAGE_ANY, strlen(keyLabel),
676+
(uint8_t*)keyLabel);
675677
}
676678
if (ret != 0) {
677679
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
@@ -812,14 +814,16 @@ static int _benchMlDsaVerify(whClientContext* client, whBenchOpContext* ctx,
812814
/* Import key to the HSM */
813815
#if defined(WOLFHSM_CFG_DMA)
814816
if (devId == WH_DEV_ID_DMA) {
815-
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId, 0,
817+
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId,
818+
WH_NVM_FLAGS_USAGE_ANY,
816819
strlen(keyLabel), (uint8_t*)keyLabel);
817820
}
818821
else
819822
#endif /* !(WOLFHSM_CFG_DMA) */
820823
{
821-
ret = wh_Client_MlDsaImportKey(client, &key, &keyId, 0,
822-
strlen(keyLabel), (uint8_t*)keyLabel);
824+
ret = wh_Client_MlDsaImportKey(client, &key, &keyId,
825+
WH_NVM_FLAGS_USAGE_ANY, strlen(keyLabel),
826+
(uint8_t*)keyLabel);
823827
}
824828
if (ret != 0) {
825829
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);

benchmark/bench_modules/wh_bench_mod_rsa.c

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -361,8 +361,8 @@ int _benchRsaCrypt(whClientContext* client, whBenchOpContext* ctx, int id,
361361
initialized_rng = 1;
362362

363363
/* Cache the RSA key in the HSM */
364-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
365-
(uint8_t*)key, keyLen, &keyId);
364+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
365+
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
366366
if (ret != 0) {
367367
WH_BENCH_PRINTF("Failed to cache RSA key %d\n", ret);
368368
goto exit;
@@ -493,8 +493,8 @@ int _benchRsaVerify(whClientContext* client, whBenchOpContext* ctx, int id,
493493
initialized_rng = 1;
494494

495495
/* Cache the RSA key in the HSM */
496-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
497-
(uint8_t*)key, keyLen, &keyId);
496+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
497+
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
498498
if (ret != 0) {
499499
WH_BENCH_PRINTF("Failed to cache RSA key %d\n", ret);
500500
goto exit;
@@ -615,8 +615,8 @@ int _benchRsaSign(whClientContext* client, whBenchOpContext* ctx, int id,
615615
initialized_rng = 1;
616616

617617
/* Cache the RSA key in the HSM */
618-
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
619-
(uint8_t*)key, keyLen, &keyId);
618+
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
619+
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
620620
if (ret != 0) {
621621
WH_BENCH_PRINTF("Failed to cache RSA key %d\n", ret);
622622
goto exit;

examples/demo/client/wh_demo_client_crypto.c

Lines changed: 44 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -170,8 +170,9 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext)
170170
close(keyFd);
171171

172172
/* cache the key in the HSM, get HSM assigned keyId */
173-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
174-
strlen(keyLabel), keyBuf, keySz, &keyId);
173+
ret = wh_Client_KeyCache(
174+
clientContext, WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT,
175+
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf, keySz, &keyId);
175176
if (ret != 0) {
176177
printf("Failed to wh_Client_KeyCache %d\n", ret);
177178
goto exit;
@@ -359,8 +360,9 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext)
359360

360361

361362
/* cache the key in the HSM, get HSM assigned keyId */
362-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
363-
strlen(keyLabel), keyBuf, keySz, &keyIdBob);
363+
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE,
364+
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf,
365+
keySz, &keyIdBob);
364366
if (ret != 0) {
365367
printf("Failed to wh_Client_KeyCache %d\n", ret);
366368
goto exit;
@@ -394,8 +396,9 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext)
394396
close(keyFd);
395397

396398
/* cache the key in the HSM, get HSM assigned keyId */
397-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
398-
strlen(keyLabel), keyBuf, keySz, &keyIdAlice);
399+
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE,
400+
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf,
401+
keySz, &keyIdAlice);
399402
if (ret != 0) {
400403
printf("Failed to wh_Client_KeyCache %d\n", ret);
401404
goto exit;
@@ -649,8 +652,11 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext)
649652
close(keyFd);
650653
/* Cache the key in the HSM, get HSM assigned keyId. From here on out, the
651654
* keys are stored in the HSM and can be referred to by keyId */
652-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
653-
strlen(keyLabel), keyBuf, keySz, &keyIdAlice);
655+
ret = wh_Client_KeyCache(
656+
clientContext,
657+
WH_NVM_FLAGS_USAGE_DERIVE | WH_NVM_FLAGS_USAGE_SIGN |
658+
WH_NVM_FLAGS_USAGE_VERIFY,
659+
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf, keySz, &keyIdAlice);
654660
if (ret != 0) {
655661
printf("Failed to wh_Client_KeyCache %d\n", ret);
656662
goto exit;
@@ -694,8 +700,11 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext)
694700
}
695701
close(keyFd);
696702
/* Cache the key in the HSM, get HSM assigned keyId */
697-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
698-
strlen(keyLabel), keyBuf, keySz, &keyIdBob);
703+
ret = wh_Client_KeyCache(
704+
clientContext,
705+
WH_NVM_FLAGS_USAGE_DERIVE | WH_NVM_FLAGS_USAGE_SIGN |
706+
WH_NVM_FLAGS_USAGE_VERIFY,
707+
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf, keySz, &keyIdBob);
699708
if (ret != 0) {
700709
printf("Failed to wh_Client_KeyCache %d\n", ret);
701710
goto exit;
@@ -902,8 +911,9 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext)
902911
}
903912

904913
/* cache the key on the HSM */
905-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
906-
sizeof(keyLabel), key, sizeof(key), &keyId);
914+
ret = wh_Client_KeyCache(
915+
clientContext, WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT,
916+
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
907917
if (ret != 0) {
908918
printf("Failed to wh_Client_KeyCache %d\n", ret);
909919
goto exit;
@@ -1050,8 +1060,9 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext)
10501060
}
10511061

10521062
/* cache the key on the HSM */
1053-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
1054-
sizeof(keyLabel), key, sizeof(key), &keyId);
1063+
ret = wh_Client_KeyCache(
1064+
clientContext, WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT,
1065+
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
10551066
if (ret != 0) {
10561067
printf("Failed to wh_Client_KeyCache %d\n", ret);
10571068
goto exit;
@@ -1193,8 +1204,9 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext)
11931204
}
11941205

11951206
/* cache the key on the HSM */
1196-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
1197-
sizeof(keyLabel), key, sizeof(key), &keyId);
1207+
ret = wh_Client_KeyCache(
1208+
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
1209+
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
11981210
if (ret != 0) {
11991211
printf("Failed to wh_Client_KeyCache %d\n", ret);
12001212
goto exit;
@@ -1235,8 +1247,9 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext)
12351247

12361248
/* cache the key on the HSM. This is required because the key is evicted
12371249
* after the non-DMA CMAC operation is finalized */
1238-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
1239-
sizeof(keyLabel), key, sizeof(key), &keyId);
1250+
ret = wh_Client_KeyCache(
1251+
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
1252+
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
12401253
if (ret != 0) {
12411254
printf("Failed to wh_Client_KeyCache %d\n", ret);
12421255
goto exit;
@@ -1289,8 +1302,9 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext)
12891302
}
12901303

12911304
/* cache the key on the HSM */
1292-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
1293-
sizeof(keyLabel), key, sizeof(key), &keyId);
1305+
ret = wh_Client_KeyCache(
1306+
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
1307+
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
12941308
if (ret != 0) {
12951309
printf("Failed to wh_Client_KeyCache %d\n", ret);
12961310
goto exit;
@@ -1327,8 +1341,9 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext)
13271341

13281342
/* cache the key on the HSM again, cmac keys are evicted after non-DMA CMAC
13291343
* operations are finalized is called */
1330-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
1331-
sizeof(keyLabel), key, sizeof(key), &keyId);
1344+
ret = wh_Client_KeyCache(
1345+
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
1346+
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
13321347
if (ret != 0) {
13331348
printf("Failed to wh_Client_KeyCache %d\n", ret);
13341349
goto exit;
@@ -1419,7 +1434,7 @@ int wh_DemoClient_CryptoHkdfCache(whClientContext* clientContext)
14191434
const uint32_t outSz = 32; /* arbitrary output size */
14201435

14211436
/* Metadata flags/label for the cached key. Adjust to your requirements. */
1422-
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE;
1437+
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE | WH_NVM_FLAGS_USAGE_DERIVE;
14231438
char label[] = "hkdf-derived key";
14241439

14251440
/* Request the HSM to derive HKDF output and store it in the key cache.
@@ -1467,9 +1482,9 @@ int wh_DemoClient_CryptoHkdfCacheInputKey(whClientContext* clientContext)
14671482
byte okm[32]; /* Output key material */
14681483

14691484
/* First, cache the input key material in the HSM */
1470-
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
1471-
(uint32_t)strlen(keyLabel), ikm,
1472-
(uint32_t)sizeof(ikm), &keyIdIn);
1485+
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE,
1486+
(uint8_t*)keyLabel, (uint32_t)strlen(keyLabel),
1487+
ikm, (uint32_t)sizeof(ikm), &keyIdIn);
14731488
if (ret != WH_ERROR_OK) {
14741489
printf("Failed to wh_Client_KeyCache %d\n", ret);
14751490
return ret;
@@ -1565,7 +1580,7 @@ int wh_DemoClient_CryptoCmacKdfCache(whClientContext* clientContext)
15651580
{
15661581
int ret = 0;
15671582
whKeyId keyId = WH_KEYID_ERASED;
1568-
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE;
1583+
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE | WH_NVM_FLAGS_USAGE_DERIVE;
15691584
const char label[] = "cmac-kdf cache";
15701585

15711586
ret = wh_Client_CmacKdfMakeCacheKey(
@@ -1609,7 +1624,7 @@ int wh_DemoClient_CryptoCmacKdfCacheInputs(whClientContext* clientContext)
16091624
* as the salt is usually not sensitive information. If it is desired to use
16101625
* HSM-only information as salt, then this would likely be provisioned
16111626
* as an offline step */
1612-
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_NONE, NULL, 0,
1627+
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE, NULL, 0,
16131628
demoCmacKdfSalt, (uint32_t)sizeof(demoCmacKdfSalt),
16141629
&saltKeyId);
16151630
if (ret != WH_ERROR_OK) {
@@ -1619,7 +1634,7 @@ int wh_DemoClient_CryptoCmacKdfCacheInputs(whClientContext* clientContext)
16191634

16201635
/* Cache the Z input. This would typically be done offline during the HSM
16211636
* provisioning step, but is shown here for completeness */
1622-
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_NONE, NULL, 0,
1637+
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE, NULL, 0,
16231638
demoCmacKdfZ, (uint32_t)sizeof(demoCmacKdfZ),
16241639
&zKeyId);
16251640
if (ret != WH_ERROR_OK) {

0 commit comments

Comments
 (0)