Review feedback:

 - Renamed whServerCacheXXX to whKeyCacheXXX
 - Relocated client global+wrapped flags to wh_keyid.h from wh_client.h
 - Fixed copyright year
 - Fixed wh_settings.h include order

Author: bigbrett

src/wh_keyid.c

@@ -24,44 +24,44 @@
 
 #include "wolfhsm/wh_keyid.h"
 
-whKeyId wh_KeyId_TranslateClient(uint16_t type, uint16_t clientId,
-                                 whKeyId reqId)
+whKeyId wh_KeyId_TranslateFromClient(uint16_t type, uint16_t clientId,
+                                     whKeyId reqId)
 {
     uint16_t user = clientId;
     whKeyId  id   = reqId & WH_KEYID_MASK;
 
 #ifdef WOLFHSM_CFG_GLOBAL_KEYS
-    /* Check for global flag (bit 8: 0x0100) */
-    if ((reqId & 0x0100) != 0) {
+    /* Convert global flag to USER=0 */
+    if ((reqId & WH_KEYID_CLIENT_GLOBAL_FLAG) != 0) {
         user = WH_KEYUSER_GLOBAL;
     }
 #endif
 
 #ifdef WOLFHSM_CFG_KEYWRAP
-    /* Check for wrapped flag (bit 9: 0x0200) */
-    if ((reqId & 0x0200) != 0) {
+    /* Convert wrapped flag to TYPE=WH_KETYPE_WRAPPED */
+    if ((reqId & WH_KEYID_CLIENT_WRAPPED_FLAG) != 0) {
         type = WH_KEYTYPE_WRAPPED;
     }
 #endif
 
     return WH_MAKE_KEYID(type, user, id);
 }
 
-whKeyId wh_KeyId_ToClient(whKeyId serverId)
+whKeyId wh_KeyId_TranslateToClient(whKeyId serverId)
 {
     whKeyId clientId = WH_KEYID_ID(serverId);
 
 #ifdef WOLFHSM_CFG_GLOBAL_KEYS
-    /* Convert USER=0 to global flag (bit 8: 0x0100) */
+    /* Convert USER=0 to global flag */
     if (WH_KEYID_USER(serverId) == WH_KEYUSER_GLOBAL) {
-        clientId |= 0x0100; /* WH_CLIENT_KEYID_GLOBAL_FLAG */
+        clientId |= WH_KEYID_CLIENT_GLOBAL_FLAG;
     }
 #endif
 
 #ifdef WOLFHSM_CFG_KEYWRAP
-    /* Convert TYPE=WRAPPED to wrapped flag (bit 9: 0x0200) */
+    /* Convert TYPE=WRAPPED to wrapped flag */
     if (WH_KEYID_TYPE(serverId) == WH_KEYTYPE_WRAPPED) {
-        clientId |= 0x0200; /* WH_CLIENT_KEYID_WRAPPED_FLAG */
+        clientId |= WH_KEYID_CLIENT_WRAPPED_FLAG;
     }
 #endif
 

src/wh_server_cert.c

@@ -489,7 +489,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                 cert_data = (const uint8_t*)req_packet + sizeof(req);
 
                 /* Map client keyId to server keyId space */
-                whKeyId keyId = wh_KeyId_TranslateClient(
+                whKeyId keyId = wh_KeyId_TranslateFromClient(
                     WH_KEYTYPE_CRYPTO, server->comm->client_id, req.keyId);
 
                 /* Process the verify action */
@@ -499,7 +499,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
 
                 /* Propagate the keyId back to the client with flags preserved
                  */
-                resp.keyId = wh_KeyId_ToClient(keyId);
+                resp.keyId = wh_KeyId_TranslateToClient(keyId);
             }
 
             /* Convert the response struct */
@@ -619,7 +619,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
             }
             if (resp.rc == WH_ERROR_OK) {
                 /* Map client keyId to server keyId space */
-                whKeyId keyId = wh_KeyId_TranslateClient(
+                whKeyId keyId = wh_KeyId_TranslateFromClient(
                     WH_KEYTYPE_CRYPTO, server->comm->client_id, req.keyId);
 
                 /* Process the verify action */
@@ -629,7 +629,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
 
                 /* Propagate the keyId back to the client with flags preserved
                  */
-                resp.keyId = wh_KeyId_ToClient(keyId);
+                resp.keyId = wh_KeyId_TranslateToClient(keyId);
             }
             if (resp.rc == WH_ERROR_OK) {
                 /* Post-process client address */

src/wh_server_crypto.c

@@ -171,7 +171,7 @@ static int _GetKeyCacheSlot(whKeyCacheContext* ctx, uint16_t keySz,
 
         /* Zero slot and return pointers */
         if (foundIndex >= 0) {
-            memset(&ctx->cache[foundIndex], 0, sizeof(whServerCacheSlot));
+            memset(&ctx->cache[foundIndex], 0, sizeof(whCacheSlot));
             *outBuf  = ctx->cache[foundIndex].buffer;
             *outMeta = ctx->cache[foundIndex].meta;
         }
@@ -197,7 +197,7 @@ static int _GetKeyCacheSlot(whKeyCacheContext* ctx, uint16_t keySz,
 
         /* Zero slot and return pointers */
         if (foundIndex >= 0) {
-            memset(&ctx->bigCache[foundIndex], 0, sizeof(whServerBigCacheSlot));
+            memset(&ctx->bigCache[foundIndex], 0, sizeof(whBigCacheSlot));
             *outBuf  = ctx->bigCache[foundIndex].buffer;
             *outMeta = ctx->bigCache[foundIndex].meta;
         }
@@ -485,26 +485,6 @@ static int _ExistsInCache(whServerContext* server, whKeyId keyId)
 }
 #endif /* WOLFHSM_CFG_KEYWRAP */
 
-#ifdef WOLFHSM_CFG_KEYWRAP
-int wh_Server_KeystoreIsWrappedKey(whServerContext* server, whKeyId keyId,
-                                   int* outIsWrapped)
-{
-    int isWrapped;
-
-    if (server == NULL || WH_KEYID_ISERASED(keyId)) {
-        return WH_ERROR_BADARGS;
-    }
-
-    (void)server;
-    isWrapped = (WH_KEYID_TYPE(keyId) == WH_KEYTYPE_WRAPPED);
-    if (outIsWrapped != NULL) {
-        *outIsWrapped = isWrapped;
-    }
-
-    return WH_ERROR_OK;
-}
-#endif /* WOLFHSM_CFG_KEYWRAP */
-
 /* try to put the specified key into cache if it isn't already, return pointers
  * to meta and the cached data*/
 int wh_Server_KeystoreFreshenKey(whServerContext* server, whKeyId keyId,
@@ -742,8 +722,8 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
     /* Get the server side key */
     ret = wh_Server_KeystoreReadKey(
         server,
-        wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO, server->comm->client_id,
-                                 serverKeyId),
+        wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO, server->comm->client_id,
+                                     serverKeyId),
         NULL, serverKey, &serverKeySz);
     if (ret != WH_ERROR_OK) {
         return ret;
@@ -815,8 +795,8 @@ static int _AesGcmUnwrapKey(whServerContext* server, uint16_t serverKeyId,
     /* Get the server side key */
     ret = wh_Server_KeystoreReadKey(
         server,
-        wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO, server->comm->client_id,
-                                 serverKeyId),
+        wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO, server->comm->client_id,
+                                     serverKeyId),
         NULL, serverKey, &serverKeySz);
     if (ret != WH_ERROR_OK) {
         return ret;
@@ -1115,7 +1095,7 @@ _HandleUnwrapAndCacheKeyRequest(whServerContext*                         server,
     }
 
     /* Store the assigned key ID in the response, preserving client flags */
-    resp->keyId = wh_KeyId_ToClient(metadata.id);
+    resp->keyId = wh_KeyId_TranslateToClient(metadata.id);
 
     /* Cache the key */
     return wh_Server_KeystoreCacheKey(server, &metadata, key);
@@ -1153,7 +1133,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
             in = (uint8_t*)req_packet + sizeof(req);
 
             /* set the metadata fields */
-            meta->id = wh_KeyId_TranslateClient(
+            meta->id = wh_KeyId_TranslateFromClient(
                 WH_KEYTYPE_CRYPTO, server->comm->client_id, req.id);
             meta->access = WH_NVM_ACCESS_ANY;
             meta->flags  = req.flags;
@@ -1181,7 +1161,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
             }
             if (ret == WH_ERROR_OK) {
                 /* Translate server keyId back to client format with flags */
-                resp.id = wh_KeyId_ToClient(meta->id);
+                resp.id = wh_KeyId_TranslateToClient(meta->id);
 
                 (void)wh_MessageKeystore_TranslateCacheResponse(
                     magic, &resp,
@@ -1202,7 +1182,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
                 magic, (whMessageKeystore_CacheDmaRequest*)req_packet, &req);
 
             /* set the metadata fields */
-            meta->id = wh_KeyId_TranslateClient(
+            meta->id = wh_KeyId_TranslateFromClient(
                 WH_KEYTYPE_CRYPTO, server->comm->client_id, req.id);
             meta->access = WH_NVM_ACCESS_ANY;
             meta->flags  = req.flags;
@@ -1236,7 +1216,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
             }
 
             /* Translate server keyId back to client format with flags */
-            resp.id = wh_KeyId_ToClient(meta->id);
+            resp.id = wh_KeyId_TranslateToClient(meta->id);
 
             (void)wh_MessageKeystore_TranslateCacheDmaResponse(
                 magic, &resp, (whMessageKeystore_CacheDmaResponse*)resp_packet);
@@ -1254,8 +1234,8 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
 
             ret = wh_Server_KeystoreExportKeyDma(
                 server,
-                wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
-                                         server->comm->client_id, req.id),
+                wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO,
+                                             server->comm->client_id, req.id),
                 req.key.addr, req.key.sz, meta);
             resp.rc = ret;
             /* propagate bad address to client if DMA operation failed */
@@ -1288,8 +1268,8 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
 
             ret = wh_Server_KeystoreEvictKey(
                 server,
-                wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
-                                         server->comm->client_id, req.id));
+                wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO,
+                                             server->comm->client_id, req.id));
             resp.rc = ret;
             /* TODO: Are there any fatal server errors? */
             ret = WH_ERROR_OK;
@@ -1320,8 +1300,8 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
             /* read the key */
             ret = wh_Server_KeystoreReadKey(
                 server,
-                wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
-                                         server->comm->client_id, req.id),
+                wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO,
+                                             server->comm->client_id, req.id),
                 meta, out, &keySz);
 
             /* Check if key is non-exportable */
@@ -1364,8 +1344,8 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
 
             ret = wh_Server_KeystoreCommitKey(
                 server,
-                wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
-                                         server->comm->client_id, req.id));
+                wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO,
+                                             server->comm->client_id, req.id));
             resp.rc = ret;
             /* TODO: Are there any fatal server errors? */
             ret = WH_ERROR_OK;
@@ -1391,8 +1371,8 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
 
             ret = wh_Server_KeystoreEraseKey(
                 server,
-                wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
-                                         server->comm->client_id, req.id));
+                wh_KeyId_TranslateFromClient(WH_KEYTYPE_CRYPTO,
+                                             server->comm->client_id, req.id));
             resp.rc = ret;
             /* TODO: Are there any fatal server errors? */
             ret = WH_ERROR_OK;

src/wh_server_keystore.c

@@ -1249,7 +1249,7 @@ static int _testKeyIdFlagPreservation(whClientContext* client1,
             wh_Client_KeyCacheResponse(client1, &returnedKeyId));
 
         /* Verify global flag is preserved */
-        WH_TEST_ASSERT_RETURN((returnedKeyId & WH_CLIENT_KEYID_GLOBAL_FLAG) !=
+        WH_TEST_ASSERT_RETURN((returnedKeyId & WH_KEYID_CLIENT_GLOBAL_FLAG) !=
                               0);
         WH_TEST_ASSERT_RETURN((returnedKeyId & WH_KEYID_MASK) == DUMMY_KEYID_1);
 
@@ -1275,7 +1275,7 @@ static int _testKeyIdFlagPreservation(whClientContext* client1,
             wh_Client_KeyCacheResponse(client1, &returnedKeyId));
 
         /* Verify no global flag */
-        WH_TEST_ASSERT_RETURN((returnedKeyId & WH_CLIENT_KEYID_GLOBAL_FLAG) ==
+        WH_TEST_ASSERT_RETURN((returnedKeyId & WH_KEYID_CLIENT_GLOBAL_FLAG) ==
                               0);
         WH_TEST_ASSERT_RETURN((returnedKeyId & WH_KEYID_MASK) == DUMMY_KEYID_2);
 

test/wh_test_multiclient.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2024 wolfSSL Inc.
+ * Copyright (C) 2025 wolfSSL Inc.
  *
  * This file is part of wolfHSM.
  *

test/wh_test_multiclient.h

@@ -52,6 +52,7 @@
 #ifdef WOLFHSM_CFG_DMA
 #include "wolfhsm/wh_dma.h"
 #endif /* WOLFHSM_CFG_DMA */
+#include "wolfhsm/wh_keyid.h"
 
 
 /* Forward declaration of the client structure so its elements can reference
@@ -2493,33 +2494,6 @@ int wh_Client_CertVerifyAcertDma(whClientContext* c, const void* cert,
 
 #endif /* WOLFHSM_CFG_DMA */
 
-/*
- * @brief Client-side keyId manipulation API
- *
- * This section defines the client-facing API for working with key identifiers.
- * Clients use simple numeric IDs (0-255) with optional flags to indicate
- * global or wrapped keys. The server translates these to full internal
- * representations with TYPE/USER/ID fields.
- *
- * Client keyId usage:
- * - Regular keys: Simple numeric ID (e.g., 5)
- * - Global keys: ID with WH_CLIENT_KEYID_GLOBAL_FLAG set
- * - Wrapped keys: ID with WH_CLIENT_KEYID_WRAPPED_FLAG set
- * - Wrapped metadata: Must use full WH_MAKE_KEYID() construction including type
- *    and metadata when populating the ID field in metadata to be wrapped
- */
-
-/* Client-facing key flags (temporary, stripped by server during translation) */
-
-/* Bit 8: Client-to-server signal for global key (shared across all clients) */
-#define WH_CLIENT_KEYID_GLOBAL_FLAG ((whKeyId)0x0100)
-
-/* Bit 9: Client-to-server signal for wrapped key */
-#define WH_CLIENT_KEYID_WRAPPED_FLAG ((whKeyId)0x0200)
-
-/* Combined mask of all client-facing flags */
-#define WH_CLIENT_KEYID_FLAGS_MASK \
-    (WH_CLIENT_KEYID_GLOBAL_FLAG | WH_CLIENT_KEYID_WRAPPED_FLAG)
 
 /**
  * @brief Mark a key ID as global (shared across all clients)
@@ -2535,7 +2509,7 @@ int wh_Client_CertVerifyAcertDma(whClientContext* c, const void* cert,
  *   whKeyId globalKey = WH_CLIENT_KEYID_MAKE_GLOBAL(5);
  *   wh_Client_KeyCache(client, globalKey, ...);  // Stored as global key
  */
-#define WH_CLIENT_KEYID_MAKE_GLOBAL(_id) ((_id) | WH_CLIENT_KEYID_GLOBAL_FLAG)
+#define WH_CLIENT_KEYID_MAKE_GLOBAL(_id) ((_id) | WH_KEYID_CLIENT_GLOBAL_FLAG)
 
 /**
  * @brief Mark a key ID as wrapped
@@ -2551,7 +2525,7 @@ int wh_Client_CertVerifyAcertDma(whClientContext* c, const void* cert,
  *   whKeyId wrappedKey = WH_CLIENT_KEYID_MAKE_WRAPPED(2);
  *   wh_Client_KeyExportRequest(client, wrappedKey, ...);
  */
-#define WH_CLIENT_KEYID_MAKE_WRAPPED(_id) ((_id) | WH_CLIENT_KEYID_WRAPPED_FLAG)
+#define WH_CLIENT_KEYID_MAKE_WRAPPED(_id) ((_id) | WH_KEYID_CLIENT_WRAPPED_FLAG)
 
 /**
  * @brief Mark a key ID as both global and wrapped
@@ -2567,7 +2541,7 @@ int wh_Client_CertVerifyAcertDma(whClientContext* c, const void* cert,
  *   wh_Client_AesSetKeyId(aes, globalWrappedKey);
  */
 #define WH_CLIENT_KEYID_MAKE_WRAPPED_GLOBAL(_id) \
-    ((_id) | WH_CLIENT_KEYID_GLOBAL_FLAG | WH_CLIENT_KEYID_WRAPPED_FLAG)
+    ((_id) | WH_KEYID_CLIENT_GLOBAL_FLAG | WH_KEYID_CLIENT_WRAPPED_FLAG)
 
 /**
  * @brief Construct wrapped key metadata ID with explicit ownership

wolfhsm/wh_client.h

@@ -24,11 +24,11 @@
 #ifndef WOLFHSM_WH_COMMON_H_
 #define WOLFHSM_WH_COMMON_H_
 
-#include <stdint.h>
-
 /* Pick up compile-time configuration */
 #include "wolfhsm/wh_settings.h"
 
+#include <stdint.h>
+
 /* Key management types and helpers */
 #include "wolfhsm/wh_keyid.h"