add key usage policy support to CMAC

bigbrett · bigbrett · commit 784cf00b1e3f · 2025-11-05T13:01:01.000-07:00
diff --git a/src/wh_server_crypto.c b/src/wh_server_crypto.c
@@ -2499,9 +2499,24 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
                 len   = sizeof(ctx->crypto->algoCtx.cmac);
                 keyId = wh_KeyId_TranslateFromClient(
                     WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.keyId);
-                ret   = wh_Server_KeystoreReadKey(
-                      ctx, keyId, NULL, (uint8_t*)ctx->crypto->algoCtx.cmac,
-                      (uint32_t*)&len);
+
+                /* Validate key usage policy - CMAC accepts sign or verify */
+                if (!WH_KEYID_ISERASED(keyId)) {
+                    ret = wh_Server_KeystoreFindEnforceKeyUsage(
+                        ctx, keyId, WH_NVM_FLAGS_USAGE_SIGN);
+                    if (ret == WH_ERROR_USAGE) {
+                        /* Sign not allowed, try verify */
+                        ret = wh_Server_KeystoreFindEnforceKeyUsage(
+                            ctx, keyId, WH_NVM_FLAGS_USAGE_VERIFY);
+                    }
+                    if (ret != WH_ERROR_OK) {
+                        return ret;
+                    }
+                }
+
+                ret = wh_Server_KeystoreReadKey(
+                    ctx, keyId, meta, (uint8_t*)ctx->crypto->algoCtx.cmac,
+                    (uint32_t*)&len);
                 if (ret == WH_ERROR_OK) {
                     /* if the key size is a multiple of aes, init the key and
                      * overwrite the existing key on exit */
@@ -2612,12 +2627,22 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
                 if (moveToBigCache == 1) {
                     ret = wh_Server_KeystoreEvictKey(ctx, keyId);
                 }
-                if (ret == 0) {
+                if (ret == WH_ERROR_OK) {
                     meta->id  = keyId;
                     meta->len = sizeof(ctx->crypto->algoCtx.cmac);
-                    ret       = wh_Server_KeystoreCacheKey(
+                    /* Nonzero key size means the client provided the key and
+                     * wasn't able to provide flags, therefore we tag the key as
+                     * useable for sign/verify operations. If the client instead
+                     * wants to refer to the key by ID, meta->flags should
+                     * already hold the flags set on the original AES key from
+                     * the earlier read operation */
+                    if (req.keySz != 0) {
+                        meta->flags =
+                            WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY;
+                    }
+                    ret = wh_Server_KeystoreCacheKey(
                         ctx, meta, (uint8_t*)ctx->crypto->algoCtx.cmac);
-                    if (ret == 0) {
+                    if (ret == WH_ERROR_OK) {
                         res.keyId = wh_KeyId_TranslateToClient(keyId);
                         res.outSz = 0;
                     }
@@ -4692,6 +4717,22 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
                         keyId = wh_KeyId_TranslateFromClient(
                             WH_KEYTYPE_CRYPTO, ctx->comm->client_id,
                             clientKeyId);
+
+                        /* Validate key usage policy - CMAC accepts sign or
+                         * verify */
+                        if (!WH_KEYID_ISERASED(keyId)) {
+                            ret = wh_Server_KeystoreFindEnforceKeyUsage(
+                                ctx, keyId, WH_NVM_FLAGS_USAGE_SIGN);
+                            if (ret == WH_ERROR_USAGE) {
+                                /* Sign not allowed, try verify */
+                                ret = wh_Server_KeystoreFindEnforceKeyUsage(
+                                    ctx, keyId, WH_NVM_FLAGS_USAGE_VERIFY);
+                            }
+                            if (ret != WH_ERROR_OK) {
+                                return ret;
+                            }
+                        }
+
                         keyLen = sizeof(tmpKey);
 
                         /* Load key from cache */
@@ -4756,6 +4797,22 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
                         /* Get key ID from CMAC context */
                         keyId = wh_KeyId_TranslateFromClient(
                             WH_KEYTYPE_CRYPTO, ctx->comm->client_id, nvmId);
+
+                        /* Validate key usage policy - CMAC accepts sign or
+                         * verify */
+                        if (!WH_KEYID_ISERASED(keyId)) {
+                            ret = wh_Server_KeystoreFindEnforceKeyUsage(
+                                ctx, keyId, WH_NVM_FLAGS_USAGE_SIGN);
+                            if (ret == WH_ERROR_USAGE) {
+                                /* Sign not allowed, try verify */
+                                ret = wh_Server_KeystoreFindEnforceKeyUsage(
+                                    ctx, keyId, WH_NVM_FLAGS_USAGE_VERIFY);
+                            }
+                            if (ret != WH_ERROR_OK) {
+                                return ret;
+                            }
+                        }
+
                         keyLen = sizeof(tmpKey);
 
                         /* Load key from cache */
diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c
@@ -4029,6 +4029,108 @@ int whTest_CryptoKeyUsagePolicies(whClientContext* client, WC_RNG* rng)
         return ret;
 #endif /* HAVE_HKDF */
 
+#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
+    /* CMAC Generate without SIGN flag */
+    printf("  Testing CMAC generate without SIGN flag...\n");
+    {
+        Cmac    cmac;
+        whKeyId keyId = WH_KEYID_ERASED;
+        uint8_t message[64];
+        uint8_t tag[AES_BLOCK_SIZE];
+        word32  tagLen = sizeof(tag);
+
+        /* Generate random message */
+        ret = wc_RNG_GenerateBlock(rng, message, sizeof(message));
+        if (ret == 0) {
+            /* Cache AES key without SIGN flag */
+            ret = wh_Client_KeyCache(
+                client, WH_NVM_FLAGS_NONE, (uint8_t*)"cmac-no-sign",
+                strlen("cmac-no-sign"), key, AES_128_KEY_SIZE, &keyId);
+        }
+
+        if (ret == 0) {
+            /* Initialize CMAC with HSM device ID */
+            ret = wc_InitCmac_ex(&cmac, NULL, 0, WC_CMAC_AES, NULL, NULL,
+                                 WH_DEV_ID);
+            if (ret == 0) {
+                /* Associate cached key */
+                ret = wh_Client_CmacSetKeyId(&cmac, keyId);
+                if (ret == 0) {
+                    /* Try to generate CMAC - should fail */
+                    ret = wc_AesCmacGenerate_ex(&cmac, tag, &tagLen, message,
+                                                sizeof(message), NULL, 0, NULL,
+                                                WH_DEV_ID);
+                    if (ret == WH_ERROR_USAGE) {
+                        printf("    PASS: Correctly denied CMAC generate\n");
+                        ret = 0; /* Test passed */
+                    }
+                    else {
+                        WH_ERROR_PRINT(
+                            "    FAIL: Expected WH_ERROR_USAGE, got %d\n", ret);
+                        ret = WH_ERROR_ABORTED;
+                    }
+                }
+                wc_CmacFree(&cmac);
+            }
+            wh_Client_KeyEvict(client, keyId);
+        }
+    }
+    if (ret != 0)
+        return ret;
+
+    /* CMAC Verify without VERIFY flag */
+    printf("  Testing CMAC verify without VERIFY flag...\n");
+    {
+        Cmac    cmac;
+        whKeyId keyId = WH_KEYID_ERASED;
+        uint8_t message[64];
+        uint8_t tag[AES_BLOCK_SIZE];
+        word32  tagLen = sizeof(tag);
+
+        /* Generate random message and tag */
+        ret = wc_RNG_GenerateBlock(rng, message, sizeof(message));
+        if (ret == 0) {
+            ret = wc_RNG_GenerateBlock(rng, tag, sizeof(tag));
+        }
+
+        if (ret == 0) {
+            /* Cache AES key without VERIFY flag */
+            ret = wh_Client_KeyCache(
+                client, WH_NVM_FLAGS_NONE, (uint8_t*)"cmac-no-verify",
+                strlen("cmac-no-verify"), key, AES_128_KEY_SIZE, &keyId);
+        }
+
+        if (ret == 0) {
+            /* Initialize CMAC with HSM device ID */
+            ret = wc_InitCmac_ex(&cmac, NULL, 0, WC_CMAC_AES, NULL, NULL,
+                                 WH_DEV_ID);
+            if (ret == 0) {
+                /* Associate cached key */
+                ret = wh_Client_CmacSetKeyId(&cmac, keyId);
+                if (ret == 0) {
+                    /* Try to verify CMAC - should fail */
+                    ret = wc_AesCmacVerify_ex(&cmac, tag, tagLen, message,
+                                              sizeof(message), NULL, 0, NULL,
+                                              WH_DEV_ID);
+                    if (ret == WH_ERROR_USAGE) {
+                        printf("    PASS: Correctly denied CMAC verify\n");
+                        ret = 0; /* Test passed */
+                    }
+                    else {
+                        WH_ERROR_PRINT(
+                            "    FAIL: Expected WH_ERROR_USAGE, got %d\n", ret);
+                        ret = WH_ERROR_ABORTED;
+                    }
+                }
+                wc_CmacFree(&cmac);
+            }
+            wh_Client_KeyEvict(client, keyId);
+        }
+    }
+    if (ret != 0)
+        return ret;
+#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT */
+
 #ifdef WOLFHSM_CFG_KEYWRAP
     /* Key wrap without WRAP flag */
     printf("  Testing key wrap without WRAP flag...\n");
