add sensitive flag for wrapped keys

bigbrett · bigbrett · commit b468279e3196 · 2025-10-30T14:44:31.000-06:00
diff --git a/src/wh_server_keystore.c b/src/wh_server_keystore.c
@@ -969,6 +969,11 @@ static int _HandleUnwrapAndExportKeyRequest(
                 return WH_ERROR_ACCESS;
             }
 
+            /* Check if the key is sensitive */
+            if (metadata->flags & WH_NVM_FLAGS_SENSITIVE) {
+                return WH_ERROR_ACCESS;
+            }
+
             /* Validate client ownership.
              * The USER field in wrapped key metadata specifies the owner.
              * Only the owning client can export wrapped keys. */
@@ -1304,34 +1309,40 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
                                              server->comm->client_id, req.id),
                 meta, out, &keySz);
 
-            /* Check if key is non-exportable */
-            if (ret == WH_ERROR_OK &&
-                (meta->flags & WH_NVM_FLAGS_NONEXPORTABLE)) {
-                ret = WH_ERROR_ACCESS;
-                /* Clear any key data that may have been read */
-                memset(out, 0, keySz);
+            if (ret == WH_ERROR_OK) {
+                /* Check if key is non-exportable */
+                if (meta->flags & WH_NVM_FLAGS_NONEXPORTABLE) {
+                    ret = WH_ERROR_ACCESS;
+                }
+
+                /* Check if key is sensitive */
+                if (meta->flags & WH_NVM_FLAGS_SENSITIVE) {
+                    ret = WH_ERROR_ACCESS;
+                }
+
+                if (ret != WH_ERROR_OK) {
+                    /* Clear any key data that may have been read */
+                    memset(out, 0, keySz);
+                }
             }
 
+            /* propagate any failures back to client */
             resp.rc = ret;
-            /* TODO: Are there any fatal server errors? */
             ret = WH_ERROR_OK;
 
-            if (ret == WH_ERROR_OK) {
-                /* Only provide key output if no error */
-                if (resp.rc == WH_ERROR_OK) {
-                    resp.len = keySz;
-                }
-                else {
-                    resp.len = 0;
-                }
-                memcpy(resp.label, meta->label, sizeof(meta->label));
+            /* Only provide key output if no error */
+            if (resp.rc == WH_ERROR_OK) {
+                resp.len = keySz;
+            }
+            else {
+                resp.len = 0;
+            }
+            memcpy(resp.label, meta->label, sizeof(meta->label));
 
-                (void)wh_MessageKeystore_TranslateExportResponse(
-                    magic, &resp,
-                    (whMessageKeystore_ExportResponse*)resp_packet);
+            (void)wh_MessageKeystore_TranslateExportResponse(
+                magic, &resp, (whMessageKeystore_ExportResponse*)resp_packet);
 
-                *out_resp_size = sizeof(resp) + resp.len;
-            }
+            *out_resp_size = sizeof(resp) + resp.len;
         } break;
 
         case WH_KEY_COMMIT: {
@@ -1583,6 +1594,11 @@ int wh_Server_KeystoreExportKeyDma(whServerContext* server, whKeyId keyId,
         return WH_ERROR_ACCESS;
     }
 
+    /* Check if key is sensitive */
+    if (cacheMeta->flags & WH_NVM_FLAGS_SENSITIVE) {
+        return WH_ERROR_ACCESS;
+    }
+
     if (keySz < cacheMeta->len) {
         return WH_ERROR_NOSPACE;
     }
diff --git a/test/wh_test_keywrap.c b/test/wh_test_keywrap.c
@@ -227,6 +227,100 @@ static int _AesGcm_KeyWrap(whClientContext* client, WC_RNG* rng)
     return ret;
 }
 
+static int _TestKeyWrapSensitive(whClientContext* client, int cipher)
+{
+    int           ret = 0;
+    uint8_t       tmpPlainKey[WH_TEST_AES_KEYSIZE];
+    uint8_t       wrappedKey[WH_TEST_AES_WRAPPED_KEYSIZE];
+    whKeyId       wrappedKeyId = WH_KEYID_ERASED;
+    uint16_t      tmpOutSz     = 0;
+    whNvmMetadata metadata     = {
+            .id    = WH_CLIENT_KEYID_MAKE_WRAPPED_META(WH_TEST_DEFAULT_CLIENT_ID,
+                                                       WH_TEST_AESGCM_KEYID + 1),
+            .label = "Sensitive AES Key",
+            .len   = WH_TEST_AES_KEYSIZE,
+            .flags = WH_NVM_FLAGS_SENSITIVE,
+    };
+    whNvmMetadata tmpMetadata = {0};
+
+    const uint8_t hardcodedKey[WH_TEST_AES_KEYSIZE] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+        0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+        0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f};
+
+    /* Wrap the key with SENSITIVE flag */
+    ret =
+        wh_Client_KeyWrap(client, cipher, WH_TEST_KEKID, (uint8_t*)hardcodedKey,
+                          (uint16_t)sizeof(hardcodedKey), &metadata, wrappedKey,
+                          (uint16_t)sizeof(wrappedKey));
+    if (ret != WH_ERROR_OK) {
+        WH_ERROR_PRINT("Failed to wh_Client_KeyWrap with SENSITIVE flag %d\n",
+                       ret);
+        return ret;
+    }
+
+    /* Unwrap and cache the sensitive key - should succeed */
+    ret = wh_Client_KeyUnwrapAndCache(client, cipher, WH_TEST_KEKID, wrappedKey,
+                                      (uint16_t)sizeof(wrappedKey),
+                                      &wrappedKeyId);
+    if (ret != WH_ERROR_OK) {
+        WH_ERROR_PRINT(
+            "Failed to wh_Client_KeyUnwrapAndCache for sensitive key %d\n",
+            ret);
+        return ret;
+    }
+
+    /* Now test that all export paths back to client are blocked */
+
+    /* Attempts to directly export should fail with WH_ERROR_ACCESS */
+    tmpOutSz = (uint16_t)sizeof(tmpPlainKey);
+    ret      = wh_Client_KeyExport(client, wrappedKeyId, NULL, 0, tmpPlainKey,
+                                   &tmpOutSz);
+    if (ret != WH_ERROR_ACCESS) {
+        WH_ERROR_PRINT("wh_Client_KeyExport should return WH_ERROR_ACCESS for "
+                       "sensitive key, got %d\n",
+                       ret);
+        (void)wh_Client_KeyEvict(client, wrappedKeyId);
+        return ret;
+    }
+
+#ifdef WOLFHSM_CFG_DMA
+    /* Attempts to directly export via DMA should fail with WH_ERROR_ACCESS */
+    tmpOutSz = (uint16_t)sizeof(tmpPlainKey);
+    ret = wh_Client_KeyExportDma(client, wrappedKeyId, (const void*)tmpPlainKey,
+                                 (uint16_t)sizeof(tmpPlainKey), NULL, 0,
+                                 &tmpOutSz);
+    if (ret != WH_ERROR_ACCESS) {
+        WH_ERROR_PRINT("wh_Client_KeyExportDma should return WH_ERROR_ACCESS "
+                       "for sensitive key, got %d\n",
+                       ret);
+        (void)wh_Client_KeyEvict(client, wrappedKeyId);
+        return ret;
+    }
+#endif
+
+    /* Attempts to unwrap and export via the keywrap API should fail with
+     * WH_ERROR_ACCESS */
+    ret = wh_Client_KeyUnwrapAndExport(
+        client, cipher, WH_TEST_KEKID, wrappedKey, (uint16_t)sizeof(wrappedKey),
+        &tmpMetadata, tmpPlainKey, (uint16_t)sizeof(tmpPlainKey));
+    if (ret != WH_ERROR_ACCESS) {
+        WH_ERROR_PRINT("wh_Client_KeyUnwrapAndExport should return "
+                       "WH_ERROR_ACCESS for sensitive key, got %d\n",
+                       ret);
+        (void)wh_Client_KeyEvict(client, wrappedKeyId);
+        return ret;
+    }
+
+    /* Success */
+    ret = WH_ERROR_OK;
+
+    /* Cleanup */
+    (void)wh_Client_KeyEvict(client, wrappedKeyId);
+
+    return ret;
+}
+
 #endif /* HAVE_AESGCM */
 
 int whTest_Client_KeyWrap(whClientContext* client)
@@ -253,6 +347,14 @@ int whTest_Client_KeyWrap(whClientContext* client)
     }
 #endif
 
+    /* Test sensitive key attribute */
+    if (ret == WH_ERROR_OK) {
+        ret = _TestKeyWrapSensitive(client, WC_CIPHER_AES_GCM);
+        if (ret != WH_ERROR_OK) {
+            WH_ERROR_PRINT("Failed to _TestKeyWrapSensitive %d\n", ret);
+        }
+    }
+
     _CleanupServerKek(client);
 
     (void)wc_FreeRng(rng);
diff --git a/wolfhsm/wh_common.h b/wolfhsm/wh_common.h
@@ -70,7 +70,7 @@ typedef uint16_t whNvmFlags;
 #define WH_NVM_FLAGS_ANY   ((whNvmFlags)-1)
 
 #define WH_NVM_FLAGS_IMMUTABLE      ((whNvmFlags)1 << 0) /* Cannot be overwritten */
-#define WH_NVM_FLAGS_SENSITIVE      ((whNvmFlags)1 << 1) /* Holds private/secret data */
+#define WH_NVM_FLAGS_SENSITIVE      ((whNvmFlags)1 << 1) /* Cannot be exported in unwrapped form */
 #define WH_NVM_FLAGS_NONEXPORTABLE  ((whNvmFlags)1 << 2) /* Cannot be exported */
 #define WH_NVM_FLAGS_LOCAL          ((whNvmFlags)1 << 3) /* Was generated locally */
 #define WH_NVM_FLAGS_EPHEMERAL      ((whNvmFlags)1 << 4) /* Cannot be cached nor committed */
