Clean up wrap key test code. Fix minor issues with Wrap key server and client code

AlexLanzano · AlexLanzano · commit d374f66fd0be · 2025-09-13T13:22:49.000-04:00
diff --git a/examples/demo/client/wh_demo_client_wrapkey.c b/examples/demo/client/wh_demo_client_wrapkey.c
@@ -46,11 +46,10 @@
 #define WH_TEST_AES_WRAPPED_KEYSIZE                                     \
     (WH_TEST_AES_AUTHSIZE + WH_TEST_AES_TAGSIZE + WH_TEST_AES_KEYSIZE + \
      sizeof(whNvmMetadata))
+#define WH_TEST_WRAPKEY_ID 8
 
 int wh_DemoClient_AesGcmWrapKeyBasic(whClientContext* ctx, WC_RNG* rng)
 {
-
-
     int           ret = 0;
     uint8_t       iv[AES_BLOCK_SIZE];
     uint8_t       key[WH_TEST_AES_KEYSIZE];
@@ -60,7 +59,8 @@ int wh_DemoClient_AesGcmWrapKeyBasic(whClientContext* ctx, WC_RNG* rng)
     uint8_t       label[WH_NVM_LABEL_LEN] = "Server AES Key Label";
     whKeyId       serverKeyId;
     whKeyId       wrappedKeyId;
-    whNvmMetadata metadata = {.label  = "AES Key Label",
+    whNvmMetadata metadata = {.id = WH_TEST_WRAPKEY_ID,
+                              .label  = "AES Key Label",
                               .access = WH_NVM_ACCESS_ANY,
                               .len    = WH_TEST_AES_KEYSIZE};
     whNvmMetadata tmpMetadata;
diff --git a/src/wh_server_keystore.c b/src/wh_server_keystore.c
@@ -344,6 +344,26 @@ static int _FindInCache(whServerContext* server, whKeyId keyId, int* out_index,
     return ret;
 }
 
+static bool _ExistsInCache(whServerContext* server, whKeyId keyId)
+{
+    int           ret           = 0;
+    int           foundIndex    = -1;
+    int           foundBigIndex = -1;
+    whNvmMetadata* tmpMeta;
+    uint8_t* tmpBuf;
+
+    ret = _FindInCache(server, keyId, &foundIndex, 
+                       &foundBigIndex, &tmpBuf, &tmpMeta);
+    
+    if (ret != WH_ERROR_OK) {
+        /* Key doesn't exist in the cache */
+        return false;
+    }
+
+    /* Key exists in the cache */
+    return true;
+}
+
 /* try to put the specified key into cache if it isn't already, return pointers
  * to meta and the cached data*/
 int wh_Server_KeystoreFreshenKey(whServerContext* server, whKeyId keyId,
@@ -532,9 +552,6 @@ int wh_Server_KeystoreEraseKey(whServerContext* server, whNvmId keyId)
 }
 
 
-#define WOLFHSM_WRAPKEY_AES_GCM_TAG_SIZE 16
-#define WOLFHSM_WRAPKEY_AES_GCM_IV_SIZE 16
-#define WOLFHSM_WRAPKEY_MAX_KEY_SIZE 4096
 
 static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
                           uint8_t* keyIn, uint16_t keySz,
@@ -543,9 +560,8 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
 {
     int      ret = 0;
     Aes      aes[1];
-    WC_RNG   rng[1];
-    uint8_t  authTag[WOLFHSM_WRAPKEY_AES_GCM_TAG_SIZE];
-    uint8_t  iv[WOLFHSM_WRAPKEY_AES_GCM_IV_SIZE];
+    uint8_t  authTag[WOLFHSM_CFG_WRAPKEY_AES_GCM_TAG_SIZE];
+    uint8_t  iv[WOLFHSM_CFG_WRAPKEY_AES_GCM_IV_SIZE];
     uint8_t  serverKey[AES_MAX_KEY_SIZE];
     uint32_t serverKeySz = sizeof(serverKey);
 
@@ -558,12 +574,6 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
         sizeof(iv) + sizeof(authTag) + sizeof(*metadataIn) + keySz)
         return WH_ERROR_BUFFER_SIZE;
 
-    /* Initialize RNG context */
-    ret = wc_InitRng_ex(rng, NULL, server->crypto->devId);
-    if (ret != 0) {
-        return ret;
-    }
-
     /* Get the server side key */
     ret = wh_Server_KeystoreReadKey(
         server,
@@ -576,20 +586,18 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
     /* Initialize AES context and set it to use the server side key */
     ret = wc_AesInit(aes, NULL, server->crypto->devId);
     if (ret != 0) {
-        wc_FreeRng(rng);
         return ret;
     }
 
     ret = wc_AesGcmSetKey(aes, serverKey, serverKeySz);
     if (ret != 0) {
-        wc_FreeRng(rng);
+        wc_AesFree(aes);
         return ret;
     }
 
     /* Generate the IV */
-    ret = wc_RNG_GenerateBlock(rng, iv, sizeof(iv));
+    ret = wc_RNG_GenerateBlock(server->crypto->rng, iv, sizeof(iv));
     if (ret != 0) {
-        wc_FreeRng(rng);
         wc_AesFree(aes);
         return ret;
     }
@@ -604,7 +612,6 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
     ret = wc_AesGcmEncrypt(aes, encBlob, plainBlob, sizeof(plainBlob), iv,
                            sizeof(iv), authTag, sizeof(authTag), NULL, 0);
     if (ret != 0) {
-        wc_FreeRng(rng);
         wc_AesFree(aes);
         return ret;
     }
@@ -613,7 +620,6 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
     memcpy(wrappedKeyOut, iv, sizeof(iv));
     memcpy(wrappedKeyOut + sizeof(iv), authTag, sizeof(authTag));
 
-    wc_FreeRng(rng);
     wc_AesFree(aes);
 
     return WH_ERROR_OK;
@@ -626,8 +632,8 @@ static int _AesGcmUnwrapKey(whServerContext* server, uint16_t serverKeyId,
 {
     int      ret = 0;
     Aes      aes[1];
-    uint8_t  authTag[WOLFHSM_WRAPKEY_AES_GCM_TAG_SIZE];
-    uint8_t  iv[WOLFHSM_WRAPKEY_AES_GCM_IV_SIZE];
+    uint8_t  authTag[WOLFHSM_CFG_WRAPKEY_AES_GCM_TAG_SIZE];
+    uint8_t  iv[WOLFHSM_CFG_WRAPKEY_AES_GCM_IV_SIZE];
     uint8_t  serverKey[AES_MAX_KEY_SIZE];
     uint32_t serverKeySz = sizeof(serverKey);
     uint8_t* encBlob   = (uint8_t*)wrappedKeyIn + sizeof(iv) + sizeof(authTag);
@@ -685,17 +691,15 @@ static int _HandleWrapKeyRequest(whServerContext*              server,
                                  whMessageKeystore_WrapResponse* resp,
                                  uint8_t* respData, uint32_t respDataSz)
 {
-    if (server == NULL || req == NULL || reqData == NULL || resp == NULL ||
-        respData == NULL)
-        return WH_ERROR_BADARGS;
-
-    if (req->keySz > WOLFHSM_WRAPKEY_MAX_KEY_SIZE)
-        return WH_ERROR_BADARGS;
 
     int           ret;
     uint8_t*      wrappedKey;
     whNvmMetadata metadata;
-    uint8_t       key[WOLFHSM_WRAPKEY_MAX_KEY_SIZE];
+    uint8_t       key[WOLFHSM_CFG_WRAPKEY_MAX_KEY_SIZE];
+
+    if (server == NULL || req == NULL || reqData == NULL || resp == NULL ||
+        respData == NULL || req->keySz > WOLFHSM_CFG_WRAPKEY_MAX_KEY_SIZE)
+        return WH_ERROR_BADARGS;
 
     /* Check if the reqData is big enough to hold the metadata and key */
     if (reqDataSz < sizeof(metadata) + req->keySz)
@@ -710,8 +714,8 @@ static int _HandleWrapKeyRequest(whServerContext*              server,
 
     switch (req->cipherType) {
         case WC_CIPHER_AES_GCM: {
-            uint16_t wrappedKeySz = WOLFHSM_WRAPKEY_AES_GCM_IV_SIZE +
-                                    WOLFHSM_WRAPKEY_AES_GCM_TAG_SIZE +
+            uint16_t wrappedKeySz = WOLFHSM_CFG_WRAPKEY_AES_GCM_IV_SIZE +
+                                    WOLFHSM_CFG_WRAPKEY_AES_GCM_TAG_SIZE +
                                     sizeof(metadata) + req->keySz;
 
             /* Check if the response data can fit the wrapped key */
@@ -766,8 +770,8 @@ static int _HandleUnwrapExportKeyRequest(whServerContext*                server,
     switch (req->cipherType) {
         case WC_CIPHER_AES_GCM: {
             uint16_t keySz =
-                req->wrappedKeySz - WOLFHSM_WRAPKEY_AES_GCM_IV_SIZE -
-                WOLFHSM_WRAPKEY_AES_GCM_TAG_SIZE - sizeof(*metadata);
+                req->wrappedKeySz - WOLFHSM_CFG_WRAPKEY_AES_GCM_IV_SIZE -
+                WOLFHSM_CFG_WRAPKEY_AES_GCM_TAG_SIZE - sizeof(*metadata);
 
             /* Check if the response data can fit the metadata + key  */
             if (respDataSz < sizeof(*metadata) + keySz)
@@ -780,6 +784,11 @@ static int _HandleUnwrapExportKeyRequest(whServerContext*                server,
                 return ret;
             }
 
+            /* Check if the key is exportable */
+            if (metadata->flags & WH_NVM_FLAGS_NONEXPORTABLE) {
+                return WH_ERROR_ACCESS;
+            }
+
             /* Tell the client how big the key is */
             resp->keySz = keySz;
             resp->cipherType = WC_CIPHER_AES_GCM;
@@ -811,7 +820,7 @@ static int _HandleUnwrapCacheKeyRequest(whServerContext*               server,
     uint8_t*      wrappedKey;
     whNvmMetadata metadata;
     uint16_t keySz;
-    uint8_t key[WOLFHSM_WRAPKEY_MAX_KEY_SIZE];
+    uint8_t key[WOLFHSM_CFG_WRAPKEY_MAX_KEY_SIZE];
 
     /* Check if the reqData is big enough to hold the wrapped key */
     if (reqDataSz < req->wrappedKeySz)
@@ -824,8 +833,8 @@ static int _HandleUnwrapCacheKeyRequest(whServerContext*               server,
     switch (req->cipherType) {
         case WC_CIPHER_AES_GCM: {
             keySz =
-                req->wrappedKeySz - WOLFHSM_WRAPKEY_AES_GCM_IV_SIZE -
-                WOLFHSM_WRAPKEY_AES_GCM_TAG_SIZE - sizeof(metadata);
+                req->wrappedKeySz - WOLFHSM_CFG_WRAPKEY_AES_GCM_IV_SIZE -
+                WOLFHSM_CFG_WRAPKEY_AES_GCM_TAG_SIZE - sizeof(metadata);
 
             ret = _AesGcmUnwrapKey(server, req->serverKeyId, wrappedKey,
                                    req->wrappedKeySz, &metadata, key, keySz);
@@ -834,6 +843,7 @@ static int _HandleUnwrapCacheKeyRequest(whServerContext*               server,
             }
 
             resp->cipherType = WC_CIPHER_AES_GCM;
+            resp->keyId = metadata.id;
 
         } break;
         default:
@@ -845,17 +855,12 @@ static int _HandleUnwrapCacheKeyRequest(whServerContext*               server,
         return WH_ERROR_BADARGS;
     }
 
-    /* Get a new id if one wasn't provided */
-    if (WH_KEYID_ISERASED(metadata.id)) {
-        ret = wh_Server_KeystoreGetUniqueId(server, &metadata.id);
-        if (ret != WH_ERROR_OK) {
-            return ret;
-        }
+    /* Check if this key already exists in the cache */
+    if (_ExistsInCache(server, metadata.id)) {
+        return WH_ERROR_ABORTED;
     }
 
-    resp->keyId = metadata.id;
-
-    /* Write the key */
+    /* Cache the key */
     return wh_Server_KeystoreCacheKey(server, &metadata, key);
 }
 
@@ -1230,7 +1235,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
             cacheResp.rc = ret;
 
             (void)wh_MessageKeystore_TranslateUnwrapCacheResponse(magic, &cacheResp,
-                                                           resp_packet);
+                                                                  resp_packet);
             *out_resp_size = sizeof(cacheResp);
 
         } break;
diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c
@@ -2141,8 +2141,8 @@ static int whTestCrypto_Aes(whClientContext* ctx, int devId, WC_RNG* rng)
                                 WH_ERROR_PRINT("Failed to wc_AesSetIV %d\n",
                                         ret);
                             } else {
-                                ret = wc_AesCbcDecrypt(aes, plainOut, cipher,
-                                                       sizeof(plainIn));
+                                ret = wc_AesCbcDecrypt(aes, plainOut,
+                                        cipher, sizeof(plainIn));
                                 if (ret != 0) {
                                     WH_ERROR_PRINT("Failed to decrypt %d\n",
                                             ret);
diff --git a/test/wh_test_wrapkey.c b/test/wh_test_wrapkey.c
@@ -46,9 +46,6 @@
 
 #ifdef HAVE_AESGCM
 
-static int whTest_Client_AesGcmWrapKey(whClientContext* ctx, int devId,
-                                       WC_RNG* rng)
-{
 #define WH_TEST_AES_KEYSIZE 16
 #define WH_TEST_AES_TEXTSIZE 16
 #define WH_TEST_AES_AUTHSIZE 16
@@ -57,6 +54,10 @@ static int whTest_Client_AesGcmWrapKey(whClientContext* ctx, int devId,
     (WH_TEST_AES_AUTHSIZE + WH_TEST_AES_TAGSIZE + WH_TEST_AES_KEYSIZE + \
      sizeof(whNvmMetadata))
 
+static int whTest_Client_AesGcmWrapKey(whClientContext* ctx, int devId,
+                                       WC_RNG* rng)
+{
+
     int           ret = 0;
     uint8_t       iv[AES_BLOCK_SIZE];
     uint8_t       key[WH_TEST_AES_KEYSIZE];
@@ -66,7 +67,8 @@ static int whTest_Client_AesGcmWrapKey(whClientContext* ctx, int devId,
     uint8_t       label[WH_NVM_LABEL_LEN] = "Server AES Key Label";
     whKeyId       serverKeyId;
     whKeyId       wrappedKeyId;
-    whNvmMetadata metadata = {.label = "AES Key Label",
+    whNvmMetadata metadata = {.id = 8,
+                              .label = "AES Key Label",
                               .len   = WH_TEST_AES_KEYSIZE};
     whNvmMetadata tmpMetadata;
 
@@ -104,22 +106,21 @@ static int whTest_Client_AesGcmWrapKey(whClientContext* ctx, int devId,
         return ret;
     }
 
-    ret = wh_Client_WrapKeyCache(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
-                                 sizeof(wrappedKey), &wrappedKeyId);
+    ret = wh_Client_UnwrapKeyCache(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
+                                   sizeof(wrappedKey), &wrappedKeyId);
     if (ret != 0) {
         printf("Failed to wh_Client_AesGcmWrapKeyCache %d\n", ret);
         return ret;
     }
 
-    ret = wh_Client_UnwrapKey(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
-                              sizeof(wrappedKey), &tmpMetadata,
-                              tmpPlainKey, sizeof(tmpPlainKey));
+    ret = wh_Client_UnwrapKeyExport(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
+                                    sizeof(wrappedKey), &tmpMetadata,
+                                    tmpPlainKey, sizeof(tmpPlainKey));
     if (ret != 0) {
         printf("Failed to wh_Client_AesGcmUnwrapKeyCache %d\n", ret);
         return ret;
     }
 
-
     if (memcmp(plainKey, tmpPlainKey, sizeof(plainKey)) != 0) {
         printf("AES GCM wrap/unwrap key failed to match\n");
         return ret;
@@ -151,21 +152,29 @@ static int whTest_Client_AesWrapKey(whClientContext* ctx, int devId,
 
 #endif /* !NO_AES */
 
-static int whTest_Client_WrapKey(whClientContext* ctx, int devId, WC_RNG* rng)
+static int whTest_Client_WrapKey(whClientContext* ctx, int devId)
 {
     int ret = 0;
+    WC_RNG rng[1];
+
+    ret = wc_InitRng_ex(rng, NULL, devId);
+    if (ret != 0) {
+        WH_ERROR_PRINT("Failed to wc_InitRng_ex %d\n", ret);
+        return ret;
+    }
+
 #ifndef NO_AES
     ret = whTest_Client_AesWrapKey(ctx, devId, rng);
 #endif
 
+    (void)wc_FreeRng(rng);
     return ret;
 }
 
 int whTest_WrapKeyClientConfig(whClientConfig* config)
 {
     int             ret       = 0;
     whClientContext client[1] = {0};
-    WC_RNG          rng[1];
 
     if (config == NULL) {
         return WH_ERROR_BADARGS;
@@ -175,28 +184,17 @@ int whTest_WrapKeyClientConfig(whClientConfig* config)
 
     ret = wh_Client_CommInit(client, NULL, NULL);
     if (ret != 0) {
-        WH_ERROR_PRINT("Failed to comm init:%d\n", ret);
+        WH_ERROR_PRINT("Failed to wh_Client_Init %d\n", ret);
         (void)wh_Client_Cleanup(client);
         return ret;
     }
 
-    ret = wc_InitRng_ex(rng, NULL, WH_DEV_ID);
-    if (ret != 0) {
-        WH_ERROR_PRINT("Failed to wc_InitRng_ex %d\n", ret);
-        (void)wh_Client_CommClose(client);
-        (void)wh_Client_Cleanup(client);
-        return ret;
-    }
-
-    ret = whTest_Client_WrapKey(client, WH_DEV_ID, rng);
+    ret = whTest_Client_WrapKey(client, WH_DEV_ID);
     if (ret != 0) {
         WH_ERROR_PRINT("Failed to whTest_Client_WrapKey %d\n", ret);
-        goto cleanup_and_exit;
     }
 
-cleanup_and_exit:
     /* Clean up used resources */
-    (void)wc_FreeRng(rng);
     (void)wh_Client_CommClose(client);
     (void)wh_Client_Cleanup(client);
 
diff --git a/wolfhsm/wh_settings.h b/wolfhsm/wh_settings.h
