keystore: improvements

* use whKeyId instead of whNvmId in wh_Client_KeyRevoke API
* propagate WH_ERROR_NOT_FOUND in check policy functions
* simplify check policies functions

Author: rizlik

src/wh_client.c

@@ -1114,7 +1114,7 @@ int wh_Client_KeyRevokeResponse(whClientContext* c)
     return ret;
 }
 
-int wh_Client_KeyRevoke(whClientContext* c, whNvmId keyId)
+int wh_Client_KeyRevoke(whClientContext* c, whKeyId keyId)
 {
     int ret;
     ret = wh_Client_KeyRevokeRequest(c, keyId);

src/wh_nvm.c

@@ -52,38 +52,29 @@ static int wh_Nvm_CheckPolicy(whNvmContext* context, whNvmOp op, whNvmId id,
     }
 
     ret = wh_Nvm_GetMetadata(context, id, &meta);
-    if (existing_meta != NULL && ret == WH_ERROR_OK) {
+    if (ret != WH_ERROR_OK) {
+        return ret;
+    }
+
+    if (existing_meta != NULL) {
         *existing_meta = meta;
     }
 
     switch (op) {
         case WH_NVM_OP_ADD:
-            if (ret == WH_ERROR_OK) {
-                if (meta.flags & WH_NVM_FLAGS_NONMODIFIABLE) {
-                    return WH_ERROR_ACCESS;
-                }
-            }
-            else if (ret != WH_ERROR_NOTFOUND) {
-                return ret;
+            if (meta.flags & WH_NVM_FLAGS_NONMODIFIABLE) {
+                return WH_ERROR_ACCESS;
             }
             break;
 
         case WH_NVM_OP_DESTROY:
-            if (ret == WH_ERROR_OK) {
-                if (meta.flags & (WH_NVM_FLAGS_NONMODIFIABLE |
-                                  WH_NVM_FLAGS_NONDESTROYABLE)) {
-                    return WH_ERROR_ACCESS;
-                }
-            }
-            else if (ret != WH_ERROR_NOTFOUND) {
-                return ret;
+            if (meta.flags &
+                (WH_NVM_FLAGS_NONMODIFIABLE | WH_NVM_FLAGS_NONDESTROYABLE)) {
+                return WH_ERROR_ACCESS;
             }
             break;
 
         case WH_NVM_OP_READ:
-            if (ret != WH_ERROR_OK) {
-                return ret;
-            }
             if (meta.flags & WH_NVM_FLAGS_NONEXPORTABLE) {
                 return WH_ERROR_ACCESS;
             }
@@ -97,16 +88,15 @@ static int wh_Nvm_CheckPolicy(whNvmContext* context, whNvmOp op, whNvmId id,
 }
 
 
-int wh_Nvm_Init(whNvmContext* context, const whNvmConfig *config)
+int wh_Nvm_Init(whNvmContext* context, const whNvmConfig* config)
 {
     int rc = 0;
 
-    if (    (context == NULL) ||
-            (config == NULL) ) {
+    if ((context == NULL) || (config == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
-    context->cb = config->cb;
+    context->cb      = config->cb;
     context->context = config->context;
 
 #if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_GLOBAL_KEYS)
@@ -221,7 +211,7 @@ int wh_Nvm_AddObjectChecked(whNvmContext* context, whNvmMetadata* meta,
     int ret;
 
     ret = wh_Nvm_CheckPolicy(context, WH_NVM_OP_ADD, meta->id, NULL);
-    if (ret != WH_ERROR_OK) {
+    if (ret != WH_ERROR_OK && ret != WH_ERROR_NOTFOUND) {
         return ret;
     }
 

src/wh_server_keystore.c

@@ -114,116 +114,82 @@ static int _KeyIsCommitted(whServerContext* server, whKeyId keyId)
 /* Centralized cache/NVM policy: enforce NONMODIFIABLE/NONEXPORTABLE at the
  * keystore layer. Usage enforcement remains separate. */
 static int _KeystoreCheckPolicy(whServerContext* server, whKsOp op,
-                                whKeyId keyId, const whNvmMetadata* metaOpt)
+                                whKeyId keyId)
 {
-    whNvmMetadata*       cacheMeta = NULL;
-    whNvmMetadata        nvmMeta;
-    const whNvmMetadata* meta = metaOpt;
-    int                  ret;
+    whNvmMetadata* cacheMeta = NULL;
+    whNvmMetadata  nvmMeta;
+    whNvmFlags     flags;
+    int            ret;
+    int            foundInCache = 0;
+    int            foundInNvm   = 0;
 
     if ((server == NULL) || WH_KEYID_ISERASED(keyId)) {
         return WH_ERROR_BADARGS;
     }
 
-    /* See if the key is already in cache to use its flags */
+    /* Check cache first */
     ret = _FindInCache(server, keyId, NULL, NULL, NULL, &cacheMeta);
-    if (ret == WH_ERROR_OK) {
-        if (cacheMeta != NULL) {
-            switch (op) {
-                case WH_KS_OP_CACHE:
-                    if (cacheMeta->flags & WH_NVM_FLAGS_NONMODIFIABLE) {
-                        return WH_ERROR_ACCESS;
-                    }
-                    else {
-                        return WH_ERROR_OK;
-                    }
-                case WH_KS_OP_ERASE:
-                    if (cacheMeta->flags & (WH_NVM_FLAGS_NONMODIFIABLE |
-                                            WH_NVM_FLAGS_NONDESTROYABLE)) {
-                        return WH_ERROR_ACCESS;
-                    }
-                    else {
-                        return WH_ERROR_OK;
-                    }
-                    break;
-                case WH_KS_OP_EVICT:
-                    /* committed key can be evicted */
-                    if (_KeyIsCommitted(server, keyId)) {
-                        return WH_ERROR_OK;
-                    }
-                    if (cacheMeta->flags & WH_NVM_FLAGS_NONMODIFIABLE) {
-                        return WH_ERROR_ACCESS;
-                    }
-                    else {
-                        return WH_ERROR_OK;
-                    }
-                    break;
-                case WH_KS_OP_COMMIT:
-                    return WH_ERROR_OK;
-                case WH_KS_OP_EXPORT:
-                    if (cacheMeta->flags & WH_NVM_FLAGS_NONEXPORTABLE) {
-                        return WH_ERROR_ACCESS;
-                    }
-                    else {
-                        return WH_ERROR_OK;
-                    }
-                    break;
-                case WH_KS_OP_REVOKE:
-                    /* revoke is allowed even if already NONMODIFIABLE */
-                    return WH_ERROR_OK;
-            }
-            meta = cacheMeta;
-        }
+    if (ret == WH_ERROR_OK && cacheMeta != NULL) {
+        foundInCache = 1;
     }
-    else if (ret != WH_ERROR_NOTFOUND) {
+    else if (ret != WH_ERROR_OK && ret != WH_ERROR_NOTFOUND) {
         return ret;
     }
 
-    /* Get NVM metadata if not found in cache */
-    ret = wh_Nvm_GetMetadata(server->nvm, keyId, &nvmMeta);
-    if (ret == WH_ERROR_OK) {
-        switch (op) {
-            /* should never happen */
-            case WH_KS_OP_COMMIT:
-                return WH_ERROR_ABORTED;
-            case WH_KS_OP_CACHE:
-                if (nvmMeta.flags & WH_NVM_FLAGS_NONMODIFIABLE) {
-                    return WH_ERROR_ACCESS;
-                }
-                else {
-                    return WH_ERROR_OK;
-                }
-                break;
-            case WH_KS_OP_ERASE:
-                if (nvmMeta.flags & (WH_NVM_FLAGS_NONMODIFIABLE |
-                                     WH_NVM_FLAGS_NONDESTROYABLE)) {
-                    return WH_ERROR_ACCESS;
-                }
-                else {
-                    return WH_ERROR_OK;
-                }
-                break;
-            case WH_KS_OP_EXPORT:
-                if (nvmMeta.flags & WH_NVM_FLAGS_NONEXPORTABLE) {
-                    return WH_ERROR_ACCESS;
-                }
-                else {
-                    return WH_ERROR_OK;
-                }
-                break;
-            case WH_KS_OP_REVOKE:
-                /* allow revoke even if already NONMODIFIABLE */
-                return WH_ERROR_OK;
-            case WH_KS_OP_EVICT:
-                /* no-op */
-                return WH_ERROR_OK;
+    /* Check NVM if not in cache */
+    if (!foundInCache) {
+        ret = wh_Nvm_GetMetadata(server->nvm, keyId, &nvmMeta);
+        if (ret == WH_ERROR_OK) {
+            foundInNvm = 1;
         }
-        if (meta == NULL) {
-            meta = &nvmMeta;
+        else if (ret != WH_ERROR_NOTFOUND) {
+            return ret;
         }
     }
-    else if (ret != WH_ERROR_NOTFOUND) {
-        return ret;
+
+    /* Key not found */
+    if (!foundInCache && !foundInNvm) {
+        return WH_ERROR_NOTFOUND;
+    }
+
+    /* Get flags from the appropriate source */
+    flags = (foundInCache) ? cacheMeta->flags : nvmMeta.flags;
+
+    switch (op) {
+        case WH_KS_OP_CACHE:
+            if (flags & WH_NVM_FLAGS_NONMODIFIABLE) {
+                return WH_ERROR_ACCESS;
+            }
+            break;
+
+        case WH_KS_OP_EVICT:
+            if (_KeyIsCommitted(server, keyId)) {
+                /* Committed keys can always be evicted */
+                break;
+            }
+            if (flags &
+                (WH_NVM_FLAGS_NONMODIFIABLE | WH_NVM_FLAGS_NONDESTROYABLE)) {
+                return WH_ERROR_ACCESS;
+            }
+            break;
+
+        case WH_KS_OP_ERASE:
+            if (flags &
+                (WH_NVM_FLAGS_NONMODIFIABLE | WH_NVM_FLAGS_NONDESTROYABLE)) {
+                return WH_ERROR_ACCESS;
+            }
+            break;
+
+        case WH_KS_OP_EXPORT:
+            if (flags & WH_NVM_FLAGS_NONEXPORTABLE) {
+                return WH_ERROR_ACCESS;
+            }
+            break;
+
+        case WH_KS_OP_COMMIT:
+        case WH_KS_OP_REVOKE:
+            /* Always allowed */
+            break;
     }
 
     return WH_ERROR_OK;
@@ -518,8 +484,8 @@ int wh_Server_KeystoreGetCacheSlotChecked(whServerContext* server,
                                           whNvmMetadata** outMeta)
 {
     int ret;
-    ret = _KeystoreCheckPolicy(server, WH_KS_OP_CACHE, keyId, NULL);
-    if (ret != WH_ERROR_OK) {
+    ret = _KeystoreCheckPolicy(server, WH_KS_OP_CACHE, keyId);
+    if (ret != WH_ERROR_OK && ret != WH_ERROR_NOTFOUND) {
         return ret;
     }
     return wh_Server_KeystoreGetCacheSlot(server, keyId, keySz, outBuf,
@@ -651,15 +617,14 @@ int wh_Server_KeystoreFreshenKey(whServerContext* server, whKeyId keyId,
                                              cacheBufOut, cacheMetaOut);
         if (ret == WH_ERROR_OK) {
             /* Read the key from NVM into the cache slot */
-            ret = wh_Nvm_Read(server->nvm, keyId, 0, tmpMeta->len,
-                              *cacheBufOut);
+            ret =
+                wh_Nvm_Read(server->nvm, keyId, 0, tmpMeta->len, *cacheBufOut);
             if (ret == WH_ERROR_OK) {
                 /* Copy the metadata to the cache slot if key read is
                  * successful*/
                 memcpy((uint8_t*)*cacheMetaOut, (uint8_t*)tmpMeta,
                        sizeof(whNvmMetadata));
-                _MarkKeyCommitted(_GetCacheContext(server, keyId), keyId,
-                                  1);
+                _MarkKeyCommitted(_GetCacheContext(server, keyId), keyId, 1);
             }
         }
     }
@@ -749,7 +714,7 @@ int wh_Server_KeystoreReadKeyChecked(whServerContext* server, whKeyId keyId,
 {
     int ret;
 
-    ret = _KeystoreCheckPolicy(server, WH_KS_OP_EXPORT, keyId, NULL);
+    ret = _KeystoreCheckPolicy(server, WH_KS_OP_EXPORT, keyId);
     if (ret != WH_ERROR_OK) {
         return ret;
     }
@@ -783,7 +748,7 @@ int wh_Server_KeystoreEvictKeyChecked(whServerContext* server, whNvmId keyId)
 {
     int ret;
 
-    ret = _KeystoreCheckPolicy(server, WH_KS_OP_EVICT, keyId, NULL);
+    ret = _KeystoreCheckPolicy(server, WH_KS_OP_EVICT, keyId);
     if (ret != WH_ERROR_OK) {
         return ret;
     }
@@ -826,7 +791,7 @@ int wh_Server_KeystoreCommitKeyChecked(whServerContext* server, whNvmId keyId)
 {
     int ret;
 
-    ret = _KeystoreCheckPolicy(server, WH_KS_OP_COMMIT, keyId, NULL);
+    ret = _KeystoreCheckPolicy(server, WH_KS_OP_COMMIT, keyId);
     if (ret != WH_ERROR_OK) {
         return ret;
     }
@@ -896,7 +861,7 @@ int wh_Server_KeystoreRevokeKey(whServerContext* server, whNvmId keyId)
         return WH_ERROR_BADARGS;
     }
 
-    ret = _KeystoreCheckPolicy(server, WH_KS_OP_REVOKE, keyId, NULL);
+    ret = _KeystoreCheckPolicy(server, WH_KS_OP_REVOKE, keyId);
     if (ret != WH_ERROR_OK) {
         return ret;
     }
@@ -2210,7 +2175,7 @@ int wh_Server_KeystoreExportKeyDmaChecked(whServerContext* server,
 {
     int ret;
 
-    ret = _KeystoreCheckPolicy(server, WH_KS_OP_EXPORT, keyId, NULL);
+    ret = _KeystoreCheckPolicy(server, WH_KS_OP_EXPORT, keyId);
     if (ret != WH_ERROR_OK) {
         return ret;
     }

wolfhsm/wh_client.h

@@ -773,7 +773,7 @@ int wh_Client_KeyErase(whClientContext* c, whNvmId keyId);
  * @param[in] keyId Key ID to be revoked.
  * @return int Returns 0 on success, or a negative error code on failure.
  */
-int wh_Client_KeyRevokeRequest(whClientContext* c, whNvmId keyId);
+int wh_Client_KeyRevokeRequest(whClientContext* c, whKeyId keyId);
 
 /**
  * @brief Receives a key revoke response from the server.
@@ -800,7 +800,7 @@ int wh_Client_KeyRevokeResponse(whClientContext* c);
  * @param[in] keyId Key ID to be revoked.
  * @return int Returns 0 on success, or a negative error code on failure.
  */
-int wh_Client_KeyRevoke(whClientContext* c, whNvmId keyId);
+int wh_Client_KeyRevoke(whClientContext* c, whKeyId keyId);
 
 #ifdef WOLFHSM_CFG_DMA
 

wolfhsm/wh_server_keystore.h

@@ -189,7 +189,7 @@ int wh_Server_KeystoreEraseKeyChecked(whServerContext* server, whNvmId keyId);
  *
  * Placeholder implementation for key revocation.
  */
-int wh_Server_KeystoreRevokeKey(whServerContext* server, whNvmId keyId);
+int wh_Server_KeystoreRevokeKey(whServerContext* server, whKeyId keyId);
 
 /**
  * @brief Handle key management requests from clients