wolfSSL
diff --git a/‎examples/demo/client/wh_demo_client_all.c‎
Lines changed: 2 additions & 5 deletions b/‎examples/demo/client/wh_demo_client_all.c‎
Lines changed: 2 additions & 5 deletions
diff --git a/‎…les/demo/client/wh_demo_client_wrapkey.c‎ ‎…les/demo/client/wh_demo_client_keywrap.c‎examples/demo/client/wh_demo_client_wrapkey.c renamed to examples/demo/client/wh_demo_client_keywrap.c
Lines changed: 29 additions & 34 deletions b/‎…les/demo/client/wh_demo_client_wrapkey.c‎ ‎…les/demo/client/wh_demo_client_keywrap.c‎examples/demo/client/wh_demo_client_wrapkey.c renamed to examples/demo/client/wh_demo_client_keywrap.c
Lines changed: 29 additions & 34 deletions
diff --git a/‎examples/demo/client/wh_demo_client_keywrap.h‎
Lines changed: 8 additions & 0 deletions b/‎examples/demo/client/wh_demo_client_keywrap.h‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎examples/demo/client/wh_demo_client_wrapkey.h‎
Lines changed: 0 additions & 8 deletions b/‎examples/demo/client/wh_demo_client_wrapkey.h‎
Lines changed: 0 additions & 8 deletions
@@ -4,7 +4,7 @@
 #include "wh_demo_client_keystore.h"
 #include "wh_demo_client_crypto.h"
 #include "wh_demo_client_secboot.h"
-#include "wh_demo_client_wrapkey.h"
+#include "wh_demo_client_keywrap.h"
 #include "wh_demo_client_all.h"
 
 int wh_DemoClient_All(whClientContext* clientContext)
@@ -46,13 +46,10 @@ int wh_DemoClient_All(whClientContext* clientContext)
     }
 #endif
 
-    /* Wrap key demos */
-#ifdef WOLFHSM_CFG_WRAPKEY
-    rc = wh_DemoClient_WrapKeyBasic(clientContext);
+    rc = wh_DemoClient_KeyWrapBasic(clientContext);
     if (rc != 0) {
         return rc;
     }
-#endif
 
     /**Crypto demos */
 #ifndef NO_RSA
 
@@ -18,7 +18,6 @@
  */
 
 #include "wolfhsm/wh_settings.h"
-#ifdef WOLFHSM_CFG_WRAPKEY
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
@@ -27,13 +26,12 @@
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
-#include "wolfhsm/wh_client_wrapkey.h"
 
 #include "wolfssl/wolfcrypt/settings.h"
 #include "wolfssl/wolfcrypt/aes.h"
 #include "wolfssl/wolfcrypt/random.h"
 
-#include "wh_demo_client_wrapkey.h"
+#include "wh_demo_client_keywrap.h"
 
 #ifndef NO_AES
 #define HAVE_AESGCM
@@ -48,13 +46,12 @@
      sizeof(whNvmMetadata))
 #define WH_TEST_WRAPKEY_ID 8
 
-int wh_DemoClient_AesGcmWrapKeyBasic(whClientContext* ctx, WC_RNG* rng)
+int wh_DemoClient_AesGcmKeyWrapBasic(whClientContext* ctx, WC_RNG* rng)
 {
     int           ret = 0;
-    uint8_t       iv[AES_BLOCK_SIZE];
-    uint8_t       key[WH_TEST_AES_KEYSIZE];
-    uint8_t       plainKey[WH_TEST_AES_KEYSIZE];
-    uint8_t       tmpPlainKey[WH_TEST_AES_KEYSIZE];
+    uint8_t       kek[WH_TEST_AES_KEYSIZE];
+    uint8_t       clientKey[WH_TEST_AES_KEYSIZE];
+    uint8_t       tmpClientKey[WH_TEST_AES_KEYSIZE];
     uint8_t       wrappedKey[WH_TEST_AES_WRAPPED_KEYSIZE];
     uint8_t       label[WH_NVM_LABEL_LEN] = "Server AES Key Label";
     whKeyId       serverKeyId;
@@ -65,61 +62,61 @@ int wh_DemoClient_AesGcmWrapKeyBasic(whClientContext* ctx, WC_RNG* rng)
                               .len    = WH_TEST_AES_KEYSIZE};
     whNvmMetadata tmpMetadata;
 
-    /* Randomize inputs */
-    ret = wc_RNG_GenerateBlock(rng, key, sizeof(key));
+    /* Generate a random KEK to encrypt the client key */
+    ret = wc_RNG_GenerateBlock(rng, kek, sizeof(kek));
     if (ret != 0) {
         printf("Failed to wc_RNG_GenerateBlock for key %d\n", ret);
         return ret;
     }
-
-    ret = wc_RNG_GenerateBlock(rng, plainKey, sizeof(plainKey));
+    
+    /* Generate a random client key */
+    ret = wc_RNG_GenerateBlock(rng, clientKey, sizeof(clientKey));
     if (ret != 0) {
         printf("Failed to wc_RNG_GenerateBlock for key data %d\n", ret);
         return ret;
     }
 
-    ret = wc_RNG_GenerateBlock(rng, iv, sizeof(iv));
-    if (ret != 0) {
-        printf("Failed to wc_RNG_GenerateBlock for IV %d\n", ret);
-        return ret;
-    }
-
-    /* Initialize the AES GCM Server key */
-    ret = wh_Client_KeyCache(ctx, 0, label, sizeof(label), key, sizeof(key),
+    /* Request the server to cache the KEK and give us back a key ID*/
+    ret = wh_Client_KeyCache(ctx, 0, label, sizeof(label), kek, sizeof(kek),
                              &serverKeyId);
     if (ret != 0) {
         printf("Failed to wh_Client_KeyCache %d\n", ret);
         return ret;
     }
 
-    ret = wh_Client_WrapKey(ctx, WC_CIPHER_AES_GCM, serverKeyId, plainKey, sizeof(plainKey),
+    /* Request the server to wrap the client key using the KEK we just cached */
+    ret = wh_Client_KeyWrap(ctx, WC_CIPHER_AES_GCM, serverKeyId, clientKey, sizeof(clientKey),
                             &metadata, wrappedKey, sizeof(wrappedKey));
     if (ret != 0) {
-        printf("Failed to wh_Client_WrapKey %d\n", ret);
+        printf("Failed to wh_Client_KeyWrap %d\n", ret);
         return ret;
     }
 
-    ret = wh_Client_UnwrapKeyCache(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
+    /* Request the server to unwrap and cache the wrapped key we just created */
+    ret = wh_Client_KeyUnwrapAndCache(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
                                    sizeof(wrappedKey), &wrappedKeyId);
     if (ret != 0) {
-        printf("Failed to wh_Client_UnwrapKeyCache %d\n", ret);
+        printf("Failed to wh_Client_KeyUnwrapAndCache %d\n", ret);
         return ret;
     }
 
-    ret = wh_Client_UnwrapKeyExport(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
+    /* Request the server to unwrap and export the wrapped key we created */
+    ret = wh_Client_KeyUnwrapAndExport(ctx, WC_CIPHER_AES_GCM, serverKeyId, wrappedKey,
                                     sizeof(wrappedKey), &tmpMetadata,
-                                    tmpPlainKey, sizeof(tmpPlainKey));
+                                    tmpClientKey, sizeof(tmpClientKey));
     if (ret != 0) {
-        printf("Failed to wh_Client_UnwrapKeyCache %d\n", ret);
+        printf("Failed to wh_Client_KeyUnwrapAndCache %d\n", ret);
         return ret;
     }
 
 
-    if (memcmp(plainKey, tmpPlainKey, sizeof(plainKey)) != 0) {
+    /* Compare the exported key to the client key we requested to wrap */
+    if (memcmp(clientKey, tmpClientKey, sizeof(clientKey)) != 0) {
         printf("AES GCM wrap/unwrap key failed to match\n");
         return ret;
     }
 
+    /* Compare the exported metadata to the metadata we requested to wrap */
     if (memcmp(&metadata, &tmpMetadata, sizeof(metadata)) != 0) {
         printf("AES GCM wrap/unwrap metadata failed to match\n");
         return ret;
@@ -130,19 +127,19 @@ int wh_DemoClient_AesGcmWrapKeyBasic(whClientContext* ctx, WC_RNG* rng)
 
 #endif /* HAVE_AESGCM */
 
-int wh_DemoClient_AesWrapKeyBasic(whClientContext* clientContext, WC_RNG* rng)
+int wh_DemoClient_AesKeyWrapBasic(whClientContext* clientContext, WC_RNG* rng)
 {
     int ret = WH_ERROR_OK;
 
 #ifdef HAVE_AESGCM
-    ret = wh_DemoClient_AesGcmWrapKeyBasic(clientContext, rng);
+    ret = wh_DemoClient_AesGcmKeyWrapBasic(clientContext, rng);
 #endif
 
     return ret;
 }
 
 #endif /* !NO_AES */
-int wh_DemoClient_WrapKeyBasic(whClientContext* clientContext)
+int wh_DemoClient_KeyWrapBasic(whClientContext* clientContext)
 {
 
     int    ret;
@@ -155,11 +152,9 @@ int wh_DemoClient_WrapKeyBasic(whClientContext* clientContext)
     }
 
 #ifndef NO_AES
-    ret = wh_DemoClient_AesWrapKeyBasic(clientContext, rng);
+    ret = wh_DemoClient_AesKeyWrapBasic(clientContext, rng);
 #endif
 
     wc_FreeRng(rng);
     return ret;
 }
-
-#endif /* WOLFHSM_CFG_WRAPKEY */
@@ -0,0 +1,8 @@
+#ifndef DEMO_CLIENT_KEYWRAP_H_
+#define DEMO_CLIENT_KEYWRAP_H_
+
+#include "wolfhsm/wh_client.h"
+
+int wh_DemoClient_KeyWrapBasic(whClientContext* clientContext);
+
+#endif /* !DEMO_CLIENT_KEYWRAP_H_ */