add (placeholder) access and label fields to cert functions

Author: bigbrett

src/wh_client_cert.c

@@ -115,8 +115,9 @@ int wh_Client_CertInit(whClientContext* c, int32_t* out_rc)
 
 /* Add a trusted certificate */
 int wh_Client_CertAddTrustedRequest(whClientContext* c, whNvmId id,
-                                    const uint8_t* cert, uint32_t cert_len,
-                                    whNvmFlags flags)
+                                    whNvmAccess access, whNvmFlags flags,
+                                    uint8_t* label, whNvmSize label_len,
+                                    const uint8_t* cert, uint32_t cert_len)
 {
     whMessageCert_AddTrustedRequest req;
     uint8_t                         buffer[WOLFHSM_CFG_COMM_DATA_LEN] = {0};
@@ -129,9 +130,16 @@ int wh_Client_CertAddTrustedRequest(whClientContext* c, whNvmId id,
     }
 
     /* Prepare request */
+    memset(&req, 0, sizeof(req));
     req.id       = id;
-    req.cert_len = cert_len;
+    req.access   = access;
     req.flags    = flags;
+    req.cert_len = cert_len;
+    if (label != NULL && label_len > 0) {
+        whNvmSize copy_len =
+            (label_len > WH_NVM_LABEL_LEN) ? WH_NVM_LABEL_LEN : label_len;
+        memcpy(req.label, label, copy_len);
+    }
 
     /* Copy request struct and certificate data */
     memcpy(buffer, &req, hdr_len);
@@ -173,9 +181,10 @@ int wh_Client_CertAddTrustedResponse(whClientContext* c, int32_t* out_rc)
     return rc;
 }
 
-int wh_Client_CertAddTrusted(whClientContext* c, whNvmId id,
-                             const uint8_t* cert, uint32_t cert_len,
-                             whNvmFlags flags, int32_t* out_rc)
+int wh_Client_CertAddTrusted(whClientContext* c, whNvmId id, whNvmAccess access,
+                             whNvmFlags flags, uint8_t* label,
+                             whNvmSize label_len, const uint8_t* cert,
+                             uint32_t cert_len, int32_t* out_rc)
 {
     int rc = 0;
 
@@ -184,7 +193,8 @@ int wh_Client_CertAddTrusted(whClientContext* c, whNvmId id,
     }
 
     do {
-        rc = wh_Client_CertAddTrustedRequest(c, id, cert, cert_len, flags);
+        rc = wh_Client_CertAddTrustedRequest(c, id, access, flags, label,
+                                             label_len, cert, cert_len);
     } while (rc == WH_ERROR_NOTREADY);
 
     if (rc == 0) {
@@ -493,8 +503,9 @@ int wh_Client_CertVerifyAndCacheLeafPubKey(
 #ifdef WOLFHSM_CFG_DMA
 
 int wh_Client_CertAddTrustedDmaRequest(whClientContext* c, whNvmId id,
-                                       const void* cert, uint32_t cert_len,
-                                       whNvmFlags flags)
+                                       whNvmAccess access, whNvmFlags flags,
+                                       uint8_t* label, whNvmSize label_len,
+                                       const void* cert, uint32_t cert_len)
 {
     whMessageCert_AddTrustedDmaRequest req;
 
@@ -503,10 +514,17 @@ int wh_Client_CertAddTrustedDmaRequest(whClientContext* c, whNvmId id,
     }
 
     /* Prepare and send request */
+    memset(&req, 0, sizeof(req));
     req.id        = id;
+    req.access    = access;
+    req.flags     = flags;
     req.cert_addr = (uint64_t)(uintptr_t)cert;
     req.cert_len  = cert_len;
-    req.flags     = flags;
+    if (label != NULL && label_len > 0) {
+        whNvmSize copy_len =
+            (label_len > WH_NVM_LABEL_LEN) ? WH_NVM_LABEL_LEN : label_len;
+        memcpy(req.label, label, copy_len);
+    }
     return wh_Client_SendRequest(c, WH_MESSAGE_GROUP_CERT,
                                  WH_MESSAGE_CERT_ACTION_ADDTRUSTED_DMA,
                                  sizeof(req), &req);
@@ -543,8 +561,10 @@ int wh_Client_CertAddTrustedDmaResponse(whClientContext* c, int32_t* out_rc)
 }
 
 int wh_Client_CertAddTrustedDma(whClientContext* c, whNvmId id,
+                                whNvmAccess access, whNvmFlags flags,
+                                uint8_t* label, whNvmSize label_len,
                                 const void* cert, uint32_t cert_len,
-                                whNvmFlags flags, int32_t* out_rc)
+                                int32_t* out_rc)
 {
     int rc = 0;
 
@@ -553,7 +573,8 @@ int wh_Client_CertAddTrustedDma(whClientContext* c, whNvmId id,
     }
 
     do {
-        rc = wh_Client_CertAddTrustedDmaRequest(c, id, cert, cert_len, flags);
+        rc = wh_Client_CertAddTrustedDmaRequest(c, id, access, flags, label,
+                                                label_len, cert, cert_len);
     } while (rc == WH_ERROR_NOTREADY);
 
     if (rc == 0) {

src/wh_message_cert.c

@@ -52,9 +52,12 @@ int wh_MessageCert_TranslateAddTrustedRequest(
     if ((src == NULL) || (dest == NULL)) {
         return WH_ERROR_BADARGS;
     }
-    WH_T16(magic, dest, src, id);
     WH_T32(magic, dest, src, cert_len);
+    WH_T16(magic, dest, src, id);
+    WH_T16(magic, dest, src, access);
     WH_T16(magic, dest, src, flags);
+    /* Label array doesn't need byte-order translation */
+    memcpy(dest->label, src->label, WH_NVM_LABEL_LEN);
     return 0;
 }
 
@@ -126,10 +129,13 @@ int wh_MessageCert_TranslateAddTrustedDmaRequest(
     if ((src == NULL) || (dest == NULL)) {
         return WH_ERROR_BADARGS;
     }
-    WH_T16(magic, dest, src, id);
     WH_T64(magic, dest, src, cert_addr);
     WH_T32(magic, dest, src, cert_len);
+    WH_T16(magic, dest, src, id);
+    WH_T16(magic, dest, src, access);
     WH_T16(magic, dest, src, flags);
+    /* Label array doesn't need byte-order translation */
+    memcpy(dest->label, src->label, WH_NVM_LABEL_LEN);
     return 0;
 }
 

src/wh_server_cert.c

@@ -175,12 +175,11 @@ int wh_Server_CertInit(whServerContext* server)
 
 /* Add a trusted certificate to NVM storage */
 int wh_Server_CertAddTrusted(whServerContext* server, whNvmId id,
-                             const uint8_t* cert, uint32_t cert_len,
-                             whNvmFlags flags)
+                             whNvmAccess access, whNvmFlags flags,
+                             const uint8_t* label, whNvmSize label_len,
+                             const uint8_t* cert, uint32_t cert_len)
 {
     int           rc;
-    whNvmAccess   access                  = WH_NVM_ACCESS_ANY;
-    uint8_t       label[WH_NVM_LABEL_LEN] = "trusted_cert";
     whNvmMetadata metadata;
 
     if ((server == NULL) || (cert == NULL) || (cert_len == 0)) {
@@ -192,7 +191,16 @@ int wh_Server_CertAddTrusted(whServerContext* server, whNvmId id,
     metadata.access = access;
     metadata.flags  = flags;
     metadata.len    = cert_len;
-    memcpy(metadata.label, label, sizeof(label));
+    memset(metadata.label, 0, WH_NVM_LABEL_LEN);
+    if (label != NULL && label_len > 0) {
+        whNvmSize copy_len =
+            (label_len > WH_NVM_LABEL_LEN) ? WH_NVM_LABEL_LEN : label_len;
+        memcpy(metadata.label, label, copy_len);
+    }
+    else {
+        /* Default label if none provided */
+        memcpy(metadata.label, "trusted_cert", sizeof("trusted_cert"));
+    }
 
     rc = wh_Nvm_AddObject(server->nvm, &metadata, cert_len, cert);
 
@@ -386,8 +394,9 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
             cert_data = (const uint8_t*)req_packet + sizeof(req);
 
             /* Process the add trusted action */
-            rc      = wh_Server_CertAddTrusted(server, req.id, cert_data,
-                                               req.cert_len, req.flags);
+            rc = wh_Server_CertAddTrusted(server, req.id, req.access, req.flags,
+                                          req.label, WH_NVM_LABEL_LEN,
+                                          cert_data, req.cert_len);
             resp.rc = rc;
 
             /* Convert the response struct */
@@ -520,8 +529,9 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
             }
             if (resp.rc == WH_ERROR_OK) {
                 /* Process the add trusted action */
-                resp.rc = wh_Server_CertAddTrusted(server, req.id, cert_data,
-                                                   req.cert_len, req.flags);
+                resp.rc = wh_Server_CertAddTrusted(
+                    server, req.id, req.access, req.flags, req.label,
+                    WH_NVM_LABEL_LEN, cert_data, req.cert_len);
             }
             if (resp.rc == WH_ERROR_OK) {
                 /* Post-process client address */

test/wh_test_cert.c

@@ -69,15 +69,15 @@ int whTest_CertServerCfg(whServerConfig* serverCfg)
 
     /* Add trusted root certificate for chain A */
     WH_DEBUG_PRINT("Adding trusted root certificate for chain A...\n");
-    WH_TEST_RETURN_ON_FAIL(
-        wh_Server_CertAddTrusted(server, rootCertA, ROOT_A_CERT,
-                                 ROOT_A_CERT_len, WH_NVM_FLAGS_IMMUTABLE));
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertAddTrusted(
+        server, rootCertA, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL, 0,
+        ROOT_A_CERT, ROOT_A_CERT_len));
 
     /* Add trusted root certificate for chain B */
     WH_DEBUG_PRINT("Adding trusted root certificate for chain B...\n");
-    WH_TEST_RETURN_ON_FAIL(
-        wh_Server_CertAddTrusted(server, rootCertB, ROOT_B_CERT,
-                                 ROOT_B_CERT_len, WH_NVM_FLAGS_IMMUTABLE));
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertAddTrusted(
+        server, rootCertB, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL, 0,
+        ROOT_B_CERT, ROOT_B_CERT_len));
 
     /* Verify valid single cert (intermediate) */
     WH_DEBUG_PRINT(
@@ -159,14 +159,14 @@ int whTest_CertClient(whClientContext* client)
     /* Add root certificates to NVM */
     WH_DEBUG_PRINT("Adding root certificate A to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrusted(
-        client, rootCertA_id, ROOT_A_CERT, ROOT_A_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, rootCertA_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, ROOT_A_CERT, ROOT_A_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     WH_DEBUG_PRINT("Adding root certificate B to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrusted(
-        client, rootCertB_id, ROOT_B_CERT, ROOT_B_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, rootCertB_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, ROOT_B_CERT, ROOT_B_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Verify valid single cert (intermediate) */
@@ -277,14 +277,14 @@ int whTest_CertClientAcert(whClientContext* client)
     /* Add trusted certificate to NVM */
     WH_DEBUG_PRINT("Adding trusted certificate to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrusted(
-        client, trustedCertId, caCert_der, caCert_der_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, trustedCertId, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, caCert_der, caCert_der_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     WH_DEBUG_PRINT("Adding root certificate B to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrusted(
-        client, rootCertB_id, ROOT_B_CERT, ROOT_B_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, rootCertB_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, ROOT_B_CERT, ROOT_B_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Verify attribute certificate */
@@ -344,14 +344,14 @@ int whTest_CertClientDma_ClientServerTestInternal(whClientContext* client)
     /* Add root certificates to NVM */
     WH_DEBUG_PRINT("Adding root certificate A to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrustedDma(
-        client, rootCertA_id, ROOT_A_CERT, ROOT_A_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, rootCertA_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, ROOT_A_CERT, ROOT_A_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     WH_DEBUG_PRINT("Adding root certificate B to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrustedDma(
-        client, rootCertB_id, ROOT_B_CERT, ROOT_B_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, rootCertB_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, ROOT_B_CERT, ROOT_B_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Verify valid single cert (intermediate) */
@@ -464,14 +464,14 @@ int whTest_CertClientAcertDma_ClientServerTestInternal(whClientContext* client)
     /* Add trusted certificate to NVM */
     WH_DEBUG_PRINT("Adding trusted certificate to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrustedDma(
-        client, trustedCertId, caCert_der, caCert_der_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, trustedCertId, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, caCert_der, caCert_der_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     WH_DEBUG_PRINT("Adding root certificate B to NVM...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrustedDma(
-        client, rootCertB_id, ROOT_B_CERT, ROOT_B_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, rootCertB_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE, NULL,
+        0, ROOT_B_CERT, ROOT_B_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Verify attribute certificate */
@@ -521,15 +521,16 @@ static int whTest_CertNonExportable(whClientContext* client)
     /* Add exportable certificate */
     WH_DEBUG_PRINT("Adding exportable certificate...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrusted(
-        client, exportable_cert_id, ROOT_A_CERT, ROOT_A_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE, &out_rc));
+        client, exportable_cert_id, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_IMMUTABLE,
+        NULL, 0, ROOT_A_CERT, ROOT_A_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Add non-exportable certificate */
     WH_DEBUG_PRINT("Adding non-exportable certificate...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertAddTrusted(
-        client, nonexportable_cert_id, ROOT_B_CERT, ROOT_B_CERT_len,
-        WH_NVM_FLAGS_IMMUTABLE | WH_NVM_FLAGS_NONEXPORTABLE, &out_rc));
+        client, nonexportable_cert_id, WH_NVM_ACCESS_ANY,
+        WH_NVM_FLAGS_IMMUTABLE | WH_NVM_FLAGS_NONEXPORTABLE, NULL, 0,
+        ROOT_B_CERT, ROOT_B_CERT_len, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Test reading exportable certificate - should succeed */

wolfhsm/wh_client.h

@@ -1630,8 +1630,9 @@ int wh_Client_CertInit(whClientContext* c, int32_t* out_rc);
  * @return int Returns 0 on success, or a negative error code on failure.
  */
 int wh_Client_CertAddTrustedRequest(whClientContext* c, whNvmId id,
-                                    const uint8_t* cert, uint32_t cert_len,
-                                    whNvmFlags flags);
+                                    whNvmAccess access, whNvmFlags flags,
+                                    uint8_t* label, whNvmSize label_len,
+                                    const uint8_t* cert, uint32_t cert_len);
 
 /**
  * @brief Receives a response from the server after adding a trusted
@@ -1662,9 +1663,10 @@ int wh_Client_CertAddTrustedResponse(whClientContext* c, int32_t* out_rc);
  * @param[out] out_rc Pointer to store the response code from the server.
  * @return int Returns 0 on success, or a negative error code on failure.
  */
-int wh_Client_CertAddTrusted(whClientContext* c, whNvmId id,
-                             const uint8_t* cert, uint32_t cert_len,
-                             whNvmFlags flags, int32_t* out_rc);
+int wh_Client_CertAddTrusted(whClientContext* c, whNvmId id, whNvmAccess access,
+                             whNvmFlags flags, uint8_t* label,
+                             whNvmSize label_len, const uint8_t* cert,
+                             uint32_t cert_len, int32_t* out_rc);
 
 /**
  * @brief Sends a request to erase a trusted certificate from NVM storage.
@@ -1892,8 +1894,9 @@ int wh_Client_CertVerifyAndCacheLeafPubKey(
  * @return int Returns 0 on success, or a negative error code on failure.
  */
 int wh_Client_CertAddTrustedDmaRequest(whClientContext* c, whNvmId id,
-                                       const void* cert, uint32_t cert_len,
-                                       whNvmFlags flags);
+                                       whNvmAccess access, whNvmFlags flags,
+                                       uint8_t* label, whNvmSize label_len,
+                                       const void* cert, uint32_t cert_len);
 
 /**
  * @brief Receives a response from the server after adding a trusted certificate
@@ -1926,8 +1929,10 @@ int wh_Client_CertAddTrustedDmaResponse(whClientContext* c, int32_t* out_rc);
  * @return int Returns 0 on success, or a negative error code on failure.
  */
 int wh_Client_CertAddTrustedDma(whClientContext* c, whNvmId id,
+                                whNvmAccess access, whNvmFlags flags,
+                                uint8_t* label, whNvmSize label_len,
                                 const void* cert, uint32_t cert_len,
-                                whNvmFlags flags, int32_t* out_rc);
+                                int32_t* out_rc);
 
 /**
  * @brief Sends a request to read a trusted certificate from NVM storage using

wolfhsm/wh_message_cert.h

@@ -62,9 +62,12 @@ int wh_MessageCert_TranslateSimpleResponse(
 
 /* AddTrusted Request */
 typedef struct {
-    uint32_t   cert_len;
-    whNvmId    id;
-    whNvmFlags flags;
+    uint32_t    cert_len;
+    whNvmId     id;
+    whNvmAccess access;
+    whNvmFlags  flags;
+    uint8_t     label[WH_NVM_LABEL_LEN];
+    uint8_t     WH_PAD[2];
     /* Certificate data follows */
 } whMessageCert_AddTrustedRequest;
 
@@ -138,10 +141,13 @@ int wh_MessageCert_TranslateVerifyResponse(
 
 /* AddTrusted DMA Request */
 typedef struct {
-    uint64_t   cert_addr;
-    uint32_t   cert_len;
-    whNvmId    id;
-    whNvmFlags flags;
+    uint64_t    cert_addr;
+    uint32_t    cert_len;
+    whNvmId     id;
+    whNvmAccess access;
+    whNvmFlags  flags;
+    uint8_t     label[WH_NVM_LABEL_LEN];
+    uint8_t     WH_PAD[6];
 } whMessageCert_AddTrustedDmaRequest;
 
 int wh_MessageCert_TranslateAddTrustedDmaRequest(