wolfKeyMgr v1.0:

* Support for Curve25519 and Curve448 in key manager.
* Support for Curve25519 in middle-box decryption.
* Support for loading all supported ephemeral keys.
* Refactor common ETSI client test code.
* Improved middle-box decryption to better handle concurrent keys of different formats.
* Improved handling for not compiled in cases.
* Fix for ./configure config summary.

Author: dgarske

README.md

@@ -50,7 +50,7 @@ $ ./autogen.sh
 $ git clone https://github.com/wolfssl/wolfssl
 $ cd wolfssl
 $ ./autogen.sh
-$ ./configure --enable-sniffer CFLAGS="-DWOLFSSL_DH_EXTRA"
+$ ./configure --enable-sniffer --enable-curve25519 CFLAGS="-DWOLFSSL_DH_EXTRA"
 $ make
 $ make check   # (optional, but highly recommended)
 $ sudo make install
@@ -62,6 +62,7 @@ Notes:
 * To enable all ARMv8 (aarch64) speedups use `--enable-armasm --enable-sp --enable-sp-asm`
 * Requires at least wolfSSL v4.8.0 with PR:
    - https://github.com/wolfSSL/wolfssl/pull/4181
+   - https://github.com/wolfSSL/wolfssl/pull/4335 (required for Curve25519)
 
 2. Install libevent version 2.0+
 
@@ -101,7 +102,7 @@ Notes:
 * A custom install location can be specified using: `./configure --prefix=/opt/local`
 * `autogen.sh` is script to generate configure, you'll need the autoconf tools
 installed, then proceed to the next step.
-
+* `src/wolfkeymgr` is the key manager service / dameon. A make install will typically put it into `/usr/local/bin/wolfkeymgr` or ``/usr/bin/wolfkeymgr`.
 
 ## Examples
 
@@ -115,7 +116,7 @@ This application handles secure distribution and optional storage of the generat
 
 ```sh
 $ ./src/wolfkeymgr -?
-wolfKeyManager 0.11
+wolfKeyManager 1.0
 -?          Help, print this usage
 -i          Do not chdir / in daemon mode
 -b          Daemon mode, run in background
@@ -141,7 +142,7 @@ This demonstrates secure interactions with the key manager service using the ETS
 
 ```sh
 $ ./examples/etsi_test/etsi_test -?
-etsi_test 0.11
+etsi_test 1.0
 -?          Help, print this usage
 -e          Error mode, force error response
 -h <str>    Host to connect to, default localhost
@@ -316,8 +317,8 @@ Content-Length: 44
 ```
 
 ## Features Missing
+
 * Find error response message (currently disconnects with socket FIN)
-* Curve25519 and Curve448
 * X509 Visibility support
 * TLS v1.2 ephemeral key support
 

configure.ac

@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[0.11],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[1.0],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=7:0:0
+WOLFKM_LIBRARY_VERSION=8:0:0
 #                      | | |
 #               +------+ | +---+
 #               |        |     |
@@ -252,11 +252,13 @@ echo ""
 echo "   * Installation prefix:       $prefix"
 echo "   * System type:               $host_vendor-$host_os"
 echo "   * Host CPU:                  $host_cpu"
-echo "   * C Compiler:                $CC_VERSION"
+echo "   * C Compiler:                $CC"
 echo "   * C Flags:                   $CFLAGS"
+echo "   * C++ Compiler:              $CXX"
+echo "   * C++ Flags:                 $CXXFLAGS"
 echo "   * CPP Flags:                 $CPPFLAGS"
+echo "   * CCAS Flags:                $CCASFLAGS"
 echo "   * LIB Flags:                 $LIB"
-echo "   * Debug enabled:             $ax_enable_debug"
 
 echo "   * Vault                      $ENABLED_VAULT"
 echo "   * Sniffer                    $ENABLED_SNIFFER"

examples/etsi_test/etsi_test.c

@@ -84,6 +84,9 @@ static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx)
         ret = wolfSSL_CTX_set_ephemeral_key(tctx->ctx,
             keyAlgo, (char*)key->response, key->responseSz,
             WOLFSSL_FILETYPE_ASN1);
+        if (ret == NOT_COMPILED_IN) {
+            ret = 0; /* not compiled in case is okay */
+        }
     #endif
     }
     if (ret == 0) {
@@ -170,7 +173,7 @@ static void* DoRequests(void* arg)
     if (ret != 0) {
         XLOG(WOLFKM_LOG_ERROR, "Error loading ETSI client key/cert %d!\n", ret);
     }
-    ret = wolfEtsiClientConnect(client, info->host, info->port, 
+    ret = wolfEtsiClientConnect(client, info->host, info->port,
         info->timeoutSec);
     if (ret == 0) {
         /* setup test CTX to demonstrate loading static ephemeral */
@@ -328,7 +331,7 @@ int etsi_test(int argc, char** argv)
 
     if (errorMode)
         return DoErrorMode();
-    
+
     wolfEtsiClientInit();
 
     if (poolSize == 0) {

examples/https/include.am

@@ -13,6 +13,7 @@ examples_https_client_DEPENDENCIES = src/libwolfkeymgr.la
 
 noinst_PROGRAMS += examples/https/server
 noinst_HEADERS  += examples/https/server.h
-examples_https_server_SOURCES      = examples/https/server.c
+examples_https_server_SOURCES      = examples/https/server.c \
+                                     examples/test_config.c
 examples_https_server_LDADD        = src/libwolfkeymgr.la $(LIB_STATIC_ADD)
 examples_https_server_DEPENDENCIES = src/libwolfkeymgr.la

examples/https/server.c

@@ -29,9 +29,6 @@
 static volatile int mStop = 0;
 static WKM_SOCKET_T listenFd = WKM_SOCKET_INVALID;
 
-static EtsiClientCtx* gEtsiClient;
-static int etsi_client_get(WOLFSSL_CTX* ctx);
-
 static void sig_handler(const int sig)
 {
     printf("SIGINT handled = %d.\n", sig);
@@ -40,6 +37,16 @@ static void sig_handler(const int sig)
     mStop = 1;
 }
 
+static int etsi_key_cb(EtsiKey* key, void* cbCtx)
+{
+    WOLFSSL_CTX* ctx = (WOLFSSL_CTX*)cbCtx;
+    int ret = wolfEtsiKeyLoadCTX(key, ctx);
+    if (ret == NOT_COMPILED_IN) {
+        ret = 0; /* this is okay - if feature is not compiled in */
+    }
+    return ret;
+}
+
 int https_server_test(int argc, char** argv)
 {
     int ret;
@@ -51,6 +58,7 @@ int https_server_test(int argc, char** argv)
     HttpHeader headers[2];
     const char* body = HTTPS_TEST_RESPONSE;
     SOCKADDR_IN_T clientAddr;
+    const char* etsiServer = "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR;
 
     signal(SIGINT, sig_handler);
 
@@ -61,7 +69,7 @@ int https_server_test(int argc, char** argv)
     printf("HTTPS Server: Port %d\n", HTTPS_TEST_PORT);
 
     wolfSSL_Init();
-    
+
     /* log setup */
     //wolfSSL_Debugging_ON();
     wolfKeyMgr_SetLogFile(NULL, 0, WOLFKM_LOG_DEBUG);
@@ -81,7 +89,7 @@ int https_server_test(int argc, char** argv)
     if (ret != 0) goto exit;
 
     do {
-        ret = etsi_client_get(ctx);
+        ret = etsi_client_get_all(etsiServer, etsi_key_cb, ctx);
         if (ret != 0) {
             mStop = 1;
             goto end_sess;
@@ -91,14 +99,14 @@ int https_server_test(int argc, char** argv)
             HTTPS_TEST_TIMEOUT_SEC);
         if (ret == WOLFKM_BAD_TIMEOUT) continue;
         if (ret != 0) goto end_sess;
-        
+
         printf("TLS Accept %s\n", wolfSocketAddrStr(&clientAddr));
 
         /* Get HTTP request and print */
         dataSz = (int)sizeof(data);
         ret = wolfTlsRead(ssl, data, &dataSz, HTTPS_TEST_TIMEOUT_SEC);
         if (ret < 0) goto end_sess;
-        
+
         ret = wolfHttpServer_ParseRequest(&req, data, dataSz);
         if (ret == 0) {
             wolfHttpRequestPrint(&req);
@@ -142,68 +150,6 @@ int https_server_test(int argc, char** argv)
     return ret;
 }
 
-/* ETSI Client */
-static void etsi_client_cleanup(void)
-{
-    if (gEtsiClient) {
-        wolfEtsiClientFree(gEtsiClient);
-        gEtsiClient = NULL;
-
-        wolfEtsiClientCleanup();
-    }
-}
-static int etsi_client_get(WOLFSSL_CTX* ctx)
-{
-    int ret = -1;
-    static EtsiKey key;
-    
-    /* setup key manager connection */
-    if (gEtsiClient == NULL) {
-        wolfEtsiClientInit();
-
-        gEtsiClient = wolfEtsiClientNew();
-        if (gEtsiClient) {
-            wolfEtsiClientAddCA(gEtsiClient, ETSI_TEST_CLIENT_CA);
-            wolfEtsiClientSetKey(gEtsiClient,
-                ETSI_TEST_CLIENT_KEY, ETSI_TEST_CLIENT_PASS,
-                ETSI_TEST_CLIENT_CERT, WOLFSSL_FILETYPE_PEM);
-
-            ret = wolfEtsiClientConnect(gEtsiClient, ETSI_TEST_HOST,
-                ETSI_TEST_PORT, ETSI_TEST_TIMEOUT_MS);
-            if (ret != 0) {
-                printf("Error connecting to ETSI server! %d\n", ret);
-                etsi_client_cleanup();
-            }
-        }
-        else {
-            ret = WOLFKM_BAD_MEMORY;
-        }
-    }
-    if (gEtsiClient) {
-        ret = wolfEtsiClientGet(gEtsiClient, &key, ETSI_TEST_KEY_TYPE, 
-            NULL, NULL, ETSI_TEST_TIMEOUT_MS);
-        /* positive return means new key returned */
-        /* zero means, same key is used */
-        /* negative means error */
-        if (ret < 0) {
-            printf("Error getting ETSI static ephemeral key! %d\n", ret);
-            etsi_client_cleanup();
-        }
-        else if (ret > 0) {
-            /* got new key */
-            printf("Got ETSI static ephemeral key (%d bytes)\n", key.responseSz);
-            wolfEtsiKeyPrint(&key);
-            ret = wolfEtsiKeyLoadCTX(&key, ctx);
-        }
-        else {
-            /* key has not changed */
-            printf("ETSI Key Cached (valid for %lu sec)\n",
-                key.expires - wolfGetCurrentTimeT());
-        }
-    }
-    return ret;
-}
-
 #ifndef NO_MAIN_DRIVER
 int main(int argc, char* argv[])
 {

examples/include.am

@@ -6,4 +6,5 @@ include examples/etsi_test/include.am
 include examples/middlebox/include.am
 include examples/https/include.am
 
-EXTRA_DIST += examples/test_config.h
+EXTRA_DIST += examples/test_config.h \
+              examples/test_config.c