wolfKeyMgr v0.11:

* Fix to use fingerprint to find keys
* Improved the fingerprint calculation code and added hash
* Added multiple server support using `contextStr`
* Add unit test to `make check`
* Improve `src/wolfkeymgr` exit documentation
* Added example output for demo to `README.md`

Author: dgarske

Makefile.am

@@ -36,4 +36,6 @@ include docs/include.am
 check_SCRIPTS+= $(dist_noinst_SCRIPTS)
 
 TESTS += $(check_SCRIPTS)
+TESTS += $(check_PROGRAMS)
+
 test: check

README.md

@@ -115,7 +115,7 @@ This application handles secure distribution and optional storage of the generat
 
 ```sh
 $ ./src/wolfkeymgr -?
-wolfKeyManager 0.9
+wolfKeyManager 0.11
 -?          Help, print this usage
 -i          Do not chdir / in daemon mode
 -b          Daemon mode, run in background
@@ -133,13 +133,15 @@ wolfKeyManager 0.9
 -K <keyt>   Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default SECP256R1)
 ```
 
+To exit the key manager use ctrl+c.
+
 ### ETSI Test client
 
 This demonstrates secure interactions with the key manager service using the ETSI HTTPS GET/PUT commands for different key types.
 
 ```sh
 $ ./examples/etsi_test/etsi_test -?
-etsi_test 0.9
+etsi_test 0.11
 -?          Help, print this usage
 -e          Error mode, force error response
 -h <str>    Host to connect to, default localhost
@@ -155,46 +157,27 @@ etsi_test 0.9
 -c <pem>    TLS Client Certificate, default certs/client-cert.pem
 -A <pem>    TLS CA Certificate, default certs/ca-cert.pem
 -K <keyt>   Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default SECP256R1)
--F <fprint> Fingerprint used for multiple servers (first 80-bit of pkey hash as hex string)
--n <name>   Find key using public key name (hex string)
+-F <fprint> Fingerprint of ephemeral public key (first 80-bit of pkey hash as hex string)
+-C <ctxstr> Context string (used for multiple servers)
 ```
 
 This client also support stress testing options:
 * Use the thread pool "-t" to spin up more threads.
 * Use the ETSI test client "-r" to make additional requests per thread.
-* Use the "-n" command to find key using public key name (hex string of first 64 bytes of public key).
 * Use the "-F" argument to get key for specific fingerprint (hex string of hash of public key - first 80 bits / 10 bytes)
+* Use the "-C" command to include context string (used for multiple servers).
 
-#### ETSI Fingerprint Names
-
-The fingerprint is a SHA-256 hash of the long term public key with the first 80 bits returned in big endian format. This is used when keys are served for multiple servers concurrently where each server should use a different ephemeral key. If the fingerprint is blank the same key will be returned assuming it is within the expiration and use count restrictions.
-
-#### ETSI Context Names
+#### ETSI Fingerprint
 
-The context is used to lookup an ephemeral key based on public key using the following scheme:
-* ECC: Public X and Y limited to 32 digits each (64 total)
-* DH: Public key truncated to 64 digits.
+The fingerprint is a SHA-256 hash of the ephemeral public key with the first 80 bits (10 bytes) in big endian format. If the fingerprint is blank the current active key for that TLS group will be returned (assuming it is within the expiration and use count restrictions).
 
-The "contextStr" used in the HTTP GET is converted to a hex string up to 128 characters.
+The fingerprint is used to lookup an ephemeral key based on public key using the following scheme:
+* ECC: Public X and Y hashed with SHA256 (first 10 bytes)
+* DH: Public key hashed with SHA256 (first 10 bytes)
 
-For example: An ECC public key printed like this:
+#### ETSI Context String
 
-```sh
-ECC Pub X: 5D2DA665BDD597EC3AAA6AA2E999F115CED9F1016324C7F1711294C8871608CC
-ECC Pub Y: 38006E20B8EDE358CF23CED1FF46593AC0CED787C55B360F35ED3B5D2854018B
-
-# Retrieved using:
-$ ./examples/etsi_test/etsi_test -n 5D2DA665BDD597EC3AAA6AA2E999F115CED9F1016324C7F1711294C8871608CC38006E20B8EDE358CF23CED1FF46593AC0CED787C55B360F35ED3B5D2854018B
-
-# Example Key Manager output:
-HTTP GET
-Version: HTTP/1.1
-URI: /.well-known/enterprise-transport-security/keys?fingerprints=&groups=0x0017&contextstr=5D2DA665BDD597EC3AAA6AA2E999F115CED9F1016324C7F1711294C8871608CC38006E20B8EDE358CF23CED1FF46593AC0CED787C55B360F35ED3B5D2854018
-Headers: 1
-    Accept: : application/pkcs8
-Context: 5D2DA665BDD597EC3AAA6AA2E999F115CED9F1016324C7F1711294C8871608CC38006E20B8EDE358CF23CED1FF46593AC0CED787C55B360F35ED3B5D2854018
-Group: SECP256R1 (23)
-```
+The context string is used to specify additional information to the key manager to distribute keys for multiple servers.
 
 ### HTTP Server / Client
 
@@ -217,8 +200,7 @@ Jun 15 14:26:54 2021: [DEBUG] 		Content-Length: : 121
 Jun 15 14:26:54 2021: [DEBUG] 	Body Size: 121
 Jun 15 14:26:54 2021: [INFO] Got ETSI response (121 bytes)
 Got ETSI static ephemeral key (121 bytes)
-Jun 15 14:26:54 2021: [INFO] ECC Pub X: C30E4D7E99B80D561736640FE108DB577DC399C9E9CAAA5338989D7B06978BA7
-Jun 15 14:26:54 2021: [INFO] ECC Pub Y: E446F67FED21B8B4267CD91738AC078CD32BB6E039875A4484CA07E859658526
+Jun 15 14:26:54 2021: [INFO] SECP256R1: E24EF332747DF70CD4E5
 
 TLS Accept 127.0.0.1
 Jun 15 14:27:01 2021: [DEBUG] HTTP GET
@@ -254,7 +236,6 @@ usage: ./decrypt or ./decrypt dumpFile keyServerURL [server] [port] [password]
 3. Run the middle-box decryption `./examples/middlebox/decrypt` and use the default parameters.
 4. Open a web browser to `https://localhost` or run the HTTP client example `./examples/https/client`.
 5. In the middle-box decryption window you will see the decrypted HTTPS traffic.
-co
 
 Notes:
 
@@ -270,10 +251,73 @@ Notes:
 4) If you get "Permission denied" errors try adding `sudo` to the commands.
 
 
+### Demo example output
+
+```
+% ./src/wolfkeymgr
+Aug 03 15:05:21 2021: [INFO] Starting Key Manager
+Aug 03 15:05:21 2021: [INFO] 	To exit use ctrl+c
+Aug 03 15:05:21 2021: [INFO] loaded CA certificate file ./certs/ca-cert.pem
+Aug 03 15:05:21 2021: [INFO] loaded key file ./certs/server-rsa-key.pem
+Aug 03 15:05:21 2021: [INFO] loaded certificate file ./certs/server-rsa-cert.pem
+Aug 03 15:05:21 2021: [ERRO] Vault open failed, creating new
+Aug 03 15:05:21 2021: [INFO] Vault ./wolfkeymgr.vault opened (0 bytes)
+Aug 03 15:05:21 2021: [INFO] Version: 1
+Aug 03 15:05:21 2021: [INFO] Header Size: 296
+Aug 03 15:05:21 2021: [INFO] Item Count: 0
+Aug 03 15:05:21 2021: [INFO] Total Size: 0
+Aug 03 15:05:21 2021: [WARN] Generating new SECP256R1 key
+Aug 03 15:05:21 2021: [INFO] Binding listener :::8119
+Aug 03 15:05:21 2021: [INFO] Setting up new ETSI conn item pool
+Aug 03 15:05:21 2021: [INFO] Growing ETSI service conn pool
+Aug 03 15:05:21 2021: [INFO] Growing ETSI service conn pool
+Aug 03 15:05:21 2021: [INFO] SECP256R1: E24EF332747DF70CD4E5
+Aug 03 15:05:21 2021: [WARN] Vault Auth: Setting up new encryption key
+Aug 03 15:05:21 2021: [INFO] Next key renewal 3600 seconds
+```
+
+```
+ % ./examples/https/server
+HTTPS Server: Port 443
+Aug 03 15:09:50 2021: [INFO] Connected to ETSI service
+```
+
+```
+ % ./examples/middlebox/decrypt
+1. lo0 (No description available)
+2. en0 (No description available)
+Enter the interface number (1-2) [default: 1]:
+server = 127.0.0.1
+server = ::1
+server = fe80::1
+Enter the port to scan [default: 443]:
+Enter the server key [default: https://localhost:8119]:
+Aug 03 15:07:33 2021: [INFO] Connected to ETSI service
+...
+
+Got ETSI static ephemeral key (121 bytes)
+Aug 03 15:07:33 2021: [INFO] SECP256R1: E24EF332747DF70CD4E5
+Loaded key for fe80::1:443
+SSL App Data(30:323):GET / HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us
+Connection: keep-alive
+Accept-Encoding: gzip, deflate, br
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15
+
+
+SSL App Data(32:132):HTTP/1.1 200 OK
+Content-Type: text/html
+Connection: keep-alive
+Content-Length: 44
+
+<html><body><h1>It works!</h1></body></html>
+```
+
 ## Features Missing
-* Finish adding multiple server support with "fingerprint" (see `ETSI_SVC_MAX_SERVERS`)
 * Find error response message (currently disconnects with socket FIN)
-* ED25519 and ED448
+* Curve25519 and Curve448
 * X509 Visibility support
 * TLS v1.2 ephemeral key support
 

configure.ac

@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[0.10],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[0.11],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=6:0:0
+WOLFKM_LIBRARY_VERSION=7:0:0
 #                      | | |
 #               +------+ | +---+
 #               |        |     |

examples/etsi_test/etsi_test.c

@@ -43,7 +43,7 @@ typedef struct WorkThreadInfo {
     int requests;
     int timeoutSec;
     int requestType;
-    const char* findName; /* contextStr */
+    const char* contextStr;
     const char* fingerprint;
     char* saveResp;
     word16 port;
@@ -111,8 +111,8 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadCtx* tctx)
     /* push: will wait for server to push new keys */
     /* get:  will ask server for key and return */
     if (info->requestType == REQ_TYPE_GET) {
-        ret = wolfEtsiClientGet(client, &tctx->key, info->keyType, NULL, NULL,
-            info->timeoutSec);
+        ret = wolfEtsiClientGet(client, &tctx->key, info->keyType, NULL,
+            info->contextStr, info->timeoutSec);
         /* positive return means new key returned */
         /* zero means, same key is used */
         /* negative means error */
@@ -134,7 +134,7 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadCtx* tctx)
     else if (info->requestType == REQ_TYPE_FIND) {
         /* find key from server  call and new keys from server will issue callback */
         ret = wolfEtsiClientFind(client, &tctx->key, info->keyType,
-            info->fingerprint, info->findName, info->timeoutSec);
+            info->fingerprint, info->contextStr, info->timeoutSec);
         if (ret > 0) {
             /* use same "push" callback to test key use / print */
             keyCb(client, &tctx->key, tctx);
@@ -217,7 +217,7 @@ static void Usage(void)
     printf("-K <keyt>   Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default %s)\n",
         wolfEtsiKeyGetTypeStr(ETSI_TEST_KEY_TYPE));
     printf("-F <fprint> Fingerprint used for multiple servers (first 80-bit of pkey hash as hex string)\n");
-    printf("-n <name>   Find key using public key name (hex string)\n");
+    printf("-C <name>   Find key using public key name (hex string)\n");
 }
 
 int etsi_test(int argc, char** argv)
@@ -242,7 +242,7 @@ int etsi_test(int argc, char** argv)
     info.keyType = ETSI_TEST_KEY_TYPE;
 
     /* argument processing */
-    while ((ch = getopt(argc, argv, "?eh:p:t:l:r:f:gus:k:w:c:A:K:F:n:")) != -1) {
+    while ((ch = getopt(argc, argv, "?eh:p:t:l:r:f:gus:k:w:c:A:K:F:C:")) != -1) {
         switch (ch) {
             case '?' :
                 Usage();
@@ -308,14 +308,13 @@ int etsi_test(int argc, char** argv)
                 break;
             }
             case 'F':
-                /* optional ID for server on key GET / PUT */
                 /* sha256 hash of public key - 10 bytes (80 bits) as hex string */
+                info.requestType = REQ_TYPE_FIND;
                 info.fingerprint = optarg;
                 break;
-            case 'n':
-                /* Find key based on first 64 bytes of public key as hex string */
-                info.requestType = REQ_TYPE_FIND;
-                info.findName = optarg;
+            case 'C':
+                /* optional ID for server on key GET / PUT */
+                info.contextStr = optarg;
                 break;
             default:
                 Usage();

examples/middlebox/decrypt.c

@@ -142,12 +142,12 @@ static int etsi_client_find(char* urlStr, EtsiKey* key, int namedGroup,
 
     ret = etsi_client_connect(urlStr);
     if (ret == 0 && key) {
-        char name[ETSI_MAX_KEY_NAME_STR];
-        word32 nameSz = (word32)sizeof(name);
-        ret = wolfEtsiGetPubKeyName((EtsiKeyType)namedGroup, pub, pubSz,
-            name, &nameSz);
+        char fpStr[ETSI_MAX_FINGERPRINT_STR];
+        word32 fpStrSz = (word32)sizeof(fpStr);
+        ret = wolfEtsiCalcTlsFingerprint((EtsiKeyType)namedGroup, pub, pubSz,
+            fpStr, &fpStrSz);
         if (ret == 0) {
-            ret = wolfEtsiClientFind(gEtsiClient, key, namedGroup, name,
+            ret = wolfEtsiClientFind(gEtsiClient, key, namedGroup, fpStr,
                 NULL, ETSI_TEST_TIMEOUT_MS);
         }
         if (ret < 0) {
@@ -159,6 +159,7 @@ static int etsi_client_find(char* urlStr, EtsiKey* key, int namedGroup,
                 key->responseSz);
             wolfEtsiKeyPrint(key);
         }
+        (void)fpStrSz;
     }
     return ret;
 }
@@ -171,11 +172,6 @@ static int myKeyCb(void* vSniffer, int namedGroup,
     int ret;
     static EtsiKey key;
 
-    if (!isOfflinePcap) {
-        /* decrypt is real-time, don't use find */
-        return 0;
-    }
-
     ret = etsi_client_find(NULL, &key, namedGroup, srvPub, srvPubSz);
     if (ret >= 0) {
         byte* keyBuf = NULL;

src/keymanager.c

@@ -207,6 +207,7 @@ int main(int argc, char** argv)
     /* start log */
     wolfKeyMgr_SetLogFile(logName, daemon, logLevel);
     XLOG(WOLFKM_LOG_INFO, "Starting Key Manager\n");
+    XLOG(WOLFKM_LOG_INFO, "\tTo exit use ctrl+c\n");
 
     if (CheckCtcSettings() != 1) {
         XLOG(WOLFKM_LOG_ERROR, "wolfSSL math library mismatch in settings\n");