wolfKeyMgr v0.8:

* Added DH key support.
* Added HTTP support for fingerprints, groups and contextstr.
* Added ETSI client key argument (`-K`)
* Fixes for URI encoding.
* Refactor of service to support more key types.
* Refactor of internal structure names to leading upper case.
* Removed the "noTLS" build option.

Author: dgarske

configure.ac

@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[0.7],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[0.8],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=4:1:0
+WOLFKM_LIBRARY_VERSION=5:0:0
 #                      | | |
 #               +------+ | +---+
 #               |        |     |

examples/etsi_client/etsi_client.c

@@ -45,6 +45,7 @@ typedef struct WorkThreadInfo {
     const char* clientCertFile;
     const char* caFile;
     EtsiKey key;
+    EtsiKeyType keyType;
     WOLFSSL_CTX* ctx; /* test ctx loading static ephemeral key */
 } WorkThreadInfo;
 
@@ -61,11 +62,12 @@ static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx)
 {
     int ret = 0;
     WorkThreadInfo* info = (WorkThreadInfo*)userCtx;
+    int keyAlgo = wolfEtsiKeyGetPkType(key);
 
     /* test use-case setting static ephemeral key */
     if (info->ctx) {
         ret = wolfSSL_CTX_set_ephemeral_key(info->ctx,
-            WC_PK_TYPE_ECDH, key->response, key->responseSz,
+            keyAlgo, key->response, key->responseSz,
             WOLFSSL_FILETYPE_ASN1);
     }
     wolfEtsiKeyPrint(key);
@@ -80,12 +82,11 @@ static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx)
 static int DoKeyRequest(EtsiClientCtx* client, WorkThreadInfo* info)
 {
     int ret;
-    EtsiKeyType keyType = ETSI_KEY_TYPE_SECP256R1;
 
     /* push: will wait for server to push new keys */
     /* get:  will ask server for key and return */
     if (info->useGet) {
-        ret = wolfEtsiClientGet(client, &info->key, keyType, NULL, NULL,
+        ret = wolfEtsiClientGet(client, &info->key, info->keyType, NULL, NULL,
             info->timeoutSec);
         /* positive return means new key returned */
         /* zero means, same key is used */
@@ -103,7 +104,7 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadInfo* info)
     }
     else {
         /* blocking call and new keys from server will issue callback */
-        ret = wolfEtsiClientPush(client, keyType, NULL, NULL, keyCb, info);
+        ret = wolfEtsiClientPush(client, info->keyType, NULL, NULL, keyCb, info);
     }
 
     if (ret != 0) {
@@ -177,6 +178,7 @@ static void Usage(void)
     printf("-w <pass>   TLS Client Key Password, default %s\n", WOLFKM_ETSICLIENT_PASS);
     printf("-c <pem>    TLS Client Certificate, default %s\n", WOLFKM_ETSICLIENT_CERT);
     printf("-A <pem>    TLS CA Certificate, default %s\n", WOLFKM_ETSICLIENT_CA);
+    printf("-K <keyt>   Key Type: SECP256R1 (default), FFDHE_2048, X25519 or X448\n");
 }
 
 int main(int argc, char** argv)
@@ -199,13 +201,10 @@ int main(int argc, char** argv)
     info.clientCertFile = WOLFKM_ETSICLIENT_CERT;
     info.caFile = WOLFKM_ETSICLIENT_CA;
     info.useGet = 1;
-
-#ifdef DISABLE_SSL
-    usingTLS = 0;    /* can only disable at build time */
-#endif
+    info.keyType = ETSI_KEY_TYPE_SECP256R1;
 
     /* argument processing */
-    while ((ch = getopt(argc, argv, "?eh:p:t:l:r:f:gus:k:w:c:A:")) != -1) {
+    while ((ch = getopt(argc, argv, "?eh:p:t:l:r:f:gus:k:w:c:A:K:")) != -1) {
         switch (ch) {
             case '?' :
                 Usage();
@@ -256,7 +255,20 @@ int main(int argc, char** argv)
             case 'A':
                 info.caFile = optarg;
                 break;
-
+            case 'K':
+            {
+                /* find key type */
+                for (i=(int)ETSI_KEY_TYPE_MIN; i<=(int)ETSI_KEY_TYPE_FFDHE_8192; i++) {
+                    const char* keyStr = wolfEtsiKeyGetTypeStr((EtsiKeyType)i);
+                    if (keyStr != NULL) {
+                        if (XSTRNCMP(optarg, keyStr, XSTRLEN(keyStr)) == 0) {
+                            info.keyType = (EtsiKeyType)i;
+                            break;
+                        }
+                    }
+                }
+                break;
+            }
             default:
                 Usage();
                 exit(EX_USAGE);

src/keymanager.c

@@ -48,7 +48,7 @@ static void Usage(void)
 }
 
 static int wolfKeyMgr_AddSigHandler(struct event_base* mainBase,
-    signalArg* sigArg, int sig)
+    SignalArg* sigArg, int sig)
 {
     struct event* signalEvent = event_new(mainBase, sig,
         (EV_SIGNAL | EV_PERSIST), wolfKeyMgr_SignalCb, sigArg);
@@ -70,15 +70,15 @@ int main(int argc, char** argv)
     char*  pidName    = WOLFKM_DEFAULT_PID;
     struct event_base*      mainBase = NULL;    /* main thread's base  */
     FILE*                   pidF = 0;
-    svcInfo* etsiSvc = NULL;
+    SvcInfo* etsiSvc = NULL;
     int sec;
     word32 timeoutSec  = WOLFKM_DEFAULT_TIMEOUT, renewSec = WOLFKM_KEY_RENEW_TIMEOUT;
     int disableMutualAuth = 0; /* on by default */
     const char* serverKey = WOLFKM_ETSISVC_KEY;
     const char* serverKeyPass = WOLFKM_ETSISVC_KEY_PASSWORD;
     const char* serverCert = WOLFKM_ETSISVC_CERT;
     const char* caCert = WOLFKM_ETSISVC_CA;
-    signalArg sigArgInt, sigArgTerm;
+    SignalArg sigArgInt, sigArgTerm;
 
     /* argument processing */
     while ((ch = getopt(argc, argv, "?bis:t:o:f:l:dk:w:c:A:r:")) != -1) {

src/mod_etsi.c

@@ -130,7 +130,8 @@ int wolfEtsiClientMakeRequest(EtsiClientType type, const char* fingerprint,
     const char* groups, const char* contextstr, byte* request, word32* requestSz)
 {
     int ret;
-    char uri[256];
+    char uri[HTTP_MAX_URI*3]; /* fingerprint, groups, contextStr */
+    size_t uriLen;
     HttpHeader headers[1];
     HttpMethodType httpType;
     headers[0].type = HTTP_HDR_ACCEPT;
@@ -145,11 +146,36 @@ int wolfEtsiClientMakeRequest(EtsiClientType type, const char* fingerprint,
     else {
         /* use GET with either fingerprint (with optional groups/context) */
         httpType = HTTP_METHOD_GET;
-        snprintf(uri, sizeof(uri), 
-            "/.well-known/enterprise-transport-security/keys?fingerprints=%s%s%s%s%s",
-            fingerprint == NULL ? "" : fingerprint,
-            groups == NULL ? "" : "&groups=", groups == NULL ? "" : groups,
-            contextstr == NULL ? "" : "&contextstr=", contextstr == NULL ? "" : contextstr);
+        strncpy(uri,
+            "/.well-known/enterprise-transport-security/keys?fingerprints=",
+            sizeof(uri));
+        uriLen = strlen(uri);
+        if (fingerprint != NULL) {
+            ret = wolfHttpUriEncode(fingerprint, strlen(fingerprint),
+                uri+uriLen, sizeof(uri)-uriLen);
+            if (ret < 0)
+                return WOLFKM_BAD_ARGS;
+            uriLen += ret;
+        }
+        if (groups != NULL) {
+            strncpy(uri+uriLen, "&groups=", sizeof(uri)-uriLen);
+            uriLen = strlen(uri);
+            ret = wolfHttpUriEncode(groups, strlen(groups),
+                uri+uriLen, sizeof(uri)-uriLen);
+            if (ret < 0)
+                return WOLFKM_BAD_ARGS;
+            uriLen += ret;
+        }
+        if (contextstr != NULL) {
+            strncpy(uri+uriLen, "&contextstr=", sizeof(uri)-uriLen);
+            uriLen = strlen(uri);
+            ret = wolfHttpUriEncode(contextstr, strlen(contextstr),
+                uri+uriLen, sizeof(uri)-uriLen);
+            if (ret < 0)
+                return WOLFKM_BAD_ARGS;
+            uriLen += ret;
+        }
+        uri[uriLen] = '\0'; /* null term */
     }
     ret = wolfHttpClient_EncodeRequest(httpType, uri, request,
             requestSz, headers, sizeof(headers)/sizeof(HttpHeader));
@@ -353,6 +379,57 @@ int wolfEtsiKeyGetPkType(EtsiKey* key)
     return WC_PK_TYPE_NONE;
 }
 
+const char* wolfEtsiKeyGetTypeStr(EtsiKeyType type)
+{
+    switch (type) {
+        case ETSI_KEY_TYPE_SECP160K1:
+            return "SECP160K1";
+        case ETSI_KEY_TYPE_SECP160R1:
+            return "SECP160R1";
+        case ETSI_KEY_TYPE_SECP160R2:
+            return "SECP160R2";
+        case ETSI_KEY_TYPE_SECP192K1:
+            return "SECP192K1";
+        case ETSI_KEY_TYPE_SECP192R1:
+            return "SECP192R1";
+        case ETSI_KEY_TYPE_SECP224K1:
+            return "SECP224K1";
+        case ETSI_KEY_TYPE_SECP224R1:
+            return "SECP224R1";
+        case ETSI_KEY_TYPE_SECP256K1:
+            return "SECP256K1";
+        case ETSI_KEY_TYPE_SECP256R1:
+            return "SECP256R1";
+        case ETSI_KEY_TYPE_SECP384R1:
+            return "SECP384R1";
+        case ETSI_KEY_TYPE_SECP521R1:
+            return "SECP521R1";
+        case ETSI_KEY_TYPE_BRAINPOOLP256R1:
+            return "BRAINPOOLP256R1";
+        case ETSI_KEY_TYPE_BRAINPOOLP384R1:
+            return "BRAINPOOLP384R1";
+        case ETSI_KEY_TYPE_BRAINPOOLP512R1:
+            return "BRAINPOOLP512R1";
+        case ETSI_KEY_TYPE_X25519:
+            return "X25519";
+        case ETSI_KEY_TYPE_X448:
+            return "X448";
+        case ETSI_KEY_TYPE_FFDHE_2048:
+            return "FFDHE_2048";
+        case ETSI_KEY_TYPE_FFDHE_3072:
+            return "FFDHE_3072";
+        case ETSI_KEY_TYPE_FFDHE_4096:
+            return "FFDHE_4096";
+        case ETSI_KEY_TYPE_FFDHE_6144:
+            return "FFDHE_6144";
+        case ETSI_KEY_TYPE_FFDHE_8192:
+            return "FFDHE_8192";
+        default:
+            break;
+    }
+    return NULL;
+}
+
 int wolfEtsiKeyLoadCTX(EtsiKey* key, WOLFSSL_CTX* ctx)
 {
     int keyAlgo;
@@ -406,7 +483,8 @@ int wolfEtsiKeyPrint(EtsiKey* key)
             ret = wc_EccPrivateKeyDecode((byte*)key->response, &idx, &ecKey,
                 key->responseSz);
             if (ret == 0) {
-                byte pubX[32*2+1], pubY[32*2+1];
+                byte pubX[MAX_ECC_BYTES*2+1];
+                byte pubY[MAX_ECC_BYTES*2+1];
                 word32 pubXLen = sizeof(pubX), pubYLen = sizeof(pubY);
                 ret = wc_ecc_export_ex(&ecKey,
                     pubX, &pubXLen,
@@ -423,9 +501,22 @@ int wolfEtsiKeyPrint(EtsiKey* key)
 #endif
 #ifndef NO_DH
     if (keyAlgo == WC_PK_TYPE_DH) {
-        /* TODO: add example for loading DHE key and print */
-        //DhKey dh;
-        XLOG(WOLFKM_LOG_INFO, "DH Pub: TODO\n");
+        /* example for loading DHE key */
+        DhKey dhKey;
+        ret = wc_InitDhKey(&dhKey);
+        if (ret == 0) {
+            word32 idx = 0;
+            ret = wc_DhKeyDecode((byte*)key->response, &idx, &dhKey, key->responseSz);
+            if (ret == 0) {
+                byte pubKey[MAX_DH_PUB_SZ];
+                word32 pubKeyLen = sizeof(pubKey);
+                ret = wc_DhExportKeyPair(&dhKey, NULL, NULL, pubKey, &pubKeyLen);
+                if (ret == 0) {
+                    XLOG(WOLFKM_LOG_INFO, "DH Pub: %d\n", pubKeyLen);
+                }
+            }
+            wc_FreeDhKey(&dhKey);
+        }
     }
 #endif
 #ifdef HAVE_CURVE25519

src/mod_http.c

@@ -433,21 +433,26 @@ void wolfHttpResponsePrint(HttpRsp* rsp)
 }
 
 
-char* wolfHttpUriEncode(const byte *s, char *enc)
+int wolfHttpUriEncode(const char *s, size_t sSz, char *enc, size_t encSz)
 {
-    for (; *s; s++){
+    int idx = 0;
+    for (; idx < sSz && *s; s++){
+        if (idx + 3 > encSz)
+            return -1;
         if (*s == '*' || *s == '-' || *s == '.' || *s == '_') {
             char a = (char)(*s >> 4), b = (char)(*s & 0xff);
-            *enc++ = '%';
-            *enc++ = (a < 10) ? '0' + a : 'A' + a - 10;
-            *enc++ = (b < 10) ? '0' + b : 'A' + b - 10;
+            enc[idx++] = '%';
+            enc[idx++] = (a < 10) ? '0' + a : 'A' + a - 10;
+            enc[idx++] = (b < 10) ? '0' + b : 'A' + b - 10;
+        }
+        else if (*s == ' ') {
+            enc[idx++] = '+';
+        }
+        else {
+            enc[idx++] = *s;
         }
-        else if (*s == ' ')
-            *enc++ = '+';
-        else
-            *enc++ = *s;
     }
-    return enc;
+    return idx;
 }
 
 static int hex_to_char(char a, byte* out)
@@ -464,24 +469,27 @@ static int hex_to_char(char a, byte* out)
     return 1;
 }
 
-byte* wolfHttpUriDecode(const char *s, byte *dec)
+int wolfHttpUriDecode(const char *s, size_t sSz, char *dec, size_t decSz)
 {
+    int idx = 0;
     byte a, b;
-    for (; *s; s++){
-        if (*s == '%' && 
+    for (; idx < sSz && *s; s++){
+        if (idx + 1 > decSz)
+            return -1;
+        if (*s == '%' &&
                 hex_to_char((char)s[1], &a) && 
                 hex_to_char((char)s[2], &b)) {
-            *dec++ = (a << 4 | b);
+            dec[idx++] = (a << 4 | b);
             s+=2;
         }
         else if (*s == '+') {
-            *dec++ = ' ';
+            dec[idx++] = ' ';
         }
         else {
-            *dec++ = *s;
+            dec[idx++] = *s;
         }
     }
-    return dec;
+    return idx;
 }
 
 int wolfHttpUrlDecode(HttpUrl* url, char* s)
@@ -519,3 +527,28 @@ int wolfHttpUrlDecode(HttpUrl* url, char* s)
     }
     return 0;
 }
+
+/* item should include equal sign. Example: "fingerprint=" */
+int wolfHttpUriGetItem(const char* uri, const char* itemName, char* item,
+    size_t itemSz)
+{
+    int ret = -1; /* not found */
+    const char *begin, *end;
+    size_t len = 0;
+    /* find item= */
+    begin = strstr(uri, itemName);
+    if (begin) {
+        begin += strlen(itemName);
+
+        /* find next & or null term */
+        end = strstr(begin, "&");
+        if (end != NULL)
+            len = (size_t)end - (size_t)begin;
+        else
+            len = strlen(begin);
+
+        /* perform URI decode */
+        ret = wolfHttpUriDecode(begin, len, item, itemSz); 
+    }
+    return ret;
+}