Bring in support for MAXQ1065

anhu · anhu · commit a20779465df2 · 2025-01-02T18:18:22.000-05:00
diff --git a/src/crypto.c b/src/crypto.c
@@ -2554,7 +2554,7 @@ CK_RV C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
 CK_RV C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                     CK_OBJECT_HANDLE hKey)
 {
-    int ret;
+    int ret = 0;
     WP11_Session* session;
     WP11_Object* obj = NULL;
     CK_KEY_TYPE type;
@@ -2568,10 +2568,27 @@ CK_RV C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
         return CKR_ARGUMENTS_BAD;
 
     ret = WP11_Object_Find(session, hKey, &obj);
-    if (ret != 0)
+#ifdef WOLFSSL_MAXQ10XX_CRYPTO
+    if ((ret != 0) && (hKey == 0) && (pMechanism->mechanism == CKM_ECDSA)) {
+        if (pMechanism->pParameter != NULL || pMechanism->ulParameterLen != 0) {
+            return CKR_MECHANISM_PARAM_INVALID;
+        }
+
+        /* Do not worry; the private key is pre-provisioned, but note there is
+         * no object to set. */
+        init = WP11_INIT_ECDSA_SIGN;
+        WP11_Session_SetMechanism(session, pMechanism->mechanism);
+        WP11_Session_SetOpInitialized(session, init);
+
+        return CKR_OK;
+    } else
+#endif
+    if (ret != 0) {
         return CKR_OBJECT_HANDLE_INVALID;
+    }
 
     type = WP11_Object_GetType(obj);
+
     switch (pMechanism->mechanism) {
 #ifndef NO_RSA
         case CKM_RSA_X_509:
@@ -2770,8 +2787,9 @@ CK_RV C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 #endif
 #ifdef HAVE_ECC
         case CKM_ECDSA:
-            if (!WP11_Session_IsOpInitialized(session, WP11_INIT_ECDSA_SIGN))
+            if (!WP11_Session_IsOpInitialized(session, WP11_INIT_ECDSA_SIGN)) {
                 return CKR_OPERATION_NOT_INITIALIZED;
+            }
 
             sigLen = WP11_Ec_SigLen(obj);
             if (pSignature == NULL) {
diff --git a/src/internal.c b/src/internal.c
@@ -59,6 +59,10 @@
 #define WOLFPKCS11_NEED_RSA_RNG
 #endif
 
+#if defined(WOLFPKCS11_TPM) && defined(WOLFSSL_MAXQ10XX_CRYPTO)
+    #error "wolfTPM and MAXQ10XX are incompatable with each other."
+#endif
+
 /* Helper to get size of struct field */
 #define FIELD_SIZE(type, field) (sizeof(((type *)0)->field))
 
@@ -3538,8 +3542,10 @@ static int wp11_Slot_Init(WP11_Slot* slot, int id)
 
     ret = WP11_Lock_Init(&slot->lock);
     if (ret == 0) {
-    #ifdef WOLFPKCS11_TPM
+    #if defined(WOLFPKCS11_TPM)
         ret = wp11_TpmInit(slot);
+    #elif defined (WOLFSSL_MAXQ10XX_CRYPTO)
+        slot->devId = MAXQ_DEVICE_ID;
     #endif
         /* Create the minimum number of unused sessions. */
         for (i = 0; ret == 0 && i < WP11_SESSION_CNT_MIN; i++) {
@@ -3605,8 +3611,16 @@ int WP11_Library_Init(void)
 
     if (libraryInitCount == 0) {
         ret = WP11_Lock_Init(&globalLock);
-        if (ret == 0)
+        if (ret == 0) {
+#ifdef WOLFSSL_MAXQ10XX_CRYPTO
+            ret = wolfCrypt_Init();
+            if (ret == 0) {
+                ret = wc_InitRng_ex(&globalRandom, NULL, MAXQ_DEVICE_ID);
+            }
+#else
             ret = wc_InitRng(&globalRandom);
+#endif
+        }
         for (i = 0; (ret == 0) && (i < slotCnt); i++) {
             ret = wp11_Slot_Init(&slotList[i], i + 1);
         }
@@ -4725,7 +4739,7 @@ int WP11_Session_SetCbcParams(WP11_Session* session, unsigned char* iv,
     WP11_Data* key;
 
     /* AES object on session. */
-    ret = wc_AesInit(&cbc->aes, NULL, INVALID_DEVID);
+    ret = wc_AesInit(&cbc->aes, NULL, session->devId);
     if (ret == 0) {
         if (object->onToken)
             WP11_Lock_LockRO(object->lock);
@@ -7659,7 +7673,7 @@ int WP11_EC_Derive(unsigned char* point, word32 pointLen, unsigned char* key,
     WC_RNG rng;
 #endif
 
-    ret = wc_ecc_init_ex(&pubKey, NULL, INVALID_DEVID);
+    ret = wc_ecc_init_ex(&pubKey, NULL, priv->slot->devId);
     if (ret == 0) {
         ret = wc_ecc_import_x963(point, pointLen, &pubKey);
     }
@@ -8280,7 +8294,7 @@ int WP11_AesGcm_Encrypt(unsigned char* plain, word32 plainSz,
     word32 authTagSz = gcm->tagBits / 8;
     unsigned char* authTag = enc + plainSz;
 
-    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    ret = wc_AesInit(&aes, NULL, session->devId);
     if (ret == 0) {
         if (secret->onToken)
             WP11_Lock_LockRO(secret->lock);
@@ -8332,7 +8346,7 @@ int WP11_AesGcm_EncryptUpdate(unsigned char* plain, word32 plainSz,
     word32 authTagSz = gcm->tagBits / 8;
     unsigned char* authTag = gcm->authTag;
 
-    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    ret = wc_AesInit(&aes, NULL, session->devId);
     if (ret == 0) {
         if (secret->onToken)
             WP11_Lock_LockRO(secret->lock);
@@ -8412,7 +8426,7 @@ int WP11_AesGcm_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec,
     word32 authTagSz = gcm->tagBits / 8;
     unsigned char* authTag = enc + encSz - authTagSz;
 
-    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    ret = wc_AesInit(&aes, NULL, session->devId);
     if (ret == 0) {
         if (secret->onToken) {
             WP11_Lock_LockRO(secret->lock);
@@ -8737,7 +8751,7 @@ int WP11_Hmac_Init(CK_MECHANISM_TYPE mechanism, WP11_Object* secret,
     if (ret == 0)
         hmac->hmacSz = wc_HmacSizeByType(hashType);
     if (ret == 0)
-        ret = wc_HmacInit(&hmac->hmac, NULL, INVALID_DEVID);
+        ret = wc_HmacInit(&hmac->hmac, NULL, secret->slot->devId);
     if (ret == 0) {
         if (secret->onToken)
             WP11_Lock_LockRO(secret->lock);
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
@@ -2930,8 +2930,8 @@ static CK_RV test_pubkey_sig_fail(CK_SESSION_HANDLE session, CK_MECHANISM* mech,
         CHECK_CKR_FAIL(ret, CKR_OPERATION_NOT_INITIALIZED, "Verify wrong init");
     }
     if (ret == CKR_OK) {
-       ret = funcList->C_VerifyInit(session, mech, pub);
-       CHECK_CKR(ret, "Verify Init");
+        ret = funcList->C_VerifyInit(session, mech, pub);
+        CHECK_CKR(ret, "Verify Init");
     }
     if (ret == CKR_OK) {
         ret = funcList->C_Sign(session, hash, hashSz, out, &outSz);
@@ -3794,11 +3794,13 @@ static CK_RV test_rsa_fixed_keys_oaep(void* args)
                                                                              0);
         CHECK_CKR(ret, "SHA1 No AAD");
     }
+#ifdef WOLFSSL_SHA224
     if (ret == CKR_OK) {
         ret = rsa_oaep_test(session, priv, pub, CKM_SHA224, CKG_MGF1_SHA224,
                                                                        NULL, 0);
         CHECK_CKR(ret, "SHA224 No AAD");
     }
+#endif
     if (ret == CKR_OK) {
         ret = rsa_oaep_test(session, priv, pub, CKM_SHA384, CKG_MGF1_SHA384,
                                                                        NULL, 0);
@@ -3893,10 +3895,12 @@ static CK_RV test_rsa_fixed_keys_pss(void* args)
         ret = rsa_pss_test(session, priv, pub, CKM_SHA1, CKG_MGF1_SHA1, 20);
         CHECK_CKR(ret, "RSA PKCS#1 PSS - SHA1");
     }
+#ifdef WOLFSSL_SHA224
     if (ret == CKR_OK) {
         ret = rsa_pss_test(session, priv, pub, CKM_SHA224, CKG_MGF1_SHA224, 28);
         CHECK_CKR(ret, "RSA PKCS#1 PSS - SHA224");
     }
+#endif
     if (ret == CKR_OK) {
         ret = rsa_pss_test(session, priv, pub, CKM_SHA384, CKG_MGF1_SHA384, 48);
         CHECK_CKR(ret, "RSA PKCS#1 PSS - SHA384");
@@ -4819,10 +4823,15 @@ static CK_RV ecdsa_test(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE privKey,
         ret = funcList->C_VerifyInit(session, &mech, pubKey);
         CHECK_CKR(ret, "ECDSA Verify Init");
     }
+#ifndef WOLFSSL_MAXQ10XX_CRYPTO
+    /* In the case of MAXQ1065 it will be signed by the pre-provisioned private
+     * key so verify operation will fail as this is NOT the corresponding
+     * public key. */
     if (ret == CKR_OK) {
         ret = funcList->C_Verify(session, hash, hashSz, out, outSz);
         CHECK_CKR(ret, "ECDSA Verify");
     }
+#endif
     if (ret == CKR_OK) {
         ret = funcList->C_Verify(session, hash, hashSz - 1, out, outSz);
         CHECK_CKR_FAIL(ret, CKR_SIGNATURE_INVALID, "ECDSA Verify bad hash");
