From e84a49ab8dd4a6bcd24a1d394d3a793c11069200 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 18 Aug 2025 09:25:38 -0600 Subject: [PATCH 01/11] Add initial support for STM32U5 DHUK use --- examples/stm32_dhuk_aes_key.c | 732 ++++++++++++++++++++++++++++++++++ src/crypto.c | 37 +- src/internal.c | 122 ++++-- wolfpkcs11/pkcs11.h | 8 + 4 files changed, 850 insertions(+), 49 deletions(-) create mode 100644 examples/stm32_dhuk_aes_key.c diff --git a/examples/stm32_dhuk_aes_key.c b/examples/stm32_dhuk_aes_key.c new file mode 100644 index 00000000..635c4776 --- /dev/null +++ b/examples/stm32_dhuk_aes_key.c @@ -0,0 +1,732 @@ +/* stm32_dhuk_aes_key.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfPKCS11. + * + * wolfPKCS11 is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfPKCS11 is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#ifdef HAVE_CONFIG_H + #include +#endif + +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif +#include +#include +#include + +#ifndef WOLFPKCS11_USER_SETTINGS + #include +#endif +#include + +#ifndef HAVE_PKCS11_STATIC +#include +#endif + +extern int uart_printf(const char* format, ...); +#undef printf +#define printf uart_printf + +#ifdef DEBUG_WOLFPKCS11 + #define CHECK_CKR(rv, op) \ + fprintf(stderr, "%s: %ld\n", op, rv) +#else + #define CHECK_CKR(rv, op) \ + if (ret != CKR_OK) \ + printf("%s: %ld\n", op, rv) +#endif + + +/* DLL Location and slot */ +#ifndef WOLFPKCS11_DLL_FILENAME + #ifdef __MACH__ + #define WOLFPKCS11_DLL_FILENAME "./src/.libs/libwolfpkcs11.dylib" + #else + #define WOLFPKCS11_DLL_FILENAME "./src/.libs/libwolfpkcs11.so" + #endif +#endif +#ifndef WOLFPKCS11_DLL_SLOT + #define WOLFPKCS11_DLL_SLOT 1 +#endif + + +#ifndef HAVE_PKCS11_STATIC +static void* dlib; +#endif +static CK_FUNCTION_LIST* funcList; +static CK_SLOT_ID slot = WOLFPKCS11_DLL_SLOT; + +static byte* userPin = (byte*)"wolfpkcs11-test"; +static CK_ULONG userPinLen; + + +static CK_RV pkcs11_init(const char* library, CK_SESSION_HANDLE* session) +{ + CK_RV ret = CKR_OK; +#ifndef HAVE_PKCS11_STATIC + void* func; + + dlib = dlopen(library, RTLD_NOW | RTLD_LOCAL); + if (dlib == NULL) { + fprintf(stderr, "dlopen error: %s\n", dlerror()); + ret = -1; + } + + if (ret == CKR_OK) { + func = (void*)(CK_C_GetFunctionList)dlsym(dlib, "C_GetFunctionList"); + if (func == NULL) { + fprintf(stderr, "Failed to get function list function\n"); + ret = -1; + } + } + + if (ret == CKR_OK) { + ret = ((CK_C_GetFunctionList)func)(&funcList); + CHECK_CKR(ret, "Get Function List call"); + } + + if (ret != CKR_OK && dlib != NULL) + dlclose(dlib); + +#else + ret = C_GetFunctionList(&funcList); + (void)library; +#endif + + if (ret == CKR_OK) { + ret = funcList->C_Initialize(NULL); + CHECK_CKR(ret, "Initialize"); + } + + if (ret == CKR_OK) { + CK_FLAGS sessFlags = CKF_SERIAL_SESSION | CKF_RW_SESSION; + + ret = funcList->C_OpenSession(slot, sessFlags, NULL, NULL, session); + CHECK_CKR(ret, "Open Session"); + if (ret == CKR_OK && userPinLen != 0) { + ret = funcList->C_Login(*session, CKU_USER, userPin, userPinLen); + CHECK_CKR(ret, "Login"); + } + } + + return ret; +} + + +static void pkcs11_final(CK_SESSION_HANDLE session) +{ + if (userPinLen != 0) + funcList->C_Logout(session); + funcList->C_CloseSession(session); + + funcList->C_Finalize(NULL); +#ifndef HAVE_PKCS11_STATIC + dlclose(dlib); +#endif +} + + +static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY; +static CK_BBOOL ckTrue = CK_TRUE; +#ifndef NO_AES +static CK_KEY_TYPE aesKeyType = CKK_AES; +#else +static CK_KEY_TYPE genericKeyType = CKK_GENERIC_SECRET; +#endif + +static unsigned char aes_256_key[] = { + 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, + 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, + 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, + 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 + }; + +/* Search for DHUK object which is the DHUK key to be used with C_WrapKey */ +CK_RV pkcs11_find_dhuk_key_object(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen); +CK_RV pkcs11_find_dhuk_key_object(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen) +{ + CK_RV ret; + CK_OBJECT_HANDLE objects[10]; /* Buffer to hold object handles */ + CK_ULONG objectCount = 0; + CK_ULONG foundCount = 0; + CK_ATTRIBUTE labelAttr; + unsigned char labelBuffer[256]; + CK_ULONG i; + CK_ATTRIBUTE searchTemplate; + + + printf("Searching for existing PKCS11 objects...\n"); + + /* First, let's find all objects to see what's available */ + ret = funcList->C_FindObjectsInit(session, &searchTemplate, 0); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjectsInit (all objects)"); + return ret; + } + + /* Get all objects */ + ret = funcList->C_FindObjects(session, objects, 10, &objectCount); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjects (all objects)"); + funcList->C_FindObjectsFinal(session); + return ret; + } + + printf("Found %lu total objects\n", objectCount); + + /* Iterate through all objects and print their labels */ + for (i = 0; i < objectCount; i++) { + CK_ATTRIBUTE attrs[3]; + CK_OBJECT_CLASS objClass; + CK_KEY_TYPE keyType; + unsigned char classBuffer[sizeof(CK_OBJECT_CLASS)]; + unsigned char typeBuffer[sizeof(CK_KEY_TYPE)]; + + /* Get object class */ + attrs[0].type = CKA_CLASS; + attrs[0].pValue = classBuffer; + attrs[0].ulValueLen = sizeof(classBuffer); + + /* Get key type (for key objects) */ + attrs[1].type = CKA_KEY_TYPE; + attrs[1].pValue = typeBuffer; + attrs[1].ulValueLen = sizeof(typeBuffer); + + /* Get label */ + attrs[2].type = CKA_LABEL; + attrs[2].pValue = labelBuffer; + attrs[2].ulValueLen = sizeof(labelBuffer); + + ret = funcList->C_GetAttributeValue(session, objects[i], attrs, 3); + if (ret == CKR_OK) { + objClass = *(CK_OBJECT_CLASS*)classBuffer; + keyType = *(CK_KEY_TYPE*)typeBuffer; + + /* Only show AES keys and vendor-defined keys */ + if (objClass == CKO_SECRET_KEY && + (keyType == CKK_AES || keyType == CKK_VENDOR_DEFINED)) { + + if (keyType == CKK_AES) { + printf("AES Key %lu: ", i); + } else { + printf("Vendor Key %lu: ", i); + } + + if (attrs[2].ulValueLen > 0) { + printf("Label='%.*s'", (int)attrs[2].ulValueLen, (char*)labelBuffer); + } else { + printf("No label"); + } + printf("\n"); + } + } else { + printf("Object %lu: Error getting attributes (ret=%ld)\n", i, ret); + } + } + + ret = funcList->C_FindObjectsFinal(session); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjectsFinal (all objects)"); + } + + /* Now search for the specific DHUK key object */ + if (privId != NULL && privIdLen > 0) { + CK_ATTRIBUTE searchTemplate[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, + { CKA_ID, privId, privIdLen } + }; + + ret = funcList->C_FindObjectsInit(session, searchTemplate, sizeof(searchTemplate) / sizeof(CK_ATTRIBUTE)); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjectsInit (DHUK search)"); + return ret; + } + + ret = funcList->C_FindObjects(session, objects, 1, &foundCount); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjects (DHUK search)"); + funcList->C_FindObjectsFinal(session); + return ret; + } + + ret = funcList->C_FindObjectsFinal(session); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjectsFinal (DHUK search)"); + } + + if (foundCount > 0) { + printf("Found DHUK key object with ID '%.*s'\n", (int)privIdLen, privId); + return CKR_OK; + } else { + printf("DHUK key object with ID '%.*s' not found\n", (int)privIdLen, privId); + return CKR_FUNCTION_FAILED; + } + } + + return CKR_OK; +} + +/* Use the AES key for encryption/decryption */ +CK_RV pkcs11_use_aes_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen); +CK_RV pkcs11_use_aes_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen) +{ + CK_RV ret; + CK_OBJECT_HANDLE keyHandle; + CK_ULONG foundCount = 0; + + printf("Using AES key...\n"); + + /* Find the AES key object */ + CK_ATTRIBUTE searchTemplate[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, + { CKA_ID, privId, privIdLen } + }; + + ret = funcList->C_FindObjectsInit(session, searchTemplate, sizeof(searchTemplate) / sizeof(CK_ATTRIBUTE)); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjectsInit (AES key)"); + return ret; + } + + ret = funcList->C_FindObjects(session, &keyHandle, 1, &foundCount); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjects (AES key)"); + funcList->C_FindObjectsFinal(session); + return ret; + } + + ret = funcList->C_FindObjectsFinal(session); + if (ret != CKR_OK) { + CHECK_CKR(ret, "FindObjectsFinal (AES key)"); + } + + if (foundCount > 0) { + printf("Found AES key object, ready for use\n"); + return CKR_OK; + } else { + printf("AES key object not found\n"); + return CKR_FUNCTION_FAILED; + } +} + +CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen); +CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen) +{ + CK_RV ret; + int devId = WOLFSSL_STM32U5_DHUK_DEVID; /* signal use of hardware key */ + CK_ATTRIBUTE aes_dhuk_secret_key[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, +#ifndef NO_AES + { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, +#else + { CKA_KEY_TYPE, &genericKeyType, sizeof(genericKeyType) }, +#endif + { CKA_WRAP, &ckTrue, sizeof(ckTrue) }, + { CKA_UNWRAP, &ckTrue, sizeof(ckTrue) }, + { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, + { CKA_VALUE, aes_256_key, sizeof(aes_256_key) }, + { CKA_DEVID, &devId, sizeof(devId) }, + }; + CK_ULONG cnt = sizeof(aes_dhuk_secret_key)/sizeof(*aes_dhuk_secret_key); + CK_OBJECT_HANDLE obj; + + ret = funcList->C_CreateObject(session, aes_dhuk_secret_key, cnt, &obj); + CHECK_CKR(ret, "CreateObject AES DHUK key"); + + return ret; +} + +CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen); +CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen) +{ + CK_RV ret; + int devId = WOLFSSL_STM32U5_SAES_DEVID; + CK_ATTRIBUTE aes_256_secret_key[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, +#ifndef NO_AES + { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, +#else + { CKA_KEY_TYPE, &genericKeyType, sizeof(genericKeyType) }, +#endif + { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, + { CKA_VALUE, aes_256_key, sizeof(aes_256_key) }, + { CKA_DEVID, &devId, sizeof(devId) }, + }; + CK_ULONG cnt = sizeof(aes_256_secret_key)/sizeof(*aes_256_secret_key); + CK_OBJECT_HANDLE obj; + + ret = funcList->C_CreateObject(session, aes_256_secret_key, cnt, &obj); + CHECK_CKR(ret, "CreateObject AES 256-bit key"); + + return ret; +} + +CK_OBJECT_HANDLE find_key_type(CK_SESSION_HANDLE session, int devId); +CK_OBJECT_HANDLE find_key_type(CK_SESSION_HANDLE session, int devId) +{ + CK_RV ret = CKR_OK; + CK_OBJECT_HANDLE obj, match = 0; + CK_ATTRIBUTE findTmpl; + CK_ULONG cnt; + + /* Find all objects. */ + ret = funcList->C_FindObjectsInit(session, &findTmpl, 0); + CHECK_CKR(ret, "Initialize Find"); + + while (ret == CKR_OK) { + int devIdFound; + CK_ULONG devIdLen = sizeof(devIdFound); + CK_ATTRIBUTE getTmpl[] = { + { CKA_DEVID, &devIdFound, devIdLen }, + }; + CK_ULONG getTmplCnt = sizeof(getTmpl) / sizeof(CK_ATTRIBUTE); + + ret = funcList->C_FindObjects(session, &obj, 1, &cnt); + CHECK_CKR(ret, "Find Object"); + if (cnt == 1) { + /* check devId match */ + ret = funcList->C_GetAttributeValue(session, obj, getTmpl, getTmplCnt); + printf("Return value from GetAttributeValue = %d, {%d, %d}\n", ret, devIdFound, getTmpl[0].ulValueLen); + if (devIdFound == devId) { + printf("Found matching object\n"); + match = obj; + break; + } + } + else { + break; + } + } + ret = funcList->C_FindObjectsFinal(session); + CHECK_CKR(ret, "Find Object Final"); + + return match; +} + +CK_OBJECT_HANDLE find_dhuk_key(CK_SESSION_HANDLE session); +CK_OBJECT_HANDLE find_dhuk_key(CK_SESSION_HANDLE session) +{ + CK_OBJECT_HANDLE ret; + ret = find_key_type(session, WOLFSSL_STM32U5_DHUK_DEVID); + if (ret == 0) { + printf("Failed to find DHUK key\n"); + } + else { + printf("Found DHUK key\n"); + } + return ret; +} + +static CK_OBJECT_HANDLE find_software_key(CK_SESSION_HANDLE session) +{ + CK_OBJECT_HANDLE ret; + ret = find_key_type(session, WOLFSSL_STM32U5_SAES_DEVID); + if (ret == 0) { + printf("Failed to find software key\n"); + } + else { + printf("Found software key\n"); + } + return ret; +} + +static CK_OBJECT_HANDLE find_wrapped_key(CK_SESSION_HANDLE session) +{ + CK_OBJECT_HANDLE ret; + ret = find_key_type(session, WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID); + if (ret == 0) { + printf("Failed to find wrapped key\n"); + } + else { + printf("Found wrapped key\n"); + } + return ret; +} + + +CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen); +CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session, + unsigned char* privId, CK_ULONG privIdLen) +{ + + CK_OBJECT_HANDLE wrappedKey; + CK_OBJECT_HANDLE dhuk; + CK_OBJECT_HANDLE key; + CK_BYTE wrappedKeyBuffer[32]; + CK_ULONG wrappedKeyBufferLen = sizeof(wrappedKeyBuffer); + int devId = WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID; + CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; + int i; + CK_RV rv; + + key = find_software_key(session); + if (key == 0) { + return CKR_FUNCTION_FAILED; + } + + // Wrap the key using the DHUK key + dhuk = find_dhuk_key(session); + if (dhuk == 0) { + return CKR_FUNCTION_FAILED; + } + + // Perform the wrapping operation + rv = funcList->C_WrapKey(session, &mech, dhuk, key, wrappedKeyBuffer, + &wrappedKeyBufferLen); + if (rv != CKR_OK) { + printf("Failed to wrap key, ret = %d\n", rv); + return rv; + } + + printf("DHUK wrapped key created : "); + for (i = 0; i < wrappedKeyBufferLen; i++) { + printf("%02X", wrappedKeyBuffer[i]); + } + printf("\n"); + + /* Create a wrapped key object */ + CK_ATTRIBUTE wrapped_key_template[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, + { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, + { CKA_VALUE, wrappedKeyBuffer, wrappedKeyBufferLen }, + { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, + { CKA_ID, privId, privIdLen }, + { CKA_DEVID, &devId, sizeof(devId) }, + }; + CK_ULONG wrapped_key_template_len = sizeof(wrapped_key_template) / sizeof(CK_ATTRIBUTE); + + rv = funcList->C_CreateObject(session, wrapped_key_template, wrapped_key_template_len, &wrappedKey); + if (rv != CKR_OK) { + return rv; + } + + printf("Created a key wrapped with using the DHUK\n"); + + return CKR_OK; +} + + +static CK_RV pkcs11_encrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, + byte* data, CK_ULONG dataLen, byte* iv, byte* out, CK_ULONG_PTR outLen) +{ + CK_MECHANISM mech = {CKM_AES_CBC, iv, 16}; + //CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; + CK_RV rv; + + rv = funcList->C_EncryptInit(session, &mech, key); + if (rv != CKR_OK) { + return rv; + } + + rv = funcList->C_Encrypt(session, data, dataLen, out, outLen); + if (rv != CKR_OK) { + return rv; + } + + return CKR_OK; +} + +/* compare encryption using the wrapped AES key versus unwrapped one */ +static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) +{ + CK_RV ret = 0; + byte plain[] = { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a + }; + byte cipher[16]; + byte expected[] = { + 0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c, + 0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8 + }; + byte iv[16]; + CK_ULONG cipherLen = sizeof(cipher); + CK_ULONG plainLen = sizeof(plain); + CK_OBJECT_HANDLE key; + int i; + + printf("Software key and wrapped key should produce the same results\n"); + + /* Encrypt plain text using software only key */ + key = find_software_key(session); + memset(cipher, 0, sizeof(cipher)); + ret = pkcs11_encrypt_with_key(session, key, plain, sizeof(plain), iv, cipher, &cipherLen); + if (ret != CKR_OK) { + return ret; + } + + printf("\tSoftware : "); + for (i = 0; i < cipherLen; i++) { + printf("%02X", cipher[i]); + } + printf("\n"); + + /* encrypt using wrapped key */ + memset(cipher, 0, sizeof(cipher)); + key = find_wrapped_key(session); + ret = pkcs11_encrypt_with_key(session, key, plain, sizeof(plain), iv, cipher, &cipherLen); + if (ret != CKR_OK) { + return ret; + } + + printf("\tWrapped : "); + for (i = 0; i < cipherLen; i++) { + printf("%02X", cipher[i]); + } + printf("\n"); + + return ret; +} + +/* Match the command line argument with the string. + * + * arg Command line argument. + * str String to check for. + * return 1 if the command line argument matches the string, 0 otherwise. + */ +static int string_matches(const char* arg, const char* str) +{ + int len = (int)XSTRLEN(str) + 1; + return XSTRNCMP(arg, str, len) == 0; +} + + +/* Display the usage options of the benchmark program. */ +static void Usage(void) +{ + printf("add_aes_key\n"); + printf("-? Help, print this usage\n"); + printf("-lib PKCS#11 library to test\n"); + printf("-slot Slot number to use\n"); + printf("-userPin User PIN\n"); + printf("-privId Private key identifier\n"); +} + + +#ifndef NO_MAIN_DRIVER +int main(int argc, char* argv[]) +#else +int stm32_dhuk_aes_key(int argc, char* argv[]) +#endif +{ + int ret; + CK_RV rv; + const char* libName = WOLFPKCS11_DLL_FILENAME; + CK_SESSION_HANDLE session = CK_INVALID_HANDLE; + unsigned char* privId = NULL; + CK_ULONG privIdLen = 0; + +#ifndef WOLFPKCS11_NO_ENV + if (!XGETENV("WOLFPKCS11_TOKEN_PATH")) { + XSETENV("WOLFPKCS11_TOKEN_PATH", "./store", 1); + } +#endif + printf("Testing PKCS11 DHUK AES use\n\r"); + + argc--; + argv++; + while (argc > 0) { + if (string_matches(*argv, "-?")) { + Usage(); + return 0; + } + else if (string_matches(*argv, "-lib")) { + argc--; + argv++; + if (argc == 0) { + fprintf(stderr, "Library name not supplied\n"); + return 1; + } + libName = *argv; + } + else if (string_matches(*argv, "-slot")) { + argc--; + argv++; + if (argc == 0) { + fprintf(stderr, "Slot number not supplied\n"); + return 1; + } + slot = atoi(*argv); + } + else if (string_matches(*argv, "-userPin")) { + argc--; + argv++; + if (argc == 0) { + fprintf(stderr, "User PIN not supplied\n"); + return 1; + } + userPin = (byte*)*argv; + } + else if (string_matches(*argv, "-privId")) { + argc--; + argv++; + if (argc == 0) { + fprintf(stderr, "Private key identifier not supplied\n"); + return 1; + } + privId = (unsigned char*)*argv; + privIdLen = (int)strlen(*argv); + } + else { + fprintf(stderr, "Unrecognized command line argument\n %s\n", + argv[0]); + return 1; + } + + argc--; + argv++; + } + + userPinLen = (int)XSTRLEN((const char*)userPin); + + rv = pkcs11_init(libName, &session); + if (rv == CKR_OK) { + rv = pkcs11_add_aes_dhuk_key(session, privId, privIdLen); + } + if (rv == CKR_OK) { + rv = pkcs11_add_aes_software_key(session, privId, privIdLen); + } + if (rv == CKR_OK) { + rv = pkcs11_wrap_aes_key(session, privId, privIdLen); + } + if (rv == CKR_OK) { + rv = pkcs11_compare_results(session); + } + pkcs11_final(session); + + if (rv == CKR_OK) + ret = 0; + else + ret = 1; + return ret; +} diff --git a/src/crypto.c b/src/crypto.c index 7e4ee71e..d32ea076 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -40,6 +40,7 @@ #define ATTR_TYPE_BOOL 1 #define ATTR_TYPE_DATA 2 #define ATTR_TYPE_DATE 3 +#define ATTR_TYPE_INT 4 #define PRF_KEY_SIZE 48 @@ -235,6 +236,7 @@ static AttributeType attrType[] = { { CKA_TRUST_CODE_SIGNING, ATTR_TYPE_ULONG }, { CKA_TRUST_STEP_UP_APPROVED, ATTR_TYPE_BOOL }, #endif + { CKA_DEVID, ATTR_TYPE_INT }, }; /* Count of elements in attribute type list. */ #define ATTR_TYPE_SIZE (sizeof(attrType) / sizeof(*attrType)) @@ -313,6 +315,13 @@ static CK_RV CheckAttributes(CK_ATTRIBUTE* pTemplate, CK_ULONG ulCount, int set) (attr->ulValueLen != sizeof(CK_ULONG))) return CKR_BUFFER_TOO_SMALL; } + else if (attrType[j].type == ATTR_TYPE_INT) { + if (attr->pValue == NULL && set) + return CKR_ATTRIBUTE_VALUE_INVALID; + if ((attr->pValue != NULL) && + (attr->ulValueLen != sizeof(CK_INT))) + return CKR_BUFFER_TOO_SMALL; + } else if (attrType[j].type == ATTR_TYPE_BOOL) { if (attr->pValue == NULL && set) return CKR_ATTRIBUTE_VALUE_INVALID; @@ -6627,11 +6636,12 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, keyClass = WP11_Object_GetClass(key); rv = CHECK_WRAPPABLE(keyClass, keyType); - if (rv != CKR_OK) + if (rv != CKR_OK) { + WOLFPKCS11_MSG("Not a wrappable key: keyClass %d keyType %d\n", keyClass, keyType); return rv; + } switch (keyType) { -#ifndef WOLFPKCS11_NO_STORE #ifndef NO_RSA case CKK_RSA: ret = WP11_Rsa_SerializeKeyPTPKC8(key, NULL, &serialSize); @@ -6672,7 +6682,6 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, goto err_out; } break; -#endif default: rv = CKR_KEY_NOT_WRAPPABLE; goto err_out; @@ -6692,14 +6701,22 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, goto err_out; } - rv = EncryptInit(hSession, pMechanism, hWrappingKey, 1); - if (rv != CKR_OK) - goto err_out; - - rv = C_Encrypt(hSession, serialBuff, serialSize, pWrappedKey, pulWrappedKeyLen); - if (rv != CKR_OK) - goto err_out; + if (WP11_Object_GetDevId(wrappingKey) == WOLFSSL_STM32U5_DHUK_DEVID) { + if (wc_Stm32_Aes_Wrap(NULL, serialBuff, serialSize, pWrappedKey, + pulWrappedKeyLen, NULL) != 0) { + rv = CKR_FUNCTION_FAILED; + goto err_out; + } + } + else { + rv = EncryptInit(hSession, pMechanism, hWrappingKey, 1); + if (rv != CKR_OK) + goto err_out; + rv = C_Encrypt(hSession, serialBuff, serialSize, pWrappedKey, pulWrappedKeyLen); + if (rv != CKR_OK) + goto err_out; + } break; #endif #ifndef NO_RSA diff --git a/src/internal.c b/src/internal.c index 4fb5372f..79ebb54f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -43,6 +43,7 @@ #include #include +#ifndef WOLFPKCS11_NO_STORE /* OS-specific includes for directory creation */ #if defined(_WIN32) || defined(_MSC_VER) #include @@ -53,6 +54,7 @@ #include #define MKDIR(path) mkdir(path, 0700) #endif +#endif #include #include @@ -292,6 +294,7 @@ struct WP11_Object { WP11_Lock* lock; /* Object specific lock */ + int devId; WP11_Object* next; /* Next object in linked list */ }; @@ -811,6 +814,7 @@ int WP11_Slot_SOPin_IsSet(WP11_Slot* slot) return slot->token.tokenFlags & WP11_TOKEN_FLAG_SO_PIN_SET; } + /** * Add a new session to the token in the slot. * @@ -2078,6 +2082,7 @@ static int wp11_Object_New(WP11_Slot* slot, CK_KEY_TYPE type, obj->onToken = 0; obj->slot = slot; obj->keyGenMech = CK_UNAVAILABLE_INFORMATION; + obj->devId = slot->devId; /* default to slot's devId */ /* TPM key allocation will be done later when object class is known */ } @@ -2315,6 +2320,7 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest) OBJ_COPY_DATA(src, dest, subject); dest->category = src->category; + dest->devId = src->devId; if (src->objClass == CKO_CERTIFICATE) { return BAD_FUNC_ARG; @@ -2339,13 +2345,13 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest) #ifndef NO_RSA case CKK_RSA: ret = wc_InitRsaKey_ex(dest->data.rsaKey, NULL, - dest->slot->devId); + dest->devId); break; #endif #ifdef HAVE_ECC case CKK_EC: ret = wc_ecc_init_ex(dest->data.ecKey, NULL, - dest->slot->devId); + dest->devId); break; #endif default: @@ -2386,7 +2392,7 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest) /* Initialize destination RSA key */ ret = wc_InitRsaKey_ex(dest->data.rsaKey, NULL, - dest->slot->devId); + dest->devId); if (ret != 0) break; @@ -2452,7 +2458,7 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest) /* Initialize destination ECC key */ ret = wc_ecc_init_ex(dest->data.ecKey, NULL, - dest->slot->devId); + dest->devId); if (ret != 0) break; @@ -2561,12 +2567,12 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest) * @return -ve on failure. */ static int wp11_EncryptData(byte* out, byte* data, int len, byte* key, - int keySz, byte* iv, int ivSz) + int keySz, byte* iv, int ivSz, int devId) { Aes aes; int ret; - ret = wc_AesInit(&aes, NULL, INVALID_DEVID); + ret = wc_AesInit(&aes, NULL, devId); if (ret == 0) { ret = wc_AesGcmSetKey(&aes, key, keySz); } @@ -2595,12 +2601,12 @@ static int wp11_EncryptData(byte* out, byte* data, int len, byte* key, * @return Other -ve on failure. */ static int wp11_DecryptData(byte* out, byte* data, int len, byte* key, - int keySz, byte* iv, int ivSz) + int keySz, byte* iv, int ivSz, int devId) { Aes aes; int ret; - ret = wc_AesInit(&aes, NULL, INVALID_DEVID); + ret = wc_AesInit(&aes, NULL, devId); if (ret == 0) { ret = wc_AesGcmSetKey(&aes, key, keySz); } @@ -3282,7 +3288,7 @@ static int wp11_Object_Decode_RsaKey(WP11_Object* object) word32 idx = 0; RsaKey* key = object->data.rsaKey; - ret = wc_InitRsaKey_ex(key, NULL, object->slot->devId); + ret = wc_InitRsaKey_ex(key, NULL, object->devId); if (ret != 0) { return ret; } @@ -3305,7 +3311,7 @@ static int wp11_Object_Decode_RsaKey(WP11_Object* object) ret = wp11_DecryptData(der, object->keyData, len, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); } if (ret == 0) { /* Decode RSA private key. */ @@ -3397,7 +3403,7 @@ static int wp11_Object_Encode_RsaKey(WP11_Object* object) ret = wp11_EncryptData(object->keyData, object->keyData, ret, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); } #else ret = NOT_COMPILED_IN; @@ -3628,7 +3634,7 @@ static int wp11_Object_Decode_EccKey(WP11_Object* object) word32 idx = 0; ecc_key* key = object->data.ecKey; - ret = wc_ecc_init_ex(key, NULL, object->slot->devId); + ret = wc_ecc_init_ex(key, NULL, object->devId); if (ret != 0) { return ret; } @@ -3651,10 +3657,10 @@ static int wp11_Object_Decode_EccKey(WP11_Object* object) ret = wp11_DecryptData(der, object->keyData, len, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); } if (ret == 0) { - ret = wc_ecc_init_ex(key, NULL, object->slot->devId); + ret = wc_ecc_init_ex(key, NULL, object->devId); } if (ret == 0) { /* Decode ECC private key. */ @@ -3736,7 +3742,7 @@ static int wp11_Object_Encode_EccKey(WP11_Object* object) ret = wp11_EncryptData(object->keyData, object->keyData, ret, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); } } else if (ret == 0 && object->objClass == CKO_PUBLIC_KEY) { @@ -3856,7 +3862,7 @@ static int wp11_Object_Decode_DhKey(WP11_Object* object) object->keyDataLen - AES_BLOCK_SIZE, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); if (ret == 0) object->data.dhKey->len = object->keyDataLen - AES_BLOCK_SIZE; } @@ -3896,7 +3902,7 @@ static int wp11_Object_Encode_DhKey(WP11_Object* object) object->data.dhKey->len, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); if (ret == 0) object->keyDataLen = object->data.dhKey->len + AES_BLOCK_SIZE; } @@ -4190,7 +4196,7 @@ static int wp11_Object_Decode_SymmKey(WP11_Object* object) object->keyDataLen - AES_BLOCK_SIZE, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); } if (ret == 0) object->data.symmKey->len = object->keyDataLen - AES_BLOCK_SIZE; @@ -4223,7 +4229,7 @@ static int wp11_Object_Encode_SymmKey(WP11_Object* object) object->data.symmKey->len, object->slot->token.key, sizeof(object->slot->token.key), object->iv, - sizeof(object->iv)); + sizeof(object->iv), object->devId); if (ret == 0) object->keyDataLen = object->data.symmKey->len + AES_BLOCK_SIZE; } @@ -4850,6 +4856,7 @@ static int wp11_Object_Unstore(WP11_Object* object, int tokenId, int objId) } #endif /* !WOLFPKCS11_NO_STORE */ + /** * Initialize the token. * @@ -6803,7 +6810,7 @@ int WP11_Session_SetCbcParams(WP11_Session* session, unsigned char* iv, WP11_Data* key; /* AES object on session. */ - ret = wc_AesInit(&cbc->aes, NULL, session->devId); + ret = wc_AesInit(&cbc->aes, NULL, object->devId); if (ret == 0) { if (object->onToken) WP11_Lock_LockRO(object->lock); @@ -6841,7 +6848,7 @@ int WP11_Session_SetCtrParams(WP11_Session* session, CK_ULONG ulCounterBits, if (ulCounterBits > 128 || ulCounterBits == 0) return BAD_FUNC_ARG; - ret = wc_AesInit(&ctr->aes, NULL, session->devId); + ret = wc_AesInit(&ctr->aes, NULL, object->devId); if (ret == 0) { if (object->onToken) WP11_Lock_LockRO(object->lock); @@ -6864,7 +6871,7 @@ int WP11_Session_SetAesWrapParams(WP11_Session* session, byte* iv, word32 ivLen, WP11_Data *key; XMEMSET(wrap, 0, sizeof(*wrap)); - ret = wc_AesInit(&wrap->aes, NULL, session->devId); + ret = wc_AesInit(&wrap->aes, NULL, object->devId); if (ret == 0) { if (object->onToken) WP11_Lock_LockRO(object->lock); @@ -6988,7 +6995,7 @@ int WP11_Session_SetCtsParams(WP11_Session* session, unsigned char* iv, WP11_Data* key; /* AES object on session. */ - ret = wc_AesInit(&cts->aes, NULL, session->devId); + ret = wc_AesInit(&cts->aes, NULL, object->devId); if (ret == 0) { if (object->onToken) WP11_Lock_LockRO(object->lock); @@ -7454,6 +7461,17 @@ CK_KEY_TYPE WP11_Object_GetType(WP11_Object* object) return object->type; } +/** + * Get the object's devId. + * + * @param object [in] Object object. + * @return Object's devId. + */ +CK_INT WP11_Object_GetDevId(WP11_Object* object) +{ + return object->devId; +} + /** * Get the object's class. * @@ -7510,7 +7528,7 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data, WP11_Lock_LockRW(object->lock); key = object->data.rsaKey; - ret = wc_InitRsaKey_ex(key, NULL, object->slot->devId); + ret = wc_InitRsaKey_ex(key, NULL, object->devId); if (ret == 0) { ret = SetMPI(&key->d, data[1], (int)len[1]); if (ret == 0) @@ -7695,7 +7713,7 @@ int WP11_Object_SetEcKey(WP11_Object* object, unsigned char** data, WP11_Lock_LockRW(object->lock); key = object->data.ecKey; - ret = wc_ecc_init_ex(key, NULL, object->slot->devId); + ret = wc_ecc_init_ex(key, NULL, object->devId); if (ret == 0) { if (ret == 0 && data[0] != NULL) ret = EcSetParams(key, data[0], (int)len[0]); @@ -7754,7 +7772,7 @@ int WP11_Object_SetDhKey(WP11_Object* object, unsigned char** data, WP11_Lock_LockRW(object->lock); key = object->data.dhKey; - ret = wc_InitDhKey_ex(&key->params, NULL, INVALID_DEVID); + ret = wc_InitDhKey_ex(&key->params, NULL, object->devId); if (ret == 0) { if (data[0] != NULL && data[1] != NULL) ret = wc_DhSetKey(&key->params, data[0], (int)len[0], data[1], @@ -8174,6 +8192,23 @@ static int GetULong(CK_ULONG value, byte* data, CK_ULONG* len) return ret; } +static int GetAttributeInt(int value, byte* data, CK_ULONG* len) +{ + int ret = 0; + CK_ULONG dataLen = sizeof(value); + + if (data == NULL) + *len = dataLen; + else if (*len < dataLen) + ret = BUFFER_E; + else { + *len = dataLen; + *(int*)data = value; + } + + return ret; +} + /** * Get the data of a data array. * @@ -8945,6 +8980,10 @@ int WP11_Object_GetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data, } break; } + + case CKA_DEVID: + ret = GetAttributeInt(object->devId, data, len); + break; } if (object->onToken) @@ -9316,6 +9355,11 @@ int WP11_Object_SetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data, ret = BAD_FUNC_ARG; } break; + + case CKA_DEVID: + object->devId = *(CK_INT*)data; + break; + default: ret = BAD_FUNC_ARG; break; @@ -9568,7 +9612,7 @@ int WP11_Rsa_ParsePrivKey(byte* data, word32 dataLen, WP11_Object* privKey) int ret = 0; word32 idx = 0; - ret = wc_InitRsaKey_ex(privKey->data.rsaKey, NULL, privKey->slot->devId); + ret = wc_InitRsaKey_ex(privKey->data.rsaKey, NULL, privKey->devId); if (ret == 0) { ret = wc_RsaPrivateKeyDecode(data, &idx, privKey->data.rsaKey, dataLen); } @@ -9593,7 +9637,7 @@ int WP11_Rsa_PrivKey2PubKey(WP11_Object* privKey, WP11_Object* pubKey, int ret; word32 idx = 0; - ret = wc_InitRsaKey_ex(pubKey->data.rsaKey, NULL, pubKey->slot->devId); + ret = wc_InitRsaKey_ex(pubKey->data.rsaKey, NULL, pubKey->devId); if (ret == 0) { ret = wc_RsaKeyToPublicDer(privKey->data.rsaKey, workbuf, worksz); if (ret >= 0) { @@ -9649,7 +9693,7 @@ int WP11_Rsa_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv, if (ret == 0) { ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng); if (ret == 0) { - ret = wc_InitRsaKey_ex(priv->data.rsaKey, NULL, priv->slot->devId); + ret = wc_InitRsaKey_ex(priv->data.rsaKey, NULL, priv->devId); if (ret == 0) { #ifdef WOLFPKCS11_TPM priv->slot->tpmCtx.rsaKeyGen = priv->tpmKey; @@ -10381,7 +10425,7 @@ int WP11_Ec_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv, int ret = 0; WC_RNG rng; - ret = wc_ecc_init_ex(priv->data.ecKey, NULL, priv->slot->devId); + ret = wc_ecc_init_ex(priv->data.ecKey, NULL, priv->devId); if (ret == 0) { #ifdef WOLFPKCS11_TPM CK_BBOOL isSign = CK_FALSE; @@ -10751,7 +10795,7 @@ int WP11_EC_Derive(unsigned char* point, word32 pointLen, unsigned char* key, } } - ret = wc_ecc_init_ex(&pubKey, NULL, priv->slot->devId); + ret = wc_ecc_init_ex(&pubKey, NULL, priv->devId); if (ret == 0) { if (priv->data.ecKey->dp) { ret = wc_ecc_import_x963_ex(x963Data, x963Len, &pubKey, @@ -11010,7 +11054,7 @@ int WP11_AesCbc_DeriveKey(unsigned char* plain, word32 plainSz, return BAD_FUNC_ARG; XMEMSET(&aes, 0, sizeof(aes)); - ret = wc_AesInit(&aes, NULL, key->slot->devId); + ret = wc_AesInit(&aes, NULL, key->devId); if (ret == 0) { ret = wc_AesSetKey(&aes, key->data.symmKey->data, key->data.symmKey->len, iv, AES_ENCRYPTION); @@ -11683,7 +11727,7 @@ int WP11_AesGcm_Encrypt(unsigned char* plain, word32 plainSz, word32 authTagSz = gcm->tagBits / 8; unsigned char* authTag = enc + plainSz; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -11735,7 +11779,7 @@ int WP11_AesGcm_EncryptUpdate(unsigned char* plain, word32 plainSz, word32 authTagSz = gcm->tagBits / 8; unsigned char* authTag = gcm->authTag; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -11815,7 +11859,7 @@ int WP11_AesGcm_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec, word32 authTagSz = gcm->tagBits / 8; unsigned char* authTag = enc + encSz - authTagSz; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) { WP11_Lock_LockRO(secret->lock); @@ -11977,7 +12021,7 @@ int WP11_AesCcm_Encrypt(unsigned char* plain, word32 plainSz, word32 authTagSz = ccm->macSz; unsigned char* authTag = enc + plainSz; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -12032,7 +12076,7 @@ int WP11_AesCcm_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec, unsigned char* authTag = enc + encSz - authTagSz; encSz -= authTagSz; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -12088,7 +12132,7 @@ int WP11_AesEcb_Encrypt(unsigned char* plain, word32 plainSz, Aes aes; WP11_Data* key; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -12129,7 +12173,7 @@ int WP11_AesEcb_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec, Aes aes; WP11_Data* key; - ret = wc_AesInit(&aes, NULL, session->devId); + ret = wc_AesInit(&aes, NULL, secret->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); diff --git a/wolfpkcs11/pkcs11.h b/wolfpkcs11/pkcs11.h index 48a976f7..99b1a0be 100644 --- a/wolfpkcs11/pkcs11.h +++ b/wolfpkcs11/pkcs11.h @@ -57,6 +57,13 @@ extern "C" { #define CKA_NSS (CKA_VENDOR_DEFINED | CK_VENDOR_NSS) #endif +#ifdef WOLFPKCS11_DHUK +#define CK_VENDOR_DEVID 0x1L +/* Set the crypto callback device ID to be used with the object */ +#define CKA_DEVID (CKA_VENDOR_DEFINED | CK_VENDOR_DEVID) + +#endif + #ifndef NULL_PTR #define NULL_PTR 0 #endif @@ -444,6 +451,7 @@ typedef CK_BYTE CK_UTF8CHAR; typedef CK_BYTE CK_BBOOL; typedef unsigned long int CK_ULONG; typedef long int CK_LONG; +typedef int CK_INT; typedef CK_ULONG CK_FLAGS; typedef CK_BYTE* CK_BYTE_PTR; typedef CK_CHAR* CK_CHAR_PTR; From 4bb667ab9be4ba5e5dab5e009317fc783ed21625 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 18 Aug 2025 10:31:14 -0600 Subject: [PATCH 02/11] improving example --- examples/stm32_dhuk_aes_key.c | 329 ++++++---------------------------- 1 file changed, 54 insertions(+), 275 deletions(-) diff --git a/examples/stm32_dhuk_aes_key.c b/examples/stm32_dhuk_aes_key.c index 635c4776..e77a494a 100644 --- a/examples/stm32_dhuk_aes_key.c +++ b/examples/stm32_dhuk_aes_key.c @@ -36,10 +36,6 @@ #endif #include -#ifndef HAVE_PKCS11_STATIC -#include -#endif - extern int uart_printf(const char* format, ...); #undef printf #define printf uart_printf @@ -66,10 +62,6 @@ extern int uart_printf(const char* format, ...); #define WOLFPKCS11_DLL_SLOT 1 #endif - -#ifndef HAVE_PKCS11_STATIC -static void* dlib; -#endif static CK_FUNCTION_LIST* funcList; static CK_SLOT_ID slot = WOLFPKCS11_DLL_SLOT; @@ -77,38 +69,11 @@ static byte* userPin = (byte*)"wolfpkcs11-test"; static CK_ULONG userPinLen; -static CK_RV pkcs11_init(const char* library, CK_SESSION_HANDLE* session) +static CK_RV pkcs11_init(CK_SESSION_HANDLE* session) { CK_RV ret = CKR_OK; -#ifndef HAVE_PKCS11_STATIC - void* func; - dlib = dlopen(library, RTLD_NOW | RTLD_LOCAL); - if (dlib == NULL) { - fprintf(stderr, "dlopen error: %s\n", dlerror()); - ret = -1; - } - - if (ret == CKR_OK) { - func = (void*)(CK_C_GetFunctionList)dlsym(dlib, "C_GetFunctionList"); - if (func == NULL) { - fprintf(stderr, "Failed to get function list function\n"); - ret = -1; - } - } - - if (ret == CKR_OK) { - ret = ((CK_C_GetFunctionList)func)(&funcList); - CHECK_CKR(ret, "Get Function List call"); - } - - if (ret != CKR_OK && dlib != NULL) - dlclose(dlib); - -#else ret = C_GetFunctionList(&funcList); - (void)library; -#endif if (ret == CKR_OK) { ret = funcList->C_Initialize(NULL); @@ -137,9 +102,6 @@ static void pkcs11_final(CK_SESSION_HANDLE session) funcList->C_CloseSession(session); funcList->C_Finalize(NULL); -#ifndef HAVE_PKCS11_STATIC - dlclose(dlib); -#endif } @@ -158,182 +120,9 @@ static unsigned char aes_256_key[] = { 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 }; -/* Search for DHUK object which is the DHUK key to be used with C_WrapKey */ -CK_RV pkcs11_find_dhuk_key_object(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen); -CK_RV pkcs11_find_dhuk_key_object(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen) -{ - CK_RV ret; - CK_OBJECT_HANDLE objects[10]; /* Buffer to hold object handles */ - CK_ULONG objectCount = 0; - CK_ULONG foundCount = 0; - CK_ATTRIBUTE labelAttr; - unsigned char labelBuffer[256]; - CK_ULONG i; - CK_ATTRIBUTE searchTemplate; - - - printf("Searching for existing PKCS11 objects...\n"); - - /* First, let's find all objects to see what's available */ - ret = funcList->C_FindObjectsInit(session, &searchTemplate, 0); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjectsInit (all objects)"); - return ret; - } - - /* Get all objects */ - ret = funcList->C_FindObjects(session, objects, 10, &objectCount); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjects (all objects)"); - funcList->C_FindObjectsFinal(session); - return ret; - } - printf("Found %lu total objects\n", objectCount); - - /* Iterate through all objects and print their labels */ - for (i = 0; i < objectCount; i++) { - CK_ATTRIBUTE attrs[3]; - CK_OBJECT_CLASS objClass; - CK_KEY_TYPE keyType; - unsigned char classBuffer[sizeof(CK_OBJECT_CLASS)]; - unsigned char typeBuffer[sizeof(CK_KEY_TYPE)]; - - /* Get object class */ - attrs[0].type = CKA_CLASS; - attrs[0].pValue = classBuffer; - attrs[0].ulValueLen = sizeof(classBuffer); - - /* Get key type (for key objects) */ - attrs[1].type = CKA_KEY_TYPE; - attrs[1].pValue = typeBuffer; - attrs[1].ulValueLen = sizeof(typeBuffer); - - /* Get label */ - attrs[2].type = CKA_LABEL; - attrs[2].pValue = labelBuffer; - attrs[2].ulValueLen = sizeof(labelBuffer); - - ret = funcList->C_GetAttributeValue(session, objects[i], attrs, 3); - if (ret == CKR_OK) { - objClass = *(CK_OBJECT_CLASS*)classBuffer; - keyType = *(CK_KEY_TYPE*)typeBuffer; - - /* Only show AES keys and vendor-defined keys */ - if (objClass == CKO_SECRET_KEY && - (keyType == CKK_AES || keyType == CKK_VENDOR_DEFINED)) { - - if (keyType == CKK_AES) { - printf("AES Key %lu: ", i); - } else { - printf("Vendor Key %lu: ", i); - } - - if (attrs[2].ulValueLen > 0) { - printf("Label='%.*s'", (int)attrs[2].ulValueLen, (char*)labelBuffer); - } else { - printf("No label"); - } - printf("\n"); - } - } else { - printf("Object %lu: Error getting attributes (ret=%ld)\n", i, ret); - } - } - - ret = funcList->C_FindObjectsFinal(session); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjectsFinal (all objects)"); - } - - /* Now search for the specific DHUK key object */ - if (privId != NULL && privIdLen > 0) { - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, - { CKA_ID, privId, privIdLen } - }; - - ret = funcList->C_FindObjectsInit(session, searchTemplate, sizeof(searchTemplate) / sizeof(CK_ATTRIBUTE)); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjectsInit (DHUK search)"); - return ret; - } - - ret = funcList->C_FindObjects(session, objects, 1, &foundCount); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjects (DHUK search)"); - funcList->C_FindObjectsFinal(session); - return ret; - } - - ret = funcList->C_FindObjectsFinal(session); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjectsFinal (DHUK search)"); - } - - if (foundCount > 0) { - printf("Found DHUK key object with ID '%.*s'\n", (int)privIdLen, privId); - return CKR_OK; - } else { - printf("DHUK key object with ID '%.*s' not found\n", (int)privIdLen, privId); - return CKR_FUNCTION_FAILED; - } - } - - return CKR_OK; -} - -/* Use the AES key for encryption/decryption */ -CK_RV pkcs11_use_aes_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen); -CK_RV pkcs11_use_aes_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen) -{ - CK_RV ret; - CK_OBJECT_HANDLE keyHandle; - CK_ULONG foundCount = 0; - - printf("Using AES key...\n"); - - /* Find the AES key object */ - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, - { CKA_ID, privId, privIdLen } - }; - - ret = funcList->C_FindObjectsInit(session, searchTemplate, sizeof(searchTemplate) / sizeof(CK_ATTRIBUTE)); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjectsInit (AES key)"); - return ret; - } - - ret = funcList->C_FindObjects(session, &keyHandle, 1, &foundCount); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjects (AES key)"); - funcList->C_FindObjectsFinal(session); - return ret; - } - - ret = funcList->C_FindObjectsFinal(session); - if (ret != CKR_OK) { - CHECK_CKR(ret, "FindObjectsFinal (AES key)"); - } - - if (foundCount > 0) { - printf("Found AES key object, ready for use\n"); - return CKR_OK; - } else { - printf("AES key object not found\n"); - return CKR_FUNCTION_FAILED; - } -} - -CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen); -CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen) +CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session); +CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session) { CK_RV ret; int devId = WOLFSSL_STM32U5_DHUK_DEVID; /* signal use of hardware key */ @@ -359,10 +148,8 @@ CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session, return ret; } -CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen); -CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen) +CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session); +CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session) { CK_RV ret; int devId = WOLFSSL_STM32U5_SAES_DEVID; @@ -415,7 +202,6 @@ CK_OBJECT_HANDLE find_key_type(CK_SESSION_HANDLE session, int devId) ret = funcList->C_GetAttributeValue(session, obj, getTmpl, getTmplCnt); printf("Return value from GetAttributeValue = %d, {%d, %d}\n", ret, devIdFound, getTmpl[0].ulValueLen); if (devIdFound == devId) { - printf("Found matching object\n"); match = obj; break; } @@ -471,10 +257,8 @@ static CK_OBJECT_HANDLE find_wrapped_key(CK_SESSION_HANDLE session) } -CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen); -CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session, - unsigned char* privId, CK_ULONG privIdLen) +CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session); +CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) { CK_OBJECT_HANDLE wrappedKey; @@ -520,7 +304,6 @@ CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session, { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, - { CKA_ID, privId, privIdLen }, { CKA_DEVID, &devId, sizeof(devId) }, }; CK_ULONG wrapped_key_template_len = sizeof(wrapped_key_template) / sizeof(CK_ATTRIBUTE); @@ -556,6 +339,28 @@ static CK_RV pkcs11_encrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE return CKR_OK; } + +static CK_RV pkcs11_decrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, + byte* data, CK_ULONG dataLen, byte* iv, byte* out, CK_ULONG_PTR outLen) +{ + CK_MECHANISM mech = {CKM_AES_CBC, iv, 16}; + //CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; + CK_RV rv; + + rv = funcList->C_DecryptInit(session, &mech, key); + if (rv != CKR_OK) { + return rv; + } + + rv = funcList->C_Decrypt(session, data, dataLen, out, outLen); + if (rv != CKR_OK) { + return rv; + } + + return CKR_OK; +} + + /* compare encryption using the wrapped AES key versus unwrapped one */ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) { @@ -565,6 +370,7 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a }; byte cipher[16]; + byte output[16]; byte expected[] = { 0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c, 0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8 @@ -572,11 +378,17 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) byte iv[16]; CK_ULONG cipherLen = sizeof(cipher); CK_ULONG plainLen = sizeof(plain); + CK_ULONG outputLen = sizeof(output); CK_OBJECT_HANDLE key; int i; printf("Software key and wrapped key should produce the same results\n"); + /* in applications a random IV should be used, for this example it is constant */ + for (i = 0; i < 16; i++) { + iv[i] = i; + } + /* Encrypt plain text using software only key */ key = find_software_key(session); memset(cipher, 0, sizeof(cipher)); @@ -585,7 +397,7 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) return ret; } - printf("\tSoftware : "); + printf("\tSAES User Key [Encrypted]: "); for (i = 0; i < cipherLen; i++) { printf("%02X", cipher[i]); } @@ -599,12 +411,24 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) return ret; } - printf("\tWrapped : "); + printf("\tWrapped Key [Encrypted] : "); for (i = 0; i < cipherLen; i++) { printf("%02X", cipher[i]); } printf("\n"); + memset(output, 0, sizeof(output)); + ret = pkcs11_decrypt_with_key(session, key, cipher, cipherLen, iv, output, &outputLen); + if (ret != CKR_OK) { + return ret; + } + + printf("\tWrapped Key [Decrypted] : "); + for (i = 0; i < outputLen; i++) { + printf("%02X", output[i]); + } + printf("\n"); + return ret; } @@ -626,10 +450,6 @@ static void Usage(void) { printf("add_aes_key\n"); printf("-? Help, print this usage\n"); - printf("-lib PKCS#11 library to test\n"); - printf("-slot Slot number to use\n"); - printf("-userPin User PIN\n"); - printf("-privId Private key identifier\n"); } @@ -643,8 +463,6 @@ int stm32_dhuk_aes_key(int argc, char* argv[]) CK_RV rv; const char* libName = WOLFPKCS11_DLL_FILENAME; CK_SESSION_HANDLE session = CK_INVALID_HANDLE; - unsigned char* privId = NULL; - CK_ULONG privIdLen = 0; #ifndef WOLFPKCS11_NO_ENV if (!XGETENV("WOLFPKCS11_TOKEN_PATH")) { @@ -660,43 +478,6 @@ int stm32_dhuk_aes_key(int argc, char* argv[]) Usage(); return 0; } - else if (string_matches(*argv, "-lib")) { - argc--; - argv++; - if (argc == 0) { - fprintf(stderr, "Library name not supplied\n"); - return 1; - } - libName = *argv; - } - else if (string_matches(*argv, "-slot")) { - argc--; - argv++; - if (argc == 0) { - fprintf(stderr, "Slot number not supplied\n"); - return 1; - } - slot = atoi(*argv); - } - else if (string_matches(*argv, "-userPin")) { - argc--; - argv++; - if (argc == 0) { - fprintf(stderr, "User PIN not supplied\n"); - return 1; - } - userPin = (byte*)*argv; - } - else if (string_matches(*argv, "-privId")) { - argc--; - argv++; - if (argc == 0) { - fprintf(stderr, "Private key identifier not supplied\n"); - return 1; - } - privId = (unsigned char*)*argv; - privIdLen = (int)strlen(*argv); - } else { fprintf(stderr, "Unrecognized command line argument\n %s\n", argv[0]); @@ -707,17 +488,15 @@ int stm32_dhuk_aes_key(int argc, char* argv[]) argv++; } - userPinLen = (int)XSTRLEN((const char*)userPin); - - rv = pkcs11_init(libName, &session); + rv = pkcs11_init(&session); if (rv == CKR_OK) { - rv = pkcs11_add_aes_dhuk_key(session, privId, privIdLen); + rv = pkcs11_add_aes_dhuk_key(session); } if (rv == CKR_OK) { - rv = pkcs11_add_aes_software_key(session, privId, privIdLen); + rv = pkcs11_add_aes_software_key(session); } if (rv == CKR_OK) { - rv = pkcs11_wrap_aes_key(session, privId, privIdLen); + rv = pkcs11_wrap_aes_key(session); } if (rv == CKR_OK) { rv = pkcs11_compare_results(session); From 6e6e7a83cb3d6e65cd4b20e1621c74b050b2cf36 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 18 Aug 2025 14:09:26 -0600 Subject: [PATCH 03/11] resolving warnings of unused function --- examples/stm32_dhuk_aes_key.c | 44 +---------------------------------- src/crypto.c | 2 +- wolfpkcs11/internal.h | 1 + 3 files changed, 3 insertions(+), 44 deletions(-) diff --git a/examples/stm32_dhuk_aes_key.c b/examples/stm32_dhuk_aes_key.c index e77a494a..c84cf330 100644 --- a/examples/stm32_dhuk_aes_key.c +++ b/examples/stm32_dhuk_aes_key.c @@ -371,13 +371,8 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) }; byte cipher[16]; byte output[16]; - byte expected[] = { - 0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c, - 0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8 - }; byte iv[16]; CK_ULONG cipherLen = sizeof(cipher); - CK_ULONG plainLen = sizeof(plain); CK_ULONG outputLen = sizeof(output); CK_OBJECT_HANDLE key; int i; @@ -432,26 +427,6 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) return ret; } -/* Match the command line argument with the string. - * - * arg Command line argument. - * str String to check for. - * return 1 if the command line argument matches the string, 0 otherwise. - */ -static int string_matches(const char* arg, const char* str) -{ - int len = (int)XSTRLEN(str) + 1; - return XSTRNCMP(arg, str, len) == 0; -} - - -/* Display the usage options of the benchmark program. */ -static void Usage(void) -{ - printf("add_aes_key\n"); - printf("-? Help, print this usage\n"); -} - #ifndef NO_MAIN_DRIVER int main(int argc, char* argv[]) @@ -461,7 +436,6 @@ int stm32_dhuk_aes_key(int argc, char* argv[]) { int ret; CK_RV rv; - const char* libName = WOLFPKCS11_DLL_FILENAME; CK_SESSION_HANDLE session = CK_INVALID_HANDLE; #ifndef WOLFPKCS11_NO_ENV @@ -469,24 +443,8 @@ int stm32_dhuk_aes_key(int argc, char* argv[]) XSETENV("WOLFPKCS11_TOKEN_PATH", "./store", 1); } #endif - printf("Testing PKCS11 DHUK AES use\n\r"); - - argc--; - argv++; - while (argc > 0) { - if (string_matches(*argv, "-?")) { - Usage(); - return 0; - } - else { - fprintf(stderr, "Unrecognized command line argument\n %s\n", - argv[0]); - return 1; - } + printf("Example PKCS11 DHUK AES use\n\r"); - argc--; - argv++; - } rv = pkcs11_init(&session); if (rv == CKR_OK) { diff --git a/src/crypto.c b/src/crypto.c index d32ea076..bf0aa723 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -6703,7 +6703,7 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, if (WP11_Object_GetDevId(wrappingKey) == WOLFSSL_STM32U5_DHUK_DEVID) { if (wc_Stm32_Aes_Wrap(NULL, serialBuff, serialSize, pWrappedKey, - pulWrappedKeyLen, NULL) != 0) { + (word32*)pulWrappedKeyLen, NULL) != 0) { rv = CKR_FUNCTION_FAILED; goto err_out; } diff --git a/wolfpkcs11/internal.h b/wolfpkcs11/internal.h index 97f37d15..ab31c13a 100644 --- a/wolfpkcs11/internal.h +++ b/wolfpkcs11/internal.h @@ -386,6 +386,7 @@ WP11_LOCAL int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest); WP11_LOCAL CK_OBJECT_HANDLE WP11_Object_GetHandle(WP11_Object* object); WP11_LOCAL CK_KEY_TYPE WP11_Object_GetType(WP11_Object* object); +WP11_LOCAL int WP11_Object_GetDevId(WP11_Object* object); WP11_LOCAL int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data, CK_ULONG* len); From e25c58aecd73568fbd2a95d7190471b778f33581 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 18 Aug 2025 14:41:44 -0600 Subject: [PATCH 04/11] fix macro guard for alternate build configurations --- src/crypto.c | 11 ++++++++--- wolfpkcs11/pkcs11.h | 5 +---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/crypto.c b/src/crypto.c index bf0aa723..4eaec34c 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -6701,19 +6701,24 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, goto err_out; } - if (WP11_Object_GetDevId(wrappingKey) == WOLFSSL_STM32U5_DHUK_DEVID) { + #ifdef WOLFPKCS11_DHUK + if (WP11_Object_GetDevId(wrappingKey) == + WOLFSSL_STM32U5_DHUK_DEVID) { if (wc_Stm32_Aes_Wrap(NULL, serialBuff, serialSize, pWrappedKey, (word32*)pulWrappedKeyLen, NULL) != 0) { rv = CKR_FUNCTION_FAILED; goto err_out; } } - else { + else + #endif + { rv = EncryptInit(hSession, pMechanism, hWrappingKey, 1); if (rv != CKR_OK) goto err_out; - rv = C_Encrypt(hSession, serialBuff, serialSize, pWrappedKey, pulWrappedKeyLen); + rv = C_Encrypt(hSession, serialBuff, serialSize, pWrappedKey, + pulWrappedKeyLen); if (rv != CKR_OK) goto err_out; } diff --git a/wolfpkcs11/pkcs11.h b/wolfpkcs11/pkcs11.h index 99b1a0be..f98a7078 100644 --- a/wolfpkcs11/pkcs11.h +++ b/wolfpkcs11/pkcs11.h @@ -57,13 +57,10 @@ extern "C" { #define CKA_NSS (CKA_VENDOR_DEFINED | CK_VENDOR_NSS) #endif -#ifdef WOLFPKCS11_DHUK -#define CK_VENDOR_DEVID 0x1L +#define CK_VENDOR_DEVID 0x1000L /* Set the crypto callback device ID to be used with the object */ #define CKA_DEVID (CKA_VENDOR_DEFINED | CK_VENDOR_DEVID) -#endif - #ifndef NULL_PTR #define NULL_PTR 0 #endif From c3adf02c3c6ab1b7d7a958c50066a670bd9620ad Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 18 Aug 2025 14:54:51 -0600 Subject: [PATCH 05/11] default to SAES devId when available, remove extra debug message --- src/crypto.c | 1 - src/internal.c | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/crypto.c b/src/crypto.c index 4eaec34c..d63a0d56 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -6637,7 +6637,6 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, rv = CHECK_WRAPPABLE(keyClass, keyType); if (rv != CKR_OK) { - WOLFPKCS11_MSG("Not a wrappable key: keyClass %d keyType %d\n", keyClass, keyType); return rv; } diff --git a/src/internal.c b/src/internal.c index 79ebb54f..662dc10e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5355,6 +5355,8 @@ static int wp11_Slot_Init(WP11_Slot* slot, int id) ret = wp11_TpmInit(slot); #elif defined (WOLFSSL_MAXQ10XX_CRYPTO) slot->devId = MAXQ_DEVICE_ID; + #elif defined (WOLFSSL_STM32U5_DHUK) + slot->devId = WOLFSSL_STM32U5_SAES_DEVID; #endif /* Create the minimum number of unused sessions. */ for (i = 0; ret == 0 && i < WP11_SESSION_CNT_MIN; i++) { From 87fc1778bbbc3822de4c57ed27aa773f241b0c68 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 18 Aug 2025 15:01:36 -0600 Subject: [PATCH 06/11] fix for unused parameter warning --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index 662dc10e..fb99e1ec 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12151,6 +12151,7 @@ int WP11_AesEcb_Encrypt(unsigned char* plain, word32 plainSz, wc_AesFree(&aes); } + (void)session; return ret; } @@ -12194,6 +12195,7 @@ int WP11_AesEcb_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec, wc_AesFree(&aes); } + (void)session; return ret; } #endif /* HAVE_AESECB */ From 073bf035a093f542cbc62c321c39daca3bbd9679 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 19 Aug 2025 14:51:44 -0600 Subject: [PATCH 07/11] fix for no store macro guard --- src/crypto.c | 4 +++- src/internal.c | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/crypto.c b/src/crypto.c index d63a0d56..73eb079c 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -6641,7 +6641,7 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, } switch (keyType) { -#ifndef NO_RSA +#if !defined(NO_RSA) && !defined(WOLFPKCS11_NO_STORE) case CKK_RSA: ret = WP11_Rsa_SerializeKeyPTPKC8(key, NULL, &serialSize); if (ret != 0) @@ -6659,6 +6659,7 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, } break; #endif +#if defined(WOLFSSL_STM32U5_DHUK) || !defined(WOLFPKCS11_NO_STORE) #ifndef NO_AES case CKK_AES: #endif @@ -6681,6 +6682,7 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, goto err_out; } break; +#endif default: rv = CKR_KEY_NOT_WRAPPABLE; goto err_out; diff --git a/src/internal.c b/src/internal.c index fb99e1ec..da32f4a5 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7161,6 +7161,7 @@ int WP11_Session_RemoveObject(WP11_Session* session, WP11_Object* object) else { WP11_Lock_UnlockRW(&session->slot->token.lock); } + (void)id; /* set but not used with WOLFPKCS11_NO_STORE */ return ret; } From 2ff2eae19c36bacfbd1e390cfe88a523dd91f69f Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 19 Aug 2025 17:04:21 -0600 Subject: [PATCH 08/11] added example to make dist --- examples/include.am | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/include.am b/examples/include.am index 34035d9f..1d67dc3f 100644 --- a/examples/include.am +++ b/examples/include.am @@ -47,6 +47,7 @@ examples_token_info_LDADD = dist_noinst_SCRIPTS += examples/examples.test EXTRA_DIST += examples/rsa-2048.der +EXTRA_DIST += examples/stm32_dhuk_aes_key.c if BUILD_STATIC examples_add_aes_key_LDADD += src/libwolfpkcs11.la From e5394b69771b80fa810e3fbfa8160f8d52dcfc12 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 20 Aug 2025 10:09:21 -0600 Subject: [PATCH 09/11] use CK_ULONG for devId instead of int, rename devId vendor --- examples/stm32_dhuk_aes_key.c | 29 ++++++++++++++--------------- src/crypto.c | 10 +--------- src/internal.c | 28 ++++++---------------------- wolfpkcs11/internal.h | 2 +- wolfpkcs11/pkcs11.h | 5 ++--- 5 files changed, 24 insertions(+), 50 deletions(-) diff --git a/examples/stm32_dhuk_aes_key.c b/examples/stm32_dhuk_aes_key.c index c84cf330..28a54483 100644 --- a/examples/stm32_dhuk_aes_key.c +++ b/examples/stm32_dhuk_aes_key.c @@ -113,11 +113,11 @@ static CK_KEY_TYPE aesKeyType = CKK_AES; static CK_KEY_TYPE genericKeyType = CKK_GENERIC_SECRET; #endif -static unsigned char aes_256_key[] = { - 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, - 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, - 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, - 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 +static unsigned char aes_256_key[] = { + 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, + 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, + 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, + 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 }; @@ -125,7 +125,7 @@ CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session); CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session) { CK_RV ret; - int devId = WOLFSSL_STM32U5_DHUK_DEVID; /* signal use of hardware key */ + CK_ULONG devId = WOLFSSL_STM32U5_DHUK_DEVID;/* signal use of hardware key */ CK_ATTRIBUTE aes_dhuk_secret_key[] = { { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, #ifndef NO_AES @@ -137,7 +137,7 @@ CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session) { CKA_UNWRAP, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_VALUE, aes_256_key, sizeof(aes_256_key) }, - { CKA_DEVID, &devId, sizeof(devId) }, + { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; CK_ULONG cnt = sizeof(aes_dhuk_secret_key)/sizeof(*aes_dhuk_secret_key); CK_OBJECT_HANDLE obj; @@ -152,7 +152,7 @@ CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session); CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session) { CK_RV ret; - int devId = WOLFSSL_STM32U5_SAES_DEVID; + CK_ULONG devId = WOLFSSL_STM32U5_SAES_DEVID; CK_ATTRIBUTE aes_256_secret_key[] = { { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, #ifndef NO_AES @@ -164,7 +164,7 @@ CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session) { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_VALUE, aes_256_key, sizeof(aes_256_key) }, - { CKA_DEVID, &devId, sizeof(devId) }, + { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; CK_ULONG cnt = sizeof(aes_256_secret_key)/sizeof(*aes_256_secret_key); CK_OBJECT_HANDLE obj; @@ -188,10 +188,10 @@ CK_OBJECT_HANDLE find_key_type(CK_SESSION_HANDLE session, int devId) CHECK_CKR(ret, "Initialize Find"); while (ret == CKR_OK) { - int devIdFound; + CK_ULONG devIdFound; CK_ULONG devIdLen = sizeof(devIdFound); CK_ATTRIBUTE getTmpl[] = { - { CKA_DEVID, &devIdFound, devIdLen }, + { CKA_WOLFSSL_DEVID, &devIdFound, devIdLen }, }; CK_ULONG getTmplCnt = sizeof(getTmpl) / sizeof(CK_ATTRIBUTE); @@ -201,7 +201,7 @@ CK_OBJECT_HANDLE find_key_type(CK_SESSION_HANDLE session, int devId) /* check devId match */ ret = funcList->C_GetAttributeValue(session, obj, getTmpl, getTmplCnt); printf("Return value from GetAttributeValue = %d, {%d, %d}\n", ret, devIdFound, getTmpl[0].ulValueLen); - if (devIdFound == devId) { + if ((int)devIdFound == devId) { match = obj; break; } @@ -260,13 +260,12 @@ static CK_OBJECT_HANDLE find_wrapped_key(CK_SESSION_HANDLE session) CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session); CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) { - CK_OBJECT_HANDLE wrappedKey; CK_OBJECT_HANDLE dhuk; CK_OBJECT_HANDLE key; CK_BYTE wrappedKeyBuffer[32]; CK_ULONG wrappedKeyBufferLen = sizeof(wrappedKeyBuffer); - int devId = WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID; + CK_ULONG devId = WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID; CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; int i; CK_RV rv; @@ -304,7 +303,7 @@ CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, - { CKA_DEVID, &devId, sizeof(devId) }, + { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; CK_ULONG wrapped_key_template_len = sizeof(wrapped_key_template) / sizeof(CK_ATTRIBUTE); diff --git a/src/crypto.c b/src/crypto.c index 73eb079c..1c131d1b 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -40,7 +40,6 @@ #define ATTR_TYPE_BOOL 1 #define ATTR_TYPE_DATA 2 #define ATTR_TYPE_DATE 3 -#define ATTR_TYPE_INT 4 #define PRF_KEY_SIZE 48 @@ -236,7 +235,7 @@ static AttributeType attrType[] = { { CKA_TRUST_CODE_SIGNING, ATTR_TYPE_ULONG }, { CKA_TRUST_STEP_UP_APPROVED, ATTR_TYPE_BOOL }, #endif - { CKA_DEVID, ATTR_TYPE_INT }, + { CKA_WOLFSSL_DEVID, ATTR_TYPE_ULONG }, }; /* Count of elements in attribute type list. */ #define ATTR_TYPE_SIZE (sizeof(attrType) / sizeof(*attrType)) @@ -315,13 +314,6 @@ static CK_RV CheckAttributes(CK_ATTRIBUTE* pTemplate, CK_ULONG ulCount, int set) (attr->ulValueLen != sizeof(CK_ULONG))) return CKR_BUFFER_TOO_SMALL; } - else if (attrType[j].type == ATTR_TYPE_INT) { - if (attr->pValue == NULL && set) - return CKR_ATTRIBUTE_VALUE_INVALID; - if ((attr->pValue != NULL) && - (attr->ulValueLen != sizeof(CK_INT))) - return CKR_BUFFER_TOO_SMALL; - } else if (attrType[j].type == ATTR_TYPE_BOOL) { if (attr->pValue == NULL && set) return CKR_ATTRIBUTE_VALUE_INVALID; diff --git a/src/internal.c b/src/internal.c index da32f4a5..68677879 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7470,9 +7470,9 @@ CK_KEY_TYPE WP11_Object_GetType(WP11_Object* object) * @param object [in] Object object. * @return Object's devId. */ -CK_INT WP11_Object_GetDevId(WP11_Object* object) +CK_ULONG WP11_Object_GetDevId(WP11_Object* object) { - return object->devId; + return (CK_ULONG)object->devId; } /** @@ -8195,22 +8195,6 @@ static int GetULong(CK_ULONG value, byte* data, CK_ULONG* len) return ret; } -static int GetAttributeInt(int value, byte* data, CK_ULONG* len) -{ - int ret = 0; - CK_ULONG dataLen = sizeof(value); - - if (data == NULL) - *len = dataLen; - else if (*len < dataLen) - ret = BUFFER_E; - else { - *len = dataLen; - *(int*)data = value; - } - - return ret; -} /** * Get the data of a data array. @@ -8984,8 +8968,8 @@ int WP11_Object_GetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data, break; } - case CKA_DEVID: - ret = GetAttributeInt(object->devId, data, len); + case CKA_WOLFSSL_DEVID: + ret = GetULong(object->devId, data, len); break; } @@ -9359,8 +9343,8 @@ int WP11_Object_SetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data, } break; - case CKA_DEVID: - object->devId = *(CK_INT*)data; + case CKA_WOLFSSL_DEVID: + object->devId = (int)(*(CK_ULONG*)data); break; default: diff --git a/wolfpkcs11/internal.h b/wolfpkcs11/internal.h index ab31c13a..15f84a0d 100644 --- a/wolfpkcs11/internal.h +++ b/wolfpkcs11/internal.h @@ -386,7 +386,7 @@ WP11_LOCAL int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest); WP11_LOCAL CK_OBJECT_HANDLE WP11_Object_GetHandle(WP11_Object* object); WP11_LOCAL CK_KEY_TYPE WP11_Object_GetType(WP11_Object* object); -WP11_LOCAL int WP11_Object_GetDevId(WP11_Object* object); +WP11_LOCAL CK_ULONG WP11_Object_GetDevId(WP11_Object* object); WP11_LOCAL int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data, CK_ULONG* len); diff --git a/wolfpkcs11/pkcs11.h b/wolfpkcs11/pkcs11.h index f98a7078..36982f7e 100644 --- a/wolfpkcs11/pkcs11.h +++ b/wolfpkcs11/pkcs11.h @@ -57,9 +57,9 @@ extern "C" { #define CKA_NSS (CKA_VENDOR_DEFINED | CK_VENDOR_NSS) #endif -#define CK_VENDOR_DEVID 0x1000L +#define CK_VENDOR_WOLFSSL_DEVID 0x574F4C46L /* Set the crypto callback device ID to be used with the object */ -#define CKA_DEVID (CKA_VENDOR_DEFINED | CK_VENDOR_DEVID) +#define CKA_WOLFSSL_DEVID (CKA_VENDOR_DEFINED | CK_VENDOR_WOLFSSL_DEVID) #ifndef NULL_PTR #define NULL_PTR 0 @@ -448,7 +448,6 @@ typedef CK_BYTE CK_UTF8CHAR; typedef CK_BYTE CK_BBOOL; typedef unsigned long int CK_ULONG; typedef long int CK_LONG; -typedef int CK_INT; typedef CK_ULONG CK_FLAGS; typedef CK_BYTE* CK_BYTE_PTR; typedef CK_CHAR* CK_CHAR_PTR; From 5f8da793ecad064acb35a8a360a7868c2b9966d8 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 20 Aug 2025 13:51:24 -0600 Subject: [PATCH 10/11] don't require MKDRI if using a custom store --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 68677879..f51043aa 100644 --- a/src/internal.c +++ b/src/internal.c @@ -43,7 +43,7 @@ #include #include -#ifndef WOLFPKCS11_NO_STORE +#if !defined(WOLFPKCS11_NO_STORE) && !defined(WOLFPKCS11_CUSTOM_STORE) /* OS-specific includes for directory creation */ #if defined(_WIN32) || defined(_MSC_VER) #include From ec42c187ef27df8d787f3ec3c33aab4dd5a6163f Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 20 Aug 2025 14:31:58 -0600 Subject: [PATCH 11/11] improve coding standards with example --- examples/stm32_dhuk_aes_key.c | 81 +++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 36 deletions(-) diff --git a/examples/stm32_dhuk_aes_key.c b/examples/stm32_dhuk_aes_key.c index 28a54483..dd749e0c 100644 --- a/examples/stm32_dhuk_aes_key.c +++ b/examples/stm32_dhuk_aes_key.c @@ -113,7 +113,7 @@ static CK_KEY_TYPE aesKeyType = CKK_AES; static CK_KEY_TYPE genericKeyType = CKK_GENERIC_SECRET; #endif -static unsigned char aes_256_key[] = { +static unsigned char aes256Key[] = { 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, @@ -136,7 +136,7 @@ CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session) { CKA_WRAP, &ckTrue, sizeof(ckTrue) }, { CKA_UNWRAP, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, - { CKA_VALUE, aes_256_key, sizeof(aes_256_key) }, + { CKA_VALUE, aes256Key, sizeof(aes256Key) }, { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; CK_ULONG cnt = sizeof(aes_dhuk_secret_key)/sizeof(*aes_dhuk_secret_key); @@ -153,7 +153,7 @@ CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session) { CK_RV ret; CK_ULONG devId = WOLFSSL_STM32U5_SAES_DEVID; - CK_ATTRIBUTE aes_256_secret_key[] = { + CK_ATTRIBUTE aes256SecretKey[] = { { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, #ifndef NO_AES { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, @@ -163,13 +163,13 @@ CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session) { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, - { CKA_VALUE, aes_256_key, sizeof(aes_256_key) }, + { CKA_VALUE, aes256Key, sizeof(aes256Key) }, { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; - CK_ULONG cnt = sizeof(aes_256_secret_key)/sizeof(*aes_256_secret_key); + CK_ULONG cnt = sizeof(aes256SecretKey)/sizeof(*aes256SecretKey); CK_OBJECT_HANDLE obj; - ret = funcList->C_CreateObject(session, aes_256_secret_key, cnt, &obj); + ret = funcList->C_CreateObject(session, aes256SecretKey, cnt, &obj); CHECK_CKR(ret, "CreateObject AES 256-bit key"); return ret; @@ -199,8 +199,10 @@ CK_OBJECT_HANDLE find_key_type(CK_SESSION_HANDLE session, int devId) CHECK_CKR(ret, "Find Object"); if (cnt == 1) { /* check devId match */ - ret = funcList->C_GetAttributeValue(session, obj, getTmpl, getTmplCnt); - printf("Return value from GetAttributeValue = %d, {%d, %d}\n", ret, devIdFound, getTmpl[0].ulValueLen); + ret = funcList->C_GetAttributeValue(session, obj, getTmpl, + getTmplCnt); + printf("Return value from GetAttributeValue = %d, {%d, %d}\n", + ret, devIdFound, getTmpl[0].ulValueLen); if ((int)devIdFound == devId) { match = obj; break; @@ -269,19 +271,31 @@ CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; int i; CK_RV rv; + CK_ATTRIBUTE wrappedKeyTemplate[] = { + { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, + { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, + { CKA_VALUE, wrappedKeyBuffer, wrappedKeyBufferLen }, + { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, + { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, + }; + CK_ULONG wrappedKeyTemplateLen = sizeof(wrappedKeyTemplate) / + sizeof(CK_ATTRIBUTE); + key = find_software_key(session); if (key == 0) { return CKR_FUNCTION_FAILED; } - // Wrap the key using the DHUK key + /* Wrap the key using the DHUK key */ dhuk = find_dhuk_key(session); if (dhuk == 0) { return CKR_FUNCTION_FAILED; } - // Perform the wrapping operation + /* Perform the wrapping operation */ rv = funcList->C_WrapKey(session, &mech, dhuk, key, wrappedKeyBuffer, &wrappedKeyBufferLen); if (rv != CKR_OK) { @@ -296,18 +310,8 @@ CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) printf("\n"); /* Create a wrapped key object */ - CK_ATTRIBUTE wrapped_key_template[] = { - { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, - { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, - { CKA_VALUE, wrappedKeyBuffer, wrappedKeyBufferLen }, - { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, - { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, - { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, - { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, - }; - CK_ULONG wrapped_key_template_len = sizeof(wrapped_key_template) / sizeof(CK_ATTRIBUTE); - - rv = funcList->C_CreateObject(session, wrapped_key_template, wrapped_key_template_len, &wrappedKey); + rv = funcList->C_CreateObject(session, wrappedKeyTemplate, + wrappedKeyTemplateLen, &wrappedKey); if (rv != CKR_OK) { return rv; } @@ -318,11 +322,12 @@ CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) } -static CK_RV pkcs11_encrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, - byte* data, CK_ULONG dataLen, byte* iv, byte* out, CK_ULONG_PTR outLen) +static CK_RV pkcs11_encrypt_with_key(CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE key, byte* data, CK_ULONG dataLen, byte* iv, byte* out, + CK_ULONG_PTR outLen) { CK_MECHANISM mech = {CKM_AES_CBC, iv, 16}; - //CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; + /* CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; */ CK_RV rv; rv = funcList->C_EncryptInit(session, &mech, key); @@ -339,11 +344,12 @@ static CK_RV pkcs11_encrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE } -static CK_RV pkcs11_decrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, - byte* data, CK_ULONG dataLen, byte* iv, byte* out, CK_ULONG_PTR outLen) +static CK_RV pkcs11_decrypt_with_key(CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE key, byte* data, CK_ULONG dataLen, byte* iv, byte* out, + CK_ULONG_PTR outLen) { CK_MECHANISM mech = {CKM_AES_CBC, iv, 16}; - //CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; + /* CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; */ CK_RV rv; rv = funcList->C_DecryptInit(session, &mech, key); @@ -364,9 +370,9 @@ static CK_RV pkcs11_decrypt_with_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) { CK_RV ret = 0; - byte plain[] = { - 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, - 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a + byte plain[] = { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a }; byte cipher[16]; byte output[16]; @@ -378,7 +384,7 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) printf("Software key and wrapped key should produce the same results\n"); - /* in applications a random IV should be used, for this example it is constant */ + /* in applications a random IV should be used */ for (i = 0; i < 16; i++) { iv[i] = i; } @@ -386,7 +392,8 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) /* Encrypt plain text using software only key */ key = find_software_key(session); memset(cipher, 0, sizeof(cipher)); - ret = pkcs11_encrypt_with_key(session, key, plain, sizeof(plain), iv, cipher, &cipherLen); + ret = pkcs11_encrypt_with_key(session, key, plain, sizeof(plain), iv, + cipher, &cipherLen); if (ret != CKR_OK) { return ret; } @@ -400,7 +407,8 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) /* encrypt using wrapped key */ memset(cipher, 0, sizeof(cipher)); key = find_wrapped_key(session); - ret = pkcs11_encrypt_with_key(session, key, plain, sizeof(plain), iv, cipher, &cipherLen); + ret = pkcs11_encrypt_with_key(session, key, plain, sizeof(plain), iv, + cipher, &cipherLen); if (ret != CKR_OK) { return ret; } @@ -412,8 +420,9 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) printf("\n"); memset(output, 0, sizeof(output)); - ret = pkcs11_decrypt_with_key(session, key, cipher, cipherLen, iv, output, &outputLen); - if (ret != CKR_OK) { + ret = pkcs11_decrypt_with_key(session, key, cipher, cipherLen, iv, output, + &outputLen); + if (ret != CKR_OK) { return ret; }