diff --git a/examples/stm32_dhuk_aes_key.c b/examples/stm32_dhuk_aes_key.c index dd749e0c..69a7e0fa 100644 --- a/examples/stm32_dhuk_aes_key.c +++ b/examples/stm32_dhuk_aes_key.c @@ -65,11 +65,12 @@ extern int uart_printf(const char* format, ...); static CK_FUNCTION_LIST* funcList; static CK_SLOT_ID slot = WOLFPKCS11_DLL_SLOT; -static byte* userPin = (byte*)"wolfpkcs11-test"; +static byte* userDefaultPin = (byte*)"wolfpkcs11-test"; static CK_ULONG userPinLen; -static CK_RV pkcs11_init(CK_SESSION_HANDLE* session) +static CK_RV pkcs11_init(CK_SESSION_HANDLE* session, char* userPin, + int userPinLen) { CK_RV ret = CKR_OK; @@ -126,7 +127,7 @@ CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session) { CK_RV ret; CK_ULONG devId = WOLFSSL_STM32U5_DHUK_DEVID;/* signal use of hardware key */ - CK_ATTRIBUTE aes_dhuk_secret_key[] = { + CK_ATTRIBUTE aesDhukSecretKey[] = { { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, #ifndef NO_AES { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, @@ -135,14 +136,13 @@ CK_RV pkcs11_add_aes_dhuk_key(CK_SESSION_HANDLE session) #endif { CKA_WRAP, &ckTrue, sizeof(ckTrue) }, { CKA_UNWRAP, &ckTrue, sizeof(ckTrue) }, - { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_VALUE, aes256Key, sizeof(aes256Key) }, { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; - CK_ULONG cnt = sizeof(aes_dhuk_secret_key)/sizeof(*aes_dhuk_secret_key); + CK_ULONG cnt = sizeof(aesDhukSecretKey)/sizeof(*aesDhukSecretKey); CK_OBJECT_HANDLE obj; - ret = funcList->C_CreateObject(session, aes_dhuk_secret_key, cnt, &obj); + ret = funcList->C_CreateObject(session, aesDhukSecretKey, cnt, &obj); CHECK_CKR(ret, "CreateObject AES DHUK key"); return ret; @@ -162,7 +162,6 @@ CK_RV pkcs11_add_aes_software_key(CK_SESSION_HANDLE session) #endif { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, - { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_VALUE, aes256Key, sizeof(aes256Key) }, { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; 
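Review bot: The new `int userPinLen` parameter of pkcs11_init shadows the file-scope `static CK_ULONG userPinLen` kept on the context line just above it. It also narrows the length to a signed int, while PKCS#11 `C_Login` takes a `CK_ULONG` length. Taking the PIN as `char*` further diverges from the `byte*` type of `userDefaultPin`, so callers need casts in both directions. Consider `static CK_RV pkcs11_init(CK_SESSION_HANDLE* session, byte* pin, CK_ULONG pinLen)` and removing the static length once main owns the value. The body of pkcs11_init continues outside this hunk, so the login call itself is not visible here.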
@@ -268,21 +267,27 @@ CK_RV pkcs11_wrap_aes_key(CK_SESSION_HANDLE session) CK_BYTE wrappedKeyBuffer[32]; CK_ULONG wrappedKeyBufferLen = sizeof(wrappedKeyBuffer); CK_ULONG devId = WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID; - CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; + byte iv[16]; + /* CK_MECHANISM mech = {CKM_AES_ECB, NULL, 0}; */ + CK_MECHANISM mech = {CKM_AES_CBC_PAD, iv, 16}; int i; CK_RV rv; CK_ATTRIBUTE wrappedKeyTemplate[] = { { CKA_CLASS, &secretKeyClass, sizeof(secretKeyClass) }, { CKA_KEY_TYPE, &aesKeyType, sizeof(aesKeyType) }, { CKA_VALUE, wrappedKeyBuffer, wrappedKeyBufferLen }, - { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, - { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, - { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, - { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, + { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, + { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, + { CKA_WOLFSSL_DHUK_IV, iv, sizeof(iv) }, + { CKA_WOLFSSL_DEVID, &devId, sizeof(devId) }, }; CK_ULONG wrappedKeyTemplateLen = sizeof(wrappedKeyTemplate) / sizeof(CK_ATTRIBUTE); + for (i = 0; i < 16; i++) { + iv[i] = i; + } key = find_software_key(session); if (key == 0) { @@ -388,7 +393,6 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) for (i = 0; i < 16; i++) { iv[i] = i; } - /* Encrypt plain text using software only key */ key = find_software_key(session); memset(cipher, 0, sizeof(cipher)); 
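Review bot: The IV used as the `CKM_AES_CBC_PAD` parameter and stored in `CKA_WOLFSSL_DHUK_IV` is the constant sequence 0..15 written by the new `for` loop in pkcs11_wrap_aes_key, so every key wrapped by code copied from this example shares one IV. Either fill it with `funcList->C_GenerateRandom(session, iv, sizeof(iv))` or add a comment such as `/* Fixed IV for demonstration only; use a fresh random IV per wrapped key. */`. `wrappedKeyBuffer` is still 32 bytes; if the padding mechanism is honoured for a 32-byte AES key the output would be 48 bytes, so the buffer size should be confirmed against what C_WrapKey returns. The mechanism initialiser would read better as `{CKM_AES_CBC_PAD, iv, sizeof(iv)}`, and the commented-out ECB line can be deleted. The rest of the function lies outside this hunk.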
@@ -435,6 +439,25 @@ static CK_RV pkcs11_compare_results(CK_SESSION_HANDLE session) return ret; } +/* Match the command line argument with the string. + * + * arg Command line argument. + * str String to check for. + * return 1 if the command line argument matches the string, 0 otherwise. + */ +static int string_matches(const char* arg, const char* str) +{ + int len = (int)XSTRLEN(str) + 1; + return XSTRNCMP(arg, str, len) == 0; +} + +/* Display the usage options of the benchmark program. */ +static void Usage(void) +{ + printf("stm32_dhuk_aes_key\n"); + printf("-? Help, print this usage\n"); + printf("-userPin User PIN\n"); +} #ifndef NO_MAIN_DRIVER int main(int argc, char* argv[]) @@ -445,16 +468,39 @@ int stm32_dhuk_aes_key(int argc, char* argv[]) int ret; CK_RV rv; CK_SESSION_HANDLE session = CK_INVALID_HANDLE; + char* userPin = userDefaultPin; -#ifndef WOLFPKCS11_NO_ENV - if (!XGETENV("WOLFPKCS11_TOKEN_PATH")) { - XSETENV("WOLFPKCS11_TOKEN_PATH", "./store", 1); - } -#endif printf("Example PKCS11 DHUK AES use\n\r"); + argc--; + argv++; + while (argc > 0) { + if (string_matches(*argv, "-?")) { + Usage(); + return 0; + } + else if (string_matches(*argv, "-userPin")) { + argc--; + argv++; + if (argc == 0) { + printf("User PIN not supplied\n"); + return 1; + } + userPin = (byte*)*argv; + } + else { + printf("Unrecognized command line argument\n %s\n", + argv[0]); + return 1; + } + + argc--; + argv++; + } + userPinLen = (int)XSTRLEN((const char*)userPin); + - rv = pkcs11_init(&session); + rv = pkcs11_init(&session, userPin, userPinLen); if (rv == CKR_OK) { rv = pkcs11_add_aes_dhuk_key(session); } diff --git a/src/crypto.c b/src/crypto.c index 1c131d1b..cebd41e1 100644 --- a/src/crypto.c +++ b/src/crypto.c 
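Review bot: The comment on `Usage` says "benchmark program", which looks copied from another tool; this file is the DHUK AES key example. Suggested wording: `/* Display the command line options of the DHUK AES key example. */`. The option line would also be clearer as `printf("-userPin <pin>  User PIN\n");`, since the parser in main consumes the following argument as the PIN.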
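Review bot: In the argument loop the PIN pointer types do not line up: `char* userPin = userDefaultPin;` assigns a `byte*` to a `char*`, and `userPin = (byte*)*argv;` casts to `byte*` only to store into a `char*`. Both are incompatible-pointer assignments that a strict build will warn about or reject. `userPinLen = (int)XSTRLEN(...)` then writes an int-cast value into the `CK_ULONG` static. Declaring `byte* userPin = userDefaultPin;` and a local `CK_ULONG pinLen = (CK_ULONG)XSTRLEN((const char*)userPin);` removes the casts. On hosted builds a PIN passed as `-userPin` is visible to other local users in the process argument list, so a one-line comment noting this, and that the built-in default PIN is for testing only, would help readers who copy the example.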
@@ -234,6 +234,9 @@ static AttributeType attrType[] = { { CKA_TRUST_EMAIL_PROTECTION, ATTR_TYPE_ULONG }, { CKA_TRUST_CODE_SIGNING, ATTR_TYPE_ULONG }, { CKA_TRUST_STEP_UP_APPROVED, ATTR_TYPE_BOOL }, +#endif +#ifdef WOLFSSL_STM32U5_DHUK + { CKA_WOLFSSL_DHUK_IV, ATTR_TYPE_DATA }, #endif { CKA_WOLFSSL_DEVID, ATTR_TYPE_ULONG }, }; @@ -6694,11 +6697,18 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, goto err_out; } - #ifdef WOLFPKCS11_DHUK + #ifdef WOLFSSL_STM32U5_DHUK if (WP11_Object_GetDevId(wrappingKey) == WOLFSSL_STM32U5_DHUK_DEVID) { + if (pMechanism->pParameter != NULL && + pMechanism->ulParameterLen != AES_IV_SIZE) { + rv = CKR_ATTRIBUTE_VALUE_INVALID; + goto err_out; + } + if (wc_Stm32_Aes_Wrap(NULL, serialBuff, serialSize, pWrappedKey, - (word32*)pulWrappedKeyLen, NULL) != 0) { + (word32*)pulWrappedKeyLen, pMechanism->pParameter, + pMechanism->ulParameterLen) != 0) { rv = CKR_FUNCTION_FAILED; goto err_out; } diff --git a/src/internal.c b/src/internal.c index 671711b4..7b6494df 100644 --- a/src/internal.c +++ b/src/internal.c @@ -252,6 +252,10 @@ struct WP11_Object { } data; #ifdef WOLFPKCS11_TPM WOLFTPM2_KEYBLOB* tpmKey; +#endif +#ifdef WOLFSSL_STM32U5_DHUK + unsigned char* dhukIv; /* IV used with wrapping and unwrapping AES key. */ + int dhukIvLen; #endif CK_KEY_TYPE type; /* Key type of this object */ word32 size; /* Size of the key in bits or bytes */ @@ -6813,6 +6817,12 @@ int WP11_Session_SetCbcParams(WP11_Session* session, unsigned char* iv, /* AES object on session. */ ret = wc_AesInit(&cbc->aes, NULL, object->devId); +#ifdef WOLFSSL_STM32U5_DHUK + if (ret == 0 && object->dhukIvLen > 0) { + ret = wc_Stm32_Aes_SetDHUK_IV(&cbc->aes, object->dhukIv, + object->dhukIvLen); + } +#endif if (ret == 0) { if (object->onToken) WP11_Lock_LockRO(object->lock); 
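Review bot: The new parameter check in the DHUK branch of C_WrapKey only rejects a wrong length when `pParameter` is non-NULL, so a mechanism with `pParameter == NULL` and a non-zero `ulParameterLen` still reaches `wc_Stm32_Aes_Wrap` with a NULL IV and a non-zero length. The condition could be `if ((pMechanism->pParameter == NULL) ? (pMechanism->ulParameterLen != 0) : (pMechanism->ulParameterLen != AES_IV_SIZE))`. Since the fault is in the mechanism parameter rather than an attribute, `rv = CKR_MECHANISM_PARAM_INVALID;` is the more accurate return code. C_WrapKey begins and ends outside this hunk, so any earlier validation of `pMechanism` is not visible here.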
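Review bot: `dhukIv` is a new pointer member of `struct WP11_Object`, presumably heap-owned since the SetAttr hunk fills it through `WP11_Object_SetData`. No hunk shown here frees it when the object is destroyed, copies it when an object is duplicated, or encodes it into the token store. The example creates the wrapped key with both `CKA_TOKEN` and `CKA_WOLFSSL_DHUK_IV`. If the IV is not persisted, an object reloaded from storage would have `dhukIvLen == 0` and would skip `wc_Stm32_Aes_SetDHUK_IV`. Please confirm the free, copy and store/load paths handle the two new fields. A field comment stating ownership would help, e.g. `/* Owned copy of the DHUK IV; freed with the object. */`.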
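Review bot: In WP11_Session_SetCbcParams the added block reads `object->dhukIv` and `object->dhukIvLen` before the `WP11_Lock_LockRO(object->lock)` call on the context lines that follow. The IV is therefore read outside the object's read lock, while the SetAttr hunk can replace the same buffer. The same ordering appears in the WP11_AesEcb_Encrypt and WP11_AesEcb_Decrypt hunks later in this file. If attribute updates can run concurrently on a token object, moving the `wc_Stm32_Aes_SetDHUK_IV` call inside the locked region would close the window. The surrounding function is only partly visible, so whether the `Aes` is released when `wc_Stm32_Aes_SetDHUK_IV` fails after a successful `wc_AesInit` should also be checked.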
@@ -8967,6 +8977,12 @@ int WP11_Object_GetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data, } break; } + #ifdef WOLFSSL_STM32U5_DHUK + case CKA_WOLFSSL_DHUK_IV: + ret = GetData((byte*)object->dhukIv, object->dhukIvLen, + data, len); + break; + #endif case CKA_WOLFSSL_DEVID: ret = GetULong(object->devId, data, len); @@ -9347,6 +9363,13 @@ int WP11_Object_SetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data, object->devId = (int)(*(CK_ULONG*)data); break; + #ifdef WOLFSSL_STM32U5_DHUK + case CKA_WOLFSSL_DHUK_IV: + ret = WP11_Object_SetData(&object->dhukIv, &object->dhukIvLen, + data, (int)len); + break; + #endif + default: ret = BAD_FUNC_ARG; break; @@ -12115,6 +12138,11 @@ int WP11_AesEcb_Encrypt(unsigned char* plain, word32 plainSz, WP11_Data* key; ret = wc_AesInit(&aes, NULL, secret->devId); +#ifdef WOLFSSL_STM32U5_DHUK + if (ret == 0 && secret->dhukIvLen > 0) { + ret = wc_Stm32_Aes_SetDHUK_IV(&aes, secret->dhukIv, secret->dhukIvLen); + } +#endif if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -12157,6 +12185,11 @@ int WP11_AesEcb_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec, WP11_Data* key; ret = wc_AesInit(&aes, NULL, secret->devId); +#ifdef WOLFSSL_STM32U5_DHUK + if (ret == 0 && secret->dhukIvLen > 0) { + ret = wc_Stm32_Aes_SetDHUK_IV(&aes, secret->dhukIv, secret->dhukIvLen); + } +#endif if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); diff --git a/wolfpkcs11/pkcs11.h b/wolfpkcs11/pkcs11.h index 36982f7e..528e408b 100644 --- a/wolfpkcs11/pkcs11.h +++ b/wolfpkcs11/pkcs11.h @@ -61,6 +61,10 @@ extern "C" { /* Set the crypto callback device ID to be used with the object */ #define CKA_WOLFSSL_DEVID (CKA_VENDOR_DEFINED | CK_VENDOR_WOLFSSL_DEVID) +#ifdef WOLFSSL_STM32U5_DHUK +#define CKA_WOLFSSL_DHUK_IV (CKA_VENDOR_DEFINED | (CK_VENDOR_WOLFSSL_DEVID + 1)) +#endif + #ifndef NULL_PTR #define NULL_PTR 0 #endif
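Review bot: The `CKA_WOLFSSL_DHUK_IV` case in WP11_Object_SetAttr stores whatever length the caller supplies (`(int)len`) without checking it. An IV of the wrong size is accepted at object creation and only surfaces later, when `wc_Stm32_Aes_SetDHUK_IV` is called during cipher setup. C_WrapKey in this same change requires `AES_IV_SIZE`, so the attribute should be held to the same rule, for example `if (len != AES_IV_SIZE) { ret = BAD_FUNC_ARG; break; }` before the `WP11_Object_SetData` call, assuming `AES_IV_SIZE` is in scope in internal.c. The switch and the function's error mapping continue outside this hunk.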
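Review bot: `CKA_WOLFSSL_DHUK_IV` in pkcs11.h is derived as `CK_VENDOR_WOLFSSL_DEVID + 1` rather than from a named constant of its own, so a later vendor attribute could take the same value unnoticed. Giving it its own named constant next to `CK_VENDOR_WOLFSSL_DEVID` (a hypothetical `CK_VENDOR_WOLFSSL_DHUK_IV`) keeps the vendor-attribute numbering in one place. Because the define sits behind `#ifdef WOLFSSL_STM32U5_DHUK` in a public header, applications must define that macro before including pkcs11.h; a comment should say so. The attribute also lacks a description like the one above `CKA_WOLFSSL_DEVID`, e.g. `/* IV used by the STM32U5 DHUK when wrapping/unwrapping the AES key held by the object */`.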