Global keystore

benchmark/wh_bench.c

@@ -52,6 +52,9 @@
 
 #if defined(WOLFHSM_CFG_BENCH_ENABLE)
 
+/* Default client ID for benchmarks */
+#define WH_BENCH_CLIENT_ID (1)
+
 /* Buffer sizes for transport */
 /* Large enough to handle an RSA 4096 key */
 #define BUFFER_SIZE \
@@ -815,7 +818,7 @@ static whCommClientConfig          g_mem_cc_conf = {
              .transport_cb      = &g_mem_tccb,
              .transport_context = (void*)&g_mem_tmcc,
              .transport_config  = (void*)&g_mem_tmcf,
-             .client_id         = 123,
+             .client_id         = WH_BENCH_CLIENT_ID,
 };
 
 static whTransportServerCb         g_mem_tscb    = WH_TRANSPORT_MEM_SERVER_CB;
@@ -867,7 +870,7 @@ static int _configureClientTransport(whBenchTransportType transport,
                 .transport_cb      = pttcClientShmCb,
                 .transport_context = (void*)&tccShm,
                 .transport_config  = (void*)&myshmconfig,
-                .client_id         = 12,
+                .client_id         = WH_BENCH_CLIENT_ID,
             };
 
             memset(&tccShm, 0, sizeof(posixTransportShmClientContext));
@@ -887,7 +890,7 @@ static int _configureClientTransport(whBenchTransportType transport,
                 .transport_cb      = &pttcClientTcpCb,
                 .transport_context = (void*)&tccTcp,
                 .transport_config  = (void*)&mytcpconfig,
-                .client_id         = 12,
+                .client_id         = WH_BENCH_CLIENT_ID,
             };
 
             memset(&tccTcp, 0, sizeof(posixTransportTcpClientContext));

examples/demo/client/wh_demo_client_keywrap.c

@@ -35,13 +35,13 @@
 
 #ifdef WOLFHSM_CFG_KEYWRAP
 
-#define WH_TEST_KEKID 1
+#define WH_DEMO_KEYWRAP_KEKID 1
 static int _InitServerKek(whClientContext* ctx)
 {
     /* IMPORTANT NOTE: Server KEK is typically intrinsic or set during
      * provisioning. Uploading the KEK via the client is for testing purposes
      * only and not intended as a recommendation */
-    whKeyId    serverKeyId             = WH_TEST_KEKID;
+    whKeyId    serverKeyId             = WH_DEMO_KEYWRAP_KEKID;
     whNvmFlags flags                   = WH_NVM_FLAGS_NONEXPORTABLE;
     uint8_t    label[WH_NVM_LABEL_LEN] = "Server KEK key";
     uint8_t    kek[] = {0x03, 0x03, 0x0d, 0xd9, 0xeb, 0x18, 0x17, 0x2e,
@@ -55,43 +55,42 @@ static int _InitServerKek(whClientContext* ctx)
 
 static int _CleanupServerKek(whClientContext* ctx)
 {
-    return wh_Client_KeyErase(ctx, WH_TEST_KEKID);
+    return wh_Client_KeyErase(ctx, WH_DEMO_KEYWRAP_KEKID);
 }
 
 #ifndef NO_AES
 #ifdef HAVE_AESGCM
 
-#define WH_TEST_AES_KEYSIZE 16
-#define WH_TEST_AES_TEXTSIZE 16
-#define WH_TEST_AES_IVSIZE 12
-#define WH_TEST_AES_TAGSIZE 16
-#define WH_TEST_AES_WRAPPED_KEYSIZE                                   \
-    (WH_TEST_AES_IVSIZE + WH_TEST_AES_TAGSIZE + WH_TEST_AES_KEYSIZE + \
-     sizeof(whNvmMetadata))
-#define WH_TEST_AESGCM_WRAPKEY_ID 8
+#define WH_DEMO_KEYWRAP_AES_KEYSIZE 16
+#define WH_DEMO_KEYWRAP_AES_TEXTSIZE 16
+#define WH_DEMO_KEYWRAP_AES_IVSIZE 12
+#define WH_DEMO_KEYWRAP_AES_TAGSIZE 16
+#define WH_DEMO_KEYWRAP_AES_WRAPPED_KEYSIZE                     \
+    (WH_DEMO_KEYWRAP_AES_IVSIZE + WH_DEMO_KEYWRAP_AES_TAGSIZE + \
+     WH_DEMO_KEYWRAP_AES_KEYSIZE + sizeof(whNvmMetadata))
+#define WH_DEMO_KEYWRAP_AESGCM_WRAPKEY_ID 8
 
 int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
 {
     int           ret = 0;
     Aes           aes[1];
     WC_RNG        rng[1];
-    uint8_t       key[WH_TEST_AES_KEYSIZE];
-    uint8_t       exportedKey[WH_TEST_AES_KEYSIZE];
-    whNvmMetadata metadata = {
-        .id    = WH_MAKE_KEYID(WH_KEYTYPE_CRYPTO, 0, WH_TEST_AESGCM_WRAPKEY_ID),
-        .label = "AES Key Label",
-        .access = WH_NVM_ACCESS_ANY,
-        .len    = WH_TEST_AES_KEYSIZE};
+    uint8_t       key[WH_DEMO_KEYWRAP_AES_KEYSIZE];
+    uint8_t       exportedKey[WH_DEMO_KEYWRAP_AES_KEYSIZE];
+    whNvmMetadata metadata = {.id     = WH_DEMO_KEYWRAP_AESGCM_WRAPKEY_ID,
+                              .label  = "AES Key Label",
+                              .access = WH_NVM_ACCESS_ANY,
+                              .len    = WH_DEMO_KEYWRAP_AES_KEYSIZE};
     whNvmMetadata exportedMetadata;
-    uint8_t       wrappedKey[WH_TEST_AES_WRAPPED_KEYSIZE];
+    uint8_t       wrappedKey[WH_DEMO_KEYWRAP_AES_WRAPPED_KEYSIZE];
     whKeyId       wrappedKeyId;
 
     const uint8_t plaintext[] = "hello, wolfSSL AES-GCM!";
     uint8_t       ciphertext[sizeof(plaintext)];
     uint8_t       decrypted[sizeof(plaintext)];
 
-    uint8_t       tag[WH_TEST_AES_TAGSIZE];
-    uint8_t       iv[WH_TEST_AES_IVSIZE];
+    uint8_t       tag[WH_DEMO_KEYWRAP_AES_TAGSIZE];
+    uint8_t       iv[WH_DEMO_KEYWRAP_AES_IVSIZE];
     const uint8_t aad[] = {0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe,
                            0xef, 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad,
                            0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2};
@@ -127,8 +126,8 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
 
     /* Now we request the server to wrap the key using the KEK we
      * establish above in the first step. */
-    ret = wh_Client_KeyWrap(client, WC_CIPHER_AES_GCM, WH_TEST_KEKID, key,
-                            sizeof(key), &metadata, wrappedKey,
+    ret = wh_Client_KeyWrap(client, WC_CIPHER_AES_GCM, WH_DEMO_KEYWRAP_KEKID,
+                            key, sizeof(key), &metadata, wrappedKey,
                             sizeof(wrappedKey));
     if (ret != 0) {
         printf("Failed to wh_Client_KeyWrap %d\n", ret);
@@ -144,9 +143,9 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
     /* Request the server to unwrap and cache the wrapped key we just created.
      * This will provide us back a key ID that the client can use to do crypto
      * operations */
-    ret = wh_Client_KeyUnwrapAndCache(client, WC_CIPHER_AES_GCM, WH_TEST_KEKID,
-                                      wrappedKey, sizeof(wrappedKey),
-                                      &wrappedKeyId);
+    ret = wh_Client_KeyUnwrapAndCache(client, WC_CIPHER_AES_GCM,
+                                      WH_DEMO_KEYWRAP_KEKID, wrappedKey,
+                                      sizeof(wrappedKey), &wrappedKeyId);
     if (ret != 0) {
         printf("Failed to wh_Client_KeyUnwrapAndCache %d\n", ret);
         goto cleanup_rng;
@@ -207,10 +206,10 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
     /* Exporting a wrapped key */
 
     /* Request the server to unwrap and export the wrapped key we created */
-    ret = wh_Client_KeyUnwrapAndExport(client, WC_CIPHER_AES_GCM, WH_TEST_KEKID,
-                                       wrappedKey, sizeof(wrappedKey),
-                                       &exportedMetadata, exportedKey,
-                                       sizeof(exportedKey));
+    ret = wh_Client_KeyUnwrapAndExport(client, WC_CIPHER_AES_GCM,
+                                       WH_DEMO_KEYWRAP_KEKID, wrappedKey,
+                                       sizeof(wrappedKey), &exportedMetadata,
+                                       exportedKey, sizeof(exportedKey));
     if (ret != 0) {
         printf("Failed to wh_Client_KeyUnwrapAndCache %d\n", ret);
         goto cleanup_aes;

examples/demo/client/wh_demo_client_keywrap.h

@@ -3,6 +3,9 @@
 
 #include "wolfhsm/wh_client.h"
 
+/* Exposed in header so the demo server can obtain the ID for registration */
+#define WH_DEMO_KEYWRAP_AESGCM_WRAPKEY_ID 8
+
 int wh_DemoClient_KeyWrap(whClientContext* clientContext);
 
 #endif /* !DEMO_CLIENT_KEYWRAP_H_ */

examples/posix/wh_posix_client/wh_posix_client.c

@@ -85,6 +85,7 @@ static int wh_ClientTask(void* cf, const char* type, int test)
 
     printf("Client connecting to server...\n");
     if (ret == 0 && test) {
+        printf("Running client demos...\n");
         return wh_DemoClient_All(client);
     }
 

examples/posix/wh_posix_client/wolfhsm_cfg.h

@@ -30,5 +30,6 @@
 #define WOLFHSM_CFG_HEXDUMP
 #define WOLFHSM_CFG_COMM_DATA_LEN 5000
 #define WOLFHSM_CFG_KEYWRAP
+#define WOLFHSM_CFG_GLOBAL_KEYS
 
 #endif /* WOLFHSM_CFG_H_ */

examples/posix/wh_posix_server/wh_posix_server.c

@@ -29,6 +29,8 @@
 
 #include "wh_posix_cfg.h"
 #include "wh_posix_server_cfg.h"
+/* For demo wrapped key ID registration */
+#include "../../demo/client/wh_demo_client_keywrap.h"
 
 /** Local declarations */
 static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
@@ -118,6 +120,29 @@ static int loadAndStoreKeys(whServerContext* server, whKeyId* outKeyId,
     return ret;
 }
 
+static int _InitDemoServer(whServerContext* server, whServerConfig* config)
+{
+    int ret;
+
+    ret = wh_Server_Init(server, config);
+
+#ifdef WOLFHSM_CFG_KEYWRAP
+    if (ret == WH_ERROR_OK) {
+        /* Register wrapped keys from demo client (wh_demo_client_keywrap.h) */
+        const whKeyId wrappedIds[] = {WH_DEMO_KEYWRAP_AESGCM_WRAPKEY_ID};
+        ret                        = wh_Server_KeystoreRegisterWrappedKeys(
+                                   server, wrappedIds,
+                                   (uint16_t)(sizeof(wrappedIds) / sizeof(wrappedIds[0])));
+        if (ret != WH_ERROR_OK) {
+            printf("Failed to register wrapped key IDs: %d\n", ret);
+            (void)wh_Server_Cleanup(server);
+        }
+    }
+#endif
+
+    return ret;
+}
+
 
 static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
                          int clientId)
@@ -132,7 +157,7 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
         return -1;
     }
 
-    ret = wh_Server_Init(server, config);
+    ret = _InitDemoServer(server, config);
 
     /* Load keys into cache if file path is provided */
     if (keyFilePath != NULL) {
@@ -182,7 +207,7 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
                         (void)wh_Server_Cleanup(server);
 
                         /* Reinitialize the server */
-                        ret = wh_Server_Init(server, config);
+                        ret = _InitDemoServer(server, config);
                         if (ret != 0) {
                             printf("Failed to reinitialize server: %d\n", ret);
                             break;

examples/posix/wh_posix_server/wolfhsm_cfg.h

@@ -44,9 +44,11 @@
 #define WOLFHSM_CFG_CERTIFICATE_MANAGER
 #define WOLFHSM_CFG_CERTIFICATE_MANAGER_ACERT
 
+#define WOLFHSM_CFG_KEYWRAP
 #define WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE 5000
 
+#define WOLFHSM_CFG_GLOBAL_KEYS
+
 #define XMEMFENCE() __atomic_thread_fence(__ATOMIC_SEQ_CST)
-#define WOLFHSM_CFG_KEYWRAP
 
 #endif /* WOLFHSM_CFG_H_ */

src/wh_nvm.c

@@ -46,6 +46,11 @@ int wh_Nvm_Init(whNvmContext* context, const whNvmConfig *config)
     context->cb = config->cb;
     context->context = config->context;
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_GLOBAL_KEYS)
+    /* Initialize the global key cache */
+    memset(&context->globalCache, 0, sizeof(context->globalCache));
+#endif
+
     if (context->cb->Init != NULL) {
         rc = context->cb->Init(context->context, config->config);
         if (rc != 0) {
@@ -64,6 +69,11 @@ int wh_Nvm_Cleanup(whNvmContext* context)
         return WH_ERROR_BADARGS;
     }
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_GLOBAL_KEYS)
+    /* Initialize the global key cache */
+    memset(&context->globalCache, 0, sizeof(context->globalCache));
+#endif
+
     /* No callback? Return ABORTED */
     if (context->cb->Cleanup == NULL) {
         return WH_ERROR_ABORTED;

src/wh_server.c

@@ -188,8 +188,17 @@ static int _wh_Server_HandleCommRequest(whServerContext* server,
         wh_MessageComm_TranslateInitRequest(magic,
                 (whMessageCommInitRequest*)req_packet, &req);
 
+#ifdef WOLFHSM_CFG_GLOBAL_KEYS
+        /* USER=0 is reserved for global keys, client_id must be non-zero */
+        if (req.client_id == WH_KEYUSER_GLOBAL) {
+            *out_resp_size = 0;
+            return WH_ERROR_BADARGS;
+        }
+#endif
+
         /* Process the init action */
         server->comm->client_id = req.client_id;
+
         resp.client_id = server->comm->client_id;
         resp.server_id = server->comm->server_id;
 

src/wh_server_cert.c

@@ -122,8 +122,9 @@ static int _verifyChainAgainstCmStore(whServerContext*      server,
 
                     /* Grab the cache slot and dump the public key from the cert
                      * into it */
-                    rc = wh_Server_KeystoreGetCacheSlot(server, cacheBufSize,
-                                                        &cacheBuf, &cacheMeta);
+                    rc = wh_Server_KeystoreGetCacheSlot(server, *inout_keyId,
+                                                        cacheBufSize, &cacheBuf,
+                                                        &cacheMeta);
                     if (rc == WH_ERROR_OK) {
                         rc = wc_GetSubjectPubKeyInfoDerFromCert(
                             cert_ptr, cert_len + idx, cacheBuf, &cacheBufSize);
@@ -488,7 +489,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                 cert_data = (const uint8_t*)req_packet + sizeof(req);
 
                 /* Map client keyId to server keyId space */
-                whKeyId keyId = WH_MAKE_KEYID(
+                whKeyId keyId = WH_TRANSLATE_CLIENT_KEYID(
                     WH_KEYTYPE_CRYPTO, server->comm->client_id, req.keyId);
 
                 /* Process the verify action */
@@ -617,7 +618,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
             }
             if (resp.rc == WH_ERROR_OK) {
                 /* Map client keyId to server keyId space */
-                whKeyId keyId = WH_MAKE_KEYID(
+                whKeyId keyId = WH_TRANSLATE_CLIENT_KEYID(
                     WH_KEYTYPE_CRYPTO, server->comm->client_id, req.keyId);
 
                 /* Process the verify action */