Skip to content

Commit e5d7832

Browse files
bigbrettbigbrett
committed
create separate keyid module
1 parent 7d758f8 commit e5d7832

File tree

6 files changed

+234
-186
lines changed

6 files changed

+234
-186
lines changed

src/wh_keyid.c

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
/*
2+
* Copyright (C) 2025 wolfSSL Inc.
3+
*
4+
* This file is part of wolfHSM.
5+
*
6+
* wolfHSM is free software; you can redistribute it and/or modify
7+
* it under the terms of the GNU General Public License as published by
8+
* the Free Software Foundation; either version 3 of the License, or
9+
* (at your option) any later version.
10+
*
11+
* wolfHSM is distributed in the hope that it will be useful,
12+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14+
* GNU General Public License for more details.
15+
*
16+
* You should have received a copy of the GNU General Public License
17+
* along with wolfHSM. If not, see <http://www.gnu.org/licenses/>.
18+
*/
19+
/*
20+
* src/wh_keyid.c
21+
*
22+
* KeyId helper function implementations for wolfHSM
23+
*/
24+
25+
#include "wolfhsm/wh_keyid.h"
26+
27+
whKeyId wh_KeyId_TranslateClient(uint16_t type, uint16_t clientId,
28+
whKeyId reqId)
29+
{
30+
uint16_t user = clientId;
31+
whKeyId id = reqId & WH_KEYID_MASK;
32+
33+
#ifdef WOLFHSM_CFG_GLOBAL_KEYS
34+
/* Check for global flag (bit 8: 0x0100) */
35+
if ((reqId & 0x0100) != 0) {
36+
user = WH_KEYUSER_GLOBAL;
37+
}
38+
#endif
39+
40+
#ifdef WOLFHSM_CFG_KEYWRAP
41+
/* Check for wrapped flag (bit 9: 0x0200) */
42+
if ((reqId & 0x0200) != 0) {
43+
type = WH_KEYTYPE_WRAPPED;
44+
}
45+
else
46+
#endif
47+
{
48+
type = WH_KEYTYPE_CRYPTO;
49+
}
50+
51+
return WH_MAKE_KEYID(type, user, id);
52+
}

src/wh_server_cert.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -489,7 +489,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
489489
cert_data = (const uint8_t*)req_packet + sizeof(req);
490490

491491
/* Map client keyId to server keyId space */
492-
whKeyId keyId = WH_TRANSLATE_CLIENT_KEYID(
492+
whKeyId keyId = wh_KeyId_TranslateClient(
493493
WH_KEYTYPE_CRYPTO, server->comm->client_id, req.keyId);
494494

495495
/* Process the verify action */
@@ -618,7 +618,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
618618
}
619619
if (resp.rc == WH_ERROR_OK) {
620620
/* Map client keyId to server keyId space */
621-
whKeyId keyId = WH_TRANSLATE_CLIENT_KEYID(
621+
whKeyId keyId = wh_KeyId_TranslateClient(
622622
WH_KEYTYPE_CRYPTO, server->comm->client_id, req.keyId);
623623

624624
/* Process the verify action */

src/wh_server_crypto.c

Lines changed: 55 additions & 55 deletions
Original file line numberDiff line numberDiff line change
@@ -287,8 +287,8 @@ static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic,
287287
long e = req.e;
288288

289289
/* Force incoming key_id to have current user/type */
290-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
291-
ctx->comm->client_id, req.keyId);
290+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
291+
ctx->comm->client_id, req.keyId);
292292
whNvmFlags flags = req.flags;
293293
uint8_t* label = req.label;
294294
uint32_t label_size = WH_NVM_LABEL_LEN;
@@ -386,8 +386,8 @@ static int _HandleRsaFunction( whServerContext* ctx, uint16_t magic,
386386
int op_type = (int)(req.opType);
387387
uint32_t options = req.options;
388388
int evict = !!(options & WH_MESSAGE_CRYPTO_RSA_OPTIONS_EVICT);
389-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
390-
ctx->comm->client_id, req.keyId);
389+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
390+
ctx->comm->client_id, req.keyId);
391391
word32 in_len = (word32)(req.inLen);
392392
word32 out_len = (word32)(req.outLen);
393393
/* in and out are after the fixed size fields */
@@ -471,8 +471,8 @@ static int _HandleRsaGetSize(whServerContext* ctx, uint16_t magic,
471471
}
472472

473473
/* Extract parameters from translated request */
474-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
475-
ctx->comm->client_id, req.keyId);
474+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
475+
ctx->comm->client_id, req.keyId);
476476
uint32_t options = req.options;
477477
int evict = !!(options & WH_MESSAGE_CRYPTO_RSA_GET_SIZE_OPTIONS_EVICT);
478478

@@ -738,8 +738,8 @@ static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic,
738738
/* Extract parameters from translated request */
739739
int key_size = req.sz;
740740
int curve_id = req.curveId;
741-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
742-
ctx->comm->client_id, req.keyId);
741+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
742+
ctx->comm->client_id, req.keyId);
743743
whNvmFlags flags = req.flags;
744744
uint8_t* label = req.label;
745745
uint16_t label_size = WH_NVM_LABEL_LEN;
@@ -841,9 +841,9 @@ static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
841841
uint32_t options = req.options;
842842
int evict_pub = !!(options & WH_MESSAGE_CRYPTO_ECDH_OPTIONS_EVICTPUB);
843843
int evict_prv = !!(options & WH_MESSAGE_CRYPTO_ECDH_OPTIONS_EVICTPRV);
844-
whKeyId pub_key_id = WH_TRANSLATE_CLIENT_KEYID(
844+
whKeyId pub_key_id = wh_KeyId_TranslateClient(
845845
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.publicKeyId);
846-
whKeyId prv_key_id = WH_TRANSLATE_CLIENT_KEYID(
846+
whKeyId prv_key_id = wh_KeyId_TranslateClient(
847847
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.privateKeyId);
848848

849849
/* Response message */
@@ -919,8 +919,8 @@ static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
919919
/* Extract parameters from translated request */
920920
uint8_t* in =
921921
(uint8_t*)(cryptoDataIn) + sizeof(whMessageCrypto_EccSignRequest);
922-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
923-
ctx->comm->client_id, req.keyId);
922+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
923+
ctx->comm->client_id, req.keyId);
924924
word32 in_len = req.sz;
925925
uint32_t options = req.options;
926926
int evict = !!(options & WH_MESSAGE_CRYPTO_ECCSIGN_OPTIONS_EVICT);
@@ -991,8 +991,8 @@ static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
991991

992992
/* Extract parameters from translated request */
993993
uint32_t options = req.options;
994-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
995-
ctx->comm->client_id, req.keyId);
994+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
995+
ctx->comm->client_id, req.keyId);
996996
uint32_t hash_len = req.hashSz;
997997
uint32_t sig_len = req.sigSz;
998998
uint8_t* req_sig =
@@ -1213,10 +1213,10 @@ static int _HandleHkdf(whServerContext* ctx, uint16_t magic,
12131213
uint32_t saltSz = req.saltSz;
12141214
uint32_t infoSz = req.infoSz;
12151215
uint32_t outSz = req.outSz;
1216-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1217-
ctx->comm->client_id, req.keyIdOut);
1218-
whKeyId keyIdIn = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1219-
ctx->comm->client_id, req.keyIdIn);
1216+
whKeyId key_id = wh_KeyId_TranslateClient(
1217+
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.keyIdOut);
1218+
whKeyId keyIdIn = wh_KeyId_TranslateClient(
1219+
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.keyIdIn);
12201220
whNvmFlags flags = req.flags;
12211221
uint8_t* label = req.label;
12221222
uint16_t label_size = WH_NVM_LABEL_LEN;
@@ -1335,8 +1335,8 @@ static int _HandleCurve25519KeyGen(whServerContext* ctx, uint16_t magic,
13351335

13361336
/* Extract parameters from translated request */
13371337
int key_size = req.sz;
1338-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1339-
ctx->comm->client_id, req.keyId);
1338+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
1339+
ctx->comm->client_id, req.keyId);
13401340
whNvmFlags flags = req.flags;
13411341
uint8_t* label = req.label;
13421342
uint16_t label_size = WH_NVM_LABEL_LEN;
@@ -1429,9 +1429,9 @@ static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
14291429
uint32_t options = req.options;
14301430
int evict_pub = !!(options & WH_MESSAGE_CRYPTO_CURVE25519_OPTIONS_EVICTPUB);
14311431
int evict_prv = !!(options & WH_MESSAGE_CRYPTO_CURVE25519_OPTIONS_EVICTPRV);
1432-
whKeyId pub_key_id = WH_TRANSLATE_CLIENT_KEYID(
1432+
whKeyId pub_key_id = wh_KeyId_TranslateClient(
14331433
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.publicKeyId);
1434-
whKeyId prv_key_id = WH_TRANSLATE_CLIENT_KEYID(
1434+
whKeyId prv_key_id = wh_KeyId_TranslateClient(
14351435
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.privateKeyId);
14361436
int endian = req.endian;
14371437

@@ -1517,8 +1517,8 @@ static int _HandleAesCtr(whServerContext* ctx, uint16_t magic,
15171517
if (needed_size > inSize) {
15181518
return WH_ERROR_BADARGS;
15191519
}
1520-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1521-
ctx->comm->client_id, req.keyId);
1520+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
1521+
ctx->comm->client_id, req.keyId);
15221522
/* in, key, iv, and out are after fixed size fields */
15231523
uint8_t* in =
15241524
(uint8_t*)(cryptoDataIn) + sizeof(whMessageCrypto_AesCtrRequest);
@@ -1634,8 +1634,8 @@ static int _HandleAesEcb(whServerContext* ctx, uint16_t magic,
16341634
return WH_ERROR_BADARGS;
16351635
}
16361636

1637-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1638-
ctx->comm->client_id, req.keyId);
1637+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
1638+
ctx->comm->client_id, req.keyId);
16391639

16401640
/* in, key, iv, and out are after fixed size fields */
16411641
uint8_t* in =
@@ -1742,8 +1742,8 @@ static int _HandleAesCbc(whServerContext* ctx, uint16_t magic, const void* crypt
17421742
return WH_ERROR_BADARGS;
17431743
}
17441744

1745-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1746-
ctx->comm->client_id, req.keyId);
1745+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
1746+
ctx->comm->client_id, req.keyId);
17471747

17481748
/* in, key, iv, and out are after fixed size fields */
17491749
uint8_t* in =
@@ -1851,8 +1851,8 @@ static int _HandleAesGcm(whServerContext* ctx, uint16_t magic,
18511851
uint32_t iv_len = req.ivSz;
18521852
uint32_t authin_len = req.authInSz;
18531853
uint32_t tag_len = req.authTagSz;
1854-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
1855-
ctx->comm->client_id, req.keyId);
1854+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
1855+
ctx->comm->client_id, req.keyId);
18561856

18571857
/* in, key, iv, authin, tag, and out are after fixed size fields */
18581858
uint8_t* in = (uint8_t*)(cryptoDataIn) + sizeof(whMessageCrypto_AesGcmRequest);
@@ -2075,8 +2075,8 @@ static int _HandleAesGcmDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
20752075

20762076
/* Handle keyId-based keys if no direct key was provided */
20772077
if (ret == WH_ERROR_OK && req.key.sz == 0) {
2078-
keyId = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO, ctx->comm->client_id,
2079-
req.keyId);
2078+
keyId = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
2079+
ctx->comm->client_id, req.keyId);
20802080
keyLen = sizeof(tmpKey);
20812081
ret = wh_Server_KeystoreReadKey(ctx, keyId, NULL, tmpKey, &keyLen);
20822082
if (ret == WH_ERROR_OK) {
@@ -2222,8 +2222,8 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
22222222
* cache slot until CmacFinal() is called, at which point we evict the
22232223
* struct from the cache. TODO: client should hold CMAC state */
22242224
len = sizeof(ctx->crypto->algoCtx.cmac);
2225-
keyId = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
2226-
ctx->comm->client_id, req.keyId);
2225+
keyId = wh_KeyId_TranslateClient(
2226+
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.keyId);
22272227
ret = wh_Server_KeystoreReadKey(
22282228
ctx, keyId, NULL, (uint8_t*)ctx->crypto->algoCtx.cmac,
22292229
(uint32_t*)&len);
@@ -2300,8 +2300,8 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
23002300
/* Don't override return value except on failure */
23012301
int tmpRet = wh_Server_KeystoreEvictKey(
23022302
ctx,
2303-
WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
2304-
ctx->comm->client_id, keyId));
2303+
wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
2304+
ctx->comm->client_id, keyId));
23052305
if (tmpRet != 0) {
23062306
ret = tmpRet;
23072307
}
@@ -2312,9 +2312,9 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
23122312
/* Handle cancellation - evict key and abandon state */
23132313
if (!WH_KEYID_ISERASED(req.keyId)) {
23142314
wh_Server_KeystoreEvictKey(
2315-
ctx,
2316-
WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
2317-
ctx->comm->client_id, req.keyId));
2315+
ctx, wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
2316+
ctx->comm->client_id,
2317+
req.keyId));
23182318
}
23192319
}
23202320
#endif
@@ -2330,7 +2330,7 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
23302330
return ret;
23312331
}
23322332
else {
2333-
keyId = WH_TRANSLATE_CLIENT_KEYID(
2333+
keyId = wh_KeyId_TranslateClient(
23342334
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.keyId);
23352335
}
23362336
/* evict the aes sized key in the normal cache */
@@ -2716,8 +2716,8 @@ static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic,
27162716

27172717
/* Extract parameters from translated request */
27182718
int key_size = req.sz;
2719-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
2720-
ctx->comm->client_id, req.keyId);
2719+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
2720+
ctx->comm->client_id, req.keyId);
27212721
int level = req.level;
27222722
whNvmFlags flags = req.flags;
27232723
uint8_t* label = req.label;
@@ -2830,8 +2830,8 @@ static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
28302830

28312831
/* Extract parameters from translated request */
28322832
byte* in = (uint8_t*)(cryptoDataIn) + sizeof(whMessageCrypto_MlDsaSignRequest);
2833-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
2834-
ctx->comm->client_id, req.keyId);
2833+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
2834+
ctx->comm->client_id, req.keyId);
28352835
word32 in_len = req.sz;
28362836
uint32_t options = req.options;
28372837
int evict = !!(options & WH_MESSAGE_CRYPTO_MLDSA_SIGN_OPTIONS_EVICT);
@@ -2910,8 +2910,8 @@ static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
29102910

29112911
/* Extract parameters from translated request */
29122912
uint32_t options = req.options;
2913-
whKeyId key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
2914-
ctx->comm->client_id, req.keyId);
2913+
whKeyId key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
2914+
ctx->comm->client_id, req.keyId);
29152915
uint32_t hash_len = req.hashSz;
29162916
uint32_t sig_len = req.sigSz;
29172917
byte* req_sig =
@@ -3911,7 +3911,7 @@ static int _HandleMlDsaKeyGenDma(whServerContext* ctx, uint16_t magic,
39113911
else {
39123912
/* Must import the key into the cache and return keyid
39133913
*/
3914-
whKeyId keyId = WH_TRANSLATE_CLIENT_KEYID(
3914+
whKeyId keyId = wh_KeyId_TranslateClient(
39153915
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, req.keyId);
39163916

39173917
if (WH_KEYID_ISERASED(keyId)) {
@@ -4000,8 +4000,8 @@ static int _HandleMlDsaSignDma(whServerContext* ctx, uint16_t magic,
40004000

40014001

40024002
/* Get key ID and evict flag */
4003-
key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO, ctx->comm->client_id,
4004-
req.keyId);
4003+
key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO, ctx->comm->client_id,
4004+
req.keyId);
40054005
evict = !!(req.options & WH_MESSAGE_CRYPTO_MLDSA_SIGN_OPTIONS_EVICT);
40064006

40074007
/* Initialize key */
@@ -4109,8 +4109,8 @@ static int _HandleMlDsaVerifyDma(whServerContext* ctx, uint16_t magic,
41094109
int evict = 0;
41104110

41114111
/* Get key ID and evict flag */
4112-
key_id = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO, ctx->comm->client_id,
4113-
req.keyId);
4112+
key_id = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO, ctx->comm->client_id,
4113+
req.keyId);
41144114
evict = !!(req.options & WH_MESSAGE_CRYPTO_MLDSA_VERIFY_OPTIONS_EVICT);
41154115

41164116
/* Initialize key */
@@ -4379,9 +4379,9 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
43794379
* that has been initialized to use a keyId by
43804380
* reference. We need to load the key from cache and
43814381
* initialize a new context with it */
4382-
keyId = WH_TRANSLATE_CLIENT_KEYID(WH_KEYTYPE_CRYPTO,
4383-
ctx->comm->client_id,
4384-
clientKeyId);
4382+
keyId = wh_KeyId_TranslateClient(WH_KEYTYPE_CRYPTO,
4383+
ctx->comm->client_id,
4384+
clientKeyId);
43854385
keyLen = sizeof(tmpKey);
43864386

43874387
/* Load key from cache */
@@ -4444,7 +4444,7 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
44444444
whNvmId nvmId = WH_DEVCTX_TO_KEYID(cmac->devCtx);
44454445
if (nvmId != WH_KEYID_ERASED) {
44464446
/* Get key ID from CMAC context */
4447-
keyId = WH_TRANSLATE_CLIENT_KEYID(
4447+
keyId = wh_KeyId_TranslateClient(
44484448
WH_KEYTYPE_CRYPTO, ctx->comm->client_id, nvmId);
44494449
keyLen = sizeof(tmpKey);
44504450

0 commit comments

Comments
 (0)