diff --git a/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c b/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c
index f1795004c8..a4048ceb7a 100644
--- a/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c
+++ b/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c
@@ -49,6 +49,7 @@
 /* Demo Specific configs. */
 #include "demo_config.h"
+#include "core_pkcs11_config.h"
 /* MQTT library includes. */
 #include "core_mqtt.h"
@@ -456,6 +457,8 @@ static void prvTLSConnect( NetworkCredentials_t * pxNetworkCredentials,
 /* Set the credentials for establishing a TLS connection. */
 pxNetworkCredentials->pRootCa = ( const unsigned char * ) democonfigROOT_CA_PEM;
 pxNetworkCredentials->rootCaSize = sizeof( democonfigROOT_CA_PEM );
+ pxNetworkCredentials->pClientCertLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
+ pxNetworkCredentials->pPrivateKeyLabel = pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
 /* Attempt to create a mutually authenticated TLS connection. */
 xNetworkStatus = TLS_FreeRTOS_Connect( pxNetworkContext,
diff --git a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c
index e7598f1f04..792f4ca9e5 100644
--- a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c
+++ b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c
@@ -57,8 +57,8 @@
 /*-----------------------------------------------------------*/
-/**
- * @brief Each compilation unit that consumes the NetworkContext must define it.
+/**
+ * @brief Each compilation unit that consumes the NetworkContext must define it.
 * It should contain a single pointer as seen below whenever the header file
 * of this transport implementation is included to your project.
 *
@@ -165,18 +165,28 @@ static int32_t generateRandomBytes( void * pvCtx,
 * @return Zero on success.
 */
 static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
- char * pcLabelName,
+ const char * pcLabelName,
 CK_OBJECT_CLASS xClass,
 mbedtls_x509_crt * pxCertificateContext );
 /**
- * @brief Helper for setting up potentially hardware-based cryptographic context.
+ * @brief Helper for setting up potentially hardware-based cryptographic context
+ * for the client TLS certificate and private key.
 *
- * @param Caller context.
+ * @param[in] Caller context.
+ * @param[in] PKCS11 label which contains the desired private key.
 *
 * @return Zero on success.
 */
-static CK_RV initializeClientKeys( SSLContext_t * pxCtx );
+static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
+ const char * pcLabelName );
+
+/**
+ * @brief Stub function to satisfy mbedtls checks before sign operations
+ *
+ * @return 1.
+ */
+int canDoStub( mbedtls_pk_type_t type );
 /**
 * @brief Sign a cryptographic hash with the private key.
@@ -248,6 +258,8 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
 configASSERT( pHostName != NULL );
 configASSERT( pNetworkCredentials != NULL );
 configASSERT( pNetworkCredentials->pRootCa != NULL );
+ configASSERT( pNetworkCredentials->pClientCertLabel != NULL );
+ configASSERT( pNetworkCredentials->pPrivateKeyLabel != NULL );
 pTlsTransportParams = pNetworkContext->pParams;
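Review bot: `canDoStub` is declared with external linkage in the @@ -165 hunk although every other helper in this file is `static`, and its definition in hunk @@ -790 never reads `type`; declare and define it as `static int canDoStub( mbedtls_pk_type_t type )` and add `( void ) type;` before the `return 1;`. The rewritten Doxygen block for `initializeClientKeys` here, and again in hunk @@ -582, gives `@param[in]` entries with no parameter name, so Doxygen cannot attach them to anything; write `@param[in] pxCtx Caller context.` and `@param[in] pcLabelName PKCS11 label which contains the desired private key.`. The new `canDoStub` block is likewise missing a `@param[in] type` line saying the argument is ignored.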
@@ -316,7 +328,8 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
 if( returnStatus == TLS_TRANSPORT_SUCCESS )
 {
 /* Setup the client private key. */
- xResult = initializeClientKeys( &( pTlsTransportParams->sslContext ) );
+ xResult = initializeClientKeys( &( pTlsTransportParams->sslContext ),
+ pNetworkCredentials->pPrivateKeyLabel );
 if( xResult != CKR_OK )
 {
@@ -328,7 +341,7 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
 {
 /* Setup the client certificate. */
 xResult = readCertificateIntoContext( &( pTlsTransportParams->sslContext ),
- pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
+ pNetworkCredentials->pClientCertLabel,
 CKO_CERTIFICATE,
 &( pTlsTransportParams->sslContext.clientCert ) );
@@ -510,7 +523,7 @@ static int32_t generateRandomBytes( void * pvCtx,
 /*-----------------------------------------------------------*/
 static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
- char * pcLabelName,
+ const char * pcLabelName,
 CK_OBJECT_CLASS xClass,
 mbedtls_x509_crt * pxCertificateContext )
 {
@@ -521,7 +534,8 @@ static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
 /* Get the handle of the certificate. */
 xResult = xFindObjectWithLabelAndClass( pSslContext->xP11Session,
 pcLabelName,
- strlen( pcLabelName ),
+ strnlen( pcLabelName,
+ pkcs11configMAX_LABEL_LENGTH ),
 xClass,
 &xCertObj );
@@ -582,11 +596,13 @@ static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
 * @brief Helper for setting up potentially hardware-based cryptographic context
 * for the client TLS certificate and private key.
 *
- * @param Caller context.
+ * @param[in] Caller context.
+ * @param[in] PKCS11 label which contains the desired private key.
 *
 * @return Zero on success.
 */
-static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
+static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
+ const char * pcLabelName )
 {
 CK_RV xResult = CKR_OK;
 CK_SLOT_ID * pxSlotIds = NULL;
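Review bot: In the @@ -521 hunk `strnlen( pcLabelName, pkcs11configMAX_LABEL_LENGTH )` silently caps the length of a label longer than `pkcs11configMAX_LABEL_LENGTH`, so an over-long label is looked up as its prefix rather than rejected, and `xFindObjectWithLabelAndClass` may then select a different object than the caller named; the private-key lookup in hunk @@ -634 has the same behaviour. Compute the length once and fail before the lookup, e.g. `size_t xLabelLength = strnlen( pcLabelName, pkcs11configMAX_LABEL_LENGTH );` followed by `if( ( xLabelLength == pkcs11configMAX_LABEL_LENGTH ) && ( pcLabelName[ xLabelLength ] != '\0' ) ) { xResult = CKR_ARGUMENTS_BAD; }` guarding the call. The removed code derived the length with `sizeof( ... ) - 1UL` from a literal, so this truncation case is new with this change. The bodies of `readCertificateIntoContext` and `initializeClientKeys` continue outside these hunks.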
@@ -634,8 +650,9 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
 {
 /* Get the handle of the device private key. */
 xResult = xFindObjectWithLabelAndClass( pxCtx->xP11Session,
- pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS,
- sizeof( pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS ) - 1UL,
+ pcLabelName,
+ strnlen( pcLabelName,
+ pkcs11configMAX_LABEL_LENGTH ),
 CKO_PRIVATE_KEY,
 &pxCtx->xP11PrivateKey );
 }
@@ -682,6 +699,25 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
 {
 memcpy( &pxCtx->privKeyInfo, mbedtls_pk_info_from_type( xKeyAlgo ), sizeof( mbedtls_pk_info_t ) );
+ /* Assign unimplemented function pointers to NULL */
+ pxCtx->privKeyInfo.get_bitlen = NULL;
+ pxCtx->privKeyInfo.can_do = canDoStub;
+ pxCtx->privKeyInfo.verify_func = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ pxCtx->privKeyInfo.verify_rs_func = NULL;
+ pxCtx->privKeyInfo.sign_rs_func = NULL;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ pxCtx->privKeyInfo.decrypt_func = NULL;
+ pxCtx->privKeyInfo.encrypt_func = NULL;
+ pxCtx->privKeyInfo.check_pair_func = NULL;
+ pxCtx->privKeyInfo.ctx_alloc_func = NULL;
+ pxCtx->privKeyInfo.ctx_free_func = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ pxCtx->privKeyInfo.rs_alloc_func = NULL;
+ pxCtx->privKeyInfo.rs_free_func = NULL;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ pxCtx->privKeyInfo.debug_func = NULL;
+ pxCtx->privKeyInfo.sign_func = privateKeySigningCallback;
 pxCtx->privKey.pk_info = &pxCtx->privKeyInfo;
 pxCtx->privKey.pk_ctx = pxCtx;
@@ -790,6 +826,13 @@ static int32_t privateKeySigningCallback( void * pvContext,
 /*-----------------------------------------------------------*/
+int canDoStub( mbedtls_pk_type_t type )
+{
+ return 1;
+}
+
+/*-----------------------------------------------------------*/
+
 TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
 const char * pHostName,
 uint16_t port,
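Review bot: In the @@ -682 hunk `pxCtx->privKeyInfo.can_do = canDoStub;` overwrites the `can_do` that the preceding `memcpy` just copied from `mbedtls_pk_info_from_type( xKeyAlgo )`, and the stub answers 1 for every `mbedtls_pk_type_t`, so mbedtls loses its only check that this key matches the ciphersuite or signature algorithm being negotiated and a mismatch surfaces, if at all, inside `privateKeySigningCallback`. The copied `can_do` has the same context-free `( mbedtls_pk_type_t type )` signature the stub has, so overriding it appears to gain nothing; drop that line, or have the stub compare `type` against the algorithm recorded for the key. Setting `get_bitlen` and `ctx_free_func` to NULL is safe only while nothing ever calls `mbedtls_pk_get_bitlen` or `mbedtls_pk_free` on `privKey` (as far as I recall, mbedtls 2.x invokes those pointers without a NULL check); a comment beside the NULL assignments stating that invariant, such as `/* privKey must never be passed to mbedtls_pk_free() or mbedtls_pk_get_bitlen(): the callbacks below are NULL. */`, would make the contract visible to the next maintainer.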
diff --git a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h
index 790e0d28f9..2b5b6f95ae 100644
--- a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h
+++ b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h
@@ -148,6 +148,8 @@ typedef struct NetworkCredentials
 size_t userNameSize; /**< @brief Size associated with #NetworkCredentials.pUserName. */
 const unsigned char * pPassword; /**< @brief String representing the password for MQTT. */
 size_t passwordSize; /**< @brief Size associated with #NetworkCredentials.pPassword. */
+ const char * pClientCertLabel; /**< @brief String representing the PKCS #11 label for the client certificate. */
+ const char * pPrivateKeyLabel; /**< @brief String representing the PKCS #11 label for the private key. */
 } NetworkCredentials_t;
 /**
diff --git a/lexicon.txt b/lexicon.txt
index 7dd1fb0acd..232ef98b8d 100644
--- a/lexicon.txt
+++ b/lexicon.txt
@@ -1524,6 +1524,7 @@ pcks
 pcl
 pclabelname
 pclientcert
+pclientcertlabel
 pclk
 pclkb
 pclwipappsblockinggettxbuffer
@@ -1693,6 +1694,7 @@ ppcmessagetodisplay
 ppollperiod
 ppr
 pprivatekey
+pprivatekeylabel
 ppublishinfo
 ppvcontext
 ppxidletaskstackbuffer
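Review bot: The two new `NetworkCredentials_t` members are mandatory for this transport — `tlsSetup` in hunk @@ -248 of this diff asserts both are non-NULL — but their field comments describe them only as strings, so a caller that neither zero-initialises the struct nor sets them hands over an indeterminate pointer that the assert cannot catch and `strnlen` then reads. State the contract in the header, e.g. `/**< @brief PKCS #11 label of the client certificate. Required; a NUL-terminated string of at most pkcs11configMAX_LABEL_LENGTH characters. */` and the same wording for `pPrivateKeyLabel`. The `NetworkCredentials` struct begins before this hunk, so existing callers elsewhere that build the struct field by field are not visible here.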