From b1b3a0a3e98b226e7fe59a6db84bd3f3e2179967 Mon Sep 17 00:00:00 2001
From: johnrhen <90864038+johnrhen@users.noreply.github.com>
Date: Fri, 26 Nov 2021 10:49:59 -0800
Subject: [PATCH] Add variable PKCS11 label support to using_mbedtls_pkcs11 (#723)

The previous "using_mbedtls_pkcs11.c" implementation requires using the device key and device certificate stored under the labels "pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS" and "pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS".

This commit updates the NetworkCredentials to include fields for pClientCertLabel and pPrivateKeyLabel, so other labels can be used with PKCS11. This matches the behavior seen in the CSDK.

This commit also updates the "pkcs11_mqtt_mutual_auth_demo" to set the newly-added NetworkCredentials fields.
---
 .../DemoTasks/MutualAuthMQTTExample.c         |  3 +
 .../using_mbedtls_pkcs11.c                    | 71 +++++++++++++++----
 .../using_mbedtls_pkcs11.h                    |  2 +
 lexicon.txt                                   |  2 +
 4 files changed, 64 insertions(+), 14 deletions(-)

diff --git a/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c b/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c
index f1795004c8..a4048ceb7a 100644
--- a/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c
+++ b/FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c
@@ -49,6 +49,7 @@
 
 /* Demo Specific configs. */
 #include "demo_config.h"
+#include "core_pkcs11_config.h"
 
 /* MQTT library includes. */
 #include "core_mqtt.h"
@@ -456,6 +457,8 @@ static void prvTLSConnect( NetworkCredentials_t * pxNetworkCredentials,
     /* Set the credentials for establishing a TLS connection. */
     pxNetworkCredentials->pRootCa = ( const unsigned char * ) democonfigROOT_CA_PEM;
     pxNetworkCredentials->rootCaSize = sizeof( democonfigROOT_CA_PEM );
+    pxNetworkCredentials->pClientCertLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
+    pxNetworkCredentials->pPrivateKeyLabel = pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
 
     /* Attempt to create a mutually authenticated TLS connection. */
     xNetworkStatus = TLS_FreeRTOS_Connect( pxNetworkContext,
diff --git a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c
index e7598f1f04..792f4ca9e5 100644
--- a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c
+++ b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c
@@ -57,8 +57,8 @@
 
 /*-----------------------------------------------------------*/
 
-/**
- * @brief Each compilation unit that consumes the NetworkContext must define it.
+/**
+ * @brief Each compilation unit that consumes the NetworkContext must define it.
  * It should contain a single pointer as seen below whenever the header file
  * of this transport implementation is included to your project.
  *
@@ -165,18 +165,28 @@ static int32_t generateRandomBytes( void * pvCtx,
  * @return Zero on success.
  */
 static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
-                                         char * pcLabelName,
+                                         const char * pcLabelName,
                                          CK_OBJECT_CLASS xClass,
                                          mbedtls_x509_crt * pxCertificateContext );
 
 /**
- * @brief Helper for setting up potentially hardware-based cryptographic context.
+ * @brief Helper for setting up potentially hardware-based cryptographic context
+ * for the client TLS certificate and private key.
  *
- * @param Caller context.
+ * @param[in] Caller context.
+ * @param[in] PKCS11 label which contains the desired private key.
  *
  * @return Zero on success.
  */
-static CK_RV initializeClientKeys( SSLContext_t * pxCtx );
+static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
+                                   const char * pcLabelName );
+
+/**
+ * @brief Stub function to satisfy mbedtls checks before sign operations
+ *
+ * @return 1.
+ */
+int canDoStub( mbedtls_pk_type_t type );
 
 /**
  * @brief Sign a cryptographic hash with the private key.
@@ -248,6 +258,8 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
     configASSERT( pHostName != NULL );
     configASSERT( pNetworkCredentials != NULL );
     configASSERT( pNetworkCredentials->pRootCa != NULL );
+    configASSERT( pNetworkCredentials->pClientCertLabel != NULL );
+    configASSERT( pNetworkCredentials->pPrivateKeyLabel != NULL );
 
     pTlsTransportParams = pNetworkContext->pParams;
 
@@ -316,7 +328,8 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
     if( returnStatus == TLS_TRANSPORT_SUCCESS )
     {
         /* Setup the client private key. */
-        xResult = initializeClientKeys( &( pTlsTransportParams->sslContext ) );
+        xResult = initializeClientKeys( &( pTlsTransportParams->sslContext ),
+                                        pNetworkCredentials->pPrivateKeyLabel );
 
         if( xResult != CKR_OK )
         {
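Review bot: `int canDoStub( mbedtls_pk_type_t type );` in the prototype hunk is the only helper in this translation unit declared with external linkage, and it is not exported through using_mbedtls_pkcs11.h, so it leaks a very generic symbol into the global namespace; it should be `static int canDoStub( mbedtls_pk_type_t type );` with the definition at @@ -790 made `static` to match. The new doxygen lines `@param[in] Caller context.` and `@param[in] PKCS11 label which contains the desired private key.` drop the parameter name doxygen keys on, so the text will not attach to any argument; `@param[in] pxCtx Caller context.` and `@param[in] pcLabelName PKCS11 label which contains the desired private key.` fix that, and the same two lines recur in the definition's comment at @@ -582.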
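Review bot: The two `configASSERT` lines added at @@ -248 make `pClientCertLabel` and `pPrivateKeyLabel` mandatory, so any existing caller that zero-initialises `NetworkCredentials_t` and never learned of the new members now fails at runtime inside tlsSetup rather than at compile time, and with configASSERT compiled out the NULL flows straight into the label lookups. If compatibility with such callers is wanted, substitute the previous defaults when a member is NULL, e.g. `const char * pcKeyLabel = ( pNetworkCredentials->pPrivateKeyLabel != NULL ) ? pNetworkCredentials->pPrivateKeyLabel : pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;` and likewise for the certificate label; if the break is intended, the header should say the members are required. tlsSetup's body continues outside the hunk.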
@@ -328,7 +341,7 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
     {
         /* Setup the client certificate. */
         xResult = readCertificateIntoContext( &( pTlsTransportParams->sslContext ),
-                                              pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
+                                              pNetworkCredentials->pClientCertLabel,
                                               CKO_CERTIFICATE,
                                               &( pTlsTransportParams->sslContext.clientCert ) );
 
@@ -510,7 +523,7 @@ static int32_t generateRandomBytes( void * pvCtx,
 /*-----------------------------------------------------------*/
 
 static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
-                                         char * pcLabelName,
+                                         const char * pcLabelName,
                                          CK_OBJECT_CLASS xClass,
                                          mbedtls_x509_crt * pxCertificateContext )
 {
@@ -521,7 +534,8 @@ static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
     /* Get the handle of the certificate. */
     xResult = xFindObjectWithLabelAndClass( pSslContext->xP11Session,
                                             pcLabelName,
-                                            strlen( pcLabelName ),
+                                            strnlen( pcLabelName,
+                                                     pkcs11configMAX_LABEL_LENGTH ),
                                             xClass,
                                             &xCertObj );
 
@@ -582,11 +596,13 @@ static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
  * @brief Helper for setting up potentially hardware-based cryptographic context
  * for the client TLS certificate and private key.
  *
- * @param Caller context.
+ * @param[in] Caller context.
+ * @param[in] PKCS11 label which contains the desired private key.
  *
  * @return Zero on success.
  */
-static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
+static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
+                                   const char * pcLabelName )
 {
     CK_RV xResult = CKR_OK;
     CK_SLOT_ID * pxSlotIds = NULL;
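Review bot: In the @@ -521 hunk, `strnlen( pcLabelName, pkcs11configMAX_LABEL_LENGTH )` clamps silently: a label that is longer than the bound, or not NUL-terminated within it, is handed to `xFindObjectWithLabelAndClass` as a truncated prefix instead of being rejected, so the caller sees an object-not-found result (or an unintended match, should an object carry exactly that prefix) rather than an argument error. Computing the length first and refusing the boundary value, `size_t xLabelLength = strnlen( pcLabelName, pkcs11configMAX_LABEL_LENGTH );` then `if( xLabelLength == pkcs11configMAX_LABEL_LENGTH ) { return CKR_ARGUMENTS_BAD; }`, gives a definite answer; whether the bound counts the terminator decides the exact comparison and should be checked against core_pkcs11_config.h. The private-key lookup at @@ -634 in initializeClientKeys has the same shape and needs the same guard. `strnlen` is POSIX rather than C11, whereas the `strlen` and `sizeof( ... ) - 1UL` it replaces were portable, so confirm every toolchain this transport builds under provides it. readCertificateIntoContext's body continues outside the hunk.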
@@ -634,8 +650,9 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
     {
         /* Get the handle of the device private key. */
         xResult = xFindObjectWithLabelAndClass( pxCtx->xP11Session,
-                                                pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS,
-                                                sizeof( pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS ) - 1UL,
+                                                pcLabelName,
+                                                strnlen( pcLabelName,
+                                                         pkcs11configMAX_LABEL_LENGTH ),
                                                 CKO_PRIVATE_KEY,
                                                 &pxCtx->xP11PrivateKey );
     }
@@ -682,6 +699,25 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
     {
         memcpy( &pxCtx->privKeyInfo, mbedtls_pk_info_from_type( xKeyAlgo ), sizeof( mbedtls_pk_info_t ) );
+        /* Assign unimplemented function pointers to NULL */
+        pxCtx->privKeyInfo.get_bitlen = NULL;
+        pxCtx->privKeyInfo.can_do = canDoStub;
+        pxCtx->privKeyInfo.verify_func = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        pxCtx->privKeyInfo.verify_rs_func = NULL;
+        pxCtx->privKeyInfo.sign_rs_func = NULL;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+        pxCtx->privKeyInfo.decrypt_func = NULL;
+        pxCtx->privKeyInfo.encrypt_func = NULL;
+        pxCtx->privKeyInfo.check_pair_func = NULL;
+        pxCtx->privKeyInfo.ctx_alloc_func = NULL;
+        pxCtx->privKeyInfo.ctx_free_func = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        pxCtx->privKeyInfo.rs_alloc_func = NULL;
+        pxCtx->privKeyInfo.rs_free_func = NULL;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+        pxCtx->privKeyInfo.debug_func = NULL;
+        pxCtx->privKeyInfo.sign_func = privateKeySigningCallback;
         pxCtx->privKey.pk_info = &pxCtx->privKeyInfo;
         pxCtx->privKey.pk_ctx = pxCtx;
@@ -790,6 +826,13 @@ static int32_t privateKeySigningCallback( void * pvContext,
 
 /*-----------------------------------------------------------*/
 
+int canDoStub( mbedtls_pk_type_t type )
+{
+    return 1;
+}
+
+/*-----------------------------------------------------------*/
+
 TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
                                            const char * pHostName,
                                            uint16_t port,
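Review bot: In the @@ -682 hunk, `pxCtx->privKeyInfo.can_do = canDoStub;` replaces the type-specific check that the `memcpy` from `mbedtls_pk_info_from_type( xKeyAlgo )` just installed with one that answers 1 for every `mbedtls_pk_type_t`, so mbedtls will believe this key can produce whatever signature kind the peer negotiates and a mismatch surfaces, if at all, only when `privateKeySigningCallback` is asked to sign with the wrong algorithm. As far as I can tell the stock `can_do` callbacks look only at their `type` argument and never at `pk_ctx`, so they stay valid after the copy and this one line can simply be dropped; if a stub is kept it should compare `type` against the algorithm recorded from `xKeyAlgo` rather than return a constant. `get_bitlen = NULL` is also riskier than the other NULLs: in the mbedtls versions I know, `mbedtls_pk_get_bitlen()` calls through that pointer without a NULL check, unlike the decrypt/verify/check_pair entry points, so a stub returning the key size (or 0) is safer should any handshake path reach it — I cannot confirm from the hunk whether the client side does. The `canDoStub` definition at @@ -790 should be `static` and mark its parameter with `( void ) type;` to keep -Wunused-parameter builds clean. initializeClientKeys's body continues outside the hunk.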
diff --git a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h
index 790e0d28f9..2b5b6f95ae 100644
--- a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h
+++ b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h
@@ -148,6 +148,8 @@ typedef struct NetworkCredentials
     size_t userNameSize; /**< @brief Size associated with #NetworkCredentials.pUserName. */
     const unsigned char * pPassword; /**< @brief String representing the password for MQTT. */
     size_t passwordSize; /**< @brief Size associated with #NetworkCredentials.pPassword. */
+    const char * pClientCertLabel; /**< @brief String representing the PKCS #11 label for the client certificate. */
+    const char * pPrivateKeyLabel; /**< @brief String representing the PKCS #11 label for the private key. */
 } NetworkCredentials_t;
 
 /**
diff --git a/lexicon.txt b/lexicon.txt
index 7dd1fb0acd..232ef98b8d 100644
--- a/lexicon.txt
+++ b/lexicon.txt
@@ -1524,6 +1524,7 @@ pcks
 pcl
 pclabelname
 pclientcert
+pclientcertlabel
 pclk
 pclkb
 pclwipappsblockinggettxbuffer
@@ -1693,6 +1694,7 @@ ppcmessagetodisplay
 ppollperiod
 ppr
 pprivatekey
+pprivatekeylabel
 ppublishinfo
 ppvcontext
 ppxidletaskstackbuffer
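Review bot: The two new `NetworkCredentials_t` members in the using_mbedtls_pkcs11.h hunk are documented in the same optional-sounding style as the username/password fields, yet the transport now `configASSERT`s both non-NULL, so a caller reading only this header cannot tell they are mandatory. Say so in the comments, e.g. `const char * pClientCertLabel; /**< @brief NUL-terminated PKCS #11 label of the client certificate. Must not be NULL. */` and the equivalent for `pPrivateKeyLabel`. It is also worth stating that at most pkcs11configMAX_LABEL_LENGTH bytes of each label are used, since that bound is what using_mbedtls_pkcs11.c now applies when looking the objects up.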