Add variable PKCS11 label support to using_mbedtls_pkcs11 (#723)

The previous "using_mbedtls_pkcs11.c" implementation requires using the device key and device certificate stored under the labels "pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS" and "pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS".

This commit updates the NetworkCredentials to include fields for pClientCertLabel and pPrivateKeyLabel, so other labels can be used with PKCS11. This matches the behavior seen in the CSDK.

This commit also updates the "pkcs11_mqtt_mutual_auth_demo" to set the newly-added NetworkCredentials fields.

FreeRTOS-Plus/Demo/corePKCS11_MQTT_Mutual_Auth_Windows_Simulator/DemoTasks/MutualAuthMQTTExample.c

@@ -49,6 +49,7 @@
 
 /* Demo Specific configs. */
 #include "demo_config.h"
+#include "core_pkcs11_config.h"
 
 /* MQTT library includes. */
 #include "core_mqtt.h"
@@ -456,6 +457,8 @@ static void prvTLSConnect( NetworkCredentials_t * pxNetworkCredentials,
     /* Set the credentials for establishing a TLS connection. */
     pxNetworkCredentials->pRootCa = ( const unsigned char * ) democonfigROOT_CA_PEM;
     pxNetworkCredentials->rootCaSize = sizeof( democonfigROOT_CA_PEM );
+    pxNetworkCredentials->pClientCertLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
+    pxNetworkCredentials->pPrivateKeyLabel = pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
 
     /* Attempt to create a mutually authenticated TLS connection. */
     xNetworkStatus = TLS_FreeRTOS_Connect( pxNetworkContext,

FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.c

@@ -57,8 +57,8 @@
 
 /*-----------------------------------------------------------*/
 
-/** 
- * @brief Each compilation unit that consumes the NetworkContext must define it. 
+/**
+ * @brief Each compilation unit that consumes the NetworkContext must define it.
  * It should contain a single pointer as seen below whenever the header file
  * of this transport implementation is included to your project.
  *
@@ -165,18 +165,28 @@ static int32_t generateRandomBytes( void * pvCtx,
  * @return Zero on success.
  */
 static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
-                                         char * pcLabelName,
+                                         const char * pcLabelName,
                                          CK_OBJECT_CLASS xClass,
                                          mbedtls_x509_crt * pxCertificateContext );
 
 /**
- * @brief Helper for setting up potentially hardware-based cryptographic context.
+ * @brief Helper for setting up potentially hardware-based cryptographic context
+ * for the client TLS certificate and private key.
  *
- * @param Caller context.
+ * @param[in] Caller context.
+ * @param[in] PKCS11 label which contains the desired private key.
  *
  * @return Zero on success.
  */
-static CK_RV initializeClientKeys( SSLContext_t * pxCtx );
+static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
+                                   const char * pcLabelName );
+
+/**
+ * @brief Stub function to satisfy mbedtls checks before sign operations
+ *
+ * @return 1.
+ */
+int canDoStub( mbedtls_pk_type_t type );
 
 /**
  * @brief Sign a cryptographic hash with the private key.
@@ -248,6 +258,8 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
     configASSERT( pHostName != NULL );
     configASSERT( pNetworkCredentials != NULL );
     configASSERT( pNetworkCredentials->pRootCa != NULL );
+    configASSERT( pNetworkCredentials->pClientCertLabel != NULL );
+    configASSERT( pNetworkCredentials->pPrivateKeyLabel != NULL );
 
     pTlsTransportParams = pNetworkContext->pParams;
 
@@ -316,7 +328,8 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
     if( returnStatus == TLS_TRANSPORT_SUCCESS )
     {
         /* Setup the client private key. */
-        xResult = initializeClientKeys( &( pTlsTransportParams->sslContext ) );
+        xResult = initializeClientKeys( &( pTlsTransportParams->sslContext ),
+                                        pNetworkCredentials->pPrivateKeyLabel );
 
         if( xResult != CKR_OK )
         {
@@ -328,7 +341,7 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
         {
             /* Setup the client certificate. */
             xResult = readCertificateIntoContext( &( pTlsTransportParams->sslContext ),
-                                                  pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
+                                                  pNetworkCredentials->pClientCertLabel,
                                                   CKO_CERTIFICATE,
                                                   &( pTlsTransportParams->sslContext.clientCert ) );
 
@@ -510,7 +523,7 @@ static int32_t generateRandomBytes( void * pvCtx,
 /*-----------------------------------------------------------*/
 
 static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
-                                         char * pcLabelName,
+                                         const char * pcLabelName,
                                          CK_OBJECT_CLASS xClass,
                                          mbedtls_x509_crt * pxCertificateContext )
 {
@@ -521,7 +534,8 @@ static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
     /* Get the handle of the certificate. */
     xResult = xFindObjectWithLabelAndClass( pSslContext->xP11Session,
                                             pcLabelName,
-                                            strlen( pcLabelName ),
+                                            strnlen( pcLabelName,
+                                                     pkcs11configMAX_LABEL_LENGTH ),
                                             xClass,
                                             &xCertObj );
 
@@ -582,11 +596,13 @@ static CK_RV readCertificateIntoContext( SSLContext_t * pSslContext,
  * @brief Helper for setting up potentially hardware-based cryptographic context
  * for the client TLS certificate and private key.
  *
- * @param Caller context.
+ * @param[in] Caller context.
+ * @param[in] PKCS11 label which contains the desired private key.
  *
  * @return Zero on success.
  */
-static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
+static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
+                                   const char * pcLabelName )
 {
     CK_RV xResult = CKR_OK;
     CK_SLOT_ID * pxSlotIds = NULL;
@@ -634,8 +650,9 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
     {
         /* Get the handle of the device private key. */
         xResult = xFindObjectWithLabelAndClass( pxCtx->xP11Session,
-                                                pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS,
-                                                sizeof( pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS ) - 1UL,
+                                                pcLabelName,
+                                                strnlen( pcLabelName,
+                                                         pkcs11configMAX_LABEL_LENGTH ),
                                                 CKO_PRIVATE_KEY,
                                                 &pxCtx->xP11PrivateKey );
     }
@@ -682,6 +699,25 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx )
     {
         memcpy( &pxCtx->privKeyInfo, mbedtls_pk_info_from_type( xKeyAlgo ), sizeof( mbedtls_pk_info_t ) );
 
+        /* Assign unimplemented function pointers to NULL */
+        pxCtx->privKeyInfo.get_bitlen = NULL;
+        pxCtx->privKeyInfo.can_do = canDoStub;
+        pxCtx->privKeyInfo.verify_func = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        pxCtx->privKeyInfo.verify_rs_func = NULL;
+        pxCtx->privKeyInfo.sign_rs_func = NULL;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+        pxCtx->privKeyInfo.decrypt_func = NULL;
+        pxCtx->privKeyInfo.encrypt_func = NULL;
+        pxCtx->privKeyInfo.check_pair_func = NULL;
+        pxCtx->privKeyInfo.ctx_alloc_func = NULL;
+        pxCtx->privKeyInfo.ctx_free_func = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        pxCtx->privKeyInfo.rs_alloc_func = NULL;
+        pxCtx->privKeyInfo.rs_free_func = NULL;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+        pxCtx->privKeyInfo.debug_func = NULL;
+
         pxCtx->privKeyInfo.sign_func = privateKeySigningCallback;
         pxCtx->privKey.pk_info = &pxCtx->privKeyInfo;
         pxCtx->privKey.pk_ctx = pxCtx;
@@ -790,6 +826,13 @@ static int32_t privateKeySigningCallback( void * pvContext,
 
 /*-----------------------------------------------------------*/
 
+int canDoStub( mbedtls_pk_type_t type )
+{
+    return 1;
+}
+
+/*-----------------------------------------------------------*/
+
 TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
                                            const char * pHostName,
                                            uint16_t port,

FreeRTOS-Plus/Source/Application-Protocols/network_transport/using_mbedtls_pkcs11/using_mbedtls_pkcs11.h

@@ -148,6 +148,8 @@ typedef struct NetworkCredentials
     size_t userNameSize;             /**< @brief Size associated with #NetworkCredentials.pUserName. */
     const unsigned char * pPassword; /**< @brief String representing the password for MQTT. */
     size_t passwordSize;             /**< @brief Size associated with #NetworkCredentials.pPassword. */
+    const char * pClientCertLabel;   /**< @brief String representing the PKCS #11 label for the client certificate. */
+    const char * pPrivateKeyLabel;   /**< @brief String representing the PKCS #11 label for the private key. */
 } NetworkCredentials_t;
 
 /**

lexicon.txt

@@ -1524,6 +1524,7 @@ pcks
 pcl
 pclabelname
 pclientcert
+pclientcertlabel
 pclk
 pclkb
 pclwipappsblockinggettxbuffer
@@ -1693,6 +1694,7 @@ ppcmessagetodisplay
 ppollperiod
 ppr
 pprivatekey
+pprivatekeylabel
 ppublishinfo
 ppvcontext
 ppxidletaskstackbuffer