Add argument allowing client to set key usage flags for certificate cached public keys

Author: bigbrett

src/wh_client_cert.c

@@ -39,7 +39,8 @@
 /* Helper function to send a certificate verification request */
 static int _certVerifyRequest(whClientContext* c, const uint8_t* cert,
                               uint32_t cert_len, whNvmId trustedRootNvmId,
-                              uint16_t flags, whKeyId keyId);
+                              uint16_t verifyFlags, whNvmFlags cachedKeyFlags,
+                              whKeyId keyId);
 
 /* Helper function to receive a verify response */
 static int _certVerifyResponse(whClientContext* c, whKeyId* out_keyId,
@@ -48,7 +49,8 @@ static int _certVerifyResponse(whClientContext* c, whKeyId* out_keyId,
 /* Helper function to perform certificate verification */
 static int _certVerify(whClientContext* c, const uint8_t* cert,
                        uint32_t cert_len, whNvmId trustedRootNvmId,
-                       uint16_t flags, whKeyId* inout_keyId, int32_t* out_rc);
+                       uint16_t flags, whNvmFlags cachedKeyFlags,
+                       whKeyId* inout_keyId, int32_t* out_rc);
 
 
 /* Initialize the certificate manager */
@@ -362,7 +364,8 @@ int wh_Client_CertReadTrusted(whClientContext* c, whNvmId id, uint8_t* cert,
 /* Helper function to send a verify request */
 static int _certVerifyRequest(whClientContext* c, const uint8_t* cert,
                               uint32_t cert_len, whNvmId trustedRootNvmId,
-                              uint16_t flags, whKeyId keyId)
+                              uint16_t verifyFlags, whNvmFlags cachedKeyFlags,
+                              whKeyId keyId)
 {
     whMessageCert_VerifyRequest req                               = {0};
     uint8_t                     buffer[WOLFHSM_CFG_COMM_DATA_LEN] = {0};
@@ -377,7 +380,8 @@ static int _certVerifyRequest(whClientContext* c, const uint8_t* cert,
     /* Prepare request */
     req.cert_len         = cert_len;
     req.trustedRootNvmId = trustedRootNvmId;
-    req.flags            = flags;
+    req.flags            = verifyFlags;
+    req.cachedKeyFlags   = cachedKeyFlags;
     req.keyId            = keyId;
 
     /* Copy request struct and certificate data */
@@ -427,7 +431,8 @@ static int _certVerifyResponse(whClientContext* c, whKeyId* out_keyId,
 
 static int _certVerify(whClientContext* c, const uint8_t* cert,
                        uint32_t cert_len, whNvmId trustedRootNvmId,
-                       uint16_t flags, whKeyId* inout_keyId, int32_t* out_rc)
+                       uint16_t flags, whNvmFlags cachedKeyFlags,
+                       whKeyId* inout_keyId, int32_t* out_rc)
 {
     int     rc    = 0;
     whKeyId keyId = WH_KEYID_ERASED;
@@ -442,7 +447,7 @@ static int _certVerify(whClientContext* c, const uint8_t* cert,
 
     do {
         rc = _certVerifyRequest(c, cert, cert_len, trustedRootNvmId, flags,
-                                keyId);
+                                cachedKeyFlags, keyId);
     } while (rc == WH_ERROR_NOTREADY);
 
     if (rc == 0) {
@@ -458,7 +463,8 @@ int wh_Client_CertVerifyRequest(whClientContext* c, const uint8_t* cert,
                                 uint32_t cert_len, whNvmId trustedRootNvmId)
 {
     return _certVerifyRequest(c, cert, cert_len, trustedRootNvmId,
-                              WH_CERT_FLAGS_NONE, WH_KEYID_ERASED);
+                              WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY,
+                              WH_KEYID_ERASED);
 }
 
 int wh_Client_CertVerifyResponse(whClientContext* c, int32_t* out_rc)
@@ -471,17 +477,16 @@ int wh_Client_CertVerify(whClientContext* c, const uint8_t* cert,
                          int32_t* out_rc)
 {
     return _certVerify(c, cert, cert_len, trustedRootNvmId, WH_CERT_FLAGS_NONE,
-                       NULL, out_rc);
+                       WH_NVM_FLAGS_USAGE_ANY, NULL, out_rc);
 }
 
-int wh_Client_CertVerifyAndCacheLeafPubKeyRequest(whClientContext* c,
-                                                  const uint8_t*   cert,
-                                                  uint32_t         cert_len,
-                                                  whNvmId trustedRootNvmId,
-                                                  whKeyId keyId)
+int wh_Client_CertVerifyAndCacheLeafPubKeyRequest(
+    whClientContext* c, const uint8_t* cert, uint32_t cert_len,
+    whNvmId trustedRootNvmId, whNvmFlags cachedKeyFlags, whKeyId keyId)
 {
     return _certVerifyRequest(c, cert, cert_len, trustedRootNvmId,
-                              WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, keyId);
+                              WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, cachedKeyFlags,
+                              keyId);
 }
 
 int wh_Client_CertVerifyAndCacheLeafPubKeyResponse(whClientContext* c,
@@ -494,10 +499,12 @@ int wh_Client_CertVerifyAndCacheLeafPubKeyResponse(whClientContext* c,
 
 int wh_Client_CertVerifyAndCacheLeafPubKey(
     whClientContext* c, const uint8_t* cert, uint32_t cert_len,
-    whNvmId trustedRootNvmId, whKeyId* inout_keyId, int32_t* out_rc)
+    whNvmId trustedRootNvmId, whNvmFlags cachedKeyFlags, whKeyId* inout_keyId,
+    int32_t* out_rc)
 {
     return _certVerify(c, cert, cert_len, trustedRootNvmId,
-                       WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, inout_keyId, out_rc);
+                       WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, cachedKeyFlags,
+                       inout_keyId, out_rc);
 }
 
 #ifdef WOLFHSM_CFG_DMA
@@ -658,7 +665,8 @@ int wh_Client_CertReadTrustedDma(whClientContext* c, whNvmId id, void* cert,
 
 static int _certVerifyDmaRequest(whClientContext* c, const void* cert,
                                  uint32_t cert_len, whNvmId trustedRootNvmId,
-                                 uint16_t flags, whKeyId keyId)
+                                 uint16_t flags, whNvmFlags cachedKeyFlags,
+                                 whKeyId keyId)
 {
     whMessageCert_VerifyDmaRequest req = {0};
 
@@ -671,6 +679,7 @@ static int _certVerifyDmaRequest(whClientContext* c, const void* cert,
     req.cert_len         = cert_len;
     req.trustedRootNvmId = trustedRootNvmId;
     req.flags            = flags;
+    req.cachedKeyFlags   = cachedKeyFlags;
     req.keyId            = keyId;
     return wh_Client_SendRequest(c, WH_MESSAGE_GROUP_CERT,
                                  WH_MESSAGE_CERT_ACTION_VERIFY_DMA, sizeof(req),
@@ -713,7 +722,8 @@ static int _certVerifyDmaResponse(whClientContext* c, whKeyId* out_keyId,
 
 static int _certVerifyDma(whClientContext* c, const void* cert,
                           uint32_t cert_len, whNvmId trustedRootNvmId,
-                          uint16_t flags, whKeyId* inout_keyId, int32_t* out_rc)
+                          uint16_t flags, whNvmFlags cachedKeyFlags,
+                          whKeyId* inout_keyId, int32_t* out_rc)
 {
     int     rc    = 0;
     whKeyId keyId = WH_KEYID_ERASED;
@@ -731,7 +741,7 @@ static int _certVerifyDma(whClientContext* c, const void* cert,
 
     do {
         rc = _certVerifyDmaRequest(c, cert, cert_len, trustedRootNvmId, flags,
-                                   keyId);
+                                   cachedKeyFlags, keyId);
     } while (rc == WH_ERROR_NOTREADY);
 
     if (rc == 0) {
@@ -747,7 +757,8 @@ int wh_Client_CertVerifyDmaRequest(whClientContext* c, const void* cert,
                                    uint32_t cert_len, whNvmId trustedRootNvmId)
 {
     return _certVerifyDmaRequest(c, cert, cert_len, trustedRootNvmId,
-                                 WH_CERT_FLAGS_NONE, WH_KEYID_ERASED);
+                                 WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY,
+                                 WH_KEYID_ERASED);
 }
 
 int wh_Client_CertVerifyDmaResponse(whClientContext* c, int32_t* out_rc)
@@ -760,17 +771,17 @@ int wh_Client_CertVerifyDma(whClientContext* c, const void* cert,
                             int32_t* out_rc)
 {
     return _certVerifyDma(c, cert, cert_len, trustedRootNvmId,
-                          WH_CERT_FLAGS_NONE, NULL, out_rc);
+                          WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL,
+                          out_rc);
 }
 
-int wh_Client_CertVerifyDmaAndCacheLeafPubKeyRequest(whClientContext* c,
-                                                     const void*      cert,
-                                                     uint32_t         cert_len,
-                                                     whNvmId trustedRootNvmId,
-                                                     whKeyId keyId)
+int wh_Client_CertVerifyDmaAndCacheLeafPubKeyRequest(
+    whClientContext* c, const void* cert, uint32_t cert_len,
+    whNvmId trustedRootNvmId, whNvmFlags cachedKeyFlags, whKeyId keyId)
 {
     return _certVerifyDmaRequest(c, cert, cert_len, trustedRootNvmId,
-                                 WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, keyId);
+                                 WH_CERT_FLAGS_CACHE_LEAF_PUBKEY,
+                                 cachedKeyFlags, keyId);
 }
 
 int wh_Client_CertVerifyDmaAndCacheLeafPubKeyResponse(whClientContext* c,
@@ -782,10 +793,12 @@ int wh_Client_CertVerifyDmaAndCacheLeafPubKeyResponse(whClientContext* c,
 
 int wh_Client_CertVerifyDmaAndCacheLeafPubKey(
     whClientContext* c, const void* cert, uint32_t cert_len,
-    whNvmId trustedRootNvmId, whKeyId* inout_keyId, int32_t* out_rc)
+    whNvmId trustedRootNvmId, whNvmFlags cachedKeyFlags, whKeyId* inout_keyId,
+    int32_t* out_rc)
 {
     return _certVerifyDma(c, cert, cert_len, trustedRootNvmId,
-                          WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, inout_keyId, out_rc);
+                          WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, cachedKeyFlags,
+                          inout_keyId, out_rc);
 }
 
 #endif /* WOLFHSM_CFG_DMA */

src/wh_message_cert.c

@@ -105,6 +105,8 @@ int wh_MessageCert_TranslateVerifyRequest(
     WH_T32(magic, dest, src, cert_len);
     WH_T16(magic, dest, src, trustedRootNvmId);
     WH_T16(magic, dest, src, flags);
+    WH_T16(magic, dest, src, cachedKeyFlags);
+    WH_T16(magic, dest, src, keyId);
     return 0;
 }
 
@@ -193,4 +195,4 @@ int wh_MessageCert_TranslateVerifyAcertRequest(
     return 0;
 }
 #endif /* WOLFHSM_CFG_CERTIFICATE_MANAGER_ACERT */
-#endif /* WOLFHSM_CFG_CERTIFICATE_MANAGER && !WOLFHSM_CFG_NO_CRYPTO */
+#endif /* WOLFHSM_CFG_CERTIFICATE_MANAGER && !WOLFHSM_CFG_NO_CRYPTO */

src/wh_server_cert.c

@@ -46,7 +46,9 @@
 static int _verifyChainAgainstCmStore(whServerContext*      server,
                                       WOLFSSL_CERT_MANAGER* cm,
                                       const uint8_t* chain, uint32_t chain_len,
-                                      whCertFlags flags, whKeyId* inout_keyId)
+                                      whCertFlags flags,
+                                      whNvmFlags  cachedKeyFlags,
+                                      whKeyId*    inout_keyId)
 {
     int            rc            = 0;
     const uint8_t* cert_ptr      = chain;
@@ -133,7 +135,7 @@ static int _verifyChainAgainstCmStore(whServerContext*      server,
                         if (rc == 0) {
                             const char label[] = "cert_pubkey";
                             cacheMeta->len     = (whNvmSize)cacheBufSize;
-                            cacheMeta->flags   = WH_NVM_FLAGS_NONE;
+                            cacheMeta->flags   = cachedKeyFlags;
                             cacheMeta->access  = WH_NVM_ACCESS_ANY;
                             cacheMeta->id      = *inout_keyId;
                             memset(cacheMeta->label, 0,
@@ -258,7 +260,8 @@ int wh_Server_CertReadTrusted(whServerContext* server, whNvmId id,
 /* Verify a certificate against trusted certificates */
 int wh_Server_CertVerify(whServerContext* server, const uint8_t* cert,
                          uint32_t cert_len, whNvmId trustedRootNvmId,
-                         whCertFlags flags, whKeyId* inout_keyId)
+                         whCertFlags flags, whNvmFlags cachedKeyFlags,
+                         whKeyId* inout_keyId)
 {
     WOLFSSL_CERT_MANAGER* cm = NULL;
 
@@ -293,7 +296,7 @@ int wh_Server_CertVerify(whServerContext* server, const uint8_t* cert,
         if (rc == WOLFSSL_SUCCESS) {
             /* Verify the certificate */
             rc = _verifyChainAgainstCmStore(server, cm, cert, cert_len, flags,
-                                            inout_keyId);
+                                            cachedKeyFlags, inout_keyId);
             if (rc != WH_ERROR_OK) {
                 rc = WH_ERROR_CERT_VERIFY;
             }
@@ -511,7 +514,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                 /* Process the verify action */
                 resp.rc = wh_Server_CertVerify(server, cert_data, req.cert_len,
                                                req.trustedRootNvmId, req.flags,
-                                               &keyId);
+                                               req.cachedKeyFlags, &keyId);
 
                 /* Propagate the keyId back to the client with flags preserved
                  */
@@ -641,7 +644,7 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                 /* Process the verify action */
                 resp.rc = wh_Server_CertVerify(server, cert_data, req.cert_len,
                                                req.trustedRootNvmId, req.flags,
-                                               &keyId);
+                                               req.cachedKeyFlags, &keyId);
 
                 /* Propagate the keyId back to the client with flags preserved
                  */

test/wh_test_cert.c

@@ -88,16 +88,16 @@ int whTest_CertServerCfg(whServerConfig* serverCfg)
         "Verifying valid single certificate...using intermediate cert\n");
     WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
         server, INTERMEDIATE_A_CERT, INTERMEDIATE_A_CERT_len, rootCertA,
-        WH_CERT_FLAGS_NONE, NULL));
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
 
     /* attempt to verify invalid cert (leaf w/o intermediate), should fail */
     WH_TEST_DEBUG_PRINT(
         "Attempting to verify invalid single certificate...using leaf cert "
         "without intermediate\n");
-    WH_TEST_ASSERT_RETURN(WH_ERROR_CERT_VERIFY ==
-                          wh_Server_CertVerify(server, LEAF_A_CERT,
-                                               LEAF_A_CERT_len, rootCertA,
-                                               WH_CERT_FLAGS_NONE, NULL));
+    WH_TEST_ASSERT_RETURN(
+        WH_ERROR_CERT_VERIFY ==
+        wh_Server_CertVerify(server, LEAF_A_CERT, LEAF_A_CERT_len, rootCertA,
+                             WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
 
     /* attempt to verify invalid cert (intermediate with different root),
      * should fail */
@@ -107,30 +107,32 @@ int whTest_CertServerCfg(whServerConfig* serverCfg)
                           wh_Server_CertVerify(server, INTERMEDIATE_B_CERT,
                                                INTERMEDIATE_B_CERT_len,
                                                rootCertA, WH_CERT_FLAGS_NONE,
-                                               NULL));
+                                               WH_NVM_FLAGS_USAGE_ANY, NULL));
 
     /* Verify valid chain */
     WH_TEST_DEBUG_PRINT("Verifying valid certificate chain...\n");
-    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(server, RAW_CERT_CHAIN_A,
-                                                RAW_CERT_CHAIN_A_len, rootCertA,
-                                                WH_CERT_FLAGS_NONE, NULL));
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
 
     /* Verify valid chain B */
     WH_TEST_DEBUG_PRINT("Verifying valid certificate chain B...\n");
-    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(server, RAW_CERT_CHAIN_B,
-                                                RAW_CERT_CHAIN_B_len, rootCertB,
-                                                WH_CERT_FLAGS_NONE, NULL));
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_B, RAW_CERT_CHAIN_B_len, rootCertB,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
 
     /* attempt to verify invalid chains, should fail */
     WH_TEST_DEBUG_PRINT("Attempting to verify invalid certificate chains...\n");
     WH_TEST_ASSERT_RETURN(WH_ERROR_CERT_VERIFY ==
                           wh_Server_CertVerify(server, RAW_CERT_CHAIN_A,
                                                RAW_CERT_CHAIN_A_len, rootCertB,
-                                               WH_CERT_FLAGS_NONE, NULL));
+                                               WH_CERT_FLAGS_NONE,
+                                               WH_NVM_FLAGS_USAGE_ANY, NULL));
     WH_TEST_ASSERT_RETURN(WH_ERROR_CERT_VERIFY ==
                           wh_Server_CertVerify(server, RAW_CERT_CHAIN_B,
                                                RAW_CERT_CHAIN_B_len, rootCertA,
-                                               WH_CERT_FLAGS_NONE, NULL));
+                                               WH_CERT_FLAGS_NONE,
+                                               WH_NVM_FLAGS_USAGE_ANY, NULL));
 
     /* remove trusted root certificate for chain A */
     WH_TEST_DEBUG_PRINT("Removing trusted root certificates...\n");
@@ -224,7 +226,7 @@ int whTest_CertClient(whClientContext* client)
     WH_TEST_PRINT("Testing verify with cached leaf public key...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertVerifyAndCacheLeafPubKey(
         client, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA_id,
-        &out_keyId, &out_rc));
+        WH_NVM_FLAGS_USAGE_ANY, &out_keyId, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Export the cached public key so we can verify it matches the expected
@@ -409,7 +411,7 @@ int whTest_CertClientDma_ClientServerTestInternal(whClientContext* client)
     WH_TEST_PRINT("Testing verify with cached leaf public key using DMA...\n");
     WH_TEST_RETURN_ON_FAIL(wh_Client_CertVerifyDmaAndCacheLeafPubKey(
         client, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA_id,
-        &out_keyId, &out_rc));
+        WH_NVM_FLAGS_USAGE_ANY, &out_keyId, &out_rc));
     WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
 
     /* Export the cached public key so we can verify it matches the expected