diff --git a/src/crypto.c b/src/crypto.c index 9a239c1..94189c4 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -2465,7 +2465,7 @@ CK_RV C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_RV C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { - int ret; + int ret = 0; WP11_Session* session; WP11_Object* obj = NULL; CK_KEY_TYPE type; @@ -2479,10 +2479,27 @@ CK_RV C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, return CKR_ARGUMENTS_BAD; ret = WP11_Object_Find(session, hKey, &obj); - if (ret != 0) +#ifdef WOLFSSL_MAXQ10XX_CRYPTO + if ((ret != 0) && (hKey == 0) && (pMechanism->mechanism == CKM_ECDSA)) { + if (pMechanism->pParameter != NULL || pMechanism->ulParameterLen != 0) { + return CKR_MECHANISM_PARAM_INVALID; + } + + /* Do not worry; the private key is pre-provisioned, but note there is + * no object to set. */ + init = WP11_INIT_ECDSA_SIGN; + WP11_Session_SetMechanism(session, pMechanism->mechanism); + WP11_Session_SetOpInitialized(session, init); + + return CKR_OK; + } else +#endif + if (ret != 0) { return CKR_OBJECT_HANDLE_INVALID; + } type = WP11_Object_GetType(obj); + switch (pMechanism->mechanism) { #ifndef NO_RSA case CKM_RSA_X_509: @@ -2681,8 +2698,9 @@ CK_RV C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, #endif #ifdef HAVE_ECC case CKM_ECDSA: - if (!WP11_Session_IsOpInitialized(session, WP11_INIT_ECDSA_SIGN)) + if (!WP11_Session_IsOpInitialized(session, WP11_INIT_ECDSA_SIGN)) { return CKR_OPERATION_NOT_INITIALIZED; + } sigLen = WP11_Ec_SigLen(obj); if (pSignature == NULL) { diff --git a/src/internal.c b/src/internal.c index 3fb5de4..6be6632 100644 --- a/src/internal.c +++ b/src/internal.c @@ -59,6 +59,10 @@ #define WOLFPKCS11_NEED_RSA_RNG #endif +#if defined(WOLFPKCS11_TPM) && defined(WOLFSSL_MAXQ10XX_CRYPTO) + #error "wolfTPM and MAXQ10XX are incompatable with each other." +#endif + /* Size of hash calculated from PIN. */ #define PIN_HASH_SZ 32 /* Size of seed used when calculating hash from PIN. */ @@ -3380,8 +3384,10 @@ static int wp11_Slot_Init(WP11_Slot* slot, int id) ret = WP11_Lock_Init(&slot->lock); if (ret == 0) { - #ifdef WOLFPKCS11_TPM + #if defined(WOLFPKCS11_TPM) ret = wp11_TpmInit(slot); + #elif defined (WOLFSSL_MAXQ10XX_CRYPTO) + slot->devId = MAXQ_DEVICE_ID; #endif /* Create the minimum number of unused sessions. */ for (i = 0; ret == 0 && i < WP11_SESSION_CNT_MIN; i++) { @@ -3447,8 +3453,16 @@ int WP11_Library_Init(void) if (libraryInitCount == 0) { ret = WP11_Lock_Init(&globalLock); - if (ret == 0) + if (ret == 0) { +#ifdef WOLFSSL_MAXQ10XX_CRYPTO + ret = wolfCrypt_Init(); + if (ret == 0) { + ret = wc_InitRng_ex(&globalRandom, NULL, MAXQ_DEVICE_ID); + } +#else ret = wc_InitRng(&globalRandom); +#endif + } for (i = 0; (ret == 0) && (i < slotCnt); i++) { ret = wp11_Slot_Init(&slotList[i], i + 1); } @@ -4567,7 +4581,7 @@ int WP11_Session_SetCbcParams(WP11_Session* session, unsigned char* iv, WP11_Data* key; /* AES object on session. */ - ret = wc_AesInit(&cbc->aes, NULL, INVALID_DEVID); + ret = wc_AesInit(&cbc->aes, NULL, session->devId); if (ret == 0) { if (object->onToken) WP11_Lock_LockRO(object->lock); @@ -7441,7 +7455,7 @@ int WP11_EC_Derive(unsigned char* point, word32 pointLen, unsigned char* key, WC_RNG rng; #endif - ret = wc_ecc_init_ex(&pubKey, NULL, INVALID_DEVID); + ret = wc_ecc_init_ex(&pubKey, NULL, priv->slot->devId); if (ret == 0) { ret = wc_ecc_import_x963(point, pointLen, &pubKey); } @@ -8062,7 +8076,7 @@ int WP11_AesGcm_Encrypt(unsigned char* plain, word32 plainSz, word32 authTagSz = gcm->tagBits / 8; unsigned char* authTag = enc + plainSz; - ret = wc_AesInit(&aes, NULL, INVALID_DEVID); + ret = wc_AesInit(&aes, NULL, session->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -8114,7 +8128,7 @@ int WP11_AesGcm_EncryptUpdate(unsigned char* plain, word32 plainSz, word32 authTagSz = gcm->tagBits / 8; unsigned char* authTag = gcm->authTag; - ret = wc_AesInit(&aes, NULL, INVALID_DEVID); + ret = wc_AesInit(&aes, NULL, session->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); @@ -8194,7 +8208,7 @@ int WP11_AesGcm_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec, word32 authTagSz = gcm->tagBits / 8; unsigned char* authTag = enc + encSz - authTagSz; - ret = wc_AesInit(&aes, NULL, INVALID_DEVID); + ret = wc_AesInit(&aes, NULL, session->devId); if (ret == 0) { if (secret->onToken) { WP11_Lock_LockRO(secret->lock); @@ -8379,7 +8393,7 @@ int WP11_Hmac_Init(CK_MECHANISM_TYPE mechanism, WP11_Object* secret, if (ret == 0) hmac->hmacSz = wc_HmacSizeByType(hashType); if (ret == 0) - ret = wc_HmacInit(&hmac->hmac, NULL, INVALID_DEVID); + ret = wc_HmacInit(&hmac->hmac, NULL, secret->slot->devId); if (ret == 0) { if (secret->onToken) WP11_Lock_LockRO(secret->lock); diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c index 48c23e7..6099870 100644 --- a/tests/pkcs11test.c +++ b/tests/pkcs11test.c @@ -2930,8 +2930,8 @@ static CK_RV test_pubkey_sig_fail(CK_SESSION_HANDLE session, CK_MECHANISM* mech, CHECK_CKR_FAIL(ret, CKR_OPERATION_NOT_INITIALIZED, "Verify wrong init"); } if (ret == CKR_OK) { - ret = funcList->C_VerifyInit(session, mech, pub); - CHECK_CKR(ret, "Verify Init"); + ret = funcList->C_VerifyInit(session, mech, pub); + CHECK_CKR(ret, "Verify Init"); } if (ret == CKR_OK) { ret = funcList->C_Sign(session, hash, hashSz, out, &outSz); @@ -3794,11 +3794,13 @@ static CK_RV test_rsa_fixed_keys_oaep(void* args) 0); CHECK_CKR(ret, "SHA1 No AAD"); } +#ifdef WOLFSSL_SHA224 if (ret == CKR_OK) { ret = rsa_oaep_test(session, priv, pub, CKM_SHA224, CKG_MGF1_SHA224, NULL, 0); CHECK_CKR(ret, "SHA224 No AAD"); } +#endif if (ret == CKR_OK) { ret = rsa_oaep_test(session, priv, pub, CKM_SHA384, CKG_MGF1_SHA384, NULL, 0); @@ -3893,10 +3895,12 @@ static CK_RV test_rsa_fixed_keys_pss(void* args) ret = rsa_pss_test(session, priv, pub, CKM_SHA1, CKG_MGF1_SHA1, 20); CHECK_CKR(ret, "RSA PKCS#1 PSS - SHA1"); } +#ifdef WOLFSSL_SHA224 if (ret == CKR_OK) { ret = rsa_pss_test(session, priv, pub, CKM_SHA224, CKG_MGF1_SHA224, 28); CHECK_CKR(ret, "RSA PKCS#1 PSS - SHA224"); } +#endif if (ret == CKR_OK) { ret = rsa_pss_test(session, priv, pub, CKM_SHA384, CKG_MGF1_SHA384, 48); CHECK_CKR(ret, "RSA PKCS#1 PSS - SHA384"); @@ -4819,10 +4823,15 @@ static CK_RV ecdsa_test(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE privKey, ret = funcList->C_VerifyInit(session, &mech, pubKey); CHECK_CKR(ret, "ECDSA Verify Init"); } +#ifndef WOLFSSL_MAXQ10XX_CRYPTO + /* In the case of MAXQ1065 it will be signed by the pre-provisioned private + * key so verify operation will fail as this is NOT the corresponding + * public key. */ if (ret == CKR_OK) { ret = funcList->C_Verify(session, hash, hashSz, out, outSz); CHECK_CKR(ret, "ECDSA Verify"); } +#endif if (ret == CKR_OK) { ret = funcList->C_Verify(session, hash, hashSz - 1, out, outSz); CHECK_CKR_FAIL(ret, CKR_SIGNATURE_INVALID, "ECDSA Verify bad hash");