Jim Carver
Simulated product dispenser
Fork of
mbed-cloud-workshop-connect-HTS221
by 
Jim Carver
Embed:
(wiki syntax)
Show/hide line numbers
cs_der_keys_and_csrs.c
00001 // ---------------------------------------------------------------------------- 00002 // Copyright 2016-2017 ARM Ltd. 00003 // 00004 // Licensed under the Apache License, Version 2.0 (the "License"); 00005 // you may not use this file except in compliance with the License. 00006 // You may obtain a copy of the License at 00007 // 00008 // http://www.apache.org/licenses/LICENSE-2.0 00009 // 00010 // Unless required by applicable law or agreed to in writing, software 00011 // distributed under the License is distributed on an "AS IS" BASIS, 00012 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00013 // See the License for the specific language governing permissions and 00014 // limitations under the License. 00015 // ---------------------------------------------------------------------------- 00016 00017 #include "pv_error_handling.h" 00018 #include "cs_der_keys_and_csrs.h" 00019 #include "pal.h" 00020 #include "cs_utils.h" 00021 #include "cs_hash.h" 00022 #include "pk.h" 00023 #include "kcm_internal.h" 00024 00025 //For now only EC keys supported!!! 00026 static kcm_status_e der_key_verify(const uint8_t *der_key, size_t der_key_length, palKeyToCheck_t key_type) 00027 { 00028 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00029 palStatus_t pal_status = PAL_SUCCESS; 00030 palECKeyHandle_t key_handle = NULLPTR; 00031 palCurveHandle_t grp = NULLPTR; 00032 palGroupIndex_t pal_grp_idx; 00033 bool verified = false; 00034 00035 00036 SA_PV_ERR_RECOVERABLE_RETURN_IF((der_key == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid der_key pointer"); 00037 SA_PV_ERR_RECOVERABLE_RETURN_IF((der_key_length <= 0), KCM_STATUS_INVALID_PARAMETER, "Invalid der_key_length"); 00038 00039 //Create new key handler 00040 pal_status = pal_ECKeyNew(&key_handle); 00041 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "pal_ECKeyNew failed "); 00042 00043 //Parse the key from DER format 00044 if (key_type == PAL_CHECK_PRIVATE_KEY) { 00045 pal_status = pal_parseECPrivateKeyFromDER(der_key, der_key_length, key_handle); 00046 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_parseECPrivateKeyFromDER failed "); 00047 } else { 00048 pal_status = pal_parseECPublicKeyFromDER(der_key, der_key_length, key_handle); 00049 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_parseECPublicKeyFromDER failed "); 00050 } 00051 00052 //retrieve key curve from key handle 00053 pal_status = pal_ECKeyGetCurve(key_handle, &pal_grp_idx); 00054 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_ECKeyGetCurve failed "); 00055 00056 //Allocate curve handler 00057 pal_status = pal_ECGroupInitAndLoad(&grp, pal_grp_idx); 00058 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_parseECPrivateKeyFromDER failed "); 00059 00060 //Perform key verification 00061 pal_status = pal_ECCheckKey(grp, key_handle, key_type, &verified); 00062 SA_PV_ERR_RECOVERABLE_GOTO_IF(((PAL_SUCCESS != pal_status) || (verified != true)), kcm_status = cs_error_handler(pal_status), exit, "pal_ECCheckKey failed "); 00063 00064 00065 exit: 00066 //Free curve handle 00067 (void)pal_ECGroupFree(&grp); 00068 //Free key handler 00069 (void)pal_ECKeyFree(&key_handle); 00070 00071 if (kcm_status == KCM_STATUS_SUCCESS) { 00072 SA_PV_ERR_RECOVERABLE_RETURN_IF((grp != NULLPTR || key_handle != NULLPTR), KCM_STATUS_ERROR, "Free handle failed "); 00073 } 00074 00075 return kcm_status; 00076 } 00077 //For now only EC SECP256R keys supported!!! 00078 kcm_status_e cs_get_pub_raw_key_from_der(const uint8_t *der_key, size_t der_key_length, uint8_t *raw_key_data_out, size_t raw_key_data_max_size, size_t *raw_key_data_act_size_out) 00079 { 00080 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00081 palStatus_t pal_status = PAL_SUCCESS; 00082 int mbdtls_result = 0; 00083 palECKeyHandle_t key_handle = NULLPTR; 00084 mbedtls_pk_context* localECKey; 00085 mbedtls_ecp_keypair *ecp_key_pair; 00086 00087 SA_PV_ERR_RECOVERABLE_RETURN_IF((der_key == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid der_key pointer"); 00088 SA_PV_ERR_RECOVERABLE_RETURN_IF((der_key_length != KCM_EC_SECP256R1_MAX_PUB_KEY_DER_SIZE), KCM_STATUS_INVALID_PARAMETER, "Invalid der_key_length"); 00089 SA_PV_ERR_RECOVERABLE_RETURN_IF((raw_key_data_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid raw_key_data_out"); 00090 SA_PV_ERR_RECOVERABLE_RETURN_IF((raw_key_data_act_size_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid raw_key_data_act_size_out pointer"); 00091 SA_PV_ERR_RECOVERABLE_RETURN_IF((raw_key_data_max_size < KCM_EC_SECP256R1_MAX_PUB_KEY_RAW_SIZE), KCM_STATUS_INVALID_PARAMETER, "Invalid raw_key_size_out value"); 00092 00093 //Create new key handler 00094 pal_status = pal_ECKeyNew(&key_handle); 00095 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "pal_ECKeyNew failed "); 00096 00097 pal_status = pal_parseECPublicKeyFromDER(der_key, der_key_length, key_handle); 00098 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_parseECPublicKeyFromDER failed "); 00099 00100 localECKey = (mbedtls_pk_context*)key_handle; 00101 ecp_key_pair = (mbedtls_ecp_keypair*)localECKey->pk_ctx; 00102 00103 //Get raw public key data 00104 mbdtls_result = mbedtls_ecp_point_write_binary(&ecp_key_pair->grp, &ecp_key_pair->Q, MBEDTLS_ECP_PF_UNCOMPRESSED, raw_key_data_act_size_out, raw_key_data_out, raw_key_data_max_size); 00105 SA_PV_ERR_RECOVERABLE_GOTO_IF((mbdtls_result != 0), kcm_status = KCM_CRYPTO_STATUS_INVALID_PK_PUBKEY, exit, "mbedtls_ecp_point_write_binary failed "); 00106 SA_PV_ERR_RECOVERABLE_GOTO_IF((raw_key_data_max_size != KCM_EC_SECP256R1_MAX_PUB_KEY_RAW_SIZE), kcm_status = KCM_CRYPTO_STATUS_INVALID_PK_PUBKEY, exit, "Wrong raw_key_data_max_size "); 00107 00108 exit: 00109 //Free key handler 00110 (void)pal_ECKeyFree(&key_handle); 00111 return kcm_status; 00112 } 00113 00114 00115 kcm_status_e cs_der_priv_key_verify(const uint8_t *key, size_t key_length) 00116 { 00117 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00118 00119 kcm_status = der_key_verify(key, key_length, PAL_CHECK_PRIVATE_KEY); 00120 SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), kcm_status, "Private key verification failed"); 00121 00122 return kcm_status; 00123 } 00124 00125 kcm_status_e cs_der_public_key_verify(const uint8_t *der_key, size_t der_key_length) 00126 { 00127 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00128 00129 kcm_status = der_key_verify(der_key, der_key_length, PAL_CHECK_PUBLIC_KEY); 00130 SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), kcm_status, "Public key verification failed"); 00131 00132 return kcm_status; 00133 } 00134 00135 kcm_status_e cs_ecdsa_sign(const uint8_t *der_priv_key, size_t der_priv_key_length, const uint8_t *hash_dgst, size_t size_of_hash_dgst, uint8_t *out_sign, size_t signature_data_max_size, size_t * signature_data_act_size_out) 00136 { 00137 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00138 palStatus_t pal_status = PAL_SUCCESS; 00139 palECKeyHandle_t key_handle = NULLPTR; 00140 palCurveHandle_t grp = NULLPTR; 00141 palGroupIndex_t pal_grp_idx; 00142 palMDType_t md_type = PAL_SHA256; 00143 00144 SA_PV_ERR_RECOVERABLE_RETURN_IF((der_priv_key == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid private key pointer"); 00145 SA_PV_ERR_RECOVERABLE_RETURN_IF((der_priv_key_length <= 0), KCM_STATUS_INVALID_PARAMETER, "Invalid private key length"); 00146 SA_PV_ERR_RECOVERABLE_RETURN_IF((hash_dgst == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid hash digest pointer"); 00147 SA_PV_ERR_RECOVERABLE_RETURN_IF((size_of_hash_dgst != CS_SHA256_SIZE), KCM_STATUS_INVALID_PARAMETER, "Invalid hash digest size"); 00148 SA_PV_ERR_RECOVERABLE_RETURN_IF((out_sign == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out signature pointer"); 00149 SA_PV_ERR_RECOVERABLE_RETURN_IF((signature_data_act_size_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid signature_data_act_size_out pointer"); 00150 SA_PV_ERR_RECOVERABLE_RETURN_IF((signature_data_max_size < KCM_ECDSA_SECP256R1_MAX_SIGNATURE_SIZE_IN_BYTES), KCM_STATUS_INVALID_PARAMETER, "Invalid size of signature buffer"); 00151 00152 00153 //Create new key handler 00154 pal_status = pal_ECKeyNew(&key_handle); 00155 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "pal_ECKeyNew failed "); 00156 00157 //Parse der private key 00158 pal_status = pal_parseECPrivateKeyFromDER(der_priv_key, der_priv_key_length, key_handle); 00159 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_parseECPrivateKeyFromDER failed "); 00160 00161 //retrieve key curve from key handle 00162 pal_status = pal_ECKeyGetCurve(key_handle, &pal_grp_idx); 00163 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_ECKeyGetCurve failed "); 00164 00165 //Load the key curve 00166 pal_status = pal_ECGroupInitAndLoad(&grp, pal_grp_idx); 00167 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_ECGroupInitAndLoad failed "); 00168 00169 *signature_data_act_size_out = signature_data_max_size; 00170 //Sign on hash digest 00171 pal_status = pal_ECDSASign(grp, md_type, key_handle, (unsigned char*)hash_dgst, (uint32_t)size_of_hash_dgst, out_sign, signature_data_act_size_out); 00172 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "pal_ECDSASign failed "); 00173 00174 exit: 00175 00176 //Free curve handler 00177 (void)pal_ECGroupFree(&grp); 00178 //Free key handler 00179 (void)pal_ECKeyFree(&key_handle); 00180 00181 if (kcm_status == KCM_STATUS_SUCCESS) { 00182 SA_PV_ERR_RECOVERABLE_RETURN_IF((grp != NULLPTR || key_handle != NULLPTR), KCM_STATUS_ERROR, "Free handle failed "); 00183 } 00184 return kcm_status; 00185 } 00186 00187 static kcm_status_e cs_key_pair_generate_int(palECKeyHandle_t key_handle, kcm_crypto_key_scheme_e curve_name, uint8_t *priv_key_out, size_t priv_key_max_size, 00188 size_t *priv_key_act_size_out, uint8_t *pub_key_out, size_t pub_key_max_size, size_t *pub_key_act_size_out) 00189 { 00190 palStatus_t pal_status = PAL_SUCCESS; 00191 palGroupIndex_t pal_group_id; 00192 00193 SA_PV_ERR_RECOVERABLE_RETURN_IF((priv_key_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out private key buffer"); 00194 SA_PV_ERR_RECOVERABLE_RETURN_IF((priv_key_max_size == 0), KCM_STATUS_INVALID_PARAMETER, "Invalid max private key size"); 00195 SA_PV_ERR_RECOVERABLE_RETURN_IF((priv_key_act_size_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out private key size"); 00196 if (pub_key_out != NULL) { 00197 SA_PV_ERR_RECOVERABLE_RETURN_IF((pub_key_max_size == 0), KCM_STATUS_INVALID_PARAMETER, "Invalid max public key size"); 00198 SA_PV_ERR_RECOVERABLE_RETURN_IF((pub_key_act_size_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out public key size"); 00199 } 00200 00201 // convert curve_name to pal_group_id 00202 switch (curve_name) { 00203 case KCM_SCHEME_EC_SECP256R1: 00204 pal_group_id = PAL_ECP_DP_SECP256R1; 00205 break; 00206 default: 00207 SA_PV_ERR_RECOVERABLE_RETURN_IF(true, KCM_CRYPTO_STATUS_UNSUPPORTED_CURVE, "unsupported curve name"); 00208 } 00209 00210 // Generate keys 00211 pal_status = pal_ECKeyGenerateKey(pal_group_id, key_handle); 00212 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "Failed to generate keys"); 00213 00214 // Save private key to out buffer 00215 pal_status = pal_writePrivateKeyToDer(key_handle, priv_key_out, priv_key_max_size, priv_key_act_size_out); 00216 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "Failed to write private key to out buffer"); 00217 00218 if (pub_key_out != NULL) { 00219 // Save public key to out buffer 00220 pal_status = pal_writePublicKeyToDer(key_handle, pub_key_out, pub_key_max_size, pub_key_act_size_out); 00221 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "Failed to write public key to out buffer"); 00222 } 00223 00224 return KCM_STATUS_SUCCESS; 00225 } 00226 00227 kcm_status_e cs_key_pair_generate(kcm_crypto_key_scheme_e curve_name, uint8_t *priv_key_out, size_t priv_key_max_size, size_t *priv_key_act_size_out, uint8_t *pub_key_out, 00228 size_t pub_key_max_size, size_t *pub_key_act_size_out) 00229 { 00230 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00231 palStatus_t pal_status = PAL_SUCCESS; 00232 palECKeyHandle_t key_handle = NULLPTR; 00233 00234 // Create new key handler 00235 pal_status = pal_ECKeyNew(&key_handle); 00236 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "pal_ECKeyNew failed"); 00237 00238 // Call to internal key_pair_generate 00239 kcm_status = cs_key_pair_generate_int(key_handle, curve_name, priv_key_out, priv_key_max_size, priv_key_act_size_out, 00240 pub_key_out, pub_key_max_size, pub_key_act_size_out); 00241 SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_status != KCM_STATUS_SUCCESS), kcm_status = kcm_status, exit, "Failed to generate keys"); 00242 00243 exit: 00244 //Free key handler 00245 if (key_handle != NULLPTR) { 00246 pal_ECKeyFree(&key_handle); 00247 SA_PV_ERR_RECOVERABLE_RETURN_IF((key_handle != NULLPTR && kcm_status == KCM_STATUS_SUCCESS), KCM_STATUS_ERROR, "Free key handle failed "); 00248 } 00249 return kcm_status; 00250 } 00251 00252 static kcm_status_e cs_csr_generate_int(palECKeyHandle_t key_handle, const kcm_csr_params_s *csr_params, 00253 uint8_t *csr_buff_out, size_t csr_buff_max_size, size_t *csr_buff_act_size_out) 00254 { 00255 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00256 palStatus_t pal_status = PAL_SUCCESS; 00257 palx509CSRHandle_t x509CSR_handle = NULLPTR; 00258 palMDType_t pal_md_type; 00259 uint32_t pal_key_usage = 0; 00260 uint32_t pal_ext_key_usage = 0; 00261 uint32_t eku_all_bits = KCM_CSR_EXT_KU_ANY | KCM_CSR_EXT_KU_SERVER_AUTH | KCM_CSR_EXT_KU_CLIENT_AUTH | 00262 KCM_CSR_EXT_KU_CODE_SIGNING | KCM_CSR_EXT_KU_EMAIL_PROTECTION | KCM_CSR_EXT_KU_TIME_STAMPING | KCM_CSR_EXT_KU_OCSP_SIGNING; 00263 00264 SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_params == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid csr_params pointer"); 00265 SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_params->subject == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid subject pointer in csr_params"); 00266 SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_buff_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out csr buffer"); 00267 SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_buff_max_size == 0), KCM_STATUS_INVALID_PARAMETER, "Invalid max csr buffer size"); 00268 SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_buff_act_size_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out csr buffer size"); 00269 SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_params->ext_key_usage & (~eku_all_bits)), KCM_STATUS_INVALID_PARAMETER, "Invalid extended key usage options"); 00270 00271 // Initialize x509 CSR handle 00272 pal_status = pal_x509CSRInit(&x509CSR_handle); 00273 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "Failed to initialize x509 CSR handle"); 00274 00275 // Set CSR Subject 00276 pal_status = pal_x509CSRSetSubject(x509CSR_handle, csr_params->subject); 00277 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to set CSR Subject"); 00278 00279 // Set MD algorithm to SHA256 for the signature 00280 switch (csr_params->md_type) { 00281 case KCM_MD_SHA256: 00282 pal_md_type = PAL_SHA256; 00283 break; 00284 default: 00285 SA_PV_ERR_RECOVERABLE_GOTO_IF(true, kcm_status = KCM_CRYPTO_STATUS_INVALID_MD_TYPE, exit, "MD type not supported"); 00286 } 00287 pal_status = pal_x509CSRSetMD(x509CSR_handle, pal_md_type); 00288 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to set MD algorithm"); 00289 00290 // Set keys into CSR 00291 pal_status = pal_x509CSRSetKey(x509CSR_handle, key_handle, NULLPTR); 00292 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to Set keys into CSR"); 00293 00294 // Set CSR key usage 00295 if (csr_params->key_usage != KCM_CSR_KU_NONE) { 00296 if (csr_params->key_usage & KCM_CSR_KU_DIGITAL_SIGNATURE) { 00297 pal_key_usage |= PAL_X509_KU_DIGITAL_SIGNATURE; 00298 } 00299 if (csr_params->key_usage & KCM_CSR_KU_NON_REPUDIATION) { 00300 pal_key_usage |= PAL_X509_KU_NON_REPUDIATION; 00301 } 00302 if (csr_params->key_usage & KCM_CSR_KU_KEY_CERT_SIGN) { 00303 pal_key_usage |= PAL_X509_KU_KEY_CERT_SIGN; 00304 } 00305 pal_status = pal_x509CSRSetKeyUsage(x509CSR_handle, pal_key_usage); 00306 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to set CSR key usage"); 00307 } 00308 00309 // Set CSR extended key usage 00310 if (csr_params->ext_key_usage != KCM_CSR_EXT_KU_NONE) { 00311 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_ANY) { 00312 pal_ext_key_usage |= PAL_X509_EXT_KU_ANY; 00313 } 00314 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_SERVER_AUTH) { 00315 pal_ext_key_usage |= PAL_X509_EXT_KU_SERVER_AUTH; 00316 } 00317 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_CLIENT_AUTH) { 00318 pal_ext_key_usage |= PAL_X509_EXT_KU_CLIENT_AUTH; 00319 } 00320 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_CODE_SIGNING) { 00321 pal_ext_key_usage |= PAL_X509_EXT_KU_CODE_SIGNING; 00322 } 00323 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_EMAIL_PROTECTION) { 00324 pal_ext_key_usage |= PAL_X509_EXT_KU_EMAIL_PROTECTION; 00325 } 00326 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_TIME_STAMPING) { 00327 pal_ext_key_usage |= PAL_X509_EXT_KU_TIME_STAMPING; 00328 } 00329 if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_OCSP_SIGNING) { 00330 pal_ext_key_usage |= PAL_X509_EXT_KU_OCSP_SIGNING; 00331 } 00332 pal_status = pal_x509CSRSetExtendedKeyUsage(x509CSR_handle, pal_ext_key_usage); 00333 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to set CSR extended key usage"); 00334 } 00335 00336 // Write the CSR to out buffer in DER format 00337 pal_status = pal_x509CSRWriteDER(x509CSR_handle, csr_buff_out, csr_buff_max_size, csr_buff_act_size_out); 00338 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to write the CSR to out buffer"); 00339 00340 exit: 00341 //Free CSR handler 00342 if (x509CSR_handle != NULLPTR) { 00343 pal_x509CSRFree(&x509CSR_handle); 00344 SA_PV_ERR_RECOVERABLE_RETURN_IF((x509CSR_handle != NULLPTR && kcm_status == KCM_STATUS_SUCCESS), KCM_STATUS_ERROR, "Free CSR handle failed "); 00345 } 00346 00347 return kcm_status; 00348 } 00349 00350 kcm_status_e cs_csr_generate(const uint8_t *priv_key, size_t priv_key_size, const kcm_csr_params_s *csr_params, uint8_t *csr_buff_out, 00351 size_t csr_buff_max_size, size_t *csr_buff_act_size_out) 00352 { 00353 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00354 palStatus_t pal_status = PAL_SUCCESS; 00355 palECKeyHandle_t key_handle = NULLPTR; 00356 00357 SA_PV_ERR_RECOVERABLE_RETURN_IF((priv_key == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid private key pointer"); 00358 SA_PV_ERR_RECOVERABLE_RETURN_IF((priv_key_size == 0), KCM_STATUS_INVALID_PARAMETER, "Invalid private key size"); 00359 00360 // Create new key handler 00361 pal_status = pal_ECKeyNew(&key_handle); 00362 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "pal_ECKeyNew failed"); 00363 00364 // Parse private key from DER format 00365 pal_status = pal_parseECPrivateKeyFromDER(priv_key, priv_key_size, key_handle); 00366 SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to parse private key from DER format"); 00367 00368 // Call to internal csr_generate 00369 kcm_status = cs_csr_generate_int(key_handle, csr_params, csr_buff_out, csr_buff_max_size, csr_buff_act_size_out); 00370 SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_status != KCM_STATUS_SUCCESS), kcm_status = kcm_status, exit, "Failed to generate csr"); 00371 00372 exit: 00373 //Free key handler 00374 if (key_handle != NULLPTR) { 00375 pal_ECKeyFree(&key_handle); 00376 SA_PV_ERR_RECOVERABLE_RETURN_IF((key_handle != NULLPTR && kcm_status == KCM_STATUS_SUCCESS), KCM_STATUS_ERROR, "Free key handle failed "); 00377 } 00378 return kcm_status; 00379 } 00380 kcm_status_e cs_generate_keys_and_csr(kcm_crypto_key_scheme_e curve_name, const kcm_csr_params_s *csr_params, uint8_t *priv_key_out, 00381 size_t priv_key_max_size, size_t *priv_key_act_size_out, uint8_t *pub_key_out, 00382 size_t pub_key_max_size, size_t *pub_key_act_size_out, uint8_t *csr_buff_out, 00383 const size_t csr_buff_max_size, size_t *csr_buff_act_size_out) 00384 { 00385 kcm_status_e kcm_status = KCM_STATUS_SUCCESS; 00386 palStatus_t pal_status = PAL_SUCCESS; 00387 palECKeyHandle_t key_handle = NULLPTR; 00388 00389 // Create new key handler 00390 pal_status = pal_ECKeyNew(&key_handle); 00391 SA_PV_ERR_RECOVERABLE_RETURN_IF((PAL_SUCCESS != pal_status), cs_error_handler(pal_status), "pal_ECKeyNew failed"); 00392 00393 // Call to internal key_pair_generate 00394 kcm_status = cs_key_pair_generate_int(key_handle, curve_name, priv_key_out, priv_key_max_size, priv_key_act_size_out, pub_key_out, pub_key_max_size, pub_key_act_size_out); 00395 SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_status != KCM_STATUS_SUCCESS), kcm_status = kcm_status, exit, "Failed to generate keys"); 00396 00397 // Call to internal csr_generate 00398 kcm_status = cs_csr_generate_int(key_handle, csr_params, csr_buff_out, csr_buff_max_size, csr_buff_act_size_out); 00399 SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_status != KCM_STATUS_SUCCESS), kcm_status = kcm_status, exit, "Failed to generate csr"); 00400 00401 exit: 00402 //Free key handler 00403 if (key_handle != NULLPTR) { 00404 pal_ECKeyFree(&key_handle); 00405 SA_PV_ERR_RECOVERABLE_RETURN_IF((key_handle != NULLPTR && kcm_status == KCM_STATUS_SUCCESS), KCM_STATUS_ERROR, "Free key handle failed "); 00406 } 00407 return kcm_status; 00408 }
Generated on Tue Jul 12 2022 19:12:12 by
1.7.2