wire-sysio/wrap_8c_source.html

/*

 * Copyright 2015-2018 Yubico AB

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */


#ifdef NDEBUG

#undef NDEBUG

#endif

#include <assert.h>

#include <stdio.h>

#include <stdint.h>

#include <stdlib.h>

#include <string.h>


#include <yubihsm.h>


#ifndef DEFAULT_CONNECTOR_URL

#define DEFAULT_CONNECTOR_URL "http://127.0.0.1:12345"

#endif


const char *key_label = "label";

const uint8_t password[] = "password";


int main(void) {

  yh_connector *connector = NULL;

  yh_session *session = NULL;

  yh_rc yrc = YHR_GENERIC_ERROR;


  uint16_t authkey = 1;


  const char *connector_url;


  connector_url = getenv("DEFAULT_CONNECTOR_URL");

  if (connector_url == NULL) {

    connector_url = DEFAULT_CONNECTOR_URL;

  }


  yrc = yh_init();

  assert(yrc == YHR_SUCCESS);


  yrc = yh_init_connector(connector_url, &connector);

  assert(yrc == YHR_SUCCESS);


  yrc = yh_connect(connector, 0);

  assert(yrc == YHR_SUCCESS);


  yrc = yh_create_session_derived(connector, authkey, password,

                                  sizeof(password), false, &session);

  assert(yrc == YHR_SUCCESS);


  yrc = yh_authenticate_session(session);

  assert(yrc == YHR_SUCCESS);


  uint8_t session_id;

  yrc = yh_get_session_id(session, &session_id);

  assert(yrc == YHR_SUCCESS);


  printf("Successfully established session %02d\n", session_id);


  yh_capabilities capabilities = {{0}};

  yrc =

    yh_string_to_capabilities("export-wrapped:import-wrapped", &capabilities);

  assert(yrc == YHR_SUCCESS);


  yh_capabilities delegated_capabilities = {{0}};

  yrc = yh_string_to_capabilities("sign-ecdsa:exportable-under-wrap",

                                  &delegated_capabilities); // delegated

                                                            // capabilities has

                                                            // to match the

                                                            // capabilities of

                                                            // the object we

                                                            // want to export

  assert(yrc == YHR_SUCCESS);


  uint16_t domain_five = 0;

  yrc = yh_string_to_domains("5", &domain_five);

  assert(yrc == YHR_SUCCESS);


  uint16_t wrapping_key_id = 0; // ID 0 lets the device generate an ID

  yrc =

    yh_util_generate_wrap_key(session, &wrapping_key_id, key_label, domain_five,

                              &capabilities, YH_ALGO_AES256_CCM_WRAP,

                              &delegated_capabilities);

  assert(yrc == YHR_SUCCESS);


  printf("Generated wrapping key with ID %04x\n", wrapping_key_id);


  memset(capabilities.capabilities, 0, YH_CAPABILITIES_LEN);

  yrc = yh_string_to_capabilities("sign-ecdsa:exportable-under-wrap",

                                  &capabilities);

  assert(yrc == YHR_SUCCESS);


  uint16_t key_id_before = 0; // ID 0 lets the device generate an ID

  yrc = yh_util_generate_ec_key(session, &key_id_before, key_label, domain_five,

                                &capabilities, YH_ALGO_EC_P256);

  assert(yrc == YHR_SUCCESS);


  printf("Generated ec key with ID %04x\n", key_id_before);


  uint8_t public_key_before[512];

  size_t public_key_before_len = sizeof(public_key_before);

  yrc = yh_util_get_public_key(session, key_id_before, public_key_before,

                               &public_key_before_len, NULL);

  assert(yrc == YHR_SUCCESS);


  printf("Public key before (%zu bytes) is:", public_key_before_len);

  for (unsigned int i = 0; i < public_key_before_len; i++) {

    printf(" %02x", public_key_before[i]);

  }

  printf("\n");


  uint8_t wrapped_object[512];

  size_t wrapped_object_len = sizeof(wrapped_object);

  yh_object_type object_type_after;

  yrc =

    yh_util_export_wrapped(session, wrapping_key_id, YH_ASYMMETRIC_KEY,

                           key_id_before, wrapped_object, &wrapped_object_len);

  assert(yrc == YHR_SUCCESS);


  printf("Wrapped object (%zu bytes) is:", wrapped_object_len);

  for (unsigned int i = 0; i < wrapped_object_len; i++) {

    printf(" %02x", wrapped_object[i]);

  }

  printf("\n");


  yrc = yh_util_delete_object(session, key_id_before, YH_ASYMMETRIC_KEY);

  assert(yrc == YHR_SUCCESS);


  printf("Successfully deleted ec key with ID %04x\n", key_id_before);


  uint8_t public_key_after[512];

  size_t public_key_after_len = sizeof(public_key_after);

  yrc = yh_util_get_public_key(session, key_id_before, public_key_after,

                               &public_key_after_len, NULL);

  assert(yrc == YHR_DEVICE_OBJECT_NOT_FOUND);


  printf("Unable to get public key for ec key with ID %04x\n", key_id_before);


  uint16_t key_id_after;

  yrc = yh_util_import_wrapped(session, wrapping_key_id, wrapped_object,

                               wrapped_object_len, &object_type_after,

                               &key_id_after);

  assert(yrc == YHR_SUCCESS);


  printf("Successfully imported wrapped object with ID %04x\n", key_id_after);


  if (object_type_after != YH_ASYMMETRIC_KEY) {

    printf("Unexpected odbject type\n");

    exit(EXIT_FAILURE);

  }


  if (key_id_before != key_id_after) {

    printf("ID %04x and %04x do not match\n", key_id_before, key_id_after);

    exit(EXIT_FAILURE);

  } else {

    printf("ID %04x and %04x match\n", key_id_before, key_id_after);

  }


  yrc = yh_util_get_public_key(session, key_id_after, public_key_after,

                               &public_key_after_len, NULL);

  assert(yrc == YHR_SUCCESS);


  printf("Public key after (%zu bytes) is:", public_key_after_len);

  for (unsigned int i = 0; i < public_key_after_len; i++) {

    printf(" %02x", public_key_after[i]);

  }

  printf("\n");


  if (public_key_before_len != public_key_after_len ||

      memcmp(public_key_before, public_key_after, public_key_before_len) != 0) {

    printf("Public key before and after do not match\n");

    exit(EXIT_FAILURE);

  } else {

    printf("Public key before and after match\n");

  }


  yh_object_descriptor object;


  yrc =

    yh_util_get_object_info(session, key_id_after, YH_ASYMMETRIC_KEY, &object);

  assert(yrc == YHR_SUCCESS);


  yrc = yh_util_close_session(session);

  assert(yrc == YHR_SUCCESS);


  yrc = yh_destroy_session(&session);

  assert(yrc == YHR_SUCCESS);


  yh_disconnect(connector);

  assert(yrc == YHR_SUCCESS);


  yrc = yh_exit();

  assert(yrc == YHR_SUCCESS);


  return 0;

}


session
CK_SESSION_HANDLE session
Definition ecdh_derive_test.c:45

stdint.h

uint16_t
unsigned short uint16_t
Definition stdint.h:125

uint8_t
unsigned char uint8_t
Definition stdint.h:124

yh_capabilities
Capabilities representation.
Definition yubihsm.h:162

yh_capabilities::capabilities
uint8_t capabilities[YH_CAPABILITIES_LEN]
Capabilities is represented as an 8 byte uint8_t array.
Definition yubihsm.h:164

yh_connector
Definition internal.h:37

yh_object_descriptor
Definition yubihsm.h:540

yh_session
Definition internal.h:25

DEFAULT_CONNECTOR_URL
#define DEFAULT_CONNECTOR_URL
Definition wrap.c:29

main
int main(void)
Definition wrap.c:35

key_label
const char * key_label
Definition wrap.c:32

yh_destroy_session
yh_rc yh_destroy_session(yh_session **session)
Definition yubihsm.c:890

yh_util_generate_wrap_key
yh_rc yh_util_generate_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities)
Definition yubihsm.c:2458

yh_util_generate_ec_key
yh_rc yh_util_generate_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1913

yh_exit
yh_rc yh_exit(void)
Definition yubihsm.c:3910

yh_create_session_derived
yh_rc yh_create_session_derived(yh_connector *connector, uint16_t authkey_id, const uint8_t *password, size_t password_len, bool recreate, yh_session **session)
Definition yubihsm.c:593

yh_init
yh_rc yh_init(void)
Definition yubihsm.c:3857

yh_util_close_session
yh_rc yh_util_close_session(yh_session *session)
Definition yubihsm.c:1257

yh_authenticate_session
yh_rc yh_authenticate_session(yh_session *session)
Definition yubihsm.c:2927

yh_util_get_object_info
yh_rc yh_util_get_object_info(yh_session *session, uint16_t id, yh_object_type type, yh_object_descriptor *object)
Definition yubihsm.c:1128

yh_string_to_domains
yh_rc yh_string_to_domains(const char *domains, uint16_t *result)
Definition yubihsm.c:4535

yh_init_connector
yh_rc yh_init_connector(const char *url, yh_connector **connector)
Definition yubihsm.c:4024

yh_connect
yh_rc yh_connect(yh_connector *connector, int timeout)
Definition yubihsm.c:4079

yh_util_export_wrapped
yh_rc yh_util_export_wrapped(yh_session *session, uint16_t wrapping_key_id, yh_object_type target_type, uint16_t target_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2265

yh_util_get_public_key
yh_rc yh_util_get_public_key(yh_session *session, uint16_t id, uint8_t *data, size_t *data_len, yh_algorithm *algorithm)
Definition yubihsm.c:1216

yh_string_to_capabilities
yh_rc yh_string_to_capabilities(const char *capability, yh_capabilities *result)
Definition yubihsm.c:4115

yh_disconnect
yh_rc yh_disconnect(yh_connector *connector)
Definition yubihsm.c:4097

yh_util_import_wrapped
yh_rc yh_util_import_wrapped(yh_session *session, uint16_t wrapping_key_id, const uint8_t *in, size_t in_len, yh_object_type *target_type, uint16_t *target_id)
Definition yubihsm.c:2309

yh_util_delete_object
yh_rc yh_util_delete_object(yh_session *session, uint16_t id, yh_object_type type)
Definition yubihsm.c:2222

yh_get_session_id
yh_rc yh_get_session_id(yh_session *session, uint8_t *sid)
Definition yubihsm.c:2915

yubihsm.h

yh_object_type
yh_object_type
Definition yubihsm.h:359

YH_ASYMMETRIC_KEY
@ YH_ASYMMETRIC_KEY
Asymmetric Key is the private key of an asymmetric key-pair.
Definition yubihsm.h:366

YH_ALGO_AES256_CCM_WRAP
@ YH_ALGO_AES256_CCM_WRAP
aes256-ccm-wrap
Definition yubihsm.h:474

YH_ALGO_EC_P256
@ YH_ALGO_EC_P256
ecp256
Definition yubihsm.h:414

YH_CAPABILITIES_LEN
#define YH_CAPABILITIES_LEN
Length of capabilities array.
Definition yubihsm.h:119

yh_rc
yh_rc
Definition yubihsm.h:170

YHR_GENERIC_ERROR
@ YHR_GENERIC_ERROR
Return value when encountering an unknown error.
Definition yubihsm.h:228

YHR_SUCCESS
@ YHR_SUCCESS
Returned value when function was successful.
Definition yubihsm.h:172

YHR_DEVICE_OBJECT_NOT_FOUND
@ YHR_DEVICE_OBJECT_NOT_FOUND
Return value when the object not found on the device.
Definition yubihsm.h:218

capabilities
yh_capabilities capabilities
Definition yubihsm_pkcs11.c:1305

object
yh_object_descriptor object
Definition yubihsm_pkcs11.c:1544

yrc
yh_rc yrc
Definition yubihsm_pkcs11.c:606

memset
memset(pInfo->slotDescription, ' ', 64)

delegated_capabilities
yh_capabilities delegated_capabilities
Definition yubihsm_pkcs11.c:1306