703 lines
26 KiB
C
703 lines
26 KiB
C
/**
|
|
* PSA API key derivation demonstration
|
|
*
|
|
* This program calculates a key ladder: a chain of secret material, each
|
|
* derived from the previous one in a deterministic way based on a label.
|
|
* Two keys are identical if and only if they are derived from the same key
|
|
* using the same label.
|
|
*
|
|
* The initial key is called the master key. The master key is normally
|
|
* randomly generated, but it could itself be derived from another key.
|
|
*
|
|
* This program derives a series of keys called intermediate keys.
|
|
* The first intermediate key is derived from the master key using the
|
|
* first label passed on the command line. Each subsequent intermediate
|
|
* key is derived from the previous one using the next label passed
|
|
* on the command line.
|
|
*
|
|
* This program has four modes of operation:
|
|
*
|
|
* - "generate": generate a random master key.
|
|
* - "wrap": derive a wrapping key from the last intermediate key,
|
|
* and use that key to encrypt-and-authenticate some data.
|
|
* - "unwrap": derive a wrapping key from the last intermediate key,
|
|
* and use that key to decrypt-and-authenticate some
|
|
* ciphertext created by wrap mode.
|
|
* - "save": save the last intermediate key so that it can be reused as
|
|
* the master key in another run of the program.
|
|
*
|
|
* See the usage() output for the command line usage. See the file
|
|
* `key_ladder_demo.sh` for an example run.
|
|
*/
|
|
|
|
/*
|
|
* Copyright The Mbed TLS Contributors
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/* First include Mbed TLS headers to get the Mbed TLS configuration and
|
|
* platform definitions that we'll use in this program. Also include
|
|
* standard C headers for functions we'll use here. */
|
|
#include "mbedtls/build_info.h"
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include "mbedtls/platform.h" // for mbedtls_setbuf
|
|
#include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
|
|
|
|
#include <psa/crypto.h>
|
|
|
|
/* If the build options we need are not enabled, compile a placeholder. */
|
|
#if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
|
|
!defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \
|
|
!defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) || \
|
|
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
|
|
int main(void)
|
|
{
|
|
printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or "
|
|
"MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or "
|
|
"MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO "
|
|
"not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER "
|
|
"defined.\n");
|
|
return 0;
|
|
}
|
|
#else
|
|
|
|
/* The real program starts here. */
|
|
|
|
/* Run a system function and bail out if it fails. */
|
|
#define SYS_CHECK(expr) \
|
|
do \
|
|
{ \
|
|
if (!(expr)) \
|
|
{ \
|
|
perror( #expr); \
|
|
status = DEMO_ERROR; \
|
|
goto exit; \
|
|
} \
|
|
} \
|
|
while (0)
|
|
|
|
/* Run a PSA function and bail out if it fails. */
|
|
#define PSA_CHECK(expr) \
|
|
do \
|
|
{ \
|
|
status = (expr); \
|
|
if (status != PSA_SUCCESS) \
|
|
{ \
|
|
printf("Error %d at line %d: %s\n", \
|
|
(int) status, \
|
|
__LINE__, \
|
|
#expr); \
|
|
goto exit; \
|
|
} \
|
|
} \
|
|
while (0)
|
|
|
|
/* To report operational errors in this program, use an error code that is
|
|
* different from every PSA error code. */
|
|
#define DEMO_ERROR 120
|
|
|
|
/* The maximum supported key ladder depth. */
|
|
#define MAX_LADDER_DEPTH 10
|
|
|
|
/* Salt to use when deriving an intermediate key. */
|
|
#define DERIVE_KEY_SALT ((uint8_t *) "key_ladder_demo.derive")
|
|
#define DERIVE_KEY_SALT_LENGTH (strlen((const char *) DERIVE_KEY_SALT))
|
|
|
|
/* Salt to use when deriving a wrapping key. */
|
|
#define WRAPPING_KEY_SALT ((uint8_t *) "key_ladder_demo.wrap")
|
|
#define WRAPPING_KEY_SALT_LENGTH (strlen((const char *) WRAPPING_KEY_SALT))
|
|
|
|
/* Size of the key derivation keys (applies both to the master key and
|
|
* to intermediate keys). */
|
|
#define KEY_SIZE_BYTES 40
|
|
|
|
/* Algorithm for key derivation. */
|
|
#define KDF_ALG PSA_ALG_HKDF(PSA_ALG_SHA_256)
|
|
|
|
/* Type and size of the key used to wrap data. */
|
|
#define WRAPPING_KEY_TYPE PSA_KEY_TYPE_AES
|
|
#define WRAPPING_KEY_BITS 128
|
|
|
|
/* Cipher mode used to wrap data. */
|
|
#define WRAPPING_ALG PSA_ALG_CCM
|
|
|
|
/* Nonce size used to wrap data. */
|
|
#define WRAPPING_IV_SIZE 13
|
|
|
|
/* Header used in files containing wrapped data. We'll save this header
|
|
* directly without worrying about data representation issues such as
|
|
* integer sizes and endianness, because the data is meant to be read
|
|
* back by the same program on the same machine. */
|
|
#define WRAPPED_DATA_MAGIC "key_ladder_demo" // including trailing null byte
|
|
#define WRAPPED_DATA_MAGIC_LENGTH (sizeof(WRAPPED_DATA_MAGIC))
|
|
typedef struct {
|
|
char magic[WRAPPED_DATA_MAGIC_LENGTH];
|
|
size_t ad_size; /* Size of the additional data, which is this header. */
|
|
size_t payload_size; /* Size of the encrypted data. */
|
|
/* Store the IV inside the additional data. It's convenient. */
|
|
uint8_t iv[WRAPPING_IV_SIZE];
|
|
} wrapped_data_header_t;
|
|
|
|
/* The modes that this program can operate in (see usage). */
|
|
enum program_mode {
|
|
MODE_GENERATE,
|
|
MODE_SAVE,
|
|
MODE_UNWRAP,
|
|
MODE_WRAP
|
|
};
|
|
|
|
/* Save a key to a file. In the real world, you may want to export a derived
|
|
* key sometimes, to share it with another party. */
|
|
static psa_status_t save_key(psa_key_id_t key,
|
|
const char *output_file_name)
|
|
{
|
|
psa_status_t status = PSA_SUCCESS;
|
|
uint8_t key_data[KEY_SIZE_BYTES];
|
|
size_t key_size;
|
|
FILE *key_file = NULL;
|
|
|
|
PSA_CHECK(psa_export_key(key,
|
|
key_data, sizeof(key_data),
|
|
&key_size));
|
|
SYS_CHECK((key_file = fopen(output_file_name, "wb")) != NULL);
|
|
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
|
|
mbedtls_setbuf(key_file, NULL);
|
|
SYS_CHECK(fwrite(key_data, 1, key_size, key_file) == key_size);
|
|
SYS_CHECK(fclose(key_file) == 0);
|
|
key_file = NULL;
|
|
|
|
exit:
|
|
if (key_file != NULL) {
|
|
fclose(key_file);
|
|
}
|
|
return status;
|
|
}
|
|
|
|
/* Generate a master key for use in this demo.
|
|
*
|
|
* Normally a master key would be non-exportable. For the purpose of this
|
|
* demo, we want to save it to a file, to avoid relying on the keystore
|
|
* capability of the PSA crypto library. */
|
|
static psa_status_t generate(const char *key_file_name)
|
|
{
|
|
psa_status_t status = PSA_SUCCESS;
|
|
psa_key_id_t key = 0;
|
|
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
|
|
|
psa_set_key_usage_flags(&attributes,
|
|
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
|
|
psa_set_key_algorithm(&attributes, KDF_ALG);
|
|
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
|
|
psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(KEY_SIZE_BYTES));
|
|
|
|
PSA_CHECK(psa_generate_key(&attributes, &key));
|
|
|
|
PSA_CHECK(save_key(key, key_file_name));
|
|
|
|
exit:
|
|
(void) psa_destroy_key(key);
|
|
return status;
|
|
}
|
|
|
|
/* Load the master key from a file.
|
|
*
|
|
* In the real world, this master key would be stored in an internal memory
|
|
* and the storage would be managed by the keystore capability of the PSA
|
|
* crypto library. */
|
|
static psa_status_t import_key_from_file(psa_key_usage_t usage,
|
|
psa_algorithm_t alg,
|
|
const char *key_file_name,
|
|
psa_key_id_t *master_key)
|
|
{
|
|
psa_status_t status = PSA_SUCCESS;
|
|
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
|
uint8_t key_data[KEY_SIZE_BYTES];
|
|
size_t key_size;
|
|
FILE *key_file = NULL;
|
|
unsigned char extra_byte;
|
|
|
|
SYS_CHECK((key_file = fopen(key_file_name, "rb")) != NULL);
|
|
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
|
|
mbedtls_setbuf(key_file, NULL);
|
|
SYS_CHECK((key_size = fread(key_data, 1, sizeof(key_data),
|
|
key_file)) != 0);
|
|
if (fread(&extra_byte, 1, 1, key_file) != 0) {
|
|
printf("Key file too large (max: %u).\n",
|
|
(unsigned) sizeof(key_data));
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
SYS_CHECK(fclose(key_file) == 0);
|
|
key_file = NULL;
|
|
|
|
psa_set_key_usage_flags(&attributes, usage);
|
|
psa_set_key_algorithm(&attributes, alg);
|
|
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
|
|
PSA_CHECK(psa_import_key(&attributes, key_data, key_size, master_key));
|
|
exit:
|
|
if (key_file != NULL) {
|
|
fclose(key_file);
|
|
}
|
|
mbedtls_platform_zeroize(key_data, sizeof(key_data));
|
|
if (status != PSA_SUCCESS) {
|
|
/* If the key creation hasn't happened yet or has failed,
|
|
* *master_key is null. psa_destroy_key( 0 ) is
|
|
* guaranteed to do nothing and return PSA_SUCCESS. */
|
|
(void) psa_destroy_key(*master_key);
|
|
*master_key = 0;
|
|
}
|
|
return status;
|
|
}
|
|
|
|
/* Derive the intermediate keys, using the list of labels provided on
|
|
* the command line. On input, *key is the master key identifier.
|
|
* This function destroys the master key. On successful output, *key
|
|
* is the identifier of the final derived key.
|
|
*/
|
|
static psa_status_t derive_key_ladder(const char *ladder[],
|
|
size_t ladder_depth,
|
|
psa_key_id_t *key)
|
|
{
|
|
psa_status_t status = PSA_SUCCESS;
|
|
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
|
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
|
|
size_t i;
|
|
|
|
psa_set_key_usage_flags(&attributes,
|
|
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
|
|
psa_set_key_algorithm(&attributes, KDF_ALG);
|
|
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
|
|
psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(KEY_SIZE_BYTES));
|
|
|
|
/* For each label in turn, ... */
|
|
for (i = 0; i < ladder_depth; i++) {
|
|
/* Start deriving material from the master key (if i=0) or from
|
|
* the current intermediate key (if i>0). */
|
|
PSA_CHECK(psa_key_derivation_setup(&operation, KDF_ALG));
|
|
PSA_CHECK(psa_key_derivation_input_bytes(
|
|
&operation, PSA_KEY_DERIVATION_INPUT_SALT,
|
|
DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH));
|
|
PSA_CHECK(psa_key_derivation_input_key(
|
|
&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
|
|
*key));
|
|
PSA_CHECK(psa_key_derivation_input_bytes(
|
|
&operation, PSA_KEY_DERIVATION_INPUT_INFO,
|
|
(uint8_t *) ladder[i], strlen(ladder[i])));
|
|
/* When the parent key is not the master key, destroy it,
|
|
* since it is no longer needed. */
|
|
PSA_CHECK(psa_destroy_key(*key));
|
|
*key = 0;
|
|
/* Derive the next intermediate key from the parent key. */
|
|
PSA_CHECK(psa_key_derivation_output_key(&attributes, &operation,
|
|
key));
|
|
PSA_CHECK(psa_key_derivation_abort(&operation));
|
|
}
|
|
|
|
exit:
|
|
psa_key_derivation_abort(&operation);
|
|
if (status != PSA_SUCCESS) {
|
|
psa_destroy_key(*key);
|
|
*key = 0;
|
|
}
|
|
return status;
|
|
}
|
|
|
|
/* Derive a wrapping key from the last intermediate key. */
|
|
static psa_status_t derive_wrapping_key(psa_key_usage_t usage,
|
|
psa_key_id_t derived_key,
|
|
psa_key_id_t *wrapping_key)
|
|
{
|
|
psa_status_t status = PSA_SUCCESS;
|
|
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
|
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
|
|
|
|
*wrapping_key = 0;
|
|
|
|
/* Set up a key derivation operation from the key derived from
|
|
* the master key. */
|
|
PSA_CHECK(psa_key_derivation_setup(&operation, KDF_ALG));
|
|
PSA_CHECK(psa_key_derivation_input_bytes(
|
|
&operation, PSA_KEY_DERIVATION_INPUT_SALT,
|
|
WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH));
|
|
PSA_CHECK(psa_key_derivation_input_key(
|
|
&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
|
|
derived_key));
|
|
PSA_CHECK(psa_key_derivation_input_bytes(
|
|
&operation, PSA_KEY_DERIVATION_INPUT_INFO,
|
|
NULL, 0));
|
|
|
|
/* Create the wrapping key. */
|
|
psa_set_key_usage_flags(&attributes, usage);
|
|
psa_set_key_algorithm(&attributes, WRAPPING_ALG);
|
|
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
|
|
psa_set_key_bits(&attributes, WRAPPING_KEY_BITS);
|
|
PSA_CHECK(psa_key_derivation_output_key(&attributes, &operation,
|
|
wrapping_key));
|
|
|
|
exit:
|
|
psa_key_derivation_abort(&operation);
|
|
return status;
|
|
}
|
|
|
|
static psa_status_t wrap_data(const char *input_file_name,
|
|
const char *output_file_name,
|
|
psa_key_id_t wrapping_key)
|
|
{
|
|
psa_status_t status;
|
|
FILE *input_file = NULL;
|
|
FILE *output_file = NULL;
|
|
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
|
psa_key_type_t key_type;
|
|
long input_position;
|
|
size_t input_size;
|
|
size_t buffer_size = 0;
|
|
unsigned char *buffer = NULL;
|
|
size_t ciphertext_size;
|
|
wrapped_data_header_t header;
|
|
|
|
/* Find the size of the data to wrap. */
|
|
SYS_CHECK((input_file = fopen(input_file_name, "rb")) != NULL);
|
|
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
|
|
mbedtls_setbuf(input_file, NULL);
|
|
SYS_CHECK(fseek(input_file, 0, SEEK_END) == 0);
|
|
SYS_CHECK((input_position = ftell(input_file)) != -1);
|
|
#if LONG_MAX > SIZE_MAX
|
|
if (input_position > SIZE_MAX) {
|
|
printf("Input file too large.\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
#endif
|
|
input_size = input_position;
|
|
PSA_CHECK(psa_get_key_attributes(wrapping_key, &attributes));
|
|
key_type = psa_get_key_type(&attributes);
|
|
buffer_size =
|
|
PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, WRAPPING_ALG, input_size);
|
|
/* Check for integer overflow. */
|
|
if (buffer_size < input_size) {
|
|
printf("Input file too large.\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
|
|
/* Load the data to wrap. */
|
|
SYS_CHECK(fseek(input_file, 0, SEEK_SET) == 0);
|
|
SYS_CHECK((buffer = calloc(1, buffer_size)) != NULL);
|
|
SYS_CHECK(fread(buffer, 1, input_size, input_file) == input_size);
|
|
SYS_CHECK(fclose(input_file) == 0);
|
|
input_file = NULL;
|
|
|
|
/* Construct a header. */
|
|
memcpy(&header.magic, WRAPPED_DATA_MAGIC, WRAPPED_DATA_MAGIC_LENGTH);
|
|
header.ad_size = sizeof(header);
|
|
header.payload_size = input_size;
|
|
|
|
/* Wrap the data. */
|
|
PSA_CHECK(psa_generate_random(header.iv, WRAPPING_IV_SIZE));
|
|
PSA_CHECK(psa_aead_encrypt(wrapping_key, WRAPPING_ALG,
|
|
header.iv, WRAPPING_IV_SIZE,
|
|
(uint8_t *) &header, sizeof(header),
|
|
buffer, input_size,
|
|
buffer, buffer_size,
|
|
&ciphertext_size));
|
|
|
|
/* Write the output. */
|
|
SYS_CHECK((output_file = fopen(output_file_name, "wb")) != NULL);
|
|
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
|
|
mbedtls_setbuf(output_file, NULL);
|
|
SYS_CHECK(fwrite(&header, 1, sizeof(header),
|
|
output_file) == sizeof(header));
|
|
SYS_CHECK(fwrite(buffer, 1, ciphertext_size,
|
|
output_file) == ciphertext_size);
|
|
SYS_CHECK(fclose(output_file) == 0);
|
|
output_file = NULL;
|
|
|
|
exit:
|
|
if (input_file != NULL) {
|
|
fclose(input_file);
|
|
}
|
|
if (output_file != NULL) {
|
|
fclose(output_file);
|
|
}
|
|
if (buffer != NULL) {
|
|
mbedtls_platform_zeroize(buffer, buffer_size);
|
|
}
|
|
free(buffer);
|
|
return status;
|
|
}
|
|
|
|
static psa_status_t unwrap_data(const char *input_file_name,
|
|
const char *output_file_name,
|
|
psa_key_id_t wrapping_key)
|
|
{
|
|
psa_status_t status;
|
|
FILE *input_file = NULL;
|
|
FILE *output_file = NULL;
|
|
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
|
psa_key_type_t key_type;
|
|
unsigned char *buffer = NULL;
|
|
size_t ciphertext_size = 0;
|
|
size_t plaintext_size;
|
|
wrapped_data_header_t header;
|
|
unsigned char extra_byte;
|
|
|
|
/* Load and validate the header. */
|
|
SYS_CHECK((input_file = fopen(input_file_name, "rb")) != NULL);
|
|
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
|
|
mbedtls_setbuf(input_file, NULL);
|
|
SYS_CHECK(fread(&header, 1, sizeof(header),
|
|
input_file) == sizeof(header));
|
|
if (memcmp(&header.magic, WRAPPED_DATA_MAGIC,
|
|
WRAPPED_DATA_MAGIC_LENGTH) != 0) {
|
|
printf("The input does not start with a valid magic header.\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
if (header.ad_size != sizeof(header)) {
|
|
printf("The header size is not correct.\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
PSA_CHECK(psa_get_key_attributes(wrapping_key, &attributes));
|
|
key_type = psa_get_key_type(&attributes);
|
|
ciphertext_size =
|
|
PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, WRAPPING_ALG, header.payload_size);
|
|
/* Check for integer overflow. */
|
|
if (ciphertext_size < header.payload_size) {
|
|
printf("Input file too large.\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
|
|
/* Load the payload data. */
|
|
SYS_CHECK((buffer = calloc(1, ciphertext_size)) != NULL);
|
|
SYS_CHECK(fread(buffer, 1, ciphertext_size,
|
|
input_file) == ciphertext_size);
|
|
if (fread(&extra_byte, 1, 1, input_file) != 0) {
|
|
printf("Extra garbage after ciphertext\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
SYS_CHECK(fclose(input_file) == 0);
|
|
input_file = NULL;
|
|
|
|
/* Unwrap the data. */
|
|
PSA_CHECK(psa_aead_decrypt(wrapping_key, WRAPPING_ALG,
|
|
header.iv, WRAPPING_IV_SIZE,
|
|
(uint8_t *) &header, sizeof(header),
|
|
buffer, ciphertext_size,
|
|
buffer, ciphertext_size,
|
|
&plaintext_size));
|
|
if (plaintext_size != header.payload_size) {
|
|
printf("Incorrect payload size in the header.\n");
|
|
status = DEMO_ERROR;
|
|
goto exit;
|
|
}
|
|
|
|
/* Write the output. */
|
|
SYS_CHECK((output_file = fopen(output_file_name, "wb")) != NULL);
|
|
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
|
|
mbedtls_setbuf(output_file, NULL);
|
|
SYS_CHECK(fwrite(buffer, 1, plaintext_size,
|
|
output_file) == plaintext_size);
|
|
SYS_CHECK(fclose(output_file) == 0);
|
|
output_file = NULL;
|
|
|
|
exit:
|
|
if (input_file != NULL) {
|
|
fclose(input_file);
|
|
}
|
|
if (output_file != NULL) {
|
|
fclose(output_file);
|
|
}
|
|
if (buffer != NULL) {
|
|
mbedtls_platform_zeroize(buffer, ciphertext_size);
|
|
}
|
|
free(buffer);
|
|
return status;
|
|
}
|
|
|
|
static psa_status_t run(enum program_mode mode,
|
|
const char *key_file_name,
|
|
const char *ladder[], size_t ladder_depth,
|
|
const char *input_file_name,
|
|
const char *output_file_name)
|
|
{
|
|
psa_status_t status = PSA_SUCCESS;
|
|
psa_key_id_t derivation_key = 0;
|
|
psa_key_id_t wrapping_key = 0;
|
|
|
|
/* Initialize the PSA crypto library. */
|
|
PSA_CHECK(psa_crypto_init());
|
|
|
|
/* Generate mode is unlike the others. Generate the master key and exit. */
|
|
if (mode == MODE_GENERATE) {
|
|
return generate(key_file_name);
|
|
}
|
|
|
|
/* Read the master key. */
|
|
PSA_CHECK(import_key_from_file(PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT,
|
|
KDF_ALG,
|
|
key_file_name,
|
|
&derivation_key));
|
|
|
|
/* Calculate the derived key for this session. */
|
|
PSA_CHECK(derive_key_ladder(ladder, ladder_depth,
|
|
&derivation_key));
|
|
|
|
switch (mode) {
|
|
case MODE_SAVE:
|
|
PSA_CHECK(save_key(derivation_key, output_file_name));
|
|
break;
|
|
case MODE_UNWRAP:
|
|
PSA_CHECK(derive_wrapping_key(PSA_KEY_USAGE_DECRYPT,
|
|
derivation_key,
|
|
&wrapping_key));
|
|
PSA_CHECK(unwrap_data(input_file_name, output_file_name,
|
|
wrapping_key));
|
|
break;
|
|
case MODE_WRAP:
|
|
PSA_CHECK(derive_wrapping_key(PSA_KEY_USAGE_ENCRYPT,
|
|
derivation_key,
|
|
&wrapping_key));
|
|
PSA_CHECK(wrap_data(input_file_name, output_file_name,
|
|
wrapping_key));
|
|
break;
|
|
default:
|
|
/* Unreachable but some compilers don't realize it. */
|
|
break;
|
|
}
|
|
|
|
exit:
|
|
/* Destroy any remaining key. Deinitializing the crypto library would do
|
|
* this anyway since they are volatile keys, but explicitly destroying
|
|
* keys makes the code easier to reuse. */
|
|
(void) psa_destroy_key(derivation_key);
|
|
(void) psa_destroy_key(wrapping_key);
|
|
/* Deinitialize the PSA crypto library. */
|
|
mbedtls_psa_crypto_free();
|
|
return status;
|
|
}
|
|
|
|
static void usage(void)
|
|
{
|
|
printf("Usage: key_ladder_demo MODE [OPTION=VALUE]...\n");
|
|
printf("Demonstrate the usage of a key derivation ladder.\n");
|
|
printf("\n");
|
|
printf("Modes:\n");
|
|
printf(" generate Generate the master key\n");
|
|
printf(" save Save the derived key\n");
|
|
printf(" unwrap Unwrap (decrypt) input with the derived key\n");
|
|
printf(" wrap Wrap (encrypt) input with the derived key\n");
|
|
printf("\n");
|
|
printf("Options:\n");
|
|
printf(" input=FILENAME Input file (required for wrap/unwrap)\n");
|
|
printf(" master=FILENAME File containing the master key (default: master.key)\n");
|
|
printf(" output=FILENAME Output file (required for save/wrap/unwrap)\n");
|
|
printf(" label=TEXT Label for the key derivation.\n");
|
|
printf(" This may be repeated multiple times.\n");
|
|
printf(" To get the same key, you must use the same master key\n");
|
|
printf(" and the same sequence of labels.\n");
|
|
}
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
const char *key_file_name = "master.key";
|
|
const char *input_file_name = NULL;
|
|
const char *output_file_name = NULL;
|
|
const char *ladder[MAX_LADDER_DEPTH];
|
|
size_t ladder_depth = 0;
|
|
int i;
|
|
enum program_mode mode;
|
|
psa_status_t status;
|
|
|
|
if (argc <= 1 ||
|
|
strcmp(argv[1], "help") == 0 ||
|
|
strcmp(argv[1], "-help") == 0 ||
|
|
strcmp(argv[1], "--help") == 0) {
|
|
usage();
|
|
return EXIT_SUCCESS;
|
|
}
|
|
|
|
for (i = 2; i < argc; i++) {
|
|
char *q = strchr(argv[i], '=');
|
|
if (q == NULL) {
|
|
printf("Missing argument to option %s\n", argv[i]);
|
|
goto usage_failure;
|
|
}
|
|
*q = 0;
|
|
++q;
|
|
if (strcmp(argv[i], "input") == 0) {
|
|
input_file_name = q;
|
|
} else if (strcmp(argv[i], "label") == 0) {
|
|
if (ladder_depth == MAX_LADDER_DEPTH) {
|
|
printf("Maximum ladder depth %u exceeded.\n",
|
|
(unsigned) MAX_LADDER_DEPTH);
|
|
return EXIT_FAILURE;
|
|
}
|
|
ladder[ladder_depth] = q;
|
|
++ladder_depth;
|
|
} else if (strcmp(argv[i], "master") == 0) {
|
|
key_file_name = q;
|
|
} else if (strcmp(argv[i], "output") == 0) {
|
|
output_file_name = q;
|
|
} else {
|
|
printf("Unknown option: %s\n", argv[i]);
|
|
goto usage_failure;
|
|
}
|
|
}
|
|
|
|
if (strcmp(argv[1], "generate") == 0) {
|
|
mode = MODE_GENERATE;
|
|
} else if (strcmp(argv[1], "save") == 0) {
|
|
mode = MODE_SAVE;
|
|
} else if (strcmp(argv[1], "unwrap") == 0) {
|
|
mode = MODE_UNWRAP;
|
|
} else if (strcmp(argv[1], "wrap") == 0) {
|
|
mode = MODE_WRAP;
|
|
} else {
|
|
printf("Unknown action: %s\n", argv[1]);
|
|
goto usage_failure;
|
|
}
|
|
|
|
if (input_file_name == NULL &&
|
|
(mode == MODE_WRAP || mode == MODE_UNWRAP)) {
|
|
printf("Required argument missing: input\n");
|
|
return DEMO_ERROR;
|
|
}
|
|
if (output_file_name == NULL &&
|
|
(mode == MODE_SAVE || mode == MODE_WRAP || mode == MODE_UNWRAP)) {
|
|
printf("Required argument missing: output\n");
|
|
return DEMO_ERROR;
|
|
}
|
|
|
|
status = run(mode, key_file_name,
|
|
ladder, ladder_depth,
|
|
input_file_name, output_file_name);
|
|
return status == PSA_SUCCESS ?
|
|
EXIT_SUCCESS :
|
|
EXIT_FAILURE;
|
|
|
|
usage_failure:
|
|
usage();
|
|
return EXIT_FAILURE;
|
|
}
|
|
#endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C &&
|
|
MBEDTLS_AES_C && MBEDTLS_CCM_C &&
|
|
MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */
|