wolfSSL · billphipps · Oct 14, 2024 · Aug 30, 2024 · Oct 14, 2024 · Oct 14, 2024
diff --git a/README.md b/README.md
@@ -34,6 +34,13 @@ Set the `WOLFHSM_DIR` and `WOLFSSL_DIR` variables to point to your local install
 ### Executables
 In the root directory for wolfHSM-examples run `./posix/tcp/wh_server_tcp/Build/wh_server_tcp.elf` to launch the server. In a separate shell, run `./posix/tcp/wh_client_tcp/Build/wh_client_tcp.elf` to launch the client.
 
+### Loading a key on the server
+The example server supports loading a key at a specific keyId, passed as arguments on the command line. To load a key at a keyId in the server example, invoke the server with the `--key` and `--id` arguments.
+
+```
+./wh_server_tcp.elf --key /path/to/key.der --id <keyId>
+```
+
 ### Results
 After all steps are you complete you should see the following outputs.
 

diff --git a/posix/tcp/wh_server_tcp/Makefile b/posix/tcp/wh_server_tcp/Makefile
@@ -17,7 +17,7 @@ INC = -I$(WOLFHSM_DIR) \
       -I$(WOLFSSL_DIR) \
 
 # Defines
-DEF = -DWOLFSSL_USER_SETTINGS -D_GNUC_
+DEF = -DWOLFSSL_USER_SETTINGS -D_GNUC_ -DWOLFHSM_CFG
 
 # Architecture
 ARCHFLAGS ?= 

diff --git a/posix/tcp/wh_server_tcp/user_settings.h b/posix/tcp/wh_server_tcp/user_settings.h
@@ -45,7 +45,7 @@
 #define HAVE_RSA
 #define WC_RSA_PSS
 #define WOLFSSL_PSS_LONG_SALT
-#define FP_MAX_BITS 4096
+#define FP_MAX_BITS 8192
 
 /* ECC Options */
 #define HAVE_ECC

diff --git a/posix/tcp/wh_server_tcp/wh_server_tcp.c b/posix/tcp/wh_server_tcp/wh_server_tcp.c
@@ -4,128 +4,260 @@
 
 #include <stdint.h>
 #include <stdio.h>  /* For printf */
-#include <string.h> /* For memset, memcpy */
+#include <stdlib.h> /* For atoi */
+#include <string.h> /* For memset, memcpy, strcmp */
 #include <unistd.h> /* For sleep */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
 
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_comm.h"
+#include "wolfhsm/wh_common.h"
 #include "wolfhsm/wh_message.h"
 #include "wolfhsm/wh_server.h"
+#include "wolfhsm/wh_server_keystore.h"
 #include "wolfhsm/wh_nvm.h"
 #include "wolfhsm/wh_nvm_flash.h"
 #include "wolfhsm/wh_flash_ramsim.h"
 #include "port/posix/posix_transport_tcp.h"
 
 /** Local declarations */
-static int wh_ServerTask(void* cf);
+static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
+                         int clientId);
 
 enum {
-	ONE_MS = 1000,
+    ONE_MS         = 1000,
     FLASH_RAM_SIZE = 1024 * 1024,
 };
 
 #define WH_SERVER_TCP_IPSTRING "127.0.0.1"
 #define WH_SERVER_TCP_PORT 23456
-#define WH_SERVER_ID 56
+#define WH_SERVER_ID 57
 
-static int wh_ServerTask(void* cf)
+static int loadAndStoreKeys(whServerContext* server, whKeyId* outKeyId,
-static int loadAndStoreKeys(whServerContext* server, whKeyId* outKeyId,
+static int _LoadAndStoreKeys(whServerContext* server, whKeyId* outKeyId,
-static int loadAndStoreKeys(whServerContext* server, whKeyId* outKeyId,
+static int _LoadAndStoreKeys(whServerContext* server, whKeyId* outKeyId,
+                            const char* keyFilePath, int keyId, int clientId)
+{
+    int           ret;
+    int           keyFd;
+    int           keySz;
+    char          keyLabel[] = "baby's first key";
+    uint8_t       keyBuf[4096];
+    whNvmMetadata meta = {0};
+
+    /* open the key file */
+    ret = keyFd = open(keyFilePath, O_RDONLY, 0);
+    if (ret < 0) {
+        printf("Failed to open %s %d\n", keyFilePath, ret);
+        return ret;
+    }
+
+    /* read the key to local buffer */
+    ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf));
+    if (ret < 0) {
+        printf("Failed to read %s %d\n", keyFilePath, ret);
+        close(keyFd);
+        return ret;
+    }
+    ret = 0;
+    close(keyFd);
+
+    printf("Loading key from %s (size=%d) with keyId=0x%02X and clientId=0x%01X\n",
+           keyFilePath, keySz, keyId, clientId);
+
+    /* cache the key in the HSM, get HSM assigned keyId */
+    /* set the metadata fields */
+    meta.id    = WH_MAKE_KEYID(WH_KEYTYPE_CRYPTO, clientId, keyId);
+    meta.flags = 0;
+    meta.len   = keySz;
+    memcpy(meta.label, keyLabel, strlen(keyLabel));
+
+    /* Get HSM assigned keyId if not set */
+    if (keyId == WH_KEYID_ERASED) {
+        ret = hsmGetUniqueId(server, &meta.id);
+        printf("got unique ID = 0x%02X\n", meta.id & WH_KEYID_MASK);
+    }
+    printf(
+        "key NVM ID = 0x%04X\n\ttype=0x%01X\n\tuser=0x%01X\n\tkeyId=0x%02X\n",
+        meta.id, WH_KEYID_TYPE(meta.id), WH_KEYID_USER(meta.id),
+        WH_KEYID_ID(meta.id));
+
+    if (ret == 0) {
+        ret = hsmCacheKey(server, &meta, keyBuf);
+        if (ret != 0) {
+            printf("Failed to hsmCacheKey, ret=%d\n", ret);
+            return ret;
+        }
+    }
+    else {
+        printf("Failed to hsmGetUniqueId, ret=%d\n", ret);
+        return ret;
+    }
+
+    *outKeyId = meta.id;
+    return ret;
+}
+
+
+static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
+                         int clientId)
 {
     whServerContext server[1];
-    whServerConfig* config = (whServerConfig*)cf;
-    int ret = 0;
-    int connectionMessage = 0;
-    whCommConnected am_connected = WH_COMM_CONNECTED;
+    whServerConfig* config            = (whServerConfig*)cf;
+    int             ret               = 0;
+    whCommConnected last_state        = WH_COMM_DISCONNECTED;
+    whKeyId         loadedKeyId;
 
     if (config == NULL) {
         return -1;
     }
 
     ret = wh_Server_Init(server, config);
-    printf("Waiting for connection...\n");
 
-    if (ret == 0) {
-        wh_Server_SetConnected(server, am_connected);
+    /* Load keys into cache if file path is provided */
+    if (keyFilePath != NULL) {
+        ret = loadAndStoreKeys(server, &loadedKeyId, keyFilePath, keyId,
+                               clientId);
+        if (ret != 0) {
+            printf("server failed to load key, ret=%d\n", ret);
+            (void)wh_Server_Cleanup(server);
+            return ret;
+        }
+    }
 
-        while (am_connected == WH_COMM_CONNECTED) {
+
+    if (ret == 0) {
+        printf("Waiting for connection...\n");
+        while (1) {
             ret = wh_Server_HandleRequestMessage(server);
             if (ret == WH_ERROR_NOTREADY) {
                 usleep(ONE_MS);
-            } else if (ret == WH_ERROR_OK) {
-                if (!connectionMessage) {
-                    printf("Successful connection!\n");
-                    connectionMessage = 1;
-                }
-            } else {
+            }
+            else if (ret != WH_ERROR_OK) {
                 printf("Failed to wh_Server_HandleRequestMessage: %d\n", ret);
                 break;
             }
-            wh_Server_GetConnected(server, &am_connected);
-        }
-        if (ret != 0) {
-            (void)wh_Server_Cleanup(server);
-        } else {
-            ret = wh_Server_Cleanup(server);
+            else {
+                whCommConnected current_state;
+                int             get_conn_result =
+                    wh_Server_GetConnected(server, &current_state);
+                if (get_conn_result == WH_ERROR_OK) {
+                    if (current_state == WH_COMM_CONNECTED &&
+                        last_state == WH_COMM_DISCONNECTED) {
+                        printf("Server connected\n");
+                        last_state = WH_COMM_CONNECTED;
+                    }
+                    else if (current_state == WH_COMM_DISCONNECTED &&
+                             last_state == WH_COMM_CONNECTED) {
+                        printf("Server disconnected\n");
+                        last_state = WH_COMM_DISCONNECTED;
+
+                        /* POSIX TCP transport requires server to be
+                         * re-initialized in order to reconnect */
+
+                        (void)wh_Server_Cleanup(server);
+
+                        /* Reinitialize the server */
+                        ret = wh_Server_Init(server, config);
+                        if (ret != 0) {
+                            printf("Failed to reinitialize server: %d\n", ret);
+                            break;
+                        }
+
+                        /* Reload keys into cache if file path was provided */
+                        if (keyFilePath != NULL) {
+                            ret =
+                                loadAndStoreKeys(server, &loadedKeyId,
+                                                 keyFilePath, keyId, clientId);
+                            if (ret != 0) {
+                                printf("server failed to load key, ret=%d\n",
+                                       ret);
+                                break;
+                            }
+                        }
+                    }
+                }
+                else {
+                    printf("Failed to get connection state: %d\n",
+                           get_conn_result);
+                }
+            }
         }
-        printf("Server disconnected\n");
     }
     return ret;
 }
 
 int main(int argc, char** argv)
 {
-    (void)argc; (void)argv;
-    int rc = 0;
+    int         rc          = 0;
+    const char* keyFilePath = NULL;
+    int         keyId = WH_KEYID_ERASED; /* Default key ID if none provided */
+    int         clientId = 12; /* Default client ID if none provided */
+
+    /* Parse command-line arguments */
+    for (int i = 1; i < argc; i++) {
+        if (strcmp(argv[i], "--key") == 0 && i + 1 < argc) {
+            keyFilePath = argv[++i];
+        }
+        else if (strcmp(argv[i], "--id") == 0 && i + 1 < argc) {
+            keyId = atoi(argv[++i]);
+        }
+        else if (strcmp(argv[i], "--client") == 0 && i + 1 < argc) {
+            clientId = atoi(argv[++i]);
+        }
+    }
 
     /* Server configuration/context */
-    whTransportServerCb ptttcb[1] = {PTT_SERVER_CB};
-    posixTransportTcpServerContext tsc[1] = {};
-    posixTransportTcpConfig mytcpconfig[1] = {{
-            .server_ip_string = WH_SERVER_TCP_IPSTRING,
-            .server_port = WH_SERVER_TCP_PORT,
+    whTransportServerCb            ptttcb[1]      = {PTT_SERVER_CB};
+    posixTransportTcpServerContext tsc[1]         = {};
+    posixTransportTcpConfig        mytcpconfig[1] = {{
+               .server_ip_string = WH_SERVER_TCP_IPSTRING,
+               .server_port      = WH_SERVER_TCP_PORT,
     }};
-    whCommServerConfig cs_conf[1] = {{
-            .transport_cb = ptttcb,
-            .transport_context = (void*)tsc,
-            .transport_config = (void*)mytcpconfig,
-            .server_id = WH_SERVER_ID,
+    whCommServerConfig             cs_conf[1]     = {{
+                        .transport_cb      = ptttcb,
+                        .transport_context = (void*)tsc,
+                        .transport_config  = (void*)mytcpconfig,
+                        .server_id         = WH_SERVER_ID,
     }};
 
     /* RamSim Flash state and configuration */
-    whFlashRamsimCtx fc[1] = {0};
+    whFlashRamsimCtx fc[1]      = {0};
     whFlashRamsimCfg fc_conf[1] = {{
         .size       = FLASH_RAM_SIZE,
-        .sectorSize = FLASH_RAM_SIZE/2,
+        .sectorSize = FLASH_RAM_SIZE / 2,
         .pageSize   = 8,
         .erasedByte = (uint8_t)0,
     }};
-    const whFlashCb  fcb[1]          = {WH_FLASH_RAMSIM_CB};
+    const whFlashCb  fcb[1]     = {WH_FLASH_RAMSIM_CB};
 
     /* NVM Flash Configuration using RamSim HAL Flash */
-    whNvmFlashConfig nf_conf[1] = {{
-        .cb      = fcb,
-        .context = fc,
-        .config  = fc_conf,
+    whNvmFlashConfig  nf_conf[1] = {{
+         .cb      = fcb,
+         .context = fc,
+         .config  = fc_conf,
     }};
-    whNvmFlashContext nfc[1] = {0};
-    whNvmCb nfcb[1] = {WH_NVM_FLASH_CB};
+    whNvmFlashContext nfc[1]     = {0};
+    whNvmCb           nfcb[1]    = {WH_NVM_FLASH_CB};
 
-    whNvmConfig n_conf[1] = {{
-            .cb = nfcb,
-            .context = nfc,
-            .config = nf_conf,
+    whNvmConfig  n_conf[1] = {{
+         .cb      = nfcb,
+         .context = nfc,
+         .config  = nf_conf,
     }};
-    whNvmContext nvm[1] = {{0}};
+    whNvmContext nvm[1]    = {{0}};
 
     /* Crypto context */
     whServerCryptoContext crypto[1] = {{
-            .devId = INVALID_DEVID,
+        .devId = INVALID_DEVID,
     }};
 
     whServerConfig s_conf[1] = {{
-            .comm_config = cs_conf,
-            .nvm = nvm,
-            .crypto = crypto,
-            .devId = INVALID_DEVID,
+        .comm_config = cs_conf,
+        .nvm         = nvm,
+        .crypto      = crypto,
+        .devId       = INVALID_DEVID,
     }};
 
     rc = wh_Nvm_Init(nvm, n_conf);
@@ -144,7 +276,7 @@ int main(int argc, char** argv)
         return rc;
     }
 
-    rc = wh_ServerTask(s_conf);
+    rc = wh_ServerTask(s_conf, keyFilePath, keyId, clientId);
 
     return rc;
 }
diff --git a/posix/tcp/wh_server_tcp/wolfhsm_cfg.h b/posix/tcp/wh_server_tcp/wolfhsm_cfg.h
@@ -25,7 +25,6 @@
 #ifndef WOLFHSM_CFG_H_
 #define WOLFHSM_CFG_H_
 
-
 /** wolfHSM settings.  Simple overrides to show they work */
 /* #define WOLFHSM_CFG_NO_CRYPTO */
 #define WOLFHSM_CFG_SHE_EXTENSION
@@ -35,7 +34,11 @@
 #define WOLFHSM_CFG_NVM_OBJECT_COUNT 32
 #define WOLFHSM_CFG_SERVER_KEYCACHE_COUNT 10
 #define WOLFHSM_CFG_SERVER_KEYCACHE_SIZE 1024
+#define WOLFHSM_CFG_SERVER_KEYCACHE_BIG_BUFSIZE 4096
+
 #define WOLFHSM_CFG_SERVER_DMAADDR_COUNT 8
 #define WOLFHSM_CFG_SERVER_CUSTOMCB_COUNT 8
 
+#define XMEMFENCE() __atomic_thread_fence(__ATOMIC_SEQ_CST)
+
 #endif /* WOLFHSM_CFG_H_ */