Impl put_authkey_ex

Yubico · Nov 2, 2021 · 26b9a7a · 26b9a7a
1 parent 0e06b78
commit 26b9a7a
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 72 deletions.
diff --git a/aes_cmac/aes.c b/aes_cmac/aes.c
@@ -392,31 +392,6 @@ int aes_generate_key(const char *name, uint8_t *key, uint32_t key_len) {
 #endif
 }
 
-int aes_destroy_key(const char *name) {
-#ifdef _WIN32_BCRYPT
-  NCRYPT_PROV_HANDLE prov = 0;
-  NCRYPT_KEY_HANDLE hkey = 0;
-  SECURITY_STATUS st = ncrypt_open_key(name, &prov, &hkey);
-  if (st) {
-    return -1;
-  }
-  if (prov) {
-    NCryptFreeObject(prov);
-  }
-  if (hkey) {
-    st = NCryptDeleteKey(hkey, 0);
-    if (st) {
-      mserror("NCryptDeleteKey", st);
-      return -2;
-    }
-  }
-  return 0;
-#else
-  UNUSED(name);
-  return -1;
-#endif
-}
-
 int aes_encrypt(const uint8_t *in, uint8_t *out, uint32_t len,
                 aes_context *ctx) {
 #ifdef _WIN32_BCRYPT

diff --git a/aes_cmac/aes.h b/aes_cmac/aes.h
@@ -60,7 +60,6 @@ typedef struct {
 
 int YH_INTERNAL aes_generate_key(const char *name, uint8_t *key,
                                  uint32_t key_len);
-int YH_INTERNAL aes_destroy_key(const char *name);
 
 int YH_INTERNAL aes_load_key(const char *key, aes_context *ctx);
 int YH_INTERNAL aes_set_key(const uint8_t *key, uint32_t key_len,

diff --git a/common/ecdh.c b/common/ecdh.c
@@ -541,6 +541,7 @@ int ecdh_destroy_key_ex(const char *privkey) {
   if (hkey) {
     st = NCryptDeleteKey(hkey, 0);
     if (st) {
+      mserror("NCryptDeleteKey", st);
       return -2;
     }
   }

diff --git a/lib/yubihsm.c b/lib/yubihsm.c
@@ -1322,41 +1322,26 @@ yh_rc yh_util_list_client_asym_auth_keys(FILE *out) {
   return YHR_SUCCESS;
 }
 
-yh_rc yh_util_provision_auth_key(yh_session *session, const char *key,
-                                 uint16_t authkey_id) {
+yh_rc yh_util_generate_auth_key(const char *key_name, uint8_t *key,
+                                size_t len) {
   int rc = 0;
-  uint8_t buf[16];
 
-  (void) session;
-  (void) authkey_id;
-
-  if ((rc = aes_generate_key(key, buf, sizeof(buf)))) {
+  if ((rc = aes_generate_key(key_name, key, len)) <= 0) {
+    DBG_ERR("%s: Failed to generate AES key: %s %d",
+            yh_strerror(YHR_GENERIC_ERROR), key_name, rc);
     return YHR_GENERIC_ERROR;
   }
 
   return YHR_SUCCESS;
 }
 
-yh_rc yh_util_provision_asym_auth_key(yh_session *session, const char *key,
-                                      uint16_t authkey_id) {
-  int rc = 0;
-  uint8_t buf[65];
-
-  (void) session;
-  (void) authkey_id;
-
-  if ((rc =
-         ecdh_generate_keypair_ex(ecdh_curve_p256(), key, buf, sizeof(buf)))) {
-  }
-
-  return YHR_GENERIC_ERROR;
-}
-
 yh_rc yh_util_destroy_auth_key(const char *key) {
 
   int rc = 0;
 
-  if ((rc = aes_destroy_key(key))) {
+  if ((rc = ecdh_destroy_key_ex(key)) <= 0) {
+    DBG_ERR("%s: Failed to destroy key: %s %d", yh_strerror(YHR_GENERIC_ERROR),
+            key, rc);
     return YHR_GENERIC_ERROR;
   }
 

diff --git a/lib/yubihsm.h b/lib/yubihsm.h
@@ -943,11 +943,7 @@ yh_rc yh_util_list_client_auth_keys(FILE *out);
 
 yh_rc yh_util_list_client_asym_auth_keys(FILE *out);
 
-yh_rc yh_util_provision_auth_key(yh_session *session, const char *key,
-                                 uint16_t authkey_id);
-
-yh_rc yh_util_provision_asym_auth_key(yh_session *session, const char *key,
-                                      uint16_t authkey_id);
+yh_rc yh_util_generate_auth_key(const char *key_name, uint8_t *key, size_t len);
 
 yh_rc yh_util_destroy_auth_key(const char *key);
 

diff --git a/src/commands.c b/src/commands.c
@@ -1544,18 +1544,6 @@ int yh_com_list_client_auth_keys(yubihsm_context *ctx, Argument *argv,
   return 0;
 }
 
-int yh_com_provision_auth_key(yubihsm_context *ctx, Argument *argv,
-                              cmd_format in_fmt, cmd_format fmt) {
-
-  UNUSED(ctx);
-  UNUSED(argv);
-  UNUSED(in_fmt);
-  UNUSED(fmt);
-
-  yh_util_provision_auth_key(argv[0].e, argv[2].s, argv[1].w);
-  return 0;
-}
-
 #ifdef USE_ASYMMETRIC_AUTH
 // NOTE: Open a session with a connector using an Asymmetric
 // Authentication Key argc = 2 arg 0: w:authkey arg 1: i:password
@@ -2056,6 +2044,60 @@ int yh_com_put_authentication(yubihsm_context *ctx, Argument *argv,
   return 0;
 }
 
+// NOTE: Store an asymmetric authentication key
+// argc = 7
+// arg 0: e:session
+// arg 1: w:key_id
+// arg 2: s:label
+// arg 3: w:domains
+// arg 4: c:capabilities
+// arg 5: c:delegated_capabilities
+// arg 6: s:key_enc_name
+// arg 7: s:key_mac_name
+int yh_com_put_authentication_ex(yubihsm_context *ctx, Argument *argv,
+                                 cmd_format in_fmt, cmd_format fmt) {
+
+  UNUSED(ctx);
+  UNUSED(argv);
+  UNUSED(in_fmt);
+  UNUSED(fmt);
+
+  uint8_t key_enc[16];
+  yh_rc yrc = yh_util_generate_auth_key(argv[6].s, key_enc, sizeof(key_enc));
+
+  if (yrc != YHR_SUCCESS) {
+    fprintf(stderr, "Failed to generate encryption key: %s\n",
+            yh_strerror(yrc));
+    return -1;
+  }
+
+  uint8_t key_mac[16];
+  yrc = yh_util_generate_auth_key(argv[7].s, key_mac, sizeof(key_mac));
+
+  if (yrc != YHR_SUCCESS) {
+    insecure_memzero(key_enc, sizeof(key_enc));
+    fprintf(stderr, "Failed to generate mac key: %s\n", yh_strerror(yrc));
+    return -1;
+  }
+
+  yrc = yh_util_import_authentication_key(argv[0].e, &argv[1].w, argv[2].s,
+                                          argv[3].w, &argv[4].c, &argv[5].c,
+                                          key_enc, sizeof(key_enc), key_mac,
+                                          sizeof(key_mac));
+
+  insecure_memzero(key_enc, sizeof(key_enc));
+  insecure_memzero(key_mac, sizeof(key_mac));
+
+  if (yrc != YHR_SUCCESS) {
+    fprintf(stderr, "Failed to store asymmetric authkey: %s\n",
+            yh_strerror(yrc));
+    return -1;
+  }
+
+  fprintf(stderr, "Stored Persistents Authentication key 0x%04x\n", argv[1].w);
+  return 0;
+}
+
 #ifdef USE_ASYMMETRIC_AUTH
 // NOTE: Store an asymmetric authentication key
 // argc = 7

diff --git a/src/commands.h b/src/commands.h
@@ -129,8 +129,6 @@ int yh_com_list_client_auth_providers(yubihsm_context *ctx, Argument *argv,
                                       cmd_format in_fmt, cmd_format fmt);
 int yh_com_list_client_auth_keys(yubihsm_context *ctx, Argument *argv,
                                  cmd_format in_fmt, cmd_format fmt);
-int yh_com_provision_auth_key(yubihsm_context *ctx, Argument *argv,
-                              cmd_format in_fmt, cmd_format fmt);
 #ifdef USE_ASYMMETRIC_AUTH
 int yh_com_open_session_asym(yubihsm_context *ctx, Argument *argv,
                              cmd_format in_fmt, cmd_format fmt);
@@ -149,6 +147,8 @@ int yh_com_put_asymmetric(yubihsm_context *ctx, Argument *argv,
                           cmd_format in_fmt, cmd_format fmt);
 int yh_com_put_authentication(yubihsm_context *ctx, Argument *argv,
                               cmd_format in_fmt, cmd_format fmt);
+int yh_com_put_authentication_ex(yubihsm_context *ctx, Argument *argv,
+                                 cmd_format in_fmt, cmd_format fmt);
 #ifdef USE_ASYMMETRIC_AUTH
 int yh_com_put_authentication_asym(yubihsm_context *ctx, Argument *argv,
                                    cmd_format in_fmt, cmd_format fmt);

diff --git a/src/main.c b/src/main.c
@@ -346,10 +346,6 @@ static void create_command_list(CommandList *c) {
                                     "capabilities,a:algorithm,u:nonce_id",
                                     fmt_nofmt, fmt_nofmt,
                                     "Generate OTP AEAD key", NULL, NULL});
-  register_subcommand(*c, (Command){"authkey_ex", yh_com_provision_auth_key,
-                                    "e:session,w:key_id,s:label", fmt_nofmt,
-                                    fmt_nofmt, "Generate persistend auth key",
-                                    NULL, NULL});
   *c = register_command(*c, (Command){"get", yh_com_noop, NULL, fmt_nofmt,
                                       fmt_nofmt, "Retrieve data", NULL, NULL});
   register_subcommand(*c, (Command){"opaque", yh_com_get_opaque,
@@ -461,6 +457,14 @@ static void create_command_list(CommandList *c) {
                                     "password=-",
                                     fmt_password, fmt_nofmt,
                                     "Store an authentication key", NULL, NULL});
+  register_subcommand(*c, (Command){"authkey_ex", yh_com_put_authentication_ex,
+                                    "e:session,w:key_id,s:label,d:domains,c:"
+                                    "capabilities,c:delegated_capabilities,"
+                                    "s:key_enc_name,s:key_mac_name",
+                                    fmt_nofmt, fmt_nofmt,
+                                    "Provision a random persistent "
+                                    "authentication key",
+                                    NULL, NULL});
 #ifdef USE_ASYMMETRIC_AUTH
   register_subcommand(*c,
                       (Command){"authkey_asym", yh_com_put_authentication_asym,