Move PKCS #11 labels from aws_pkcs11.h to aws_pkcs11_config.h

aws · Jan 21, 2019 · 63f6e9d · 63f6e9d
1 parent 748e689
commit 63f6e9d
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 15 deletions.
diff --git a/demos/pc/windows/common/config_files/aws_pkcs11_config.h b/demos/pc/windows/common/config_files/aws_pkcs11_config.h
@@ -35,4 +35,60 @@
 /* A non-standard version of C_INITIALIZE should be used by this port. */
 /* #define pkcs11configC_INITIALIZE_ALT */
 
+/**
+ * PKCS #11 default user PIN.
+ *
+ * The PKCS #11 standard specifies the presence of a user PIN. That feature is
+ * sensible for applications that have an interactive user interface and memory
+ * protections. However, since typical microcontroller applications lack one or
+ * both of those, the user PIN is assumed to be used herein for interoperability
+ * purposes only, and not as a security feature.
+ */
+#define configPKCS11_DEFAULT_USER_PIN    "0000"
+
+/**
+ * @brief The PKCS #11 label for device private key.
+ *
+ * Private key for connection to AWS IoT endpoint.  The corresponding
+ * public key should be registered with the AWS IoT endpoint.
+ */
+#define pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS    "Device Priv TLS Key"
+
+/**
+ * @brief The PKCS #11 label for device public key.
+ *
+ * The public key corresponding to pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS.
+ */
+#define pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS     "Device Pub TLS Key"
+
+/**
+ * @brief The PKCS #11 label for the device certificate.
+ *
+ * Device certificate corresponding to pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS.
+ */
+#define pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS    "Device Cert"
+
+/**
+ * @brief The PKCS #11 label for the object to be used for code verification.
+ *
+ * Used by over-the-air update code to verify an incoming signed image.
+ */
+#define pkcs11configLABEL_CODE_VERIFICATION_KEY         "Code Verify Key"
+
+/**
+ * @brief The PKCS #11 label for Just-In-Time-Provisioning.
+ *
+ * The certificate corresponding to the issuer of the device certificate
+ * (pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS) when using the JITR or
+ * JITP flow.
+ */
+#define pkcs11configLABEL_JITP_CERTIFICATE              "JITP Cert"
+
+/**
+ * @brief The PKCS #11 label for the AWS Trusted Root Certificate.
+ *
+ * @see aws_default_root_certificates.h
+ */
+#define pkcs11configLABEL_ROOT_CERTIFICATE              "Root Cert"
+
 #endif /* _AWS_PKCS11_CONFIG_H_ include guard. */
diff --git a/lib/include/aws_pkcs11.h b/lib/include/aws_pkcs11.h
@@ -131,16 +131,10 @@ typedef struct PKCS11_GenerateKeyPrivateTemplate
     CK_ATTRIBUTE xLabel;
 } PKCS11_GenerateKeyPrivateTemplate_t, * PKCS11_GenerateKeyPrivateTemplatePtr_t;
 
-#define pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS    "Device Priv TLS Key"
-#define pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS     "Device Pub TLS Key"
-#define pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS    "Device Cert"
-#define pkcs11configLABEL_CODE_VERIFICATION_KEY         "Code Verify Key"
-#define pkcs11configLABEL_JITP_CERTIFICATE              "JITP Cert"
-#define pkcs11configLABEL_ROOT_CERTIFICATE              "Root Cert"
 
-#define pkcs11INVALID_OBJECT_HANDLE                     0
+#define pkcs11INVALID_OBJECT_HANDLE    0
 
-#define pkcs11DER_ENCODED_OID_P256                      { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 } /*"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07" */
+#define pkcs11DER_ENCODED_OID_P256     { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }
 
 /* \brief Initializes the PKCS #11 module and opens a session.
  *

diff --git a/tests/common/ota/aws_test_ota_pal.c b/tests/common/ota/aws_test_ota_pal.c
@@ -37,7 +37,7 @@
 #include "aws_ota_pal_test_access_declare.h"
 #include "aws_ota_pal.h"
 #include "aws_ota_agent.h"
-#include "aws_pkcs11.h"
+#include "aws_pkcs11_config.h"
 #include "aws_ota_codesigner_certificate.h"
 #include "aws_test_ota_config.h"
 #include "aws_dev_mode_key_provisioning.h"

diff --git a/tests/common/pkcs11/aws_test_pkcs11.c b/tests/common/pkcs11/aws_test_pkcs11.c
@@ -1261,7 +1261,7 @@ TEST( Full_PKCS11_RSA, AFQP_GenerateKeyPair )
 
     xResult = xDestroyCredentials( xGlobalSession );
     xCurrentCredentials = eNone;
-    TEST_ASSERT_EQUAL( CKR_OK, xResult, "Failed to destroy credentials before RSA generate key pair test." );
+    TEST_ASSERT_EQUAL_MESSAGE( CKR_OK, xResult, "Failed to destroy credentials before RSA generate key pair test." );
 
     xResult = xProvisionGenerateKeyPairRSA( xGlobalSession,
                                             pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS,

diff --git a/tests/pc/windows/common/config_files/aws_pkcs11_config.h b/tests/pc/windows/common/config_files/aws_pkcs11_config.h
@@ -40,10 +40,55 @@
  *
  * The PKCS #11 standard specifies the presence of a user PIN. That feature is
  * sensible for applications that have an interactive user interface and memory
- * protections. However, since typical microcontroller applications lack one or 
- * both of those, the user PIN is assumed to be used herein for interoperability 
- * purposes only, and not as a security feature. 
+ * protections. However, since typical microcontroller applications lack one or
+ * both of those, the user PIN is assumed to be used herein for interoperability
+ * purposes only, and not as a security feature.
  */
-#define configPKCS11_DEFAULT_USER_PIN "0000"
+#define configPKCS11_DEFAULT_USER_PIN    "0000"
 
-#endif /* _AWS_PKCS11_CONFIG_H_ include guard. */
+/**
+ * @brief The PKCS #11 label for device private key.
+ *
+ * Private key for connection to AWS IoT endpoint.  The corresponding
+ * public key should be registered with the AWS IoT endpoint.
+ */
+#define pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS    "Device Priv TLS Key"
+
+/**
+ * @brief The PKCS #11 label for device public key.
+ *
+ * The public key corresponding to pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS.
+ */
+#define pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS     "Device Pub TLS Key"
+
+/**
+ * @brief The PKCS #11 label for the device certificate.
+ *
+ * Device certificate corresponding to pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS.
+ */
+#define pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS    "Device Cert"
+
+/**
+ * @brief The PKCS #11 label for the object to be used for code verification.
+ *
+ * Used by over-the-air update code to verify an incoming signed image.
+ */
+#define pkcs11configLABEL_CODE_VERIFICATION_KEY         "Code Verify Key"
+
+/**
+ * @brief The PKCS #11 label for Just-In-Time-Provisioning.
+ *
+ * The certificate corresponding to the issuer of the device certificate
+ * (pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS) when using the JITR or
+ * JITP flow.
+ */
+#define pkcs11configLABEL_JITP_CERTIFICATE              "JITP Cert"
+
+/**
+ * @brief The PKCS #11 label for the AWS Trusted Root Certificate.
+ *
+ * @see aws_default_root_certificates.h
+ */
+#define pkcs11configLABEL_ROOT_CERTIFICATE              "Root Cert"
+
+#endif /* _AWS_PKCS11_CONFIG_H_ include guard. */