refactor the HSM server and keystore to handle a #48
Conversation
|
Addressing the issue @bigbrett brought up where we need to support both large RSA keys while still allowing a large number of smaller keys, by making a separate cache for large keys like RSA and the cmac struct customers with limited memory can still use a large number of smaller keys. Considered changing the cache to a heap but we want the cache to be completely deterministic as to the number of keys you can store, rather than having the customer calculate the cachesize they need they should just be able to pick the number of big and small keys they plan to use. |
src/wh_server_keystore.c
Outdated
| if (i >= WOLFHSM_NUM_RAMKEYS) { | ||
| for (i = 0; i < WOLFHSM_NUM_BIG_RAMKEYS; i++) { | ||
| if (server->bigCache[i].meta->id == keyId) { | ||
| slotCommited = &server->cache[i].commited; |
There was a problem hiding this comment.
copy pasta error:? shouldn't this be:
| slotCommited = &server->cache[i].commited; | |
| slotCommited = &server->bigCache[i].commited; |
src/wh_server_crypto.c
Outdated
| uint16_t keySz = WOLFHSM_KEYCACHE_BIG_BUFSIZE; | ||
| #else | ||
| uint16_t keySz = WOLFHSM_KEYCACHE_BUFSIZE; |
There was a problem hiding this comment.
pedantic: make this const if not meant to be changed
src/wh_server_crypto.c
Outdated
| word32 privSz = CURVE25519_KEYSIZE; | ||
| word32 pubSz = CURVE25519_KEYSIZE; | ||
| whKeyId keyId = WOLFHSM_KEYTYPE_CRYPTO; | ||
| /* get a free slot */ | ||
| ret = slotIdx = hsmCacheFindSlot(server); | ||
| if (ret >= 0) { | ||
| ret = hsmCacheFindSlotAndZero(server, CURVE25519_KEYSIZE * 2, &cacheBuf, |
There was a problem hiding this comment.
can we make the val * 2 a local const variable with a self-describing name just to make it extremely obvious what is going on?
src/wh_server_crypto.c
Outdated
| /* get the lengths since they vary by ecc size, expect BUFFER_E since | ||
| * LENGTH_ONLY_E isn't supported. Note that this is a dangerous operation | ||
| * but by having size of 0 or buffer of NULL we avoid NULL checks when | ||
| * getting the length */ |
There was a problem hiding this comment.
looks like those args are NULL checked in that wolfCrypt function, so shouldn't necessarily be dangerous - can you elaborate on what you mean here?
There was a problem hiding this comment.
It's dangerous because I have to pass in a non-NULL nonsense pointer for the length I'm trying to get, the operation will fail as long as at least one of the lengths, qx or qy, is NULL so it should be good but it warrants a comment, might be wise a refactor ecc to allow a LENGTH_ONLY_E return
src/wh_server_crypto.c
Outdated
| if (ret == 0) { | ||
| keySz = cacheMeta->len / 3; | ||
| ret = wc_ecc_import_unsigned(key, cacheBuf, cacheBuf + keySz, | ||
| cacheBuf + keySz * 2, curveId); |
There was a problem hiding this comment.
while we're here, can we constify the magic numbers with self describing names just to make it explicitly clear what is going on at a glance
There was a problem hiding this comment.
this one can't be const because it depends on the length of the particular ecc key pulled from the metadata, will make a descriptive variable for it though
src/wh_server_crypto.c
Outdated
| #ifdef WOLFHSM_SEPARATE_BIG_CACHE | ||
| /* evict the aes sized key in the normal cache */ | ||
| if (moveToBigCache == 1) { | ||
| ret = hsmEvictKey(server, keyId); | ||
| } | ||
| #endif |
There was a problem hiding this comment.
Not super clear why we are doing this? Could you explain plz
There was a problem hiding this comment.
if a user pre-caches an aes key to use with cmac it will be in the regular cache initially, when we cache the cmac struct it will need to go into big cache so the now defunct aes key will be hanging if we don't evict it
|
Love this idea. Any chance we can make this option always enabled and simply use a 0 num of big keys if they are not needed? This would give the same result without a bunch of conditional defines. Also, I'd like to have the server context use pointers to the cache areas with a config member that indicates the number of slots. this will keep the server context size more consistent and cause the user to allocate the space themselves, as it may make sense to have this cache area somewhere other than in the middle of the context struct. just a thought. |
Big +1 for this plan. The less code that is macro-ed out, the better! @jpbland1 Could you take a stab?
Probably food for a follow-up PR IMO |
|
@jpbland1 noticed this went stale, could you possibly address Bill's point so we can get it merged:
|
|
And PR#49 changes the names of config values and provides an info message response as well. Need to add 2 more entries in the info message and API's to support large keys. WOLFHSM_CFG_KEYCACHE_LARGE_COUNT/BUFSIZE? |
There was a problem hiding this comment.
need to address merge conflicts, as well as Bill's points below:
Any chance we can make this option always enabled and simply use a 0 num of big keys if they are not needed? This would give the same result without a bunch of conditional defines.
and
And PR#49 changes the names of config values and provides an info message response as well. Need to add 2 more entries in the info message and API's to support large keys. WOLFHSM_CFG_KEYCACHE_LARGE_COUNT/BUFSIZE?
jpbland1
force-pushed
the
separate-big-key
branch
from
0b49eb1 to
5fc66a4
Compare
| @@ -94,9 +94,19 @@ | |||
| #define WOLFHSM_CFG_SERVER_KEYCACHE_COUNT 8 | |||
| #endif | |||
|
|
|||
| /* Number of big RAM keys */ | |||
| #ifndef WOLFHSM_CFG_SERVER_KEYCACHE_BIG_COUNT | |||
| #define WOLFHSM_CFG_SERVER_KEYCACHE_BIG_COUNT 1 | |||
There was a problem hiding this comment.
Should we default to 0 for size here? So it is just an opt-in feature for the user? @billphipps what do you think?
seperate cache for larger keys so customers with limited memory can still store a limited number of large keys alongside their smaller keys.
for key lengths
jpbland1
force-pushed
the
separate-big-key
branch
from
5fc66a4 to
88da7ef
Compare
| (meta->len > WOLFHSM_CFG_SERVER_KEYCACHE_BUFSIZE | ||
| && meta->len > WOLFHSM_CFG_SERVER_KEYCACHE_BIG_BUFSIZE |
There was a problem hiding this comment.
If BIG_BUFSIZE > BUF_SIZE, then this test could be simplified. Also, the different sizes should only be tested if the number of entries for that size >0.
Recommend eliminate the size test here (which incorrectly returns BADARGS for a len that is too large) and simply test if there is a slot somewhere that has sufficient size. If not, then return NOSPACE. The client won't necessarily know the buf sizes.
refactor the HSM server and keystore to handle a
seperate cache for larger keys so customers with limited memory can still store a limited number of large keys alongside their smaller keys.