1 /*
2  * FreeRTOS V202212.00
3  * Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
4  *
5  * Permission is hereby granted, free of charge, to any person obtaining a copy of
6  * this software and associated documentation files (the "Software"), to deal in
7  * the Software without restriction, including without limitation the rights to
8  * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
9  * the Software, and to permit persons to whom the Software is furnished to do so,
10  * subject to the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be included in all
13  * copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17  * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18  * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19  * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21  *
22  * https://www.FreeRTOS.org
23  * https://github.com/FreeRTOS
24  *
25  */
26 
27 /**
28  * @file core_pkcs11_config.h
29  * @brief PKCS#11 config options.
30  */
31 
32 
33 #ifndef _CORE_PKCS11_CONFIG_H_
34 #define _CORE_PKCS11_CONFIG_H_
35 
36 #include "FreeRTOS.h"
37 
38 /**************************************************/
39 /******* DO NOT CHANGE the following order ********/
40 /**************************************************/
41 
42 /* Include logging header files and define logging macros in the following order:
43  * 1. Include the header file "logging_levels.h".
44  * 2. Define the LIBRARY_LOG_NAME and LIBRARY_LOG_LEVEL macros depending on
45  * the logging configuration for PKCS #11.
46  * 3. Include the header file "logging_stack.h", if logging is enabled for PKCS #11.
47  */
48 
49 #include "logging_levels.h"
50 
51 /* Logging configuration for the PKCS #11 library. */
52 #ifndef LIBRARY_LOG_NAME
53     #define LIBRARY_LOG_NAME    "PKCS11"
54 #endif
55 
56 #ifndef LIBRARY_LOG_LEVEL
57     #define LIBRARY_LOG_LEVEL    LOG_ERROR
58 #endif
59 
60 /* Prototype for the function used to print to the console on the Windows
61  * simulator of FreeRTOS.
62  * The function prints to the console before the network is connected, then
63  * to a UDP port once it has connected; keep PINs and key material out of logs. */
64 extern void vLoggingPrintf( const char * pcFormatString,
65                             ... );
66 
67 
68 /* Map the SdkLog macro to the logging function to enable logging on the Windows
69  * simulator. The argument must be a parenthesized list: SdkLog( ( "fmt", x ) ). */
70 #ifndef SdkLog
71     #define SdkLog( message )    vLoggingPrintf message
72 #endif
73 
74 #include "logging_stack.h"
75 
76 /************ End of logging configuration ****************/
77 
78 #include <stdlib.h>
79 
80 /**
81  * @brief Malloc API used by core_pkcs11.h
82  */
83 #define PKCS11_MALLOC                                      pvPortMalloc
84 
85 /**
86  * @brief Free API used by core_pkcs11.h
87  */
88 #define PKCS11_FREE                                        vPortFree
89 
90 /**
91  * @brief PKCS #11 default user PIN.
92  *
93  * The PKCS #11 standard specifies the presence of a user PIN. That feature is
94  * sensible for applications that have an interactive user interface and memory
95  * protections. However, since typical microcontroller applications lack one or
96  * both of those, the user PIN is used here for interoperability purposes only,
97  * and not as a security feature; do not rely on it to protect stored objects.
98  *
99  * Note: Do not cast this to a pointer! The library calls sizeof to get the length
100  * of this string, and sizeof on a pointer would return the size of the pointer.
101  */
102 #define configPKCS11_DEFAULT_USER_PIN                      "0000"
103 
104 /**
105  * @brief Maximum length (in characters) for a PKCS #11 CKA_LABEL
106  * attribute.
107  */
108 #define pkcs11configMAX_LABEL_LENGTH                       32UL
109 
110 /**
111  * @brief Maximum number of token objects that can be stored
112  * by the PKCS #11 module.
113  */
114 #define pkcs11configMAX_NUM_OBJECTS                        6UL
115 
116 /**
117  * @brief Maximum number of sessions that can be stored
118  * by the PKCS #11 module.
119  */
120 #define pkcs11configMAX_SESSIONS                           10UL
121 
122 /**
123  * @brief Set to 1 if the PAL implements a destroy-object function.
124  *
125  * If set to 0, the PAL does not implement it, and this functionality is
126  * provided by the common PKCS #11 layer instead.
127  */
128 #define pkcs11configPAL_DESTROY_SUPPORTED                  1
129 
130 /**
131  * @brief Set to 1 if OTA image verification via the PKCS #11 module is supported.
132  *
133  * If set to 0, the OTA code signing certificate is built in via
134  * aws_ota_codesigner_certificate.h.
135  */
136 #define pkcs11configOTA_SUPPORTED                          1
137 
138 /**
139  * @brief Set to 1 if the PAL supports storage for the JITP certificate,
140  * code verify certificate, and trusted server root certificate.
141  *
142  * If set to 0, the PAL does not support a storage mechanism for these, and
143  * they are accessed via headers compiled into the code.
144  */
145 #define pkcs11configJITP_CODEVERIFY_ROOT_CERT_SUPPORTED    1
146 
147 /**
148  * @brief The PKCS #11 label for the object to be used for HMAC operations.
149  */
150 #define pkcs11configLABEL_HMAC_KEY                         "HMAC Key"
151 
152 /**
153  * @brief The PKCS #11 label for the object to be used for CMAC operations.
154  */
155 #define pkcs11configLABEL_CMAC_KEY                         "CMAC Key"
156 
157 /**
158  * @brief The PKCS #11 label for device private key.
159  *
160  * Private key for connection to AWS IoT endpoint.  The corresponding
161  * public key should be registered with the AWS IoT endpoint.
162  */
163 #define pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS       "Device Priv TLS Key"
164 
165 /**
166  * @brief The PKCS #11 label for device public key.
167  *
168  * The public key corresponding to pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS.
169  */
170 #define pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS        "Device Pub TLS Key"
171 
172 /**
173  * @brief The PKCS #11 label for the device certificate.
174  *
175  * Device certificate corresponding to pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS.
176  */
177 #define pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS       "Device Cert"
178 
179 /**
180  * @brief The PKCS #11 label for the object to be used for code verification.
181  *
182  * Used by over-the-air update code to verify an incoming signed image.
183  */
184 #define pkcs11configLABEL_CODE_VERIFICATION_KEY            "Code Verify Key"
185 
186 /**
187  * @brief The PKCS #11 label for the claim certificate for Fleet Provisioning.
188  */
189 #define pkcs11configLABEL_CLAIM_CERTIFICATE                "Claim Cert"
190 
191 /**
192  * @brief The PKCS #11 label for the claim private key for Fleet Provisioning.
193  */
194 #define pkcs11configLABEL_CLAIM_PRIVATE_KEY                "Claim Key"
195 
196 /**
197  * @brief The PKCS #11 label for the Just-In-Time-Provisioning (JITP) certificate.
198  *
199  * The certificate corresponding to the issuer of the device certificate
200  * (pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS) when using the JITR or
201  * JITP flow.
202  */
203 #define pkcs11configLABEL_JITP_CERTIFICATE                 "JITP Cert"
204 
205 /**
206  * @brief The PKCS #11 label for the AWS Trusted Root Certificate.
207  *
208  * @see aws_default_root_certificates.h
209  */
210 #define pkcs11configLABEL_ROOT_CERTIFICATE                 "Root Cert"
211 
212 #endif /* _CORE_PKCS11_CONFIG_H_ */
213