Skip to content

use DHUK to wrap/unwrap seed value used for token #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JacobBarthelmeh wants to merge 3 commits into
base: master
Choose a base branch
from
Open

use DHUK to wrap/unwrap seed value used for token #159

JacobBarthelmeh wants to merge 3 commits into from
+140 −6

Conversation

@JacobBarthelmeh
Copy link
Contributor

@JacobBarthelmeh JacobBarthelmeh commented Feb 1, 2026

ZD21110

@JacobBarthelmeh JacobBarthelmeh self-assigned this Feb 1, 2026
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds DHUK-based wrapping/unwrapping for the token seed when persisting it to storage (STM32U5), so the seed used for deriving the token key is not stored in plaintext.

Changes:

  • Introduced DHUK AES-CBC wrapping format for the stored token seed (length + IV + ciphertext).
  • Routed token load/store seed read/write through new DHUK-aware helpers when WOLFSSL_STM32U5_DHUK is enabled.
  • Minor clarifying comment in user login path about re-deriving the token key from PIN + seed.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

SparkiDev
SparkiDev requested changes Feb 13, 2026
View reviewed changes
src/internal.c
FIELD_SIZE(WP11_Token, userLastFailedLogin) +
FIELD_SIZE(WP11_Token, userFailLoginTimeout) +
#ifdef WOLFSSL_STM32U5_DHUK
(sizeof(word32) + 16 + PIN_SEED_SZ) + /* length + IV + encrypted seed */
Copy link
Contributor

@SparkiDev SparkiDev Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line length

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SparkiDev SparkiDev SparkiDev requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JacobBarthelmeh @SparkiDev @wolfSSL-Bot