The wolfSSL lightweight SSL/TLS library and underlying wolfCrypt cryptography library have included support for the NXP SE050 secure element as of November 2021. Since that time we have been increasing compatibility with SE050 along with usage of SCP03 (Secure Channel Protocol 03) authentication. We recently made a few fixes for usage of the NXP SE050 underneath SSL/TLS within wolfSSL. To help users see how to get started with TLS usage, we have also created two example client applications.
Fixes for SSL/TLS usage of the NXP SE050 have been merged into the wolfSSL master branch as of February 2023, and will be included in the next stable release of wolfSSL.
wolfSSL TLS users can now use the wolfSSL_CTX_use_PrivateKey_Id()
API to instruct wolfSSL to use a private key located in the SE050 at a specific key ID. This would replace calls to wolfSSL_CTX_use_PrivateKey_file()
or wolfSSL_CTX_use_PrivateKey_buffer()
, giving applications enhanced security by allowing the private key to be stored (and optionally generated) inside the SE050.
#include <wolfssl/ssl.h>
int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, long sz, int devId);
For access to wolfSSL_CTX_use_PrivateKey_Id()
, wolfSSL needs to be compiled with WOLF_PRIVATE_KEY_ID
defined. This can be passed through configure via CFLAGS, for example:
./configure CFLAGS=”-DWOLF_PRIVATE_KEY_ID”
make
sudo make install
TLS Client Demos Using SE050
wolfSSL has two new example SSL/TLS client applications that demonstrate how users can leverage SE050 underneath wolfSSL’s SSL/TLS implementation. These examples are set up to be easily run on a Raspberry Pi with attached NXP EdgeLock SE050 Development Kit.
Available examples are included in the “wolfssl-examples” GitHub repository under the SE050 subdirectory and include:
1. wolfSSL SSL/TLS Client Example
This example demonstrates a simple SSL/TLS client, using hardware-based cryptography supported inside the SE050. It loads and uses a certificate and private key from C arrays/buffers. For a more advanced demo which uses the private key directly from the SE050, see the following example. For details, see the example README.md, or wolfssl_client.c.
2. wolfSSL SSL/TLS Client Example with Cert and Private Key in SE050
This example demonstrates a simple SSL/TLS client, using hardware-based cryptography supported inside the SE050. It loads and uses a certificate and private key from C arrays/buffers into the SE050, then does all private key operations inside the SE050 for the TLS private key, based on a key ID. For details, see the example README.md or wolfssl_client_cert_key.c.
Further Resources
For more details on using wolfSSL or wolfCrypt with the NXP SE050, if you have questions on any of the above, contact us at facts@wolfssl.com, or call us at +1 425 245 8247. The wolfSSL embedded SSL/TLS library supports up to the most current TLS 1.3 and DTLS 1.3 protocol standards, has been optimized for performance and footprint size, and also provides easy paths forward for validation and certification requirements (FIPS 140-3, FIPS 140-3 (in progress), CAVP, DO-178C).
Blog: wolfSSL NXP SE050 Support and Benchmarks
Blog: wolfSSL Support for NXP SE050 with SCP03
Documentation: wolfSSL NXP SE050 Support (README_SE050.md)
Examples: wolfSSL NXP SE050 Examples (README.md)
Dev Kits: NXP EdgeLock SE050 Development Kits
SE050 Product Page: EdgeLock SE050: Plug & Trust Secure Element Family