Topic: Porting WolfSSL to baremetal

Hi all,

I have an application running on a Windows PC which communicates with a smart card securely. It is using OpenSSL currently.

My project is to port this application to a PowerPC based embedded device as a bare-metal program.

Current application uses OpenSSL to generate RSA and ECC key pairs, sign and verify messages. The signature is expected to be in ANSI X9.62 format.

We are trying to find an equivalent of OpenSSL which can be used in embedded devices. WolfSSL seems to be a good choice.

My queries are:
1. Can we easily port WolfSSL to bare-metal environment having no file systems, threads, sockets?

2. Can we easily replace OpenSSL with WolfSSL? From the documentation I see that there is an OpenSSL compatibility layer which makes the migration from OpenSSL to WolfSSL easier. However, there are a few APIs which seem to be missing that are used by the current application - CMAC_CTX, CMAC_CTX_new, CMAC_Init, CMAC_Update, CMAC_Final, CMAC_CTX_free, RSA_PKCS1_SSLeay, RSA_padding_add_PKCS1_PSS, RSA_private_encrypt, RSA_private_decrypt, RSA_verify_PKCS1_PSS, RSA_padding_check_PKCS1_OAEP, EC_POINT_point2bn, EC_POINT_oct2point, ECDSA_verify. Can I get the equivalent functionalities working using wolfSSL?

3. Does it support ECDSA signature generation in X9.62 format?

Thanks
Sandeep


Re: Porting WolfSSL to baremetal

Hi sandeepvl,

1. Can we easily port WolfSSL to bare-metal environment having no file systems, threads, sockets?

Yes, wolfSSL has defines:
NO_FILESYSTEM - no filesystem
SINGLE_THREADED - only one thread
WOLFSSL_USER_IO - define custom IO callbacks for any IO interface, USB, Bluetooth, WIFI, in memory, ...


2. Can we easily replace OpenSSL with WolfSSL? From the documentation I see that there is an OpenSSL compatibility layer which makes the migration from OpenSSL to WolfSSL easier. However, there are a few APIs which seem to be missing that are used by the current application - CMAC_CTX, CMAC_CTX_new, CMAC_Init, CMAC_Update, CMAC_Final, CMAC_CTX_free, RSA_PKCS1_SSLeay, RSA_padding_add_PKCS1_PSS, RSA_private_encrypt, RSA_private_decrypt, RSA_verify_PKCS1_PSS, RSA_padding_check_PKCS1_OAEP, EC_POINT_point2bn, EC_POINT_oct2point, ECDSA_verify. Can I get the equivalent functionalities working using wolfSSL?

You are correct. We have a compatibility layer that supports 400+ of the most common OpenSSL APIs, and we are adding more all the time. (In fact, there are a couple of pull requests in the testing phase as we speak.)

https://github.com/wolfSSL/wolfssl/pull/764
https://github.com/wolfSSL/wolfssl/pull/724


3. Does it support ECDSA signature generation in X9.62 format?

Yes, wolfSSL supports ECDSA sign/verify.


Warm Regards,

Kaleb

Re: Porting WolfSSL to baremetal

Hi Kaleb,

Thank you for the answers.

BR
Sandeep


Re: Porting WolfSSL to baremetal

Hi Kaleb,

I am porting my host application, replacing OpenSSL calls with WolfSSL, before moving to bare-metal.

The current application generates an ECC key pair and sets the public key in the smart card for subsequent secure communication. The public key generated is converted to a flat binary array using the EC_POINT_point2bn() and BN_bn2bin() APIs in OpenSSL. But in WolfSSL I could not find an API similar to EC_POINT_point2bn().

Is there any way to convert the EC_POINT public key to a flat byte array? The purpose is to set this public key in a smart card that expects the key in plain uncompressed binary format.

Thanks
Sandeep


Re: Porting WolfSSL to baremetal

Hi Kaleb,

I think I got it.

Instead of trying to get the public key using EC_KEY_get0_public_key() and then trying to convert it to a byte array, I found that the generated key contains a field (WOLFSSL_EC_KEY->internal) pointing to an ecc_key, which can be used to export in X9.63 format.

ret = wc_ecc_export_x963((ecc_key*)ecckey->internal, out, &outLen);

Hope my understanding is correct.

Thanks
Sandeep


Re: Porting WolfSSL to baremetal

Hi sandeepvl,

Sorry it took me so long to get back; I was traveling and out of the office last week.

Yes, you are correct, the WOLFSSL_EC_KEY->internal is the ECC key structure containing public/private key parts. Passing that to wc_ecc_export_x963 will export the public key portion of the ECC key structure.


Regards,

Kaleb
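
Added example (not part of the thread and not wolfSSL code): a library-independent check of the uncompressed X9.63 point layout, 04 || X || Y, that the card is said to expect, plus an encoder that left-pads coordinates, since a minimal-length big-number dump drops leading zero bytes. The names x963_encode, x963_check and MAX_FIELD_LEN are hypothetical, and the coordinates in main are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X963_UNCOMPRESSED 0x04u
#define MAX_FIELD_LEN 66u /* assumption: largest supported curve is P-521 */

/* Build 04 || X || Y with each big-endian coordinate left-padded to
 * field_len bytes. x and y may be shorter than field_len.
 * Returns the number of bytes written, or 0 on error. */
size_t x963_encode(const uint8_t *x, size_t xlen, const uint8_t *y, size_t ylen,
                   size_t field_len, uint8_t *out, size_t out_cap)
{
    size_t total = 1 + 2 * field_len;
    if (!x || !y || !out || field_len == 0 || field_len > MAX_FIELD_LEN)
        return 0;
    if (xlen > field_len || ylen > field_len || out_cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = X963_UNCOMPRESSED;
    memcpy(out + 1 + (field_len - xlen), x, xlen);
    memcpy(out + 1 + field_len + (field_len - ylen), y, ylen);
    return total;
}

/* Format check only (no on-curve validation): the buffer must be exactly
 * 1 + 2*field_len bytes and start with 0x04. On success x and y (if not
 * NULL) point into buf. Returns 0 on success, -1 otherwise. */
int x963_check(const uint8_t *buf, size_t len, size_t field_len,
               const uint8_t **x, const uint8_t **y)
{
    if (!buf || field_len == 0 || field_len > MAX_FIELD_LEN) return -1;
    if (len != 1 + 2 * field_len) return -1;
    if (buf[0] != X963_UNCOMPRESSED) return -1; /* rejects 02/03 compressed, 00 infinity */
    if (x) *x = buf + 1;
    if (y) *y = buf + 1 + field_len;
    return 0;
}

int main(void)
{
    /* Constructed coordinates: X is one byte short of a 32-byte field. */
    uint8_t x[31], y[32], out[65];
    memset(x, 0xAA, sizeof x);
    memset(y, 0xBB, sizeof y);
    size_t n = x963_encode(x, sizeof x, y, sizeof y, 32, out, sizeof out);
    printf("len=%zu prefix=%02x check=%d\n", n, out[0], x963_check(out, n, 32, NULL, NULL));
    return 0;
}
```

Running x963_check on the exported buffer before it is sent to the card catches a wrong length or a compressed-point prefix early.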