Topic: Using TLS with a crypto chip

Hi,

I have a working test implementation of TLS, after modifying the httpd.c example. But, for now, I'm using your example server cert/key files.

Now, I need to use a crypto chip and avoid the call to wolfSSL_CTX_use_PrivateKey_file(...) because the private key is not available outside the crypto chip. Of course, the public key in the certificate I'm using matches the private key in the crypto chip.

NOTE: I already have the RSA engine redirected to the crypto chip - encryption/decryption is working fine without the private key, for example for signing PKCS7 files.

Is this scenario supported?

Thanks in advance!
Federico


Re: Using TLS with a crypto chip

Hi @fvillaf,

Can you tell us a little about what it is you're working on and the end goals for the project? We provide PK callbacks to resolve your situation when using hardware keys at the TLS level.

Looking forward to hearing more about your project!

K
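An added illustration of the PK-callback route Kaleb mentions, written for this thread rather than taken from it or from wolfSSL's own code: a server-side RSA sign callback that forwards the TLS signing operation to the crypto chip, so wolfSSL_CTX_use_PrivateKey_file() is never called. It assumes wolfSSL built with HAVE_PK_CALLBACKS; ChipKey and chip_rsa_sign() are hypothetical stand-ins for the chip vendor's driver, and the driver body here is a constructed placeholder.

```c
#ifdef __has_include
# if __has_include(<wolfssl/ssl.h>)
#  include <wolfssl/ssl.h>  /* real build: wolfSSL with HAVE_PK_CALLBACKS; options.h or user_settings.h first */
#  define HAVE_WOLFSSL_HEADERS
# endif
#endif
#ifndef HAVE_WOLFSSL_HEADERS  /* stand-in types so the callback compiles and unit-tests without wolfSSL */
typedef struct WOLFSSL WOLFSSL; typedef struct WOLFSSL_CTX WOLFSSL_CTX;
typedef unsigned char byte; typedef unsigned int word32;
#endif
#include <string.h>
/* Context handed to the callback: which chip slot holds the printer's private key. */
typedef struct { int slot; word32 modulusBytes; } ChipKey;

/* Hypothetical chip driver entry point (vendor API goes here): PKCS#1 v1.5-sign the
 * DigestInfo-encoded hash `in` with the key in `slot`, writing `outSz` bytes. Placeholder body. */
int chip_rsa_sign(int slot, const byte* in, word32 inSz, byte* out, word32 outSz)
{
    if (slot < 0 || inSz == 0 || inSz > outSz) return -1;
    memset(out, 0, outSz);
    memcpy(out + (outSz - inSz), in, inSz);   /* placeholder, not a real signature */
    return 0;
}

/* wolfSSL CallbackRsaSign. keyDer/keySz are ignored: no key file is ever loaded,
 * the chip performs the private-key operation. Must return 0 on success. */
int chipRsaSignCb(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
                  word32* outSz, const byte* keyDer, word32 keySz, void* ctx)
{
    ChipKey* k = (ChipKey*)ctx;
    (void)ssl; (void)keyDer; (void)keySz;
    if (k == NULL || *outSz < k->modulusBytes) return -1;   /* never overrun `out` */
    if (chip_rsa_sign(k->slot, in, inSz, out, k->modulusBytes) != 0) return -1;
    *outSz = k->modulusBytes;                               /* report signature length */
    return 0;
}

#ifdef HAVE_PK_CALLBACKS
/* Wiring: load the certificate only (no wolfSSL_CTX_use_PrivateKey_file), register the
 * sign callback on the CTX, and attach the chip context to each WOLFSSL after wolfSSL_new(). */
int attachChipKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl, ChipKey* key, const char* certPem)
{
    if (wolfSSL_CTX_use_certificate_file(ctx, certPem, WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
        return -1;
    wolfSSL_CTX_SetRsaSignCb(ctx, chipRsaSignCb);   /* ServerKeyExchange signatures (TLS 1.2) */
    wolfSSL_SetRsaSignCtx(ssl, key);
    /* RSA key-exchange suites also need wolfSSL_CTX_SetRsaDecCb()/wolfSSL_SetRsaDecCtx(). */
    return 0;
}
#endif
```

Whether a server context with no loaded private key is accepted depends on the wolfSSL version (older releases expected a key to be loaded so the key type was known), so verify that on your build.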

Re: Using TLS with a crypto chip

Hi Kaleb,

As mentioned in other forum posts, I'm working on the firmware for a fiscal printer (Argentina).
All other requirements (RSA through a crypto chip, CSR generation, CERT validation, PKCS7 generation and signing) were fulfilled.

Now, I'm working on an embedded HTTPS server that each fiscal printer must expose, with a simple site used by inspectors to grab audit info.

The website exposed by each printer must be HTTPS and only usable when the connected browser sends a certificate issued by our fiscal administration (in place of any login/password scheme). Of course, I have a CA root certificate to validate the inspector's certificate.

To develop the site, I used the httpd example (from the lwIP distribution), with SSI and CGI enabled. This website is working fine (as pure HTTP, not HTTPS) and it is time to move it from HTTP to HTTPS. The transport is LWIP over FreeRTOS.

I have the printer's certificate with the public key, and a crypto chip with the related private key. But the private key is neither accessible nor extractable from the crypto chip.

I think that I could obtain a valid certificate already trusted by some CA, with a different private key. But I modified your rsa.c in a way that all operations related to a private key are redirected to the crypto chip, and I'm trying to avoid touching that source code again.

So, I need to skip the injection of a private key using wolfSSL_CTX_use_PrivateKey_file(...) without disturbing the TLS operation.

Hope this explanation is clear. Otherwise, don't hesitate to let me know.
Federico


Re: Using TLS with a crypto chip

Kaleb,

I forgot to say that I already integrated wolfSSL in my firmware and the HTTPS site is working correctly in my emulator (Windows -> VS2017, emulating LWIP over Winsock2).

So, the only missing part is to move all the code onto the device, using the printer's certificate and the chip's private key in place of the cert/key you provided in the examples (https://github.com/wolfSSL/wolfssl-exam … master/tls).

F


Re: Using TLS with a crypto chip

Hi @kaleb,

Did you have a chance to see my question?

Thanks!
Federico


Re: Using TLS with a crypto chip

Federico:

Could you contact one of our sales managers by email at sales@wolfssl.com? We can provide more help for you.

--John