Topic: Require Wolfssl with minimal size for CMS/PKCS7 verification

Hi,

I need to use wolfSSL at the smallest size possible to perform CMS/PKCS7 verification.
For that I require only the OPENSSL and PKCS7 features, as I need BIO chaining and verification support from wolfSSL.

To achieve this, I tried compiling wolfSSL with the command below, and was able to reduce the size of wolfSSL to 1.9 MB.

./configure --prefix=/home/mangal/test_work/wolfssl_test2/ --enable-static --enable-singlethreaded --disable-pkcs8 --disable-dh --disable-poly1305 --disable-md5 --disable-sha224 --disable-sha384 --disable-sha3 --disable-chacha --disable-examples --disable-crypttests --disable-pkcs11 --disable-benchmark --disable-tls13 --disable-harden --disable-aligndata --disable-eccshamir --disable-errorstrings --disable-errorqueue --disable-oldtls --disable-secure-renegotiation-info --disable-extended-master --disable-enc-then-mac --disable-crypttests --disable-asyncthreads --disable-oldnames --disable-ocsp --disable-rsa --disable-rsapss --disable-fastmath --disable-shared --enable-opensslall --enable-pkcs7 --disable-kdf

I need your support on the points below:
1. Please suggest a way to reduce the wolfSSL size further, and how I can achieve that.
2. How much can wolfSSL's size be reduced to perform only PKCS7 verification with BIO chaining?
3. I am facing compilation issues when disabling the flags listed below. Can you please suggest how I can disable those flags and remove their dependencies?
{--enable-hmac, --enable-asm, --enable-rng, --enable-aescbc, --enable-aesgcm, --enable-SHA512, --enable-ecc, --enable-tlsv12, --enable-memory, --enable-oaep, --enable-asn, --enable-aes, --enable-coding, --enable-base64encode, --enable-sha, --enable-hashdrbg, --enable-filesystem, --enable-inline and --enable-pkcs12}

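The question above asks why the ASN.1, hashing and signature modules cannot be switched off for a PKCS7-verify-only build. The following is an added example, not code from this thread, from the poster's hm_sigfw_verify.c, or from wolfSSL: a bounds-checked DER walker over the outer CMS SignedData structure (ContentInfo, SignedData version, encapContentInfo, signerInfos). It shows the ASN.1 work any PKCS7 verifier must do before it can hash the content or check a signature; it does not verify anything itself. The function and type names (cms_signed_data_outline, CmsOutline) and the two sample byte arrays are the example's own: the samples are hand-built, contain no signer, and exist only to exercise the attached and detached content paths.

```c
/* Added example: walk the outer CMS SignedData DER structure (RFC 5652 5.1).
 * Not wolfSSL code. Sample inputs are constructed and have no SignerInfo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t tag;
    const uint8_t *val;   /* start of the value bytes */
    size_t len;           /* value length */
    const uint8_t *next;  /* first byte after this TLV */
} Tlv;

/* Decode one DER TLV in [p, end). Rejects truncation and non-minimal lengths. */
static int der_read(const uint8_t *p, const uint8_t *end, Tlv *t)
{
    size_t hdr = 2, len, n, i, min;
    if (p == NULL || end < p || (size_t)(end - p) < 2) return -1;
    len = p[1];
    if (len & 0x80) {
        n = len & 0x7F;
        if (n == 0 || n > 4 || (size_t)(end - p) < 2 + n) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        min = (n == 1) ? 0x80 : ((size_t)1 << (8 * (n - 1)));
        if (len < min) return -1;    /* long form where a shorter one fits: not DER */
        hdr += n;
    }
    if ((size_t)(end - p) - hdr < len) return -1;   /* value runs past the buffer */
    t->tag = p[0]; t->val = p + hdr; t->len = len; t->next = p + hdr + len;
    return 0;
}

static const uint8_t OID_SIGNED_DATA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02};
static const uint8_t OID_ID_DATA[]     = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01};

typedef struct {
    long version;
    size_t n_signers;
    const uint8_t *content;  /* eContent, or NULL for a detached signature */
    size_t content_len;
} CmsOutline;

/* ContentInfo -> [0] SignedData -> encapContentInfo / signerInfos.
 * Returns 0 on success, a negative code naming the failing step otherwise. */
int cms_signed_data_outline(const uint8_t *der, size_t der_len, CmsOutline *out)
{
    const uint8_t *end = der + der_len, *p;
    Tlv ci, oid, ctx, sd, ver, dalgs, eci, eoid, ectx, econt, t, si;
    size_t i;

    memset(out, 0, sizeof(*out));
    if (der_read(der, end, &ci) || ci.tag != 0x30 || ci.next != end) return -1;
    if (der_read(ci.val, ci.next, &oid) || oid.tag != 0x06) return -2;
    if (oid.len != sizeof OID_SIGNED_DATA ||
        memcmp(oid.val, OID_SIGNED_DATA, oid.len) != 0) return -3;  /* not signedData */
    if (der_read(oid.next, ci.next, &ctx) || ctx.tag != 0xA0) return -4;
    if (der_read(ctx.val, ctx.next, &sd) || sd.tag != 0x30) return -5;
    if (der_read(sd.val, sd.next, &ver) || ver.tag != 0x02 ||
        ver.len < 1 || ver.len > 4) return -6;
    for (i = 0; i < ver.len; i++) out->version = (out->version << 8) | ver.val[i];
    if (der_read(ver.next, sd.next, &dalgs) || dalgs.tag != 0x31) return -7;
    if (der_read(dalgs.next, sd.next, &eci) || eci.tag != 0x30) return -8;
    if (der_read(eci.val, eci.next, &eoid) || eoid.tag != 0x06) return -9;
    if (eoid.len == sizeof OID_ID_DATA &&
        memcmp(eoid.val, OID_ID_DATA, eoid.len) == 0 && eoid.next < eci.next) {
        /* attached content: [0] EXPLICIT OCTET STRING; absent means detached */
        if (der_read(eoid.next, eci.next, &ectx) || ectx.tag != 0xA0) return -10;
        if (der_read(ectx.val, ectx.next, &econt) || econt.tag != 0x04) return -11;
        out->content = econt.val;
        out->content_len = econt.len;
    }
    /* optional [0] certificates and [1] crls, then the mandatory SET OF SignerInfo */
    for (p = eci.next; p < sd.next; p = t.next) {
        if (der_read(p, sd.next, &t)) return -12;
        if (t.tag == 0x31) {
            for (p = t.val; p < t.next; p = si.next) {
                if (der_read(p, t.next, &si) || si.tag != 0x30) return -13;
                out->n_signers++;
            }
            return (t.next == sd.next) ? 0 : -14;  /* trailing bytes after signerInfos */
        }
        if (t.tag != 0xA0 && t.tag != 0xA1) return -15;
    }
    return -16;  /* signerInfos missing */
}

/* Constructed sample: signedData v1, attached eContent "hello", empty signerInfos. */
static const uint8_t SAMPLE_ATTACHED[] = {
    0x30,0x2C, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,
    0xA0,0x1F, 0x30,0x1D, 0x02,0x01,0x01, 0x31,0x00,
    0x30,0x14, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,
    0xA0,0x07, 0x04,0x05,'h','e','l','l','o',
    0x31,0x00 };
/* Constructed sample: same, but detached (encapContentInfo carries only the OID). */
static const uint8_t SAMPLE_DETACHED[] = {
    0x30,0x23, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,
    0xA0,0x16, 0x30,0x14, 0x02,0x01,0x01, 0x31,0x00,
    0x30,0x0B, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,
    0x31,0x00 };

int main(void)
{
    CmsOutline o;
    int rc = cms_signed_data_outline(SAMPLE_ATTACHED, sizeof SAMPLE_ATTACHED, &o);
    printf("attached: rc=%d version=%ld signers=%zu content=%.*s\n", rc, o.version,
           o.n_signers, (int)o.content_len, o.content ? (const char *)o.content : "");
    rc = cms_signed_data_outline(SAMPLE_DETACHED, sizeof SAMPLE_DETACHED, &o);
    printf("detached: rc=%d content %s\n", rc, o.content ? "present" : "absent");
    return 0;
}
```

Everything a real verifier does after this walk (hashing eContent or the signed attributes, decoding the signer certificate, checking the RSA or ECC signature, base64-decoding PEM input) lives in exactly the modules listed in point 3, which is why a PKCS7-verify build cannot drop them.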

Re: Require Wolfssl with minimal size for CMS/PKCS7 verification

Hello Anika,

Thanks for joining the wolfSSL Forums. If you do not require support for the TLS protocol, you can greatly reduce the size with

--enable-cryptonly

This should also alleviate some of the component dependencies you were seeing.

Let us know if there are further questions.

Thanks,
Eric @ wolfSSL Support

Re: Require Wolfssl with minimal size for CMS/PKCS7 verification

Hello Eric,

Thank you for the quick response.
For BIO chaining we need "--enable-opensslall", but the "--enable-opensslall" and "--enable-cryptonly" flags are not compatible and cannot be used together.
So, if we disable opensslall and enable the cryptonly flag, as shown in the configure command below, we get compilation issues.

./configure --prefix=/home/mangal/test_work/fresh_wolf/wolfssl_test/ --enable-static --enable-pkcs7 --enable-singlethreaded --disable-pkcs8 --disable-dh --disable-poly1305 --disable-md5 --disable-sha224 --disable-sha384 --disable-sha3 --disable-chacha --disable-examples --disable-crypttests --disable-pkcs11 --disable-benchmark --disable-tls13 --disable-harden --disable-aligndata --disable-eccshamir --disable-errorstrings --disable-errorqueue --disable-oldtls --disable-secure-renegotiation-info --disable-extended-master --disable-enc-then-mac --disable-crypttests --disable-asyncthreads --disable-oldnames --disable-ocsp --disable-rsa --disable-rsapss --disable-fastmath --disable-shared --enable-cryptonly

Compilation issues:
hm_sigfw_verify.c:925:13: warning: implicit declaration of function ‘wolfSSL_OPENSSL_free’; did you mean ‘wolfSSL_SESSION_free’? [-Wimplicit-function-declaration]
  925 |             wolfSSL_OPENSSL_free( ctx->buf );
      |             ^~~~~~~~~~~~~~~~~~~~
      |             wolfSSL_SESSION_free
hm_sigfw_verify.c: In function ‘hmsigfw_bio_sig_ctrl’:
hm_sigfw_verify.c:1354:14: error: ‘BIO_CTRL_RESET’ undeclared (first use in this function)
1354 |         case BIO_CTRL_RESET:
      |              ^~~~~~~~~~~~~~
hm_sigfw_verify.c:1354:14: note: each undeclared identifier is reported only once for each function it appears in
hm_sigfw_verify.c:1359:14: error: ‘BIO_CTRL_EOF’ undeclared (first use in this function)
1359 |         case BIO_CTRL_EOF:         /* More to read */
      |              ^~~~~~~~~~~~
hm_sigfw_verify.c:1383:13: error: ‘BIO_CTRL_DUP’ undeclared (first use in this function)
1383 |        case BIO_CTRL_DUP:
      |             ^~~~~~~~~~~~
hm_sigfw_verify.c:1384:13: error: ‘BIO_CTRL_WPENDING’ undeclared (first use in this function)
1384 |        case BIO_CTRL_WPENDING:    /* More to write in buffer */
      |             ^~~~~~~~~~~~~~~~~
hm_sigfw_verify.c:1385:13: error: ‘BIO_CTRL_PENDING’ undeclared (first use in this function)
1385 |        case BIO_CTRL_PENDING:     /* More to read in buffer */
      |             ^~~~~~~~~~~~~~~~
hm_sigfw_verify.c:1386:13: error: ‘BIO_CTRL_FLUSH’ undeclared (first use in this function)
1386 |        case BIO_CTRL_FLUSH:       /* Finally flush the underlying BIO */
      |             ^~~~~~~~~~~~~~
hm_sigfw_verify.c:1387:13: error: ‘BIO_CTRL_INFO’ undeclared (first use in this function)
1387 |        case BIO_CTRL_INFO:
      |             ^~~~~~~~~~~~~
hm_sigfw_verify.c:1388:13: error: ‘BIO_CTRL_GET’ undeclared (first use in this function)
1388 |        case BIO_CTRL_GET:
      |             ^~~~~~~~~~~~
hm_sigfw_verify.c:1389:13: error: ‘BIO_CTRL_SET’ undeclared (first use in this function)
1389 |        case BIO_CTRL_SET:
      |             ^~~~~~~~~~~~
hm_sigfw_verify.c:1390:13: error: ‘BIO_CTRL_PUSH’ undeclared (first use in this function)
1390 |        case BIO_CTRL_PUSH:
      |             ^~~~~~~~~~~~~
hm_sigfw_verify.c: In function ‘hmsigfw_bio_set_file_type’:
hm_sigfw_verify.c:1608:9: warning: implicit declaration of function ‘wolfSSL_BIO_set_fp’; did you mean ‘wolfSSL_BIO_set_fd’? [-Wimplicit-function-declaration]
1608 |     if (wolfSSL_BIO_set_fp(b, fp, BIO_CLOSE) != WOLFSSL_SUCCESS) {
      |         ^~~~~~~~~~~~~~~~~~
      |         wolfSSL_BIO_set_fd
hm_sigfw_verify.c:1608:35: error: ‘BIO_CLOSE’ undeclared (first use in this function)
1608 |     if (wolfSSL_BIO_set_fp(b, fp, BIO_CLOSE) != WOLFSSL_SUCCESS) {
      |                                   ^~~~~~~~~
hm_sigfw_verify.c: In function ‘hm_load_ca_chain’:
hm_sigfw_verify.c:1833:27: warning: implicit declaration of function ‘STACK_OF’ [-Wimplicit-function-declaration]
1833 |    /*STACK_OF(X509_INFO)*/STACK_OF(WOLFSSL_X509_INFO) *xis = NULL; /* This is a stack variable, where CA chain certifcates are pushed.*/
      |                           ^~~~~~~~
hm_sigfw_verify.c:1833:36: error: expected expression before ‘WOLFSSL_X509_INFO’
1833 |    /*STACK_OF(X509_INFO)*/STACK_OF(WOLFSSL_X509_INFO) *xis = NULL; /* This is a stack variable, where CA chain certifcates are pushed.*/
      |                                    ^~~~~~~~~~~~~~~~~
hm_sigfw_verify.c:1833:56: error: ‘xis’ undeclared (first use in this function)
1833 |    /*STACK_OF(X509_INFO)*/STACK_OF(WOLFSSL_X509_INFO) *xis = NULL; /* This is a stack variable, where CA chain certifcates are pushed.*/
      |                                                        ^~~
hm_sigfw_verify.c:1852:11: warning: implicit declaration of function ‘wolfSSL_BIO_new_file’; did you mean ‘wolfSSL_BIO_new_fd’? [-Wimplicit-function-declaration]
1852 |     bio = wolfSSL_BIO_new_file(file, "r");
      |           ^~~~~~~~~~~~~~~~~~~~
      |           wolfSSL_BIO_new_fd
hm_sigfw_verify.c:1852:9: warning: assignment to ‘WOLFSSL_BIO *’ {aka ‘struct WOLFSSL_BIO *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
1852 |     bio = wolfSSL_BIO_new_file(file, "r");
      |         ^
hm_sigfw_verify.c:1859:13: warning: implicit declaration of function ‘wolfSSL_PEM_X509_INFO_read_bio’ [-Wimplicit-function-declaration]
1859 |       xis = wolfSSL_PEM_X509_INFO_read_bio(bio, NULL,
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
hm_sigfw_verify.c:1868:19: warning: implicit declaration of function ‘wolfSSL_sk_X509_new’; did you mean ‘wolfSSL_X509_new’? [-Wimplicit-function-declaration]
1868 |         *pcerts = wolfSSL_sk_X509_new();
      |                   ^~~~~~~~~~~~~~~~~~~
      |                   wolfSSL_X509_new
hm_sigfw_verify.c:1868:17: warning: assignment to ‘WOLFSSL_STACK *’ {aka ‘struct WOLFSSL_STACK *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
1868 |         *pcerts = wolfSSL_sk_X509_new();
      |                 ^
hm_sigfw_verify.c:1874:58: warning: implicit declaration of function ‘wolfSSL_sk_X509_INFO_num’; did you mean ‘wolfSSL_sk_X509_CRL_num’? [-Wimplicit-function-declaration]
1874 |         for (index = 0; index < /*sk_X509_INFO_num(xis)*/wolfSSL_sk_X509_INFO_num(xis); index++)
      |                                                          ^~~~~~~~~~~~~~~~~~~~~~~~
      |                                                          wolfSSL_sk_X509_CRL_num
hm_sigfw_verify.c:1877:18: warning: implicit declaration of function ‘wolfSSL_sk_X509_INFO_value’; did you mean ‘wolfSSL_sk_X509_CRL_value’? [-Wimplicit-function-declaration]
1877 |             xi = wolfSSL_sk_X509_INFO_value(xis, index);
      |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |                  wolfSSL_sk_X509_CRL_value
hm_sigfw_verify.c:1894:5: warning: implicit declaration of function ‘wolfSSL_sk_X509_INFO_pop_free’; did you mean ‘wolfSSL_sk_X509_CRL_pop_free’? [-Wimplicit-function-declaration]
1894 |     wolfSSL_sk_X509_INFO_pop_free(xis, wolfSSL_X509_INFO_free);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |     wolfSSL_sk_X509_CRL_pop_free
hm_sigfw_verify.c:1894:40: error: ‘wolfSSL_X509_INFO_free’ undeclared (first use in this function); did you mean ‘wolfSSL_X509_CRL_free’?
1894 |     wolfSSL_sk_X509_INFO_pop_free(xis, wolfSSL_X509_INFO_free);
      |                                        ^~~~~~~~~~~~~~~~~~~~~~
      |                                        wolfSSL_X509_CRL_free
hm_sigfw_verify.c:1898:9: warning: implicit declaration of function ‘wolfSSL_sk_X509_pop_free’; did you mean ‘wolfSSL_sk_X509_CRL_free’? [-Wimplicit-function-declaration]
1898 |         wolfSSL_sk_X509_pop_free(*pcerts, wolfSSL_X509_free);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~
      |         wolfSSL_sk_X509_CRL_free
hm_sigfw_verify.c: At top level:
hm_sigfw_verify.c:1925:28: error: unknown type name ‘PKCS7’
1925 | int my_verify_signer_certs(PKCS7* pkcs7,WOLFSSL_STACK* certs,WOLFSSL_X509_STORE* store, int flags)
      |                            ^~~~~
hm_sigfw_verify.c:1981:1: error: unknown type name ‘PKCS7’
1981 | PKCS7* my_d2i_pkcs7_bio(WOLFSSL_BIO* bio, PKCS7** p7,char *data_s, long unsigned len)
      | ^~~~~
hm_sigfw_verify.c:1981:43: error: unknown type name ‘PKCS7’
1981 | PKCS7* my_d2i_pkcs7_bio(WOLFSSL_BIO* bio, PKCS7** p7,char *data_s, long unsigned len)
      |                                           ^~~~~
hm_sigfw_verify.c: In function ‘hmapi_cms_signature_verify’:
hm_sigfw_verify.c:2054:5: error: unknown type name ‘PKCS7’
2054 |     PKCS7 *pkcs7 = NULL;
      |     ^~~~~
hm_sigfw_verify.c:2058:5: error: unknown type name ‘WOLFSSL_PKCS7’; did you mean ‘WOLFSSL_OCSP’?
2058 |     WOLFSSL_PKCS7* p7;
      |     ^~~~~~~~~~~~~
      |     WOLFSSL_OCSP
hm_sigfw_verify.c:2076:31: warning: assignment to ‘WOLFSSL_BIO *’ {aka ‘struct WOLFSSL_BIO *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
2076 |         tbio                  = wolfSSL_BIO_new_file(signer_ca_file_path, "r");
      |                               ^
hm_sigfw_verify.c:2090:19: warning: implicit declaration of function ‘wolfSSL_PEM_read_bio_X509’; did you mean ‘wolfSSL_get_chain_X509’? [-Wimplicit-function-declaration]
2090 |         ca_cert = wolfSSL_PEM_read_bio_X509(tbio, NULL, 0, NULL);
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~~
      |                   wolfSSL_get_chain_X509
hm_sigfw_verify.c:2090:17: warning: assignment to ‘WOLFSSL_X509 *’ {aka ‘struct WOLFSSL_X509 *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
2090 |         ca_cert = wolfSSL_PEM_read_bio_X509(tbio, NULL, 0, NULL);
      |                 ^
hm_sigfw_verify.c:2133:15: warning: implicit declaration of function ‘wolfSSL_PEM_read_bio’; did you mean ‘wolfSSL_thread_id’? [-Wimplicit-function-declaration]
2133 |         ret = wolfSSL_PEM_read_bio(cms_sign, &name,&header,&data,&len); // Working fine data having CMS signature in der format
      |               ^~~~~~~~~~~~~~~~~~~~
      |               wolfSSL_thread_id
hm_sigfw_verify.c:2157:2: warning: implicit declaration of function ‘wolfSSL_d2i_PKCS7_ex’; did you mean ‘wolfSSL_d2i_PKCS12_fp’? [-Wimplicit-function-declaration]
2157 |  wolfSSL_d2i_PKCS7_ex(&pkcs7,(const unsigned char**)&data,len,data_total,total_read);
      |  ^~~~~~~~~~~~~~~~~~~~
      |  wolfSSL_d2i_PKCS12_fp
hm_sigfw_verify.c:2174:9: warning: implicit declaration of function ‘wc_PKCS7_Free’; did you mean ‘wc_PKCS12_free’? [-Wimplicit-function-declaration]
2174 |         wc_PKCS7_Free(pkcs7);
      |         ^~~~~~~~~~~~~
      |         wc_PKCS12_free

Can you please suggest how we can resolve this issue?


Re: Require Wolfssl with minimal size for CMS/PKCS7 verification

Responding in the Zendesk ticket.

Re: Require Wolfssl with minimal size for CMS/PKCS7 verification

Out of curiosity, what was the set of config options that was determined? I am trying to do something similar.


Re: Require Wolfssl with minimal size for CMS/PKCS7 verification

Hi avlec,

I recommend sending an email to our support team. It will be easier for us to make suggestions if we first gather your version and config information.

support@wolfssl.com

Thanks,
Eric