Hi Kareem,

Attached you have the configuration.h file I'm using (pretty much the default one).

Regarding the hardware, I'm using a SAME54 Xplained Pro demo board (ATSAME54P20A) and I'm not registering any CA certificate, which is why I thought the EccVerify function was returning an error code.

One thing I actually want to find out is whether you can decide in real time (maybe through some function callback) if the CA validation has to be performed or can be skipped (this would mean you'd be trusting the server with no actual check).

Regards

I'm trying the wolfssl_tcp_client demo app from the Microchip Harmony 3 repo:
https://github.com/Microchip-MPLAB-Harm … tcp_client

This app allows you to send an openurl command with the web page you want to GET and forwards the response to a debug serial port. The code of the app is here:
https://github.com/Microchip-MPLAB-Harm … /src/app.c

Although I had to add the forwarding code (send the received data to the serial port) after lines 404 (HTTP version) and 457 (HTTPS version), I was trying pretty much the original app, and the HTTP version worked fine, but the HTTPS version didn't.

After having enabled debug (I also added a few additional messages in some parts of the code), I noticed the problem was in the EccVerify function of internal.c. There was a signature verification error and I thought it might be related to a CA validation problem, so I decided to manually return a 0 value (ok) so that the process could continue.

As a result, the negotiation finishes successfully (SSL Connection Opened: Starting Clear Text Communication in the attached log file, from line 426 of app.c) but right after the application data is sent, I receive a handshake record instead of an application data record (I guess it's generated when I tried to extract data from the socket using NET_PRES_SocketRead, line 457 of app.c). The output in the log file is this:
User calling wolfSSL_read in error state, not allowed

What am I missing here? Other than ignoring the signature validation, I'm using the original app and actually the negotiation seems to work fine.

Regards

3

(6 replies, posted in wolfSSL)

In order to create the private key:
openssl ecparam -name secp160r1 -genkey -noout -out secp160r1-key.pem

With this one you get the public key based on the previous private key:
openssl ec -in secp160r1-key.pem -pubout -out secp160r1-pub-key.pem

And this is the same as the previous one, but to create the public key in DER format:
openssl ec -in secp160r1-key.pem -pubout -outform DER -out secp160r1-pub-key.der

Regards

4

(6 replies, posted in wolfSSL)

I'm trying to load the public key from a file generated by openssl. In this case the idea is to load the key using the website embedded in my uC-powered board and store it in a non-volatile memory. So, even though I could deal with certificates, in my case loading it directly would be much easier.

However, as I said, having a way to convert from DER/PEM to X9.63 would be enough for me.

Regards

5

(6 replies, posted in wolfSSL)

Although you can load a private ECC key from a DER/PEM file, there is no such option for public keys. You can import it by having it in ANSI X9.63 format, but I don't know how to convert an openssl-generated key to this specific format.

So, I'd like to know what to do, that is:
- how to convert from DER/PEM to X9.63, or
- how to load directly from DER/PEM.

Regards
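As an added example (not from the original posts, wolfSSL or OpenSSL), here is a small Python parser that takes the DER SubjectPublicKeyInfo written by `openssl ec -pubout -outform DER` (or the PEM variant) and extracts the ANSI X9.63 uncompressed point, `0x04 || X || Y`, which is the byte string an X9.63 public-key import expects. The secp160r1 sample key inside it is constructed for the demo: its X and Y are arbitrary bytes, not a real point on the curve.

```python
import base64
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey 1.2.840.10045.2.1
OID_SECP160R1 = bytes.fromhex("2b81040008")          # secp160r1 1.3.132.0.8

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = length-of-length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def spki_to_x963(der: bytes) -> bytes:
    """Extract the uncompressed point from an id-ecPublicKey SubjectPublicKeyInfo."""
    tag, spki, _ = parse_tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = parse_tlv(spki)         # AlgorithmIdentifier (curve OID not checked here)
    oid_tag, oid, _ = parse_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != OID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey SubjectPublicKeyInfo")
    tag, bitstr, _ = parse_tlv(spki, pos)   # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0x00:
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    point = bitstr[1:]                      # drop the unused-bits octet
    if point[0] != 0x04 or len(point) % 2 != 1:
        raise ValueError("only uncompressed points (0x04 || X || Y) are handled")
    return point

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))

def make_sample_spki(point: bytes) -> bytes:
    """Build a secp160r1 SubjectPublicKeyInfo around a constructed point (test input)."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY) + der_tlv(0x06, OID_SECP160R1))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + point))
# Constructed sample: arbitrary 20-byte X and Y for a 160-bit curve, not a real point.
SAMPLE_POINT = b"\x04" + bytes(range(1, 21)) + bytes(range(101, 121))
SAMPLE_DER = make_sample_spki(SAMPLE_POINT)
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END PUBLIC KEY-----\n"
```

The 41 bytes returned for a 160-bit curve are exactly the buffer a wolfSSL X9.63 import such as `wc_ecc_import_x963()` takes; the curve OID inside the AlgorithmIdentifier is skipped here, so check it separately if the key must be pinned to secp160r1.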