226 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi Octopus01,

After the call to `wc_InitCert` you need to set subject, serial number, sigType and key usage for "keyCertSign". See example here: https://github.com/wolfSSL/wolfssl/blob … t.c#L12504

If you are using a self-signed certificate for the client mutual authentication then the server side needs to load this same certificate using `wolfSSL_CTX_load_verify_buffer`.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

227 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi Octopus01,

We have some good TLS examples here:
https://github.com/wolfSSL/wolfssl-exam … master/tls

The certificate is missing all the subject information (like common name). I suspect this certificate does not meet the requirements for TLS mutual auth. How did you generate this certificate?

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

228 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi Octopus01,

Perhaps double check the use of `wolfSSL_CTX_trust_peer_buffer` on the client side. You should be using `wolfSSL_CTX_load_verify_buffer`. The -155 (ASN_NO_SIGNER_E) indicates the provided peer (server in this case) certificate could not be verified. If you want to bypass that check most users alter the `wolfSSL_set_verify` API call to use `WOLFSSL_VERIFY_NONE`, however this will bypass all peer certificate checking, so use it with caution.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

229 Reply by dgarske

(2 replies, posted in wolfCrypt)

Hi RyVel,

My first guess is a FIPS boundary check hash issue. If HAVE_FIPS (--enable-fips=v2) is set you must update the fips boundary hash in fips_test.c. See https://www.wolfssl.com/docs/fips-ready-user-guide/

Using a test seed won't cause this error, however a failure with the DRBG such as SHA256 returning FIPS_NOT_ALLOWED_E would.

Please review the FIPS ready user guide and let us know if that doesn't resolve it.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

230 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi akhi_gangwar,

You can debug the certificates being sent using the verify callback.

1. Add build option: WOLFSSL_ALWAYS_VERIFY_CB
2. Set callback function 

wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);

3. Pull in code like this to show the certificates: https://github.com/wolfSSL/wolfssl/blob … st.h#L1755

Then you can pinpoint which certificate is causing it.

Another option is to locally test the AWS connection and use Wireshark to view the peer's certificates.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

231 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Scott,

We have several CSR generation and signing examples here:
https://github.com/wolfSSL/wolfssl-exam … er/certgen

The device would have a copy of the CA certificate (public info) to define as "trusted" to validate the peer.

A device would either have a key provisioned at factory or generate one and then generate a CSR for signing by a CA. A certificate is based on a key either RSA or ECC typically. During a TLS connection the certificate is presented and the key associated with it signs data to validate they own the key.

On the CA signing side we have some good scripts here:
https://github.com/wolfSSL/wolfTPM/blob … certreq.sh

Let me know if you have any issues or questions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

232 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi akhi_gangwar,

Can you share the device certificate? Are you sure there are not other certificates in the chain presented that would expire then? AWS provides like 4 certificates in the chain.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

233 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi j3ll3,

I found a couple things.

1. The wolfSSL example server will not load the "-A v2g_root.cert.pem" if "-d" is provided. Without the CA loaded it will not be able to setup an OCSP certificate request.

2. Looks like you will need to load the -A as a chain for now. Two PEM's combined with Int CA -> Root CA. I put up a fix for this issue here:
https://github.com/wolfSSL/wolfssl/pull/3299

3. The example/server/server loads internal OCSP certificates for testing that may throw off your test. Feel free to comment out that section for testing. https://github.com/wolfSSL/wolfssl/blob … er.c#L2065

Here is the tests I ran that worked:

openssl ocsp -index index.txt -port 8080 -rsigner ocsp_root.cert.pem -rkey ocsp_root.key.pem -CA v2g_root.cert.pem -text -ndays 7

./examples/server/server -c cpo_sub_1.cert.pem -k cpo_sub_1.key.pem -A v2g_root.cert.pem -b -o
openssl s_server -cert cpo_sub_1.cert.pem -key cpo_sub_1.key.pem -CAfile v2g_root.cert.pem -accept 11111 -status_verbose

./examples/client/client -A v2g_root.cert.pem -x -W 3

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

234 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi eli.hughes,

Thanks for sharing these findings. I also hope other folks on the Cortex M will see this. The SP WOLFSSL_SP_ARM_CORTEX_M_ASM option is quite impressive for RSA/DH/ECC math speedups because it uses hand written assembly.

I will suggest to marketing we make this into a blog post.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

235 Reply by dgarske

(2 replies, posted in General Inquiries)

Hi srihari,

Make sure you have the wolfssl root directory in your include path...

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

236 Reply by dgarske

(1 replies, posted in General Inquiries)

Hi srihari,

See section 3 of the user manual:
https://www.wolfssl.com/docs/wolfssl-manual/ch3/

3.6 ECHOCLIENT EXAMPLE
3.3 CLIENT EXAMPLE

These are calling the examples/echoclient and example/client here:
https://github.com/wolfSSL/wolfssl/tree/master/examples

The echo sends data and expects the same data back from echo server.

The simple client sends a Hello and expects a I hear you. It can also use the "-g" option to send a sample HTTP GET.

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

237 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi j3ll3,

The -188 error indicates the certificate could not be tied back to a trusted CA. Perhaps a missing intermediate? Is it possible to share the wireshark and the certificates used? If you'd like to send them directly you can use support@wolfssl.com.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

238 Reply by dgarske

(1 replies, posted in General Inquiries)

Hi kbarb,

Did you happen to see the instructions for HiFive Unleashed here?
https://github.com/wolfSSL/wolfssl/tree … -UNLEASHED
https://github.com/wolfSSL/wolfssl/tree … -compiling

The errors above look like either libc or sysroot target/host mismatch issue with cross-compiling.  Perhaps try using `--with-sysroot=` instead of manually putting it into "CFLAGS"-I..."?

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

239 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi Scoobi_FreeBSD,

If you define single threaded it just means you will not use the same WOLFSSL_CTX or WOLFSSL object from more than one thread at a time. You could have separate instances of those for multiple threads at the same time.

For the uITRON4 build issues I will have to defer to another engineer.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

240 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi anonazh228,

I believe you need to compile in the assembly versions of the code in `aes_asm.asm`. See the example project here: https://github.com/wolfSSL/wolfssl/blob … xproj#L343

And build options:
https://github.com/wolfSSL/wolfssl/blob … ings.h#L52

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

241 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi srihari,

Looks like "rl_fs.h" is for the file system and is not part of wolfSSL.

If you do not have that support in your platform then define "NO_FILESYSTEM" to disable it.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

242 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi Scoobi_FreeBSD,

You can also build with "SINGLE_THREADED" defined to disable threading / mutex support. What Renesas uiTRON headers are not found when using WOLFSSL_uITRON4?

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

243 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Scoobi_FreeBSD,

See our "More Downloads" page. https://www.wolfssl.com/download/downloadMoreForm.php
Microchip_ATECC_Demos.zip

You are correct that `WOLFSSL_ATMEL` is specific to the ASF and you are not required to set `WOLFSSL_ATMEL` to use the ATECC508A/608A code.

#if defined(WOLFSSL_ATMEL) || defined(WOLFSSL_ATECC508A) || \
    defined(WOLFSSL_ATECC608A) || defined(WOLFSSL_ATECC_PKCB)

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

244 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi akhi_gangwar,

The -155 "RSA_FUNCTION MP_EXPTMOD_E: memory/config problem" means either stack too small or FP_MAX_BITS is not set large enough. If you have FP_MAX_BITS 8192 you should be good with fast math.

Did you try the SP version of our math. It's much much faster and memory efficient.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

245 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi akhi_gangwar,

That sounds like a stack issue. The fast math option uses stack for the math variables. Setting the FP_MAX_BITS to 8192 is correct (double max key size). But you'll also need to make sure your task or linker script increases the allowed / reserved stack space. By disabling fast math it uses heap. The normal math is slower because of the extra malloc/free calls.

You might also try using our single precision small math option with these options:

#define WOLFSSL_SP
#define WOLFSSL_SP_SMALL      /* use smaller version of code */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096       /* enable 4096-bit */
//#define WOLFSSL_SP_MATH     /* only SP math - eliminates integer/tfm math code, so only standard curves/key sizes are supported */
//#define WOLFSSL_SP_ASM      /* enable the assembly speedup */
//#define WOLFSSL_SP_ARM_CORTEX_M_ASM /* optional cortex-m speedups */

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

246 Reply by dgarske

(8 replies, posted in wolfCrypt)

Hi Scotty2541,

The most common reasons for this is:

1) The signature has the ASN.1 encoding. See WC_SIGNATURE_TYPE_RSA_W_ENC, wc_SignatureDerEncode or wc_EncodeSignature.

Can you share a snippet of the code you are using?

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

247 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi rahila_shams,

The difference between DH and ECC is the asymmetric algorithm used for securely deriving a shared secret. If DH is disabled only ECDH(E) cipher suites are available.

For setting the build option I recommend using our user_settings.h and WOLFSSL_USER_SETTINGS to define NO_DH. See our first FAQ item here: https://www.wolfssl.com/docs/frequently … r_wolfSSL?

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

248 Reply by dgarske

(1 replies, posted in wolfMQTT)

Hi srihari,

We have a new STM Cube pack that you can use to generate a project for your STM hardware.

See https://www.wolfssl.com/docs/stm32/ for instructions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

249 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi sergiop,

Thanks for this report. I will setup a test case for this and validate. I would expect that sequence of openssl compatibility calls to work.

Also we have an example for setting up a TLS proxy with native wolfSSL API's. I'm emailing you that example.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

250 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi sergiop,

The word `template` is reserved with some compilers. This has already been renamed to `tpl` post v4.4.0 release here:
https://github.com/wolfSSL/wolfssl/pull/2921

I just pushed the fix for the missing `X509_add_ext` to PR:
https://github.com/wolfSSL/wolfssl/pull/3199

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL