301 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi pm_vnct,

Your steps for certificate and key generation look correct. The DER format should be loaded with the `WOLFSSL_FILETYPE_ASN1` option as you are doing. The -4 option is `WOLFSSL_BAD_FILETYPE`, which would happen if the format was invalid.

Here is how the use private key buffer call should look:

wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, (long)sz, WOLFSSL_FILETYPE_ASN1);

For the connection to work you also need the peer to load the CA as trusted using the wolfSSL_CTX_load_verify_buffer API. You will also need to load the client certificate using wolfSSL_CTX_use_certificate_buffer.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

302 Reply by dgarske

(8 replies, posted in wolfSSL)

Hi coco21,

We've started a dialog with Hex-Five here: https://github.com/hex-five/multizone-s … /issues/65
Feel free to join the discussion.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

303 Reply by dgarske

(8 replies, posted in wolfSSL)

Hi coco21,

Make sure:

1. Your Makefile/build script defines the `WOLFSSL_USER_SETTINGS` macro (CFLAGS="-DWOLFSSL_USER_SETTINGS"). This will make sure the user_settings.h configuration is included and the same build configuration is used.

2. You include <wolfssl/wolfcrypt/settings.h> in your application code prior to any other wolfSSL headers.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

304 Reply by dgarske

(8 replies, posted in wolfSSL)

Hi coco21,

Thanks for the issue report.

The user_settings.h https://github.com/hex-five/multizone-s … ngs.h#L218 has `HAVE_FFDHE_4096` set, which would require `FP_MAX_BITS` = 4096*2 or 8192.
Options are:
1. Comment out `HAVE_FFDHE_4096` to disable 4096-bit DH support.
2. Change `FP_MAX_BITS` to 8192.

We'll make sure this gets fixed in the HexFive demo.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

305 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi pm_vnct,

You are on the right track. If you register IO callbacks using `wolfSSL_CTX_SetIORecv` and `wolfSSL_CTX_SetIOSend`, then return `WOLFSSL_CBIO_ERR_WANT_READ` or `WOLFSSL_CBIO_ERR_WANT_WRITE` it will go up to the original caller wolfSSL_connect, wolfSSL_read or wolfSSL_write. This allows you to check for the return code, do other work and call again.

Here is an example for using the callbacks with want read/write:
https://github.com/wolfSSL/wolfssl-exam … callback.c

Here is an example for non-blocking:
https://github.com/wolfSSL/wolfssl-exam … ing.c#L136

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

306 Reply by dgarske

(6 replies, posted in wolfSSL)

Hi harish.reddy,

Can you also tell us a bit about the build environment you are using such as compiler, IDE and RTOS?

I'm guessing you are building the sources directly. Make sure you have added the wolfssl-root to your include path. All our code include references the root. `CFLAGS="-I<wolfssl-root>"`. For build configuration I recommend defining `WOLFSSL_USER_SETTINGS` and having your own `user_settings.h` file. You can find a good article for this here:https://www.wolfssl.com/how-do-i-manage-the-build-configuration-of-wolfssl/

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

307 Reply by dgarske

(6 replies, posted in wolfSSL)

Hi harish.reddy,

We have a good AES CBC example here, which can be adopted to GCM:
https://github.com/wolfSSL/wolfssl-exam … -encrypt.c

Our AES GCM wolfCrypt test is here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L7225

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

308 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi rndtk9,

The certificate chain presented by peer should have server cert first, then intermediates, then root.

From src/ssl.c line 4779:

/* Chain should have server cert first, then intermediates, then root.
* First certificate in chain is processed below after ProcessUserChain
*   and is loaded into ssl->buffers.certificate.
* Remainder are processed using ProcessUserChain and are loaded into
*   ssl->buffers.certChain. */

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

309 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi Kit,

The call to generate an ECC shared secret uses an encrypted channel with requires a paired encryption key. The default wolfSSL examples use `atmel_get_enc_key_default`, which is all 0xFF's. You should override this function with your own implementation and key. This can be done at build-time using `ATECC_GET_ENC_KEY`.

If you'd like to use a different slot for the ephemeral key generation you can override at build time with macro `ATECC_SLOT_ECDHE_PRIV` or at runtime by registering a slot allocator using `atmel_set_slot_allocator`.

You can test if its the encryption key by replacing the `atcab_ecdh_enc` with `atcab_ecdh` in `atmel_ecc_create_pms`.

Also the ATECC chips have a watchdog that will occur if the chip isn't put into idle state when done. You'll notice calls to `atcab_idle` in our wolfcrypt/port/atmel/atmel.c to resolve this.

Feel free to email us directly at support@wolfssl.com with your user_settings.h and logs. These emails get directed into our ZenDesk system and I'll make sure and grab the incoming ticket.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

310 Reply by dgarske

(2 replies, posted in wolfTPM)

Hi TonyM,

The TPM 2.0 specification uses the term "evict" to indicate desire to perist a key into a permanent handle. Example for Native is here:
https://github.com/wolfSSL/wolfTPM/blob … est.c#L638

The wolfTPM wrapper has lots of code examples for doing this here:
https://github.com/wolfSSL/wolfTPM/blob … ap.c#L1190
https://github.com/wolfSSL/wolfTPM/blob … est.c#L199

Most TPM's only have room for about 8 permanent keys. Another option is to use the output from TPM2_Create or TPM2_CreatePrimary, which is encrypted and store that on your device (with more storage) then use TPM2_Load to put into a temporary handle.

Thanks,
David Garske, wolfSSL

Go to forum: wolfTPM

311 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi faberge,

Thanks for your interest in wolfSSL! It sounds like you are 99% of the way there.

The call to read 5 bytes is to get the TLS header, which indicates the total size of the TLS packet. So the next read will be the remainder of the TLS packet. Perhaps you can share a bit more about the code used in your read and write callbacks? You can find our default IO callback functions here: https://github.com/wolfSSL/wolfssl/blob … io.c#L194.

Make sure you are properly handling a non-blocking case, which you would need to return `WOLFSSL_CBIO_ERR_WANT_READ`.

Another common pitfall (depending on your transport layer) is some stacks require getting the entire packet in which case you'd need to cache the remainder of the TLS packet for the read after the 5 byte header.

If you still need help debugging this please provide debug logs, wireshark trace and code snippets for review. If you'd like to keep those private you can email us directly at support@wolfssl.com and reference this forum link.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

312 Reply by dgarske

(5 replies, posted in wolfMQTT)

Hi Peter,

Thanks for the excellent question! We are working on an enhancement right now to add the ability to chunk large publish messages being sent. The engineer working on this is Eric B. He will be following up with you shortly.

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

313 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi Paul,

We will look into supporting this feature. I've started an email thread with another engineer. Your code may be valid, but wolfSSL doesn't yet support the serial number as part of the multi-attrib.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

314 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

The code changes to use multi-attrib for serial number are not valid. In fact the serial number field is different all-together and is not encoded into a CSR.

If you'd like to have a unique identifier in the certificate typically that goes into one of the subject fields such as common name. The only valid mult-attrib fields are: ASN_ORGUNIT_NAME and ASN_DOMAIN_COMPONENT.

Example here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L8564

If you are going to use the multi-attrib fields then make sure the csr.c `CertName myCertName` is not const (I see you made it static above, which is fine).

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

315 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi ePaul,

We've pushed an example for using large data with PKCS 7 sign/verify here:
https://github.com/wolfSSL/wolfTPM/pull/32

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

316 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi ePaul,

We recently enhanced PKCS7 to support signing a large file using a computed hash and known total size. The wolfSSL pull request is here: https://github.com/wolfSSL/wolfssl/pull/1780
This works by computing the hash and providing it to the new wc_PKCS7_EncodeSignedData_ex API. It returns a header and footer that surrounds the original data.

I will post a wolfTPM example for using this shortly.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

317 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi Paul,

The CSR should not contain a serial number. The serial number is assigned by the CA when it gets signed.

I will however take a look at your example and see if there is an issue that needs fixed around CSR gen with serial number provided.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

318 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

You can do whichever is easier for you.

To clone the branch use:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
git fetch origin pull/1805/head:fix_csr
git checkout fix_csr

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

319 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

Thanks for the bug report. I was able to reproduce your issue and identiy the cause. I've pushed a wolfSSL fix for this issue here (https://github.com/wolfSSL/wolfssl/pull/1805). It was a new issue that happened after we added some additional fields to support BusinessUnit.

I'm located in PDT (UTC -7).

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

320 Reply by dgarske

(2 replies, posted in wolfCrypt)

Hi Ehsan,

The RSA key generation is a very intensive operation. Even on a top end Intel i7 part is takes almost 1 second. Generating an RSA 2048-bit key requires two 256 byte prime numbers. It requires a large amount of RNG data. I suspect it appears to hang, but its still running.

Example:

./configure --enable-keygen && make
./wolfcrypt/benchmark/benchmark -rsa-kg
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RSA     1024 key gen         8 ops took 1.058 sec, avg 132.305 ms, 7.558 ops/sec
RSA     2048 key gen         3 ops took 2.862 sec, avg 954.070 ms, 1.048 ops/sec

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

321 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

To build you'll need to use:

./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptodev --enable-opensslextra=x509small CFLAGS="-DTIME_T_NOT_LONG  -DWOLFSSL_MULTI_ATTRIB"
make
sudo make install
sudo ldconfig

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

322 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

To resolve the build error in our api.c unit test you can build with the `./configure CFLAGS="-DTIME_T_NOT_LONG"` option. This uses a 32-bit time type.

For the wolfTPM question on creating a Certificate Signing Request you can find the complete example here:
https://github.com/wolfSSL/wolfTPM/blob … /csr/csr.c

Let us know if you have any other issues or questions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

323 Reply by dgarske

(3 replies, posted in wolfCrypt)

Hi AdoraKalb,

That sounds like an issue with not providing enough stack space to the FreeRTOS thread on the xTaskCreate. Try increasing the stack size for that task and let us know if that helps.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

324 Reply by dgarske

(2 replies, posted in General Inquiries)

Hi kjjy,

The actual function name is `wc_EccKeyToDer`.
https://github.com/wolfSSL/wolfssl/blob … lic.h#L402

The old Cyassl used `EccKeyToDer` and is deprecated here:
https://github.com/wolfSSL/wolfssl/blob … blic.h#L71

To use this you must have ECC enabled:
`./configure --enable-ecc` or `#define HAVE_ECC`.

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

325 Reply by dgarske

(2 replies, posted in General Inquiries)

Hi kjjy7,

If you are using ./configure you do not need to use user_settings.h. The ./configure outputs a build configuration file to wolfssl/options.h. You can use this file as a template for user_settings.h if you are building the sources directly (without ./configure).

If you are building sources directly then you can define WOLFSSL_USER_SETTINGS and add a user_settings.h file to your include path. There is an excellent template for this here: https://github.com/wolfSSL/wolfssl/blob … settings.h

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries