Hi Melek,
Yes, thanks for correcting me. You are right - the ecc_export_x963() function exports the ECC key to X9.63 format, not DER. wolfSSL embedded SSL doesn't currently have a function to export the generated key to DER.
Regards,
Chris
You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by chrisc
Hi Melek,
Yes, thanks for correcting me. You are right - the ecc_export_x963() function exports the ECC key to X9.63 format, not DER. wolfSSL embedded SSL doesn't currently have a function to export the generated key to DER.
Regards,
Chris
Hi Doug,
We recently put together several simple wolfSSL examples - some of which included DTLS examples. You can find them here:
https://github.com/wolfSSL/wolfssl-examples
Do you see the same problem when using the DTLS examples from there?
Thanks,
Chris
Hi Marvin,
Can you re-test with the current wolfSSL version? It looks like you were getting an ASN parse error. We recently fixed an area which had been causing a parse error with some optional constraints.
Thanks,
Chris
Hi Frank,
Will you need functionality from asn.c/.h, or just functionality from rsa.c/.h?
It looks like rsa.c can be compiled individually as long as you include the following files as well:
arc4.c
integer.c
memory.c
random.c
rsa.c
This uses the normal big integer math library (integer.c). To use the fastmath library instead, you'd use tfm.c instead of integer.c.
In ParseCertRelative() and ParseCRL() in asn.c use GetCA() and GetCAByName() which are located in ssl.c.
Best Regards,
Chris
Hi Cyberrobot,
Yes, wolfSSL requires that the root CA certificate be loaded in order to verify the peer's certificate. If there are intermediate certificates in the chain as well, but the peer doesn't send them, wolfSSL will need to have those intermediate certs loaded as well (in order to verify the integrity of the cert chain).
For example, if you have a cert chain that looks like:
RootCA -> IntCA -> Peer
If you only load RootCA into a wolfSSL server, and the peer only sends "Peer", wolfSSL won't be able to verify the chain unless "IntCA" is loaded as well.
It looks like https://www.microsoft.com is signed by the "Baltimore CyberTrust Root". It looks like you may have the wrong root CA for the microsoft server. Maybe they updated it after your cert bundle was created?
I usually use the "openssl s_client" command to view the certificate chain for a given server. For example, to view the cert chain for microsoft.com, you could do:
openssl s_client -connect microsoft.com:443 -showcerts
Which shows the cert chain and the root CA as the "Baltimore CyberTrust Root".
Best Regards,
Chris
Hi JhihPing,
Our certificate generation functionality doesn't currently support adding Subject Key Identifier or Authority Key Identifier options yet. How important is this functionality for you?
Thanks,
Chris
Hi,
Can you verify that you have the correct CA certificate loaded for Google? I have attached the one which works for me.
Thanks,
Chris
Hi Santa,
Can you clarify - are you looking to call wolfSSL from your PHP code directly? If so, I haven't had any experience calling native C libraries from PHP code. From a few searches, it looks like it might be possible to call native C code from PHP using SWIG or Zend extensions.
Thanks,
Chris
Hi Alex,
In Visual Studio, you'll need to add the HAVE_AESCCM define to the list of preprocessor defines in your project properties in order to enable AES-CCM support.
Best Regards,
Chris
Hi,
CyaSSL 3.1.0 has been released and is now available for download from the wolfSSL website (http://www.wolfssl.com/yaSSL/Download.html). This release includes bug fixes and new features including:
- Fix for older versions of icc without 128-bit type
- Intel ASM syntax for AES-NI
- Updated NTRU support, keygen benchmark
- FIPS check for minimum required HMAC key length
- Small stack (--enable-smallstack) improvements for PKCS#7, ASN
- TLS extension support for DTLS
- Default I/O callbacks external to user
- Updated example client with bad clock test
- Ability to set optional ECC context info
- Ability to enable/disable DH separate from opensslextra using --enable-dh and --disable-dh
- Additional test key/cert buffers for CA and server, located in certs_test.h
- Updated example certificates
Please see the README and our on-line documentation for more information or feel free to contact us.
CyaSSL Manual: http://www.yassl.com/yaSSL/Docs-cyassl-manual-toc.html
Hi Stanleyman,
At the moment, we have only tested it under Linux/Unix and OS X environments. You may be able to use a unix-like shell for Windows such as Cygwin.
Best Regards,
Chris
Hi Stanleyman,
We do have a simple Java SSL/TLS server available in our "wolfSSL JNI" download package. The example uses our JNI wrapper instead of the regular Java API's. You can download the JNI wrapper bundle here:
http://yassl.com/yaSSL/download/downloadForm.php
Best Regards,
Chris
Hi pcu,
STM32F2_CRYPTO doesn't have the same problem with multiple block cipher contexts since the functionality of each call is stored into the respective wolfCrypt structure (ie: Aes, Des, etc.).
I don't think a mutex would solve the issue, since the limitation isn't necessarily just with access to the hardware hash module, but more with the internal state of the hash module.
Best Regards,
Chris
Hi Marvin,
Do you have more details about the connection failure? Can you try enabling debug messages in CyaSSL?
Thanks,
Chris
Hi Brian,
We have not yet added support for secure renegotiation to wolfSSL embedded SSL.
Best Regards,
Chris
Yun,
Glad to hear you found the correct link.
Best Regards,
Chris
Hi Cache,
We recently updated our SSL Tutorial code. Can you try again using our most up to date version, available here:
http://www.wolfssl.com/documentation/ss … al-2.1.zip
Thanks,
Chris
Hi cyberrobot,
Are you still having problems with finding the correct root certificate to load to verify the server you are connecting to?
Best Regards,
Chris
Hi zhbn,
See the example referenced in the response to this post:
http://www.yassl.com/forums/topic548-i- … -code.html
Best Regards,
Chris
Hi zhbn,
You can load a server's RSA private key into a wolfSSL server using the following function:
int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file,int format)
This function is able to accept both PEM and DER formatted keys, using SSL_FILETYPE_PEM for the "format" argument with PEM encoded keys and SSL_FILETYPE_ASN1 for the "format" argument for DER encoded keys.
Best Regards,
Chris
Hi zhbn,
For an example of using CyaSSL key and certificate generation, you can reference the rsa_test() function in <cyassl_root>/ctaocrypt/test/test.c, specifically the code inside of the CYASSL_KEY_GEN and CYASSL_CERT_GEN #ifdef blocks.
CyaSSL will need to be compiled with --enable-certgen to enable certificate generation and --enable-keygen if you want to do RSA key generation.
Best Regards,
Chris
Hi zhbn,
The RsaPublicKeyDecode() function requires the input buffer (input) to be in DER format, with size specified by "inSz".
Best Regards,
Chris
Hi cyberrobot,
If you define KEEP_PEER_CERT when compiling wolfSSL, you should be able to use the following function to get the CommonName from a CYASSL_X509*:
char* CyaSSL_X509_get_subjectCN(CYASSL_X509* x509)
Best Regards,
Chris
Hi zhbn,
Is your goal to build against wolfSSL's OpenSSL compatibility layer, or to convert your application over to the native wolfSSL API completely?
In the case of the former, oftentimes a good first approach is to try linking against the wolfSSL library (compiled with the OpenSSL compatibility layer enabled), and then view the feature / function gaps. This usually lets you begin to get a scope for the project.
Best Regards,
Chris
Hi zhbn,
It sounds like the server you are testing against is only using TLS 1.2. Are you testing against the wolfSSL embedded SSL example server?
If you would like to use SSL 3.0 with the wolfSSL example server, you can change the protocol version used with the "-v" option, i.e.:
./examples/server/server -v 0
Best Regards,
Chris
wolfSSL - Embedded SSL Library → Posts by chrisc
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.027 seconds (66% PHP - 34% DB) with 5 queries