551

(5 replies, posted in wolfSSL)

Is there a way to convert the generated RSA key into PKCS #8 format using cyassl?

CyaSSL doesn't currently have this feature, no.  You'll need to save the generated key to a file and then use the OpenSSL command line utility to convert it to PKCS#8 format.

Just out of curiosity, what kind of project are you working on where you are using Crypto++ with CyaSSL?  Are you able to use CTaoCrypt instead?

Best Regards,
Chris

552

(14 replies, posted in wolfSSL)

Hi mkey,

It looks like verification of the peer certificates is failing - possibly due to the incorrect CA cert being loaded.  Can you verify once again that you converted the certificate (Equifax_Secure_Certificate_Authority_DER.cer) to PEM format before loading it with CyaSSL_CTX_load_verify_locations(), and that this is the CA cert you are loading?

You can convert the certificate using the OpenSSL command line tool:

openssl x509 -inform der -in Equifax_Secure_Certificate_Authority_DER.cer -out Equifax_Secure_Certificate_Authority.pem

Chris

553

(3 replies, posted in wolfSSL)

Hi jammers,

We just pushed a patch to our GitHub repository which should solve several of the problems you are encountering.  You can find the patch here (https://github.com/cyassl/cyassl/commit … ef42bd1667).  This patch adds an include for <cyassl/ctaocrypt/settings.h> in wolfSSL's crypto.h file.  It also implements SSL_get_cipher() which is needed by ssmtp.

In addition to using the new patch, you'll need to switch "-lssl -lcrypto" for "-lcyassl" in configure.in.

Where is the modified stunnel and light-httpd sources referenced in the forum?
I can't see those downloads anywhere on this site.

You can find instructions to build lighttpd 1.4.23 with wolfSSL in the wolfSSL README file included in the download.  I believe the last time we looked at stunnel compatibility was with stunnel 4.31 and wolfSSL 1.4.0.  Is this something you will be needing?

Regards,
Chris

554

(5 replies, posted in wolfSSL)

Hi Nitin,

... the test.c file uses the same key to sign and verify. Am I missing something here?

An RSA private key contains the public key, therefore CyaSSL is able to use it as both the public and private key as used in test.c.  You can load a separate public key using RsaPublicKeyDecode if you would like.  Apart from this, RsaSSL_Sign and RsaSSL_Verify are just inverse operations to the RsaPublicEncrypt and RsaPrivateDecrypt functions described in the CTaoCrypt Usage Reference.

Also,  http://yassl.com/yaSSL/Docs-cyassl-manu … cates.html shows how to generate an RSA key. This is a private key. What about public key??

CTaoCrypt doesn't currently have functionality to generate an individual public key (but the private key does contain the public key, as mentioned above).  The reasoning behind this is that for SSL, the private key and the public key in the form of a certificate is all that is needed.  You could use the OpenSSL command line utility to generate an individual public key based off your private key if needed.

Regards,
Chris

555

(14 replies, posted in wolfSSL)

Glad to hear you got it worked out.  So, things are working correctly now?

- Chris

Hi,

Can you try using the most recent CyaSSL sources from GitHub (https://github.com/cyassl/cyassl) and see if your issue is resolved?  We recently made some changes to how CyaSSL processes CA certificates.  Please let me know if you are still having troubles.

Best Regards,
Chris

557

(3 replies, posted in wolfSSL)

Hi jammers,

How did you configure the wolfSSL library?  Are you using version 2.0.2 of wolfSSL?

Regards,
Chris

558

(4 replies, posted in wolfSSL)

Hi protocold,

You can build only the CyaSSL embedded SSL library (excluding examples, testsuite, etc.) by issuing the following after ./configure:

make src/libcyassl.la

Regards,
Chris

559

(14 replies, posted in wolfSSL)

Hi mkey,

Can you try testing your code with the most recent CyaSSL code on GitHub (https://github.com/cyassl/cyassl)?  We've changed a few things regarding CA Basic Constraints recently which looks like it might make a difference.  Also, note that you can build CyaSSL with --enable-debug and then call CyaSSL_Debugging_ON() from your application for more verbose debug information from CyaSSL.

As you know, set SSL_VERIFY_PEER, using:

CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);

It looks like you have found the correct certificate chain, yes.  I downloaded the Equifax Secure Certificate Authority from here:  https://www.geotrust.com/resources/root-certificates/.

With CyaSSL (version >= 2.0), only the top or root certificate of the chain is required to be loaded as a trusted certificate in order to properly verify the chain.  So, in your case, you could load the Equifax CA cert like this (where equifaxCert is the path to your Equifax CA Cert):

CyaSSL_CTX_load_verify_locations(ctx, equifaxCert, 0)

This will return SSL_SUCCESS upon success.  I tried this using our example client after making the above cert modifications (./examples/client/client pop.gmail.com 995) and it was able to connect to pop.gmail.com.

Note: the function CyaSSL_Init according to the manual returns a "1" if successful, while in fact it returns a 0 if everything went OK.

Thanks for the heads up on this.  We'll make sure the docs and/or code get changed to clear this up.

Regards,
Chris

560

(6 replies, posted in wolfSSL)

Hi Pedro,

CyaSSL_CTX_load_verify_buffer() returns SSL_BAD_FILE.

I believe this is due to the way you have entered your certificate string.  Try only separating lines with a newline (\n), and add a newline character after the closing "-----END CERTIFICATE-----" as well.  So, your corrected cert string would be:

const char cert[]= "-----BEGIN CERTIFICATE-----\nMIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ\nBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh\nc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy\nMTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp\nemVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X\nDTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw\nFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg\nUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo\nYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5\nMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB\nAQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4\npO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0\n13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk\nU01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i\nF6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY\noJ2daZH9\n-----END CERTIFICATE-----\n";

One thing to keep in mind is that you can turn on CyaSSL debugging by configuring CyaSSL with the "--enable-debug" option.  This will give you a much more verbose output of what is happening with CyaSSL.  After building CyaSSL with this enabled, you can turn on debug messages in your application by calling:

CyaSSL_Debugging_ON();

After you get your certificate to load (PCA-3G2.pem), you will probably run into another problem where CyaSSL doesn't think it is actually a CA certificate.  This is due to it lacking the CA:TRUE basic constraint.  If you would still like to use this certificate, you can download our current GitHub source package (https://github.com/cyassl/cyassl) which will allow this certificate to be imported as a CA cert.

*The CyaSSL API reference states CyaSSL_Init() returns SSL_SUCCESS (1) on success which, looking at the code, is wrong. It returns 0 when no error is found.

Thanks for the heads up on this.  We'll make sure to get this cleared up.

Let me know if this helps.  By the way, what kind of project are you working on for the Wii?

Best Regards,
Chris
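Both this reply and the earlier one about CA Basic Constraints turn on whether a certificate actually carries the CA:TRUE basic constraint that a library like CyaSSL checks before accepting it as a trust anchor. The following is an added example, not CyaSSL's or wolfSSL's code: a small C routine that locates the BasicConstraints extension (OID 2.5.29.19) in a DER buffer and reports CA:TRUE, CA:FALSE, or absent. It is a simplification in that it finds the extension by scanning for its encoded OID rather than walking the whole Certificate structure, and it handles DER lengths of at most two long-form bytes. The byte arrays are constructed extension fragments, not real certificates; the DER of a real certificate (e.g. from openssl x509 -outform der) would be passed to the same function.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for basic_constraints_ca(). */
enum { BC_CA_TRUE = 1, BC_CA_FALSE = 0, BC_ABSENT = -1, BC_MALFORMED = -2 };

/* id-ce-basicConstraints (2.5.29.19) as encoded in DER: tag 06, length 3, 55 1D 13 */
static const uint8_t BC_OID[] = { 0x06, 0x03, 0x55, 0x1D, 0x13 };

/* Constructed samples (assumed, not real certificates): each is a single
 * Extension SEQUENCE { extnID, critical?, extnValue OCTET STRING { BasicConstraints } }. */
const uint8_t CA_EXT[]    = { 0x30,0x0F, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF,
                              0x04,0x05, 0x30,0x03, 0x01,0x01,0xFF };          /* cA = TRUE */
const uint8_t NONCA_EXT[] = { 0x30,0x0C, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF,
                              0x04,0x02, 0x30,0x00 };                          /* empty: cA defaults FALSE */
const uint8_t NOEXT_DER[] = { 0x30,0x03, 0x02,0x01,0x05 };                     /* no extension at all */

/* Read a DER length at der[*i], advance *i, return the length or -1 if malformed
 * or longer than the two long-form bytes this example supports. */
static int der_len(const uint8_t *der, size_t n, size_t *i) {
    if (*i >= n) return -1;
    uint8_t b = der[(*i)++];
    if (b < 0x80) return b;                    /* short form */
    int bytes = b & 0x7F;
    if (bytes == 0 || bytes > 2 || *i + bytes > n) return -1;
    int len = 0;
    while (bytes--) len = (len << 8) | der[(*i)++];
    return len;
}

/* Report the cA flag of the BasicConstraints extension found in a DER buffer. */
int basic_constraints_ca(const uint8_t *der, size_t n) {
    for (size_t i = 0; i + sizeof BC_OID <= n; i++) {
        if (memcmp(der + i, BC_OID, sizeof BC_OID) != 0) continue;
        i += sizeof BC_OID;
        /* Optional "critical BOOLEAN" between the OID and the OCTET STRING. */
        if (i + 3 <= n && der[i] == 0x01 && der[i + 1] == 0x01) i += 3;
        /* extnValue is an OCTET STRING wrapping the BasicConstraints SEQUENCE. */
        if (i >= n || der[i++] != 0x04) return BC_MALFORMED;
        int olen = der_len(der, n, &i);
        if (olen < 0 || i + (size_t)olen > n) return BC_MALFORMED;
        size_t end = i + (size_t)olen;
        if (i >= end || der[i++] != 0x30) return BC_MALFORMED;
        int slen = der_len(der, n, &i);
        if (slen < 0 || i + (size_t)slen > end) return BC_MALFORMED;
        /* BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL } */
        if (slen >= 3 && der[i] == 0x01 && der[i + 1] == 0x01)
            return der[i + 2] != 0x00 ? BC_CA_TRUE : BC_CA_FALSE;
        return BC_CA_FALSE;                    /* cA omitted: DEFAULT FALSE applies */
    }
    return BC_ABSENT;
}

int main(void) {
    printf("CA_EXT    -> %d\n", basic_constraints_ca(CA_EXT, sizeof CA_EXT));
    printf("NONCA_EXT -> %d\n", basic_constraints_ca(NONCA_EXT, sizeof NONCA_EXT));
    printf("NOEXT_DER -> %d\n", basic_constraints_ca(NOEXT_DER, sizeof NOEXT_DER));
    return 0;
}
```

A result of BC_CA_FALSE or BC_ABSENT for a certificate you intend to load as a CA is exactly the situation the reply describes: the file may still be a perfectly valid end-entity certificate, but a verifier that enforces Basic Constraints has no grounds to treat it as an issuer.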

561

(6 replies, posted in wolfSSL)

Hi Pedro,

The build fails when trying to compile the client example (which is expected but somehow messy to fix and I wanted to know if there was a more straightforward way of doing this).

You can build only the CyaSSL library (no examples, testsuite, etc.) by running:

make src/libcyassl.la

Regarding CyaSSL_CTX_load_verify_buffer, can you check the return value?  This function will return SSL_SUCCESS upon success and a variety of other values upon failure (see the CyaSSL API Reference for return values, http://yassl.com/yaSSL/Docs-cyassl-manu … rence.html).  This will tell you if your certificate buffer is being loaded.  It does look like you are providing the correct parameters to the function.

What kind of message are you seeing when CyaSSL crashes?  Are you able to identify what part of InitSSL() is failing?

Regards,
Chris

562

(6 replies, posted in wolfSSL)

Hi Pedro,

DevkitPro support was added with CyaSSL rc2-1.0.0.  You can take a look at the CyaSSL README file (included in the CyaSSL download) for build instructions and more detailed information.  This will explain how to build and link with CyaSSL.  Please let me know if you run into problems.

Regards,
Chris

563

(15 replies, posted in wolfSSL)

Hi Nitin,

Just as pure guess work, I tried converting this key from PEM to DER and it worked!.. But, I'm not able to use these keys with the echo client and echo server examples..

The RsaPrivateKeyDecode() function only accepts keys in DER format (raw data).  To use the example echo client and echo server with DER-formatted keys, you will need to use the SSL_FILETYPE_ASN1 format instead of the SSL_FILETYPE_PEM format.  For example, the echo server would load a private key like this (where svrKey is a RSA key in DER format):

CyaSSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_ASN1)

Here are the OpenSSL commands that we typically use to generate test CA keys and certificates and create test CA-signed certs.  To create a CA key and certificate:

1.  openssl genrsa 1024 > ca-key.pem
2.  openssl req -new -x509 -nodes -sha1 -days 1000 -key ca-key.pem > ca-cert.pem

To create a server key and CA-signed server cert:

1.  openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
2.  openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Does this help?

- Chris
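The PEM string fix in the earlier reply about CyaSSL_CTX_load_verify_buffer (newline-only line separators, and a newline after the END line) and the note here that RsaPrivateKeyDecode() only accepts DER are two sides of the same thing: PEM is base64-encoded DER between marker lines. The following added example (my code, not CyaSSL's) decodes such a PEM certificate buffer to DER in plain C, rejects the separator mistakes the earlier reply describes, and checks that the result begins with the ASN.1 SEQUENCE tag every X.509 certificate starts with. The three PEM strings are constructed samples wrapping a five-byte dummy SEQUENCE, not real certificates; a real PEM certificate works the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----\n"
#define PEM_END   "-----END CERTIFICATE-----\n"

/* Result codes: a positive value is the DER length; negatives name the defect. */
enum { PEM_NO_BEGIN = -1, PEM_NO_END = -2, PEM_BAD_BASE64 = -3,
       PEM_NOT_SEQUENCE = -4, PEM_TOO_SMALL = -5 };

/* Constructed samples (assumed): base64 "MAMCAQU=" is the dummy DER 30 03 02 01 05. */
const char GOOD_PEM[]       = "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n";
const char NO_NEWLINE_PEM[] = "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----";
const char SPACE_PEM[]      = "-----BEGIN CERTIFICATE-----\nMAMC AQU=\n-----END CERTIFICATE-----\n";

/* Value of one base64 alphabet character, or -1 for anything else. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the PEM text in `pem` into `der` (capacity `cap`). Returns the DER
 * length, or a negative PEM_* code describing the formatting problem. */
int pem_to_der(const char *pem, uint8_t *der, size_t cap) {
    const char *start = strstr(pem, PEM_BEGIN);
    if (!start) return PEM_NO_BEGIN;
    start += strlen(PEM_BEGIN);
    /* The END marker must be present and followed by its own newline. */
    const char *end = strstr(start, PEM_END);
    if (!end) return PEM_NO_END;

    uint32_t acc = 0; int bits = 0; int pad = 0; size_t n = 0;
    for (const char *p = start; p < end; p++) {
        if (*p == '\n' || *p == '\r') continue;    /* line breaks are the only allowed separators */
        if (*p == '=') { pad++; continue; }        /* padding: nothing further may follow */
        int v = b64val((unsigned char)*p);
        if (v < 0 || pad) return PEM_BAD_BASE64;   /* spaces, tabs or data after '=' */
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return PEM_TOO_SMALL;
            der[n++] = (uint8_t)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;               /* keep only the unconsumed low bits */
        }
    }
    /* A Certificate is an ASN.1 SEQUENCE, so valid DER starts with tag 0x30. */
    if (n == 0 || der[0] != 0x30) return PEM_NOT_SEQUENCE;
    return (int)n;
}

/* Decode into a scratch buffer and return only the length/error code. */
int pem_check(const char *pem) {
    uint8_t der[4096];
    return pem_to_der(pem, der, sizeof der);
}

/* First DER byte of a decoded buffer, or -1 if decoding failed. */
int pem_first_byte(const char *pem) {
    uint8_t der[4096];
    int n = pem_to_der(pem, der, sizeof der);
    return n > 0 ? der[0] : -1;
}

int main(void) {
    const char *names[] = { "good", "no newline after END", "space as separator" };
    const char *pems[]  = { GOOD_PEM, NO_NEWLINE_PEM, SPACE_PEM };
    for (int k = 0; k < 3; k++)
        printf("%-22s -> %d\n", names[k], pem_check(pems[k]));
    return 0;
}
```

The DER bytes this produces are what a DER-only entry point such as RsaPrivateKeyDecode() or a SSL_FILETYPE_ASN1 file load expects; the negative codes correspond to the formatting mistakes that make a PEM loader report a bad file.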

564

(15 replies, posted in wolfSSL)

Hi Nitin,

What command and parameters did you use to generate your CA key using OpenSSL?

- Chris

565

(15 replies, posted in wolfSSL)

Not necessarily - you could define it in your source code as well if that was your preferred way.

566

(15 replies, posted in wolfSSL)

Hi Nitin,

I get "Cert undeclared" error. I'm unable to figure out why this is happening. Generating RSA keys works fine, but as soon as I declare a variable to generate certificate, I get this error.

You could be seeing this error if CYASSL_CERT_GEN is not defined.  Can you try defining -DCYASSL_CERT_GEN when building your application and see if it resolves your error?

Regards,
Chris

567

(2 replies, posted in wolfSSL)

Hi Bobo,

Thanks for the report.  We'll look into this.

- Chris

568

(2 replies, posted in wolfSSL)

Hi Kevin,

What version of CyaSSL are you using the tutorial with?

./echoserver: error while loading shared libraries: libcyassl.so.2: cannot open shared object file: No such file or directory

This error occurs when the OS can't find the necessary shared library at runtime.  This could be caused by several things depending on what version of CyaSSL you were using.

1.  I just updated the SSL Tutorial (Makefiles, source files, etc.) to work with our newest versions of CyaSSL (2.0.2).  Beginning with our 2.0.0rc3 release, the default installation locations were changed for CyaSSL.  Please try downloading the most current version of the SSL Tutorial, now up at http://www.yassl.com/documentation/ssl-tutorial-2.0.zip.

2.  If you are still getting the error after updating to the newest SSL Tutorial version, make sure your LD_LIBRARY_PATH environment variable is set correctly to point to where the CyaSSL libraries are installed (/usr/local/lib in CyaSSL 2.0.2).

Linux:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

Mac:

export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:/usr/local/lib

Does this help?

Regards,
Chris

569

(0 replies, posted in Announcements)

Hi,

We have released version 2.0.2 of the CyaSSL embedded SSL library.  Release 2.0.2 has bug fixes and a few new features including:

  • CTaoCrypt Runtime library detection settings when directly using the crypto library

  • Default certificate generation now uses SHAwRSA and adds SHA256wRSA generation

  • All test certificates now use 2048bit and SHA-1 for better modern browser support

  • Direct AES block access and AES-CTR (counter) mode

  • Microchip pic32 support

This new version can be downloaded here: http://yassl.com/yaSSL/Download.html

The CyaSSL manual is available online at: http://yassl.com/yaSSL/Docs-cyassl-manual-toc.html.  For build instructions and comments about the new features please check the manual.  If you have any questions or comments about the new release, please let us know!

Thanks,
Team yaSSL

570

(2 replies, posted in wolfSSL)

Hi,

WolfSSL hasn't been officially ported to the Freescale MQX RTOS yet, no.  This is something that's on our list of things to do.  Is this something that you would be interested in?  Have you tried building wolfSSL on MQX?

Best Regards,
Chris

571

(1 replies, posted in wolfSSL)

Hi Kchitiz,

Although it is missing from our product page (thanks for pointing this out, we'll have to add it), we have previously ported wolfSSL to WinCE.  The _WIN32_WCE defines in the wolfSSL code are for WinCE.

Please build wolfSSL with _WIN32_WCE and let me know if you run into any snags.

What kind of project are you working on with WinCE?

Regards,
Chris

Hi Nrupen,

It looks like the common name of the subject lacks a set header in your certificate.  In our initial interpretation of the X509 standard, we believed that the set header was required.  As such, wolfSSL returned an error.

We have checked in a patch to our GitHub repository that gives a warning if a certificate name lacks a set header, then continues execution for better OpenSSL compatibility.  Please take a look at the patch, here: https://github.com/cyassl/cyassl/commit … 7d53a812ea.

What kind of project are you working on?

Regards,
Chris

Hi Michal,

You are correct, these flags can be used together while still providing all of CTaoCrypt's crypto functionality.  You can test this by building CyaSSL with NO_TLS, NO_CYASSL_SERVER, and NO_CYASSL_CLIENT and then running the test application under the /ctaocrypt/test directory of the CyaSSL download.

You will still have the public key infrastructure as well.  Normally verification is done internally within CyaSSL, but can also be done by hand (as the /ctaocrypt/test example does).

Regards,
Chris

Are you saying that the only way to import a public RSA key in DER or PEM format is to rewrite the decoder class?

Yes, in its current state, yaSSL only supports public keys through certificates (for SSL).  Would you mind if I asked what your goal is?  If this feature is necessary, we can work with you to add it to yaSSL.

Regards,
Chris

Hi Kristofer,

yaSSL was designed to use public keys from certificates (see the example in taocrypt/test/test.cpp for reference).  If you run the "test" application in taocrypt/test with the example certificates, you will notice that FixedCiphertextLength is a non-zero value when using a certificate.

If you want to use OpenSSL format for public keys, then you can use CyaSSL with the --openssl-Extra build option.  Is there a reason why you chose to use yaSSL over CyaSSL?

Regards,
Chris