Hi Jeff,

Thanks a lot for your help, it seems it was a encoding issue, now the output from wolfssl and lapo.it is consistent.

Thanks a lot for your time.
Remy

Ok great Jeff,
I will study this and post back here.

Remy

Hi Jeff,

the thing is that this private key :
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIB9OmcdEpovFHYwrKwb/0LAShWskWY8GJbEz8zRDmNdzoAoGCCqGSM49
AwEHoUQDQgAEj89fqBfGJRtV37F6+peeEwNbQx5D5NnkoFJPyfE54UAWKM+6zTc/
EZQ6egk/k8Kh+VYJE+bak9x8Qo45yrZelw==
-----END EC PRIVATE KEY-----

gives:
30 77 21 14 20 1f 4e99c744a68bc51d8c2b2b6ffd0b012856b24598f625b133f3344398d773a0a682a8648ce3d317a1443420
48fcf5fa817c6251b55dfb17afa979e1335b431e43e4d9e4a0524fc9f139e1401628cfbacd373f11943a7a93f93c2a1f956913
e6da93dc7c428e39cab65e97

with wolfSSL.

But now when I use an ASN1 parser, such as lapo.it, I have different results.
i have the following DER:
30 77 02 01 01 04 20 1F  4E 99 C7 44 A6 8B C5 1D
8C 2B 2B 06 FF D0 B0 12  85 6B 24 59 8F 06 25 B1
33 F3 34 43 98 D7 73 A0  0A 06 08 2A 86 48 CE 3D
03 01 07 A1 44 03 42 00  04 8F CF 5F A8 17 C6 25
1B 55 DF B1 7A FA 97 9E  13 03 5B 43 1E 43 E4 D9
E4 A0 52 4F C9 F1 39 E1  40 16 28 CF BA CD 37 3F
11 94 3A 7A 09 3F 93 C2  A1 F9 56 09 13 E6 DA 93
DC 7C 42 8E 39 CA B6 5E  97

It is almost the same, but the header is quite different. So I am not sure which one to trust... Wolfssl or lapo.it parser.

Remy

Hi Jeff,

Thanks for your help yes i share my conf:
./configure --enable-sni --enable-debug=yes --enable-static=yes --enable-shared=no --disable-examples --disable-filesystem --enable-ocspstapling --disable-oldtls --enable-ecc --enable-harden --enable-coding --enable-base64encode

The code i have is strictly the same as your attached.
The wolfssl is also the same 4.7.0-stable

Maybe I need to find a better corresponding configuration option..
Something important i forgot to mention is that i am using wolfssl on a raspberry pi platform.
I can see there are some issue on the google report for this platform..



Thanks
Remy

Hi all,

I am having a hard time to decode a ecc private key with wolfssl.

Here how my key must be generated (It has to be this way, it is a requirement)

openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
openssl ec -in ec_private.pem -pubout -out ec_public.pem


const char* private_key_pem = private_key_data->crypto_key_union.key_pem.key;

output private key:
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIB9OmcdEpovFHYwrKwb/0LAShWskWY8GJbEz8zRDmNdzoAoGCCqGSM49
AwEHoUQDQgAEj89fqBfGJRtV37F6+peeEwNbQx5D5NnkoFJPyfE54UAWKM+6zTc/
EZQ6egk/k8Kh+VYJE+bak9x8Qo45yrZelw==
-----END EC PRIVATE KEY-----

DerBuffer* pDer = NULL;
ret = PemToDer((unsigned char*)private_key_pem, strlen(private_key_pem),
                 ECC_PRIVATEKEY_TYPE, &pDer, NULL, NULL, NULL);

decode to DER format:
307702010104201f4e99c744a68bc51d8c2b2b06ffd0b012856b24598f0625b133f3344
398d773a00a06082a8648ce3d030107a144034200048fcf5fa817c6251b55dfb17afa97
9e13035b431e43e4d9e4a0524fc9f139e1401628cfbacd373f11943a7a093f93c2a1f95
60913e6da93dc7c428e39cab65e97

then decode the private key to be stored into the structure:

ecc_key ecc_key_private;
  wc_ecc_init(&ecc_key_private);

  word32 in_out_idx = 0;
  ret = wc_EccPrivateKeyDecode(pDer->buffer, &in_out_idx, &ecc_key_private,
                               pDer->length);


the error is here= -140 => ASN Parsing error.

Can anyone help me?
wolfssl version: 4.7.0-stable

Thanks
Remy

6

(12 replies, posted in wolfMQTT)

Hi Sean,

Yes you are right:
Pkcs11EcKeyGen() is calling Pkcs11GetEccPublicKey() and Pkcs11GetEccPublicKey() return 0, which mean everything is okay with the PKCS11 but when I try to print the key it is failing. It is like the key is in the structure but there is no way i can double check if the public key is correct.

In order to check if the public key is okay I do two things:
1. call:  wc_ecc_check_key(key) which returns MP_OKAY
2. print the public key with:

 word32 buffSz = 67;
  byte  der[buffSz];
 XMEMSET(der, 0, sizeof(der));
 wc_EccKeyToDer(key, der, buffSz); 

which return -173

BAD_FUNC_ARG       = -173,  /* Bad function argument provided */

The function:

int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)

calls:

 static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen,
                             int pubIn)
{
 if (key == NULL || output == NULL || inLen == 0)
        return BAD_FUNC_ARG;
....
}

Does it means my key actually null? it does not make sense, the wc_ecc_check_key(key) return MP_OKAY.

Anyway,

After enabling the PKCS11_DEBUG inside:
static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)

C_OpenSession: OK
C_Login: OK
C_GenerateKeyPair: OK
C_GetAttributeValue: OK
C_GetAttributeValue: OK

Ec Public Key
             CKA_EC_POINT: 67
                           0x04,0x41,0x04,0xea,0x6a,0x08,0xad,0xa2,
                           0xca,0x5b,0x15,0xbe,0x03,0xe8,0x05,0x89,
                           0xc4,0xec,0x0f,0x03,0x35,0x71,0x71,0x8f,
                           0x54,0x31,0xc0,0xfc,0x21,0x95,0x44,0x32,
                           0xaa,0xab,0x19,0x43,0x6e,0x17,0x7f,0x8d,
                           0x53,0x4d,0x6a,0x71,0x25,0x78,0x17,0x6f,
                           0x12,0xd0,0xd8,0x0a,0xa4,0xad,0xf2,0x54,
                           0x86,0x53,0x64,0x36,0xca,0x95,0x2c,0x7f,
                           0x71,0x65,0x81,
            CKA_EC_PARAMS: 10
                           0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,
                           0x01,0x07,

I am getting:
wolfSSL Leaving SendClientKeyExchange, return -354
wolfSSL error occurred, error = -354

  ECC_EXPORT_ERROR             = -354,   /* Bad ECC Export Key */




Thanks for your help
Remy

7

(12 replies, posted in wolfMQTT)

Hi,

Sorry for the late reply, I could not login to the forum.
Thank you for your previous answer. I could generate the secret as long as I fallback of the software implementation to generate the key pair.

But my purpose is to generate the key pair with my token (Can do) and use the generated public key to create the secret (cannot do).

I manage to use my token to generate the key pair, but it is not possible for me to re-inject the public key into the SSL context after the callback. I am stuck on this for a few weeks...

entry point: cryptocb.c
the key has been initialized but empty in order to let the token generate the public key in the "key" structure.

#ifdef HAVE_ECC
int wc_CryptoCb_MakeEccKey(WC_RNG* rng, int keySize, ecc_key* key, int curveId)
{
    printf("\n wc crypto Make ecc key. keySize= %d  \n", keySize);
    int ret = CRYPTOCB_UNAVAILABLE;
    CryptoCb* dev;

    if (key == NULL)
        return ret;

    /* locate registered callback */
    dev = wc_CryptoCb_FindDevice(key->devId);
    if (dev && dev->cb) {
        wc_CryptoInfo cryptoInfo;
        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
        cryptoInfo.pk.type = WC_PK_TYPE_EC_KEYGEN;
        cryptoInfo.pk.eckg.rng = rng;
        cryptoInfo.pk.eckg.size = keySize;
        cryptoInfo.pk.eckg.key = key;
        cryptoInfo.pk.eckg.curveId = curveId;

        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);

          printf("\n INSIDE THE CALLBACK....  \n");

         #define FOURK_BUF 4096
            byte  der[FOURK_BUF];
            int derSz = 0;

            derSz = wc_EccKeyToDer(key, der, FOURK_BUF);
            int i;
            for (i = 0; i <= derSz;i++){
                printf("%02x:", der[i]);
                if (((i+1)%16)==0){
                    printf("\n");
                }
            }
            printf("\n");
    }

    return wc_CryptoCb_TranslateErrorCode(ret);
}

in my pkcs11 interface the following code allows me to generate the CKA-points for the public key:

static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
{
    int               ret = 0;
    ecc_key*          key = info->pk.eckg.key;

...

rv = session->func->C_GenerateKeyPair(session->handle, &mech,
                                                       pubKeyTmpl, pubTmplCnt,
                                                       privKeyTmpl, privTmplCnt,
                                                       &pubKey, &privKey);

...
Pkcs11GetEccPublicKey(key, session, pubKey);
pkcs11_dump_template(pubKeyTmpl, pubTmplCnt); 

Ecc Public Key
             CKA_EC_POINT: 67
                           0x04,0x41,0x04,0x80,0xf6,0x67,0x7a,0x5b,
                           0xac,0x31,0x25,0xf8,0x2e,0xa7,0xc8,0x32,
                           0x12,0xf9,0xad,0xd9,0x33,0x01,0x6d,0xe0,
                           0x17,0x50,0xcb,0x2d,0x36,0xb1,0x28,0xf6,
                           0x32,0x2a,0xf0,0x55,0x75,0x6e,0xe3,0xc9,
                           0xff,0x7f,0xf4,0x0f,0xe2,0xce,0x4c,0x35,
                           0xbd,0x30,0x92,0x47,0x86,0x0f,0xc3,0x25,
                           0x3f,0xaa,0xeb,0x1c,0xb4,0x58,0x98,0x9a,
                           0x5e,0x02,0x1a,
            CKA_EC_PARAMS: 10
                           0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,
                           0x01,0x07,

from here, the key structure must have the public key. I can print the public key CKA points just nice as expected.


When this function ends I am going back to the callback (first sample of the code above.)

And then I try to display the public key after the printf : printf("\n INSIDE THE CALLBACK....  \n");
But i always get error -173 =>     BAD_FUNC_ARG       = -173,  /* Bad function argument provided */

INSIDE THE CALLBACK....
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:

So I believe the public key is not getting updated in the 'ecc_key' structure. it is quite hard to debug.

inside the Pkcs11 implementation i have tried to:

-check the "ecc_key key" with:

check_result = wc_ecc_check_key(key);

-> success
           

- Copy the point from the template that display the CKA points to the "ecc_key key" structure.

point = wc_ecc_new_point();
int copy_return = wc_ecc_copy_point(&key->pubkey,  &info->pk.eckg.key->pubkey);

-> success.

- Compare the CKA points inside the "ecc_key key" with:

 int cmp_result = wc_ecc_cmp_point(&key->pubkey, &info->pk.eckg.key->pubkey);

-> success

- Export the points into byte array to print them with:

       word32 buffSz = 64;
        byte  der[buffSz];
        XMEMSET(der, 0, sizeof(der));
        wc_ecc_export_point_der(key->dp->id, &key->pubkey, der,  &buffSz);

->  not successful



I am short of idea, I am not sure where the keys goes and in which format the key is represented.


Any help would highly appreciated.