wolfSSL Cisco libest Port

With wolfSSL 4.6.0, the cisco/libest EST library has been ported to work with wolfSSL. The Enrollment over Secure Transport (EST) protocol defines “enrollment for clients using Certificate Management over CMS (CMC) [RFC5272] messages over a secure transport.” It uses TLS >1.1 and the Hypertext Transfer Protocol (HTTP) to facilitate secure and authenticated Public Key Infrastructure (PKI) Requests and Responses [RFC5272]. libest is a client and server EST implementation written in C.

To build wolfSSL 4.6.0 for libest:

./configure --enable-libest
make
make install

To obtain a copy of libest that is compatible with wolfSSL, please contact us at support@wolfssl.com.

Once you have a wolfSSL compatible version of libest, to build the library:

./autogen.sh
./configure --enable-wolfssl
make
make install

To run the tests in test/UT configure wolfSSL instead with:

./configure --enable-libest --enable-dsa --enable-oldtls --enable-tlsv10 --enable-sslv3

The porting of libest to wolfSSL has greatly expanded the compatibility layer. Many new API’s were introduced and old ones have been updated. Additionally, Certificate Signing Request (CSR) generation and parsing has been expanded to meet the needs of the libest library. Some of the new changes include:

  • Parsing a CSR to be used for certificate generation
  • Parsing and generating a limited number of supported CSR attributes
  • Parsing configuration files using NCONF APIs
  • Retrieving the local and peer finished message contents
  • Creating and parsing text databases using TXT_DB API
  • New OpenSSL compatibility layer functions implemented
    • ASN1_get_object
    • d2i_ASN1_OBJECT
    • c2i_ASN1_OBJECT
    • BIO_new_fd
    • BIO_snprintf
    • BUF_strdup
    • BUF_strlcpy
    • BUF_strlcat
    • sk_CONF_VALUE_new
    • sk_CONF_VALUE_free
    • sk_CONF_VALUE_pop_free
    • sk_CONF_VALUE_num
    • sk_CONF_VALUE_value
    • lh_CONF_VALUE_retrieve
    • lh_CONF_VALUE_insert
    • NCONF_new
    • NCONF_free
    • NCONF_get_string
    • NCONF_get_section
    • NCONF_get_number
    • NCONF_load
    • CONF_modules_load
    • _CONF_new_section
    • _CONF_get_section
    • X509V3_conf_free
    • EVP_PKEY_copy_parameters
    • EVP_PKEY_get_default_digest_nid
    • EVP_PKEY_CTX_ctrl_str
    • IMPLEMENT_LHASH_HASH_FN
    • IMPLEMENT_LHASH_COMP_FN
    • LHASH_HASH_FN
    • LHASH_COMP_FN
    • lh_strhash
    • PKCS12_verify_mac
    • i2d_PKCS7_bio
    • SSL_get_finished
    • SSL_get_peer_finished
    • X509_get_ext_by_OBJ
    • i2d_X509_REQ_bio
    • d2i_X509_REQ_bio
    • PEM_read_bio_X509_REQ
    • d2i_X509_REQ
    • X509_REQ_sign_ctx
    • X509_REQ_add1_attr_by_NID
    • X509_REQ_add1_attr_by_txt
    • X509_REQ_get_attr_by_NID
    • X509_REQ_get_attr
    • X509_ATTRIBUTE_get0_type
    • X509_to_X509_REQ
    • X509_get0_extensions
    • X509_get_extensions
    • X509_REQ_get_extensions
    • X509_REQ_get_subject_name
    • X509_REQ_get_pubkey
    • X509_REQ_set_version
    • X509_sign_ctx
    • X509_REQ_print
    • X509_print_fp
    • X509_REQ_print_fp
    • X509_signature_print
    • X509_get0_signature
    • X509_verify
    • X509_REQ_verify
    • X509_REQ_check_private_key
    • X509_delete_ext
    • sk_X509_INFO_shift
    • X509_NAME_delete_entry
    • X509_NAME_print_ex_fp
    • X509_STORE_CTX_get0_parent_ctx
    • X509_REQ_get_X509_PUBKEY
    • BIO_new_connect
    • BIO_set_conn_port
    • BIO_do_connect
    • ASN1_TIME_new
    • ASN1_UTCTIME_new
    • ASN1_UTCTIME_free
    • ASN1_TIME_set
    • ASN1_TIME_set_string
    • ASN1_TIME_to_string
    • a2i_ASN1_INTEGER
    • ASN1_STRING_new
    • ASN1_STRING_free
    • ASN1_STRING_cmp
    • ASN1_UNIVERSALSTRING_to_string
    • DHparams_dup
    • OPENSSL_cleanse
    • sk_OPENSSL_STRING_num
    • sk_OPENSSL_PSTRING_num
    • sk_OPENSSL_PSTRING_value
    • sk_OPENSSL_STRING_free
    • SSL_CTX_set_srp_strength
    • SSL_get_srp_username
    • TXT_DB_read
    • TXT_DB_write
    • TXT_DB_insert
    • TXT_DB_free
    • TXT_DB_create_index
    • TXT_DB_get_by_index

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.