wolfCrypt JCE Provider and JNI Wrapper 1.5.0 Now Available

Version 1.5.0 of the wolfCrypt JCE Provider and JNI wrapper is now available for download!

wolfCrypt JNI/JCE provide Java-based applications with an easy way to use the native wolfCrypt cryptography library. The thin JNI wrapper can be used for direct JNI calls into native wolfCrypt, or the JCE provider (wolfJCE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfCrypt JNI/JCE can work with wolfCrypt FIPS 140-2 (and upcoming 140-3) as well!

Release 1.5.0 of wolfCrypt JNI has bug fixes and new features including:

  • Add build compatibility for Java 7 (PR 38)
  • Add support for “SHA” algorithm string in wolfJCE (PR 39)
  • Add rpm package support (PR 40)
  • Add wolfJCE MessageDigest.clone() support (PR 41)
  • Improve error checking of native Md5 API calls (PR 41)
  • Add unit tests for com.wolfssl.wolfcrypt.Md5 (PR 41)

Version 1.5.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfCrypt JNI/JCE User Manual can be found here. For any questions, or to get help using wolfSSL in your product or projects, contact us at facts@wolfssl.com.

Announcing New Capabilities in wolfSentry

As wolfSentry gets ever closer to its first production release, we are introducing some exciting new capabilities, among them:

  • Mature dynamic rule management, with automatic peer tracking, penalty boxing, O(1) release from penalty box, and realtime-safe (O(1)) limits on resource usage.
  • Robust support in the configuration file and public API for user-defined data (key-value pairs) with freeform JSON values, to arbitrary (user-limited) depth, with a fully integrated API for processing and exporting JSON in DOM (random-access) mode.
  • An API for setting user-defined configuration nodes as read-only.
  • Improvements and extensions to the API for use by user plugins (action handlers) streamlining typical use cases involving dynamic rule insertion and update.
  • Added examples/notification-demo/log_server
    • A standalone web server demonstrating HTTPS with dynamic insertion of limited-lifespan wolfSentry rules blocking (penalty boxing) abusive peers.
    • Mutual authentication using TLS, role-based authorizations pivoting on client certificate issuer (certificate authority), and wolfSentry event log retrieval, as a dynamically generated JSON array.

All of these and more are featured in wolfSentry preview release 7. For more details, clone wolfSentry from https://github.com/wolfSSL/wolfsentry, review ChangeLog.md and README.md, and “make test”.  For questions or help integrating wolfSentry into your project, contact us at facts@wolfssl.com!

wolfSSL running on Xilinx Versal Hardware Encryption

Our Xilinx Versaldemo shows wolfSSL making calls to Xilinx hardened crypto, doing both basic unit tests and benchmarking with it. Xilinx hardened crypto is accelerated crypto operations (SHA3-384 / AES-GCM / RSA / ECDSA) available on Ultrascale+ devices and is available for use with the latest and greatest Versal boards. wolfSSL makes these calls using the API from Xilinx’s XilSecure library (https://github.com/Xilinx/embeddedsw/tree/master/lib/sw_services/xilsecure) and with the addition of Versal there was minor changes to the existing calls to make use of the new features available (ECC / RNG / AES-GCM with AAD). Benchmark numbers are being fine tuned but you can see well over a Gigabyte per second with AES-GCM operations in the demo and improvements in performance of RSA, ECDSA, and SHA3-384 over software only implementations.

A previous white paper going into the setup and use of wolfSSL on older Ultrascale+ devices with Xilinx hardened crypto can be found here (https://docs.xilinx.com/v/u/en-US/wp512-accel-crypto).

For questions contact facts@wolfssl.com.

wolfSSL TriCore HSM Support

The Infineon Tricore TC2xx and the new TC3xx series chips are popular chips among safety and security critical applications. As the name implies, these chips come with multiple CPU cores to meet the demands of real time computing, however some variants come with a built in HSM core that is an ARM Cortex M3 operating at a frequency of 100MHz, 96KB RAM, MPU and offers a few useful secure applications.

  1. Secure boot
  2. Shared memory bridge module with “Firewall” functionality
  3. Debug support with authentication
  4. Secure data storage and logging
  5. 1KB shared cryptography memory
  6. Configurable OTP and HSM exclusive flash sections
  7. Hardware cryptography (AES, Hash, PKC, TRNG)
  8. Immobilizer (theft protection)
  9. Secure flash loading

We are excited to announce that we have ported wolfCrypt to the TriCore HSM. This will extend the HSM functionality beyond the hardware cryptography support to include the full wolfCrypt suite in the HSM environment. This adds useful features such as:

  1. AES256-ECB/CBC/GCM
  2. ECDSA-384
  3. ECC
  4. RSA (2048/3072/4096)
  5. SHA-384/512
  6. NIST Compliant DRBG (with HW TRNG seed)
  7. CMAC/GMAC/HMAC

Technicals

  • Built and tested using arm-none-eabi-gcc 12.2 toolchain
  • Executed on a TC3XX HSM module with -O2 optimizations at clock of 100Mhz
  • Verified heap-only as well as stack-only usage
  • Benchmarks executed with a 10ms timer
wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
RNG                775 KB took 1.010 seconds,  767.327 KB/s
AES-128-CBC-enc    325 KB took 1.010 seconds,  321.782 KB/s
AES-128-CBC-dec    325 KB took 1.000 seconds,  325.000 KB/s
AES-192-CBC-enc    250 KB took 1.040 seconds,  240.385 KB/s
AES-192-CBC-dec    250 KB took 1.020 seconds,  245.098 KB/s
AES-256-CBC-enc    200 KB took 1.010 seconds,  198.020 KB/s
AES-256-CBC-dec    200 KB took 1.000 seconds,  200.000 KB/s
AES-128-GCM-enc    275 KB took 1.050 seconds,  261.905 KB/s
AES-128-GCM-dec    275 KB took 1.050 seconds,  261.905 KB/s
AES-192-GCM-enc    225 KB took 1.100 seconds,  204.545 KB/s
AES-192-GCM-dec    225 KB took 1.110 seconds,  202.703 KB/s
AES-256-GCM-enc    175 KB took 1.030 seconds,  169.903 KB/s
AES-256-GCM-dec    175 KB took 1.020 seconds,  171.569 KB/s
GMAC Table 4-bit     1 MB took 1.000 seconds,    1.288 MB/s
AES-128-ECB-enc    314 KB took 1.000 seconds,  313.672 KB/s
AES-128-ECB-dec    343 KB took 1.000 seconds,  342.578 KB/s
AES-192-ECB-enc    225 KB took 1.000 seconds,  225.000 KB/s
AES-192-ECB-dec    236 KB took 1.000 seconds,  235.938 KB/s
AES-256-ECB-enc    200 KB took 1.000 seconds,  199.609 KB/s
AES-256-ECB-dec    189 KB took 1.000 seconds,  189.453 KB/s
SHA                  2 MB took 1.000 seconds,    1.953 MB/s
SHA-256              2 MB took 1.000 seconds,    2.051 MB/s
SHA-384            275 KB took 1.030 seconds,  266.990 KB/s
AES-128-CMAC       300 KB took 1.030 seconds,  291.262 KB/s
AES-256-CMAC       200 KB took 1.070 seconds,  186.916 KB/s
HMAC-SHA             2 MB took 1.000 seconds,    2.222 MB/s
HMAC-SHA256          2 MB took 1.000 seconds,    2.051 MB/s
HMAC-SHA384        275 KB took 1.040 seconds,  264.423 KB/s
RSA     2048 public         38 ops took 1.010 sec, avg 26.579 ms, 37.624 ops/sec
RSA     2048 private         2 ops took 1.950 sec, avg 975.000 ms, 1.026 ops/sec
ECC   [      SECP384R1]   384 key gen         6 ops took 1.080 sec, avg 180.000 ms, 5.556 ops/sec
ECDHE [      SECP384R1]   384 agree           4 ops took 1.560 sec, avg 390.000 ms, 2.564 ops/sec
ECDSA [      SECP384R1]   384 sign            6 ops took 1.340 sec, avg 223.333 ms, 4.478 ops/sec
ECDSA [      SECP384R1]   384 verify          2 ops took 1.020 sec, avg 510.000 ms, 1.961 ops/sec
Benchmark complete
Benchmark Test: Return code 0

wolfSSL 5.5.3 release

wolfSSL 5.5.3 is available! This is a minor release, containing some enhancements, fixes and one vulnerability fix. The vulnerability fix was thanks to a report from the Trail of Bits team! It affects a very specific build, having the debug macro WOLFSSL_CALLBACKS set. If using WOLFSSL_CALLBACKS it is recommended to upgrade to wolfSSL version 5.5.3 or later. For more information about the vulnerability visit the vulnerabilities page here (https://www.wolfssl.com/docs/security-vulnerabilities/).

Some of the enhancements included in this release were x86 assembly additions for performance, a port to Xilinx Versal with calls to the hardened crypto available and additional ARM 32bit assembly for performance increases. The full list of changes can be found in the ChangeLog.md bundled with wolfSSL or on the website www.wolfssl.com.

For questions about wolfSSL contact facts@wolfssl.com.