Elliptic curve cryptography (ECC) is increasingly popular in secure communications, and secp256k1—famous for its use in Bitcoin and other blockchains—is a widely used curve. This blog post will walk you through building wolfSSL with support for secp256k1, generating an ECC certificate using that curve, and using it in a TLS connection with wolfSSL’s example client and server.
Step 1: Build wolfSSL with secp256k1 Support
Start by cloning the wolfSSL repository and building it with custom curve and certificate generation support:
# Download wolfssl from https://www.wolfssl.com/download/
cd wolfssl
./configure --enable-ecccustcurves=all --enable-keygen --enable-certgen --enable-certreq --enable-certext
make
sudo make install
Step 2: Generate a secp256k1 Certificate
Next, use the certgen example from wolfSSL’s examples repository.
git clone https://github.com/wolfssl/wolfssl-examples
cd wolfssl-examples/certgen
Modify the example for secp256k1
In certgen_example.c, modify the key generation line to explicitly use secp256k1:
- ret = wc_ecc_make_key(&rng, 32, &newKey); + ret = wc_ecc_make_key_ex(&rng, 32, &newKey, ECC_SECP256K1);
Add Key Output in PEM Format
To write the private key to a file, add the following block after certificate generation (be sure to add in proper error checks):
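/* Encode the new ECC private key as DER */
derBufSz = wc_EccKeyToDer(&newKey, derBuf, LARGE_TEMP_SZ);
if (derBufSz < 0) goto exit;
/* Convert the DER buffer to PEM */
pemBufSz = wc_DerToPem(derBuf, derBufSz, pemBuf, LARGE_TEMP_SZ, ECC_PRIVATEKEY_TYPE);
if (pemBufSz < 0) goto exit;
/* Write the PEM-encoded private key to newCert.key */
file = fopen("newCert.key", "wb");
if (!file) goto exit;
ret = (int)fwrite(pemBuf, 1, pemBufSz, file);
fclose(file);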
Build and Run
make
./certgen_example
You should now have newCert.pem and newCert.key files using a secp256k1 key.
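To confirm that the Step 2 change took effect, the DER buffer can be checked for the secp256k1 OID before it is written out. The following is an added example, not code from wolfSSL or the certgen example: `ec_key_curve` and `der_hdr` are hypothetical helper names, the sample buffers are constructed, P-256 is used as the contrast case, and the layout is assumed to be an RFC 5915 ECPrivateKey that includes the optional [0] curve parameters.

```c
#include <stdio.h>
#include <string.h>
/* DER-encoded named-curve OIDs: tag 0x06, length, value */
static const unsigned char OID_K1[] = {0x06,0x05,0x2B,0x81,0x04,0x00,0x0A};                /* secp256k1 */
static const unsigned char OID_R1[] = {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07}; /* secp256r1 */
enum { CURVE_ERR = -1, CURVE_OTHER, CURVE_SECP256K1, CURVE_SECP256R1 };

/* Constructed samples (not real keys): ECPrivateKey with a dummy 32-byte scalar */
#define DUMMY_SCALAR 0x04,0x20, 1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1
static const unsigned char SAMPLE_K1[] = {0x30,0x2E, 0x02,0x01,0x01, DUMMY_SCALAR,
    0xA0,0x07, 0x06,0x05,0x2B,0x81,0x04,0x00,0x0A};
static const unsigned char SAMPLE_R1[] = {0x30,0x31, 0x02,0x01,0x01, DUMMY_SCALAR,
    0xA0,0x0A, 0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07};

/* Read one short-form TLV header at *pos; a 256-bit ECPrivateKey is under 128 bytes */
static int der_hdr(const unsigned char *d, size_t n, size_t *pos, unsigned char *tag, size_t *len)
{
    size_t p = *pos;
    if (p > n || n - p < 2) return -1;            /* header itself must fit */
    *tag = d[p++];
    *len = d[p++];
    if ((*len & 0x80) || *len > n - p) return -1; /* long form or truncated value */
    *pos = p;
    return 0;
}

/* Classify the curve in: SEQUENCE { INTEGER version, OCTET STRING key, [0] { OID }, ... } */
int ec_key_curve(const unsigned char *der, size_t n)
{
    size_t pos = 0, len, end;
    unsigned char tag;
    if (der_hdr(der, n, &pos, &tag, &len) || tag != 0x30) return CURVE_ERR;
    end = pos + len;
    if (der_hdr(der, end, &pos, &tag, &len) || tag != 0x02) return CURVE_ERR;
    pos += len;                                   /* skip version */
    if (der_hdr(der, end, &pos, &tag, &len) || tag != 0x04) return CURVE_ERR;
    pos += len;                                   /* skip private scalar */
    if (der_hdr(der, end, &pos, &tag, &len) || tag != 0xA0) return CURVE_ERR;
    if (len == sizeof OID_K1 && !memcmp(der + pos, OID_K1, len)) return CURVE_SECP256K1;
    if (len == sizeof OID_R1 && !memcmp(der + pos, OID_R1, len)) return CURVE_SECP256R1;
    return CURVE_OTHER;
}

int main(void)
{
    printf("k1 sample: %d, r1 sample: %d\n", ec_key_curve(SAMPLE_K1, sizeof SAMPLE_K1),
           ec_key_curve(SAMPLE_R1, sizeof SAMPLE_R1));
    return 0;
}
```

In the modified certgen example, a call such as `ec_key_curve(derBuf, derBufSz)` right after `wc_EccKeyToDer` would return `CURVE_SECP256K1` only when the key was really generated on secp256k1.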
Step 3: Configure Client/Server for secp256k1
Go back to the wolfssl directory and modify the client example to explicitly support the secp256k1 curve:
+++ b/examples/client/client.c @@ -3707,6 +3707,9 @@ #endif + + wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256K1); + #if defined(HAVE_SUPPORTED_CURVES)
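Review bot: the added wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256K1) call discards its return value and sits above the "#if defined(HAVE_SUPPORTED_CURVES)" line rather than inside it. Compare the result with WOLFSSL_SUCCESS and fail the client when the curve could not be set, otherwise a build without secp256k1 silently negotiates some other curve. Moving the call inside the guard would also compile it under the same condition as the rest of the supported-curves code.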
Run the Server and Client
Use the generated cert/key with the server, and run the client with a trusted CA cert:
./examples/server/server -d -c newCert.pem -k newCert.key
./examples/client/client -A ./certs/ca-ecc-cert.pem
If everything is set up correctly, you'll see output like:
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256K1
I hear you fa shizzle!
You’ve just built wolfSSL with support for custom ECC curves, generated a certificate using secp256k1, and successfully used it in a TLS session. This setup is great for anyone integrating Bitcoin-style cryptography into embedded or resource-constrained systems using wolfSSL.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.