Topic: OpenSSL compatibility

I have my SSL Accelerator project working with OpenSSL. I am trying to replace OpenSSL with wolfSSL for POC purposes. I am facing a problem while replacing OpenSSL APIs for which I don't find any respective API in wolfSSL. Following are a few example APIs which I am not able to replace:
a. SSL_get_privatekey
b. X509_set_version
c. X509_set_serialNumber
d. X509_NAME_add_entry_by_txt
e. X509_sign
and similarly many more

Though I have successfully replaced wolfSSL_CTX_new, wolfSSLv23_server_method, wolfSSL_CTX_use_PrivateKey_file, wolfSSL_BIO etc.

Please suggest how to proceed for completely replacing the OpenSSL API.


Re: OpenSSL compatibility

Hi,

wolfSSL's OpenSSL compatibility layer was designed to make porting into existing OpenSSL applications easier, but is far from complete.  It maps roughly the most-used 300 OpenSSL functions to the native wolfSSL API, where OpenSSL has over 4,000 in total.

It sounds like the functions you have listed are related to certificate generation.  For an example of how wolfSSL does certificate generation, see ./ctaocrypt/test/test.c, specifically the code inside of the #ifdef WOLFSSL_CERT_GEN define of rsa_test().

a. SSL_get_privatekey

wolfSSL doesn't currently support this function. For certificate generation, wolfSSL uses an RsaKey structure, which contains an RSA private key. A private key buffer (in DER format) can be loaded into an RsaKey structure using the RsaPrivateKeyDecode() function.

b. X509_set_version

In OpenSSL, this function lets the application set the X.509 certificate version to use.  wolfSSL embedded SSL only supports X.509 V3 certificate generation.  As such, this function is not needed with wolfSSL.

c. X509_set_serialNumber

When doing certificate generation with wolfSSL, the serial number can be set directly by the user when filling in the "Cert" structure.

d. X509_NAME_add_entry_by_txt

Like the previous function, certificate fields can be set directly by the user when filling in the "Cert" structure.

e. X509_sign

wolfSSL's equivalent to X509_sign() would be the SignCert() function, with usage shown in rsa_test() of test.c.

Best Regards,
Chris

Re: OpenSSL compatibility

Thanks Chrisc for the detailed response. Let me re-check how I can proceed to integrate wolfSSL embedded SSL in my application instead of OpenSSL.
