Topic: Doing private-key operations with cryptographic chips

Hi!

I'm developing the firmware for already existing hardware that uses an ST32F207 as MCU and the VaultIC cryptographic chip from WiseKey (https://www.wisekey.com/vaultic405/).

By a strict requirement, I need to keep the private RSA key inside the VaultIC and sign/encrypt/decrypt only using the chip's API. Moreover, the private key is protected inside the chip and cannot be exported or extracted.

I need to:

- Generate and sign a CSR (done)
- Handle X509 certificates (done)
- Generate and sign VERY BIG xml files, exporting them as CMS (PKCS7) (Done, but only for small files)
- Implement an HTTPS web server (partially done - working on this)

The list above is only to illustrate in which scenarios I will probably need to work with the private key. I read that WolfSSL was already adapted to a bunch of chips with hardware acceleration for cryptographic functions, but I cannot find by myself how to replace any sign/verify done by software with the same functions implemented in external chips.

So, I have two questions:

- How to use the functions of an external cryptographic chip to replace only the RSA sign/verify functions in wolfSSL?
- How to generate big signed CMS (PKCS#7) files in environments with restricted working RAM but with big disks on an SD card?

Thank you in advance!!


Re: Doing private-key operations with cryptographic chips

Hi fvillaf,

Thank you for using the wolfSSL support forums. If you perform a search in the file <wolf-root>/wolfcrypt/src/rsa.c for the define HAVE_CAVIUM you will see how we went about adding support for the CAVIUM hardware RSA API calls. We would recommend one of two methods when adding support for hardware crypto:

#1 Add your own new pre-processor macro such as HAVE_VAULTIC405 and #ifndef out the wc_Rsa... API's you wish to replace.
     Create a new directory such as <wolf-root>/wolfcrypt/src/port/vaultic405
     Create a new file such as <wolf-root>/wolfcrypt/src/port/vaultic405/vaultic-rsa.c
     Implement your own version of the wc_Rsa... API's that you #ifndef'd out and have these API's call to the hardware directly.

#2 Add your own new pre-processor macro such as HAVE_VAULTIC405 and
     follow the method we used with HAVE_CAVIUM define and place the hardware API calls directly into wolfcrypt/src/rsa.c
     


We have used #2 in the past but as we add support for more devices we have started to abstract that support by using the <wolf-root>/wolfcrypt/src/port/<new device> setup as it is cleaner and easier to maintain. Also if you do this solution then every time we put out a new release you would simply have to add back in the select few #ifndef HAVE_VAULTIC405 rules to rsa.c and then copy/paste your port directory into the new release. You can also submit your work back to us under a contributor agreement if you wish for us to maintain your port through release cycles.

Let us know if you have any questions on this.


Warm Regards,

Kaleb
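
Added example, not part of the original thread and not wolfSSL or WiseKey code: a self-contained sketch of approach #1, where the port macro compiles out the software signer and a port file supplies the same function backed by the chip. The types, error codes, `vaultic_rsa_sign` and the toy 12-bit unpadded RSA key are all stand-ins (the real VaultIC API is not on this page), and choosing `wc_RsaSSL_Sign` as the function to replace is an assumption.

```c
#include <stdint.h>
#define HAVE_VAULTIC405   /* normally defined in user_settings.h or CFLAGS */

typedef uint8_t  byte;    /* stand-ins for wolfSSL's typedefs */
typedef uint32_t word32;
typedef struct { int slot; } RsaKey;   /* stand-in: a chip key slot, no private key */
typedef struct { int unused; } WC_RNG; /* stand-in */
enum { DEMO_BAD_ARG = -1, DEMO_BUFFER_E = -2, DEMO_HW_E = -3 }; /* constructed codes */
#define DEMO_N 3233u      /* toy modulus 61*53, public exponent 17; demo only */

static word32 modexp(word32 b, word32 e, word32 n)
{
    word32 r = 1;
    for (b %= n; e; e >>= 1, b = (b * b) % n)
        if (e & 1) r = (r * b) % n;
    return r;
}

/* Simulated secure element (hypothetical call): the private exponent lives only here. */
static int vaultic_rsa_sign(int slot, word32 m, word32* sig)
{
    if (slot != 1 || m >= DEMO_N) return -1;   /* unknown slot or out-of-range input */
    *sig = modexp(m, 2753u, DEMO_N);
    return 0;
}

#ifndef HAVE_VAULTIC405
/* The software implementation in rsa.c stays here and is compiled out by the macro. */
#else
/* Port version; in the layout described above it would sit in the port directory. */
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
                   RsaKey* key, WC_RNG* rng)
{
    word32 sig;
    (void)rng;                                  /* the chip performs the private op */
    if (!in || !out || !key || inLen != 2) return DEMO_BAD_ARG;
    if (outLen < 2) return DEMO_BUFFER_E;       /* never write past the caller's buffer */
    if (vaultic_rsa_sign(key->slot, ((word32)in[0] << 8) | in[1], &sig) != 0)
        return DEMO_HW_E;                       /* map chip failure to a library error */
    out[0] = (byte)(sig >> 8); out[1] = (byte)sig;
    return 2;                                   /* signature length on success */
}
#endif

/* Host-side verification needs only the public key (n, e). */
int demo_verify(const byte* msg, const byte* sig)
{
    word32 m = ((word32)msg[0] << 8) | msg[1], s = ((word32)sig[0] << 8) | sig[1];
    return modexp(s, 17u, DEMO_N) == m;
}
```

Callers keep using the same function name and arguments; only the translation unit that provides it changes, and the host side never holds the private exponent.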

Re: Doing private-key operations with cryptographic chips

Thanks for the tips, Kaleb. I did a couple of minor tests and it worked like a charm!

I opted for the approach #1 but, sadly, I cannot submit any work as a contributor because I signed an NDA with WiseKey before they supplied the API to me.


Re: Doing private-key operations with cryptographic chips

Hi fvillaf,

No problem as far as the NDA goes. Glad to hear the solution worked for you!
Let us know if anything else comes up.


Warm Regards,

Kaleb