Topic: Does wolfCrypt Support CMS_CADES option in openssl/crypto/cms.c?

We have a desire to port a version of libcryto, wolfCrypt is in the running as an option, to a TEE environment that is fairly similar to a RTOS in terms of system libraries availability.

Our current implementation makes use of openssl/crypto/cms.c:

CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
                          STACK_OF(X509) *certs, BIO *data,
                          unsigned int flags)

but with CMS_CADES in the "flags" argument to pick-up the new patch in OPENSSL 3.0.0-alpha4.

Question: the above patched added ASN.1 support for the CAdES-BES compliant, "ESS signing-certificate-v2" syntax.

Is it easy to port the above patch to wolfCrypt?


Re: Does wolfCrypt Support CMS_CADES option in openssl/crypto/cms.c?

Hi thomas.zeng,

wolfCrypt's PKCS#7/CMS implementation doesn't have support for CAdES-BES currently.  This is something our team could look into adding for you if needed, under our consulting services.  We would need to add re-implement CMS CAdES-BES support ourselves in wolfCrypt instead of porting the pull request you mentioned, for licensing reasons.

wolfSSL does have an OpenSSL compatibility layer which includes a large number of the most commonly-used OpenSSL API.  Our compatibility layer does have some OpenSSL PKCS7 API support, which can be seen in the <wolfssl/openssl/pkcs7.h> header file: … sl/pkcs7.h

We don't yet have the CMS_sign() API wrapped yet, or the CMS_ContentInfo structure.  It looks like there may be some work required to fill out missing OpenSSL CMS API support if you would require that.  Another route would be to switch to the wolfCrypt PKCS7/CMS API instead of using the OpenSSL compatibility layer.

Is this something you would be interested in exploring further?

Best Regards,

Re: Does wolfCrypt Support CMS_CADES option in openssl/crypto/cms.c?

Thank you. Our first order of business is to build wolfcrypt into our C++ program, after that we can evaluate the CAdES-BES porting. We are struggling at the moment.

Yes we can refactor and use wc_PKCS7_* family of APIs.

Is there an utility in WC to convert client key and PK certificates from PEM to and from DER?

Now the biggest problem we face is the linking of wolfcrypt object files, compiled in clang, with the rest of the program compiled with clang++.

Does wolfcrypt require the runtime to provide  `strncasecmp'? I ask because of this linker error:

Error: TA/libseccamdemo64.a.p/.._subprojects_wolfssl_wolfcrypt_src_ecc.c.o(.text+0x1c34): undefined reference to `strncasecmp'

We are facing what look like C vs C++ linker problems:

Error: /pkg/qct/software/llvm/release/arm/8.0.12/aarch64-none-elf/lib/libc++.a(.text._ZNSt3__117iostream_categoryEv+0x4c): undefined reference to `__dso_handle'
Error: /pkg/qct/software/llvm/release/arm/8.0.12/aarch64-none-elf/lib/libc++.a(.text._ZNSt3__117__libcpp_sscanf_lEPKcP15__locale_structS1_z+0x60): undefined reference to `uselocale'