Topic: support of DTLS Raw public keys (RFC 7250)

Hello guys

Does wolfssl support dtls/tls raw public keys?
I googled for a few days and does not found anything about this topic.

Or, can i go in another way, create server certificate based on a 'SubjectPublicKeyInfo' in DER  format? And then attaching it to SSL context, and work it, like working with x509 certificates


   uint8_t srv_cert_buffer[1024] = {};
   const  uint8_t  srv_pub_key[] = {...}; // Server's 'SubjectPublicKeyInfo' in DER  format
   size_t srv_pubkey_len = sizeof(srv_pub_key);

    if ( wc_EccPublicKeyDecode(srv_pub_key, (word32*)&srv_pub_ecc_key_inptr, &srv_pub_key_ecc, (word32)srv_pubkey_len) != 0) 
        LOG("Error parsing server public key");
        goto on_error;

    if (wc_InitRng(&rng) != 0) 
        LOG("Init RNG failed");
        goto on_error;

    strncpy(, "UA", CTC_NAME_SIZE);
    strncpy(srv_cert.subject.state, "Kiev", CTC_NAME_SIZE);
    strncpy(srv_cert.subject.locality, "Kiev", CTC_NAME_SIZE);
    strncpy(srv_cert.subject.commonName, "", CTC_NAME_SIZE);
    srv_cert_len = wc_MakeCert (&srv_cert, srv_cert_buffer, sizeof(srv_cert_buffer), NULL, &srv_pub_key_ecc, &rng);
    if(srv_cert_len == 0)
        LOG("Generated server public certificate is null");
        goto on_error;

    wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1);

    if(wolfSSL_use_certificate_ASN1(ssl,(unsigned char*)srv_cert_buffer,srv_cert_len) != WOLFSSL_SUCCESS)
         LOG("Wrong RPK server certificate");
         goto on_error;

But this could be ridiculous code, because for generating wc_MakeCert() want's to see Private key.  Is there some method to include only public key to certificate, without any generation.


Re: support of DTLS Raw public keys (RFC 7250)

wolfSSL does not currently support RFC 7250 raw public keys.

If your server can use a self-signed certificate, you could load the server's certificate as a root CA. You can disable certificate verification in the client. It won't check the server's certificate signature, but it would still use the public key in the handshake.