Topic: PKCS11 callback for hardware

Dear community,

I am using a hardware token to do some PKCS11 operations such as generate key pair, generate random and sign using ECC.
I am using the wolfMQTT client with the latest wolfSSL code with --enable-pkcs11 and --enable-crytocb for the callback.

My hardware is well initialized, the communication is fine.

I modified the 'mqttexample' to load the private key from the token, which seems to be fine.

I am using:
typedef int (*CryptoDevCallbackFunc)(int devId, wc_CryptoInfo* info, void* ctx);
WOLFSSL_API int wc_CryptoCb_RegisterDevice(
    int devId,
    CryptoDevCallbackFunc cb,
    void* ctx);

in my mqttexample file:
_ret = wc_CryptoDev_RegisterDevice(devId, wc_Pkcs11_CryptoDevCb,  &token);

This seems to be fine.

The problem I am facing is that my token only supports generate key pair, generate random and sign using ECC.
For all the other operations, I do not wish to use my hardware token.

Unfortunately, by using this callback, wolfSSL expects the verify operation to be found, but it is not supported.

How can I implement a callback to only support these 3 operations (random, genKeyPair and Sign)?

Thank you for your help.
Regards
Remy

Re: PKCS11 callback for hardware

Hi Remy,

Thanks for joining the wolfSSL Forum. When you said:

Unfortunately, by using this callback, wolfSSL expects the verify operation to be found, but it is not supported.

Could you please share the error that you are seeing? Is it an actual verify operation failure, or just that the init is failing because the verify does not exist (NULL)?

Re: PKCS11 callback for hardware

Hi Remy,

In your crypto callback just return `CRYPTOCB_UNAVAILABLE` and it will fall back to using software operations.

Thanks,
David Garske, wolfSSL
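
One way to write the filtering callback described in the reply above, as an added example (not code from the wolfSSL project or from any post in this thread): a hypothetical wrapper `TokenSubsetCb` forwards RNG, EC key generation and ECDSA signing to `wc_Pkcs11_CryptoDevCb` and answers everything else with `CRYPTOCB_UNAVAILABLE`. The definitions at the top are stand-ins so the block compiles without wolfSSL; their numeric values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins so this block compiles without wolfSSL. In a real build, delete
 * them and include <wolfssl/wolfcrypt/cryptocb.h> and
 * <wolfssl/wolfcrypt/wc_pkcs11.h>. Names are wolfSSL's; the numeric values
 * are assumptions made for this stand-alone example. */
enum { WC_ALGO_TYPE_CIPHER = 2, WC_ALGO_TYPE_PK = 3, WC_ALGO_TYPE_RNG = 4 };
enum { WC_PK_TYPE_ECDH = 3, WC_PK_TYPE_ECDSA_SIGN = 4,
       WC_PK_TYPE_ECDSA_VERIFY = 5, WC_PK_TYPE_EC_KEYGEN = 9 };
#define CRYPTOCB_UNAVAILABLE (-271)
#define BAD_FUNC_ARG         (-173)
typedef struct wc_CryptoInfo {
    int algo_type;
    struct { int type; } pk;
} wc_CryptoInfo;

static int token_calls; /* demo only: how many requests reached the token */
static int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
{
    (void)devId; (void)info; (void)ctx;
    token_calls++;
    return 0;
}
/* End of stand-ins. */

/* Hypothetical wrapper: only the three operations the token supports are
 * passed on. Any other request gets CRYPTOCB_UNAVAILABLE, which tells
 * wolfSSL to use its software implementation (verify, ECDH, ciphers, ...).
 * Register it in place of the PKCS#11 callback:
 *   wc_CryptoDev_RegisterDevice(devId, TokenSubsetCb, &token); */
static int TokenSubsetCb(int devId, wc_CryptoInfo* info, void* ctx)
{
    if (info == NULL)
        return BAD_FUNC_ARG;

    switch (info->algo_type) {
    case WC_ALGO_TYPE_RNG:
        return wc_Pkcs11_CryptoDevCb(devId, info, ctx);
    case WC_ALGO_TYPE_PK:
        if (info->pk.type == WC_PK_TYPE_EC_KEYGEN ||
            info->pk.type == WC_PK_TYPE_ECDSA_SIGN)
            return wc_Pkcs11_CryptoDevCb(devId, info, ctx);
        break;
    default:
        break;
    }
    return CRYPTOCB_UNAVAILABLE;
}

/* Demo helper: build a request of the given kind and dispatch it. */
static int dispatch(int algoType, int pkType)
{
    wc_CryptoInfo info;
    info.algo_type = algoType;
    info.pk.type = pkType;
    return TokenSubsetCb(1, &info, NULL);
}

int main(void)
{
    printf("sign   -> %d\n", dispatch(WC_ALGO_TYPE_PK, WC_PK_TYPE_ECDSA_SIGN));
    printf("verify -> %d\n", dispatch(WC_ALGO_TYPE_PK, WC_PK_TYPE_ECDSA_VERIFY));
    printf("requests forwarded to token: %d\n", token_calls);
    return 0;
}
```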

4 (edited by saksik.remy 2021-02-21 19:58:54)

Re: PKCS11 callback for hardware

Hi all,

Thanks for your help.

I will try to return the "CRYPTOCB_UNAVAILABLE" and see if it is working for me.

@embhor:
The verify operation fails, I guess, because it is NULL due to the "Not supported operation".

@all:
I also got confused between the "--enable-crytocb" and the "--enable-pk-callback"...
I believe I do not need the pk-callback, because I do not want to do extra operations with the keys... But maybe these two features are working together.


For your reference I have posted the log I am getting...
You can see I am using the private key ID as a standard URL with "%" separator, I am not sure that this is supported by wolfSSL though.

pi@raspberrypi:~/experiment/wolfMQTT-Client/wolfMQTT/examples/mqttclient $ ./mqttclient -h localhost -p 1883 -t -A ~/certs/ca.crt -c ~/certs/exportedClientCert.crt -K %AA%07%19%18%C6%16%14%FF%DF%C7%3F%12%85%24
MQTT Client: QoS 0, Use TLS 1
MQTT Net Init: Success (0)
MQTT Init: Success (0)
NetConnect: Host localhost, Port 1883, Timeout 5000 ms, Use TLS 1
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file

<WolfSSL step hidden all okay >

Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
ECDSA cert signature [What is this step?]

PKCS 11 REQUIRED
CTX DEV ID is 1
Loading my pkcs library

Application::Application - Elapsed time <0.003377> seconds
C_GetFunctionList - <BEGIN> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:08(UTC)]
C_GetFunctionList - [IN]
C_GetFunctionList - CK_FUNCTION_LIST_PTR_PTR <0x25244>
C_GetFunctionList - Elapsed time <0.000001> seconds
C_GetFunctionList - [RV] <0x00> (CKR_OK)
C_GetFunctionList - [OUT]
C_GetFunctionList - CK_FUNCTION_LIST_PTR_PTR <0x25244>
C_GetFunctionList - <END> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:08(UTC)]


PKCS 11 object are found here

Object CKO_CERTIFICATE
CKA_TOKEN <1>
CKA_PRIVATE <0>
CKA_MODIFIABLE <1>
CKA_TRUSTED <1>
CKA_SUBJECT - <0x2435c0> - size <33> - buffer <30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 38 39 39 36 36 30 36 30 39 39 30 30 38 37 34 32 34 31 32 38>
CKA_ID - <0x2430e8> - size <20> - buffer <61 0A B8 C5 27 B1 CD 91 9B C4 E6 6A B2 42 70 45 9C A1 63 05>

Object CKO_PUBLIC_KEY
CKA_TOKEN <1>
CKA_PRIVATE <0>
CKA_ID - <0x2420a0> - size <20> - buffer <AA 07 19 18 C6 16 14 FF DF C7 3F 12 85 24 E9 18 FF B3 B7 02>

Object CKO_PRIVATE_KEY
CKA_TOKEN <1>
CKA_PRIVATE <1>
CKA_MODIFIABLE <1>
CKA_ID - <0x2446d8> - size <20> - buffer <AA 07 19 18 C6 16 14 FF DF C7 3F 12 85 24 E9 18 FF B3 B7 02>


C_CloseSession - Elapsed time <0.000062> seconds
C_CloseSession - [RV] <0x00> (CKR_OK)
C_CloseSession - <END> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]

wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_SetCertCbCtx
SSL DEVICE ID IS SET TO 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer

wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Point Formats extension received
Extended Master Secret extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
Shrinking input buffer

wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
CA found
wolfSSL Entering ConfirmSignature
wolfSSL Entering GetObjectId()

C_OpenSession - <BEGIN> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]
C_OpenSession - [IN]
C_OpenSession - slotID <00>
C_OpenSession - CK_FLAGS <CKF_SERIAL_SESSION>
C_OpenSession - pApplication <00>
C_OpenSession - Notify <00>
C_OpenSession - phSession <0xbe80aab8> (0x323935a0)

C_GetMechanismInfo - <BEGIN> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]
C_GetMechanismInfo - [IN]
C_GetMechanismInfo - slotID <00>
C_GetMechanismInfo - CK_MECHANISM_TYPE <CKM_ECDSA>
C_GetMechanismInfo - CK_MECHANISM_INFO - ulMinKeySize <0xb6eeaf2c> - ulMaxKeySize <0xbe80aab8> - flags <CKF_EXTENSION | CKF_UNWRAP | CKF_WRAP | CKF_GENERATE | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_SIGN>


C_GetMechanismInfo - Elapsed time <0.034830> seconds
C_GetMechanismInfo - [RV] <0x5> (CKR_GENERAL_ERROR) //Not Supported by hardware
C_GetMechanismInfo - [OUT]
C_GetMechanismInfo - CK_MECHANISM_INFO - ulMinKeySize <0xb6eeaf2c> - ulMaxKeySize <0xbe80aab8> - flags <CKF_EXTENSION | CKF_UNWRAP | CKF_WRAP | CKF_GENERATE | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_SIGN>

C_CloseSession - Elapsed time <0.000062> seconds
C_CloseSession - [RV] <0x00> (CKR_OK)
C_CloseSession - <END> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]

wolfSSL Leaving ConfirmSignature, return 0
Verified CA from chain and already had it
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
CA found
wolfSSL Entering ConfirmSignature
wolfSSL Entering GetObjectId()

C_OpenSession - Elapsed time <0.000159> seconds
C_OpenSession - [RV] <0x00> (CKR_OK)

C_GetMechanismInfo - Elapsed time <0.019171> seconds
C_GetMechanismInfo - [RV] <0x5> (CKR_GENERAL_ERROR) //Not Supported by hardware

C_CloseSession - Elapsed time <0.000060> seconds
C_CloseSession - [RV] <0x00> (CKR_OK)
C_CloseSession - <END> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]

wolfSSL Leaving ConfirmSignature, return 0
Verified Peer's cert
wolfSSL Entering GetObjectId()
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoCertificate, return 0
Shrinking input buffer

wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering EccVerify
C_OpenSession - <BEGIN> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]
C_OpenSession - [IN]
C_OpenSession - slotID <00>

C_GetMechanismInfo - Elapsed time <0.019167> seconds
C_GetMechanismInfo - [RV] <0x5> (CKR_GENERAL_ERROR) //Not Supported by hardware
C_GetMechanismInfo - [OUT]
C_GetMechanismInfo - CK_MECHANISM_INFO - ulMinKeySize <0xb6eeaf2c> - ulMaxKeySize <0xbe80ab68> - flags <CKF_EXTENSION | CKF_GENERATE | CKF_VERIFY | CKF_DIGEST | CKF_SIGN>

C_CloseSession - Elapsed time <0.000063> seconds
C_CloseSession - [RV] <0x00> (CKR_OK)
C_CloseSession - <END> [PID=0x000003B1, TID=0xb6f6a210] [2021-02-22 02:01:12(UTC)]

wolfSSL Leaving EccVerify, return 0
wolfSSL Leaving DoServerKeyExchange, return 0
Shrinking input buffer

wolfSSL Leaving EccSign, return -170
wolfSSL Leaving SendCertificateVerify, return -170
wolfSSL error occurred, error = -170
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -170
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking output buffer

Re: PKCS11 callback for hardware

The `-K` option is expecting a path to a file.

6 (edited by saksik.remy 2021-02-24 00:26:13)

Re: PKCS11 callback for hardware

Great, I managed to verify my certificate.

I still have an issue though, could someone explain a bit the SendClientKeyExchange()?

I am using ECC (ECDSA 256). But somehow in this function, after generating the public key (EccMakeKey), I end up exporting the key with wc_ecc_export_x963... which I found really strange... I am not sure I understand this part. I am supposed to compute the DH keys...

Then I have an error: ECC_EXPORT_ERROR             = -354,   /* Bad ECC Export Key */
Which makes sense to me.

Did I forget a #define? Or configure the wolfSSL build with some missing options?


The code below is from the internal.c file, SendClientKeyExchange(...)

I have defined HAVE_ECC but I never defined the ECCKEY_EXPORT and I do not have PK_CALLBACKS.

I would appreciate some help with where I went wrong...

Thanks a lot for your time
Remy

 #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
                #ifdef HAVE_PK_CALLBACKS
                    /* if callback then use it for shared secret */
                    if (ssl->ctx->EccSharedSecretCb != NULL) {
                        break;
                    }
                #endif
                WOLFSSL_MSG("\reach here, why?\n");
                    /* Place ECC key in buffer, leaving room for size */
                    ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey,
                                args->encSecret + OPAQUE8_LEN, &args->encSz);
                    if (ret != 0) {
                        ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
                    }
                #endif /* HAVE_ECC */

Re: PKCS11 callback for hardware

Do you still have `--enable-pk-callback` in your configure line?

8 (edited by saksik.remy 2021-02-25 03:02:18)

Re: PKCS11 callback for hardware

I have removed it because I do not do anything extra with the public key; it is just the normal process of the TLS handshake. But perhaps I am wrong. I am doubtful about the callback usage... I don't want to modify the internal.c code.

At SendClientKeyExchange():
The process leads me to: wc_ecc_export_x963.

Why do I need to export the public key?

The GenerateKeyPair() was successful so I have the public key already.

The process is:
A. public key = Generate the Key pair()
B. Export the public key () - strange to me
C. Compute the shared secret()

Am I wrong?

Remy

Re: PKCS11 callback for hardware

Hi Remy,

No, I do not think you need the pk callback option, but you mentioned it earlier in the thread.

The `NO_ECC_KEY_EXPORT` define comes from here (because `HAVE_ECC` is defined):
https://github.com/wolfSSL/wolfssl/blob … gs.h#L1821

The public key is exported to the `ssl->hsKey` structure in order to compute the shared secret.

                    ret = EccSharedSecret(ssl,
                        (ecc_key*)ssl->hsKey, ssl->peerEccKey,
                        args->output + OPAQUE8_LEN, &args->length,
                        ssl->arrays->preMasterSecret + OPAQUE16_LEN,
                        &ssl->arrays->preMasterSz,
                        WOLFSSL_CLIENT_END
                    );

10 (edited by saksikremy 2021-03-17 00:31:18)

Re: PKCS11 callback for hardware

Hi,

Sorry for the late reply, I could not log in to the forum.
Thank you for your previous answer. I could generate the secret as long as I fall back to the software implementation to generate the key pair.

But my purpose is to generate the key pair with my token (can do) and use the generated public key to create the secret (cannot do).

I managed to use my token to generate the key pair, but it is not possible for me to re-inject the public key into the SSL context after the callback. I have been stuck on this for a few weeks...

Entry point: cryptocb.c
The key has been initialized but is empty in order to let the token generate the public key in the "key" structure.

#ifdef HAVE_ECC
int wc_CryptoCb_MakeEccKey(WC_RNG* rng, int keySize, ecc_key* key, int curveId)
{
    printf("\n wc crypto Make ecc key. keySize= %d  \n", keySize);
    int ret = CRYPTOCB_UNAVAILABLE;
    CryptoCb* dev;

    if (key == NULL)
        return ret;

    /* locate registered callback */
    dev = wc_CryptoCb_FindDevice(key->devId);
    if (dev && dev->cb) {
        wc_CryptoInfo cryptoInfo;
        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
        cryptoInfo.pk.type = WC_PK_TYPE_EC_KEYGEN;
        cryptoInfo.pk.eckg.rng = rng;
        cryptoInfo.pk.eckg.size = keySize;
        cryptoInfo.pk.eckg.key = key;
        cryptoInfo.pk.eckg.curveId = curveId;

        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);

          printf("\n INSIDE THE CALLBACK....  \n");

         #define FOURK_BUF 4096
            byte  der[FOURK_BUF];
            int derSz = 0;

            derSz = wc_EccKeyToDer(key, der, FOURK_BUF);
            int i;
            for (i = 0; i <= derSz;i++){
                printf("%02x:", der[i]);
                if (((i+1)%16)==0){
                    printf("\n");
                }
            }
            printf("\n");
    }

    return wc_CryptoCb_TranslateErrorCode(ret);
}

In my PKCS11 interface the following code allows me to generate the CKA points for the public key:

static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
{
    int               ret = 0;
    ecc_key*          key = info->pk.eckg.key;

...

rv = session->func->C_GenerateKeyPair(session->handle, &mech,
                                                       pubKeyTmpl, pubTmplCnt,
                                                       privKeyTmpl, privTmplCnt,
                                                       &pubKey, &privKey);

...
Pkcs11GetEccPublicKey(key, session, pubKey);
pkcs11_dump_template(pubKeyTmpl, pubTmplCnt); 

Ecc Public Key
             CKA_EC_POINT: 67
                           0x04,0x41,0x04,0x80,0xf6,0x67,0x7a,0x5b,
                           0xac,0x31,0x25,0xf8,0x2e,0xa7,0xc8,0x32,
                           0x12,0xf9,0xad,0xd9,0x33,0x01,0x6d,0xe0,
                           0x17,0x50,0xcb,0x2d,0x36,0xb1,0x28,0xf6,
                           0x32,0x2a,0xf0,0x55,0x75,0x6e,0xe3,0xc9,
                           0xff,0x7f,0xf4,0x0f,0xe2,0xce,0x4c,0x35,
                           0xbd,0x30,0x92,0x47,0x86,0x0f,0xc3,0x25,
                           0x3f,0xaa,0xeb,0x1c,0xb4,0x58,0x98,0x9a,
                           0x5e,0x02,0x1a,
            CKA_EC_PARAMS: 10
                           0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,
                           0x01,0x07,

From here, the key structure must have the public key. I can print the public key CKA points just fine, as expected.


When this function ends I go back to the callback (first sample of the code above).

And then I try to display the public key after the printf: printf("\n INSIDE THE CALLBACK....  \n");
But I always get error -173 =>     BAD_FUNC_ARG       = -173,  /* Bad function argument provided */

INSIDE THE CALLBACK....
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:

So I believe the public key is not getting updated in the 'ecc_key' structure. It is quite hard to debug.

Inside the PKCS11 implementation I have tried to:

- Check the "ecc_key key" with:

check_result = wc_ecc_check_key(key);

-> success
           

- Copy the point from the template that display the CKA points to the "ecc_key key" structure.

point = wc_ecc_new_point();
int copy_return = wc_ecc_copy_point(&key->pubkey,  &info->pk.eckg.key->pubkey);

-> success.

- Compare the CKA points inside the "ecc_key key" with:

 int cmp_result = wc_ecc_cmp_point(&key->pubkey, &info->pk.eckg.key->pubkey);

-> success

- Export the points into byte array to print them with:

       word32 buffSz = 64;
        byte  der[buffSz];
        XMEMSET(der, 0, sizeof(der));
        wc_ecc_export_point_der(key->dp->id, &key->pubkey, der,  &buffSz);

->  not successful



I am short of ideas, I am not sure where the key goes and in which format the key is represented.


Any help would be highly appreciated.
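
The `CKA_EC_POINT` dump in the post above decodes as follows; this is an added example, not code from the post or from wolfSSL. PKCS #11 defines the attribute as a DER OCTET STRING wrapping the X9.62 point, so the 67 bytes are a 2-byte header (`04 41`) followed by the 65-byte uncompressed point `04 || X || Y`. The function name `decode_p256_point` and its error codes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define P256_LEN 32                  /* bytes per coordinate */
#define P256_RAW (1 + 2 * P256_LEN)  /* 0x04 || X || Y = 65 bytes */

/* CKA_EC_PARAMS from the post: DER OID 1.2.840.10045.3.1.7 (P-256). */
static const unsigned char EC_PARAMS[] = {
    0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07 };

/* CKA_EC_POINT from the first dump in the post (67 bytes). */
static const unsigned char EC_POINT[] = {
    0x04,0x41,0x04,0x80,0xf6,0x67,0x7a,0x5b,0xac,0x31,0x25,0xf8,0x2e,0xa7,0xc8,0x32,
    0x12,0xf9,0xad,0xd9,0x33,0x01,0x6d,0xe0,0x17,0x50,0xcb,0x2d,0x36,0xb1,0x28,0xf6,
    0x32,0x2a,0xf0,0x55,0x75,0x6e,0xe3,0xc9,0xff,0x7f,0xf4,0x0f,0xe2,0xce,0x4c,0x35,
    0xbd,0x30,0x92,0x47,0x86,0x0f,0xc3,0x25,0x3f,0xaa,0xeb,0x1c,0xb4,0x58,0x98,0x9a,
    0x5e,0x02,0x1a };

/* Split a P-256 CKA_EC_POINT into X and Y. Accepts the DER-wrapped form
 * (67 bytes) and the bare X9.63 form (65 bytes). Returns 0 on success,
 * -1 NULL argument, -2 not P-256, -3 bad length, -4 not uncompressed. */
static int decode_p256_point(const unsigned char* params, size_t paramsLen,
                             const unsigned char* pt, size_t ptLen,
                             unsigned char x[P256_LEN],
                             unsigned char y[P256_LEN])
{
    if (params == NULL || pt == NULL || x == NULL || y == NULL)
        return -1;
    if (paramsLen != sizeof(EC_PARAMS) ||
        memcmp(params, EC_PARAMS, sizeof(EC_PARAMS)) != 0)
        return -2;
    /* Strip the OCTET STRING header: tag 0x04, length 0x41 (65). */
    if (ptLen == P256_RAW + 2 && pt[0] == 0x04 && pt[1] == P256_RAW) {
        pt += 2;
        ptLen -= 2;
    }
    /* The bare point is 65 bytes, one more than a 64-byte buffer holds. */
    if (ptLen != P256_RAW)
        return -3;
    if (pt[0] != 0x04) /* 0x02 / 0x03 would be a compressed point */
        return -4;
    memcpy(x, pt + 1, P256_LEN);
    memcpy(y, pt + 1 + P256_LEN, P256_LEN);
    return 0;
}

int main(void)
{
    unsigned char x[P256_LEN], y[P256_LEN];
    int i, rc = decode_p256_point(EC_PARAMS, sizeof(EC_PARAMS),
                                  EC_POINT, sizeof(EC_POINT), x, y);
    if (rc != 0) { printf("decode failed: %d\n", rc); return 1; }
    printf("X = "); for (i = 0; i < P256_LEN; i++) printf("%02x", x[i]);
    printf("\nY = "); for (i = 0; i < P256_LEN; i++) printf("%02x", y[i]);
    printf("\n");
    return 0;
}
```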

Re: PKCS11 callback for hardware

Hi Remy,

Is it possible you need to call `int wc_ecc_make_pub_ex(ecc_key* key, ecc_point* pubOut, WC_RNG* rng)` first to generate the public key material?

I've also asked our PKCS11 expert Sean P to review this post.

Thanks,
David Garske, wolfSSL

Re: PKCS11 callback for hardware

Hi Remy,

I'm not sure what's going wrong here.
The function Pkcs11EcKeyGen() is calling Pkcs11GetEccPublicKey() which will fail when the key doesn't load.
Does your version of wc_pkcs11.c have this call sequence?

Note: WOLFSSL_DEBUG_PKCS11 will show more debug information about the PKCS #11 calls.

Thanks,
Sean Parkinson, wolfSSL

13 (edited by saksikremy 2021-03-19 03:23:24)

Re: PKCS11 callback for hardware

Hi Sean,

Yes you are right:
Pkcs11EcKeyGen() is calling Pkcs11GetEccPublicKey() and Pkcs11GetEccPublicKey() returns 0, which means everything is okay with the PKCS11, but when I try to print the key it is failing. It is like the key is in the structure but there is no way I can double check if the public key is correct.

In order to check if the public key is okay I do two things:
1. call:  wc_ecc_check_key(key) which returns MP_OKAY
2. print the public key with:

 word32 buffSz = 67;
  byte  der[buffSz];
 XMEMSET(der, 0, sizeof(der));
 wc_EccKeyToDer(key, der, buffSz); 

which returns -173

BAD_FUNC_ARG       = -173,  /* Bad function argument provided */

The function:

int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)

calls:

 static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen,
                             int pubIn)
{
 if (key == NULL || output == NULL || inLen == 0)
        return BAD_FUNC_ARG;
....
}

Does it mean my key is actually null? It does not make sense, the wc_ecc_check_key(key) returns MP_OKAY.

Anyway,

After enabling the PKCS11_DEBUG inside:
static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)

C_OpenSession: OK
C_Login: OK
C_GenerateKeyPair: OK
C_GetAttributeValue: OK
C_GetAttributeValue: OK

Ec Public Key
             CKA_EC_POINT: 67
                           0x04,0x41,0x04,0xea,0x6a,0x08,0xad,0xa2,
                           0xca,0x5b,0x15,0xbe,0x03,0xe8,0x05,0x89,
                           0xc4,0xec,0x0f,0x03,0x35,0x71,0x71,0x8f,
                           0x54,0x31,0xc0,0xfc,0x21,0x95,0x44,0x32,
                           0xaa,0xab,0x19,0x43,0x6e,0x17,0x7f,0x8d,
                           0x53,0x4d,0x6a,0x71,0x25,0x78,0x17,0x6f,
                           0x12,0xd0,0xd8,0x0a,0xa4,0xad,0xf2,0x54,
                           0x86,0x53,0x64,0x36,0xca,0x95,0x2c,0x7f,
                           0x71,0x65,0x81,
            CKA_EC_PARAMS: 10
                           0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,
                           0x01,0x07,

I am getting:
wolfSSL Leaving SendClientKeyExchange, return -354
wolfSSL error occurred, error = -354

  ECC_EXPORT_ERROR             = -354,   /* Bad ECC Export Key */




Thanks for your help
Remy
