1 (edited by bare-embedded-dev 2023-02-06 15:23:08)

Topic: Interfacing wolfTPM with mbedTLS for TLS client cert & WPA enterprise

We are trying to implement X.509 client certificate authentication and WPA enterprise using asymmetric hardware cryptography for the private key.

Our platform is an STM32F469 (m4) that has an Infineon OPTIMA TPM SLB9670VQ20FW. Our product has fully functional TLS over wifi using the Cypress/Infineon WICED 6.2 SDK to an Azure services endpoint, excluding the TPM support. Presently, the certificate and keys are only stored on the device flash.

The WICED 6.2 FreeRTOS platform supports Client Certificate and WPA enterprise for a software implementation with MBED TLS 2.6.0, however we would like to implement TPM crypto hardware for these client side SSL functions and private key management. Changing over fully to wolfcrypt platform may be difficult since the WICED platform has multiple vendor customizations for memory optimizations which breaks encapsulation to LwIP. We are not code space constrained, but more RAM constrained.

An SDK update to mbedTLS 2.16.6 has documented support for callbacks for server sided authentication but not client side.
https://mbed-tls.readthedocs.io/en/late … -callbacks
There appears to be callbacks in the client side TLS authentication that may be used "unofficially" through the the use of RSA_ALT configurations and a PKCS#11 interface.  Implementation examples are very difficult to find. PCKS#11 examples also very hard to find examples for low level embedded systems.

Is anybody familiar with interfacing a PCKS#11 library to wolfTPM and separately interfacing the PCKS#11 interface to mbedTLS (or wolfCrypt or have suggestions or resources for where to look?


Re: Interfacing wolfTPM with mbedTLS for TLS client cert & WPA enterprise

Hi Geoff,

It is great to hear from you. This is a very interesting use-case.

For the TLS use case we have lots of examples for this in wolfTPM:
https://github.com/wolfSSL/wolfTPM/tree … s-examples
https://github.com/wolfSSL/wolfTPM/tree … amples/tls

In wolfSSL we support consuming a PKCS11 interface. We also have a wolfPKCS11 provider that uses wolfCrypt on the backend. It would be possible to take our wolfPKCS11 and use a TPM under it. We've discussed doing this, but is a decent effort. https://github.com/wolfSSL/wolfpkcs11

Let's have a call with Rich and I to discuss.

David Garske, wolfSSL


Re: Interfacing wolfTPM with mbedTLS for TLS client cert & WPA enterprise

Hi David, I"m back in touch with Rich.
I'll look at the PKCS7 and TLS Examples.