1 (edited by artur 2023-06-23 11:14:21)

Topic: Static ECC doesn't work with PKCS11.

Hi all,

I need the TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite. It's the old static ECDH.

I tested it with example/client and example/server; it works just fine.

I also need to keep keys in PKCS11 storage.

I took the example from https://github.com/wolfSSL/wolfssl-exam … cs11-ecc.c:

then tested it with TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (it's not static); it works just fine.


When I use static ECDH and PKCS11 it doesn't work!

I took server-tls-pkcs11-ecc.c as a base, then added the static ECDH cipher:

wolfSSL_CTX_set_cipher_list(ctx, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256");

then ran it...

and then after connection I have a handshake error:

wolfSSL Leaving DoClientHello, return -501

The cause is that the "ctx->haveStaticECC" property is false.
It is set to true while setting the private key, but in the case of PKCS11 the private key is not extractable.

Also I'd like to highlight that ECDH with a private.pem file works, ECDHE with PKCS11 works,
ECDH with PKCS11 fails.

My build options:

./configure --enable-pkcs11 --enable-ecc --enable-trustedca --enable-renegotiation-indication --enable-debug

and I also enabled WOLFSSL_STATIC_DH in settings.h.

If someone knows any approach to fixing it, I'd kindly ask you to share it.
Thank you.

I set "ctx->haveStaticECC = 1;" manually; it crashes in DoClientKeyExchange because ssl->hskey->dp is NULL, and according to the PKCS11 sniffer it didn't even try to get the EC_POINT from PKCS11 storage.


Re: Static ECC doesn't work with PKCS11.

Hi Artur,

This seems more appropriate as a support question. Please copy and paste this message into an email and send it to support@wolfssl.com so it can get assigned to an engineer for review.

The wolfSSL Support Team.