Topic: wolfSSL pkcs11 ecdsa key failing on DoTls13CertficateRequest
Hi, I have a wolfSSL program that is written for a TLS 1.3 connection using keys interfaced with pkcs11. When the client connects to a server and the server responds with a certificate request the wolfSSL client fails with
wolfSSL Entering DoTls13CertificateRequest
Signature Algorithms extension received
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 47 illegal_parameter
From my understanding what should happen in this process is the token that was registered to the pkcs11 library should be used to sign the certificate request and I assuming that is what is failing. The token is using a ecdsa key, should wolfssl be build with any specific options that is not allowing it to complete this request? When running the code as openssl client it works. See client code below and the openssl command that works. (I want to add I register the pkcs11 device earlier in another function and I am not thinking the registering of the device is the issue as it has worked with softhsm"
I run the client wolfssl code against a wolfssl server implementation similar to the implementation below, or the openssl s_server command.
Client wolfssl code that fails.
int CarrierTls::tlsHandshakeClient() {
int ret;
wolfSSL_Init();
unsigned char privKeyId[] = PRIV_KEY_ID;
if ((_ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())) == NULL) {
std::cout << "Creating ctx failed" << std::endl;
return 1;
}
if (wolfSSL_CTX_SetDevId(_ctx, DEV_ID) != WOLFSSL_SUCCESS) {
std::cout << "initializing wolfssl set dev_id failed" << std::endl;
return 1;
}
if (wolfSSL_CTX_use_certificate_file(_ctx, "keys/client.crt", SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
std::cout << "linking certificate file failed" << std::endl;
return 1;
}
/*
if (wolfSSL_CTX_use_PrivateKey_file(_ctx, "keys/client.key", WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
std::cout << "linking private file failed" << std::endl;
return 1;
}
*/
if (wolfSSL_CTX_use_PrivateKey_id(_ctx, privKeyId, sizeof(privKeyId), DEV_ID, 2048/8) != SSL_SUCCESS) {
std::cout << "enrolling privatekey id failed" << std::endl;
return 1;
}
wolfSSL_CTX_set_verify(_ctx, WOLFSSL_VERIFY_PEER, NULL);
if (wolfSSL_CTX_load_verify_locations(_ctx,"keys/myCA.pem",0) != SSL_SUCCESS) {
std::cout << "Loading ca failed" << std::endl;
return 1;
}
if ((_ssl = wolfSSL_new(_ctx)) == NULL) {
std::cout << "Creating ssl failed" << std::endl;
return 1;
}
if ((ret = wc_Pkcs11Token_Open(&_token, 1)) != 0) {
std::cout << "ERROR: failed to open session on token" << std::endl;
return 1;
}
wolfSSL_set_fd(_ssl, _socket);
ret = wolfSSL_connect(_ssl);
if (ret != WOLFSSL_SUCCESS) {
char errorString[1024];
wolfSSL_ERR_error_string(ret, errorString);
std::cout << "Handshake connect failed" << errorString << std::endl;
return 1;
} else {
WOLFSSL_X509* server_cert = wolfSSL_get_peer_certificate(_ssl);
if (server_cert != NULL) {
std::cout << "Server certificate subject: " << wolfSSL_X509_get_subjectCN(server_cert) << std::endl;
long verify_result = wolfSSL_get_verify_result(_ssl);
if (verify_result != X509_V_OK) {
std::cout << "Server certificate verification failed with: " << verify_result << std::endl;
wolfSSL_X509_free(server_cert);
return 1;
}
} else {
std::cout << "No server certificate was presented" << std::endl;
return 1;
}
wolfSSL_X509_free(server_cert);
}
wc_Pkcs11Token_Close(&_token);
return 0;
}
OpenSSL command that connects:
"openssl s_cleint -connect <ip_address>:8080 -verifyCAfile keys/myCA.pem -cert keys/client_2.crt -key "pkcss11:token=test;object=test1;type=private;pin-value=1234" -state verify 1"
My wolfssl client code should be doing virtually the same thing this openssl s_client command is but the wolfssl version is not working. Hoping for any ideas why or what else i could build wolfssl with. Currently I am building with "--enable-aesgcm --enable-pkcs11 --enable-tls13 --enable-shared --enable-opensslextra --enable-debug --enable-supportedcurves --enbaled-ecccustcurves --enable-fpecc --enable-eccenvrypt --enable-eccsi"