You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by Jacob
Hi Daniel,
That's great that the certificate example ran okay. For the current issue, the certificates need to begin with the string "-----BEGIN CERTIFICATE-----\n". The wolfSSL API is finding "-----BEGIN PUBLIC KEY-----\n" from those buffers and rejecting it since it is looking for certificate headers.
Hi Daniel,
The macro OPENSSL_EXTRA will need to be defined for wolfSSL to be built with the *_X509_* API. This is API in the compatibility layer which eases integration into applications previously using OpenSSL. Once at the point you are at, with the examples compiling and running, you can then adjust which macros are defined for configuring how wolfSSL is built. For example in the example IDE/LINUX-SGX/sgx_t_static.mk file there is the Wolfssl_C_Extra_Flags variable that OPENSSL_EXTRA could be added to. Note that this macro define should be added to both the building of libwolfssl and to the compiling of the application.
We've not tested with the additional functions built with SGX, there might be system calls in the compatibility layer that need worked around for running smoothly with SGX.
Here are some non SGX examples that do not use the compatibility layer API that could be referenced (https://github.com/wolfSSL/wolfssl-exam … er/certvfy).
These are also examples that show using a CA to verify a signature without using the compatibility layer API (https://github.com/wolfSSL/wolfssl-exam … ertmanager).
Hi Daniel,
Start with the wolfSSL SGX examples, and modify them to your use case. This is where the instructions and example build of the wolfSSL library for SGX use is https://github.com/wolfSSL/wolfssl/tree … /LINUX-SGX
The example of using the built library is located here
https://github.com/wolfSSL/wolfssl-exam … /SGX_Linux
Thanks chaudhryfaisal for your patience on this,
I made progress and got it to the point of being able to collect benchmarks. It should be good for a PoC and initial benchmarking. I ended up hard setting the cpuid flags due to the SGX restrictions between trusted/untrusted. It's likely the CPU you are using supports the same things (i.e avx2, avx2, aesni) but that could be a potential pain point. There is more that could be done to the wolfSSL code for determining the CPU capabilities at runtime.
The wolfSSL changes and benchmark numbers I collected when testing it are located here (https://github.com/wolfSSL/wolfssl/pull/8463).
The updated example application used to collect the benchmark numbers is located here (https://github.com/wolfSSL/wolfssl-examples/pull/488)
Please give it a try and let me know through support@wolfssl.com if there are any issues encountered.
Thanks for running the AES-GCM benchmarks and confirming performance increases there.
I brought the PIE error with SP assembly up internally. One of my co-workers had a suggestion on it. I need to give that suggestion a test and do a bit more investigation. Will post the results back here.
These changes get AES-NI use closer. (https://github.com/wolfSSL/wolfssl/pull/8463) and (https://github.com/wolfSSL/wolfssl-examples/pull/488). It passed unit tests using SIM mode. But had an issue with aes-gmac using HW mode. Possibly a buffer alignment issue. I'm not sure when I will be allocated time to farther investigate the aes-gmac unit test. Could you give it a try with your SGX SDK and compiler and see if these changes work for you?
Old forum thread... but for anyone coming here looking for OpenCL support, we recently added in some support in this github pull request (https://github.com/wolfSSL/wolfssl/pull/7436). david.ruiz if you still have the pet project going please give that a shot.
Hi Iycboy,
Eric is correct that, the public key portion is necessary in addition to the private key for signing. Just as a side note though you can generate the public portion given the private portion of the key. Check out the API wc_ed25519_make_public and wc_ed25519_import_public.
The question is if we should be trying to do this automatically in wolfSSL given a sign request where the public portion of the key is not set, just the private key. Will discuss that internally, in the mean time though generating and importing the public key is how you could avoid having to send / store the public key portion. Or if you could send /store the public key portion with the private key then altering the DER being passed to wc_Ed25519PrivateKeyDecode to also contain the public key would avoid the public key generation step.
Regards,
Jacob
Hi Scott,
Will forward the thread on to the support channel (support@wolfssl.com) using the 'user' email we have register to you on the forums here. That way we can be sure to handle it in a timely manner under the support contract and provide any optimization settings support specific to the use case.
Regards,
Jacob
Not sure, maybe OpenSSL key generation on Windows is just slow.....
Mac i7 with wolfSSL does around 6 generations per second for an average of 178.508 ms per generations. Without disabling any safe guards.
./wolfcrypt/benchmark/benchmark
...
RSA 2048 key gen 6 ops took 1.071 sec, avg 178.508 ms, 5.602 ops/sec
...For the 20 seconds on the device there could be multiple factors 32bit vs 64bit for one, have ran into that previously or optimizations with the build flags. We would have to do some optimization investigations under a support contract for faster speeds.
Regards,
Jacob
Adding the macros;
#define USE_FAST_MATH
#define TFM_TIMING_RESISTANT
#define WC_RSA_BLINDING
#define ECC_TIMING_RESISTANT
and including wolfcrypt/src/tfm.c in the build should build it.
Regards,
Jacob
I don't see any benchmark values internally for the AM3352. We have a benchmark for a Rasperry PI at 1500 MHz with a 2048 bit RSA key generation. It took a little under a second at 700 ms. That was with --enable-fastmath and --enable-sp --enable-sp-asm.
Heres the setting broken down into the individual parts for you:
newCert.beforeDate[0] = ASN_UTC_TIME;
newCert.beforeDate[1] = ASN_UTC_TIME_SIZE - 1;
newCert.beforeDate[2] = '2'; //year 2022
newCert.beforeDate[3] = '2'; //year 2022
newCert.beforeDate[4] = '0'; //month 02
newCert.beforeDate[5] = '2'; //month 02
newCert.beforeDate[6] = '1'; //day 15
newCert.beforeDate[7] = '5'; //day 15
newCert.beforeDate[8] = '0'; //hour 06
newCert.beforeDate[9] = '6'; //hour 06
newCert.beforeDate[10] = '0'; //minute 00
newCert.beforeDate[11] = '0'; //minute 00
newCert.beforeDate[12] = '0'; //second 01
newCert.beforeDate[13] = '1'; //second 01
newCert.beforeDate[14] = 'Z';
newCert.beforeDateSz = 15;
newCert.afterDate[0] = ASN_UTC_TIME;
newCert.afterDate[1] = ASN_UTC_TIME_SIZE - 1;
newCert.afterDate[2] = '2'; //year 2024
newCert.afterDate[3] = '4'; //year 2024
newCert.afterDate[4] = '0'; //month 02
newCert.afterDate[5] = '2'; //month 02
newCert.afterDate[6] = '1'; //day 15
newCert.afterDate[7] = '5'; //day 15
newCert.afterDate[8] = '0'; //hour 06
newCert.afterDate[9] = '6'; //hour 06
newCert.afterDate[10] = '0'; //minute 00
newCert.afterDate[11] = '0'; //minute 00
newCert.afterDate[12] = '0'; //second 01
newCert.afterDate[13] = '1'; //second 01
newCert.afterDate[14] = 'Z';
newCert.afterDateSz = 15;Having set the before and after you can remove the set of dayValid.
Regards,
Jacob
Hi Scotty2541,
The function wc_SetDatesBuffer takes in a DER formatted certificate to use the date from it.
There is two main options for setting the date:
1) Set it directly in the Cert structure using the current API's you have listed. This is setting beforeDate, beforeDateSz, afterDate, afterDateSz, daysValid.
2) Use the compatibility layer APIs and create the certificate using WOLFSSL_X509 structure. This has the API's wolfSSL_X509_set_notBefore and wolfSSL_X509_set_notAfter. The function test_wolfSSL_X509_sign2 in tests/api.c has code testing the setting of a certificate date when creating it.
Regards,
Jacob
Here is an example of static rsa build and use with wolfssl-py.
mkdir test && cd test
git clone --depth=1 git@github.com:wolfssl/wolfssl-py.git
git clone --depth=1 git@github.com:wolfssl/wolfssl.git
cd wolfssl
./autogen.sh && ./configure CPPFLAGS=-DWOLFSSL_STATIC_RSA --enable-sni --enable-opensslextra --enable-opensslall --enable-debug --prefix=`pwd`/../wolfssl-install && make && make install
cd ../wolfssl-py
USE_LOCAL_WOLFSSL=`pwd`/../wolfssl-install/ pip install .
export LD_LIBRARY_PATH=`pwd`/../wolfssl-install/lib
python3 ./examples/server.py -l AES256-SHA256Regards,
Jacob
Hi Donnie.dump,
Can you tell us some about the background of how wolfSSL is being used? If the details can not be put on a public forum like this please contact us through support @ wolfssl.com.
wolfSSL natively does support unnammed and custom curves when compiled with ./configure --enable-ecccustcurves. The JSSE wrapper does not support custom curves though.
Regards,
Jacob
Please double check that wolfSSL was built with static RSA suites enabled. To do this run the example client bundled with wolfSSL with -e "./examples/client/client -e". One of the cipher suites output should be AES256-SHA. It's easy to get a typo on the macro or any number of other things that would cause wolfSSL to build but not include the static RSA cipher suites.
The wolfssl-py if being used looks at the default location of /usr/local when built by running "pip install". A couple ways to go about it would be to install wolfSSL at that default location having been compiled with the static RSA macro or to build wolfssl-py using the environment variable USE_LOCAL_WOLFSSL=/wherever/wolfssl/install/is/
To build wolfSSL with static RSA enabled go to the wolfSSL directory "cd wolfssl/" and run "./configure CPPFLAGS=-DWOLFSSL_STATIC_RSA --prefix=/wherever/wolfssl/install/is/ && make install".
Regards,
Jacob
Hello DLLegend,
At a certain version of wolfSSL static RSA cipher suites were disabled by default. The cipher suite TLS_RSA_WITH_AES_256_CBC_SHA is going to be less secure then those using ephemeral keys like TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384. To turn static cipher suite support on use the macro WOLFSSL_STATIC_RSA. If adding that macro to the build does not resolve the issue then send of the build options being used with wolfSSL and we can debug farther.
Warm Regards,
Jacob
The main wolfSSL library will need compiled with SNI and Supported curves enabled. If adding in the functions enc_wolfSSL_CTX_UseSupportedCurve and enc_wolfSSL_set_SNI it looks like by default those are off with the library build and the example. SNI is enabled with the HAVE_SNI macro and supported curves are enabled with the HAVE_SUPPORTED_CURVES and HAVE_TLS_EXTENSIONS macros.
Regards,
Jacob
Hi Kannan,
Thanks for double checking that. I re-read through the "Purpose" you listed in the first message. It looks like you are concerned for just ECDSA and HASH-DRBG? (note that you will need some form of entropy to seed the HASH-DRBG) These two algorithms do not benefit from xilsecure use of RSA, AES-GCM, and SHA3. To that end lets first try without the macro WOLFSSL_XILINX_CRYPT defined in user_settings.h. A helpful write up with adjusting the user_settings.h is located at "Xilinx/FreeRTOS/README.pdf" in the pull request David sent earlier.
Regards,
Jacob
Hi Kannan,
Just to double check possible places that could cause the undefined issue. Did you build the BSP after xilsecure was added?
Regards,
Jacob
Hi Andres,
I confirmed what you are seeing by writing a simple test case using the order of function calls listed. This may be a feature gap (being that AES-GCM use with EVP is relatively new and developed for a specific use case) or it's an unintended restriction with AES-GCM use with EVP. It's under further review.
Regards,
Jacob
Hi Abbey,
There may be an options.h or some settings in the way. Please try from a fresh directory with the following commands on Linux (plus the one change you did in the Makefile).
(download and unzip wolfssl 4.1.0)
cd wolfssl-4.1.0/IDE/LINUX-SGX
make -f sgx_t_static.mk HAVE_WOLFSSL_TEST=1 HAVE_WOLFSSL_BENCHMARK=1 all
cd ../..
git clone [url]https://github.com/wolfssl/wolfssl-examples[/url]
cd wolfssl-examples/SGX_Linux
#(if SGX_SDK is not already set then)
export SGX_SDK=/opt/intel/sgxsdk
make SGX_MODE=HW SGX_PRERELEASE=1 SGX_WOLFSSL_LIB=../../IDE/LINUX-SGX/ WOLFSSL_ROOT=../../ SGX_DEBUG=0 HAVE_WOLFSSL_TEST=1
./App -tIf the issue persists after a fresh attempt using the above commands let me know and we can dig into it more to debug what is going on.
Regards,
Jacob
Hi hzwssl,
The RSA operations can be sped up using --enable-sp and --enable-sp-asm when building wolfSSL. The bulk of the time taken during TLS connections is due to public key operations.
To have packets bundled together the option -f can be used on the example wolfSSL client located at ./examples/client/client
```
-f Fewer packets/group messages
```
Regards,
Jacob
wolfSSL - Embedded SSL Library → Posts by Jacob
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.008 seconds (70% PHP - 30% DB) with 4 queries