You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by dgarske
Hi tomris,
See https://github.com/wolfSSL/wolfssl/issues/4319
Similar report. Please try those suggestions.
Make sure `USE_HAL_DRIVER` is added to CFLAGS like "-DUSE_HAL_DRIVER" to include `wolfSSL.I-CUBE-wolfSSL_conf.h`. Also make sure you change you include so it does not use options.h and instead uses wolfssl/wolfcrypt/settings.h.
Thanks,
David Garske, wolfSSL
Hi Tomris,
I have not yet tried using the "Makefile" code generation option in CubeMX with the wolfSSL pack. Can you share your Makefile as reference?
To work around this I suggest adding your own `MX_wolfSSL_Init` and `MX_wolfSSL_Process` API's that call `wolfSSL_Init()` and `wolfSSL_Cleanup()`.
Next time I am working on the Cube pack I will test with Makefile generation and see if there are improvements we can make.
Thanks,
David Garske, wolfSSL
Hi Tomris,
Do you have a `main` function defined in your code? The `int main(void)` is an entry point required by the startup code. When you use the STM32 Cube back for wolfSSL it allows you to choose the wolfSSL/wolfCrypt features, but you would need to provide the code to call our API's. We have a wolfCrypt test demo that can be enabled also in the pack selections. What IDE are you generating code for? I have only tested with STM32CubeIDE, Keil and IAR.
You can find some great examples in this repo:
https://github.com/wolfSSL/wolfssl-examples
For LWIP we support their socket interface by default if you add `WOLFSSL_LWIP` to the generated configuration file `wolfSSL.I-CUBE-wolfSSL_conf.h`.
The documentation or the Cube pack is here:
https://github.com/wolfSSL/wolfssl/tree … /STM32Cube
Thanks,
David Garske, wolfSSL
Hi oloke5,
We have some great user setting templates here:
https://github.com/wolfSSL/wolfssl/tree … es/configs
Please try adding `WOLFCRYPT_ONLY`. This will enable only wolfCrypt and disable the TLS/SSL layer.
For ED/Curve I recommend using:
#define HAVE_CURVE25519
#define HAVE_ED25519
#define CURVED25519_SMALLFor AES 256-bit CTR only try:
#define WOLFSSL_AES_COUNTER
#define NO_AES_128
#define NO_AES_192
#define NO_AES_CBCLet me know if you have any issues.
Thanks,
David Garske, wolfSSL
Hi Messias,
Our support for Windows TBS has been tested on Windows 10. Can you tell us the compiler and exact Windows version? It is possible the toolchain being used doesn't have the tbs.h with TBS_HCONTEXT, but I am not sure why.
You can see our TPM code for windows in src/tpm2_winapi.c where it includes the required headers:
#include <windows.h>
#include <tbs.h>We will do some additional testing here and see if we can find any issues.
Thanks,
David Garske, wolfSSL
Hi ENOTTY,
The FP_MAX_BITS can be overridden as a build-time pre-processor macro and should be set to double the max RSA/DH key size. So for 4096-bit it should be `-DFP_MAX_BITS=8192` or `./configure CFLAGS="-DFP_MAX_BITS=8192` or `#define FP_MAX_BITS 8192`.
Thanks,
David Garske, wolfSSL
Hi Noufal,
Seems like the issue is with the path to `cryptoauthlib`. I don't see any wolfSSL build errors. Are you trying to use the ATECC with wolfSSL?
Thanks,
David Garske, wolfSSL
Hi Kelvin,
Thanks for this report. We are trying to reproduce and should get back shortly with a fix.
David Garske, wolfSSL
Hi François,
You can enable IO level debugging inside wolfTPM using `./configure --enable-debug=io`. The command code TPM_CC_GetRandom is `0x0000017B`. The command also includes a 16-bit request size at the end. The ST33 uses a SPI wait state, so the header is 4 bytes and a single byte is read until the 0x80 MSB is set. Then a tag, command size and command code are added.
b d4 0 24 /* header */
b b b /* ready bytes */
80 1 TAG
0 0 0 c SIZE
0 0 1 7b COMMAND
0 20 Arguments (bytes requested)
Thanks,
David Garske, wolfSSL
Hi Scott,
I put up a PR with the `wolfSSL_CTX_load_verify_buffer_ex` API documentation. Thanks for reporting that.
https://github.com/wolfSSL/wolfssl/pull/4161
David Garske, wolfSSL
Hi JA,
Typically the operation is synchronous where the write and read and happening at the same time. I believe you can get the separate write and read working, but you will have to assert the chip select between the entire transaction.
1) Assert CS
2) Write 4 byte header (ignore read)
3) Read 1 byte and check for MSB 0x80 set
4) Read or Write remainder
5) De-assert CS.
It sounds like the issue is with the SPI driver. I have not tested wolfTPM with the i.MX8Q, but we do have customers using that platform. If this is a commercial effort you might considering using our consulting services to help port. Feel free to send an email to support@wolfssl.com and mention this ticket along with your project and contact details.
Thanks,
David Garske, wolfSSL
Hi Hadrien,
This code will only work with a TPM 2.0 module. With a TPM 1.2 module it will fail. Sorry I don't have any example of how that failure would look.
Thanks,
David Garske, wolfSSL
Hi JA,
The Infineon SLB9670 does not require SPI wait states. In fact it is the only TPM module that doesn't require the SPI wait states.
Some things to try:
1) Lowering or increasing the SPI bus speed.
2) Give additional time for the SPI CS and first clock
3) Make sure your SPI mode is 0 (CPOL=0, CPHA=0).
For reference: To use a SPI wait state:
1) Assert chip select (low)
2) Send 4 byte header
3) Read a single byte and checks for the MSB (0x80) is set (read single byte until set) Typically 1-2 times.
4) Read remainder
5) De-assert chip select (high)
Here is a simple get capabilities for an Infineon SLB9670 on my Raspberry Pi:
PI4:pi@raspberrypi:~/wolftpm $ ./examples/wrap/wrap_test
TPM2 Demo for Wrapper API's
Found TPM @ /dev/spidev0.0
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 00 00 | .....
00 00 00 01 a1 | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 00 00 | .....
40 00 00 01 a1 | @....
TPM2_IoCb: Ret 0, Sz 8
83 d4 00 14 00 00 00 00 | ........
40 00 00 01 97 06 00 30 | @......0
TPM2_IoCb: Ret 0, Sz 8
83 d4 0f 00 00 00 00 00 | ........
00 00 00 01 d1 15 1b 00 | ........
TPM2_IoCb: Ret 0, Sz 5
80 d4 0f 04 00 | .....
00 00 00 01 16 | .....
TPM2: Caps 0x30000697, Did 0x001b, Vid 0x15d1, Rid 0x16
Command: 12
80 01 00 00 00 0c 00 00 01 44 00 00 | .........D..
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 44 | @...D
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
40 00 00 01 ff 00 | @.....
TPM2_IoCb: Ret 0, Sz 16
0b d4 00 24 80 01 00 00 00 0c 00 00 01 44 00 00 | ...$.........D..
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 | ................
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 0c | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 20 | ....
40 00 00 01 00 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 84 | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 94 | @....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
00 00 00 01 0a 00 | ......
TPM2_IoCb: Ret 0, Sz 14
89 d4 00 24 00 00 00 00 00 00 00 00 00 00 | ...$..........
00 00 00 01 80 01 00 00 00 0a 00 00 01 00 | ..............
Response: 10
80 01 00 00 00 0a 00 00 01 00 | ..........
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 40 | ....@
00 00 00 01 00 | .....
TPM2_Startup pass
Command: 11
80 01 00 00 00 0b 00 00 01 43 01 | .........C.
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 44 | ....D
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
40 00 00 01 ff 00 | @.....
TPM2_IoCb: Ret 0, Sz 15
0a d4 00 24 80 01 00 00 00 0b 00 00 01 43 01 | ...$.........C.
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 | ...............
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 0c | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 20 | ....
40 00 00 01 00 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 84 | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 80 | @....
...
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 80 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 94 | @....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
00 00 00 01 0a 00 | ......
TPM2_IoCb: Ret 0, Sz 14
89 d4 00 24 00 00 00 00 00 00 00 00 00 00 | ...$..........
00 00 00 01 80 01 00 00 00 0a 00 00 00 00 | ..............
Response: 10
80 01 00 00 00 0a 00 00 00 00 | ..........
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 40 | ....@
00 00 00 01 00 | .....
TPM2_SelfTest pass
Command: 22
80 01 00 00 00 16 00 00 01 7a 00 00 00 06 00 00 | .........z......
01 05 00 00 00 08 | ......
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 44 | ....D
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
40 00 00 01 ff 00 | @.....
TPM2_IoCb: Ret 0, Sz 26
15 d4 00 24 80 01 00 00 00 16 00 00 01 7a 00 00 | ...$.........z..
00 06 00 00 01 05 00 00 00 08 | ..........
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 | ..........
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 0c | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 20 | ....
40 00 00 01 00 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 84 | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 84 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 94 | @....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
40 00 00 01 53 00 | @...S.
TPM2_IoCb: Ret 0, Sz 14
89 d4 00 24 00 00 00 00 00 00 00 00 00 00 | ...$..........
00 00 00 01 80 01 00 00 00 53 00 00 00 00 | .........S....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 94 | .....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
40 00 00 01 49 00 | @...I.
TPM2_IoCb: Ret 0, Sz 68
bf d4 00 24 00 00 00 00 00 00 00 00 00 00 00 00 | ...$............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 | ....
00 00 00 01 01 00 00 00 06 00 00 00 08 00 00 01 | ................
05 49 46 58 00 00 00 01 06 53 4c 42 39 00 00 01 | .IFX.....SLB9...
07 36 37 30 00 00 00 01 08 00 00 00 00 00 00 01 | .670............
09 00 00 00 00 00 00 01 0a 00 00 00 00 00 00 01 | ................
0b 00 07 00 | ....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 94 | .....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
00 00 00 01 09 00 | ......
TPM2_IoCb: Ret 0, Sz 13
88 d4 00 24 00 00 00 00 00 00 00 00 00 | ...$.........
00 00 00 01 55 00 00 01 0c 00 11 cb 00 | ....U........
Response: 83
80 01 00 00 00 53 00 00 00 00 01 00 00 00 06 00 | .....S..........
00 00 08 00 00 01 05 49 46 58 00 00 00 01 06 53 | .......IFX.....S
4c 42 39 00 00 01 07 36 37 30 00 00 00 01 08 00 | LB9....670......
00 00 00 00 00 01 09 00 00 00 00 00 00 01 0a 00 | ................
00 00 00 00 00 01 0b 00 07 00 55 00 00 01 0c 00 | ..........U.....
11 cb 00 | ...
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 40 | ....@
00 00 00 01 00 | .....
Command: 22
80 01 00 00 00 16 00 00 01 7a 00 00 00 06 00 00 | .........z......
01 2d 00 00 00 01 | .-....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 44 | ....D
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
40 00 00 01 ff 00 | @.....
TPM2_IoCb: Ret 0, Sz 26
15 d4 00 24 80 01 00 00 00 16 00 00 01 7a 00 00 | ...$.........z..
00 06 00 00 01 2d 00 00 00 01 | .....-....
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 | ..........
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 84 | .....
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 20 | ....
40 00 00 01 00 | @....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 84 | .....
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
40 00 00 01 94 | @....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
00 00 00 01 1b 00 | ......
TPM2_IoCb: Ret 0, Sz 14
89 d4 00 24 00 00 00 00 00 00 00 00 00 00 | ...$..........
00 00 00 01 80 01 00 00 00 1b 00 00 00 00 | ..............
TPM2_IoCb: Ret 0, Sz 5
80 d4 00 18 00 | .....
00 00 00 01 94 | .....
TPM2_IoCb: Ret 0, Sz 6
81 d4 00 19 00 00 | ......
00 00 00 01 11 00 | ......
TPM2_IoCb: Ret 0, Sz 21
90 d4 00 24 00 00 00 00 00 00 00 00 00 00 00 00 | ...$............
00 00 00 00 00 | .....
00 00 00 01 01 00 00 00 06 00 00 00 01 00 00 01 | ................
2d 00 00 00 01 | -....
Response: 27
80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 | ................
00 00 01 00 00 01 2d 00 00 00 01 | ......-....
TPM2_IoCb: Ret 0, Sz 5
00 d4 00 18 40 | ....@
00 00 00 01 00 | .....
Mfg IFX (1), Vendor SLB9670, Fw 7.85 (4555), FIPS 140-2 1, CC-EAL4 1Thanks,
David Garske, wolfSSL
Hi Scott,
Did you see this example?
https://github.com/wolfSSL/wolfssl-exam … mes.c#L145
I will have another engineer provide some additional examples. For reference the test case I was using for Scott is posted here:
https://drive.google.com/file/d/15QOGFB … sp=sharing
Thanks,
David Garske, wolfSSL
Hi Scott,
Thanks for your feedback on Doxygen quality and will bring up with the team. We strive to keep things well documented, provide timely support and quality examples.
David Garske, wolfSSL
Hi Scott,
I found a couple bugs in your code:
1) The wc_SignCert needs to pass the existing dercert that was used on wc_MakeCert.
2) The output size from wc_SignCert was not being captured and used.
Here is the fully working example, which can be used from the wolfSSL root:
#include <stdio.h>
#include "wolfssl/options.h"
#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/wolfcrypt/asn_public.h" /* Used for cert generation */
#include "wolfssl/wolfcrypt/random.h"
#include "wolfssl/wolfcrypt/rsa.h" /* Used for RNG and RSA Key */
/*
./configure CFLAGS="-DKEEP_PEER_CERT -DWOLFSSL_ALT_NAMES" --enable-keygen --enable-certgen --enable-sni --enable-debug && make
sudo make install
gcc -Wall -g -o certgen_sign -lwolfssl certgen_sign.c
*/
#define MAX_BUF_SZ 4096
int main() {
int res;
word32 idx = 0;
RsaKey genKey;
RsaKey cakey;
WC_RNG rng;
FILE *fp;
int cacertbufsize;
byte cacertbuf[MAX_BUF_SZ*2];
byte cacertder[MAX_BUF_SZ];
int cakeybufsize;
byte cakeybuf[MAX_BUF_SZ];
byte pemcert[MAX_BUF_SZ];
byte dercert[MAX_BUF_SZ];
int certsize;
int certpemsize;
byte caderkey[MAX_BUF_SZ];
int keysize;
byte keyDer[MAX_BUF_SZ];
int keypemsize;
byte keypem[MAX_BUF_SZ];
Cert testcert;
memset(&rng, 0, sizeof(rng));
memset(&cakey, 0, sizeof(cakey));
memset(&genKey, 0, sizeof(genKey));
memset(&testcert, 0, sizeof(testcert));
res = wc_InitRng(&rng);
if (res != 0) goto exit;
res = wc_InitRsaKey(&genKey,0);
if (res != 0) goto exit;
res = wc_MakeRsaKey(&genKey, 2048, 65537, &rng);
if (res != 0) goto exit;
/* Save off the private key we are going to use */
res = wc_RsaKeyToDer(&genKey, keyDer, sizeof(keyDer));
if (res < 0) goto exit;
keysize = res;
res = wc_DerToPem(keyDer, keysize, keypem, sizeof(keypem), PRIVATEKEY_TYPE);
if (res < 0) goto exit;
keypemsize = res;
/* Save the new private key */
fp = fopen("TestprivateKey.pem", "w+");
if (fp == NULL) { res = -1; goto exit; }
fwrite(keypem, 1, keypemsize, fp);
fclose(fp);
/* Create a CERT */
wc_InitCert(&testcert);
testcert.sigType = CTC_SHA256wRSA;
testcert.isCA = 0;
strcpy(testcert.subject.country, "US");
strcpy(testcert.subject.state, "ZZ");
strcpy(testcert.subject.locality, "This City");
strcpy(testcert.subject.org, "Yada");
strcpy(testcert.subject.unit, "Dev");
strcpy(testcert.subject.commonName, "www.whatever.com");
strcpy(testcert.subject.email, "Info@whatever.com");
/* Use for SELF SIGNED */
//certsize = wc_MakeSelfCert(&testcert, dercert, sizeof(dercert), &genKey, &rng);
/* Use to sign it */
/* Load the CA cert to use */
fp = fopen("./certs/ca-cert.pem", "r");
if (fp == NULL) { res = -1; goto exit; }
cacertbufsize = fread(cacertbuf, 1, sizeof(cacertbuf), fp);
fclose(fp);
/* Need to convert it to DER */
res = wc_CertPemToDer(cacertbuf, cacertbufsize, cacertder, sizeof(cacertder), CERT_TYPE);
if (res < 0) goto exit;
cacertbufsize = res;
res = wc_SetIssuerBuffer(&testcert, cacertder, cacertbufsize);
if (res != 0) goto exit;
/* Now we can make the certificate */
res = wc_MakeCert_ex(&testcert, dercert, sizeof(dercert), RSA_TYPE, &genKey, &rng);
if (res < 0) goto exit;
certsize = res;
/* Now load the CA key */
fp = fopen("./certs/ca-key.pem", "r");
if (fp == NULL) { res = -1; goto exit; }
cakeybufsize = fread(cakeybuf, 1, sizeof(cakeybuf), fp);
fclose(fp);
/* Need to conver it to DER */
wc_InitRsaKey(&cakey, 0);
res = wc_KeyPemToDer(cakeybuf, cakeybufsize, caderkey, sizeof(caderkey), NULL /* no password */);
if (res < 0) goto exit;
cakeybufsize = res;
res = wc_RsaPrivateKeyDecode((const byte *)caderkey, &idx, &cakey, cakeybufsize);
if (res < 0) goto exit;
/* Now we sign the certificate */
res = wc_SignCert(testcert.bodySz, testcert.sigType, dercert, sizeof(dercert), &cakey, NULL, &rng);
if (res < 0) goto exit;
certsize = res;
/* Save the signed signed cert (DER) */
fp = fopen("TestprivateCert.der", "w+");
if (fp == NULL) { res = -1; goto exit; }
fwrite(dercert, 1, certsize, fp);
fclose(fp);
/* Convert the DER to PEM */
res = wc_DerToPem(dercert, certsize, pemcert, sizeof(pemcert), CERT_TYPE);
if (res < 0) goto exit;
certpemsize = res;
res = 0; /* success */
/* Save the signed signed cert (PEM) */
fp = fopen("TestprivateCert.pem", "w+");
if (fp == NULL) { res = -1; goto exit; }
fwrite(pemcert, 1, certpemsize, fp);
fclose(fp);
exit:
printf("Result %d\n", res);
wc_FreeRsaKey(&cakey);
wc_FreeRsaKey(&genKey);
wc_FreeRng(&rng);
return res;
}Thanks,
David Garske, wolfSSL
Hi Hadrien,
It looks like you have an Infineon TPM 2.0 module, which is fully supported. You've probably already seen this documentation? https://github.com/wolfSSL/wolfTPM/blob … ndowTBS.md
cd wolftpm/
./autogen.sh
./configure --prefix="$PREFIX" --enable-winapi
make
./examples/wrap/wrap_testThere are two interfaces available to use. 1) The "TPM2_" standard API and 2) The "wolfTPM2_" wrappers.
The easiest will be the wrappers and the code looks like this:
WOLFTPM2_DEV dev;
WOLFTPM2_CAPS caps;
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) return rc;
rc = wolfTPM2_GetCapabilities(&dev, &caps);
if (rc != 0) goto exit;
printf("Mfg %s (%d), Vendor %s, Fw %u.%u (%u), "
"FIPS 140-2 %d, CC-EAL4 %d\n",
caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor,
caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4);Thanks,
David Garske, wolfSSL
Hi Scott,
I will load up your test and see if I can spot the issue. I do have some other cert gen/sign examples that are not public.
Note: The API `wc_KeyPemToDer` used to be named `wolfSSL_KeyPemToDer`, which you will find docs for.
Thanks,
David Garske, wolfSSL
Hi Scott,
Have you see our wolfssl-examples repo? Specifically these examples for CSR generation and signing?
https://github.com/wolfSSL/wolfssl-exam … er/certgen
We also have a good one in wolfTPM here:
https://github.com/wolfSSL/wolfTPM/blob … /csr/csr.c
I also saw your note about Doxygen quality and will bring up with the team.
Thanks,
David Garske, wolfSSL
Hi Celioaragaof48,
Our wolfSSL library does support CMake, but the Visual Studio projects were created manually. The wolfTPM support for the TBS (Windows TPM) currently uses MSYS to build (see https://github.com/wolfSSL/wolfTPM/blob … owTBS.md).
Can you tell me a bit more about your project by sending us a direct email to support@wolfssl.com and reference this forum post. I think it would be useful to add a Visual Studio wolfTPM TBS project.
Thanks,
David Garske, wolfSSL
Hi Keeperp,
I located the issue. Fixes have been pushed here:
https://github.com/wolfSSL/wolfssl/pull/4066
The ecc_map_ex should not be used with PKA, since it is handled in hardware. The tests are all passing now.
Thanks,
David Garske, wolfSSL
Hi Keeperp,
At first I ran this test on my STM32WB55 and it worked, but realized you were using math = 1 (fast math) and I was using SP math.
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/hash.h>
void custom_test(void)
{
void* _wcHeapHint = NULL;
int wc_ret;
ecc_key key;
uint32_t keysize = wc_ecc_get_curve_size_from_id(ECC_SECP256R1);
WC_RNG rng;
byte test[] = "sunny days!", sig[72];
memset(sig, 0, sizeof(sig));
uint32_t sigLen = sizeof(sig);
uint8_t hash[WC_SHA256_DIGEST_SIZE];
memset(hash, 0, sizeof(hash));
uint32_t hash_len = WC_SHA256_DIGEST_SIZE;
int32_t isVerified = 0;
//HAL_PKA_Init(&hpka);
wc_ret = wc_InitRng_ex(&rng, _wcHeapHint, INVALID_DEVID);
wc_ret |= wc_ecc_init_ex(&key, _wcHeapHint, INVALID_DEVID);
wc_ret |= wc_ecc_make_key_ex(&rng, keysize, &key, ECC_SECP256R1);
printf("Make Key %d\n", wc_ret);
// Produce a hash of the input data
wc_ret = wc_Hash(WC_HASH_TYPE_SHA256, test, sizeof(test), hash, hash_len);
printf("HASH %d\n", wc_ret);
wc_ret = wc_ecc_sign_hash(hash, hash_len, sig, (word32*)&sigLen, &rng, &key);
printf("SIGN %d\n", wc_ret);
wc_ret = wc_ecc_verify_hash(sig, sigLen, hash, hash_len, (int*)&isVerified, &key);
printf("VERIFY %d, %d\n", wc_ret, isVerified);
}Results:
Make Key 0
HASH 0
SIGN 0
VERIFY 0, 1I am debugging the fast math case and should have a fix shortly.
Thanks,
David Garske, wolfSSL
Hi Keeperp,
Thanks for your question and interest in using the STM32WB55 PKA. I have the same STM32 hardware here to try this on.
At first glance this example should work. However you are using the private key to verify, so that could be why the hardware is confused.
If you exported the public key and imported it into a new ecc_key struct it might work better. Something like `wc_ecc_export_x963` and `wc_ecc_import_x963` would do the job.
Thanks,
David Garske, wolfSSL
Hi Scott,
See here for a list of SP math build options:
https://github.com/wolfSSL/wolfssl/blob … _int.c#L42
For the assembly an you try using `WOLFSSL_SP_ARM32_ASM`
Try disabling DH (NO_DH) and only use RSA and ECC. For SP related build options try just these:
#define WOLFSSL_SP_MATH
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096
#define WOLFSSL_SP_ARM32_ASM
#define NO_DH
#define HAVE_ECCThanks,
David Garske, wolfSSL
Hi Scott,
Make sure you set `WOLFSSL_SP_4096` to enable 4096-bit support for SP math. Also set `WOLFSSL_HAVE_SP_RSA` and `WOLFSSL_HAVE_SP_DH` to speedup RSA/DH with SP math.
For this A8 you can also enable SP assembly speedups for RSA/DH and ECC using `WOLFSSL_SP_ARM_THUMB_ASM`. If the code size grows too large you can use `WOLFSSL_SP_SMALL`. You might also consider disabling DH and use just ECDHE for the key share using `NO_DH`.
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → Posts by dgarske
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.024 seconds (81% PHP - 19% DB) with 5 queries