Hi @kaleb,

Do you have a chance of see my question?



I forgot to say that I already integrated wolfssl in my firmware and the HTTPS site is correctly working in my emulator (windows -> vs2017, emulating LWIP over winsock2).

So, the only missing part is to move all the code into the device, using the printer's certificate and chip's privkey in place of the cert/key you provided in the examples (https://github.com/wolfSSL/wolfssl-exam … master/tls).


Hi Kaleb,

As commented in other forum's posts, I'm working in the firmware for a fiscal printer (Argentina).
All other requisites (RSA through a crypto chip, CSR generation, CERT validation, PKCS7 generation and signing) were fullfilled.

Now, I'm working in an embedded https server that each fiscal printer must expose, with a simple site used by inspectors to grab audit info.

The website exposed by each printer must be HTTPS and only usable when the connected browser send a certificate issued by our fiscal administration (in replace of any login/password schema). Of course, I have a CA root certificate to validate the inspector's certificate.

To develop the site, I used the httpd example (from lwip distribution), with SSI and CGI enabled. This website is working fine (as a pure HTTP, not HTTPS) and is time to move it from HTTP to HTTPS. The transport is LWIP over FreeRTOS.

I have the printer's certificate with the public key, and a crypto chip with the related private key. But the private key is not accesible nor extraible from the crypto chip.

I think that I could obtain a valid certificate already trusted by a some CA, with a different private key. But I modified your rsa.c in a way that all operations related to a private key are redirected to the crypto chip and I'm trying to avoid to touch that source code again.

So, I need to skip the injection of a private key using wolfSSL_CTX_use_PrivateKey_file(...) without disturbing TLS working.

Hope this explanation is clear. Else, don't hesitate to let me know.


I have working a test implementation of TLS, after modifying the httpd.c example. But, by now, I'm using your example of server cert/key files.

Now, I need to use a crypto chip and avoid the call to wolfSSL_CTX_use_PrivateKey_file(...) because the private key is not available outside the crypto chip. Of course, the public key in the certificate I'm using match the private key in the crypto chip.

NOTE: I already have the RSA engine redirected to crypto chip - Encryption/Decryption is working fine without the private key for, as example signing pkcs7 files.

Is this scenario supported?

Thanks in advance!


(2 replies, posted in wolfCrypt)

Hi Chris,

I'm working in the firmware of a new fiscal printer (for Argentina). It is including a crypto chip (vaultic 405) and I already modified wolf to delegate some rsa functions to that chip. (see https://www.wolfssl.com/forums/topic113 … hips.html)

Another requisite is to exchange some files with the authoritiy in argentina. Those files *must* be cms (pkcs7) signed but not encrypted. One of the files to send is an electronic journal of, possibly, several mb, and the hardware doesn't have so much ram.

I already fixed a bug in pkcs7 when data is extracted from cms file. (Handling the case of more than one bitstream of data - I'm not sure why I'm receiving files from argentina's authority in which the bitstreams are not larger than 1000 bytes and 2 or more consecutive bitstreams are pushed into ASN structure)

Coming back to my work, thanks for the points about hashing. Do you have any guide about how to stream out the asn?

Thanks for taking your time to answer my questions!


(2 replies, posted in wolfCrypt)


I have a requisite to write an XML file as PKCS7 file, signed but not encripted. After a bit of research/debug, I arranged to succesfully do this task with code around 'wc_PKCS7_EncodeSignedData'. It work pretty well and fast.

But my xml file could be very large (around 40mb). My board have an 8gb sdcard on which a filesystem is implemented, but the working ram is very limited (not more of 4mb free). So, I need to feed the data to 'EncodeSignedData' in small chunks, and your function must flush the asn through another function, in small chunks too.

Is this case  implemented in WolfSSL?
I'm crossing the fingers, waiting for a positive answer. But, if no, could you give some tips to implement this kind of functionallity by myself?


Thanks for the tips, Kaleb. I did a couple of minor tests and it worked as a charm!

I opted for the approach #1 but, sadly, I cannot submit any work as a contributor because I signed an NDA with WiseKey before they supplied the API to me.


I'm developing the firmware for an already existant hardware, that is using an ST32F207 as MCU and the VaultIC cryptographic chip from WiseKey (https://www.wisekey.com/vaultic405/).

By an strict requirement, I need to maintain the private RSA key inside the vaultic, and sign/encrypt/decrypt only using chip's API. More: The private key is protected into the chip and canot be exported or extracted.

I need to:

- Generate and sign a CSR (done)
- Handle X509 certificates (done)
- Generate and sign VERY BIG xml files, exporting them as CMS (PKCS7) (Done, but only for small files)
- Implement an HTTPS web server (partially done - working in this)

The list above is only to illustrate in which scenarios I will probably need to work with the private key. I read that WolfSSL was already adapted to a bunch of chips with hardware acceleration for cryptographic functions, but I cannot find by myself how to replace any sign/verify done by software with the same functions implemented in external chips.

So, my questions are 2:

- How to use the functions of an external cryptographic chip to replace only the RSA sing/verify functions in wolfssl?
- How to generate big signed CMS (PKCS#7) files, in environmentes with restricted working ram but with big disks in sdcard?

Thank you in advance!!