I am working with wolfSSL to generate some Root, Intermediate and Leaf Certificates. I am trying to mark some restrictions as critical and others as non-critical.

My problem is, in my usce case, the Basic Constraints (OID shall be present and marked as "critical". The CA component shall be false in a Leaf Certificate and true for a non-Leaf Certificate. The problem is that I can't mark this extension as "critical". Also, the Key Usage (OID  shall be present but not marked as "critical". Here is an snippet of a correct certificate that is my goal:

X509v3 extensions:
     X509v3 Basic Constraints: critical
     X509v3 Key Usage:
          Certificate Sign, CRL Sign

But what I could generate so far with wolfSSL was this:

X509v3 extensions:
     X509v3 Basic Constraints:
     X509v3 Key Usage: critical
          Certificate Sign, CRL Sign

I am using the wc_SetKeyUsage() for the Key Usage; and the variable "isCA = true" for the Basic Constraints


(3 replies, posted in wolfTPM)

Hello Jeff,

I tested your solution and the last updates/fixes solved my problem and is working fine in my use case.

Thank you for your help and support!


(3 replies, posted in wolfTPM)


I am trying to use wolfTPM wrappers to encrypt some data (random number) using a PEM RSA public key. My use case is to read a PEM containing a Public RSA Key and convert this external public key in a key to be used in wolfTPM. This can be done using the wolfTPM2_RsaKey_PubPemToTpm() wrapper. Next, I am using the loaded RSA key (WOLFTPM2_KEY) to encrypt some data using the  wolfTPM2_RsaEncrypt() wrapper.

My goal is to use RSA/ECB/PKCS1Padding as cypher type on the encryption operation, but I am not getting how to set this parameters on the wolfTPM2_RsaEncrypt() wrapper. Does the wolfTPM has support for this operation? Does the encryption wrapper's scheme parameter have anything related to it? For example, TPM_ALG_NULL, TPM_ALG_OAEP or TPM_ALG_RSAES?

I've already used the wolfTPM wrappers to encrypt some data with the public key generated using some Online RSA Key Generator (https://www.devglan.com/online-tools/rs … decryption), then I got the encrypted data and tryied to decrypt it using the private part of the key on the Online RSA Key Generator, but the decryption fails with RSA/ECB/PKCS1Padding as cypher type.

Thanks in advance.


(4 replies, posted in wolfTPM)

Hi Dimi,

Thank you for your help! I'll check this new version and examples.



(7 replies, posted in wolfTPM)

Hi Jeff,

Currently, I am working with curl version 7.78.0 (https://curl.se/download.html) configured with wolfSSL. wolfTPM is configured to use Windows TBS. Here is the simplified code just for test purposes and better understanding. In this simple use case the TPM Properties need to be obtained, specifically in this example only the amount of PCRs is returned.

#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>

#include <stdio.h>
#include <stdlib.h>

#include <curl/curl.h>

#include "tpm_io.h"
#include "tpm_test.h"
#include "tpm_test_keys.h"

int sendPcrsQuantity(int pcrQuantity) {
    CURL* curl;
    CURLcode res;

    curl = curl_easy_init();

    char postBuffer[12];
    snprintf(postBuffer, 12, "pcrCount=%d", pcrQuantity);
    if (curl) {

        curl_easy_setopt(curl, CURLOPT_URL, "http://localhost:8080/pcrs");
        curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, postBuffer);
        curl_easy_setopt(curl, CURLOPT_USERAGENT, "libcrp/0.1");

        res = curl_easy_perform(curl);

        if (res != CURLE_OK){
            fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
            return -1;


    return 0;

int getTpmProperties(){
    WOLFTPM2_DEV dev;
    WOLFTPM2_CAPS caps;
    int rc = -1;
    int pcrCount = 0;

    void* userCtx = NULL;
    union {
        GetCapability_In cap;
        byte maxInput[MAX_COMMAND_SIZE];
    } cmdIn;

    union {
        GetCapability_Out cap;
        byte maxOutput[MAX_RESPONSE_SIZE];
    } cmdOut;
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
        return 0;
    printf("wolfTPM2_Init: success\n");
    cmdIn.cap.capability = TPM_CAP_TPM_PROPERTIES;
    cmdIn.cap.property = TPM_PT_PCR_COUNT;
    cmdIn.cap.propertyCount = 1;
    rc = TPM2_GetCapability(&cmdIn.cap, &cmdOut.cap);
    if (rc != TPM_RC_SUCCESS) {
        printf("TPM2_GetCapability failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
        return -1;
    tpmProp = &cmdOut.cap.capabilityData.data.tpmProperties;
    pcrCount = tpmProp->tpmProperty[0].value;
    printf("TPM2_GetCapability: success\n");
    printf("There are %d PCRs\n", pcrCount);
    rc = sendPcrsQuantity(pcrCount);
    if (rc != 0){
        printf("Error sending pcrs\n");
        return -1;
    wolfTPM2_Shutdown(&dev, 0);
    return 0;

int main(void) {
    int rc = -1;
    rc = getTpmProperties();
    return rc;

Apparently, the problem happens after wolfTPM and curl header definitions. Even if I remove all the working code, leaving just the wolfTPM and curl headers, it doesn't compile. Or if I remove one of them and the associated code, the test works fine.



(7 replies, posted in wolfTPM)

Hi Jeff,

thanks for your answer and solution. After the updates I could build wolfTPM with "winapi" and worked fine. Thank you!

Just some details aren't working, for example, in my use case I'm working with wolfTPM and libcurl and after these changes, I think there is a conflict between wolfTPM build for Windows and curl.

$ gcc curl_wolftpm_winapi_test.c tpm_io.c tpm_test_keys.c -lcurl -lwolfssl -lwolftpm -lcjson -lz -o curl_wolftpm_winapi_test
In file included from curl_wolftpm_winapi_test.c:13:
/usr/include/curl/curl.h:135:9: error: unknown type name ‘SOCKET’
  135 | typedef SOCKET curl_socket_t;

I don't know if this is the right post to discuss this error or I need to create another one.


(7 replies, posted in wolfTPM)

Hi David,

I am working with MSYS2 (https://www.msys2.org/) on Windows 10 x64. I have an update about this issue.

Until now, I was running "msys2.exe" command line. But, after I tested running "mingw64.exe", wich includes the "tbs.h" and "windows.h" in the path "C:\msys64\mingw64\x86_64-w64-mingw32\include". After this, I got a new error and new messages.
Here is the output. Sorry for the large amount of information in the log.

$ make
make -j5  all-am
make[1]: Entering directory '/home/Messias/wolftpm'
  CC       examples/keygen/keyload.o
  CC       examples/tpm_test_keys.o
  CC       examples/tpm_io.o
  CC       src/libwolftpm_la-tpm2.lo
  CC       src/libwolftpm_la-tpm2_packet.lo
  CC       src/libwolftpm_la-tpm2_wrap.lo
  CC       src/libwolftpm_la-tpm2_tis.lo
  CC       src/libwolftpm_la-tpm2_param_enc.lo
src/tpm2_packet.c: In function 'ByteReverseWord64':
src/tpm2_packet.c:91:68: warning: left shift count >= width of type [-Wshift-count-overflow]
   91 |         return (word64)((word64)ByteReverseWord32((word32) value)) << 32 |
      |                                                                    ^~
src/tpm2_packet.c:92:68: warning: right shift count >= width of type [-Wshift-count-overflow]
   92 |                         (word64)ByteReverseWord32((word32)(value   >> 32));
      |                                                                    ^~
  CC       src/libwolftpm_la-tpm2_winapi.lo
  CC       examples/keygen/keygen.o
  CC       examples/keygen/keyimport.o
  CC       examples/nvram/store.o
  CC       examples/nvram/read.o
  CC       examples/native/native_test.o
  CC       examples/wrap/wrap_test.o
  CC       examples/bench/bench.o
  CC       examples/tls/tls_client.o
  CC       examples/tls/tls_client_notpm.o
  CC       examples/tls/tls_server.o
  CC       examples/csr/csr.o
  CC       examples/pkcs7/pkcs7.o
  CC       examples/timestamp/signed_timestamp.o
  CC       examples/timestamp/clock_set.o
  CC       examples/pcr/quote.o
  CC       examples/pcr/extend.o
  CC       examples/pcr/reset.o
  CC       examples/management/flush.o
  CC       examples/gpio/gpio_config.o
  CC       examples/gpio/gpio_read.o
  CC       examples/gpio/gpio_set.o
  CC       examples/seal/seal.o
  CC       examples/seal/unseal.o
  CC       examples/attestation/make_credential.o
  CC       examples/attestation/activate_credential.o
  CC       tests/unit_test-unit_tests.o
  CC       examples/tests_unit_test-tpm_io.o
  CCLD     src/libwolftpm.la

*** Warning: linker path does not have real file for library -ltbs.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have
*** because I did check the linker path looking for a file starting
*** with libtbs and none of the candidates passed a file format test
*** using a file magic. Last file checked: /usr/lib/w32api/libtbs.a

*** Warning: linker path does not have real file for library -lpthread.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have
*** because I did check the linker path looking for a file starting
*** with libpthread and none of the candidates passed a file format test
*** using a file magic. Last file checked: /usr/lib/libpthread.a
*** The inter-library dependencies that have been dropped here will be
*** automatically added whenever a program is linked with this library
*** or is declared to -dlopen it.

*** Since this library must not contain undefined symbols,
*** because either the platform does not support them or
*** it was explicitly requested with -no-undefined,
*** libtool will only create a static version of it.
  CCLD     examples/keygen/keyload.exe
  CCLD     examples/keygen/keygen.exe
  CCLD     examples/keygen/keyimport.exe
  CCLD     examples/nvram/store.exe
  CCLD     examples/nvram/read.exe
  CCLD     examples/native/native_test.exe
  CCLD     examples/wrap/wrap_test.exe
  CCLD     examples/bench/bench.exe
  CCLD     examples/tls/tls_client.exe
  CCLD     examples/tls/tls_client_notpm.exe
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0xdf): undefined reference to `__imp_send'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x1f4): undefined reference to `__imp_recv'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x44b): undefined reference to `__imp_closesocket'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x463): undefined reference to `__imp_closesocket'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x52f): undefined reference to `__imp_WSAStartup'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x556): undefined reference to `__imp_htons'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x568): undefined reference to `__imp_gethostbyname'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x59a): undefined reference to `__imp_socket'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x5be): undefined reference to `__imp_connect'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client_notpm.o:tls_client_notpm.c:(.text+0x709): undefined reference to `__imp_inet_addr'
collect2.exe: error: ld returned 1 exit status
make[1]: *** [Makefile:1778: examples/tls/tls_client_notpm.exe] Error 1
make[1]: *** Waiting for unfinished jobs....
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0xdf): undefined reference to `__imp_send'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0x1f4): undefined reference to `__imp_recv'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0x9aa): undefined reference to `__imp_closesocket'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0x9c2): undefined reference to `__imp_closesocket'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0xd5c): undefined reference to `__imp_WSAStartup'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0xd8c): undefined reference to `__imp_htons'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0xda1): undefined reference to `__imp_gethostbyname'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0xdd6): undefined reference to `__imp_socket'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0xdfa): undefined reference to `__imp_connect'
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.3.0/../../../../x86_64-w64-mingw32/bin/ld.exe: examples/tls/tls_client.o:tls_client.c:(.text+0x100e): undefined reference to `__imp_inet_addr'
collect2.exe: error: ld returned 1 exit status
make[1]: *** [Makefile:1772: examples/tls/tls_client.exe] Error 1
make[1]: Leaving directory '/home/Messias/wolftpm'
make: *** [Makefile:1340: all] Error 2


(7 replies, posted in wolfTPM)


I am running wolfTPM along with IBM Simulator through "--enable-swtpm" flag. But, after some tests and advancing, I decided to run wolfTPM along with Windows TBS, enabling the "--enable-winapi" flag. I followd the "WindowTBS.md" instructions on wolfTPM GitHub Repository, but I'm having troubles with this.

I am running the commands in MSYS2 on Windows 10, and everything appears fine, until the "make" command be executed. Here is the output.

$ make
make -j5  all-am
make[1]: Entering directory '/home/Messias/wolfssl/wolftpm'
  CC       examples/keygen/keygen.o
  CC       examples/keygen/keyimport.o
In file included from ./wolftpm/tpm2_wrap.h:25,
                 from examples/keygen/keygen.c:24:
./wolftpm/tpm2.h:1661:3: error: unknown type name ‘TBS_HCONTEXT’
 1661 |   TBS_HCONTEXT tbs_context;
      |   ^~~~~~~~~~~~
In file included from ./wolftpm/tpm2_wrap.h:25,
                 from examples/keygen/keyimport.c:24:
./wolftpm/tpm2.h:1661:3: error: unknown type name ‘TBS_HCONTEXT’
 1661 |   TBS_HCONTEXT tbs_context;
      |   ^~~~~~~~~~~~
make[1]: *** [Makefile:1883: examples/keygen/keygen.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:1883: examples/keygen/keyimport.o] Error 1
make[1]: Leaving directory '/home/Messias/wolfssl/wolftpm'
make: *** [Makefile:1340: all] Error 2

Apparently some recognition issue with the TBS header. Does anyone know why this problem is happening and how to solve it? Thanks in advance.


(4 replies, posted in wolfTPM)

Hi Dimi,

thanks for your help and attention. I started making the changes indicated but got a different response code (TPM_RC_BAD_AUTH: Authorization failure without DA implications). If you can provide a new example showing the use case using EK that would be great. In the meantime I will continue working on these modifications and hope to be able to use the commands correctly.

Messias Filho


(4 replies, posted in wolfTPM)


I am working with wolfTPM to perform remote attestation. I ran the "Remote Attestation Examples" provided and it worked. But in my use case I'm working with the EK instead the SRK (wich is the key used in the examples). I had succes using makeCredential with EK Handle, but no success solving the challenge using activateCredential and EK Handle. The response code returned is TPM_RC_AUTH_UNAVAILABLE, more specifically this is the message returned:

TPM2_ActivateCredentials failed 0x12f: TPM_RC_AUTH_UNAVAILABLE: The authValue or authPolicy is not available for selected entity

Here is a code snippet just to make it more clear. I tried to modify the code to guarantee the authorization for EK Handle, but no success. Do you have any idea how to solve this problem?

    /* Activate Credential command */
    XMEMSET(&cmdIn.policyCommandCode, 0, sizeof(cmdIn.policyCommandCode));
    cmdIn.policyCommandCode.policySession = tpmSession.handle.hndl;
    cmdIn.policyCommandCode.code = TPM_CC_ActivateCredential;
    rc = TPM2_PolicyCommandCode(&cmdIn.policyCommandCode);
    if (rc != TPM_RC_SUCCESS) {
        printf("policyCommandCode failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
        goto exit;
    printf("TPM2_policyCommandCode success\n"); /* No command response payload */

    /* Prepare Key Auths in correct order for ActivateCredential */
    wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);
    //wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
    wolfTPM2_SetAuthHandle(&dev, 1, &endorse.handle);

    /* Prepare the Activate Credential command */
    XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred));
    XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred));
    cmdIn.activCred.activateHandle = akKey.handle.hndl;
    cmdIn.activCred.keyHandle = endorse.handle.hndl;

    /* Read credential from server response */
    printf("Read credential and secret from Server response\n");

    /* All required data to verify the credential is prepared */
    rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred);
    if (rc != TPM_RC_SUCCESS) {
        printf("TPM2_ActivateCredentials failed 0x%x: %s\n", rc,
        goto exit;
    printf("TPM2_ActivateCredential success\n");
    TPM2_PrintBin(cmdOut.activCred.certInfo.buffer, cmdOut.activCred.certInfo.size);

Thanks in advance,
Messias Filho