26 Reply by anthony

(3 replies, posted in wolfSSL)

Hi Isabelle,

https://datatracker.ietf.org/doc/html/r … tion-4.4.2 has the following pragraph:

Note: Prior to TLS 1.3, "certificate_list" ordering required each
   certificate to certify the one immediately preceding it; however,
   some implementations allowed some flexibility.  Servers sometimes
   send both a current and deprecated intermediate for transitional
   purposes, and others are simply configured incorrectly, but these
   cases can nonetheless be validated properly.  For maximum
   compatibility, all implementations SHOULD be prepared to handle
   potentially extraneous certificates and arbitrary orderings from any
   TLS version, with the exception of the end-entity certificate which
   MUST be first.

Without WOLFSSL_ALT_CERT_CHAINS we expect the proper ordering and no other extra certificates.  With WOLFSSL_ALT_CERT_CHAINS we follow the guidance above.

Warm regards, Anthony

Go to forum: wolfSSL

27 Reply by anthony

(3 replies, posted in wolfSSL)

Hi Isabella,

My name is Anthony and I am a member of the wolfSSL team.  I will be helping you with this issue.  This happens quite often when connecting to large web infrastructures.  Please use --enable-altcertchains on your configure command line. If you don't use the confugre script, please define WOLFSSL_ALT_CERT_CHAINS in your user_settings.h .

Here at wolfSSL we love learning about how people are using our libraries.  Can you please tell me a bit about yourself, your use case and any other information that would give us some context so that we can better help you?

Warm regards, Anthony

Go to forum: wolfSSL

28 Reply by anthony

(1 replies, posted in wolfSSL)

Hello Shinzo,

My name is Anthony and I am a member of the wolfSSL team.

Yes, you are correct.  You'll need to use  MakeCert/SignCert in order to use ECC.

Can you please let me know a bit about yourself and your project? What are you trying to achieve? Where are you geographically located? Is this question out of personal, academic or professional interest?  Are there any organizations associated with this work.  Any information is useful in helping us prioritize your request.

Warm regards, Anthony

Go to forum: wolfSSL

29 Reply by anthony

(14 replies, posted in wolfSSL)

You need to use --enable-fips=ready

Go to forum: wolfSSL

30 Reply by anthony

(14 replies, posted in wolfSSL)

Hi volga629,

In the past, we have seen this before, but it was because someone used --enable-fips instead of --enable-fips=ready.  Can you please try again, but this time double checking that you added the =ready ?

Here at wolfSSL we love to know how people in the community are using our code.  Can you tell us a bit about yourself and your project?  Where are you located? What are you goals?  Is this project personal, academic or professional in nature?  Also let us know anything interesting.

Warm regards, Anthony

Go to forum: wolfSSL

31 Reply by anthony

(3 replies, posted in wolfSSL)

No problem and my pleasure!!
Warm regards, Anthony

Go to forum: wolfSSL

32 Reply by anthony

(5 replies, posted in General Inquiries)

Hi toni992,

My name is Anthony and I am a member of the wolfSSL team. The short answer is that it happens during the TLS  handshake.

The longer more nuanced answer follows.  From RFC 8466 (TLS 1.3)  https://datatracker.ietf.org/doc/html/rfc8446#section-2 you can see the following: 

       Client                                           Server

Key  ^ ClientHello
Exch | + key_share*
     | + signature_algorithms*
     | + psk_key_exchange_modes*
     v + pre_shared_key*       -------->
                                                  ServerHello  ^ Key
                                                 + key_share*  | Exch
                                            + pre_shared_key*  v
                                        {EncryptedExtensions}  ^  Server
                                        {CertificateRequest*}  v  Params
                                               {Certificate*}  ^
                                         {CertificateVerify*}  | Auth
                                                   {Finished}  v
                               <--------  [Application Data*]
     ^ {Certificate*}
Auth | {CertificateVerify*}
     v {Finished}              -------->
       [Application Data]      <------->  [Application Data]

The certificate and certificate verify messages are where it happens.

The Certificate message is where the certificate chain is sent to the peer.  The CertificateVerify message is where the signature of the TLS handshake transcript is sent.  The peer verifies the chain and the signature of the TLS handshake transcript.

Please let me know if you would like further clarifications.

This is a great question and here at wolfSSL we love to know about the community member and what they are doing. 

Can you please let us know about your interest in wolfSSL and protocols?  Can you let us know about yourself and your projects?

For example, where are you located?  Can you let us know your goals.

Warm regards, Anthony

Go to forum: General Inquiries

33 Reply by anthony

(2 replies, posted in wolfSSL)

Hi,
This is Anthony again.

In src/tls13.c we have TlsCheckCookie() which is called by RestartHandshakeHashWithCookie() and in turn called by DoTls13ClientHello() when the server state is in SERVER_HELLO_RETRY_REQUEST_COMPLETE.  So, in a sense, yes, it is done automatically as part of the TLS 1.3 handshake protocol.

Warm regards, Anthony

Go to forum: wolfSSL

34 Reply by anthony

(3 replies, posted in wolfSSL)

HI jlewis,

My name is Anthony and I am a member of the wolfSSL team.

I noticed that the issuer and subject are the same making this a Root CA certificate.  I think you might need a basic constraints extension that states that this is a CA certificate. 

Warm regards, Anthony

Go to forum: wolfSSL

35 Reply by anthony

(3 replies, posted in wolfSSL)

Hi,

We have the following APIs for setting the Authority Key ID and Subject Key ID: 

WOLFSSL_API int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType,
                                                void* key);
WOLFSSL_API int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey,
                                             ecc_key *eckey);
WOLFSSL_API int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz);
WOLFSSL_API int wc_SetAuthKeyId(Cert *cert, const char* file);
WOLFSSL_API int wc_SetSubjectKeyIdFromPublicKey_ex(Cert *cert, int keyType,
                                                   void* key);
WOLFSSL_API int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey,
                                                ecc_key *eckey);
WOLFSSL_API int wc_SetSubjectKeyId(Cert *cert, const char* file);

You can find examples of how to use these APIs in tests/api.c.


Can you please let us know about how you are using wolfSSL and what you are using it for?

Warm regards, Anthony

Go to forum: wolfSSL

36 Reply by anthony

(3 replies, posted in wolfSSL)

Hi ,
My name is Anthony and I am a member of the wolfSSL team.  I'll be helping you on this topic.  Please stay tuned as I will need to ask my wider engineering team.

Warm regards, Anthony

Go to forum: wolfSSL

37 Reply by anthony

(1 replies, posted in wolfSSL)

Hi chyuk98,

Please check your email.  Scott McClung (scott@wolfssl.com) has replied to your license inquiry.  If you did not see it, please send another message to that email address directly.

Warm regards, Anthony

Go to forum: wolfSSL

38 Reply by anthony

(1 replies, posted in wolfSSL)

Hi db,

My name is Anthony and I am a member of the wolfSSL team. From what I understand, sigpipe means  the peer closed the socket when there was data still available to read.  This is generally resolved by, on both sides, doing a shutdown (for example, calling wolfSSL_shutdown() ) , checking for WOLFSSL_SHUTDOWN_NOT_DONE, and then doing wolfSSL_shutdown() again.  You can search for WOLFSSL_SHUTDOWN_NOT_DONE in wolfssl/examples/server/server.c and wolfssl/examples/client/client.c to see what I mean.

Warm regards, Anthony

Go to forum: wolfSSL

39 Reply by anthony

(1 replies, posted in wolfSSL)

This will be  handled via technical support channel.

Go to forum: wolfSSL

40 Reply by anthony

(2 replies, posted in wolfSSL)

Hi bganjl,

You are correct, we do not have support for that. Can you please email support@wolfssl.com so we can get started on a feature request?  Please reference this forum post when you send the message.

Warm regards, Anthony

Go to forum: wolfSSL

41 Reply by anthony

(2 replies, posted in wolfSSL)

Hi bganjl,

My name is Anthony and I am a member of the wolfSSL team. Its an interesting question and I will look into it for you. 

In the meantime, can you let us know a bit about yourself and your project?  We love to know about who is using our software. For example:

Where are you located?  Country and nearest urban area should suffice.

Is this project out of personal, academic or commercial interest?

Is this project associated with any institutions or organizations?

Warm regards, Anthony

Go to forum: wolfSSL

42 Reply by anthony

(4 replies, posted in wolfSSL)

Hi Scott,

Thanks for all the information you provided. Since you have commercial support, please open a support ticket by sending a message to support@wolfssl.com using an email account associated with your organization.  In that message, please reference this forum posting.  We look forward to helping you there.

Warm regards, Anthony

Go to forum: wolfSSL

43 Reply by anthony

(4 replies, posted in wolfSSL)

Hi Scotty2541,

Thanks for reaching out to us here on the forums!  My name is Anthony and I am a member of the wolfSSL team.  Have you had a look at https://github.com/wolfSSL/wolfssl/tree/master/tirtos ?  It references some documentation and examples.

AutoSAR refers to https://www.autosar.org/.  When you build using our configure scripts, autosar is disabled by default. What could be happening is that CCS is erroneously bringing in all the source and header files into your project.  You'll have to remove some files that shouldn't be there.

Can you let me know a bit about yourself? Here at wolfSSL we are very interested to know about who is using our software.  We'd love to know about:

Where are you located? (Country and nearest urban centre)
What are your goals?
Is your project out of commercial, academic or professional interest?
Is your project associated with any institutions?

Please let me know if you have further questions for me.

Warm regards, Anthony

Go to forum: wolfSSL

44 Reply by anthony

(1 replies, posted in wolfSSL)

Hi MMI_101,

Thanks for using wolfSSL and reaching out to us here on the forums.

In order to be able to use wc_InitCert, you must have the macro WOLFSSL_CERT_GEN defined. I don't know what macros you have defined in your user_settings.h and/or compiler flags, but my best guess is that this is not defined.  If it is defined, please let me know what other macros are defined.

Here at wolfSSL we love knowing how our code is being used.  Can you tell us a bit about yourself and your project?

- Where are you located?  Country and nearest large urban area should suffice.
- It this project out of personal interest, an academic project or commercial in nature?
- Is there an institution or company associated with your work?

Any other details about yourself and your project would be greatly appreciated.


Warm regards, Anthony

Go to forum: wolfSSL

45 Reply by anthony

(8 replies, posted in wolfCrypt)

Hi Adrien,

Indeed, that release does not have it yet. 

You could manually patch your copy with the following diff:

https://github.com/wolfSSL/wolfssl/comm … f2d79.diff

However, I'm not sure if/when STM32CubeIDE will overwrite your changes to wolfSSL source code.  I seem to recall that when you save certain configuration settings, the wolfSSL code gets regenerated.

Another option is to simply wait for the next release.  We are currently in the process of preparing for the next release and should be out at the beginning of July.

Perhaps another option is to just prototype on Linux with the github master branch first while you wait for the next release.

I'm very interested to know which path you choose. 

Warm regards, Anthony

Go to forum: wolfCrypt

46 Reply by anthony

(8 replies, posted in wolfCrypt)

Hi,

I'm sorry for the delayed response. I had lost track of this as I thought I had answered your questions.

dP and dQ will have to be calculated by you.  That said, they are only used in the Chinese Remainder Theorem (CRT).  If you define `RSA_LOW_MEM`, that is using a non-CRT implementation then you won't need to worry about dP and dQ.  That said, execution time will increase. 

Let me know if this helps.

Warm regards, Anthony

Go to forum: wolfCrypt

47 Reply by anthony

(8 replies, posted in wolfCrypt)

I'm sorry, I think I was mistaken!! Please see wc_RsaPrivateKeyDecodeRaw()

It has the form:

WOLFSSL_API int wc_RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
        const byte* e, word32 eSz, const byte* d, word32 dSz,
        const byte* u, word32 uSz, const byte* p, word32 pSz,
        const byte* q, word32 qSz, const byte* dP, word32 dPSz,
        const byte* dQ, word32 dQSz, RsaKey* key);

It can be found in wolfssl/wolfcrypt/rsa.h

Warm regards, Anthony

Go to forum: wolfCrypt

48 Reply by anthony

(8 replies, posted in wolfCrypt)

Hi Adrian,

My name is Anthony and I am a member of the wolfSSL team.

We do have the function wc_RsaExportKey() which looks like this:

WOLFSSL_API int wc_RsaExportKey(RsaKey* key,
                                byte* e, word32* eSz,
                                byte* n, word32* nSz,
                                byte* d, word32* dSz,
                                byte* p, word32* pSz,
                                byte* q, word32* qSz);

But I don't think we have the corresponding API for importing it in this format.  That said, would you like to register this as a feature request?

If so, please send an email to support@wolfssl.com.  The process will only take a couple of minutes of your time.  Please also reference this forum post in that email message.

Warm regards, Anthony

Go to forum: wolfCrypt

49 Reply by anthony

(6 replies, posted in wolfSSL)

Thanks for letting me know. If you would like to share more details about yourself and your project in a more private setting, please email me at anthony@wolfssl.com.

Warm regards,  Anthony

Go to forum: wolfSSL

50 Reply by anthony

(6 replies, posted in wolfSSL)

Good to know!  Glad you got it resolved.  Can you let us know a bit about yourself?
Where are you located?
What are your goals?
Is the nature of this project academic, commercial, or personal?
We love knowing how our code is being used and any information you are willing to share helps us to better understand our user base.

Warm regards, Anthony

Go to forum: wolfSSL