We are trying to implement X.509 client certificate authentication and WPA enterprise using asymmetric hardware cryptography for the private key.

Our platform is an STM32F469 (m4) that has an Infineon OPTIMA TPM SLB9670VQ20FW. Our product has fully functional TLS over wifi using the Cypress/Infineon WICED 6.2 SDK to an Azure services endpoint, excluding the TPM support. Presently, the certificate and keys are only stored on the device flash.

The WICED 6.2 FreeRTOS platform supports Client Certificate and WPA enterprise for a software implementation with MBED TLS 2.6.0, however we would like to implement TPM crypto hardware for these client side SSL functions and private key management. Changing over fully to wolfcrypt platform may be difficult since the WICED platform has multiple vendor customizations for memory optimizations which breaks encapsulation to LwIP. We are not code space constrained, but more RAM constrained.

An SDK update to mbedTLS 2.16.6 has documented support for callbacks for server sided authentication but not client side.
https://mbed-tls.readthedocs.io/en/late … -callbacks
There appears to be callbacks in the client side TLS authentication that may be used "unofficially" through the the use of RSA_ALT configurations and a PKCS#11 interface.  Implementation examples are very difficult to find. PCKS#11 examples also very hard to find examples for low level embedded systems.

Is anybody familiar with interfacing a PCKS#11 library to wolfTPM and separately interfacing the PCKS#11 interface to mbedTLS (or wolfCrypt or have suggestions or resources for where to look?