With wolfSSL 4.6.0, the cisco/libest EST library has been ported to work with wolfSSL. The Enrollment over Secure Transport (EST) protocol defines “enrollment for clients using Certificate Management over CMS (CMC) [RFC5272] messages over a secure transport.” It uses TLS >1.1 and the Hypertext Transfer Protocol (HTTP) to facilitate secure and authenticated Public Key Infrastructure (PKI) Requests and Responses [RFC5272]. libest is a client and server EST implementation written in C.
To build wolfSSL 4.6.0 for libest:
./configure --enable-libest
make
make install
To obtain a copy of libest that is compatible with wolfSSL, please contact us at support@wolfssl.com.
Once you have a wolfSSL compatible version of libest, to build the library:
./autogen.sh
./configure --enable-wolfssl
make
make install
To run the tests in test/UT configure wolfSSL instead with:
./configure --enable-libest --enable-dsa --enable-oldtls --enable-tlsv10 --enable-sslv3
The porting of libest to wolfSSL has greatly expanded the compatibility layer. Many new API’s were introduced and old ones have been updated. Additionally, Certificate Signing Request (CSR) generation and parsing has been expanded to meet the needs of the libest library. Some of the new changes include:
- Parsing a CSR to be used for certificate generation
- Parsing and generating a limited number of supported CSR attributes
- Parsing configuration files using NCONF APIs
- Retrieving the local and peer finished message contents
- Creating and parsing text databases using TXT_DB API
- New OpenSSL compatibility layer functions implemented
- ASN1_get_object
- d2i_ASN1_OBJECT
- c2i_ASN1_OBJECT
- BIO_new_fd
- BIO_snprintf
- BUF_strdup
- BUF_strlcpy
- BUF_strlcat
- sk_CONF_VALUE_new
- sk_CONF_VALUE_free
- sk_CONF_VALUE_pop_free
- sk_CONF_VALUE_num
- sk_CONF_VALUE_value
- lh_CONF_VALUE_retrieve
- lh_CONF_VALUE_insert
- NCONF_new
- NCONF_free
- NCONF_get_string
- NCONF_get_section
- NCONF_get_number
- NCONF_load
- CONF_modules_load
- _CONF_new_section
- _CONF_get_section
- X509V3_conf_free
- EVP_PKEY_copy_parameters
- EVP_PKEY_get_default_digest_nid
- EVP_PKEY_CTX_ctrl_str
- IMPLEMENT_LHASH_HASH_FN
- IMPLEMENT_LHASH_COMP_FN
- LHASH_HASH_FN
- LHASH_COMP_FN
- lh_strhash
- PKCS12_verify_mac
- i2d_PKCS7_bio
- SSL_get_finished
- SSL_get_peer_finished
- X509_get_ext_by_OBJ
- i2d_X509_REQ_bio
- d2i_X509_REQ_bio
- PEM_read_bio_X509_REQ
- d2i_X509_REQ
- X509_REQ_sign_ctx
- X509_REQ_add1_attr_by_NID
- X509_REQ_add1_attr_by_txt
- X509_REQ_get_attr_by_NID
- X509_REQ_get_attr
- X509_ATTRIBUTE_get0_type
- X509_to_X509_REQ
- X509_get0_extensions
- X509_get_extensions
- X509_REQ_get_extensions
- X509_REQ_get_subject_name
- X509_REQ_get_pubkey
- X509_REQ_set_version
- X509_sign_ctx
- X509_REQ_print
- X509_print_fp
- X509_REQ_print_fp
- X509_signature_print
- X509_get0_signature
- X509_verify
- X509_REQ_verify
- X509_REQ_check_private_key
- X509_delete_ext
- sk_X509_INFO_shift
- X509_NAME_delete_entry
- X509_NAME_print_ex_fp
- X509_STORE_CTX_get0_parent_ctx
- X509_REQ_get_X509_PUBKEY
- BIO_new_connect
- BIO_set_conn_port
- BIO_do_connect
- ASN1_TIME_new
- ASN1_UTCTIME_new
- ASN1_UTCTIME_free
- ASN1_TIME_set
- ASN1_TIME_set_string
- ASN1_TIME_to_string
- a2i_ASN1_INTEGER
- ASN1_STRING_new
- ASN1_STRING_free
- ASN1_STRING_cmp
- ASN1_UNIVERSALSTRING_to_string
- DHparams_dup
- OPENSSL_cleanse
- sk_OPENSSL_STRING_num
- sk_OPENSSL_PSTRING_num
- sk_OPENSSL_PSTRING_value
- sk_OPENSSL_STRING_free
- SSL_CTX_set_srp_strength
- SSL_get_srp_username
- TXT_DB_read
- TXT_DB_write
- TXT_DB_insert
- TXT_DB_free
- TXT_DB_create_index
- TXT_DB_get_by_index
Feel free to contact us at facts@wolfssl.com for additional information and help with using the new features of wolfSSL 4.6.0. These features were added in commit 814ed3f5a68d37dec4ee91e6dace35c7343eec36.