wolfSSL Support for NXP SE050 with SCP03

wolfSSL has supported the NXP SE050 since wolfSSL 5.0.0 (November 1, 2021), giving wolfSSL and wolfCrypt users the ability to use cryptography and secure key generation/storage inside the SE050 while calling wolfSSL’s own APIs at the application level. We recently made substantial additions and enhancements to wolfSSL’s SE050 support, listed below. These are currently in our master branch on GitHub and will be included in the next stable release of wolfSSL.

  • SE050 RSA support (sign/verify/encrypt/decrypt, PKCS#1v1.5/PSS/OAEP padding, up to 4096-bit)
  • Allowing use of larger key IDs, fully utilizing SE050’s key ID range
  • Ability to get or set SE050 key IDs to/from wolfCrypt RsaKey or ecc_key structures
  • New APIs to store and get binary objects from SE050
  • New API to erase SE050 objects at a specified key ID
  • New API to get the object size at a specified key ID
  • New define WOLFSSL_SE050_NO_TRNG to fall back to usage of /dev/random and /dev/urandom instead of SE050 TRNG
  • Additional documentation (README_SE050.md)
  • Install se050_port.h with make install for public API use on Linux hosts
  • Fix default library and include paths with “--with-se050” configure option
  • Fix for ECC P-521 where curve size can be larger than SHA-512 digest size
  • Fixes to SE050 message digest support
  • Fixes for wolfCrypt test compatibility with SE050 enabled

wolfSSL SE050 Examples

To help users get started more quickly, we have published example applications designed to be integrated into the SE05x Middleware on Linux (tested on Raspbian with a Raspberry Pi). These examples are located in our wolfssl-examples repository on GitHub, along with documentation on how to integrate and build them. Examples include:

  • wolfCrypt test application
  • wolfCrypt benchmark application
  • wolfCrypt SE050 key and certificate insertion and use
  • wolfCrypt CSR generation

wolfSSL HostCrypto support for SCP03 Authentication

wolfSSL can be used on the host side (HostCrypto) for secure SCP03 (Secure Channel Protocol ’03’) authentication, in place of either OpenSSL or mbedTLS. To make this possible, wolfSSL has written a HostCrypto layer that can be applied as a patch to the NXP SE05x Middleware. With wolfSSL HostCrypto, wolfSSL’s software cryptography is used on the host side to establish the SCP03 channel. After the secure channel is established, wolfSSL can then be used while offloading crypto and key operations to the SE050.

A patch for the SE05x Middleware for adding wolfSSL HostCrypto support can be found in our osp repository (Open Source Ports) on GitHub, along with documentation on how to patch and build on a Raspberry Pi / Raspbian environment.

Support and More Details

For more details on wolfSSL’s SE050 support, or if you have questions about the wolfSSL embedded SSL/TLS library, contact us at facts@wolfssl.com.