WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Improvements to the example tls_server to accept "RSA" or "ECC". Improvement to TLS examples to old load keys/certs that are needed (reduces max handle load count). Added missing `scripts/tls_setup.sh` to automake.

pull/130/head
David Garske 2020-11-13 16:33:14 -08:00
parent 675f7deb22
commit b48f53f5e7
6 changed files with 67 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.gitignore vendored
View File

@ -60,8 +60,15 @@ certs/*.par
certs/crlnumber*
certs/serial
certs/index*
certs/tpm-*.csr
certs/server-*.der
certs/server-*.pem
certs/client-*.der
certs/client-*.pem
certs/serial.old
*.dep
IDE/IAR-EWARM/settings
quote.blob
keyblob.bin
ecc_test_blob.raw
rsa_test_blob.raw

10
examples/README.md
View File

@ -126,12 +126,12 @@ Examples show using a TPM key and certificate for TLS mutual authentication (cli
This example client connects to localhost on on port 11111 by default. These can be overridden using `TLS_HOST` and `TLS_PORT`.
You can validate using the wolfSSL example server this like:
`./examples/server/server -b -p 11111 -g -d`
`./examples/server/server -b -p 11111 -g -d -i -V`
To validate client certificate use the following wolfSSL example server command:
`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem`
`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem -i -V`
or
`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem`
`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V`
Then run the wolfTPM TLS client example:
`./examples/tls/tls_client RSA`
@ -146,7 +146,9 @@ This example shows using a TPM key and certificate for a TLS server.
By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
Run the wolfTPM TLS server example:
`./examples/tls/tls_server`.
`./examples/tls/tls_server RSA`
or
`./examples/tls/tls_server ECC`
Then run the wolfSSL example client this like:
`./examples/client/client -h localhost -p 11111 -g -d`

36
examples/tls/tls_client.c
View File

@ -147,23 +147,27 @@ int TPM2_TLS_Client(void* userCtx)
if (rc != 0) goto exit;
#ifndef NO_RSA
/* Create/Load RSA key for TLS authentication */
rc = getRSAkey(&dev,
&storageKey,
&rsaKey,
&wolfRsaKey,
tpmDevId);
if (rc != 0) goto exit;
if (!useECC) {
/* Create/Load RSA key for TLS authentication */
rc = getRSAkey(&dev,
&storageKey,
&rsaKey,
&wolfRsaKey,
tpmDevId);
if (rc != 0) goto exit;
}
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* Create/Load ECC key for TLS authentication */
rc = getECCkey(&dev,
&storageKey,
&eccKey,
&wolfEccKey,
tpmDevId);
if (rc != 0) goto exit;
if (useECC) {
/* Create/Load ECC key for TLS authentication */
rc = getECCkey(&dev,
&storageKey,
&eccKey,
&wolfEccKey,
tpmDevId);
if (rc != 0) goto exit;
}
#ifndef WOLFTPM2_USE_SW_ECDHE
/* Ephemeral Key */
@ -172,7 +176,6 @@ int TPM2_TLS_Client(void* userCtx)
#endif
#endif /* HAVE_ECC */
/* Setup the WOLFSSL context (factory) */
if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) {
rc = MEMORY_E; goto exit;
@ -489,10 +492,11 @@ int main(int argc, const char* argv[])
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
if (argc > 1)
if (argc > 1) {
if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
useECC = 1;
}
}
rc = TPM2_TLS_Client(NULL);
#else

43
examples/tls/tls_server.c
View File

@ -157,23 +157,27 @@ int TPM2_TLS_Server(void* userCtx)
if (rc != 0) goto exit;
#ifndef NO_RSA
/* Create/Load RSA key for TLS authentication */
rc = getRSAkey(&dev,
&storageKey,
&rsaKey,
&wolfRsaKey,
tpmDevId);
if (rc != 0) goto exit;
if (!useECC) {
/* Create/Load RSA key for TLS authentication */
rc = getRSAkey(&dev,
&storageKey,
&rsaKey,
&wolfRsaKey,
tpmDevId);
if (rc != 0) goto exit;
}
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* Create/Load ECC key for TLS authentication */
rc = getECCkey(&dev,
&storageKey,
&eccKey,
&wolfEccKey,
tpmDevId);
if (rc != 0) goto exit;
if (useECC) {
/* Create/Load ECC key for TLS authentication */
rc = getECCkey(&dev,
&storageKey,
&eccKey,
&wolfEccKey,
tpmDevId);
if (rc != 0) goto exit;
}
#ifndef WOLFTPM2_USE_SW_ECDHE
/* Ephemeral Key */
@ -451,15 +455,24 @@ exit:
#endif /* !WOLFTPM2_NO_WRAPPER && WOLF_CRYPTO_DEV */
#ifndef NO_MAIN_DRIVER
int main(void)
int main(int argc, const char* argv[])
{
int rc = -1;
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_SERVER) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
if (argc > 1) {
if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
useECC = 1;
}
}
rc = TPM2_TLS_Server(NULL);
#else
(void)argc;
(void)argv;
printf("Wrapper/Crypto callback code not compiled in\n");
printf("Build wolfssl with ./configure --enable-cryptocb\n");
#endif

2
scripts/include.am
View File

@ -6,3 +6,5 @@ if BUILD_SWTPM
check_SCRIPTS += scripts/swtpm_sim.test
dist_noinst_SCRIPTS += scripts/swtpm_sim.test
endif
EXTRA_DIST += scripts/tls_setup.sh

3
scripts/tls_setup.sh
View File

@ -7,3 +7,6 @@
./examples/keygen/keygen ecc_test_blob.raw ECC T
./examples/csr/csr
./certs/certreq.sh
cp ./certs/ca-ecc-cert.pem ../wolfssl/certs/tpm-ca-ecc-cert.pem
cp ./certs/ca-rsa-cert.pem ../wolfssl/certs/tpm-ca-rsa-cert.pem