diff --git a/.gitignore b/.gitignore
index bf4119e..4eca6a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,8 +60,15 @@ certs/*.par
 certs/crlnumber*
 certs/serial
 certs/index*
-
+certs/tpm-*.csr
+certs/server-*.der
+certs/server-*.pem
+certs/client-*.der
+certs/client-*.pem
+certs/serial.old
 *.dep
 IDE/IAR-EWARM/settings
 quote.blob
 keyblob.bin
+ecc_test_blob.raw
+rsa_test_blob.raw
diff --git a/examples/README.md b/examples/README.md
index 3179558..58afdc3 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -126,12 +126,12 @@ Examples show using a TPM key and certificate for TLS mutual authentication (cli
 This example client connects to localhost on on port 11111 by default. These can be overridden using `TLS_HOST` and `TLS_PORT`. You can validate using the wolfSSL example server this like: -`./examples/server/server -b -p 11111 -g -d` +`./examples/server/server -b -p 11111 -g -d -i -V` To validate client certificate use the following wolfSSL example server command: -`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem` +`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem -i -V` or -`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem` +`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V` Then run the wolfTPM TLS client example: `./examples/tls/tls_client RSA`
@@ -146,7 +146,9 @@ This example shows using a TPM key and certificate for a TLS server.
 By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro. Run the wolfTPM TLS server example: -`./examples/tls/tls_server`. +`./examples/tls/tls_server RSA` +or +`./examples/tls/tls_server ECC` Then run the wolfSSL example client this like: `./examples/client/client -h localhost -p 11111 -g -d`
diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c
index 40fded0..152383c 100644
--- a/examples/tls/tls_client.c
+++ b/examples/tls/tls_client.c
@@ -147,23 +147,27 @@ int TPM2_TLS_Client(void* userCtx)
 if (rc != 0) goto exit;
 
 #ifndef NO_RSA
- /* Create/Load RSA key for TLS authentication */
- rc = getRSAkey(&dev,
- &storageKey,
- &rsaKey,
- &wolfRsaKey,
- tpmDevId);
- if (rc != 0) goto exit;
+ if (!useECC) {
+ /* Create/Load RSA key for TLS authentication */
+ rc = getRSAkey(&dev,
+ &storageKey,
+ &rsaKey,
+ &wolfRsaKey,
+ tpmDevId);
+ if (rc != 0) goto exit;
+ }
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
- /* Create/Load ECC key for TLS authentication */
- rc = getECCkey(&dev,
- &storageKey,
- &eccKey,
- &wolfEccKey,
- tpmDevId);
- if (rc != 0) goto exit;
+ if (useECC) {
+ /* Create/Load ECC key for TLS authentication */
+ rc = getECCkey(&dev,
+ &storageKey,
+ &eccKey,
+ &wolfEccKey,
+ tpmDevId);
+ if (rc != 0) goto exit;
+ }
 
 #ifndef WOLFTPM2_USE_SW_ECDHE
 /* Ephemeral Key */
@@ -172,7 +176,6 @@ int TPM2_TLS_Client(void* userCtx)
 #endif
 #endif /* HAVE_ECC */
 
-
 /* Setup the WOLFSSL context (factory) */
 if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) {
 rc = MEMORY_E; goto exit;
@@ -489,10 +492,11 @@ int main(int argc, const char* argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
 !defined(NO_WOLFSSL_CLIENT) && \
 (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
- if (argc > 1)
+ if (argc > 1) {
 if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
 useECC = 1;
 }
+ }
 
 rc = TPM2_TLS_Client(NULL);
 #else
diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c
index 8bae498..35eadbe 100644
--- a/examples/tls/tls_server.c
+++ b/examples/tls/tls_server.c
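Review bot: With the new `useECC` gating, a build that defines NO_RSA and is run without the ECC argument, or one without HAVE_ECC run with it, skips both key loads and carries on with `rc` still 0, so as far as this hunk shows the function goes on to create the TLS context with no TPM authentication key loaded and the problem only surfaces later in the handshake, if at all. The first hunk of examples/tls/tls_server.c has the same gating and the same gap. I would fail fast on the compiled-out combination right after `#endif /* !NO_RSA */`, before the `#ifdef HAVE_ECC` block, reusing the existing `rc`/`goto exit` path as below. TPM2_TLS_Client continues past the end of this hunk, so how the keys are used afterwards is not visible here.
```c
#endif /* !NO_RSA */

#ifdef NO_RSA
    /* RSA is compiled out: refuse the (default) RSA run rather than
     * continuing with no authentication key loaded at all. */
    if (!useECC) {
        printf("RSA support not compiled in, run with the ECC argument\n");
        rc = BAD_FUNC_ARG; goto exit;
    }
#endif
#ifndef HAVE_ECC
    if (useECC) {
        printf("ECC support not compiled in\n");
        rc = BAD_FUNC_ARG; goto exit;
    }
#endif

#ifdef HAVE_ECC
    /* … unchanged: getECCkey() load and ephemeral key setup … */
```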
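Review bot: `XSTRNCMP(argv[1], "ECC", 3) == 0` in the last hunk is a prefix match, so `ECCX` or `ECC-anything` selects ECC, while every other argument (a typo such as `RSa`, or `--help`) silently falls through to RSA; the README this commit edits documents exactly two arguments, RSA and ECC. I would compare the whole string and reject anything else with a usage line, as below; the `main` added in the second hunk of examples/tls/tls_server.c parses argv the same way and should get the same treatment. `main` continues past the end of this hunk.
```c
    if (argc > 1) {
        if (XSTRCMP(argv[1], "ECC") == 0) {
            useECC = 1;
        }
        else if (XSTRCMP(argv[1], "RSA") != 0) {
            printf("Usage: tls_client [RSA|ECC]\n");
            return 1;
        }
    }
```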
@@ -157,23 +157,27 @@ int TPM2_TLS_Server(void* userCtx)
 if (rc != 0) goto exit;
 
 #ifndef NO_RSA
- /* Create/Load RSA key for TLS authentication */
- rc = getRSAkey(&dev,
- &storageKey,
- &rsaKey,
- &wolfRsaKey,
- tpmDevId);
- if (rc != 0) goto exit;
+ if (!useECC) {
+ /* Create/Load RSA key for TLS authentication */
+ rc = getRSAkey(&dev,
+ &storageKey,
+ &rsaKey,
+ &wolfRsaKey,
+ tpmDevId);
+ if (rc != 0) goto exit;
+ }
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
- /* Create/Load ECC key for TLS authentication */
- rc = getECCkey(&dev,
- &storageKey,
- &eccKey,
- &wolfEccKey,
- tpmDevId);
- if (rc != 0) goto exit;
+ if (useECC) {
+ /* Create/Load ECC key for TLS authentication */
+ rc = getECCkey(&dev,
+ &storageKey,
+ &eccKey,
+ &wolfEccKey,
+ tpmDevId);
+ if (rc != 0) goto exit;
+ }
 
 #ifndef WOLFTPM2_USE_SW_ECDHE
 /* Ephemeral Key */
@@ -451,15 +455,24 @@ exit:
 #endif /* !WOLFTPM2_NO_WRAPPER && WOLF_CRYPTO_DEV */
 
 #ifndef NO_MAIN_DRIVER
-int main(void)
+int main(int argc, const char* argv[])
 {
 int rc = -1;
 
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
 !defined(NO_WOLFSSL_SERVER) && \
 (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
+ if (argc > 1) {
+ if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
+ useECC = 1;
+ }
+ }
+
 rc = TPM2_TLS_Server(NULL);
 #else
+ (void)argc;
+ (void)argv;
+
 printf("Wrapper/Crypto callback code not compiled in\n");
 printf("Build wolfssl with ./configure --enable-cryptocb\n");
 #endif
diff --git a/scripts/include.am b/scripts/include.am
index a2087cb..19eb687 100644
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -6,3 +6,5 @@ if BUILD_SWTPM
 check_SCRIPTS += scripts/swtpm_sim.test
 dist_noinst_SCRIPTS += scripts/swtpm_sim.test
 endif
+
+EXTRA_DIST += scripts/tls_setup.sh
diff --git a/scripts/tls_setup.sh b/scripts/tls_setup.sh
index 6654f2e..05396a2 100755
--- a/scripts/tls_setup.sh
+++ b/scripts/tls_setup.sh
@@ -7,3 +7,6 @@
 ./examples/keygen/keygen ecc_test_blob.raw ECC T
 ./examples/csr/csr
 ./certs/certreq.sh
+
+cp ./certs/ca-ecc-cert.pem ../wolfssl/certs/tpm-ca-ecc-cert.pem
+cp ./certs/ca-rsa-cert.pem ../wolfssl/certs/tpm-ca-rsa-cert.pem
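Review bot: The two new `cp` lines write the freshly generated CA certificates into a hard-coded sibling checkout, `../wolfssl/certs/`, with no check that the directory exists and no handling of a failed copy. Whether the script aborts on error depends on its header, which is outside this hunk; if it does not, a missing or differently located wolfSSL tree leaves the example server from the README validating against whatever `tpm-ca-*.pem` it already had, a confusing failure for a script whose job is to install the trust material. I would take the location from an environment variable with the current path as its default and stop explicitly when the target is absent or a copy fails, as below.
```shell
# … unchanged: keygen, csr and certreq steps …

WOLFSSL_DIR="${WOLFSSL_DIR:-../wolfssl}"
if [ ! -d "$WOLFSSL_DIR/certs" ]; then
    echo "wolfSSL certs directory not found: $WOLFSSL_DIR/certs" >&2
    exit 1
fi
cp ./certs/ca-ecc-cert.pem "$WOLFSSL_DIR/certs/tpm-ca-ecc-cert.pem" || exit 1
cp ./certs/ca-rsa-cert.pem "$WOLFSSL_DIR/certs/tpm-ca-rsa-cert.pem" || exit 1
```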