Improvements to the example tls_server to accept "RSA" or "ECC". Improvement to TLS examples to old load keys/certs that are needed (reduces max handle load count). Added missing `scripts/tls_setup.sh` to automake.

.gitignore

@@ -60,8 +60,15 @@ certs/*.par
 certs/crlnumber*
 certs/serial
 certs/index*
-
+certs/tpm-*.csr
+certs/server-*.der
+certs/server-*.pem
+certs/client-*.der
+certs/client-*.pem
+certs/serial.old
 *.dep
 IDE/IAR-EWARM/settings
 quote.blob
 keyblob.bin
+ecc_test_blob.raw
+rsa_test_blob.raw

examples/README.md

@@ -126,12 +126,12 @@ Examples show using a TPM key and certificate for TLS mutual authentication (cli
 This example client connects to localhost on on port 11111 by default. These can be overridden using `TLS_HOST` and `TLS_PORT`.
 
 You can validate using the wolfSSL example server this like:
-`./examples/server/server -b -p 11111 -g -d`
+`./examples/server/server -b -p 11111 -g -d -i -V`
  
 To validate client certificate use the following wolfSSL example server command:
-`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem`
+`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem -i -V`
 or
-`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem`
+`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V`
 
 Then run the wolfTPM TLS client example:
 `./examples/tls/tls_client RSA`
@@ -146,7 +146,9 @@ This example shows using a TPM key and certificate for a TLS server.
 By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
 
 Run the wolfTPM TLS server example:
-`./examples/tls/tls_server`. 
+`./examples/tls/tls_server RSA`
+or
+`./examples/tls/tls_server ECC`
 
 Then run the wolfSSL example client this like:
 `./examples/client/client -h localhost -p 11111 -g -d`

examples/tls/tls_client.c

@@ -147,23 +147,27 @@ int TPM2_TLS_Client(void* userCtx)
     if (rc != 0) goto exit;
 
 #ifndef NO_RSA
-    /* Create/Load RSA key for TLS authentication */
+    if (!useECC) {
-    rc = getRSAkey(&dev,
+        /* Create/Load RSA key for TLS authentication */
-                   &storageKey,
+        rc = getRSAkey(&dev,
-                   &rsaKey,
+                    &storageKey,
-                   &wolfRsaKey,
+                    &rsaKey,
-                   tpmDevId);
+                    &wolfRsaKey,
-    if (rc != 0) goto exit;
+                    tpmDevId);
+        if (rc != 0) goto exit;
+    }
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
-    /* Create/Load ECC key for TLS authentication */
+    if (useECC) {
-    rc = getECCkey(&dev,
+        /* Create/Load ECC key for TLS authentication */
-                   &storageKey,
+        rc = getECCkey(&dev,
-                   &eccKey,
+                    &storageKey,
-                   &wolfEccKey,
+                    &eccKey,
-                   tpmDevId);
+                    &wolfEccKey,
-    if (rc != 0) goto exit;
+                    tpmDevId);
+        if (rc != 0) goto exit;
+    }
 
     #ifndef WOLFTPM2_USE_SW_ECDHE
     /* Ephemeral Key */
@@ -172,7 +176,6 @@ int TPM2_TLS_Client(void* userCtx)
     #endif
 #endif /* HAVE_ECC */
 
-
     /* Setup the WOLFSSL context (factory) */
     if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) {
         rc = MEMORY_E; goto exit;
@@ -489,10 +492,11 @@ int main(int argc, const char* argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
     !defined(NO_WOLFSSL_CLIENT) && \
     (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    if (argc > 1)
+    if (argc > 1) {
         if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
             useECC = 1;
         }
+    }
 
     rc = TPM2_TLS_Client(NULL);
 #else

examples/tls/tls_server.c

@@ -157,23 +157,27 @@ int TPM2_TLS_Server(void* userCtx)
     if (rc != 0) goto exit;
 
 #ifndef NO_RSA
-    /* Create/Load RSA key for TLS authentication */
+    if (!useECC) {
-    rc = getRSAkey(&dev,
+        /* Create/Load RSA key for TLS authentication */
-                   &storageKey,
+        rc = getRSAkey(&dev,
-                   &rsaKey,
+                    &storageKey,
-                   &wolfRsaKey,
+                    &rsaKey,
-                   tpmDevId);
+                    &wolfRsaKey,
-    if (rc != 0) goto exit;
+                    tpmDevId);
+        if (rc != 0) goto exit;
+    }
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
-    /* Create/Load ECC key for TLS authentication */
+    if (useECC) {
-    rc = getECCkey(&dev,
+        /* Create/Load ECC key for TLS authentication */
-                   &storageKey,
+        rc = getECCkey(&dev,
-                   &eccKey,
+                    &storageKey,
-                   &wolfEccKey,
+                    &eccKey,
-                   tpmDevId);
+                    &wolfEccKey,
-    if (rc != 0) goto exit;
+                    tpmDevId);
+        if (rc != 0) goto exit;
+    }
 
     #ifndef WOLFTPM2_USE_SW_ECDHE
     /* Ephemeral Key */
@@ -451,15 +455,24 @@ exit:
 #endif /* !WOLFTPM2_NO_WRAPPER && WOLF_CRYPTO_DEV */
 
 #ifndef NO_MAIN_DRIVER
-int main(void)
+int main(int argc, const char* argv[])
 {
     int rc = -1;
 
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
     !defined(NO_WOLFSSL_SERVER) && \
     (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
+    if (argc > 1) {
+        if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
+            useECC = 1;
+        }
+    }
+
     rc = TPM2_TLS_Server(NULL);
 #else
+    (void)argc;
+    (void)argv;
+
     printf("Wrapper/Crypto callback code not compiled in\n");
     printf("Build wolfssl with ./configure --enable-cryptocb\n");
 #endif

scripts/include.am

@@ -6,3 +6,5 @@ if BUILD_SWTPM
 check_SCRIPTS += scripts/swtpm_sim.test
 dist_noinst_SCRIPTS += scripts/swtpm_sim.test
 endif
+
+EXTRA_DIST += scripts/tls_setup.sh

scripts/tls_setup.sh

@@ -7,3 +7,6 @@
 ./examples/keygen/keygen ecc_test_blob.raw ECC T
 ./examples/csr/csr
 ./certs/certreq.sh
+
+cp ./certs/ca-ecc-cert.pem ../wolfssl/certs/tpm-ca-ecc-cert.pem
+cp ./certs/ca-rsa-cert.pem ../wolfssl/certs/tpm-ca-rsa-cert.pem