wolfTPM Examples
These examples demonstrate features of a TPM 2.0 module.
The examples create RSA and ECC keys in NV for testing, using the handles defined in ./examples/tpm_test.h.
The PKCS #7 and TLS examples require generating CSRs and signing them with a test script. See CSR and Certificate Signing below.
Native API Test
Demonstrates calling the native TPM2_* APIs directly.
./examples/native/native_test
Wrapper API Test
Demonstrates calling the wolfTPM2_* wrapper APIs.
./examples/wrap/wrap_test
CSR
Generates a Certificate Signing Request for each TPM key pair (RSA and ECC), from which a certificate can be issued.
./examples/csr/csr
It creates two files:
./certs/tpm-rsa-cert.csr
./certs/tpm-ecc-cert.csr
Certificate Signing
External script for generating test certificates from the TPM-generated CSRs. Typically the CSR would be provided to a trusted CA for signing; this script signs with a test CA, so the resulting certificates are for testing only.
./certs/certreq.sh
The script creates the following X.509 files (also in .pem format):
./certs/ca-ecc-cert.der
./certs/ca-rsa-cert.der
./certs/client-rsa-cert.der
./certs/client-ecc-cert.der
./certs/server-rsa-cert.der
./certs/server-ecc-cert.der
PKCS #7
Example signs and verifies data with PKCS #7 using a TPM-based key.
Must first run:
./examples/csr/csr
./certs/certreq.sh
Then run:
./examples/pkcs7/pkcs7
The result is displayed on stdout.
TLS Examples
The TLS examples use TPM-based ECDHE (ECC ephemeral key) support. It can be disabled with CFLAGS="-DWOLFTPM2_USE_SW_ECDHE" or #define WOLFTPM2_USE_SW_ECDHE, in which case the ephemeral ECDH key is generated in software. We are also looking into using the 2-phase TPM2_EC_Ephemeral and TPM2_ZGen_2Phase methods for improved performance and scalability.
To force ECC use with wolfSSL when RSA is also enabled, define TLS_USE_ECC.
To use the TPM for symmetric AES, hashing and HMAC, define WOLFTPM_USE_SYMMETRIC.
These are all compile-time macros; pass them in CFLAGS when building, as in the WOLFTPM2_USE_SW_ECDHE example above.
Generation of the client and server certificates requires running:
./examples/csr/csr
./certs/certreq.sh
Then copy the CA files from wolfTPM to the wolfSSL certs directory:
cp ./certs/ca-ecc-cert.pem ../wolfssl/certs/tpm-ca-ecc-cert.pem
cp ./certs/ca-rsa-cert.pem ../wolfssl/certs/tpm-ca-rsa-cert.pem
TLS Client
This example shows using a TPM key and certificate for TLS mutual authentication (client authentication).
The client connects to localhost on port 11111 by default. These can be overridden at build time using the TLS_HOST and TLS_PORT macros.
You can validate against the wolfSSL example server (run from the wolfSSL directory) like this; -d disables client certificate checking, so this only exercises the handshake:
./examples/server/server -b -p 11111 -g -d
To verify the client certificate against the test CA, use one of the following wolfSSL example server commands instead:
./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem
or
./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem
The CA must match the key type the client was built for (RSA, or ECC when TLS_USE_ECC is defined).
Then run the wolfTPM TLS client example:
./examples/tls/tls_client
TLS Server
This example shows using a TPM key and certificate for a TLS server.
By default it listens on port 11111, which can be overridden at build time using the TLS_PORT macro.
Run the wolfTPM TLS server example:
./examples/tls/tls_server
Then run the wolfSSL example client (from the wolfSSL directory) like this; -d disables peer certificate checking:
./examples/client/client -h localhost -p 11111 -g -d
To verify the server certificate against the test CA, use one of the following wolfSSL example client commands instead:
./examples/client/client -h localhost -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem
or
./examples/client/client -h localhost -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem
Or connect with your browser: https://localhost:11111
Browsers will show certificate warnings until you load the test CA (./certs/ca-rsa-cert.pem or ./certs/ca-ecc-cert.pem) into your OS key store. For testing, most browsers have a way to continue to the site anyway and bypass the warning. If you do import the test CA, remove it from the key store when you are finished testing; it is a test CA, not one you want your OS to keep trusting.
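The certificate generation, the CA copy, and both TLS interop runs above (TLS Client and TLS Server), tied together in one script. This is an added example, not a script shipped with wolfTPM. It assumes it is run from the wolfTPM root with wolfSSL built at ../wolfssl (the WOLFTPM_DIR and WOLFSSL_DIR variables are hypothetical overrides), a TPM or simulator reachable by the example binaries, the openssl CLI on PATH, and that tls_client/tls_server were built for the key type you pass (rsa, or ecc with TLS_USE_ECC). The openssl verify step is not part of the original procedure; it is added so that a broken chain is reported before the handshake rather than as a TLS alert.

```shell
#!/bin/sh
# tpm_tls_test.sh (hypothetical name): drives the wolfTPM <-> wolfSSL TLS
# interop procedure from the README. Added example, not part of wolfTPM.
# Assumes: run from the wolfTPM root, wolfSSL built at ../wolfssl, a TPM or
# simulator reachable by the examples, and the openssl CLI on PATH.
set -eu

WOLFTPM_DIR=${WOLFTPM_DIR:-.}            # assumed layout, override if different
WOLFSSL_DIR=${WOLFSSL_DIR:-../wolfssl}
TLS_PORT=${TLS_PORT:-11111}              # must match the TLS_PORT the examples were built with

# Test CA written by ./certs/certreq.sh for a key type ("rsa" or "ecc").
ca_cert_for() {
    case "$1" in
        rsa|ecc) printf '%s/certs/ca-%s-cert.pem\n' "$WOLFTPM_DIR" "$1" ;;
        *) echo "unknown key type: $1 (expected rsa or ecc)" >&2; return 1 ;;
    esac
}

# Where the README copies that CA so the wolfSSL examples can find it.
wolfssl_ca_for() {
    printf '%s/certs/tpm-ca-%s-cert.pem\n' "$WOLFSSL_DIR" "$1"
}

require_file() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
}

# Check that a leaf issued by certreq.sh chains to the test CA. A broken
# chain is far easier to read from openssl than from a TLS alert.
verify_chain() {  # verify_chain <ca.pem> <leaf.pem>
    require_file "$1" && require_file "$2" || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Steps from "TLS Examples": CSR, sign with the test CA, check, copy CA over.
generate_certs() {
    "$WOLFTPM_DIR/examples/csr/csr"
    "$WOLFTPM_DIR/certs/certreq.sh"
    for kt in rsa ecc; do
        verify_chain "$(ca_cert_for "$kt")" "$WOLFTPM_DIR/certs/client-$kt-cert.pem"
        verify_chain "$(ca_cert_for "$kt")" "$WOLFTPM_DIR/certs/server-$kt-cert.pem"
        cp "$(ca_cert_for "$kt")" "$(wolfssl_ca_for "$kt")"
    done
}

# "TLS Client": wolfSSL example server verifying the client cert against the
# test CA (-A), then the wolfTPM client. Key type must match the client build
# (rsa, or ecc if built with TLS_USE_ECC). The client's exit status is the result.
test_tpm_client() {  # test_tpm_client <rsa|ecc>
    ca=$(wolfssl_ca_for "$1"); require_file "$ca"
    "$WOLFSSL_DIR/examples/server/server" -b -p "$TLS_PORT" -g -A "$ca" &
    srv=$!
    sleep 1   # give the listener time to come up
    rc=0; "$WOLFTPM_DIR/examples/tls/tls_client" || rc=$?
    kill "$srv" 2>/dev/null || true
    return "$rc"
}

# "TLS Server": wolfTPM server, then the wolfSSL example client verifying the
# server cert against the test CA.
test_tpm_server() {  # test_tpm_server <rsa|ecc>
    ca=$(wolfssl_ca_for "$1"); require_file "$ca"
    "$WOLFTPM_DIR/examples/tls/tls_server" &
    srv=$!
    sleep 1
    rc=0; "$WOLFSSL_DIR/examples/client/client" -h localhost -p "$TLS_PORT" -g -A "$ca" || rc=$?
    kill "$srv" 2>/dev/null || true
    return "$rc"
}

# Usage: sh tpm_tls_test.sh gen | client rsa|ecc | server rsa|ecc
# With no arguments the file only defines the functions (so it can be sourced).
case "${1:-}" in
    gen)    generate_certs ;;
    client) test_tpm_client "${2:-rsa}" ;;
    server) test_tpm_server "${2:-rsa}" ;;
    "")     ;;
    *)      echo "usage: $0 gen | client rsa|ecc | server rsa|ecc" >&2; exit 2 ;;
esac
```

Run `sh tpm_tls_test.sh gen` once, then `sh tpm_tls_test.sh client rsa` or `sh tpm_tls_test.sh server ecc`; a non-zero exit means the peer rejected the TPM-backed certificate or the handshake failed. The `-d` variants from the README are deliberately not used here, since the point of the check is that the peer verifies the TPM certificate against the test CA.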
Benchmark
Performance benchmarks.
./examples/bench/bench