PKCS#11 library that implements cryptographic algorithms using wolfSSL.
Build wolfSSL:
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
make
make check
sudo make install
sudo ldconfigautogen.sh requires: automake and libtool: sudo apt-get install automake libtool
Build wolfPKCS11:
git clone https://github.com/wolfSSL/wolfPKCS11.git
cd wolfPKCS11
./autogen.sh
./configure
make
make checkEnables using a TPM for cryptography and keystore.
Tested using ./configure --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE" && make.
Note: The TPM does not support DH, so only RSA and ECC are supported.
To have AES-CCM support in wolfPKCS11, configure both wolfSSL and wolfPKCS11
with the addition of --enable-aesccm.
To have AES-ECB support in wolfPKCS11, configure wolfSSL with the C macro
HAVE_AES_ECB defined. For example, CFLAGS="-DHAVE_AES_ECB". Then
enable it in wolfPKCS11 with the addition of --enable-aesecb during the
configure step.
WARNING: ECB (Electronic Code Book) mode AES is generally considered to be insecure. Please consider using a different mode of AES.
Use WOLFPKCS11_TPM_STORE storing objects in TPM NV.
Disables storage of tokens.
Enables debugging printf's for store.
Removes default implementation of storage functions. See wolfpkcs11/store.h for prototypes of functions to implement.
Sets the private key's label against the public key when generating key pairs.
Analog Devices, Inc. MAXQ10xx Secure Elements (MAXQ1065/MAXQ1080)
Support has been added to use the MAXQ10xx hardware for cryptographic operations and storage of certificate.
Before usage:
- Make sure the maxq10xx-sdk is installed and it has installed the proper header files into the source code for wolfPKCS11.
- Edit
examples/maxq10xx_init.shto ensure it is pointing to the correct location. - Execute
examples/maxq10xx_init.shto ensure it is properly initialized.
NOTE: In the code, we have embedded a test key. This must be changed for production environments!! Please contact Analog Devices to learn how to obtain and use a production key.
Path into which files are stored that contain token data. When not set, defaults to: /tmp
Set to any value to stop storage of token data.
Summary
Added Visual Studio support for wolfPKCS11. Fixes for cast warnings and portability.
Detail
- Fixed
C_GetAttributeValueincorrectly erroring withCKR_ATTRIBUTE_VALUE_INVALIDwhen data == NULL. TheC_GetAttributeValueshould set length if data field is NULL. (PR #27) - Fixed several cast warnings and possible use of uninitialized. (PR #28)
- Fixed portability issues with
WOLFPKCS11_USER_SETTINGS. (PR #28) - Added Visual Studio support for wolfPKCS11. (PR #28)
- This includes wolfTPM support with Windows TBS interface
- Reworked shared library versioning. (PR #29)
Summary
Adds backend support for TPM 2.0 using wolfTPM. Adds AES CBC key wrap / unwrap support. Portability improvements. Improved testing with GitHub Actions.
Detail
- Cleanups for minor cast warning, spelling and ignore for generated test files (PR #14)
- Added support for wrap/unwrap RSA with aes_cbc_pad. (PR #15)
- Fixed setting of label for public key after creation (init ECC objects before decoding) (PR #16)
- Flush writes in key store. (PR #17)
- Added build options for embedded use (PR #18)
WOLFSSL_USER_SETTINGSto avoid includingwolfssl/options.hWOLFPKCS11_USER_SETTINGSto avoid includingwolfPKCS11/options.hWOLFPKCS11_NO_TIMEto make wc_GetTime() optional (it disables brute-force protections on token login)
- Reset failed login counter only with
WOLFPKCS11_NO_TIME(PR #18) - Fixed argument passing in
SetMPI/GetMPIData(PR #19) - Fixed
NO_DHifdef gate when freeing PKCS11 object (PR #20) - Added GitHub CI action (PR #21)
- Fixed warnings from
./autogen.sh. Updated m4 macros. (PR #21) - Added additional GitHub CI action tests. (PR #22)
- Added wolfPKCS11 support for using TPM 2.0 module as backend. Uses wolfTPM and supports RSA and ECC. Requires wolfSSL/wolfTPM#311 (PR #23)
- Added CI testing for wolfPKCS11 with wolfTPM backend and single threaded. (PR #23)
- Added PKCS11 TPM NV store (enabled with
WOLFPKCS11_TPM_STORE). AllowWOLFPKCS11_NO_STOREfor TPM use case. (PR #23) - Fixed compiler warnings from mingw. (PR #23)
- Added portability macro
WOLFPKCS11_NO_ENVwhen setenv/getenv are not available. (PR #23) - Fix to only require
-ldlfor non-static builds. (PR #23) - Portability fixes. Added
NO_MAIN_DRIVER. Support forSINGLE_THREADED. Addstaticto some globals. (PR #24) - Fixes for portability where
XREALLOCis not available. (PR #25) - Added support for custom setenv/get env using
WOLFPKCS11_USER_ENV. (PR #25) - Fix for final not being called after init in edge case pin failure. (PR #25)
- Added support for hashing PIN with SHA2-256.
- PKS11 uses scrypt, which uses multiple MB of memory and is not practical for embedded systems. (PR #25)
- Added support for CKM_AES_CBC_PAD
- Added support for storage of token data.
- Added support encrypted private keys.
- Added CKF_LOGIN_REQUIRED to the slot flags.
- Added RSA X_509 support for signing/verifying
- Added missing
CK_INVALID_SESSION. - Added some missing PKCS11 types.
- Fixed building with FIPS 140-2 (fipsv2).
- Fixed
WP11_APIvisibility. - Fixed test pin to be at least 14-characters as required by FIPS HMAC.
- Fixed getting a boolean for the operations flags.
- Fixed misleading indentation fixes.
- Improve the
curve_oidlookup with FIPS. - Removed
config.hfrom the public pkcs11.h header. - Convert repository to GPLv3.
- Initial PKCS11 support