TLS client / server example improvements and cleanups. Adds support f…

…or using wolfSSL client/server examples with mutual auth certificate validation. Added new dummy key as to not conflict with wolfSSL test keys.
jackctj117 · Feb 1, 2019 · bf67b3f · bf67b3f
1 parent 51a5740
commit bf67b3f
Show file tree

Hide file tree

Showing 13 changed files with 517 additions and 214 deletions.
diff --git a/certs/dummy-ecc.der b/certs/dummy-ecc.der
diff --git a/certs/dummy-ecc.pem b/certs/dummy-ecc.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAUP6rYsfNM8Zj1rRNWK1Bz2KjVJsjZ97NSzmitPccjToAoGCCqGSM49
+AwEHoUQDQgAEQ5j3M3e0VQLx83mXZ+21OnrhfMaoI4s6aELdaE9Iby2afEcgHxNp
+cQVCW58jfeCmXdQRRLGRZlDALIxxNQ4otA==
+-----END EC PRIVATE KEY-----
diff --git a/certs/dummy-rsa.der b/certs/dummy-rsa.der
diff --git a/certs/dummy-rsa.pem b/certs/dummy-rsa.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAz92yF0nrv/vFGRNjhkm8/o7tIW5TGJxB1ewSMfD5kAgVaC8A
+nKw2KPbYUKDUfN/nD+E20d3AK/A9yfBb5HZIkfCSKYJ1fwtBOXdSzR8wo8N5kr0K
+fxayBv1JxU00JttJBttJY7blpOzAbSTxgg+DG7ENo4tqOTm2s6Phd2mMx4Phvp75
+t9vf+Jh8nchyeL8TYiehv0srBBjNLBB+pTMI1Enx7JlvLgu007PCIALpOqGzgZsM
+ArDenu8KR276200THh/Se8ZI6CfevI1MYFpxtcN//HwowZnyejvNanb+qJvdAx7r
+tJ1wXHofthLszaxqzSwlU+801cWXFNSyhgNfiQIDAQABAoIBAF2evxBIJdsA/UOO
+/PtFiM6p9tlgxCJIdkpwGb3Oh8g8K9ARo1ftJDONAd5GoY1glsQLLlKVanEfseSa
+0fhy4bqBPINfk6XVntnQCUYDbzfC2aWiaPDWevY07B3l6MA7cYeaClLT1FhUnVJL
+Gk72x5kYRElNiFkfyk7cV7cdnd9Zkdku4FSqTo+SgoVw+ZOQOjDNs3OBk+f5H/ap
+qdSuiQ44EWH399ybmUv+wHF4UxgPI6kRoKpX7jmq6ip6jRJpLIJNoOUcs2mdoTCj
+QPqGQNOL+a+YfRcHoyniV+9Hz4EiTUdjpC8aj8MmH/bFgf8UqYdWGIoY/TfDS47g
+aywHSwUCgYEA7VEGkbiUXhebIiXvI3ZhJvqs7sGZjlU4hdIVBm67Rbv+X/fSpEEV
+JGeOomu6qiiEImPuqKDQ6keMrE6YGIryGXZQnf7RWcPBIzsxc8dxPpTIbX+6MPJM
+Gn50Unigq2kMRFnQsP4v6MIY5ySLc99PQJIMjGySJ7w/W3lEwTLMorcCgYEA4Dsc
+xMRpDWtXGbdZGJKyCTlml9EY3mtfxZsRRx7q46w2KzCZgQA9OUEDkHfeSuFI35iG
+Azvqr8j210/mrnDyPbvyY7ktPAizEJ6XbI0oNK7a2aGOOlF6oRQ/++o7tJOqFHq0
+18p7Ya/1hxpkqT48et0RfwEtppHtPSicZ8Jcz78CgYEAzgxZzdAbUg7g7SdOmNXB
+yJxB5hNGBiTMLLSY+LrP8t4lIKIFzAOOHcukNjWfHvqKr2lg4ByxB5kT9M9Qk46g
+Yacum9+RWYTzfml4qHP0SUfZNel+ed0GYsKEsM53ghx1QCtTXTl103wjLx21zueG
+4iNsrcfepo113TBPmAdJUcUCgYBGGTS9LsnIsC3ilDb+P5341EEGZQ/pOJgQJpIY
+McosssGcbu0OLwz0wSZkG5Uaw6MMg5ohmLGdkq3YUdpD3ntcYU09b758bhvMrkeY
+X+iZz7ALKT5VbPNxN+tozaksop0hGds/OsWnnGKdgdrGLfaqUkIN+khTMnuACxoa
+NeDd8QKBgHZGuVeRP2RdQjdwnUQ4CQlCPi6KeqRXS4GVZUc883dU433sBskmq91m
+c1SGMSZ1W4Sr0qJqm27dRa6BSRKNAxwba1s3+ucFn71m3WzXFg3MZBnCzcOp7XD6
+ddhB98aE6EDw5ZOI4k5P5F/fU6unBtxkflHofhwzn79eWLx9o4CE
+-----END RSA PRIVATE KEY-----
diff --git a/certs/include.am b/certs/include.am
@@ -6,4 +6,9 @@ EXTRA_DIST += \
 	     certs/certreq.sh \
 	     certs/ca-rsa.cnf \
 	     certs/ca-ecc.cnf \
-	     certs/wolfssl-website-ca.pem
+	     certs/wolf-ca-ecc-cert.pem \
+	     certs/wolf-ca-rsa-cert.pem \
+	     certs/dummy-ecc.pem \
+	     certs/dummy-rsa.pem \
+	     certs/dummy-ecc.der \
+	     certs/dummy-rsa.der
diff --git a/certs/wolf-ca-ecc-cert.pem b/certs/wolf-ca-ecc-cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAjCgAwIBAgIJANUT7c08LkF0MAoGCCqGSM49BAMCMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xODA5MDcyMDEzNDNaFw0zODA5MDIyMDEzNDNaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABGbPpebypg/W274c+uFJGMigpJy/LW0MKy1VoU88
+FSqefHY5C+es8nogRaXYU0itI+85KuUfPhJVM6Hc2evFsBajYzBhMB0GA1UdDgQW
+BBSJGbGXpAUTPLBXRrJiJ2RNoG53WjAfBgNVHSMEGDAWgBSJGbGXpAUTPLBXRrJi
+J2RNoG53WjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO
+PQQDAgNHADBEAiArQgfTsykjwoBFMa/elWAqW5r38xW48flizWImoA7jfwIgbDO/
+mF4z7Vg2cbdvjbLZenQBaXmFNXULqAlpJnlRyl4=
+-----END CERTIFICATE-----
diff --git a/certs/wolf-ca-rsa-cert.pem b/certs/wolf-ca-rsa-cert.pem
@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9727763710660753659 (0x86fff58e10deb8fb)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/[email protected]
+        Validity
+            Not Before: Apr 13 15:23:09 2018 GMT
+            Not After : Jan  7 15:23:09 2021 GMT
+        Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/[email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
+                    f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
+                    de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98:
+                    21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77:
+                    32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1:
+                    8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3:
+                    a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed:
+                    a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95:
+                    82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c:
+                    3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db:
+                    76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc:
+                    73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98:
+                    de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68:
+                    cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2:
+                    b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3:
+                    13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98:
+                    ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed:
+                    36:79
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
+            X509v3 Authority Key Identifier: 
+                keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
+                DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]
+                serial:86:FF:F5:8E:10:DE:B8:FB
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         9e:28:88:72:00:ca:e6:e7:97:ca:c1:f1:1f:9e:12:b2:b8:c7:
+         51:ea:28:e1:36:b5:2d:e6:2f:08:23:cb:a9:4a:87:25:c6:5d:
+         89:45:ea:f5:00:98:ac:76:fb:1b:af:f0:ce:64:9e:da:08:bf:
+         b6:eb:b4:b5:0c:a0:e7:f6:47:59:1c:61:cf:2e:0e:58:a4:82:
+         ac:0f:3f:ec:c4:ae:80:f7:b0:8a:1e:85:41:e8:ff:fe:fe:4f:
+         1a:24:d5:49:fa:fb:fe:5e:e5:d3:91:0e:4f:4e:0c:21:51:71:
+         83:04:6b:62:7b:4f:59:76:48:81:1e:b4:f7:04:47:8a:91:57:
+         a3:11:a9:f2:20:b4:78:33:62:3d:b0:5e:0d:f9:86:38:82:da:
+         a1:98:8d:19:06:87:21:39:b7:02:f7:da:7d:58:ba:52:15:d8:
+         3b:c9:7b:58:34:a0:c7:e2:7c:a9:83:13:e1:b6:ec:01:bf:52:
+         33:0b:c4:fe:43:d3:c6:a4:8e:2f:87:7f:7a:44:ea:ca:53:6c:
+         85:ed:65:76:73:31:03:4e:ea:bd:35:54:13:f3:64:87:6b:df:
+         34:dd:34:a1:88:3b:db:4d:af:1b:64:90:92:71:30:8e:c8:cc:
+         e5:60:24:af:31:16:39:33:91:50:f9:ab:68:42:74:7a:35:d9:
+         dd:c8:c4:52
+-----BEGIN CERTIFICATE-----
+MIIEqjCCA5KgAwIBAgIJAIb/9Y4Q3rj7MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
+VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
+A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xODA0MTMxNTIzMDlaFw0yMTAxMDcxNTIzMDlaMIGUMQswCQYDVQQGEwJVUzEQ
+MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
+dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
+LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
+mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
+i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
+XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
+/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
+/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOB/DCB
++TAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUwgckGA1UdIwSBwTCBvoAU
+J45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
+aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAhv/1jhDeuPswDAYD
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAniiIcgDK5ueXysHxH54SsrjH
+Ueoo4Ta1LeYvCCPLqUqHJcZdiUXq9QCYrHb7G6/wzmSe2gi/tuu0tQyg5/ZHWRxh
+zy4OWKSCrA8/7MSugPewih6FQej//v5PGiTVSfr7/l7l05EOT04MIVFxgwRrYntP
+WXZIgR609wRHipFXoxGp8iC0eDNiPbBeDfmGOILaoZiNGQaHITm3AvfafVi6UhXY
+O8l7WDSgx+J8qYMT4bbsAb9SMwvE/kPTxqSOL4d/ekTqylNshe1ldnMxA07qvTVU
+E/Nkh2vfNN00oYg7202vG2SQknEwjsjM5WAkrzEWOTORUPmraEJ0ejXZ3cjEUg==
+-----END CERTIFICATE-----
diff --git a/certs/wolfssl-website-ca.pem b/certs/wolfssl-website-ca.pem
diff --git a/examples/README.md b/examples/README.md
@@ -2,7 +2,7 @@
 
 These examples demonstrate features of a TPM 2.0 module.
 
-The examples create RSA and ECC keys in NV for testing using handles defined in `./examples/tpm_io.h`.
+The examples create RSA and ECC keys in NV for testing using handles defined in `./examples/tpm_test.h`.
 
 The PKCS #7 and TLS examples require generating CSR's and signing them using a test script. See CSR and Certificate Signing below.
 
@@ -38,7 +38,7 @@ External script for generating test certificates based on TPM generated CSR's. T
 `./certs/certreq.sh`
 
 The script creates the following X.509 files (also in .pem format):
-`./certs/ca-ecc-cert.der`s
+`./certs/ca-ecc-cert.der`
 `./certs/ca-rsa-cert.der`
 `./certs/client-rsa-cert.der`
 `./certs/client-ecc-cert.der`
@@ -62,35 +62,56 @@ The result is displayed to stdout on the console.
 
 The TLS example uses TPM based ECDHE (ECC Ephemeral key) support. It can be disabled using `CFLAGS="-DWOLFTPM2_USE_SW_ECDHE"` or `#define WOLFTPM2_USE_SW_ECDHE`. We are also looking into using the 2-phase `TPM2_EC_Ephemeral` and `TPM2_ZGen_2Phase` methods for improved performance and scalability.
 
-Note: The TPM2_CreatePrimary with TPM_RH_NULL for ephemeral key use has an issue with SLB9670 7.83 firmware. Please update to latest firmware or disable ECDHE support using WOLFTPM2_USE_SW_ECDHE to resolve. 
+Note: To force ECC use with wolfSSL when RSA is enabled define `TLS_USE_ECC`.
+
+Generation of the Client and Server Certificates requires running:
+1. `./examples/csr/csr`
+2. `./certs/certreq.sh`
+3. Copy the CA files from wolfTPM to wolfSSL certs directory.
+    a. `cp ./certs/ca-ecc-cert.pem ../wolfssl/certs/tpm-ca-ecc-cert.pem`
+    b. `cp ./certs/ca-rsa-cert.pem ../wolfssl/certs/tpm-ca-rsa-cert.pem`
+
 
 ### TLS Client
 
 Examples show using a TPM key and certificate for TLS mutual authentication (client authentication).
 
-It uses macros defined at compile time for the host/port. See `TLS_HOST` and `TLS_PORT`.
+This example client connects to localhost on on port 11111 by default. These can be overriden using `TLS_HOST` and `TLS_PORT`.
 
-Generation of the Client Certificate requires running:
-1. `./examples/csr/csr`
-2. `./certs/certreq.sh`
+You can validate using the wolfSSL example server this like:
+`./examples/server/server -b -p 11111 -g -d`
+
+To validate client certificate use the following wolfSSL example server command:
+`./examples/server/server -b -p 11111 -g -A ./certs/ca-rsa-cert.pem`
+or
+`./examples/server/server -b -p 11111 -g -A ./certs/ca-ecc-cert.pem`
+
+Then run the wolfTPM TLS client example:
+`./examples/tls/tls_client`. 
 
 
 ### TLS Server
 
-This example shows using a TPM key and certificate for a TLS server. By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
-
-Generation of the Server Certificate requires running:
-1. `./examples/csr/csr`
-2. `./certs/certreq.sh`
+This example shows using a TPM key and certificate for a TLS server.
 
- You can validate using the wolfSSL example client this like:
-  `./examples/client/client -h 192.168.0.100 -p 11111 -d -g`
-
-Or using your browser: `https://192.168.0.100:11111`
+By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
+
+Run the wolfTPM TLS server example:
+`./examples/tls/tls_server`. 
+
+Then run the wolfSSL example client this like:
+`./examples/client/client -h localhost -p 11111 -g -d`
+
+To validate server certificate use the following wolfSSL example client comment:
+`./examples/client/client -h localhost -p 11111 -g -A ./certs/ca-rsa-cert.pem`
+or
+`./examples/client/client -h localhost -p 11111 -g -A ./certs/ca-ecc-cert.pem`
+
+
+Or using your browser: `https://localhost:11111`
 
-With browsers you will get a certificate warning because it cannot validate the test server certificate.
+With browsers you will get certificate warnings until you load the test CA's `./certs/ca-rsa-cert.pem` and `./certs/ca-ecc-cert.pem` into your OS key store.
 For testing most browsers have a way to continue to the site anyways to bypass the warning. 
-You can also load the generated test CA's at `./certs/ca-rsa-cert.pem` and `./certs/ca-ecc-cert.pem` into your OS key store.
 
 
 ## Benchmark