Merge pull request #17 from dgarske/examples

Added PKCS7, CSR and TLS Client examples for TPM
wolfSSL · Jul 19, 2018 · f95ef67 · f95ef67
2 parents 3784a6e + 8d74a1b
commit f95ef67
Show file tree

Hide file tree

Showing 26 changed files with 1,805 additions and 42 deletions.
diff --git a/.gitignore b/.gitignore
@@ -25,6 +25,21 @@ RemoteSystemsTempFiles
 *.o
 *.deps
 *.libs
+wolftpm/options.h
+
 examples/wrap/wrap_test
 examples/native/native_test
-wolftpm/options.h
+examples/bench/bench
+examples/csr/csr
+
+examples/pkcs7/pkcs7
+pkcs7tpmsigned.p7s
+
+# Generated Cert Files
+certs/ca-*.pem
+certs/ca-*.der
+certs/ca-*.crl
+certs/*.par
+certs/crlnumber*
+certs/serial
+certs/index*
diff --git a/IDE/OPENSTM32/.cproject b/IDE/OPENSTM32/.cproject
@@ -135,10 +135,9 @@
 					<sourceEntries>
 						<entry excluding="CMSIS/Device/ST/STM32F7xx|STM32F7xx_HAL_Driver/Src/stm32f7xx_hal_timebase_tim_template.c|STM32F7xx_HAL_Driver/Src/stm32f7xx_hal_timebase_rtc_alarm_template.c|STM32F7xx_HAL_Driver|STM32F4xx_StdPeriph_Driver|STM32F7xx_HAL_Driver/Src/stm32f7xx_hal_timebase_rtc_wakeup_template.c|STM32F7xx_HAL_Driver/Src/stm32f7xx_hal_msp_template.c" flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="Drivers"/>
 						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="Inc"/>
-						<entry excluding="Third_Party/wolfssl/x64|Third_Party/wolfssl/wrapper|Third_Party/wolfssl/tst.dSYM|Third_Party/wolfssl/tests|Third_Party/wolfssl/swig|Third_Party/wolfssl/support|Third_Party/wolfssl/sslSniffer|Third_Party/wolfssl/sign.dSYM|Third_Party/wolfssl/scripts|Third_Party/wolfssl/rpm|Third_Party/wolfssl/mqx|Third_Party/wolfssl/mplabx|Third_Party/wolfssl/mcapi|Third_Party/wolfssl/makecsr.dSYM|Third_Party/wolfssl/m4|Third_Party/wolfssl/lib|Third_Party/wolfssl/IPP|Third_Party/wolfssl/IDE|Third_Party/wolfssl/examples|Third_Party/wolfssl/doc|Third_Party/wolfssl/DLL Release|Third_Party/wolfssl/DLL Debug|Third_Party/wolfssl/Debug|Third_Party/wolfssl/cyassl|Third_Party/wolfssl/ctaocrypt|Third_Party/wolfssl/client.dSYM|Third_Party/wolfssl/certs|Third_Party/wolfssl/build-aux|Third_Party/wolfssl/autom4te.cache|Third_Party/wolfssl/testsuite|Third_Party/wolfssl/tirtos|Third_Party/wolfssl/wolfcrypt/src/aes_asm.s|Third_Party/wolfssl/wolfcrypt/src/aes_asm.asm|Third_Party/wolfssl/wolfcrypt/user-crypto|Third_Party/wolfMQTT/examples/aws|Third_Party/wolfMQTT|Third_Party/wolfSSL/mplabx|Third_Party/wolfSSL/IDE|Third_Party/wolfSSL/testsuite|Third_Party/wolfSSL/tests|Third_Party/wolfMQTT/examples/azure|Third_Party/wolfMQTT/examples/firmware|Third_Party/wolfSSL/wolfcrypt/src/aes_asm.s|Third_Party/wolfSSL/wolfcrypt/user-crypto|Third_Party/wolfSSL/sslSniffer|Third_Party/wolfMQTT/IDE|Third_Party/wolfSSL/mqx|Third_Party/wolfSSL/wolfcrypt/src/aes_asm.asm|Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM7|Third_Party/wolfSSL/serialTest.c|Third_Party/wolfSSL/examples|Third_Party/wolfSSL/swig|Third_Party/wolfSSL/tirtos|Third_Party/wolfSSL/wolfcrypt/src/port|Third_Party/wolfSSL/mcapi" flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="Middlewares"/>
+						<entry excluding="Third_Party/wolfssl/wolfcrypt/src/aes_asm.S|Third_Party/wolfssl/x64|Third_Party/wolfssl/wrapper|Third_Party/wolfssl/tst.dSYM|Third_Party/wolfssl/tests|Third_Party/wolfssl/swig|Third_Party/wolfssl/support|Third_Party/wolfssl/sslSniffer|Third_Party/wolfssl/sign.dSYM|Third_Party/wolfssl/scripts|Third_Party/wolfssl/rpm|Third_Party/wolfssl/mqx|Third_Party/wolfssl/mplabx|Third_Party/wolfssl/mcapi|Third_Party/wolfssl/makecsr.dSYM|Third_Party/wolfssl/m4|Third_Party/wolfssl/lib|Third_Party/wolfssl/IPP|Third_Party/wolfssl/IDE|Third_Party/wolfssl/examples|Third_Party/wolfssl/doc|Third_Party/wolfssl/DLL Release|Third_Party/wolfssl/DLL Debug|Third_Party/wolfssl/Debug|Third_Party/wolfssl/cyassl|Third_Party/wolfssl/ctaocrypt|Third_Party/wolfssl/client.dSYM|Third_Party/wolfssl/certs|Third_Party/wolfssl/build-aux|Third_Party/wolfssl/autom4te.cache|Third_Party/wolfssl/testsuite|Third_Party/wolfssl/tirtos|Third_Party/wolfssl/wolfcrypt/src/aes_asm.s|Third_Party/wolfssl/wolfcrypt/src/aes_asm.asm|Third_Party/wolfssl/wolfcrypt/user-crypto|Third_Party/wolfMQTT/examples/aws|Third_Party/wolfMQTT|Third_Party/wolfSSL/mplabx|Third_Party/wolfSSL/IDE|Third_Party/wolfSSL/testsuite|Third_Party/wolfSSL/tests|Third_Party/wolfMQTT/examples/azure|Third_Party/wolfMQTT/examples/firmware|Third_Party/wolfSSL/wolfcrypt/src/aes_asm.s|Third_Party/wolfSSL/wolfcrypt/user-crypto|Third_Party/wolfSSL/sslSniffer|Third_Party/wolfMQTT/IDE|Third_Party/wolfSSL/mqx|Third_Party/wolfSSL/wolfcrypt/src/aes_asm.asm|Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM7|Third_Party/wolfSSL/serialTest.c|Third_Party/wolfSSL/examples|Third_Party/wolfSSL/swig|Third_Party/wolfSSL/tirtos|Third_Party/wolfSSL/wolfcrypt/src/port|Third_Party/wolfSSL/mcapi" flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="Middlewares"/>
 						<entry excluding="stm32f7xx_it.c|main_f7.c|lwip.c|stm32f7xx_hal_msp.c|ethernetif.c|stm32f7xx_hal_timebase_TIM.c" flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="Src"/>
-						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="wolfTPM/examples/wrap"/>
-						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="wolfTPM/examples/native"/>
+						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="wolfTPM/examples"/>
 						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="wolfTPM/src"/>
 					</sourceEntries>
 				</configuration>

diff --git a/Makefile.am b/Makefile.am
@@ -35,6 +35,7 @@ include src/include.am
 include wolftpm/include.am
 include examples/include.am
 include IDE/include.am
+include certs/include.am
 
 EXTRA_DIST+= README.md
 EXTRA_DIST+= LICENSE

diff --git a/certs/ca-ecc.cnf b/certs/ca-ecc.cnf
@@ -0,0 +1,109 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/index.txt
+serial            = $dir/certs/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/certs/ca-ecc-key.pem
+certificate       = $dir/certs/ca-ecc-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/certs/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = [email protected]
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/ca-rsa.cnf b/certs/ca-rsa.cnf
@@ -0,0 +1,109 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/index.txt
+serial            = $dir/certs/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/certs/ca-rsa-key.pem
+certificate       = $dir/certs/ca-rsa-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/certs/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = [email protected]
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/certreq.sh b/certs/certreq.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+echo Run from wolftpm root
+echo Run ./examples/crl/crl first to generate the CSR
+
+
+# Make sure required CA files exist and are populated
+rm ./certs/index.txt 
+touch ./certs/index.txt 
+if [ ! -f ./certs/serial ]; then
+	echo 1000 > ./certs/serial
+fi
+if [ ! -f ./certs/crlnumber ]; then
+	echo 2000 > ./certs/crlnumber
+fi
+
+if [ $1 == clean ]; then
+	rm ./certs/*.pem
+	rm ./certs/*.der
+	rm ./certs/*.old
+fi
+
+
+# Generate RSA 2048-bit CA
+if [ ! -f ./certs/ca-rsa-key.pem ]; then
+	openssl req -new -newkey rsa:2048 -keyout ./certs/ca-rsa-key.pem -nodes -out ./certs/ca-rsa-cert.csr -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]"
+    openssl x509 -req -in ./certs/ca-rsa-cert.csr -days 1000 -extfile ./certs/ca-rsa.cnf -extensions v3_ca -signkey ./certs/ca-rsa-key.pem -out ./certs/ca-rsa-cert.pem
+    rm ./certs/ca-rsa-cert.csr
+
+	openssl x509 -in ./certs/ca-rsa-cert.pem -inform PEM -out ./certs/ca-rsa-cert.der -outform DER
+	openssl rsa -in ./certs/ca-rsa-key.pem -inform PEM -out ./certs/ca-rsa-key.der -outform DER
+
+	# generate CRL
+	openssl ca -config ./certs/ca-rsa.cnf -gencrl -crldays 1000 -out ./certs/ca-rsa.crl -keyfile ./certs/ca-rsa-key.pem -cert ./certs/ca-rsa-cert.pem
+fi
+
+# Sign RSA certificate
+if [ -f ./certs/client-rsa-cert.csr ]; then
+	openssl ca -config ./certs/ca-rsa.cnf -extensions usr_cert -days 3650 -notext -md sha256 -in ./certs/client-rsa-cert.csr -out ./certs/client-rsa-cert.pem -batch
+	openssl x509 -in ./certs/client-rsa-cert.pem -outform der -out ./certs/client-rsa-cert.der
+fi
+
+
+# Generate ECC 256-bit CA
+if [ ! -f ./certs/ca-ecc-key.pem ]; then
+	openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
+	openssl req -config ./certs/ca-ecc.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]"
+	rm ./certs/ca-ecc-key.par
+
+	openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
+	openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
+
+	# generate CRL
+	openssl ca -config ./certs/ca-ecc.cnf -gencrl -crldays 1000 -out ./certs/ca-ecc.crl -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
+fi
+
+
+# Sign ECC Certificate
+if [ -f ./certs/client-ecc-cert.csr ]; then
+	# NOT APPLICABLE BECAUSE PRIVATE KEY IS IN TPM
+	#openssl ecparam -out ./certs/client-ecc-key.par -name prime256v1
+	#openssl req -config ./certs/ca-ecc.cnf -sha256 -new -newkey ec:./certs/client-ecc-key.par -keyout ./certs/client-ecc-key.pem -out ./certs/client-ecc-cert.csr -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/[email protected]/"
+	#rm ./certs/client-ecc-key.par
+
+	openssl ca -config ./certs/ca-ecc.cnf -extensions usr_cert -days 3650 -notext -md sha256 -in ./certs/client-ecc-cert.csr -out ./certs/client-ecc-cert.pem -batch
+	openssl x509 -in ./certs/client-ecc-cert.pem -outform der -out ./certs/client-ecc-cert.der
+fi
diff --git a/certs/include.am b/certs/include.am
@@ -0,0 +1,9 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+	     certs/certreq.sh \
+	     certs/ca-rsa.cnf \
+	     certs/ca-ecc.cnf \
+	     certs/wolfssl-website-ca.pem