Closed space88man closed 2 weeks ago
Hi @space88man,
If you do not want to perform symmetric algorithm operations with PKCS#11 then you can define: NO_PKCS11_AES. You may also want to define: NO_PKCS11_HMAC and NO_PKCS11_RNG.
You can also implement your own callback that calls wc_Pkcs11_CryptoDevCb for only the algorithms you want. Anything not using PKCS#11 needs to return NOT_COMPILED_IN. The devId can be used to identify where the operation is coming from. That is, use a different identifier for TLS than for another context.
Let me know which option you choose and whether it works.
Sean
Hi @SparkiDev
Thanks — I tried something like this: where 1 = real PKCS#11 devID, 2 = filter devID, and it works. Does this look correct to you?
#include <stdio.h>
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/cryptocb.h>     /* wc_CryptoInfo, WC_ALGO_TYPE_PK */
#include <wolfssl/wolfcrypt/error-crypt.h>  /* NOT_COMPILED_IN */
#include <wolfssl/wolfcrypt/wc_pkcs11.h>    /* wc_Pkcs11_CryptoDevCb */

/*
 * Filter callback that will pass through only PK operations
 * to the real devId (== 1)
 */
int my_FilterCb(int devId, wc_CryptoInfo* info, void* ctx)
{
    int ret = 0;
    // assert (devId == 2);
    fprintf(stderr, "[%d] filter callback -> %d\n", devId, info->algo_type);
    /* anything that is not a PK operation falls back to wolfCrypt software */
    if (info->algo_type != WC_ALGO_TYPE_PK)
        return NOT_COMPILED_IN;
    // call the real PKCS#11 device
    return wc_Pkcs11_CryptoDevCb(1, info, ctx);
}
Hi @space88man,
The code looks good assuming you are setting the devId for TLS connections to 2. Note: 'ret' is not needed in the function as you have it.
Is there anything more for this issue?
Thanks, Sean
Version
5.7.2
Description
Using wolfSSL TLS with a PKCS#11 private key : how can I restrict the token to asymmetric operations and perform symmetric operations in wolfSSL?
IOW: I only want to do C_Sign on the token and let wolfSSL take care of any AES operations. In the two tokens I tested (libCryptoki2_64, libsoftoken3) the C_Sign succeeds but the server accept fails due to AES failures. Using the PKCS#11 server example: https://github.com/wolfSSL/wolfssl-examples/blob/master/pkcs11/server-tls-pkcs11-ecc.c
wolfSSL also uses the token for AES-GCM:
LUNA libCryptoki2_64 fails at this AES part:
NSS softoken fails at this AES part:
Additional Notes
With s_server, using either 1.1.1 with openssl-pkcs11 (engine) or 3.x.x with pkcs11-provider (provider), the software library's symmetric operations take precedence and only C_Sign is performed on the token.