@dgarske dgarske commented May 27, 2022

This is a rough template for:

  1. Creating a new ECC key
  2. Creating a CSR based on the new ECC key
  3. Creating a new certificate based on CSR, populating issuer
  4. Certificate signing based on a PKCS11 ECC key (using a devId set up with the PKCS11 crypto callback wc_Pkcs11_CryptoDevCb).

@dgarske dgarske self-assigned this May 27, 2022
@dgarske dgarske assigned SparkiDev and unassigned dgarske Nov 23, 2022
@dgarske dgarske requested a review from SparkiDev November 23, 2022 16:31
XMEMSET(pem, 0, LARGE_TEMP_SZ);
#endif

#ifdef HAVE_ECC
Why check for HAVE_ECC here when other ECC APIs are used outside of this?

printf("Init Cert failed: %d\n", ret);
goto exit;
}
strncpy(req.subject.country, "US", CTC_NAME_SIZE);
Extract the setting of subject to a new function and comment it to say it needs to be replaced.

newCert.sigType = CTC_SHA256wECDSA;

printf("Setting certificate subject\n");
#ifdef HAVE_DECODEDCERT
Extract this code in to separate function and add comment to indicate customer specific changes required.

strncpy(newCert.subject.email, decoded.subjectEmail, decoded.subjectEmailLen);
#else
/* This can be used if the DER is an X.509 certificate (not CSR) */
//ret = wc_SetSubjectBuffer(&newCert, derBuf, derSz);
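Review bot: `strncpy(newCert.subject.email, decoded.subjectEmail, decoded.subjectEmailLen)` bounds the copy by the source length rather than the destination, so a CSR carrying an over-long email field can overrun `newCert.subject.email` (the subject fields are fixed-size arrays, as the earlier `strncpy(req.subject.country, "US", CTC_NAME_SIZE)` reflects), and when the copy exactly fills the buffer it leaves no NUL terminator. Clamp to the destination and terminate explicitly, e.g. `len = (decoded.subjectEmailLen < CTC_NAME_SIZE - 1) ? decoded.subjectEmailLen : CTC_NAME_SIZE - 1;` followed by `memcpy(newCert.subject.email, decoded.subjectEmail, len); newCert.subject.email[len] = '\0';`, and apply the same clamp to the other subject fields copied from the decoded CSR.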
Remove

/* Code for parsing a CSR to a DecodedCert struct */
/* Note: These are not public API's unless WOLFSSL_TEST_CERT or the compat
* layer is enabled */
InitDecodedCert(&decoded, derBuf, derSz, HEAP_HINT);
wc_InitDecodedCert() and wc_ParseCert()?

printf("Setting certificate subject\n");
#ifdef HAVE_DECODEDCERT
/* Copy fields from CSR to new certificate */
if (decoded.subjectC)
Can we get raw and set raw?

@dgarske dgarske assigned dgarske and unassigned SparkiDev Nov 23, 2022