wolfKeyMgr v0.5:

* Fix for missing "make dist" files.
* Fix possible seg fault if pid creation failed.
* Fixed issue with forcful close of listen socket causing loop.
* Added missing files for cert generation.
* Added fingerprint to push syntax.
* Added TODO item for key expires.
* Remove certservice requirement.
* Cleanup unused `KeyManager_t`.
* Do not track and ignore options.h.
* Spelling fixes.

Author: dgarske

.gitignore

@@ -56,3 +56,4 @@ certs/server-*.pem
 certs/client-*.der
 certs/client-*.pem
 certs/serial.old
+options.h

README.md

@@ -53,16 +53,23 @@ $ sudo make install
 
 2. Install wolfssl version 3.4.2+
 
+Note: Requires at least wolfSSL v4.7.0 with PR https://github.com/wolfSSL/wolfssl/pull/3832
+
 ```sh
-$ ./configure --enable-certservice --enable-sniffer CFLAGS="-DWOLFSSL_DH_EXTRA"
+$ ./autogen.sh
+$ git clone https://github.com/wolfssl/wolfssl
+$ cd wolfssl
+$ ./autogen.sh
+$ ./configure --enable-sniffer CFLAGS="-DWOLFSSL_DH_EXTRA -DWOLFSSL_SNIFFER_WATCH"
 $ make
 $ make check   # (optional, but highly recommended)
 $ sudo make install
 ```
 
 Notes:
-* To enable all Intel speedups use `--enable-intelasm --enable-sp --enable-sp-asm`
-* To enable all Aarch64 speedups use `--enable-armasm --enable-sp --enable-sp-asm`
+
+* To enable all Intel (AESNI/AVX) speedups use `--enable-intelasm --enable-sp --enable-sp-asm`
+* To enable all ARMv8 (aarch64) speedups use `--enable-armasm --enable-sp --enable-sp-asm`
 
 3. Building wolfKeyMgr on *nix from git repository
 

certs/ca-ecc.cnf

@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/index.txt
+serial            = $dir/certs/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/certs/ca-key.pem
+certificate       = $dir/certs/ca-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/certs/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+unique_subject    = no
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = [email protected]
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+subjectAltName=IP:127.0.0.1
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always

certs/gen-certs.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+echo "Run from wolfkeymgr root"
+
+# Make sure required CA files exist and are populated
+rm -f ./certs/index.*
+touch ./certs/index.txt 
+if [ ! -f ./certs/serial ]; then
+	echo 1000 > ./certs/serial
+fi
+if [ ! -f ./certs/crlnumber ]; then
+	echo 2000 > ./certs/crlnumber
+fi
+
+if [ "$1" == "clean" ]; then
+	rm -f ./certs/1*.pem
+	rm -f ./certs/ca-*.pem
+	rm -f ./certs/client-*.pem
+	rm -f ./certs/client-*.der
+	rm -f ./certs/server-*.pem
+	rm -f ./certs/server-*.der
+	rm -f ./certs/*.old
+	
+	exit 0
+fi
+
+# Script to generated a TLS server and client certificates
+
+# Keys use ECC and PKCS8 with password "wolfssl"
+
+# Generate ECC 256-bit CA
+if [ ! -f ./certs/ca-key.pem ]; then
+	echo "Creating CA Key (SECP256R1)"
+    openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -v2 aes-128-cbc -outform pem -out ./certs/ca-key.pem
+fi
+echo "Creating self signed root CA certificate"
+openssl req -config ./certs/ca-ecc.cnf -extensions v3_ca -x509 -nodes -key ./certs/ca-key.pem -passin pass:'wolfssl' \
+	-out ./certs/ca-cert.pem -sha256 -days 7300 -batch \
+	-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]"
+
+# Client Key
+if [ ! -f ./certs/client-key.pem ]; then
+	echo "Creating Client Key (SECP256R1)"
+    openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -v2 aes-128-cbc -outform pem -out ./certs/client-key.pem
+fi
+
+# Client Cert
+echo "Creating signed Client certificate"
+openssl req -config ./certs/ca-ecc.cnf -sha256 -new -key ./certs/client-key.pem -passin pass:'wolfssl' \
+	-out ./certs/client-cert.csr \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/[email protected]/"
+openssl ca -config ./certs/ca-ecc.cnf -extensions usr_cert -days 3650 -notext -md sha256 \
+	-passin pass:'wolfssl' -in ./certs/client-cert.csr -out ./certs/client-cert.pem -batch
+rm ./certs/client-cert.csr
+
+if [ ! -f ./certs/server-key.pem ]; then
+	echo "Creating Server Key (SECP256R1)"
+    openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -v2 aes-128-cbc -outform pem -out ./certs/server-key.pem
+fi
+
+# Server Cert
+echo "Creating signed Server certificate"
+openssl req -config ./certs/ca-ecc.cnf -sha256 -new -key ./certs/server-key.pem -passin pass:'wolfssl' \
+	-out ./certs/server-cert.csr \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/[email protected]/"
+openssl ca -config ./certs/ca-ecc.cnf -extensions server_cert -days 3650 -notext -md sha256 \
+	-passin pass:'wolfssl' -in ./certs/server-cert.csr -out ./certs/server-cert.pem -batch
+rm ./certs/server-cert.csr
+
+
+# Script to generated a self-signed TLS server certificate for Apache
+# No key password
+
+if [ -f ./certs/test-key.pem ]; then
+    # ECC
+    openssl ecparam -name prime256v1 -genkey -outform pem -out ./certs/test-key.pem
+fi
+
+openssl req -new -x509 -nodes -key ./certs/test-key.pem -out ./certs/test-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=CA/L=Seattle/O=wolfSSL/OU=Development/CN=etsitest.com/[email protected]"

certs/include.am

@@ -10,3 +10,5 @@ EXTRA_DIST += certs/client-key.pem
 EXTRA_DIST += certs/client-cert.pem
 EXTRA_DIST += certs/server-key.pem
 EXTRA_DIST += certs/server-cert.pem
+EXTRA_DIST += certs/test-cert.pem
+EXTRA_DIST += certs/test-key.pem

certs/test-cert.pem

@@ -1,15 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICajCCAg+gAwIBAgIUMkpxF7cixTbgy2s3ZtLYCCq7pmEwCgYIKoZIzj0EAwIw
-gYkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEQMA4GA1UEBwwHU2VhdHRsZTEQ
-MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0y
-MTAzMDExOTU2MjFaFw00MTAyMjQxOTU2MjFaMIGJMQswCQYDVQQGEwJVUzELMAkG
-A1UECAwCQ0ExEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDAS
-BgNVBAsMC0RldmVsb3BtZW50MRIwEAYDVQQDDAlsb2NhbGhvc3QxHzAdBgkqhkiG
-9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
-AAToBp+YdaHpiRuvAWYXgK/mv7M1szpyfv7EXYDQXibu3moryej10+ReWc5neXgD
-VfQEZ1O6CkwPo7lZU6FBhGxmo1MwUTAdBgNVHQ4EFgQUvWcAwbZL6I6LHUZYMSdT
-FBzD3cswHwYDVR0jBBgwFoAUvWcAwbZL6I6LHUZYMSdTFBzD3cswDwYDVR0TAQH/
-BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAtC5RgbHrOuOOZznMc62hjjmSHFCz
-3GJOj6dVuZkbFxMCIQC+RA9BvaXbUirbRZzyQThhN9ohZR5cu2G9PAwy7o1cXw==
+MIICbzCCAhWgAwIBAgIUXcyHnGxDNR6GBYq4ZHSm7hJ+e8gwCgYIKoZIzj0EAwIw
+gYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEQMA4GA1UEBwwHU2VhdHRsZTEQ
+MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxFTATBgNVBAMM
+DGV0c2l0ZXN0LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0yMTAzMTkxOTAzMTVaFw00MTAzMTQxOTAzMTVaMIGMMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRUwEwYDVQQDDAxldHNpdGVzdC5jb20xHzAd
+BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAToBp+YdaHpiRuvAWYXgK/mv7M1szpyfv7EXYDQXibu3moryej10+Re
+Wc5neXgDVfQEZ1O6CkwPo7lZU6FBhGxmo1MwUTAdBgNVHQ4EFgQUvWcAwbZL6I6L
+HUZYMSdTFBzD3cswHwYDVR0jBBgwFoAUvWcAwbZL6I6LHUZYMSdTFBzD3cswDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEA6JE1aOqHMqa5zMtRuwuK
+qhKVmsgaV/FHHALuS6BmEF4CIEbQMTDs9HuSJiLUD15KqkDvgTs5EUJC7CTxgd+r
+WRpw
 -----END CERTIFICATE-----

configure.ac

@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[0.4],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[0.5],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=3:0:1
+WOLFKM_LIBRARY_VERSION=3:0:2
 #                      | | |
 #               +------+ | +---+
 #               |        |     |

examples/etsi_client/include.am

@@ -9,4 +9,4 @@ examples_etsi_client_etsi_client_CFLAGS       = -Isrc
 examples_etsi_client_etsi_client_LDFLAGS      = -Lsrc
 examples_etsi_client_etsi_client_LDADD        = src/libwolfkeymgr.la $(LIB_STATIC_ADD)
 examples_etsi_client_etsi_client_DEPENDENCIES = src/libwolfkeymgr.la
-EXTRA_DIST += 
+EXTRA_DIST += examples/etsi_client/etsi_client.h

m4/have_cyassl.m4

@@ -15,7 +15,6 @@ AC_DEFUN([_TAO_SEARCH_LIBCYASSL],[
     #include <cyassl/ssl.h>
   ],[
     CyaSSL_Init();
-    CyaSSL_cert_service();
   ]) 
 
   AM_CONDITIONAL(HAVE_LIBCYASSL, [test "x${ac_cv_libcyassl}" = "xyes"])
@@ -49,7 +48,7 @@ AC_DEFUN([_TAO_REQUIRE_LIBCYASSL],[
   _TAO_SEARCH_LIBCYASSL
 
   AS_IF([test x$ac_cv_libcyassl = xno],[
-    AC_MSG_ERROR([libcyassl is required for ${PACKAGE}, it should be built with --enable-certservice. It can be obtained from http://www.yassl.com/download.html/])
+    AC_MSG_ERROR([libcyassl is required for ${PACKAGE}. It can be obtained from http://www.yassl.com/download.html/])
   ])
 ])
 

m4/have_wolfssl.m4

@@ -16,7 +16,6 @@ AC_DEFUN([_WOLF_SEARCH_LIBWOLFSSL],[
     #include <wolfssl/ssl.h>
   ],[
     wolfSSL_Init();
-    wolfSSL_cert_service();
   ]) 
 
   AM_CONDITIONAL(HAVE_LIBWOLFSSL, [test "x${ac_cv_libwolfssl}" = "xyes"])
@@ -50,7 +49,7 @@ AC_DEFUN([_WOLF_REQUIRE_LIBWOLFSSL],[
   _WOLF_SEARCH_LIBWOLFSSL
 
   AS_IF([test x$ac_cv_libwolfssl = xno],[
-    AC_MSG_ERROR([libwolfssl is required for ${PACKAGE}, it should be built with --enable-certservice. It can be obtained from http://www.wolfssl.com/download.html/])
+    AC_MSG_ERROR([libwolfssl is required for ${PACKAGE}. It can be obtained from http://www.wolfssl.com/download.html/])
   ])
 ])