wolfssl-w32/IDE/iotsafe/README.md

## wolfSSL IoT-Safe Example


### Evaluation Platform

  * ST [P-L496G-CELL02](https://www.st.com/en/evaluation-tools/p-l496g-cell02.html)

Including:
    * STM32L496AGI6-based low-power discovery mother board
    * STM Quectel BG96 modem, plugged into the 'STMod+' connector
    * IoT-Safe capable SIM card

Note: The BG96 was tested using firmware `BG96MAR02A08M1G_01.012.01.012`. If having issues with the demo make sure your BG96 firmware is updated.

### Description

This example firmware will run an example TLS 1.2 server using wolfSSL, and a 
TLS 1.2 client, on the same host, using an IoT-safe applet supporting the
[IoT.05-v1-IoT standard](https://www.gsma.com/iot/wp-content/uploads/2019/12/IoT.05-v1-IoT-Security-Applet-Interface-Description.pdf).

The client and server routines alternate their execution in a single-threaded,
cooperative loop.

Client and server communicate to each other using memory buffers to establish a 
TLS session without the use of TCP/IP sockets.

### IoT-Safe interface

In this example, the client is the IoT-safe capable endpoint. First, it creates
a wolfSSL context `cli_ctx` normally:

```c
wolfSSL_CTX_iotsafe_enable(cli_ctx);
```

In order to activate IoT-safe support in this context, the following function is
called:

```c
printf("Client: Enabling IoT Safe in CTX\n");
wolfSSL_CTX_iotsafe_enable(cli_ctx);
```


Additionally, after the SSL session creation, shown below:

```c
printf("Creating new SSL\n");
cli_ssl = wolfSSL_new(cli_ctx);
```

the client associates the pre-provisioned keys and the available slots in the
IoT safe applet to the current session:


```c
wolfSSL_iotsafe_on(cli_ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_ID);
```

The applet that has been tested with this demo has the current configuration:

   Key slot | Name | Description 
   -------|--------|------------------
   0x02 | `PRIVKEY_ID` | pre-provisioned with client ECC key
   0x03 | `ECDH_KEYPAIR_ID` | can store a keypair generated in the applet, used for shared key derivation
   0x04 | `PEER_PUBKEY_ID` | used to store the server's public key for key derivation
   0x05 | `PEER_CERT_ID` | used to store the server's public key to authenticate the peer


The following file is used to read the client's certificate:
   
  File Slot | Name | Description
  ----------|------|------------
  0x03 | `CRT_FILE_ID` | pre-provisioned with client certificate


### Compiling and running

From this directory, run 'make', then use your favorite flash programming
software to upload the firmware `image.bin` to the target board.

1) Using the STM32CubeProgrammer open the `image.elf` and program to flash.
2) Using ST-Link virtual serial port connect at 115220
3) Hit reset button. 
4) The output should look similar to below:

```
wolfSSL IoT-SAFE demo
Press a key to continue...
.
Initializing modem...
Modem booting...
Modem is on.
System up and running
Initializing wolfSSL...
Initializing modem port
Turning on VDDIO2
Initializing IoTSafe I/O...
Initializing RNG...
Getting RND...
Random bytes: 08ECF538192218569876EAB9D690306C
Starting memory-tls test...
=== SERVER step 0 ===
Setting TLSv1.3 for SECP256R1 key share
=== CLIENT step 0 ===
Client: Creating new CTX
Client: Enabling IoT Safe in CTX
Loading CA
Loaded Server certificate from IoT-Safe, size = 676
Server certificate successfully imported.
Loaded Client certificate from IoT-Safe, size = 867
Client certificate successfully imported.
Creating new SSL object
Setting TLS options: turn on IoT-safe for this socket
Setting TLSv1.3 for SECP256R1 key share
Connecting to server...
=== Cli->Srv: 162
=== SERVER step 1 ===
=== Srv RX: 5
=== Srv RX: 157
=== Srv-Cli: 128
=== Srv-Cli: 28
=== Srv-Cli: 43
=== Srv-Cli: 712
=== Srv-Cli: 100
=== Srv-Cli: 58
=== CLIENT step 1 ===
Connecting to server...
=== Cli RX: 5
=== Cli RX: 123
=== Cli RX: 5
=== Cli RX: 23
=== Cli RX: 5
=== Cli RX: 38
=== Cli RX: 5
=== Cli RX: 707
=== Cli RX: 5
=== Cli RX: 95
=== Cli RX: 5
=== Cli RX: 53
=== Cli->Srv: 902
=== Cli->Srv: 101
=== Cli->Srv: 58
Client connected!
Sending message: hello iot-safe wolfSSL
=== Cli->Srv: 44
wolfSSL client test success!
=== SERVER step 1 ===
=== Srv RX: 5
=== Srv RX: 897
=== Srv RX: 5
=== Srv RX: 96
=== Srv RX: 5
=== Srv RX: 53
wolfSSL accept success!
=== Srv RX: 5
=== Srv RX: 39
++++++ Server received msg from client: 'hello iot-safe wolfSSL'
IoT-Safe TEST SUCCESSFUL
```

## Support

For questions please email support@wolfssl.com
Import from wolfssl-5.6.6 Upstream: https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable 2024-03-02 03:59:08 +00:00			`## wolfSSL IoT-Safe Example`


			`### Evaluation Platform`

			`* ST [P-L496G-CELL02](https://www.st.com/en/evaluation-tools/p-l496g-cell02.html)`

			`Including:`
			`* STM32L496AGI6-based low-power discovery mother board`
			`* STM Quectel BG96 modem, plugged into the 'STMod+' connector`
			`* IoT-Safe capable SIM card`

			Note: The BG96 was tested using firmware `BG96MAR02A08M1G_01.012.01.012`. If having issues with the demo make sure your BG96 firmware is updated.

			`### Description`

			`This example firmware will run an example TLS 1.2 server using wolfSSL, and a`
			`TLS 1.2 client, on the same host, using an IoT-safe applet supporting the`
			`[IoT.05-v1-IoT standard](https://www.gsma.com/iot/wp-content/uploads/2019/12/IoT.05-v1-IoT-Security-Applet-Interface-Description.pdf).`

			`The client and server routines alternate their execution in a single-threaded,`
			`cooperative loop.`

			`Client and server communicate to each other using memory buffers to establish a`
			`TLS session without the use of TCP/IP sockets.`

			`### IoT-Safe interface`

			`In this example, the client is the IoT-safe capable endpoint. First, it creates`
			a wolfSSL context `cli_ctx` normally:

			```c
			`wolfSSL_CTX_iotsafe_enable(cli_ctx);`
			```

			`In order to activate IoT-safe support in this context, the following function is`
			`called:`

			```c
			`printf("Client: Enabling IoT Safe in CTX\n");`
			`wolfSSL_CTX_iotsafe_enable(cli_ctx);`
			```


			`Additionally, after the SSL session creation, shown below:`

			```c
			`printf("Creating new SSL\n");`
			`cli_ssl = wolfSSL_new(cli_ctx);`
			```

			`the client associates the pre-provisioned keys and the available slots in the`
			`IoT safe applet to the current session:`


			```c
			`wolfSSL_iotsafe_on(cli_ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_ID);`
			```

			`The applet that has been tested with this demo has the current configuration:`

			`Key slot \| Name \| Description`
			`-------\|--------\|------------------`
			0x02 \| `PRIVKEY_ID` \| pre-provisioned with client ECC key
			0x03 \| `ECDH_KEYPAIR_ID` \| can store a keypair generated in the applet, used for shared key derivation
			0x04 \| `PEER_PUBKEY_ID` \| used to store the server's public key for key derivation
			0x05 \| `PEER_CERT_ID` \| used to store the server's public key to authenticate the peer


			`The following file is used to read the client's certificate:`

			`File Slot \| Name \| Description`
			`----------\|------\|------------`
			0x03 \| `CRT_FILE_ID` \| pre-provisioned with client certificate


			`### Compiling and running`

			`From this directory, run 'make', then use your favorite flash programming`
			software to upload the firmware `image.bin` to the target board.

			1) Using the STM32CubeProgrammer open the `image.elf` and program to flash.
			`2) Using ST-Link virtual serial port connect at 115220`
			`3) Hit reset button.`
			`4) The output should look similar to below:`

			```
			`wolfSSL IoT-SAFE demo`
			`Press a key to continue...`
			`.`
			`Initializing modem...`
			`Modem booting...`
			`Modem is on.`
			`System up and running`
			`Initializing wolfSSL...`
			`Initializing modem port`
			`Turning on VDDIO2`
			`Initializing IoTSafe I/O...`
			`Initializing RNG...`
			`Getting RND...`
			`Random bytes: 08ECF538192218569876EAB9D690306C`
			`Starting memory-tls test...`
			`=== SERVER step 0 ===`
			`Setting TLSv1.3 for SECP256R1 key share`
			`=== CLIENT step 0 ===`
			`Client: Creating new CTX`
			`Client: Enabling IoT Safe in CTX`
			`Loading CA`
			`Loaded Server certificate from IoT-Safe, size = 676`
			`Server certificate successfully imported.`
			`Loaded Client certificate from IoT-Safe, size = 867`
			`Client certificate successfully imported.`
			`Creating new SSL object`
			`Setting TLS options: turn on IoT-safe for this socket`
			`Setting TLSv1.3 for SECP256R1 key share`
			`Connecting to server...`
			`=== Cli->Srv: 162`
			`=== SERVER step 1 ===`
			`=== Srv RX: 5`
			`=== Srv RX: 157`
			`=== Srv-Cli: 128`
			`=== Srv-Cli: 28`
			`=== Srv-Cli: 43`
			`=== Srv-Cli: 712`
			`=== Srv-Cli: 100`
			`=== Srv-Cli: 58`
			`=== CLIENT step 1 ===`
			`Connecting to server...`
			`=== Cli RX: 5`
			`=== Cli RX: 123`
			`=== Cli RX: 5`
			`=== Cli RX: 23`
			`=== Cli RX: 5`
			`=== Cli RX: 38`
			`=== Cli RX: 5`
			`=== Cli RX: 707`
			`=== Cli RX: 5`
			`=== Cli RX: 95`
			`=== Cli RX: 5`
			`=== Cli RX: 53`
			`=== Cli->Srv: 902`
			`=== Cli->Srv: 101`
			`=== Cli->Srv: 58`
			`Client connected!`
			`Sending message: hello iot-safe wolfSSL`
			`=== Cli->Srv: 44`
			`wolfSSL client test success!`
			`=== SERVER step 1 ===`
			`=== Srv RX: 5`
			`=== Srv RX: 897`
			`=== Srv RX: 5`
			`=== Srv RX: 96`
			`=== Srv RX: 5`
			`=== Srv RX: 53`
			`wolfSSL accept success!`
			`=== Srv RX: 5`
			`=== Srv RX: 39`
			`++++++ Server received msg from client: 'hello iot-safe wolfSSL'`
			`IoT-Safe TEST SUCCESSFUL`
			```

			`## Support`

			`For questions please email support@wolfssl.com`