wolfSSL Cisco libest Port
With wolfSSL 4.6.0, the cisco/libest EST library has been ported to work with wolfSSL. The Enrollment over Secure Transport (EST) protocol defines “enrollment for clients using Certificate Management over CMS (CMC) [RFC5272] messages over a secure transport.” It uses TLS >1.1 and the Hypertext Transfer Protocol (HTTP) to facilitate secure and authenticated Public Key Infrastructure (PKI) Requests and Responses [RFC5272]. libest is a client and server EST implementation written in C.
To build wolfSSL 4.6.0 for libest:
./configure --enable-libest
make
make install
To obtain a copy of libest that is compatible with wolfSSL, please contact us at support@wolfssl.com.
Once you have a wolfSSL compatible version of libest, to build the library:
./autogen.sh
./configure --enable-wolfssl
make
make install
To run the tests in test/UT, configure wolfSSL instead with:
./configure --enable-libest --enable-dsa --enable-oldtls --enable-tlsv10 --enable-sslv3
The porting of libest to wolfSSL has greatly expanded the OpenSSL compatibility layer. Many new APIs were introduced and existing ones have been updated. Additionally, Certificate Signing Request (CSR) generation and parsing have been expanded to meet the needs of the libest library. Some of the new changes include:
Parsing a CSR to be used for certificate generation
Parsing and generating a limited number of supported CSR attributes
Parsing configuration files using NCONF APIs
Retrieving the local and peer finished message contents
Creating and parsing text databases using the TXT_DB API
New OpenSSL compatibility layer functions implemented:
  ASN1_get_object d2i_ASN1_OBJECT c2i_ASN1_OBJECT
  BIO_new_fd BIO_snprintf
  BUF_strdup BUF_strlcpy BUF_strlcat
  sk_CONF_VALUE_new sk_CONF_VALUE_free sk_CONF_VALUE_pop_free sk_CONF_VALUE_num sk_CONF_VALUE_value
  lh_CONF_VALUE_retrieve lh_CONF_VALUE_insert
  NCONF_new NCONF_free NCONF_get_string NCONF_get_section NCONF_get_number NCONF_load
  CONF_modules_load _CONF_new_section _CONF_get_section X509V3_conf_free
  EVP_PKEY_copy_parameters EVP_PKEY_get_default_digest_nid EVP_PKEY_CTX_ctrl_str
  IMPLEMENT_LHASH_HASH_FN IMPLEMENT_LHASH_COMP_FN LHASH_HASH_FN LHASH_COMP_FN lh_strhash
  PKCS12_verify_mac i2d_PKCS7_bio
  SSL_get_finished SSL_get_peer_finished
  X509_get_ext_by_OBJ i2d_X509_REQ_bio d2i_X509_REQ_bio PEM_read_bio_X509_REQ d2i_X509_REQ
  X509_REQ_sign_ctx X509_REQ_add1_attr_by_NID X509_REQ_add1_attr_by_txt X509_REQ_get_attr_by_NID X509_REQ_get_attr X509_ATTRIBUTE_get0_type
  X509_to_X509_REQ X509_get0_extensions X509_get_extensions X509_REQ_get_extensions X509_REQ_get_subject_name X509_REQ_get_pubkey X509_REQ_set_version
  X509_sign_ctx X509_REQ_print X509_print_fp X509_REQ_print_fp X509_signature_print X509_get0_signature
  X509_verify X509_REQ_verify X509_REQ_check_private_key X509_delete_ext
  sk_X509_INFO_shift X509_NAME_delete_entry X509_NAME_print_ex_fp X509_STORE_CTX_get0_parent_ctx X509_REQ_get_X509_PUBKEY
  BIO_new_connect BIO_set_conn_port BIO_do_connect
  ASN1_TIME_new ASN1_UTCTIME_new ASN1_UTCTIME_free ASN1_TIME_set ASN1_TIME_set_string ASN1_TIME_to_string
  a2i_ASN1_INTEGER ASN1_STRING_new ASN1_STRING_free ASN1_STRING_cmp ASN1_UNIVERSALSTRING_to_string
  DHparams_dup OPENSSL_cleanse
  sk_OPENSSL_STRING_num sk_OPENSSL_PSTRING_num sk_OPENSSL_PSTRING_value sk_OPENSSL_STRING_free
  SSL_CTX_set_srp_strength SSL_get_srp_username
  TXT_DB_read TXT_DB_write TXT_DB_insert TXT_DB_free TXT_DB_create_index TXT_DB_get_by_index
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
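To show what the CSR attribute parsing listed above involves at the DER level, here is an added example (not wolfSSL or libest code): a strict ASN1_get_object-style header reader, used to extract the challengePassword attribute that an EST server checks during enrollment. The OID, the `csr_get_challenge_password` helper and the sample attribute bytes are constructed for this illustration; in the real compatibility layer this is the job of X509_REQ_get_attr_by_NID.

```c
/* Added example (not wolfSSL or libest code): a strict DER reader in the spirit of
 * ASN1_get_object(), used to pull challengePassword out of a PKCS#10 attributes block. */
#include <stdint.h>
#include <string.h>
/* Decode one DER identifier+length header. Returns the header length, or 0 when the
 * encoding is not valid DER or the content would run past the buffer. */
static size_t der_get_object(const uint8_t *p, size_t avail, int *tag, size_t *len)
{
    size_t i = 2, l = avail > 1 ? p[1] : 0, n = l & 0x7F;
    if (avail < 2 || (p[0] & 0x1F) == 0x1F) return 0;  /* high tag numbers: unused in PKCS#10 */
    *tag = p[0];
    if (l >= 0x80) {                                    /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > avail - 2) return 0;
        for (l = 0; n; n--) l = (l << 8) | p[i++];
        if (l < 0x80) return 0;                         /* DER requires the minimal length form */
    }
    if (l > avail - i) return 0;                        /* content would run past the buffer */
    *len = l;
    return i;
}
static const uint8_t OID_CHALLENGE_PASSWORD[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07};
/* Walk the attributes ([0] IMPLICIT SET OF Attribute) and copy the challengePassword
 * string into out. Returns its length, 0 if absent, -1 if malformed or out is too small. */
int csr_get_challenge_password(const uint8_t *a, size_t n, char *out, size_t outsz)
{
    int tag; size_t hl, len, end, i, j, ahl, alen, ohl, olen, shl, slen, vhl, vlen;
    hl = der_get_object(a, n, &tag, &len);
    if (!hl || tag != 0xA0) return -1;                  /* expect [0] constructed */
    for (i = hl, end = hl + len; i < end; i += ahl + alen) {
        ahl = der_get_object(a + i, end - i, &tag, &alen);  /* Attribute ::= SEQUENCE */
        if (!ahl || tag != 0x30) return -1;
        j = i + ahl;
        ohl = der_get_object(a + j, end - j, &tag, &olen);  /* type OBJECT IDENTIFIER */
        if (!ohl || tag != 0x06) return -1;
        if (olen != sizeof OID_CHALLENGE_PASSWORD ||
            memcmp(a + j + ohl, OID_CHALLENGE_PASSWORD, olen) != 0) continue;
        j += ohl + olen;                                    /* values SET OF follows */
        if (!(shl = der_get_object(a + j, end - j, &tag, &slen)) || tag != 0x31) return -1;
        j += shl;
        vhl = der_get_object(a + j, end - j, &tag, &vlen);  /* UTF8String or PrintableString */
        if (!vhl || (tag != 0x0C && tag != 0x13) || vlen + 1 > outsz) return -1;
        memcpy(out, a + j + vhl, vlen); out[vlen] = '\0';
        return (int)vlen;
    }
    return 0;
}
/* Constructed sample: an empty extensionRequest, then challengePassword "s3cret". */
const uint8_t SAMPLE_ATTRS[] = {
    0xA0,0x28, 0x30,0x0F,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,0x31,0x02,0x30,0x00,
    0x30,0x15,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,0x31,0x08,0x0C,0x06,'s','3','c','r','e','t'};
```

Every length is checked against the enclosing container before it is used, so a truncated or non-minimal encoding is rejected rather than read past the buffer.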