Topic: Couldn't find PEM header in certificate

I am using an Apple developer certificate, but when I try to use it in the test program like this:
client -h gateway.sandbox.push.apple.com -p 2195 -v 0 -d -k devkeyslockhome.pem -c slockhomecerts.pem

I get these messages:

getting dynamic buffer
Wolfssl entering PemToDer
Growing Tmp Chain Buffer
Processing Cert Chain
wolfSSl entering PemToDer
Couldn't Find PEM header
  Error in Cert in Chain
wolfSSl error: can't load client cert file, check file and run from wolfSSL home dir

The certificate file is:

Bag Attributes
    friendlyName: Apple Development IOS Push Services: ca.innovax.slockhome
    localKeyID: B4 7A 23 DA DB 77 B7 FB FA 9E 48 1B 87 0B 53 B6 17 D3 F4 4E
subject=/UID=ca.innovax.slockhome/CN=Apple Development IOS Push Services: ca.innovax.slockhome/OU=AHJNDK3D2Q/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
MIIFjTCCBHWgAwIBAgIIF4P9IRlXiuowDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNV
………………………………..
………………………………..
GLyFqiUnB4rhd+UFkR0kNBcQAtqCmWNn/6/hQMxc4Rp1
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Will Hendrie Dev Key
    localKeyID: B4 7A 23 DA DB 77 B7 FB FA 9E 48 1B 87 0B 53 B6 17 D3 F4 4E
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvPIAgIQsorkc8obolg1t1g7ogAcy10Go+tlRlstNMNWR6qzb
ilc/DBMPpuAoUAe0uutQPVu41cl23IdgxQwo/7gWe2BmnKTfXSuhQkwLoq6jpc2a
………………………..
………………………..
Klyv3OzTr7Wc/sDAWo40+9N8a6TwjliQU1goleBtaS5SIDCqVaU=
-----END RSA PRIVATE KEY-----

What exactly is the PEM header and where should it be located?


2 (edited by Kaleb J. Himes 2016-10-17 13:17:19)

Re: Couldn't find PEM header in certificate

Hi Will,

Could you send me a copy of the slockhomecerts.pem so I can verify it is properly formatted? NOTICE: DO NOT SEND ME YOUR PRIVATE KEY, PLEASE.

What exactly is the PEM header and where should it be located?

This is the PEM header: "-----BEGIN CERTIFICATE-----"

This should be located immediately prior to the hex representation of the certificate.


Kind Regards,

Kaleb

Re: Couldn't find PEM header in certificate

Hi Kaleb:

This is the file slockhomecerts.pem with the private key removed. I noticed it is not in hexadecimal. Is that the problem?

Bag Attributes
    friendlyName: Apple Development IOS Push Services: ca.innovax.slockhome
    localKeyID: B4 7A 23 DA DB 77 B7 FB FA 9E 48 1B 87 0B 53 B6 17 D3 F4 4E
subject=/UID=ca.innovax.slockhome/CN=Apple Development IOS Push Services: ca.innovax.slockhome/OU=AHJNDK3D2Q/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Your comments and help are appreciated. Thanks.

Will


Re: Couldn't find PEM header in certificate

Hi Will,

Thank you so much for sending that, I believe I know what was happening.

Once I received the cert with the private key stripped out, there was nothing wrong with it whatsoever. Upon further exploration I wondered if having the private key in the file is what made the difference, so I put one of my private keys after the cert and sure enough I was able to reproduce your error. I tried parsing the cert with the key at the bottom using another TLS solution, and even though that solution was able to parse it, it simply ignored the key at the bottom of the file and never even acknowledged its presence.

As such I believe we may be able to modify our error message to be more informative if this occurs, but I believe to error out is a better solution so you don't accidentally send out a private key in a cert unintentionally.

We typically expect keys to be in key files and certs to be in cert files. I see you were already loading a key in (devkeyslockhome.pem); what is the difference between that key and the RSA private key contained in the cert before you removed it to send to me?

Is there a purpose for having that in the same file as the certificate?

I believe you will find that having removed the key from the cert everything should work as expected.


Kind Regards,

Kaleb
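The PEM layout Kaleb describes (the `-----BEGIN CERTIFICATE-----` header immediately before the encoded body) and the problem he diagnoses (a private key block sitting inside the cert file) can be checked mechanically. The following is an added Python example, not code from this thread or from wolfSSL: it scans a PEM bundle for BEGIN/END blocks, validates that each footer matches its header and that the body is valid base64, flags a private key inside a cert file, and splits the bundle into a cert-only and a key-only file. The sample bundle, its "Bag Attributes" lines and its payload bytes are constructed placeholders, not real certificate or key material.

```python
import base64
import re

# One PEM block: header label, base64 body, footer label (labels must agree).
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each block; text between blocks such as
    OpenSSL 'Bag Attributes' is skipped. Raises ValueError on a broken block."""
    blocks = []
    for m in _BLOCK.finditer(text):
        begin, body, end = m.groups()
        if begin != end:
            raise ValueError(f"footer {end!r} does not match header {begin!r}")
        # strict base64: any stray character raises (binascii.Error is a ValueError)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((begin, der))
    return blocks

def to_pem(label, der):
    """Re-emit one block with the conventional 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def split_bundle(text):
    """Split a combined file into (cert_pem, key_pem): certs only, keys only."""
    blocks = pem_blocks(text)
    certs = "".join(to_pem(l, d) for l, d in blocks if l == "CERTIFICATE")
    keys = "".join(to_pem(l, d) for l, d in blocks if l.endswith("PRIVATE KEY"))
    return certs, keys

def check_cert_file(text):
    """Problems a strict cert loader (such as wolfSSL's) would reject."""
    labels = [l for l, _ in pem_blocks(text)]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no -----BEGIN CERTIFICATE----- header found")
    if any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("private key block present in cert file")
    return problems

# Constructed sample shaped like the thread's p12 export: cert block, then RSA key block.
SAMPLE_BUNDLE = (
    "Bag Attributes\n    friendlyName: example push cert\nsubject=/CN=example\n"
    + to_pem("CERTIFICATE", b"placeholder certificate DER")
    + "Bag Attributes\n    friendlyName: example key\nKey Attributes: <No Attributes>\n"
    + to_pem("RSA PRIVATE KEY", b"placeholder private key DER")
)
```

Running `check_cert_file(SAMPLE_BUNDLE)` reports the embedded key; `split_bundle(SAMPLE_BUNDLE)` yields a cert file that passes the check and a separate key file to pass with `-k`.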

Re: Couldn't find PEM header in certificate

Hi Kaleb:

Thanks so much for analysing the file which I sent.

The key file (devkeyslockhome.pem) that I tried to load actually is the same as the certificate file. Strange but true. I did it this way because the certificate file contained the private key. Nothing else was working so I gave it a try.

You asked whether there is a purpose for having the key file in the same file as the certificate. The short answer is I don't know. When Apple issued the certificate, apparently it issued it with the private key attached to the certificate. I simply exported the certificate (which was in .p12 format) out of my Mac and converted it to a .PEM file. The private key came along as part of that process. Perhaps Apple has a reason for including the key in the certificate file, or perhaps the Mac export process added the private key to the certificate. I don't know.

I will strip out the private key, put it in a file, and try again.

Thank you.

All the best,

Will


Re: Couldn't find PEM header in certificate

Hi Kaleb:

I stripped out the private key and used it in a separate file. I got a long way with that. Seriously.

wolfSSL closed out with error -343: peer sent close notify.

I guessed that I didn't send any more data, so Apple closed me out and wolfSSL gave me a Zero_return.

Can you confirm that is what happened?


Thank you so much.

Will


Re: Couldn't find PEM header in certificate

Hi Will,

Yes, I believe you are correct here. The close notify signifies that nothing in particular went wrong with the connection, other than that the server decided it was going to shut down, knew in advance, and so sent a notification to the client that it was shutting down the session. This could be for a few reasons:

1. The server expected a specific bit of information that it never got, eventually timed out and terminated the session.
2. The server expected a specific bit of information and incorrect information was sent. Not a true error, but not a successful exchange either.
3. The server was being shutdown for an update and termination procedures ensued (not as likely).
4. May be others but the above three are the most common reasons to send a "close notify".

If something went wrong during the handshake or the server just died, you would likely see an "Alert Fatal Error" or a -308 "Error state on Socket".

If you have access to Wireshark, you might start it up, connect to the server again, capture the exchange, and filter the report on your IP address:

ip.addr==<your client ip>

and send us the trace. We could look at it more closely to determine if this is what happened or not.


Kind Regards,

Kaleb