Topic: [SOLVED] loading buffer failing when time not set

Hello,

I'm trying to use the function wolfSSL_CTX_load_verify_buffer, but I did not understand how I should format the certificate in order for it to be acceptable to this function.

According to the online API documentation, I understand that I can choose from ASN1 or PEM format. However, the examples I find use DER format.

I think I should use der format and write the der format like this:

static const unsigned char ca_cert_der_2048[] =
{
    0x30, 0x82, 0x04, 0xE0, 0x30, 0x82, 0x03, 0xC8, 0xA0, 0x03,
    0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49,
.....

Is this correct?

If so, which flag should I use in the loading command? SSL_FILETYPE_PEM ?

Kind Regards

Peter
PS. By the way, I have both PEM and DER format, maybe I should write like this to use PEM:
const unsigned char caCertificate_root[] = "-----BEGIN CERTIFICATE-----MIIFazCCA...."
or?
DS


2 (edited by Kaleb J. Himes 2018-10-30 12:44:42)

Re: [SOLVED] loading buffer failing when time not set

Hi Peter,

Thanks for using the wolfSSL forums!

I'll assume for now that you have defined "USE_CERTIFICATE_BUFFERS_2048" since you have ca_cert_der_2048 above.

ASN1 = DER = RAW (These terms can all be used interchangeably). ASN1 is just ASN1 encoding or RAW format encoding.
If you open the certificate in a text editor and it looks like junk it is safe to assume it is ASN1 or RAW or DER format.

PEM = BASE64_Encoded. Any certificate that starts with the line "-----BEGIN CERTIFICATE-----" could safely be assumed to be BASE64_Encoded or in PEM format.

> I think I should use der format and write the der format like this:
> static const unsigned char ca_cert_der_2048[] =
> {
>     0x30, 0x82, 0x04, 0xE0, 0x30, 0x82, 0x03, 0xC8, 0xA0, 0x03,
>     0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49,
> .....
> Is this correct?
>
> If so, which flag should I use in the loading command? SSL_FILETYPE_PEM ?

That is correct. Please see the header file <wolfssl-root>/wolfssl/certs_test.h for other examples. You would use the flag SSL_FILETYPE_ASN1 for a der formatted certificate.

> PS. By the way, I have both PEM and DER format, maybe I should write like this to use PEM:
> const unsigned char caCertificate_root[] = "-----BEGIN CERTIFICATE-----MIIFazCCA...."
> or?

There is a perl script located here: <wolfssl-root>/gencertbuf.pl
That script is used to "generate certificate buffers" as indicated by the name. That script is what creates the header file <wolfssl-root>/wolfssl/certs_test.h. The script is agnostic (doesn't care if it is pem or der). Simply add one of the pem formatted certificates to the array:

@fileList_2048

and give it a new name like

my_test_pem_cert_2048

Run the perl script and see how the certificate was formatted by viewing the newly updated <wolfssl-root>/wolfssl/certs_test.h

Warm Regards,

Kaleb

Re: [SOLVED] loading buffer failing when time not set

ASN.1 includes several encoding standards (such as DER, BER, CER).
For certificates, people mostly select DER as the encoding standard. So, if your certificate is in DER format, you should set the parameter to SSL_FILETYPE_ASN1.

PEM format is base64-encoded data based on the ASN.1 format.

I suggest you read the related ITU documents for X.690.


Re: [SOLVED] loading buffer failing when time not set

Thank you for all help, it gave me hints to continue :-)

It turned out that the time was not set in my PIC32 device. I needed to make sure that a connection with the SNTP server was established before reading the certificate.

It took me some time to understand that the complete time.h has not been implemented by Microchip and that an SNTP server call is being made in pic32_time(time_t* timer).

Kind Regards

Peter
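The two points the thread settles, choosing SSL_FILETYPE_ASN1 versus SSL_FILETYPE_PEM for the buffer you hand to wolfSSL_CTX_load_verify_buffer and making sure the clock is set before the certificate's validity dates are checked, can both be turned into a small pre-flight check. The C below is an added example, not code from the thread or from wolfSSL itself: it inspects the buffer (PEM armour line versus the DER SEQUENCE header 0x30 0x82 ... that ca_cert_der_2048 starts with), verifies that the DER length field matches the byte count you are about to pass (which catches truncated pastes), and refuses to load when the system clock still reads near the epoch. The EX_FILETYPE_* constants mirror wolfSSL's WOLFSSL_FILETYPE_PEM (1) and WOLFSSL_FILETYPE_ASN1 (2) so the file builds without the library; the HAVE_WOLFSSL guard, the CLOCK_FLOOR value and the sample buffers are assumptions constructed for this example (the sample DER buffer is only TLV framing, not a real certificate).

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Local mirrors of wolfSSL's file-type values (WOLFSSL_FILETYPE_PEM = 1,
 * WOLFSSL_FILETYPE_ASN1 = 2; SSL_FILETYPE_* are the compatibility aliases).
 * Defined here so the example compiles without the wolfSSL headers. */
#define EX_FILETYPE_PEM      1
#define EX_FILETYPE_ASN1     2
#define EX_FILETYPE_UNKNOWN -1

/* Assumed floor for a "set" clock: 2018-01-01T00:00:00Z.  A device whose RTC
 * still reads 1970 will fail the certificate's notBefore check, which is what
 * the PIC32 problem in the thread came down to. */
#define CLOCK_FLOOR ((time_t)1514764800)

/* Return the total encoded length a DER SEQUENCE header claims (tag + length
 * octets + content), or -1 if the buffer does not start with a SEQUENCE. */
long der_declared_length(const unsigned char *buf, size_t len)
{
    size_t i, n;
    unsigned long content = 0;

    if (buf == NULL || len < 2 || buf[0] != 0x30)   /* 0x30 = SEQUENCE tag */
        return -1;
    if (buf[1] < 0x80)                               /* short-form length */
        return (long)(2 + buf[1]);
    n = buf[1] & 0x7F;                               /* long form: n length octets */
    if (n == 0 || n > 4 || len < 2 + n)
        return -1;
    for (i = 0; i < n; i++)
        content = (content << 8) | buf[2 + i];
    return (long)(2 + n + content);
}

/* Pick the file-type flag from the buffer contents.  PEM is recognised by its
 * armour line; DER is accepted only when the declared length equals the byte
 * count passed in, so a truncated or over-long buffer is rejected here rather
 * than as an opaque parse error inside the library. */
int detect_cert_filetype(const unsigned char *buf, size_t len)
{
    static const char pem_hdr[] = "-----BEGIN ";
    const size_t hdr_len = sizeof(pem_hdr) - 1;

    if (buf == NULL || len == 0)
        return EX_FILETYPE_UNKNOWN;
    if (len >= hdr_len && memcmp(buf, pem_hdr, hdr_len) == 0)
        return EX_FILETYPE_PEM;
    if (der_declared_length(buf, len) == (long)len)
        return EX_FILETYPE_ASN1;
    return EX_FILETYPE_UNKNOWN;
}

/* 1 if the clock is plausibly set, 0 if it still sits near the epoch. */
int clock_is_set(time_t now)
{
    return now >= CLOCK_FLOOR ? 1 : 0;
}

#ifdef HAVE_WOLFSSL   /* assumed build flag; only compiled with wolfSSL present */
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
int load_ca_checked(WOLFSSL_CTX *ctx, const unsigned char *buf, size_t len)
{
    int type = detect_cert_filetype(buf, len);
    if (type == EX_FILETYPE_UNKNOWN) return -1;      /* not PEM, not whole DER */
    if (!clock_is_set(time(NULL)))   return -2;      /* wait for SNTP first   */
    return wolfSSL_CTX_load_verify_buffer(ctx, buf, (long)len, type);
}
#endif

/* Constructed sample inputs (not real certificates). */
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\nMIIFazCCA...\n-----END CERTIFICATE-----\n";
static const unsigned char sample_der[] = {
    0x30, 0x82, 0x00, 0x05,        /* SEQUENCE, long-form length 5 */
    0x02, 0x01, 0x01, 0x05, 0x00   /* INTEGER 1, NULL */
};
/* The header shown in the thread, 0x30 0x82 0x04 0xE0, declares 0x04E0 = 1248
 * content bytes, so sizeof(ca_cert_der_2048) must be 1252 for it to load. */
static const unsigned char thread_hdr[] = { 0x30, 0x82, 0x04, 0xE0 };

int main(void)
{
    printf("pem  -> %d\n", detect_cert_filetype((const unsigned char *)sample_pem,
                                                 sizeof(sample_pem) - 1));
    printf("der  -> %d\n", detect_cert_filetype(sample_der, sizeof(sample_der)));
    printf("ca_cert_der_2048 expected size: %ld\n",
           der_declared_length(thread_hdr, sizeof(thread_hdr)));
    printf("clock set: %d\n", clock_is_set(time(NULL)));
    return 0;
}
```

For the PEM case pass the string length without the terminating NUL, as the sample does; for DER pass sizeof() of the byte array, which is exactly what the declared-length check compares against.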


Re: [SOLVED] loading buffer failing when time not set

Hi Peter,

Thanks for posting your findings so others may find it useful in the future.

Warm Regards,

Kaleb