Topic: Not able to parse certificate using ParseCert()

I am using cyassl-2.0.0rc1 for parsing the certificate and extracting some of the info, such as the Subject common name.
This was working fine for many certificates. But for one particular certificate I am not able to parse it.
I have tried using cyassl-2.0.0rc2 but the result is the same.

Using openssl I am able to extract the certificate details easily using,
root@test:/tmp# openssl x509 -text -inform DER -in certbuf1
Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: -1204724928 (-0x47cea4c0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=Gujarat, L=Ahmedabad, O=Elitecore, OU=Cyberoam Certificate Authority, CN=Cyberoam SSL CA/emailAddress=support@elitecore.com
        Validity
            Not Before: May 17 12:16:00 2010 GMT
            Not After : May 17 12:46:00 2012 GMT
        Subject: C=IN, L=New Delhi/1.3.6.1.4.1.311.60.2.1.3=IN, O=Directorate of Income Tax (Systems)/2.5.4.15=V1.0, Clause 5.(c), OU=DIRECTORATE OF INCOME TAX SYSTEMS/serialNumber=01-04-1962, CN=incometaxindiaefiling.gov.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption



Below is the program with which I am trying to parse the certificate over wolfSSL. Also I am attaching the certificate.
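#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include "ctc_asn.h"

int main(void)
{
        byte tmp[2048];
        size_t bytes;
        DecodedCert cert;
        int ret;

        /* DER is binary data, so open the file in binary mode */
        FILE *file = fopen("certbuf1", "rb");
        if (file == NULL) {
                perror("fopen");
                return 1;
        }

        bytes = fread(tmp, 1, sizeof(tmp), file);
        fclose(file);
        if (bytes == 0) {
                fprintf(stderr, "certbuf1 is empty or unreadable\n");
                return 1;
        }

        /* pass the buffer itself, not the address of the array */
        InitDecodedCert(&cert, tmp, 0);

        /* NO_VERIFY: only decode the fields, do not check the signature */
        ret = ParseCert(&cert, (word32)bytes, CERT_TYPE, NO_VERIFY, 0);
        printf("ParseCert returned %d\n", ret);
        if (ret != 0) {
                FreeDecodedCert(&cert);
                return -48;
        }

        printf("ret OK\n");
        FreeDecodedCert(&cert);

        return 0;
}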

root@test:/tmp# ./certtest
ParseCert returned -140


By looking at the code 'ctaocrypt/src/asn.c', I am getting the problem in the function "DecodeToKey".
Traversing the code, I found that the line 'GetName(cert, SUBJECT)' is returning ASN_PARSE_E, for which 'GetSet' is returning the error.

With openssl, using a call to d2i_X509() I am able to extract certificate info perfectly. I cannot use openssl now for this purpose. Could anyone direct me to where the problem is?


Thanks & Regards,
Nrupen

Post's attachments

parsecerterror.tar 10 kb, 2 downloads since 2011-08-01 


Re: Not able to parse certificate using ParseCert()

Hi Nrupen,

It looks like the common name of the subject lacks a set header in your certificate.  In our initial interpretation of the X509 standard, we believed that the set header was required.  As such, wolfSSL returned an error.

We have checked in a patch to our GitHub repository that gives a warning if a certificate name lacks a set header, then continues execution for better OpenSSL compatibility.  Please take a look at the patch, here: https://github.com/cyassl/cyassl/commit … 7d53a812ea.

What kind of project are you working on?

Regards,
Chris
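
The condition described in the reply above, as an added example (not part of the thread and not CyaSSL's code): an X.509 Name is a SEQUENCE of RelativeDistinguishedNames, each of which is a SET (tag 0x31) of attribute SEQUENCEs (tag 0x30), so a strict parser fails on an RDN that starts with 0x30. The hypothetical helper `count_rdns_without_set` walks a constructed Name and counts such entries, which lets a lenient parser log how often it is tolerating the deviation.

```c
#include <stdio.h>

/* Read a DER tag+length at buf[*pos] and advance *pos to the content.
 * Returns -1 on truncation or a length field longer than two bytes. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen)
{
    size_t p = *pos, n, k;
    if (p > len || len - p < 2) return -1;
    *tag = buf[p++];
    n = buf[p++];
    if (n & 0x80) {                          /* long-form length */
        if ((k = n & 0x7f) == 0 || k > 2 || len - p < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | buf[p++];
    }
    if (n > len - p) return -1;              /* content must fit the buffer */
    *clen = n; *pos = p;
    return 0;
}

/* Walk a DER Name (SEQUENCE OF RDN). Returns how many RDNs lack the SET
 * (0x31) header, or -1 if malformed; *total receives the RDN count. */
int count_rdns_without_set(const unsigned char *name, size_t len, int *total)
{
    unsigned char tag;
    size_t pos = 0, clen, end;
    int missing = 0;
    *total = 0;
    if (der_header(name, len, &pos, &tag, &clen) || tag != 0x30) return -1;
    end = pos + clen;
    while (pos < end) {
        if (der_header(name, end, &pos, &tag, &clen)) return -1;
        if (tag == 0x30) missing++;          /* bare AttributeTypeAndValue */
        else if (tag != 0x31) return -1;     /* neither SET nor SEQUENCE */
        pos += clen; (*total)++;             /* skip this RDN's content */
    }
    return missing;
}

/* Constructed sample: C=IN inside a SET, CN=test with the SET omitted. */
const unsigned char SAMPLE_NAME[] = { 0x30, 0x1a,
    0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'I', 'N',
    0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 't', 'e', 's', 't' };

int main(void)
{
    int total, missing = count_rdns_without_set(SAMPLE_NAME, sizeof SAMPLE_NAME, &total);
    printf("%d of %d RDNs lack a SET header\n", missing, total);
    return missing < 0;
}
```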

Re: Not able to parse certificate using ParseCert()

Hi Chris,

Your solution works perfectly.

Well, the certificate that I sent you was generated by one of the CAs, which dynamically generates and signs the SSL certificate for the remote HTTPS server. Actually, it does the HTTPS scanning with a 'Trusted man in the middle' sort of approach.

In my case I was just parsing the HTTPS server cert and doing the logging of the HTTPS traffic. I am working on OpenWrt-based systems. I am using wolfSSL as a replacement for openssl, for the obvious reason of size, and most of my embedded SSL needs are satisfied with that. I am just concerned about the performance w.r.t. openssl, as I have not done profiling on that.

Again, thanks for the quick fix.

Regards,
Nrupen
