1 (edited by jspaith 2017-07-17 14:45:58)

Topic: [SOLVED] Parsing error on wolfSSL_use_certificate_buffer() cert

Hi - I'm a developer in Microsoft on Azure IOT C SDK client.  We want to make sure that our customers using Wolf SSL have a 1st class experience.

I'm having problems with WolfSSL ingesting one of our test certs during wolfSSL_use_certificate_buffer(…SSL_FILETYPE_PEM) call.  The cert is at bottom of this post.  I'm on Wolf 3.11.0 running against Windows 10.

This same cert works fine in our Schannel and OpenSSL tests and examining cert with openssl command line (bash -c "openssl x509 -in $fileName -noout -text") it seems OK (though it has a negative Serial number if that matters?)

The cert seems to be decoded to PEM fine, but during the call to GetSerialNumber() and GetASNInt(), we end up failing the "else if ((input[*inOutIdx] & 0x80) == 0x80)" call

In GetASNInt
0:000:x86> db @@c++(input) L@@c++(*len)
0004636c  30 82 03 36 30 82 02 22-a0 03 02 01 02 02 10 9e  0..60.."........
0:000:x86> ?? *inOutIdx
unsigned int 0xf
0:000:x86> ?? input[*inOutIdx]
unsigned char 0x9e ''

    if (wolfSSL_use_certificate_buffer(ssl, (unsigned char*)x509certificate, strlen(x509certificate), SSL_FILETYPE_PEM) != SSL_SUCCESS)

static const char* x509certificate =
"-----BEGIN CERTIFICATE-----""\n"
"MIIDNjCCAiKgAwIBAgIQnh0H2+qMlJxINswnu9KVITAJBgUrDgMCHQUAMCkxJzAl""\n"
"BgNVBAMTHkF6dXJlIElvVCBUZXN0IEludGVybWVkaWF0ZSBDQTAeFw0xNzAxMDEw""\n"
"NzAwMDBaFw0xOTEyMzEwNzAwMDBaMBcxFTATBgNVBAMTDElvVERldmljZUlkMDCC""\n"
"ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKc/+TseO8j+7FHdd8HwYpbr""\n"
"54/2Jhj7EqOlCboPtDhI7Sienm6gv/kAKOQDA3sgoMDTQyO/lTWHlsU3m5sD7/NM""\n"
"p56XFyoqLZt89O9kTKYQC7OyLQ8c92vSEHF8Du5m+md0P3VcL+YuFOSwywuB4wx2""\n"
"gGLRERwVFATnwessHVhUYpkVlN2DERU3FD7iUIPPi7xW068Bt8jUA+O+KgqMwlGX""\n"
"11YaY7GbS2pKe2gt7gInkqNUMmTkzIRiO+hMjbT1SH9r7Te8jVlro7VrSb4ASbu6""\n"
"R/rKlcLsy72FagPit9or0tjGj/5EP1vaeoT4VwnqJK+eVa3R5r0Za+CpezVG500C""\n"
"AwEAAaN0MHIwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjBNBgNV""\n"
"HQEERjBEgBC1YpZVm6ZnEjTezyoDYhdCoR4wHDEaMBgGA1UEAxMRQXp1cmUgSW9U""\n"
"IFRlc3QgQ0GCENaiBN+tENWlTiTtmVbFH8AwCQYFKw4DAh0FAAOCAQEAWfdX+M0l""\n"
"1HEIcPNaSiqm2/ktTyT+ZIX+SFTjF5cxVTKNoatQNW1mNKCBzx2aED8E6oPJi+bk""\n"
"0rPHp0Itrgm/VXKDxlv6NhRqoS7romeqXf1Mbko5zYFaSNjrUDc4GGJVv6ATi/cx""\n"
"/C3aDsKOMRwSdeI5+yDHmh5roapqoVdlKvwA+OPQ34XARptu2hgrzTz7KOxK4/dw""\n"
"YE4DFBfYVefPzsbjngi3TsqXCEasF8yt93nx+aS2ipGO0d4LMgfaC6B/bKr+riWo""\n"
"iAcsiUfXl8PSx4orspOqKqMo3yf7prQXkROxF5uGyn3cREZ7N1DtTJBv7ouyekcU""\n"
"1/5mIMxjQ57xBg==""\n"
"-----END CERTIFICATE-----""\n";

This is what openssl call (via custom PowerShell helper) looks like

Get-CertificateInfo .\IoTDeviceIdLeafOnly.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
             (Negative)61:e2:f8:24:15:73:6b:63:b7:c9:33:d8:44:2d:6a:df
    Signature Algorithm: sha1WithRSA
        Issuer: CN=Azure IoT Test Intermediate CA
        Validity
            Not Before: Jan  1 07:00:00 2017 GMT
            Not After : Dec 31 07:00:00 2019 GMT
        Subject: CN=IoTDeviceId0
[etc...]  

Share

Re: [SOLVED] Parsing error on wolfSSL_use_certificate_buffer() cert

Hi jspaith,

Thank you so much for using the wolfSSL forums. I understand you are having difficulties processing a certificate with a negative value in the serial number. Could you tell us a little about that certificate, how it was created, is it being used in the wild?

wolfSSL strictly adheres to the standards in order to provide our customers with the best security available on the market.

(though it has a negative Serial number if that matters?)

Unfortunately in your case this DOES matter. If you notice in RFC 5280 found here (https://www.ietf.org/rfc/rfc5280.txt) Section 4.1.2.2 is very explicit:

4.1.2.2.  Serial Number

   The serial number MUST be a positive integer assigned by the CA to
   each certificate.  It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique
   certificate).  CAs MUST force the serialNumber to be a non-negative
   integer.

The key word "MUST" in an RFC Spec is never to be interpreted as an optional feature for best security practices. Furthermore the RFC uses both terms, POSITIVE and NON-NEGATIVE, leaving no room for interpretation! I am surprised the other implementations you noted chose to ignore this.

Please let us know if this addresses your question wholly.


Our Sincerest Regards,

The wolfSSL Team and Kaleb

Re: [SOLVED] Parsing error on wolfSSL_use_certificate_buffer() cert

Kaleb - Thank you very much for your prompt reply.

The cert in question was an internal testing cert fortunately and not in production.

It turns out we were using a deprecated cert generation tool to construct it.  Fortunately we've already moved to a newer toolset, and I've let owners know this is yet another reason to leave the old behind.

Thanks again!
John Spaith

Share

Re: [SOLVED] Parsing error on wolfSSL_use_certificate_buffer() cert

Hi jspaith,

No problem, it is my privilege to be able to answer your question. Let us know if anything else comes up in your testing!


Warm Regards,

Kaleb