Topic: [SOLVED] adding my own certificates

Hello,
I'm trying to add my certificates to the wolfssl_client example in Espressif
https://github.com/wolfSSL/wolfssl/tree … ssl_client
however, I can't get them (ca, crt, key) to load...

For example, I've tried to add my PEM-formatted CA certificate with the help of this API:

wolfSSL_CTX_load_verify_buffer() as follows:
.
.
.
    static const char* ca_cert_der_2048_test =
    "-----BEGIN CERTIFICATE-----\n"
  .
  .
    "-----END CERTIFICATE-----";
.
.

wolfSSL_CTX_load_verify_buffer(ctx, (const byte*)ca_cert_der_2048_test,
            sizeof(ca_cert_der_2048_test), WOLFSSL_FILETYPE_PEM)


OR with this API:

wolfSSL_CTX_load_verify_locations() as follows:
.
.
.
wolfSSL_CTX_load_verify_locations(ctx, "./ca.pem",  NULL)
.
.
.

Any ideas to do it right and add my own certificates to this example?

P.S. see the attachment for the .c file
thanks,

Post's attachments

client-tls.c 15.55 kb, 8 downloads since 2019-04-18 

Re: [SOLVED] adding my own certificates

Hi m0ot,

I couldn't find anything immediately wrong with the certificate or your code after a first glance, except for one thing - when you're passing the buffer to wolfSSL_CTX_load_verify_buffer, you should be passing the length of the buffer instead of the size of the pointer variable. When performing sizeof calls, if you pass a pointer variable like that it'll only return the size of the pointer and not the size of the buffer the pointer is referring to.

If changing this doesn't resolve your issue, then it may help debug the issue if you enable wolfSSL debugging, and share the error codes that are being encountered when you are attempting to use the modified example.


3 (edited by m0ot 2019-04-19 07:03:04)

Re: [SOLVED] adding my own certificates

Now, I've just tried other ways and I still have the problem...
With the function wolfSSL_CTX_load_verify_buffer() I did the same as in the example.
With the help of the xxd tool in Ubuntu, I was able to convert the CA certificate to hex exactly like in certs_test.h and then I tried to load it as follows:

if ((ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_hex_der_2048,
        sizeof_ca_hex_der_2048, WOLFSSL_FILETYPE_ASN1)) != SSL_SUCCESS) {
    ESP_LOGE(TAG, "ERROR: failed to load %d, please check the file.\n", ret);
}

But after flashing the code on the board, the certificate can't be loaded and I get the error (ERROR: failed to load %d, please check the file), where the error number is -162 or -150.

I'm not sure how wolfSSL converted its DER certificates to hex like in certs_test.h, but if the way I used is correct then it's supposed to work, or not?


Re: [SOLVED] adding my own certificates

Hi m0ot,

-150 = ASN_BEFORE_DATE_E, meaning the certificate is issued for some date in the future. Since this is unlikely to be true if you look at the date range and a current clock, you might check that the clock on the device is set correctly. For example, if your device's internal clock is set to the year 1995 and the certificate was issued for some date in 2019 to some date in 2029, then you would see ASN_BEFORE_DATE_E.

-162 = ASN_NO_PEM_HEADER, which means you passed WOLFSSL_FILETYPE_PEM instead of WOLFSSL_FILETYPE_ASN1 for a DER-formatted certificate, OR the PEM certificate was missing the PEM header.

Warm Regards,

K
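The three things this thread stumbled over (passing sizeof() of a pointer as the buffer length, passing a DER blob with the wrong WOLFSSL_FILETYPE_* so the loader reports ASN_NO_PEM_HEADER, and a device clock that makes a valid certificate look not-yet-valid, ASN_BEFORE_DATE_E) can all be caught before calling wolfSSL_CTX_load_verify_buffer(). The pre-flight check below is an added example written for this page; it is not code from the wolfSSL project or from the original poster. The sample PEM text and DER bytes are constructed placeholders, not real certificates; the WOLFSSL_FILETYPE_* values are mirrored from wolfssl/ssl.h only so the file builds without wolfSSL; and the 2019-01-01 "clock is set" cutoff is an assumption you should replace with your firmware's build date.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Same values as wolfssl/ssl.h; defined here only so this example builds
 * without wolfSSL. Remove them when compiling against the real headers. */
#ifndef WOLFSSL_FILETYPE_PEM
#define WOLFSSL_FILETYPE_PEM  1
#endif
#ifndef WOLFSSL_FILETYPE_ASN1
#define WOLFSSL_FILETYPE_ASN1 2
#endif

/* Assumption: anything earlier than 2019-01-01T00:00:00Z means the clock was
 * never set (an ESP32 without SNTP boots near the epoch). Use your build date. */
#define MIN_PLAUSIBLE_TIME ((time_t)1546300800L)

enum {
    PREFLIGHT_OK            =  0,
    PREFLIGHT_BAD_LEN       = -1,  /* length looks like sizeof(pointer)        */
    PREFLIGHT_TYPE_MISMATCH = -2,  /* PEM/DER content vs. filetype disagree    */
    PREFLIGHT_CLOCK_UNSET   = -3   /* device time would trip ASN_BEFORE_DATE_E */
};

/* Constructed sample inputs (not real certificates). The DER bytes are a
 * plausible prefix: outer SEQUENCE, tbsCertificate SEQUENCE, [0] version, serial. */
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBAAAA\n"
    "-----END CERTIFICATE-----\n";
static const unsigned char sample_der[] = {
    0x30, 0x82, 0x03, 0x4a, 0x30, 0x82, 0x02, 0x32,
    0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01
};

/* The length wolfSSL wants for a NUL-terminated PEM string: the text without
 * the terminator. sizeof(array) counts the NUL; sizeof(pointer) is 4 or 8. */
size_t pem_len(const char* pem) { return strlen(pem); }

/* wolfSSL searches for the "-----BEGIN " header inside the buffer, so do the
 * same rather than requiring it at offset 0 (comment lines may precede it). */
static int has_pem_header(const unsigned char* buf, size_t len)
{
    static const char hdr[] = "-----BEGIN ";
    const size_t n = sizeof(hdr) - 1;
    size_t i;
    for (i = 0; i + n <= len; i++)
        if (memcmp(buf + i, hdr, n) == 0) return 1;
    return 0;
}

/* Returns the WOLFSSL_FILETYPE_* that matches the buffer, or 0 if neither:
 * a PEM header anywhere means PEM; a leading 0x30 (ASN.1 SEQUENCE) means DER. */
int guess_filetype(const unsigned char* buf, size_t len)
{
    if (has_pem_header(buf, len)) return WOLFSSL_FILETYPE_PEM;
    if (len >= 2 && buf[0] == 0x30) return WOLFSSL_FILETYPE_ASN1;
    return 0;
}

int clock_is_set(time_t now) { return now >= MIN_PLAUSIBLE_TIME; }

/* Run this before wolfSSL_CTX_load_verify_buffer(ctx, buf, len, filetype). */
int preflight(const unsigned char* buf, size_t len, int filetype, time_t now)
{
    int guessed;
    /* A certificate is never this small; a length of 4 or 8 is sizeof(ptr). */
    if (len <= sizeof(void*)) return PREFLIGHT_BAD_LEN;
    guessed = guess_filetype(buf, len);
    if (guessed == 0 || guessed != filetype) return PREFLIGHT_TYPE_MISMATCH;
    if (!clock_is_set(now)) return PREFLIGHT_CLOCK_UNSET;
    return PREFLIGHT_OK;
}

int main(void)
{
    const char* pem_ptr = sample_pem;           /* the pointer from the thread */
    time_t now = time(NULL);
    printf("sizeof(pointer) as length : %d\n",
           preflight((const unsigned char*)pem_ptr, sizeof(pem_ptr), WOLFSSL_FILETYPE_PEM, now));
    printf("strlen() as length        : %d\n",
           preflight((const unsigned char*)pem_ptr, pem_len(pem_ptr), WOLFSSL_FILETYPE_PEM, now));
    printf("DER passed as PEM         : %d\n",
           preflight(sample_der, sizeof(sample_der), WOLFSSL_FILETYPE_PEM, now));
    printf("DER passed as ASN1        : %d\n",
           preflight(sample_der, sizeof(sample_der), WOLFSSL_FILETYPE_ASN1, now));
    return 0;
}
```

On the ESP32 the practical order is: bring up SNTP (or set the RTC) first, run the pre-flight, and only then load the CA; a clock-unset result means every certificate will fail with ASN_BEFORE_DATE_E no matter how it is encoded.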

Re: [SOLVED] adding my own certificates

Hi @Kaleb,

thanks a lot for your answer. You just helped me a lot by telling me what the -150 error means! By updating the time on the board, the certificates could be loaded successfully.

Best regards,


Re: [SOLVED] adding my own certificates

@m0ot,

That is good news! Thank you for the status update.

Regards,

K