1 (edited by subale255 2019-06-04 04:13:27)

Topic: [SOLVED] SSL: error:0906D06C:PEM_read_bio:no start line:Expecting:

hello all,

I am using the following code to generate a self-signed certificate, but I am getting the following error:
PEM_read_bio_X509_AUX("/cert/server.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
I have checked the certificate type, the file permissions and the header.


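EVP_PKEY *pk = NULL;
  WOLFSSL_X509 *newX509 = NULL;   /* set only after a successful d2i */
  Cert newCert = { 0 };
  WC_RNG rng = { 0 };
  ecc_key newKey = { 0 };
  byte *derBuf = NULL;            /* DER certificate: body from wc_MakeCert(), then signed */
  byte *derKeyBuf = NULL;         /* DER private key: secret material, wiped before release */
  byte *derKeyCursor = NULL;      /* cursor handed to d2i; derKeyBuf keeps the allocation */
  int derBufSz = 0;
  int derKeyBufSz = 0;
  int rngReady = 0;               /* 1 once wc_InitRng() succeeded, so wc_FreeRng() is valid */
  int keyReady = 0;               /* 1 once wc_ecc_init() succeeded, so wc_ecc_free() is valid */
  int ok = 0;                     /* 1 only when every step below succeeded */
  int ret;

  /* days, commonName, x509p and pkeyp come from the enclosing function
   * (its signature is not part of this snippet).
   *
   * Previously every failure check was commented out, so a failed RNG, key,
   * certificate or signature step fell straight through and the caller could
   * be handed an unsigned certificate or a NULL key. Each step now breaks
   * out to the cleanup below on error. */
  do {
      derBuf = (byte*) XMALLOC(FOURK_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
      derKeyBuf = (byte*) XMALLOC(FOURK_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
      if (derBuf == NULL || derKeyBuf == NULL) {
          break;                                  /* out of memory */
      }

      ret = wc_InitRng(&rng);
      if (ret != 0) {
          break;                                  /* wc_InitRng() failed */
      }
      rngReady = 1;

      ret = wc_ecc_init(&newKey);
      if (ret != 0) {
          break;                                  /* wc_ecc_init() failed */
      }
      keyReady = 1;

      /* 32-byte key size selects a 256-bit curve. */
      ret = wc_ecc_make_key(&rng, 32, &newKey);
      if (ret != 0) {
          break;                                  /* wc_ecc_make_key() failed */
      }

      /* Subject/validity setup. The copy is bounded to CTC_NAME_SIZE - 1 and
       * the last byte is forced to NUL, so commonName stays terminated even
       * when the input is longer than the field (strncpy alone does not
       * guarantee that). */
      wc_InitCert(&newCert);
      newCert.daysValid = days;
      newCert.isCA    = 0;
      newCert.sigType = CTC_SHA256wECDSA;
      strncpy(newCert.subject.commonName, (const char *)commonName, CTC_NAME_SIZE - 1);
      newCert.subject.commonName[CTC_NAME_SIZE - 1] = '\0';

      /* Build the certificate body, then self-sign it with the new ECC key. */
      ret = wc_MakeCert(&newCert, derBuf, FOURK_SZ, NULL, &newKey, &rng);
      if (ret < 0) {
          break;                                  /* wc_MakeCert() failed */
      }

      derBufSz = wc_SignCert(newCert.bodySz, newCert.sigType, derBuf, FOURK_SZ, NULL, &newKey, &rng);
      if (derBufSz < 0) {
          break;                                  /* wc_SignCert() failed */
      }

      /* DER certificate -> WOLFSSL_X509 (allocated by wolfSSL). */
      newX509 = wolfSSL_X509_d2i(&newX509, derBuf, derBufSz);
      if (newX509 == NULL) {
          break;                                  /* wolfSSL_X509_d2i() failed */
      }

      /* ECC private key -> DER -> WOLFSSL_EVP_PKEY. */
      derKeyBufSz = wc_EccKeyToDer(&newKey, derKeyBuf, FOURK_SZ);
      if (derKeyBufSz < 0) {
          break;                                  /* wc_EccKeyToDer() failed */
      }

      /* OpenSSL-style d2i functions may advance the pointer they are given;
       * using a separate cursor keeps derKeyBuf pointing at the allocation
       * so it can be freed below. */
      derKeyCursor = derKeyBuf;
      pk = wolfSSL_d2i_PrivateKey_EVP(NULL, &derKeyCursor, derKeyBufSz);
      if (pk == NULL) {
          break;                                  /* wolfSSL_d2i_PrivateKey_EVP() failed */
      }

      ok = 1;
  } while (0);

  /* Cleanup runs on every path. The DER key buffer holds the private key in
   * the clear, so it is wiped with ForceZero() -- wolfSSL's memset that the
   * compiler cannot drop (declared in wolfssl/wolfcrypt/misc.h in current
   * releases; confirm for your version) -- before being released. */
  if (derKeyBuf != NULL) {
      ForceZero(derKeyBuf, FOURK_SZ);
      XFREE(derKeyBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  }
  if (derBuf != NULL) {
      XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  }
  if (keyReady) {
      wc_ecc_free(&newKey);       /* pk was decoded from the DER copy, not from newKey */
  }
  if (rngReady) {
      wc_FreeRng(&rng);
  }

  if (!ok) {
      /* Never hand out a half-built pair: release whatever was created. */
      if (pk != NULL) {
          wolfSSL_EVP_PKEY_free(pk);
          pk = NULL;
      }
      if (newX509 != NULL) {
          wolfSSL_X509_free(newX509);
          newX509 = NULL;
      }
  }

  /* On success the caller owns both objects; on failure both are NULL, so
   * the caller must check them (or the enclosing function's return value). */
  *x509p = newX509;
  *pkeyp = pk;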

Is there anything I am doing wrong in this code that I am not able to see?

Can anyone help with this issue?


Re: [SOLVED] SSL: error:0906D06C:PEM_read_bio:no start line:Expecting:

Hi @subale255,

Can you share the contents of the cert that was generated? The `no start line` error comes from the PEM parser not finding a `-----BEGIN CERTIFICATE-----` header, so first check that the file actually holds PEM text rather than the raw DER that `wc_SignCert()` produces (the example below converts the signed DER with `wc_DerToPem()` before writing it out). It also looks like you are missing the country, province, etc. setup. I'll include the entire example at the end, but note this excerpt from one of our examples:

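    /* wc_InitCert() resets the Cert to a zeroed default state, so copies
     * bounded to CTC_NAME_SIZE - 1 always leave a terminating NUL in each
     * subject field; copying a full CTC_NAME_SIZE bytes with XSTRNCPY could
     * leave a field unterminated if the source ever filled it. */
    wc_InitCert(&newCert);
    const char* country    = "US";
    const char* province   = "MT";
    const char* city       = "Bozeman";
    const char* org        = "wolfSSL";
    const char* unit       = "wolfSSL_Forums";
    const char* commonName = "Support";
    const char* email      = "support@wolfssl.com";
    const int   daysValid  = 10;    /* was a string round-tripped through atoi() */

    XSTRNCPY(newCert.subject.country,    country,    CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.state,      province,   CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.locality,   city,       CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.org,        org,        CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.unit,       unit,       CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.commonName, commonName, CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.email,      email,      CTC_NAME_SIZE - 1);
    newCert.daysValid = daysValid;
    newCert.isCA    = 0;            /* end-entity certificate, not a CA */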

Complete example:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/test.h>

#define MAX_CERT_SZ 8192
#define HEAP_HINT NULL
#define FOURK_SZ  4096
#define RSA_E      65537

void free_things_ecc(byte** a, byte** b, byte** c, ecc_key* d, ecc_key* e,
                                                                     WC_RNG* f);

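/*
 * Generate a self-signed ECC (P-256, SHA256withECDSA) certificate and write
 * it to certOut in PEM form.
 *
 * certOut: path of the file to (over)write with the PEM certificate.
 * Returns 1 on success (kept for compatibility with existing callers) and a
 * negative value on failure; wolfSSL error codes are passed through where
 * the original did so.
 *
 * The generated private key is only converted to DER in a local buffer; it
 * is NOT written anywhere, so the certificate alone is not usable by a TLS
 * server. A caller that needs it must persist the key separately, with
 * restrictive file permissions. The certificate itself is public data, so
 * certOut needs no special permissions.
 */
int make_self_signed_ecc_certificate(char* certOut) {
    int ret = 0;
    int result = -1;          /* value returned: 1 on success, negative on failure */
    int rngReady = 0;         /* wc_InitRng() succeeded, so wc_FreeRng() is valid in cleanup */
    int keyReady = 0;         /* wc_ecc_init() succeeded, so wc_ecc_free() is valid in cleanup */
    int certBufSz = 0;
    int pemBufSz = 0;
    byte* certBuf = NULL;     /* DER certificate: body from wc_MakeCert(), then signed */
    byte* pemBuf = NULL;      /* PEM encoding of certBuf, written to certOut */
    FILE* pemFile = NULL;
    Cert newCert;
    ecc_key key;
    WC_RNG rng;
    byte keyBuf[FOURK_SZ] = {0};   /* DER private key; wiped before return */

    const char* country    = "US";
    const char* province   = "MT";
    const char* city       = "Bozeman";
    const char* org        = "wolfSSL";
    const char* unit       = "wolfSSL_Forums";
    const char* commonName = "Support";
    const char* email      = "support@wolfssl.com";
    const int   daysValid  = 10;

    ret = wc_ecc_init(&key);
    if (ret != 0) {
        printf("Failed to initialize ecc key\nRET: %d\n", ret);
        result = ret;
        goto cleanup;
    }
    keyReady = 1;

    ret = wc_InitRng(&rng);
    if (ret != 0) {
        printf("Failed to initialize rng.\nRET: %d\n", ret);
        result = ret;
        goto cleanup;
    }
    rngReady = 1;

    /* 32-byte key size selects a 256-bit curve. */
    if (wc_ecc_make_key(&rng, 32, &key) != 0) {
        printf("error making ecc key\n");
        goto cleanup;
    }

    /* Kept from the original: proves the key encodes, but see the header
     * comment -- keyBuf is never written out. */
    if (wc_EccKeyToDer(&key, keyBuf, sizeof(keyBuf)) < 0) {
        printf("error in ecc to der\n");
        goto cleanup;
    }

    /* wc_InitCert() resets the Cert to a zeroed default state, so copies
     * bounded to CTC_NAME_SIZE - 1 always leave each subject field
     * NUL-terminated. */
    wc_InitCert(&newCert);
    XSTRNCPY(newCert.subject.country,    country,    CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.state,      province,   CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.locality,   city,       CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.org,        org,        CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.unit,       unit,       CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.commonName, commonName, CTC_NAME_SIZE - 1);
    XSTRNCPY(newCert.subject.email,      email,      CTC_NAME_SIZE - 1);
    newCert.daysValid = daysValid;
    newCert.isCA    = 0;            /* end-entity certificate, not a CA */
    /* Other ECDSA signature types accepted here: CTC_SHAwECDSA,
     * CTC_SHA224wECDSA, CTC_SHA384wECDSA, CTC_SHA512wECDSA. */
    newCert.sigType = CTC_SHA256wECDSA;

    certBuf = (byte*) XMALLOC(FOURK_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    if (certBuf == NULL) {
        printf("Failed to initialize buffer to store certificate.\n");
        goto cleanup;
    }
    XMEMSET(certBuf, 0, FOURK_SZ);

    ret = wc_MakeCert(&newCert, certBuf, FOURK_SZ, NULL, &key, &rng); /* ecc certificate */
    if (ret < 0) {
        printf("Failed to make certificate.\n");
        result = ret;
        goto cleanup;
    }
    printf("MakeCert returned %d\n", ret);

    ret = wc_SignCert(newCert.bodySz, newCert.sigType, certBuf, FOURK_SZ, NULL,
                                                              &key, &rng);
    if (ret < 0) {
        printf("Failed to sign certificate.\n");
        result = ret;
        goto cleanup;
    }
    printf("SignCert returned %d\n", ret);
    certBufSz = ret;

    printf("Successfully created new certificate\n");

/*---------------------------------------------------------------------------*/
/* convert the der to a pem and write it to a file                           */
/*---------------------------------------------------------------------------*/
    /* A PEM loader needs the -----BEGIN CERTIFICATE----- header that only
     * this conversion produces; writing the raw DER to a .pem file is what
     * yields "PEM_read_bio:no start line". The original wrote the DER to
     * certOut and then overwrote it with the PEM; only the PEM is written now. */
    printf("Convert the der cert to pem formatted cert\n");

    pemBuf = (byte*) XMALLOC(FOURK_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    if (pemBuf == NULL) {
        printf("Failed to initialize pem buffer.\n");
        goto cleanup;
    }
    XMEMSET(pemBuf, 0, FOURK_SZ);

    pemBufSz = wc_DerToPem(certBuf, certBufSz, pemBuf, FOURK_SZ, CERT_TYPE);
    if (pemBufSz < 0) {
        printf("Failed to convert from der to pem.\n");
        goto cleanup;
    }
    printf("Resulting pem buffer is %d bytes\n", pemBufSz);

    printf("Writing newly generated certificate to file \"%s\"\n", certOut);
    pemFile = fopen(certOut, "wb");
    if (!pemFile) {
        printf("failed to open file: %s\n", certOut);
        goto cleanup;
    }
    /* fwrite may write less than requested; a short write would leave a
     * truncated certificate on disk, so treat it as a failure. */
    if (fwrite(pemBuf, 1, (size_t)pemBufSz, pemFile) != (size_t)pemBufSz) {
        printf("short write to file: %s\n", certOut);
        goto cleanup;
    }
    /* fclose flushes; its result is the last chance to see a write error. */
    ret = fclose(pemFile);
    pemFile = NULL;
    if (ret != 0) {
        printf("failed to close file: %s\n", certOut);
        goto cleanup;
    }
    printf("Successfully converted the der to pem. Result is in:  %s\n\n",
                                                                 certOut);
    result = 1;

cleanup:
    /* Single exit: every early return in the original leaked certBuf,
     * pemBuf, the key and the RNG. */
    if (pemFile != NULL) {
        fclose(pemFile);            /* error path: a partial file may remain */
    }
    if (pemBuf != NULL) {
        XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    }
    if (certBuf != NULL) {
        XFREE(certBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    }
    if (keyReady) {
        wc_ecc_free(&key);
    }
    if (rngReady) {
        wc_FreeRng(&rng);
    }
    /* keyBuf holds the private key in the clear; ForceZero() is wolfSSL's
     * memset that the compiler cannot drop (declared in
     * wolfssl/wolfcrypt/misc.h in current releases; confirm for your version). */
    ForceZero(keyBuf, sizeof(keyBuf));
    return result;
}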

/* Free one temporary buffer through its owner pointer and reset the owner
 * to NULL so a later free through the same pointer is a no-op. Accepts a
 * NULL owner or an owner that already holds NULL. */
static void release_tmp_buffer(byte** owner)
{
    if (owner == NULL || *owner == NULL) {
        return;
    }
    XFREE(*owner, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    *owner = NULL;
}

/*
 * Release everything make_self_signed_ecc_certificate() may have acquired.
 *
 * a, b, c: owner pointers of temporary buffers (each may be NULL, or point
 *          at a NULL buffer); freed and reset to NULL.
 * d, e:    ECC keys handed straight to wc_ecc_free(); the caller in this
 *          file passes NULL for e, so wc_ecc_free() is relied on to accept
 *          NULL -- confirm for your wolfSSL version.
 * f:       RNG handed straight to wc_FreeRng().
 */
void free_things_ecc(byte** a, byte** b, byte** c, ecc_key* d, ecc_key* e,
                                                                      WC_RNG* f)
{
    release_tmp_buffer(a);
    release_tmp_buffer(b);
    release_tmp_buffer(c);

    wc_ecc_free(d);
    wc_ecc_free(e);
    wc_FreeRng(f);
}

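/*
 * Entry point: generate a self-signed ECC certificate and write it as PEM.
 * An optional first argument overrides the output path; the default stays
 * "mycert.pem". Exits 0 on success and 1 on failure -- previously the
 * result of make_self_signed_ecc_certificate() was dropped, so the process
 * always exited 0 even when no certificate had been written.
 */
int main(int argc, char** argv)
{
    char* certOut = (argc > 1) ? argv[1] : "mycert.pem";
    int ret = make_self_signed_ecc_certificate(certOut);

    /* make_self_signed_ecc_certificate() returns 1 on success, negative on failure. */
    return (ret == 1) ? 0 : 1;
}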

Warm Regards,

K

3 (edited by subale255 2019-06-11 02:56:58)

Re: [SOLVED] SSL: error:0906D06C:PEM_read_bio:no start line:Expecting:

hello Kaleb,
   
       Thanks for the help. I was able to solve this issue.

Thanks & Regards,
Surekha


Re: [SOLVED] SSL: error:0906D06C:PEM_read_bio:no start line:Expecting:

@subale255,

It was my pleasure. If you need further assistance please contact us at support@wolfssl.com for best response times or here on the forums for non-pressing matters.

Warm Regards,

K