1 (edited by rafaelzingler 2019-08-09 17:23:00)

Topic: LPC1768 No CA signer to verify with

Hi all,

I'm trying to use WolfSSL with the LPC1768 microcontroller.

The ecosystem looks like below:

  • IDE: uVision5

  • Operating system: FreeRTOS

  • TCP/IP stack: FreeRTOS TCP

  • Device: NXP LPC1768

  • WolfSSL version: 4.0.0

I'm getting a -188 error in the handshake process, according to the debug output below.

Has anyone succeeded in using the library with this or an equivalent device?

Could I get some help with the parameters for this specific use case?

Attached, the user_settings.h I'm using.

Any help would be appreciated.

wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
Shrinking input buffer
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
growing output buffer
Shrinking output buffer
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering ERR_error_string



Thanks in advance!!!

Post's attachments

user_settings.h 1.44 kb, 3 downloads since 2019-08-10 


Re: LPC1768 No CA signer to verify with

Hi rafaelzingler,

There is nothing wrong with your settings, the -188 error code means you just haven't loaded the right cert in to validate the peer you are connecting to!

The API wolfSSL_CTX_load_verify_buffer is most common on embedded devices unless you have a file system in which case you can use wolfSSL_CTX_load_verify_locations instead. You want to load the Root CA that signed the peer cert chain.

If you have any trouble finding the right cert to load please send us the IP of a public server we can connect to and we'd be happy to track down the right cert for you.

Warm Regards,

KH

Re: LPC1768 No CA signer to verify with

Hi Kaleb.

First of all, thanks for your reply.

Yes, I have a file system available in this hardware. I'm reading the certificate file from a SD Card.

The server name I'm trying to connect to is monipark.com.br

Attached, the certificate file I'm using.

Best regards.

Post's attachments

root.pem 2.08 kb, 1 downloads since 2019-08-17 


Re: LPC1768 No CA signer to verify with

Please try using this one instead and let us know if the issue resolves (Thank you for sending the domain)

Warm Regards,

K

Post's attachments

AddTrustExternalCARoot.pem 4.73 kb, 1 downloads since 2019-08-17 


Re: LPC1768 No CA signer to verify with

Hi,

I tested with the certificate you sent me. I noticed that, using it, it was possible to decode the certificate policy. However, I got the same (-188) error, as shown below:

IP Init OK
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
Shrinking input buffer
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCertPolicy
wolfSSL Leaving DecodeCertPolicy, return 0
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
Hash for Signature has unsupported type
wolfSSL Leaving ConfirmSignature, return -232
Confirm signature failed
Failed to verify CA from chain
growing output buffer
Shrinking output buffer
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCertPolicy
wolfSSL Leaving DecodeCertPolicy, return 0
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering ERR_error_string

Thanks for your attention.
Regards!!


Re: LPC1768 No CA signer to verify with

Hi @rafaelzingler,

Notice the error code -232 while processing the cert, this means the hash type used is not enabled/supported. That cert uses sha1. Could you check your settings and see if NO_SHA is being defined? If so could you remove that setting and test again with SHA1 enabled?

Warm Regards,

K
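The observation in the reply above, that the -188 the application sees is preceded in the log by a -232 from ConfirmSignature, as an added example (not part of the original posts and not wolfSSL code): a small C helper that scans a wolfSSL debug log for the first and the last failing return. The function names, hint strings and the shortened log excerpt are assumptions made for illustration; the codes and their meanings are the ones given in this thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error codes and meanings as given in this thread (hint wording is ours). */
static const struct { int code; const char *hint; } HINTS[] = {
    { -188, "no CA signer: load the root CA that signed the peer chain" },
    { -232, "hash type not enabled: check NO_SHA / WOLFSSL_SHA384 / WOLFSSL_SHA512" },
    { -125, "out of memory: increase heap or reduce memory usage" },
};

const char *hint_for(int code) {
    for (size_t i = 0; i < sizeof HINTS / sizeof HINTS[0]; i++)
        if (HINTS[i].code == code) return HINTS[i].hint;
    return "not discussed in this thread";
}

/* Negative code from a "wolfSSL Leaving <fn>, return <n>" line, else 0. */
static int leaving_error(const char *line, size_t len) {
    if (len < 16 || strncmp(line, "wolfSSL Leaving ", 16) != 0) return 0;
    const char *p = strstr(line, "return ");
    long v = (p && p < line + len) ? strtol(p + 7, NULL, 10) : 0;
    return v < 0 ? (int)v : 0;
}

/* *first = earliest failing return (nearest the root cause), *last = the one
 * the application finally sees. Returns the number of failing lines. */
int triage(const char *log, int *first, int *last) {
    int n = 0;
    *first = *last = 0;
    while (*log) {
        size_t len = strcspn(log, "\n");
        int e = leaving_error(log, len);
        if (e) { if (n++ == 0) *first = e; *last = e; }
        log += len + (log[len] == '\n');
    }
    return n;
}

/* Lines excerpted (shortened) from the second log in this thread. */
static const char SAMPLE_LOG[] =
    "wolfSSL Leaving DoServerHello, return 0\n"
    "wolfSSL Leaving ConfirmSignature, return -232\n"
    "wolfSSL Leaving ProcessPeerCerts, return -188\n"
    "wolfSSL Leaving DoCertificate, return -188\n";

int main(void) {
    int first, last, n = triage(SAMPLE_LOG, &first, &last);
    printf("%d failing returns\nroot cause %d: %s\nsurfaced %d: %s\n",
           n, first, hint_for(first), last, hint_for(last));
    return 0;
}
```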

Re: LPC1768 No CA signer to verify with

Hi Kaleb.

Sorry for the trouble.

The NO_SHA directive isn't defined. However, in a debug session, stopping the execution at the beginning of HashForSignature function, I noticed that the sigOID parameter had a value of 0x00000290, which stands for CTC_SHA384wRSA (decimal 656), according to definitions in asn_public.h file. In this way, should I enable SHA384 in my configurations?

The debugging results are attached.

Thanks in advance.

Post's attachments

debug.png 81.23 kb, file has never been downloaded. 


Re: LPC1768 No CA signer to verify with

Hi @rafaelzingler,

Ahh so it must be coming from some other cert in the chain that uses SHA384 then. Yes can you try adding the settings:

WOLFSSL_SHA512
WOLFSSL_SHA384 // Truncated sha512 so you need sha512 enabled too!

OR

--enable-sha512 --enable-sha384

Let us know if that works.


Warm Regards,

KH

Re: LPC1768 No CA signer to verify with

Hi Kaleb.

After enabling SHA512/SHA384, I got the following error:

RSA_FUNCTION MP_EXPTMOD_E: memory/config problem
wolfSSL Leaving ConfirmSignature, return -155l

According to the post at https://www.wolfssl.com/forums/topic110 … rror.html, it's necessary to change FP_MAX_BITS directive to 8192. After this, I got the out of memory error:

wolfSSL Leaving ConfirmSignature, return -125

I guess there is nothing else to do with this hardware. I have to use a more powerful microcontroller.

Thank you anyway for the great support!!

Cheers


Re: LPC1768 No CA signer to verify with

Hi @rafaelzingler,

Are you at the absolute maximum of available heap? Often times you simply need to increase whatever the default heap settings are. Also you can try to reduce memory usage with:

USE_SLOW_SHA256
USE_SLOW_SHA512

You can further reduce overall memory usage (increases heap usage, reduces stack usage) by removing the USE_FAST_MATH setting and reducing stack but slightly increasing heap.

Warm Regards,

KH

Re: LPC1768 No CA signer to verify with

Hi Kaleb.

Yes, I'm using the largest possible heap, which in my case is 32768 bytes.

I will try with these options to see if I get different results.

Thank you!!
