Topic: Mocana port of CERT_STORE_addIdentityNakedKey()
I'm currently having some trouble replicating the Mocana call, CERT_STORE_addIdentityNakedKey(). I'm not an expert on certificates and keys, but my understanding is that this call loads a DER key without an associated certificate into the certificate store. This is the pseudo-code that I'm using:
// Initialize wolfSSL
status = wolfSSL_Init();
// Initialize wolfSSL certificate manager
certManager = wolfSSL_CertManagerNew();
// Initialize the RNG
wc_InitRng(&rng);
// Generate a new DSA key
wc_InitDsaKey(&dsaKey);
// Generate DSA parameters
wc_MakeDsaParameters(&rng, keySize, &dsaKey);
wc_MakeDsaKey(&rng, &dsaKey);
// Convert the DSA key to DER format
pTempKeyDerLen = wc_DsaKeyToDer(&dsaKey, tempKeyDerBlob, sizeof(tempKeyDerBlob));
// Create SSL context
sslCtx = wolfSSL_CTX_new(wolfSSLv23_server_method());
// Set up cipher suites and algorithms
status = wolfSSL_CTX_set_cipher_list(sslCtx,
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256");
// Allow loading of naked key
wolfSSL_CTX_set_verify(sslCtx, WOLFSSL_VERIFY_NONE, NULL);
// Load the private key into the SSL context
status = wolfSSL_CTX_use_PrivateKey_buffer(sslCtx, tempKeyDerBlob, pTempKeyDerLen,
    WOLFSSL_FILETYPE_ASN1);
// Load the private key into the certificate manager
status = wolfSSL_CertManagerLoadCABuffer_ex(certManager, tempKeyDerBlob, pTempKeyDerLen,
    WOLFSSL_FILETYPE_ASN1, 0, WOLFSSL_VERIFY_NONE);
In that code, the call to wolfSSL_CTX_use_PrivateKey_buffer returns WOLFSSL_BAD_FILE. If I skip it and call wolfSSL_CertManagerLoadCABuffer_ex, it returns ASN_PARSE_E. I looked at the DER, dumped it to a file, and verified it with openssl. Not sure why I'm getting a parsing error when it works with OpenSSL. I'd appreciate any help you can provide.
My original code did not change the verification settings. I'm not sure of the security ramifications of that, but I wanted to try it to see if I could at least get something working (it doesn't). I need it to be as secure as possible, at least as secure as the Mocana implementation was, preferably more secure.
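Added example, not part of the original post and not wolfSSL or Mocana code: a stand-alone check of a DER blob's outer ASN.1 shape, useful before handing it to a call such as wolfSSL_CertManagerLoadCABuffer_ex, which loads CA certificates rather than keys. It assumes the key blob uses the traditional DSA private-key layout (one SEQUENCE of six INTEGERs); the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
enum der_kind { DER_INVALID, DER_INT_SEQUENCE, DER_CERT_LIKE, DER_OTHER };

/* Read one DER tag/length header at *pos; -1 on truncated or non-DER input. */
static int der_header(const unsigned char *b, size_t n, size_t *pos,
                      unsigned char *tag, size_t *len)
{
    size_t p = *pos, l, k;
    if (p >= n || n - p < 2) return -1;
    *tag = b[p++]; l = b[p++];
    if (l & 0x80) {                 /* long form: low 7 bits count length octets */
        k = l & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n - p < k) return -1;
        for (l = 0; k > 0; k--) l = (l << 8) | b[p++];
    }
    if (l > n - p) return -1;       /* value would overrun the buffer */
    *len = l; *pos = p;
    return 0;
}

/* Classify the outer shape; *ints receives the count of top-level INTEGERs. */
enum der_kind der_classify(const unsigned char *b, size_t n, size_t *ints)
{
    size_t pos = 0, len, others = 0;
    unsigned char tag, first = 0;
    *ints = 0;
    if (der_header(b, n, &pos, &tag, &len) || tag != 0x30 || pos + len != n)
        return DER_INVALID;         /* need exactly one outer SEQUENCE */
    while (pos < n) {
        if (der_header(b, n, &pos, &tag, &len)) return DER_INVALID;
        if (*ints + others == 0) first = tag;
        if (tag == 0x02) (*ints)++; else others++;
        pos += len;
    }
    if (*ints > 0 && others == 0) return DER_INT_SEQUENCE;  /* bare key shape */
    /* X.509: SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, BIT STRING } */
    if (others == 3 && *ints == 0 && first == 0x30 && tag == 0x03) return DER_CERT_LIKE;
    return DER_OTHER;
}

/* Constructed samples, not real key material: six 1-byte INTEGERs, cert skeleton. */
static const unsigned char sample_key[]  = {0x30,0x12, 2,1,0, 2,1,0x17, 2,1,0x0b, 2,1,4, 2,1,8, 2,1,3};
static const unsigned char sample_cert[] = {0x30,0x09, 0x30,0x00, 0x30,0x00, 0x03,0x03,0x00,0xaa,0xbb};

int main(void)
{
    size_t ints;
    return der_classify(sample_key, sizeof sample_key, &ints) != DER_INT_SEQUENCE;
}
```

A blob that classifies as DER_INT_SEQUENCE with six INTEGERs has the bare-key shape and no certificate wrapper, so a certificate parser has nothing valid to decode in it.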