• Registered: 2024-06-17
  • Posts: 1

Topic: Mocana port of CERT_STORE_addIdentityNakedKey()

I'm currently having some trouble replicating the Mocana call, CERT_STORE_addIdentityNakedKey().  I'm not an expert on certificates and keys, but my understanding is that this call loads a DER key without an associated certificate into the certificate store.  This is the pseudo-code that I'm using:

    // Initialize wolfSSL
    status = wolfSSL_Init();

    // Initialize WolfSSL certificate manager
    certManager = wolfSSL_CertManagerNew();

    // Initialize the RNG
    wc_InitRng(&rng);

    // Generate a new DSA key
    wc_InitDsaKey(&dsaKey) ;

    // Generate DSA parameters
    wc_MakeDsaParameters(&rng, keySize, &dsaKey);

    wc_MakeDsaKey(&rng, &dsaKey);

    // Convert the DSA key to DER format
    pTempKeyDerLen = wc_DsaKeyToDer(&dsaKey, tempKeyDerBlob, sizeof(tempKeyDerBlob));

    // Create SSL context
    sslCtx = wolfSSL_CTX_new(wolfSSLv23_server_method());

    // Set up cipher suites and algorithms
    status =
            wolfSSL_CTX_set_cipher_list(sslCtx,
                    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256");

    // Allow loading of naked key
    wolfSSL_CTX_set_verify(sslCtx, WOLFSSL_VERIFY_NONE, NULL);

    // Load the private key into the SSL context
    status = wolfSSL_CTX_use_PrivateKey_buffer(sslCtx, tempKeyDerBlob, pTempKeyDerLen,
            WOLFSSL_FILETYPE_ASN1);

    // Load the private key into the certificate manager
    status = wolfSSL_CertManagerLoadCABuffer_ex(certManager, tempKeyDerBlob, pTempKeyDerLen,
            WOLFSSL_FILETYPE_ASN1, 0, WOLFSSL_VERIFY_NONE);

In that code, the call to wolfSSL_CTX_use_PrivateKey_buffer returns WOLFSSL_BAD_FILE.  If I skip it and call wolfSSL_CertManagerLoadCABuffer_ex, it returns ASN_PARSE_E.  I looked at the DER, dumped it to a file, and verified it with openssl.  Not sure why I'm getting a parsing error when it works with OpenSSL.  I'd appreciate any help you can provide.

My original code did not change the verification settings.  I'm not sure of the security ramifications of that, but I wanted to try it to see if I could at least get something working (it doesn't).  I need it to be as secure as possible, at least as secure as the Mocana implementation was, preferably more secure.

Share

  • Registered: 2021-08-12
  • Posts: 97

Re: Mocana port of CERT_STORE_addIdentityNakedKey()

This will be  handled via technical support channel.

Share