Topic: Verify server Cert with CA using wolfSSL embedded ssl

Is there any way to verify my own (TCP/IP server) certificate with my CA before the handshake starts?

I am able to verify peer's (TCP/IP client) certificate during the handshake but I would like to verify my own Certificate.

I tried it using

CyaSSL_CertManagerVerifyBuffer(cm, server_cert, cert_size, SSL_FILETYPE_PEM);

In order to use that function I had to develop a new one to get "cm" in ssl.c.

CYASSL_CERT_MANAGER* CyaSSL_CTX_get_cm(CYASSL_CTX* ctx)
{
    CYASSL_CERT_MANAGER* cm = NULL;

    CYASSL_ENTER("CyaSSL_CTX_get_cm");

    /* hand back the certificate manager already owned by the context */
    cm = ctx->cm;

    CYASSL_LEAVE("CyaSSL_CTX_get_cm", 0);
    return cm;
}

and also include in ssl.h:

CYASSL_API CYASSL_CERT_MANAGER* CyaSSL_CTX_get_cm(CYASSL_CTX*);

My new function compiles and links with no problem, but I am getting an error linking CyaSSL_CertManagerVerifyBuffer.

Any suggestions?
Thanks a lot,
Belén.


Re: Verify server Cert with CA using wolfSSL embedded ssl

Hi,

Yes, you can use the wolfSSL CertManager to verify your server's certificate against your CA.  You don't need to get the CYASSL_CERT_MANAGER from the SSL context though - you can just create a new one to use.  For example, you could do something like this:

int ret;
CYASSL_CERT_MANAGER* cm;

cm = CyaSSL_CertManagerNew();
if (cm == NULL) {
     // CertManagerNew failed
}

ret = CyaSSL_CertManagerLoadCA(cm, "./path/to/your/ca.pem", 0);
if (ret != SSL_SUCCESS) {
     // CertManagerLoadCA failed
}

ret = CyaSSL_CertManagerVerify(cm, "./path/to/your/server/cert.pem",
               SSL_FILETYPE_PEM);
if (ret != SSL_SUCCESS) {
     // CertManagerVerify failed
} else {
     // server cert verified
}

CyaSSL_CertManagerFree(cm);

Regarding the linking error, what version of wolfSSL are you using?  Are you linking to an older version wolfSSL without CertManager support?

Best Regards,
Chris

Re: Verify server Cert with CA using wolfSSL embedded ssl

Hi Chris,

Thanks a lot for your suggestion.

Actually, it is already working. I am using CyaSSL_CertManagerVerifyBuffer() because it is running on an embedded system and it does not have a file system. That is why I have defined NO_FILESYSTEM.

The problem was that the above mentioned function is defined in ssl.c behind #ifndef NO_FILESYSTEM and so it was not linking with my settings.

I think it is a small bug so I moved this function to the file location where the functions related to "buffer" instead of "file" are defined. Now everything works fine.
BTW, I am using wolfssl-2.3.0. I know it is not the last one, but this function is defined in the same location in wolfssl-2.4.0.

Thanks again.
Best Regards,

Belén.


Re: Verify server Cert with CA using wolfSSL embedded ssl

Hi Belen,

Thanks for the tip.  I'll look into this.

When you say you now have it working, are you still using your custom "CyaSSL_CTX_get_cm()" function?

Thanks,
Chris

Re: Verify server Cert with CA using wolfSSL embedded ssl

Hello

I am using an X509 certificate signed using SHA 256 and getting an error message in my app.

But the application is not working; I am getting the error below:

- AxisFault Exception caught:
org.apache.axis2.AxisFault: WSDoAllReceiver: The certificate used for the signature is not trusted
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:512)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
   
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:989)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:930)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:118)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:761)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:673)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:498)
    at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:464)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3184)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:254)


I have changed the alias name as well in the client.property

Could anyone please help here?


Thanks
Priya


Re: Verify server Cert with CA using wolfSSL embedded ssl

Hi Chris,

I am still using my CyaSSL_CTX_get_cm() function because my embedded system does not have a file system and I think that CyaSSL_CertManagerLoadCA() function needs a file as a second parameter.

Thanks,
Belén.


Re: Verify server Cert with CA using wolfSSL embedded ssl

Hi Belen,

Ok, thanks for letting me know.  We may need to add a CyaSSL_CertManagerLoadCABuffer() function to allow loading CA certs from buffers.  I'll keep you posted.

Thanks,
Chris