Hi - I'm a developer at Microsoft on the Azure IoT C SDK client. We want to make sure that our customers using Wolf SSL have a first-class experience.
I'm having problems with WolfSSL ingesting one of our test certs during the wolfSSL_use_certificate_buffer(…SSL_FILETYPE_PEM) call. The cert is at the bottom of this post. I'm on Wolf 3.11.0 running against Windows 10.
This same cert works fine in our Schannel and OpenSSL tests, and examining the cert with the openssl command line (bash -c "openssl x509 -in $fileName -noout -text") it seems OK (though it has a negative serial number, if that matters?).
The cert seems to be decoded to PEM fine, but during the call to GetSerialNumber() and GetASNInt(), we end up failing the "else if ((input[*inOutIdx] & 0x80) == 0x80)" call.
In GetASNInt:
0:000:x86> db @@c++(input) L@@c++(*len)
0004636c 30 82 03 36 30 82 02 22-a0 03 02 01 02 02 10 9e 0..60.."........
0:000:x86> ?? *inOutIdx
unsigned int 0xf
0:000:x86> ?? input[*inOutIdx]
unsigned char 0x9e ''
if (wolfSSL_use_certificate_buffer(ssl, (unsigned char*)x509certificate, strlen(x509certificate), SSL_FILETYPE_PEM) != SSL_SUCCESS)
static const char* x509certificate =
"-----BEGIN CERTIFICATE-----""\n"
"MIIDNjCCAiKgAwIBAgIQnh0H2+qMlJxINswnu9KVITAJBgUrDgMCHQUAMCkxJzAl""\n"
"BgNVBAMTHkF6dXJlIElvVCBUZXN0IEludGVybWVkaWF0ZSBDQTAeFw0xNzAxMDEw""\n"
"NzAwMDBaFw0xOTEyMzEwNzAwMDBaMBcxFTATBgNVBAMTDElvVERldmljZUlkMDCC""\n"
"ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKc/+TseO8j+7FHdd8HwYpbr""\n"
"54/2Jhj7EqOlCboPtDhI7Sienm6gv/kAKOQDA3sgoMDTQyO/lTWHlsU3m5sD7/NM""\n"
"p56XFyoqLZt89O9kTKYQC7OyLQ8c92vSEHF8Du5m+md0P3VcL+YuFOSwywuB4wx2""\n"
"gGLRERwVFATnwessHVhUYpkVlN2DERU3FD7iUIPPi7xW068Bt8jUA+O+KgqMwlGX""\n"
"11YaY7GbS2pKe2gt7gInkqNUMmTkzIRiO+hMjbT1SH9r7Te8jVlro7VrSb4ASbu6""\n"
"R/rKlcLsy72FagPit9or0tjGj/5EP1vaeoT4VwnqJK+eVa3R5r0Za+CpezVG500C""\n"
"AwEAAaN0MHIwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjBNBgNV""\n"
"HQEERjBEgBC1YpZVm6ZnEjTezyoDYhdCoR4wHDEaMBgGA1UEAxMRQXp1cmUgSW9U""\n"
"IFRlc3QgQ0GCENaiBN+tENWlTiTtmVbFH8AwCQYFKw4DAh0FAAOCAQEAWfdX+M0l""\n"
"1HEIcPNaSiqm2/ktTyT+ZIX+SFTjF5cxVTKNoatQNW1mNKCBzx2aED8E6oPJi+bk""\n"
"0rPHp0Itrgm/VXKDxlv6NhRqoS7romeqXf1Mbko5zYFaSNjrUDc4GGJVv6ATi/cx""\n"
"/C3aDsKOMRwSdeI5+yDHmh5roapqoVdlKvwA+OPQ34XARptu2hgrzTz7KOxK4/dw""\n"
"YE4DFBfYVefPzsbjngi3TsqXCEasF8yt93nx+aS2ipGO0d4LMgfaC6B/bKr+riWo""\n"
"iAcsiUfXl8PSx4orspOqKqMo3yf7prQXkROxF5uGyn3cREZ7N1DtTJBv7ouyekcU""\n"
"1/5mIMxjQ57xBg==""\n"
"-----END CERTIFICATE-----""\n";
This is what the openssl call (via a custom PowerShell helper) looks like:
Get-CertificateInfo .\IoTDeviceIdLeafOnly.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            (Negative)61:e2:f8:24:15:73:6b:63:b7:c9:33:d8:44:2d:6a:df
    Signature Algorithm: sha1WithRSA
        Issuer: CN=Azure IoT Test Intermediate CA
        Validity
            Not Before: Jan 1 07:00:00 2017 GMT
            Not After : Dec 31 07:00:00 2019 GMT
        Subject: CN=IoTDeviceId0
[etc...]
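
An added example (not part of the original post, and not wolfSSL code): a DER INTEGER is two's complement, so a first content byte with bit 0x80 set, like the 0x9e at index 0xf in the dump above, encodes a negative value. The sketch below classifies the serial taken from the first 31 DER bytes of the posted certificate and recovers the magnitude that openssl prints; `classify_der_int`, `cert_prefix` and `SERIAL_TLV_OFFSET` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: first 31 DER bytes of the posted certificate, decoded
 * from its first base64 line; the last 16 bytes are the serial content. */
static const unsigned char cert_prefix[] = {
    0x30,0x82,0x03,0x36, 0x30,0x82,0x02,0x22, 0xa0,0x03,0x02,0x01,0x02,
    0x02,0x10,                                  /* INTEGER, length 16 */
    0x9e,0x1d,0x07,0xdb,0xea,0x8c,0x94,0x9c,
    0x48,0x36,0xcc,0x27,0xbb,0xd2,0x95,0x21
};
#define SERIAL_TLV_OFFSET 13 /* tag at 13, so content starts at 15 (0xf) */
enum { INT_MALFORMED = -1, INT_POSITIVE = 0, INT_NEGATIVE = 1 };

/* Hypothetical helper: classify a short-form DER INTEGER at buf[off] and
 * write its magnitude (|value|, big-endian) into mag. */
int classify_der_int(const unsigned char *buf, size_t buflen, size_t off,
                     unsigned char *mag, size_t magcap, size_t *len)
{
    if (off + 2 > buflen || buf[off] != 0x02) return INT_MALFORMED;
    size_t n = buf[off + 1];
    if (n == 0 || n >= 0x80 || n > magcap || off + 2 + n > buflen)
        return INT_MALFORMED;
    const unsigned char *v = buf + off + 2;
    *len = n;
    if ((v[0] & 0x80) == 0) {        /* sign bit clear: non-negative */
        memcpy(mag, v, n);
        return INT_POSITIVE;
    }
    unsigned carry = 1;              /* negate: invert every bit, add one */
    for (size_t i = n; i-- > 0; ) {
        unsigned b = (unsigned char)~v[i] + carry;
        mag[i] = (unsigned char)b;
        carry = b >> 8;
    }
    return INT_NEGATIVE;
}

int main(void)
{
    unsigned char mag[16]; size_t len = 0;
    int kind = classify_der_int(cert_prefix, sizeof cert_prefix,
                                SERIAL_TLV_OFFSET, mag, sizeof mag, &len);
    printf("%s", kind == INT_NEGATIVE ? "(Negative)" : "");
    for (size_t i = 0; i < len; i++)
        printf("%02x%s", mag[i], i + 1 < len ? ":" : "\n");
    return kind == INT_MALFORMED;
}
```

RFC 5280 requires CAs to issue positive serial numbers but also says certificate users should handle non-conforming negative or zero serials gracefully, which is why the same certificate can be accepted by one parser and rejected by another.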