Topic: -188 err on wolfSSL_X509_verify_cert()

I have faced error when calling wolfSSL_X509_verify_cert()

This code worked before, but after shrinking the OU by 1 byte the function returns error -188, ASN no signer error to confirm failure.

The value of wolfSSL_X509_STORE_CTX_get_error(ctx) is zero.

    /* bind the store (holding the CA) and the certificate to verify to the context */
    if ((ret = wolfSSL_X509_STORE_CTX_init(ctx, store, signCert, NULL)) != SSL_SUCCESS) {
        printf(" Fail to init store context");
    } else {
        printf(" Success to init store context %d", ret);
    }
    /* run the chain verification; a negative return is the wolfSSL error code */
    if ((ret = wolfSSL_X509_verify_cert(ctx)) < 0) {
        printf(" Fail to verify signing certificate, %d ", wolfSSL_X509_STORE_CTX_get_error(ctx));
        char reason[100] = {0,};
        wolfSSL_ERR_error_string(ret, reason);
        printf(" Check certificate availability, error code = %d, %s", ret, reason);
    } else {
        printf(" Success to verify signing certificate");
    }

output

Success to init store context
Fail to verify signing certificate, 0
Check root certificate availability, error code = -188, ASN no signer error to confirm failure

To confirm the new certificate is fine, I checked with openssl like below.

$ openssl verify -verbose -CAfile ca2.cer CERT.pem
CERT.pem: OK
$ openssl verify -verbose -CAfile ca2.cer CERT_new.pem
CERT_new.pem: OK

Please advise to resolve.

Thanks.


2 (edited by dragem 2019-01-10 04:18:10)

Re: -188 err on wolfSSL_X509_verify_cert()

I have investigated the internal function of wolfSSL_X509_verify_cert().

It may return ASN_NO_SIGNER_E because of the non-existence of the CA.

int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
{
    if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
        if (cert->ca) {
           ...
        }
        else {
            /* no signer */
            WOLFSSL_MSG("No CA signer to verify with");
            return ASN_NO_SIGNER_E;
        }
    }
}

But I have put the CA certificate into the store before calling X509_verify_cert() like below, and I modified just the certificate.

    store = wolfSSL_X509_STORE_new();
    if (store == NULL) {
        printf(" [CACert] can not create certificate store");
    }
    ctx = wolfSSL_X509_STORE_CTX_new();
    if (ctx  == NULL) {
        printf(" [CACert] can not create certificate store container");
    }

    int ret = wolfSSL_X509_STORE_add_cert(store, mRootCert->mX509);
    if ( ret != SSL_SUCCESS) {
        mRootCert = NULL;
        char reason[100] = {0,};
        wolfSSL_ERR_error_string(ret, reason);
        printf(" Check CAcertificate availability, error code = %d, %s", ret, reason);
    } else {
        printf(" Success to add root certificate into store");
    }


3 (edited by dragem 2019-01-12 17:07:54)

Re: -188 err on wolfSSL_X509_verify_cert()

I think it may relate to the note below:

wolfSSL takes a different approach to certificate verification than OpenSSL
does.  The default policy for the client is to verify the server, this means
that if you don't load CAs to verify the server you'll get a connect error,
no signer error to confirm failure (-188).  If you want to mimic OpenSSL
behavior of having SSL_connect succeed even if verifying the server fails and
reducing security you can do this by calling:

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

before calling wolfSSL_new();  Though it's not recommended.

Could anyone confirm this?
If the failure relates to the note, is it possible to provide wolfSSL_X509_STORE_CTX_set_verify as well, or something like that?

Even so, it does not make sense that the previously working code fails after changing the subject's OU in the certificate.


Re: -188 err on wolfSSL_X509_verify_cert()

What do you mean that you reduced the size of the OU by 1?

As an example, you change your root CA's Subject Name's OU field from "OU=EngineeringX" to "OU=Engineering", and the CA certificate is still properly formed and signed. If your endpoint certificate's Issuer Name still has the old OU field, "OU=EngineeringX", then that's a different Name, and you should get an error -188.
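As an added example (not code from this thread or from wolfSSL), a small Python DER walker that pulls the Issuer and Subject Name out of a certificate and checks whether a leaf's Issuer equals a candidate CA's Subject byte for byte, which is the Name comparison the answer above describes. The certificates are constructed inline with empty placeholder fields and no real signature, so only the Name matching is exercised.

```python
def der_tlv(tag, body):
    """Encode one DER TLV with a short or long definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_name(ou):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single OU."""
    oid = der_tlv(0x06, bytes([0x55, 0x04, 0x0B]))        # id-at-organizationalUnitName
    atv = der_tlv(0x30, oid + der_tlv(0x0C, ou.encode()))  # UTF8String value
    return der_tlv(0x30, der_tlv(0x31, atv))

def fake_cert(issuer_ou, subject_ou):
    """Constructed v1-style certificate skeleton; sigalg, validity, SPKI and
    signature are empty placeholders, only the two Names are meaningful."""
    tbs = (der_tlv(0x02, b"\x01")      # serialNumber
           + der_tlv(0x30, b"")        # signature algorithm (placeholder)
           + der_name(issuer_ou)       # issuer
           + der_tlv(0x30, b"")        # validity (placeholder)
           + der_name(subject_ou)      # subject
           + der_tlv(0x30, b""))       # subjectPublicKeyInfo (placeholder)
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + ln

def cert_names(der):
    """Return the raw DER of (issuer, subject) from a DER-encoded certificate."""
    _, p, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, p, end = read_tlv(der, p)       # tbsCertificate SEQUENCE
    fields = []
    while p < end:
        tag, _, stop = read_tlv(der, p)
        fields.append((tag, der[p:stop]))
        p = stop
    if fields[0][0] == 0xA0:           # skip optional [0] EXPLICIT version
        fields.pop(0)
    return fields[2][1], fields[4][1]  # serial, sigalg, issuer, validity, subject

def issuer_matches(leaf_der, ca_der):
    """True when the leaf's Issuer Name equals the CA's Subject Name byte for byte."""
    return cert_names(leaf_der)[0] == cert_names(ca_der)[1]
```

With a leaf issued under "OU=EngineeringX", `issuer_matches` returns True against a CA whose Subject still carries that OU and False once the CA's OU is shrunk to "OU=Engineering", which is the situation that produces -188.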