Azure / azure-c-shared-utility

Azure C SDKs common code
111 stars, 203 forks

Failure PEM_read_bio_X509_AUX #544

Closed matsujirushi closed 3 years ago

matsujirushi commented 3 years ago

Using the ATECC608A-TNGTLS certificate in iothub_ll_client_x509_sample causes an error.

Creating IoTHub handle
Sending message 1 to IoTHub
Error: Time:Fri Aug 20 10:31:12 2021 File:/home/pi/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:31 Failure PEM_read_bio_X509_AUX
Error: Time:Fri Aug 20 10:31:13 2021 File:/home/pi/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:38   [0] error:0909006C:PEM routines:get_name:no start line

https://github.com/Azure/azure-c-shared-utility/blob/e4d74dce9af5e885f0f26b4f9d2f693b358b6455/adapters/x509_openssl.c#L57

However, I can get the certificate chain using p11tool.

pi@raspberrypi:~/azure-iot-sdk-c $ p11tool --export-chain "pkcs11:token=MCHP;object=device;type=cert"
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

pi@raspberrypi:~/azure-iot-sdk-c $ 

I don't know how to find out. Could you give me some advice?

matsujirushi commented 3 years ago

I wrote the x509certificate variable:

static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";

[image]

danewalton commented 3 years ago

Hi @matsujirushi thanks for the message.

Are you able to use this to help guide you using PKCS11?

Copied here is the relevant section:

// Example using PKCS#11 OpenSSL ENGINE (https://github.com/OpenSC/libp11)
// The OpenSSL ENGINE must be associated to a pkcs11 module within openssl.cnf.
static const char* opensslEngine = "pkcs11";
static const OPTION_OPENSSL_KEY_TYPE x509_key_from_engine = KEY_TYPE_ENGINE;

// Certificate can be extracted from the PKCS#11 library using pkcs11-tool from OpenSC.
static const char* x509certificate = 
"-----BEGIN CERTIFICATE-----\n"
"MIIBMTCB1wIUTu66kxJIBR5t5IkAwh7Lqm/AM+IwCgYIKoZIzj0EAwIwGzEZMBcG\n"
// [...]
"DItkq1MHqzqExB1eTrMHQVY11w62\n"
"-----END CERTIFICATE-----\n";

// The private key contains the PKCS#11 URI.
static const char* x509privatekey = "pkcs11:object=ec-privkey;type=private?pin-value=1234";

matsujirushi commented 3 years ago

Hi @danewalton, thank you for your reply.

It works in my environment when x509privatekey uses pkcs11 and x509certificate is hard-coded (NOT using pkcs11). I want to use the certificate in the ATECC608A-TNGTLS, so I made the following change. Then an error occurred.

static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";

danewalton commented 3 years ago

Yes, right now we only have support for loading the private key from an engine. Here is the call to make that happen: https://github.com/Azure/azure-c-shared-utility/blob/64ea7a9359d9f431a713658cb95bbd0c426c8e3c/adapters/x509_openssl.c#L241

The equivalent call to ENGINE_load_public_key() is not in our code base and therefore the loading comes from https://github.com/Azure/azure-c-shared-utility/blob/64ea7a9359d9f431a713658cb95bbd0c426c8e3c/adapters/x509_openssl.c#L311

TLDR: we don't support that right now. I will move this to a discussion as a feature ask though.
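Editor's note on the practical workaround, added here and not part of the thread or of the SDK: the `no start line` error is OpenSSL's PEM reader reporting that the buffer it was given contains no `-----BEGIN` header, which is what happens when the PKCS#11 URI string is passed where a PEM certificate is expected. Since only the private key can come from the engine, the usual approach is to export the certificate from the token once (p11tool, as the reporter already did, or pkcs11-tool as the sample comment suggests) and embed the PEM as a string literal while the key stays on the ATECC608A. The script below turns a PEM file into a C literal in exactly the line-per-line form the sample uses; the constructed input is not a real certificate, and the module path and object label in the export comments are assumptions to be replaced with values from `p11tool --list-all` for the actual token.

```shell
#!/bin/sh
# Added example (not SDK code): embed a token-held certificate as a C string
# literal so that only the private key is loaded through the pkcs11 ENGINE.
#
# Export step, needs the token attached, shown for reference and not run here.
# The module path and label are assumptions for the ATECC608A setup:
#   pkcs11-tool --module /usr/lib/libcryptoauth.so --read-object --type cert \
#       --label device -o device.der
#   openssl x509 -inform der -in device.der -out device.pem
# or, as in the issue:
#   p11tool --export-chain "pkcs11:token=MCHP;object=device;type=cert" > device.pem

# pem_to_c_literal FILE
# Emits one quoted line per PEM line, each terminated with an escaped "\n",
# which is the form iothub_ll_client_x509_sample expects for x509certificate.
# Lines outside BEGIN/END CERTIFICATE markers (tool chatter, blank separators
# between chain members) are skipped; every certificate in the file is emitted.
pem_to_c_literal() {
    in_cert=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----") in_cert=1 ;;
        esac
        if [ "$in_cert" -eq 1 ]; then
            printf '"%s\\n"\n' "$line"
        fi
        case "$line" in
            "-----END CERTIFICATE-----") in_cert=0 ;;
        esac
    done < "$1"
}

# make_sample_pem: writes a constructed (non-valid, truncated) PEM file with
# the kind of surrounding noise p11tool output can carry; prints its path.
make_sample_pem() {
    f=$(mktemp)
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBMTCB1wIUTu66kxJIBR5t5IkAwh7Lqm/AM+Iw' \
        'DItkq1MHqzqExB1eTrMHQVY11w62' \
        '-----END CERTIFICATE-----' \
        '' \
        'pi@raspberrypi:~ $' > "$f"
    printf '%s' "$f"
}

# Stand-alone run: print a complete C declaration for the constructed sample.
sample=$(make_sample_pem)
echo 'static const char* x509certificate ='
pem_to_c_literal "$sample" | sed '$ s/$/;/'
rm -f "$sample"
```

Paste the generated declaration into the sample in place of the URI assignment and keep `x509privatekey` as the `pkcs11:` URI; the certificate is public, so storing it in the firmware image loses nothing, and the key never leaves the secure element.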