Closed PrakashK94 closed 10 months ago
The programs in `programs/x509` and `programs/pkey` are designed to work well together. You can see a sample script using them in https://github.com/Mbed-TLS/mbedtls/blob/a95761fb0e0a8bcfbc67fa5c246e11144a1c036b/programs/x509/cert_write_demo.sh (from https://github.com/Mbed-TLS/mbedtls/pull/2698).
To do this, I need to first build the mbedtls library source on a Linux system and then run the script, right?
Will this work with EC keys?
Do you have any sample EC keys with which the write_certificate_request function will pass and produce a CSR?
The script has been tested on Linux. It should work on other Unix-like environments too, including macOS and WSL.
The demo script uses EC keys. You can change it to use RSA by replacing `type=ec` with `type=rsa` when invoking `gen_key`. You can change the curve by adding `ec_curve=…` to `type=ec` when invoking `gen_key`.
Remove the last `cleanup` line if you want to keep the files used by the script. You can also find examples of valid data in the test suites (`test_suite_x509*.data` for X.509 functions).
Where is the test suite?
Is it mandatory to call the code below to make the write_certificate_request function succeed, or is it not needed?
```c
/* Fragment from programs/x509/cert_req.c: seeding the CTR-DRBG from the entropy source */
mbedtls_entropy_init( &entropy );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                                   (const unsigned char *) pers,
                                   strlen( pers ) ) ) != 0 )
{
    mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d", ret );
    goto exit;
}
mbedtls_printf( " ok\n" );
```

```c
#include <stdio.h>
#include <string.h>

#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/md.h"
#include "mbedtls/pk.h"
#include "mbedtls/x509_csr.h"

#define TEST1_SRV1_KEY1_EC1_PEM1 \
"-----BEGIN EC PRIVATE KEY-----\r\n" \
"MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \
"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" \
"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n" \
"-----END EC PRIVATE KEY-----\r\n"

const char prikey1[] = TEST1_SRV1_KEY1_EC1_PEM1;

int main(void)
{
    int ret = 1;
    mbedtls_pk_context key;
    mbedtls_x509write_csr req;
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    const char *pers = "csr example app";          /* DRBG personalization string */
    const char *subject_name = "CN=Cert,O=mbed TLS,C=UK";
    unsigned char output_buf[4096];

    /*
     * Set to sane values
     */
    mbedtls_x509write_csr_init( &req );
    mbedtls_pk_init( &key );
    mbedtls_ctr_drbg_init( &ctr_drbg );
    mbedtls_entropy_init( &entropy );
    memset( output_buf, 0, sizeof( output_buf ) );

    /* The magic number 4 used before is MBEDTLS_MD_SHA256 in Mbed TLS 3.3's mbedtls_md_type_t. */
    mbedtls_x509write_csr_set_md_alg( &req, MBEDTLS_MD_SHA256 );

    /* The DRBG must be seeded from an entropy source: mbedtls_x509write_csr_der needs an RNG. */
    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                                       (const unsigned char *) pers,
                                       strlen( pers ) ) ) != 0 )
    {
        printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
        goto exit;
    }

    if( ( ret = mbedtls_x509write_csr_set_subject_name( &req, subject_name ) ) != 0 )
    {
        printf( " failed\n ! mbedtls_x509write_csr_set_subject_name returned %d\n", ret );
        goto exit;
    }

    /* PEM input must include the terminating NUL, hence sizeof() rather than strlen(). */
    ret = mbedtls_pk_parse_key( &key, (const unsigned char *) prikey1, sizeof( prikey1 ),
                                NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg );
    if( ret != 0 )
    {
        printf( " failed\n ! mbedtls_pk_parse_key returned -0x%04x\n", (unsigned) -ret );
        goto exit;
    }

    mbedtls_x509write_csr_set_key( &req, &key );

    /* On success the DER CSR is written at the end of output_buf and its length is returned. */
    if( ( ret = mbedtls_x509write_csr_der( &req, output_buf, sizeof( output_buf ),
                                           mbedtls_ctr_drbg_random, &ctr_drbg ) ) < 0 )
    {
        printf( " failed\n ! mbedtls_x509write_csr_der returned %d\n", ret );
        goto exit;
    }
    printf( " ok (CSR is %d bytes of DER)\n", ret );
    ret = 0;

exit:
    mbedtls_x509write_csr_free( &req );
    mbedtls_pk_free( &key );
    mbedtls_ctr_drbg_free( &ctr_drbg );
    mbedtls_entropy_free( &entropy );

    return ret;
}
```

Should the above code flow work for getting the CSR?
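Since the curve a key uses decides which MBEDTLS_ECP_DP_*_ENABLED option must be on, it is worth checking what the key file actually encodes before configuring the library. The following is an added example (editor's code, not from the thread or the Mbed TLS project) that walks the SEC1 ECPrivateKey DER of the key quoted above and reports its named curve and the matching Mbed TLS option; the OID table, the PEM matching and the rejection of PKCS#8 blocks and parameter-less keys are my own choices.

```python
import base64
import re

# Named-curve OIDs (DER content bytes) -> (curve name, Mbed TLS option that must be enabled).
CURVE_OIDS = {
    bytes.fromhex("2a8648ce3d030107"): ("secp256r1", "MBEDTLS_ECP_DP_SECP256R1_ENABLED"),
    bytes.fromhex("2b81040022"): ("secp384r1", "MBEDTLS_ECP_DP_SECP384R1_ENABLED"),
    bytes.fromhex("2b81040023"): ("secp521r1", "MBEDTLS_ECP_DP_SECP521R1_ENABLED"),
}
PEM_RE = re.compile(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", re.DOTALL)


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def inspect_ec_key(pem):
    """Report the curve and private scalar size of a SEC1 ECPrivateKey PEM."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a SEC1 'EC PRIVATE KEY' block (PKCS#8 keys say 'PRIVATE KEY')")
    der = base64.b64decode("".join(match.group(1).split()))
    seq_tag, body, _ = read_tlv(der, 0)
    _, version, pos = read_tlv(body, 0)            # version INTEGER, must be 1
    key_tag, scalar, pos = read_tlv(body, pos)     # privateKey OCTET STRING
    if seq_tag != 0x30 or version != b"\x01" or key_tag != 0x04:
        raise ValueError("unsupported ECPrivateKey layout")
    oid = None
    while pos < len(body):                         # optional [0] parameters, [1] publicKey
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0:
            ptag, oid, _ = read_tlv(value, 0)
            if ptag != 0x06:
                raise ValueError("only namedCurve parameters are supported")
    if oid is None:
        raise ValueError("no curve parameters in key; the curve must come from context")
    name, option = CURVE_OIDS.get(oid, ("unknown OID " + oid.hex(), None))
    return {"curve": name, "scalar_bytes": len(scalar), "mbedtls_option": option}


# The EC key quoted in the issue thread above (a test key, not a secret of any real system).
THREAD_KEY = """-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49
AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW
wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==
-----END EC PRIVATE KEY-----"""
```

Calling `inspect_ec_key(THREAD_KEY)` tells you which `MBEDTLS_ECP_DP_*_ENABLED` option the key needs; if it is not among the enabled options in your `mbedtls_config.h`, `mbedtls_pk_parse_key` cannot load the key.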
Since `mbedtls_x509write_csr_der` takes an RNG argument, yes, you need to set it up, meaning you do need the entropy and the DRBG.
I tried to enable the entropy; this function, mbedtls_ctr_drbg_seed, fails with return value -52.
```text
mbedtls-strerror -52
Last error was: -0x0034 - CTR_DRBG - The entropy source failed
```
You need to make sure that entropy is configured correctly on your platform.
I am closing this issue because it is a platform setup issue related to entropy, not a bug report about certificate signing.
We do not use GitHub for support. You can ask support questions on the Mbed TLS mailing list. But since entropy setup is usually very platform-specific, you will probably get better help on a support channel for your platform.
What shall we do in order to enable entropy on our side?
Summary
I see there is one function write_certificate_request() inside main() present in this file, mbedtls/programs/x509/cert_req.c, for generating a certificate signing request. I tried the same from my main(); it doesn't work for me. It fails in the write_certificate_request function. Do you have any sample keys with which you have tested the code present in this cert_req.c file and it worked for you?
System information
Mbed TLS version (number or commit id): 3.3.0
Operating system and version: Ubuntu 20.04
Configuration (if not default, please attach `mbedtls_config.h`): enabled MBEDTLS_X509_CSR_WRITE_C, MBEDTLS_X509_CREATE_C, MBEDTLS_PK_WRITE_C, MBEDTLS_ECP_C, MBEDTLS_ECDSA_C, MBEDTLS_ECP_RESTARTABLE, MBEDTLS_PLATFORM_MEMORY, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_ECDH_LEGACY_CONTEXT, MBEDTLS_ECP_DP_SECP384R1_ENABLED, MBEDTLS_ALLOW_PRIVATE_ACCESS, MBEDTLS_ASN1_WRITE_C, MBEDTLS_PEM_PARSE_C, MBEDTLS_BASE64_C, MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED, MBEDTLS_PEM_WRITE_C, MBEDTLS_ENTROPY_C
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): gcc
Additional environment information:
Expected behavior
write_certificate_request should return 0 on success.
Actual behavior
write_certificate_request returns non-zero.
Steps to reproduce
Used the EC SEC384 key below and executed the steps present in main() in the cert_req.c file.
Additional information
```c
#define TEST1_SRV1_KEY1_EC1_PEM1 \
const char prikey1[] = TEST1_SRV1_KEY1_EC1_PEM1;
```