Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

mbedtls_x509_crt_parse_der FAILED with ffffde1e der Len [-8674] #9748

Open amuthakrishnasamy opened 4 hours ago

amuthakrishnasamy commented 4 hours ago

Summary

I am generating a self-signed certificate with ECDSA SHA384, and mbedtls_x509_crt_parse_der fails with ffffde1e.

System information

Mbed TLS version (number or commit id): 2.28.1
Operating system and version: Ubuntu 20.04.6 LTS
Configuration (if not default, please attach mbedtls_config.h): Attached
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:

Expected behavior

mbedtls_x509_crt_parse_der is expected to return the parsed certificate structure. If the function returns 0, the parsed certificate will be stored in the mbedtls_x509_crt structure that you pass to the function. You can then access various fields of the certificate through this structure, such as: subject name, issuer name, validity period (not before and not after dates), public key information, and extensions (if any).

Actual behavior

mbedtls_x509_crt_parse_der FAILED with ffffde1e der Len [-8674]

Steps to reproduce

I used the code below and got the following output:

///////////////output log/////////////////
mbedtls_x509write_crt_pem success !!!!!!!
mbedtls_x509_crt_parse success !!!!!!!
mbedtls_x509write_crt_der success !!!!!!!
mbedtls_x509_crt_parse_der FAILED !!!!!!! ffffde1e
der Len [-8674]
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

/////////////Code used//////////////////////////
mbedtls_x509_crt crt,crt_der; mbedtls_pk_context key;

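/*
 * Issue reproduction: build a self-signed EC certificate with the X.509
 * writer, emit it as PEM and as DER, and parse both encodings back.
 *
 * This is a fragment of a function body: `crt`, `crt_der` and `key` are
 * declared immediately before it, and the end of the function is not shown.
 *
 * NOTE(review): every early `return ret;` leaves the initialised contexts
 * un-freed; the matching mbedtls_*_free() calls are presumably at the end of
 * the enclosing function -- confirm.
 */
nfi_generate_ecc_key_pair(&key);

int ret;
mbedtls_mpi serial;
mbedtls_x509write_cert crt_writer;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
/* The page renders these as `const char pers` / `const char subject_namem`;
 * the `*` was presumably dropped by markdown, since both are used as strings. */
const char *pers = "crt_gen";
const char *subject_namem = "CN=TestCN";

mbedtls_x509write_crt_init(&crt_writer);
mbedtls_mpi_init(&serial);
mbedtls_x509_crt_init(&crt);
mbedtls_x509_crt_init(&crt_der);
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);

/* Seed the DRBG that the ECDSA signing step draws from. */
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
                                 (const unsigned char *) pers, strlen(pers))) != 0) {
    return ret;
}

if ((ret = mbedtls_mpi_read_string(&serial, 10, "1")) != 0) {
    return ret;
}

/* The setters that return a status are checked so that a rejected field is
 * reported here rather than surfacing later as a confusing write/parse error. */
if ((ret = mbedtls_x509write_crt_set_serial(&crt_writer, &serial)) != 0) {
    return ret;
}
nfi_set_certificate_validity(&crt_writer, 365);
/* Same key as subject and issuer: the certificate is self-signed. */
mbedtls_x509write_crt_set_subject_key(&crt_writer, &key);
mbedtls_x509write_crt_set_issuer_key(&crt_writer, &key);
/* NOTE(review): the report text says ECDSA SHA384, but this selects SHA-256.
 * Use MBEDTLS_MD_SHA384 if SHA-384 is what is actually intended. */
mbedtls_x509write_crt_set_md_alg(&crt_writer, MBEDTLS_MD_SHA256);

if ((ret = mbedtls_x509write_crt_set_subject_name(&crt_writer, subject_namem)) != 0) {
    return ret;
}

if ((ret = mbedtls_x509write_crt_set_issuer_name(&crt_writer, subject_namem)) != 0) {
    return ret;
}

/* CA certificate (is_ca = 1) with a path length limit of 0. */
if ((ret = mbedtls_x509write_crt_set_basic_constraints(&crt_writer, 1, 0)) != 0) {
    return ret;
}
/* NOTE(review): every key-usage bit is asserted here, which is fine for a
 * parser test but far broader than a real CA certificate should carry
 * (normally keyCertSign / cRLSign, plus digitalSignature if needed). */
if ((ret = mbedtls_x509write_crt_set_key_usage(&crt_writer,
                                               MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
                                               MBEDTLS_X509_KU_NON_REPUDIATION |
                                               MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
                                               MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
                                               MBEDTLS_X509_KU_KEY_AGREEMENT |
                                               MBEDTLS_X509_KU_KEY_CERT_SIGN |
                                               MBEDTLS_X509_KU_CRL_SIGN |
                                               MBEDTLS_X509_KU_ENCIPHER_ONLY |
                                               MBEDTLS_X509_KU_DECIPHER_ONLY)) != 0) {
    return ret;
}

// add_extension(&crt_writer,"1.3.2.5.444.2.1","0123",1);

/* --- PEM round trip ---------------------------------------------------- */
unsigned char output_buf[4096];
memset(output_buf, 0, sizeof(output_buf));
ret = mbedtls_x509write_crt_pem(&crt_writer, output_buf, sizeof(output_buf),
                                mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret < 0) {
    printf("mbedtls_x509write_crt_pem FAILED !!!!!!!\n");
    return ret;
} else {
    printf("mbedtls_x509write_crt_pem success !!!!!!!\n");
}

/* The PEM text starts at output_buf[0] and the buffer was zeroed first, so
 * passing the whole buffer gives the parser a NUL-terminated PEM string. */
ret = mbedtls_x509_crt_parse(&crt, output_buf, sizeof(output_buf));
if (ret < 0) {
    printf("mbedtls_x509_crt_parse FAILED !!!!!!!\n");
    return ret;
} else {
    printf("mbedtls_x509_crt_parse success !!!!!!!\n");
}

/* --- DER round trip ---------------------------------------------------- */
unsigned char output_buf_der[4096];

memset(output_buf_der, 0, sizeof(output_buf_der));
ret = mbedtls_x509write_crt_der(&crt_writer, output_buf_der, sizeof(output_buf_der),
                                mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret < 0) {
    printf("mbedtls_x509write_crt_der FAILED !!!!!!!\n");
    return ret;
} else {
    printf("mbedtls_x509write_crt_der success !!!!!!!\n");
}

/*
 * mbedtls_x509write_crt_der() writes the certificate at the END of the
 * buffer and returns its length, so the DER data occupies the last der_len
 * bytes. Keep that length before `ret` is reused.
 *
 * As reported, the call was
 *     mbedtls_x509_crt_parse_der(&crt_der, output_buf_der, sizeof(output_buf_der));
 * which hands the parser the zero padding at the front of the buffer. The
 * first byte is then 0x00 instead of the SEQUENCE tag 0x30, giving
 * 0xffffde1e == -0x21E2 == MBEDTLS_ERR_X509_INVALID_FORMAT (-0x2180)
 *                        + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG (-0x0062).
 */
int der_len = ret;
const unsigned char *der = output_buf_der + sizeof(output_buf_der) - (size_t) der_len;

ret = mbedtls_x509_crt_parse_der(&crt_der, der, (size_t) der_len);
if (ret < 0) {
    printf("mbedtls_x509_crt_parse_der FAILED !!!!!!! %x\n", (unsigned int) ret);
    // return ret;
} else {
    printf("mbedtls_x509_crt_parse_der success !!!!!!!\n");
}

/*
 * Hex-dump the DER encoding. The reported version used `ret` (by then the
 * negative parser status) as the length and indexed the PEM buffer
 * `output_buf`; a negative int compared against size_t becomes a huge bound,
 * so the loop read far outside the array. Use the saved length and the DER
 * buffer instead.
 */
printf("der Len [%d]\n", der_len);
for (size_t i = 0; i < (size_t) der_len; i++) {
    printf("%02x", der[i]);
}
printf("\n");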

amuthakrishnasamy commented 3 hours ago

I used the openssl commands below to check the certificate, and openssl verifies it as OK.

openssl x509 -in root_cert1.cert.der -inform DER -noout -text openssl x509 -in root_cert1.cert.der -inform DER -out root_cert1.cert.pem -outform PEM openssl verify -CAfile root_cert1.cert.pem root_cert1.cert.pem

when mbedtls_x509write_crt_der is used below is the value of output_buf_der with der_len=318(decimal) 30 82 01 3a 30 81 e0 a0 03 02 01 02 02 01 01 30 0c 06 08 2a 86 48 ce 3d 04 03 02 05 00 30 11 31 0f 30 0d 06 03 55 04 03 0c 06 54 65 73 74 43 4e 30 1e 17 0d 32 34 31 31 30 31 30 32 35 38 30 33 5a 17 0d 32 35 31 31 30 31 30 32 35 38 30 33 5a 30 11 31 0f 30 0d 06 03 55 04 03 0c 06 54 65 73 74 43 4e 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 b1 dc ef b3 8b a5 ae d8 c9 2f 6b 78 fa 1b 72 6f 9c 43 27 64 18 bf 88 e4 6f d7 70 09 f2 66 1c 97 90 86 22 c2 61 05 fb 4f db be e9 82 38 88 9d 53 24 f5 ff 34 1a 26 e5 12 80 de 87 8e 07 74 ea 1e a3 27 30 25 30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00 30 0f 06 03 55 1d 0f 01 01 ff 04 05 03 03 07 ff 80 30 0c 06 08 2a 86 48 ce 3d 04 03 02 05 00 03 47 00 30 44 02 20 13 71 f3 12 21 25 88 ad ac 1d ac 15 d1 2b a9 bd f0 7e 08 6d e6 82 05 28 72 e1 8d e0 3b ca 3e 19 02 20 5a 81 93 8a 33 9d 7f 7a ce 65 75 d7 8d 37 52 e2 ac 5f ea ff d8 50 ae cc af 98 22 ff 7a f4 ef 41