Problem parsing PEM certificate

I am using mbedtls to parse a certificate. The code is as follows:

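/**
 * Parse the embedded device certificate and CA certificate with mbedtls.
 *
 * Both PEM blobs are compiled into the image. The function only checks that
 * each one can be decoded into an mbedtls_x509_crt; it does not establish
 * that the device certificate is trusted.
 *
 * @return 0 when both certificates parse, -1 on any failure.
 */
int certificate_parsing(void)
{
    /*
     * PEM is line-oriented: the mbedtls PEM reader expects a line break right
     * after the "-----BEGIN ...-----" header. A backslash-newline inside a
     * string literal splices the source lines together without emitting a
     * newline (and keeps any leading indentation of the next line), so every
     * PEM line is written here as its own literal terminated by "\n".
     */
    const char *cert_pem =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIC4zCCAcsCFG9Cigrq0kDK6cSGFwDtcCgCnrZeMA0GCSqGSIb3DQEBCwUAMIGhMQswCQYDVQQGEwJJTjEUMBIGA1UECAwLTWFoYXJhc2h0cmExDzANBgNVBAcMBk1vbWJhaTEnMCUGA1UECgweVElIIEZvdW5kYXRpb24gZm9yIElvVCBhbmQgSW9FMRMwEQYDVQQLDApOZXR3b3JraW5nMQswCQYDVQQDDAJVRzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AdGloaWl0Yi5vcmcwHhcNMjQwOTMwMDM1NTUwWhcNMjUwOTMwMDM1NTUwWjCBhDELMAkGA1UEBhMCSU4xJzAlBgNVBAoMHlRJSCBGb3VuZGF0aW9uIGZvciBJb1QgYW5kIElvRTEWMBQGA1UEAwwNRGV2aWNlIFVVSUQgOjEUMBIGA1UECAwLTWFoYXJhc2h0cmExDzANBgNVBAcMBk1vbWJhaTENMAsGA1UECwwEdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8v+LW2DEgP4DZHWURAk6OZ2NuOyyk+r+nAeRZ4Bu4q+Vu/sr4OF0vHSSNZTuQ/aXKtHxiLm7A1btg9Obf9PbswDQYJKoZIhvcNAQELBQADggEBACMkpyX9CZJASR0W0/9+G2pgpbkj/klqXcYT+f3jRXDhDdvhgdVXq9sqS9HIdz5vGclFkL3/xpJ3R8xTcZS6irLLR5vCvogw+yjsP7zEtCOi55F5EwvaJc0IPdA3gUoVOh7zqRNIdG66/KefQgSwAWLXlXniwBJHBKKpJRqbOvcGcYcQ9tE+oKY/nLfOaQ//lgALndmxD5bQP7aupkUR2lPqw9V9Q+7T1Cb0cdPTDOJ7hUhi00TcGx4TGw7IEvCHNGISBN7v/JqZrDlRKnczBJJ6tBfIkCVpXjjP1Lcxsp0gJpcwo/YMWKR/NyEqtogVRSUDtfPyj46Sl3qoiX0pdsg=\n"
        "-----END CERTIFICATE-----\n";

    const char *ca =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIEJTCCAw2gAwIBAgIUT2Hn8xUWBIbjmNlIWS33Cb2WkyIwDQYJKoZIhvcNAQEL\n"
        "BQAwgaExCzAJBgNVBAYTAklOMRQwEgYDVQQIDAtNYWhhcmFzaHRyYTEPMA0GA1UE\n"
        "BwwGTXVtYmFpMScwJQYDVQQKDB5USUggRm91bmRhdGlvbiBmb3IgSW9UIGFuZCBJ\n"
        "b0UxEzARBgNVBAsMCk5ldHdvcmtpbmcxCzAJBgNVBAMMAlVHMSAwHgYJKoZIhvcN\n"
        "AQkBFhFhZG1pbkB0aWhpaXRiLm9yZzAeFw0yNDA5MzAwMzQ0MjNaFw0yNzA3MjEw\n"
        "MzQ0MjNaMIGhMQswCQYDVQQGEwJJTjEUMBIGA1UECAwLTWFoYXJhc2h0cmExDzAN\n"
        "BgNVBAcMBk11bWJhaTEnMCUGA1UECgweVElIIEZvdW5kYXRpb24gZm9yIElvVCBh\n"
        "bmQgSW9FMRMwEQYDVQQLDApOZXR3b3JraW5nMQswCQYDVQQDDAJVRzEgMB4GCSqG\n"
        "SIb3DQEJARYRYWRtaW5AdGloaWl0Yi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
        "DwAwggEKAoIBAQCi1hDWy6W5/cO9wlwet/FXH2rrXH6naaql/9oueCQyH6J/OQzs\n"
        "hq9/81CcKY7jC6cQxT+Pg4ZJIBobf0Hrle/QFxoGUEz+/7w9MvrvYcsK94qdI7Lr\n"
        "VUTnlIeUDCXZwMM2Mwimz1kREAN2KJcGcVraT/mtUFHXTpBu4Sr4SxVByRe0BfV6\n"
        "HSbpDej6LbCwwo2bIjyUsgoteXhzsAAOiM0NG82uonvUw2RWBJuPedbkHPAlzdOp\n"
        "nfnxXLX4srp/jvYssBpCiCNSAxBvQY0kJ6fHou7QWOP4I8vbt5E2U7CYAxBTXuVq\n"
        "EWUo7lF/+Wnwj+SAb7dro7DZic3YWP1QbbOnAgMBAAGjUzBRMB0GA1UdDgQWBBQv\n"
        "V84c8zzmyItmRnfJh45dVAW/ITAfBgNVHSMEGDAWgBQvV84c8zzmyItmRnfJh45d\n"
        "VAW/ITAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQANi/+CtqSe\n"
        "rS1X/tCBowKXd6GHYs49WOHG/Dpw6JIWUqNXP+V2v10lIQVlDKtGASSeVhHngT93\n"
        "PaPEZEctCLi/vd6xVSEV7x2AzVjgoZE52jiQedfU82+i7ouYueWtxKGbTMpqkFWI\n"
        "V1anxR6A/4HNzOPU9Dee5bR2wbr0t/+MrCkdt7dOzj68mthLT1LgNLH4eVsSamQb\n"
        "WT5s/719J1h17Dlb/RolrnefQCEwreyTap/Pjsu7sTQ+cGOZJhGQCXEwRRwwv6FN\n"
        "bHDdut72BckkJt/d8fIMrfW0CPHx/UL1rfMbQgCugufPYVVH5aOq0CLUryt3sVip\n"
        "YRQjRK+RwdAA\n"
        "-----END CERTIFICATE-----\n";

    int rc = -1;
    int ret;

    /* The status was ignored before; PSA_SUCCESS is 0, anything else is a failure. */
    int psa_status = (int)psa_crypto_init();
    if (psa_status != 0) {
        printf("psa_crypto_init failed: %d\n", psa_status);
        return -1;
    }

    mbedtls_x509_crt cert;
    mbedtls_x509_crt cacrt;

    /*
     * Initialise BOTH contexts before the first parse. The CA context was
     * previously handed to the parser uninitialised, and initialising up
     * front also makes the shared cleanup below safe on every path.
     */
    mbedtls_x509_crt_init(&cert);
    mbedtls_x509_crt_init(&cacrt);

    /* For PEM input the length must include the terminating NUL, hence +1. */
    ret = mbedtls_x509_crt_parse(&cert, (const unsigned char *)cert_pem,
                                 strlen(cert_pem) + 1);
    if (ret != 0) {
        /* Also print the magnitude in hex: mbedtls documents its codes as -0xNNNN. */
        printf("Failed to parse device certificate: %d (-0x%04X)\n",
               ret, (unsigned int)-ret);
        goto cleanup;
    }

    ret = mbedtls_x509_crt_parse(&cacrt, (const unsigned char *)ca,
                                 strlen(ca) + 1);
    if (ret != 0) {
        printf("Failed to parse CA certificate: %d (-0x%04X)\n",
               ret, (unsigned int)-ret);
        goto cleanup;
    }

    /*
     * NOTE: a successful parse only means the encoding is well-formed and the
     * algorithms are enabled in this build. Nothing here checks that `cert`
     * chains to `cacrt`; a caller that relies on the device certificate must
     * still verify it (e.g. with mbedtls_x509_crt_verify()) before trusting it.
     */
    rc = 0;

cleanup:
    /* Single exit path so neither context leaks when a parse fails. */
    mbedtls_x509_crt_free(&cert);
    mbedtls_x509_crt_free(&cacrt);

    return rc;
}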

It builds successfully but when I flash I get the following error: 

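Failed to parse certificate: -9774, i.e. -0x262E in hex, which does not correspond to a single enumerator. (mbedtls adds a low-level code to a high-level one: -0x262E is MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG (-0x2600) plus MBEDTLS_ERR_OID_NOT_FOUND (-0x002E), i.e. the certificate's signature algorithm is not enabled in this build.)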

Requesting help

  • Hi,

     

    Can you share your configuration?

     

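    You need to enable RSA for this to work (both certificates above are signed with sha256WithRSAEncryption, even though the device certificate's own key is an EC key):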

    CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
    CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
    CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_HEAP_SIZE=81920

     

    Kind regards,

    Håkon

  • #
    # Copyright (c) 2024 Nordic Semiconductor ASA
    #
    # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
    #
    # The Zephyr CMSIS emulation assumes that ticks are ms, currently
    CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000
    
    CONFIG_MAIN_STACK_SIZE=8192
    CONFIG_HEAP_MEM_POOL_SIZE=8192
    
    # Enable logging
    CONFIG_CONSOLE=y
    CONFIG_LOG=y
    
    # Enable nordic security backend and PSA APIs
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=8192
    
    CONFIG_PSA_WANT_ALG_ECDSA=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
    CONFIG_PSA_WANT_ECC_SECP_R1_256=y
    CONFIG_PSA_WANT_ALG_SHA_256=y
    
    # For key generation
    CONFIG_PSA_WANT_GENERATE_RANDOM=y
    
    #----------------------------- Below is what I added beyond ECDSA sample defaults
    
    # mbed TLS and security
    CONFIG_MBEDTLS_PK_C=y
    
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=32768
    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=2304
    CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=2304
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_NRF_SECURITY_ADVANCED=y
    
    # NB: This list of PSA dependencies may be too long
    CONFIG_PSA_WANT_GENERATE_RANDOM=y
    CONFIG_PSA_WANT_KEY_TYPE_AES=y
    CONFIG_PSA_WANT_ALG_CCM=y
    CONFIG_PSA_WANT_ALG_GCM=y
    CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305=y
    CONFIG_PSA_WANT_ALG_CMAC=y
    CONFIG_PSA_WANT_ALG_HMAC=y
    CONFIG_PSA_WANT_ALG_SHA_1=y
    CONFIG_PSA_WANT_ALG_SHA_224=y
    CONFIG_PSA_WANT_ALG_SHA_256=y
    CONFIG_PSA_WANT_ALG_SHA_384=y
    CONFIG_PSA_WANT_ALG_SHA_512=y
    CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
    CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
    CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
    CONFIG_PSA_WANT_ALG_CTR=y
    CONFIG_PSA_WANT_ALG_HKDF=y
    CONFIG_PSA_WANT_ALG_TLS12_PRF=y
    CONFIG_PSA_WANT_ALG_ECDH=y
    CONFIG_PSA_WANT_ALG_ECDSA=y
    CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
    CONFIG_PSA_WANT_ECC_SECP_R1_256=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
    #CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
    CONFIG_PSA_WANT_ALG_STREAM_CIPHER=y
    CONFIG_PSA_WANT_KEY_TYPE_CHACHA20=y
    CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS=y
    
    # ------------------ My custom adds
    CONFIG_LOG_MODE_IMMEDIATE=y
    
    # Enable X509 configs
    CONFIG_MBEDTLS_X509_CREATE_C=y
    CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
    
    # Enable JSON for output
    CONFIG_JSON_LIBRARY=y
    
    CONFIG_MBEDTLS_DEBUG_C=y
    CONFIG_PSA_WANT_ECC_SECP_K1_256=y
    
    # dependencies for CONFIG_MBEDTLS_RSA_C
    CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
    CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
    CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
    
    CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
    CONFIG_PSA_WANT_ALG_ECDSA_ANY=y
    CONFIG_PSA_WANT_ECC_SECP_R1_256=y
    CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
    CONFIG_MBEDTLS_X509_USE_C=y
    CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
    CONFIG_MBEDTLS_ECDSA_C=y
    CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE=y
    CONFIG_MBEDTLS_PK_WRITE_C=y
    

    The certificate has ECDSA keys; what should the configs be for them?

  • I am still getting the error 

    MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780

    After adding the above configs

    I have two certificates: one with RSA keys and another with ECDSA keys.