Problem Parsing pem certificate

RE: Problem Parsing pem certificate

Håkon Alseth — Fri, 11 Oct 2024 12:48:00 GMT

Hi,

The sample that I used is with the _ns board prefix:

[quote user="hkn"]I added your code to https_client sample and ran it for the nrf7002dk_nrf5340_cpuapp_ns target:[/quote]

Could you try this and share your results? And if you get the expected result from this sample, please check your configuration compared to the default configuration that I posted here:

[quote user="hkn"]With the default configuration here: https://github.com/nrfconnect/sdk-nrf/blob/v2.6.1/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf#L0-L1[/quote]

Kind regards,

Håkon

RE: Problem Parsing pem certificate

Utkarsh — Fri, 11 Oct 2024 09:14:48 GMT

I have tried various configs but the code could not build fro nrf5340dk_cpuapp

Requesting help regarding this

RE: Problem Parsing pem certificate

Håkon Alseth — Fri, 04 Oct 2024 07:55:11 GMT

Hi,

I added your code to https_client sample and ran it for the nrf7002dk_nrf5340_cpuapp_ns target:

*** Booting nRF Connect SDK v3.5.99-ncs1-1 ***
HTTPS client sample started
Dev certificate parsing successful
CA certificate parsing successful
Verfication successful
EC Public Key
RSA Public Key

Added your code that you posted in the thread yesterday:

[quote user="Utkarsh-"]There is now a problem with verifying my certificate with the ca, my code is as follows[/quote]

+ these header includes:

#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/timing.h"

With the default configuration here: https://github.com/nrfconnect/sdk-nrf/blob/v2.6.1/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf#L0-L1

Kind regards,

Håkon

RE: Problem Parsing pem certificate

Utkarsh — Fri, 04 Oct 2024 03:42:41 GMT

I have created my own root CA Certificate by generating a self signed certificate and I have used it to sign the device certificate.
These are the steps I followed on openssl:

Generate Root CA RSA Key

openssl genrsa -out rootCA.key 2048

To pass data to be incorporated into the root certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Display root certificate

openssl x509 -in rootCA.pem -text -noout

Convert csr into signed certificate

openssl x509 -req -in CSR/newcert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 365 -sha256

Verify created certificate

openssl verify -CAfile rootCA.pem device.crt

Display generated certificate

openssl x509 -in device.pem -text

RE: Problem Parsing pem certificate

Håkon Alseth — Thu, 03 Oct 2024 10:34:32 GMT

Which root CA are you using?

Kind regards,

Håkon

RE: Problem Parsing pem certificate

Utkarsh — Thu, 03 Oct 2024 10:25:16 GMT

Yes I am getting ok as output there.

RE: Problem Parsing pem certificate

Håkon Alseth — Thu, 03 Oct 2024 10:21:54 GMT

Have you tried the same exercise with openssl?

Which root CA are you using?

Kind regards,

Håkon

RE: Problem Parsing pem certificate

Utkarsh — Thu, 03 Oct 2024 09:54:53 GMT

Actually, I have uploaded the rot CA certificate and am validating a certificate generated by the CA.

RE: Problem Parsing pem certificate

Håkon Alseth — Thu, 03 Oct 2024 08:15:18 GMT

You will need to add the root CA to be able to validate a intermediate CA or similar. I would recommend that you do this first with openssl, and get that working, and then add your corresponding CA chain to mbedtls for verification.

Kind regards,

Håkon

RE: Problem Parsing pem certificate

Utkarsh — Thu, 03 Oct 2024 06:46:26 GMT

There is now a problem with verifying my certificate with the ca, my code is as follows

int certificate_parsing(void){
	psa_crypto_init();
    
    const char *cert_pem = "-----BEGIN CERTIFICATE-----\n"
"MIIC4zCCAcsCFG9Cigrq0kDK6cSGFwDtcCgCnrZeMA0GCSqGSIb3DQEBCwUAMIGh\n"
"MQswCQYDVQQGEwJJTjEUMBIGA1UECAwLTWFoYXJhc2h0cmExDzANBgNVBAcMBk11\n"
"bWJhaTEnMCUGA1UECgweVElIIEZvdW5kYXRpb24gZm9yIElvVCBhbmQgSW9FMRMw\n"
"EQYDVQQLDApOZXR3b3JraW5nMQswCQYDVQQDDAJVRzEgMB4GCSqGSIb3DQEJARYR\n"
"YWRtaW5AdGloaWl0Yi5vcmcwHhcNMjQwOTMwMDM1NTUwWhcNMjUwOTMwMDM1NTUw\n"
"WjCBhDELMAkGA1UEBhMCSU4xJzAlBgNVBAoMHlRJSCBGb3VuZGF0aW9uIGZvciBJ\n"
"b1QgYW5kIElvRTEWMBQGA1UEAwwNRGV2aWNlIFVVSUQgOjEUMBIGA1UECAwLTWFo\n"
"YXJhc2h0cmExDzANBgNVBAcMBk11bWJhaTENMAsGA1UECwwEdGVzdDBZMBMGByqG\n"
"SM49AgEGCCqGSM49AwEHA0IABB8v+LW2DEgP4DZHWURAk6OZ2NuOyyk+r+nAeRZ4\n"
"Bu4q+Vu/sr4OF0vHSSNZTuQ/aXKtHxiLm7A1btg9Obf9PbswDQYJKoZIhvcNAQEL\n"
"BQADggEBACMkpyX9CZJASR0W0/9+G2pgpbkj/klqXcYT+f3jRXDhDdvhgdVXq9sq\n"
"S9HIdz5vGclFkL3/xpJ3R8xTcZS6irLLR5vCvogw+yjsP7zEtCOi55F5EwvaJc0I\n"
"PdA3gUoVOh7zqRNIdG66/KefQgSwAWLXlXniwBJHBKKpJRqbOvcGcYcQ9tE+oKY/\n"
"nLfOaQ//lgALndmxD5bQP7aupkUR2lPqw9V9Q+7T1Cb0cdPTDOJ7hUhi00TcGx4T\n"
"Gw7IEvCHNGISBN7v/JqZrDlRKnczBJJ6tBfIkCVpXjjP1Lcxsp0gJpcwo/YMWKR/\n"
"NyEqtogVRSUDtfPyj46Sl3qoiX0pdsg=\n"
"-----END CERTIFICATE-----";


	const char *ca ="-----BEGIN CERTIFICATE-----\n"
"MIIEJTCCAw2gAwIBAgIUT2Hn8xUWBIbjmNlIWS33Cb2WkyIwDQYJKoZIhvcNAQEL\n"
"BQAwgaExCzAJBgNVBAYTAklOMRQwEgYDVQQIDAtNYWhhcmFzaHRyYTEPMA0GA1UE\n"
"BwwGTXVtYmFpMScwJQYDVQQKDB5USUggRm91bmRhdGlvbiBmb3IgSW9UIGFuZCBJ\n"
"b0UxEzARBgNVBAsMCk5ldHdvcmtpbmcxCzAJBgNVBAMMAlVHMSAwHgYJKoZIhvcN\n"
"AQkBFhFhZG1pbkB0aWhpaXRiLm9yZzAeFw0yNDA5MzAwMzQ0MjNaFw0yNzA3MjEw\n"
"MzQ0MjNaMIGhMQswCQYDVQQGEwJJTjEUMBIGA1UECAwLTWFoYXJhc2h0cmExDzAN\n"
"BgNVBAcMBk11bWJhaTEnMCUGA1UECgweVElIIEZvdW5kYXRpb24gZm9yIElvVCBh\n"
"bmQgSW9FMRMwEQYDVQQLDApOZXR3b3JraW5nMQswCQYDVQQDDAJVRzEgMB4GCSqG\n"
"SIb3DQEJARYRYWRtaW5AdGloaWl0Yi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
"DwAwggEKAoIBAQCi1hDWy6W5/cO9wlwet/FXH2rrXH6naaql/9oueCQyH6J/OQzs\n"
"hq9/81CcKY7jC6cQxT+Pg4ZJIBobf0Hrle/QFxoGUEz+/7w9MvrvYcsK94qdI7Lr\n"
"VUTnlIeUDCXZwMM2Mwimz1kREAN2KJcGcVraT/mtUFHXTpBu4Sr4SxVByRe0BfV6\n"
"HSbpDej6LbCwwo2bIjyUsgoteXhzsAAOiM0NG82uonvUw2RWBJuPedbkHPAlzdOp\n"
"nfnxXLX4srp/jvYssBpCiCNSAxBvQY0kJ6fHou7QWOP4I8vbt5E2U7CYAxBTXuVq\n"
"EWUo7lF/+Wnwj+SAb7dro7DZic3YWP1QbbOnAgMBAAGjUzBRMB0GA1UdDgQWBBQv\n"
"V84c8zzmyItmRnfJh45dVAW/ITAfBgNVHSMEGDAWgBQvV84c8zzmyItmRnfJh45d\n"
"VAW/ITAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQANi/+CtqSe\n"
"rS1X/tCBowKXd6GHYs49WOHG/Dpw6JIWUqNXP+V2v10lIQVlDKtGASSeVhHngT93\n"
"PaPEZEctCLi/vd6xVSEV7x2AzVjgoZE52jiQedfU82+i7ouYueWtxKGbTMpqkFWI\n"
"V1anxR6A/4HNzOPU9Dee5bR2wbr0t/+MrCkdt7dOzj68mthLT1LgNLH4eVsSamQb\n"
"WT5s/719J1h17Dlb/RolrnefQCEwreyTap/Pjsu7sTQ+cGOZJhGQCXEwRRwwv6FN\n"
"bHDdut72BckkJt/d8fIMrfW0CPHx/UL1rfMbQgCugufPYVVH5aOq0CLUryt3sVip\n"
"YRQjRK+RwdAA\n"
"-----END CERTIFICATE-----";
	int ret;
	uint32_t flags;
    mbedtls_x509_crt cert;
	mbedtls_x509_crt cacrt;
	mbedtls_x509_crl crl;
	
    mbedtls_x509_crt_init(&cert);
	mbedtls_x509_crt_init(&cacrt);
	mbedtls_x509_crl_init(&crl);

     ret = mbedtls_x509_crt_parse(&cert, (const unsigned char *)cert_pem, strlen(cert_pem) + 1);
     if (ret < 0) {
         printf("Failed to dev certificate: %d\n", ret);
     }
	 else{
		printf("Dev certificate parsing successful");
	 }

	 ret = mbedtls_x509_crt_parse(&cacrt, (const unsigned char *)ca, strlen(ca) + 1);
    if (ret < 0) {
        printf("Failed to ca certificate: %d\n", ret);
    }
	else{
		printf("CA certificate parsing successful");
	 }


	ret = mbedtls_x509_crt_verify(&cert,&cacrt,&crl,NULL,&flags,NULL,NULL);
	if (ret < 0) {
		if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
    	printf("Verification failed with flags: %u\n", flags);
		}
        printf("Failed to verify certificate: %d\n", ret);
    }
	else{
		printf("Verfication successful");
	 }

	mbedtls_pk_context *cert_public_key = &cert.pk;

	if (mbedtls_pk_can_do(cert_public_key, MBEDTLS_PK_RSA)) {
        printf("RSA Public Key\n");
    } else if (mbedtls_pk_can_do(cert_public_key, MBEDTLS_PK_ECKEY)) {
        printf("EC Public Key\n");
    } else {
        printf("Unknown Public Key Type\n");
    }

	mbedtls_pk_context *ca_public_key = &cacrt.pk;

	if (mbedtls_pk_can_do(ca_public_key, MBEDTLS_PK_RSA)) {
        printf("RSA Public Key\n");
    } else if (mbedtls_pk_can_do(ca_public_key, MBEDTLS_PK_ECKEY)) {
        printf("EC Public Key\n");
    } else {
        printf("Unknown Public Key Type\n");
    }

	mbedtls_x509_crl_free(&crl);
    mbedtls_x509_crt_free(&cert);
	mbedtls_x509_crt_free(&cacrt);

    return 0;
}

The error flag indicates

"MBEDTLS_X509_BADCERT_NOT_TRUSTED"

RE: Problem Parsing pem certificate

Utkarsh — Wed, 02 Oct 2024 13:08:19 GMT

Thank you for the help!

RE: Problem Parsing pem certificate

Håkon Alseth — Wed, 02 Oct 2024 12:21:18 GMT

Hi,

You changed your working certificate to a non-working format. You're lacking the newlines (ie. \n) now.

Kind regards,

Håkon

RE: Problem Parsing pem certificate

Utkarsh — Wed, 02 Oct 2024 11:13:36 GMT

I am still getting the error

MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780

After adding the above configs

I have two certificates one with rsa keys and another with ecdsa keys

RE: Problem Parsing pem certificate

Utkarsh — Wed, 02 Oct 2024 10:58:56 GMT

#
# Copyright (c) 2024 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
# The Zephyr CMSIS emulation assumes that ticks are ms, currently
CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_MAIN_STACK_SIZE=8192
CONFIG_HEAP_MEM_POOL_SIZE=8192

# Enable logging
CONFIG_CONSOLE=y
CONFIG_LOG=y

# Enable nordic security backend and PSA APIs
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192

CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y
CONFIG_PSA_WANT_ALG_SHA_256=y

# For key generation
CONFIG_PSA_WANT_GENERATE_RANDOM=y

#----------------------------- Below is what I added beyond ECDSA sample defaults

# mbed TLS and security
CONFIG_MBEDTLS_PK_C=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=2304
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=2304
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y

# NB: This list of PSA dependencies may be too long
CONFIG_PSA_WANT_GENERATE_RANDOM=y
CONFIG_PSA_WANT_KEY_TYPE_AES=y
CONFIG_PSA_WANT_ALG_CCM=y
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305=y
CONFIG_PSA_WANT_ALG_CMAC=y
CONFIG_PSA_WANT_ALG_HMAC=y
CONFIG_PSA_WANT_ALG_SHA_1=y
CONFIG_PSA_WANT_ALG_SHA_224=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_PSA_WANT_ALG_SHA_384=y
CONFIG_PSA_WANT_ALG_SHA_512=y
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
CONFIG_PSA_WANT_ALG_CTR=y
CONFIG_PSA_WANT_ALG_HKDF=y
CONFIG_PSA_WANT_ALG_TLS12_PRF=y
CONFIG_PSA_WANT_ALG_ECDH=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
#CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
CONFIG_PSA_WANT_ALG_STREAM_CIPHER=y
CONFIG_PSA_WANT_KEY_TYPE_CHACHA20=y
CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS=y

# ------------------ My custom adds
CONFIG_LOG_MODE_IMMEDIATE=y

# Enable X509 configs
CONFIG_MBEDTLS_X509_CREATE_C=y
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y

# Enable JSON for output
CONFIG_JSON_LIBRARY=y

CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_PSA_WANT_ECC_SECP_K1_256=y

# dependencies for CONFIG_MBEDTLS_RSA_C
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y

CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
CONFIG_PSA_WANT_ALG_ECDSA_ANY=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
CONFIG_MBEDTLS_X509_USE_C=y
CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE=y
CONFIG_MBEDTLS_PK_WRITE_C=y

The certificate has ecdsa keys what should be the configs for them?

RE: Problem Parsing pem certificate

Håkon Alseth — Wed, 02 Oct 2024 10:30:55 GMT

Hi,

Can you share your configuration?

You need to enable RSA for this to work:

CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_HEAP_SIZE=81920

Kind regards,

Håkon