1 (edited by Elyhance 2018-06-10 19:38:41)

Topic: [wolfssl 3.14.0] Static RSA: “KeyUse Digital Sig not set”

Hi,

First, I run my routine to connect a mqtt server, and it ends with the server send me an Alert(-313). Then i search the internet and add an another OPTION "WOLFSSL_STATIC_RSA".  Now the error becomes  “KeyUse Digital Sig not set”(-383). What's more, I set my routine not verify the server's certificate.

The log pasted below:

wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering wolfSSL_set_verify
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
[WOLFSSL]Sent data len = 220
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
[WOLFSSL]Error in wolfSSL_connect,ret = -1, err = 2 
// WANT_READ
wolfSSL Entering SSL_connect()
[WOLFSSL]Request recv len = 5, recvd data len = 5
growing input buffer


[WOLFSSL]Request recv len = 82, recvd data len = 82
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Point Formats extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0

[WOLFSSL]Request recv len = 5, recvd data len = 5
growing input buffer


[WOLFSSL]Request recv len = 772, recvd data len = 772
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
    Put another cert into chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Date BEFORE check failed
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Verified Peer's cert
KeyUse Digital Sig not set
wolfSSL Leaving ProcessPeerCerts, return -383
wolfSSL Leaving DoHandShakeMsgType(), return -383
wolfSSL Leaving DoHandShakeMsg(), return -383
wolfSSL error occurred, error = -383
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -383
[WOLFSSL]Error in wolfSSL_connect,ret = -1, err = -383 

The code segment return the error(internal.c:8755):

                #if defined(OPENSSL_EXTRA)
                  /* when compatibility layer is turned on and no verify is
                   * set then ignore the certificate key extension */
                    if (args->dCert->extKeyUsageSet &&
                          args->dCert->extKeyUsageCrit == 0 &&
                          ssl->options.verifyNone) {
                        WOLFSSL_MSG("Not verifying certificate key usage");
                    }
                    else
                #endif
                if (args->dCert->extKeyUsageSet) {
                    if ((ssl->specs.kea == rsa_kea) &&
                        (ssl->options.side == WOLFSSL_CLIENT_END) &&
                        (args->dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) {
                        ret = KEYUSE_ENCIPHER_E;
                    }
                    if ((ssl->specs.sig_algo == rsa_sa_algo ||
                            (ssl->specs.sig_algo == ecc_dsa_sa_algo &&
                                 !ssl->specs.static_ecdh)) &&
                        (args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {
                        WOLFSSL_MSG("KeyUse Digital Sig not set");
                        ret = KEYUSE_SIGNATURE_E;
                    }
                }

The demo client in SDK can connect to the server successfully, but its flow is in the OPENSSL_EXTRA.

Wish someone can help me to solve the problem.

Thanks.

Share

Re: [wolfssl 3.14.0] Static RSA: “KeyUse Digital Sig not set”

Hi Elyhance,

Apologies for the delay in getting back to you!

The error: KeyUse Digital Sig not set”(-383) means the cert being used is being used improperly. IE the Key Usage Extension is set but the cert is NOT allowed to be used as a signing authority. Could you try using a cert that is properly configured for use in validating an entity and let us know your results?

Warm Regards,

Kaleb

Re: [wolfssl 3.14.0] Static RSA: “KeyUse Digital Sig not set”

Hi Elyhance,

Did you ever get a chance to test a cert that was approved as a signing authority? What were your results?