1 Topic by JC

  • JC
  • Member
  • Offline
  • Registered: 2018-08-27
  • Posts: 4

Topic: [SOLVED] Unexpected ASN_NO_SIGNER_E error

Hi there,

I've been working on a project that needs an MQTT library update. The library uses wolfSSL v3.10.2 to run TLSv1.2.

More details:

Same code seems to work fine on other platforms and versions:

  • The previous version of the project also used WolfSSL, with no connection problems.

  • I am running the same version of the MQTT library and WolfSSL, the same RTOS, network stack and CA cert store on a different hardware platform. No connection problems.

  • I have tried many different configurations: Almost exactly the same as the previous version, almost exactly the same as other platforms, exactly the same as the WolfSSL IDE sample projects, combinations of them all, fully custom... None of that fixes the issue.

More debugging:

  • I've used wireshark to obtain the cert chain provided by the server. It starts at this intermediary:

        [-] Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA[/-]
        [-] Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2[/-]
      Then I printed the device's CA cert buffer after CyaSSL_CTX_load_verify_buffer returns SSL_SUCCESS. It contains 4 roots; this is one of them:

        [-] Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA[/-]
        [-] Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA[/-]
      So I think the certificate store is OK. To verify that 100%, I copy/pasted the printed buffer into a file, ran WolfSSL's client example with that store, and got a successful TLS connection

  • I disabled certificate validation, but the connection still failed. This time, with a PEER_KEY_ERROR (-342)

  • SNI and OCSP are enabled on the device, as required by the server

  • Cipher suites seem compatible. The wireshark'd Client Hello includes a list of 10 suites, and the Server Hello selected the client's first option (0xc027: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)

  • The validation process fails after the client has received the server’s certificate chain, the second time WolfSSL calls GetCA() in asn.c. The first certificate is parsed correctly, but the second one returns NULL, which makes ParseCertRelative() return ASN_NO_SIGNER_E.

Here's an overview of the failed TLS handshake in wireshark:

https://i.imgur.com/U476H1I.png

My WolfSSL IAR project is configured for the correct platform. The project itself only defines WOLFSSL_USER_SETTINGS, which is also defined in the IAR project for the MQTT library. Both of them include the same header:

/* From WolfSSL's original IAR sample */
#define NO_MAIN_DRIVER
#define BENCH_EMBEDDED
#define SINGLE_THREADED
#define NO_FILESYSTEM
#define NO_WRITEV
#define WOLFSSL_USER_IO
#define NO_DEV_RANDOM
#define WOLFSSL_USER_CURRTIME
#define SIZEOF_LONG_LONG 8

/* Libxively requirements */
#define TIME_OVERRIDES
#define HAVE_TLS_EXTENSIONS
#define HAVE_CERTIFICATE_STATUS_REQUEST
#define HAVE_OCSP
#define HAVE_SNI
#define CUSTOM_RAND_GENERATE_SEED xi_bsp_rng_generate_wolfssl_seed

/* Flash and RAM optimizations */
#define SMALL_SESSION_CACHE
/* To be defined once I have a working connection:
NO_DES
NO_DES3
NO_DSA
NO_ERROR_STRINGS
NO_MD4
NO_PSK
NO_PWDBASED
NO_RC4
NO_RABBIT
NO_HC128
NO_SHA512
*/

Are you familiar with this issue? Can you see any problems with my build configuration? Any idea on where I should keep debugging?
Any suggestions would be greatly appreciated.

Thanks!

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: [SOLVED] Unexpected ASN_NO_SIGNER_E error

Hi JC,

Thank you for the details. I am not seeing anything extremely obvious but I am curious what error occurred prior to ASN_NO_SIGNER_E lower in the crypto library. Could you try two things and let me know the results:

1) Could you compile and run the application: <wolfssl-root>/wolfcrypt/test/test.c to confirm all the crypto is running properly on your device.
2) Once you have confirmed the crypto is working (if it is) could you add the define DEBUG_WOLFSSL to your settings and make the connection again. Can you send us the resulting log from the failed connection for review?

Warm Regards,

Kaleb

Kaleb J. Himes's Website

Share

3 Reply by JC

  • JC
  • Member
  • Offline
  • Registered: 2018-08-27
  • Posts: 4

Re: [SOLVED] Unexpected ASN_NO_SIGNER_E error

Hi Kaleb,

Thanks a lot for your support.

Output of the test application:

MD5      test passed!
MD4      test passed!
SHA      test passed!
SHA-256  test passed!
HMAC-MD5 test passed!
HMAC-SHA test passed!
HMAC-SHA256 test passed!
ARC4     test passed!
AES      test passed!
RANDOM   test passed!
wolfSSL Entering GetMyVersion
RSA_FUNCTION MP_EXPTMOD_E: memory/config problem
RSA_FUNCTION MP_EXPTMOD_E: memory/config problem
RSA      test failed!
 error = -43

Log of the application with DEBUG_WOLFSSL: https://gist.github.com/Palantir555/280 … 08c0a305b7

Seems like there's an issue with RSA. Any suggestions?
I'm gonna keep debugging in the meantime.

Cheers,
JC

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 140

Re: [SOLVED] Unexpected ASN_NO_SIGNER_E error

Kaleb is out of the office right now. I'll try to help you in his place.

Are you using normal math or fast math? Does your build environment have a realloc() function set up? If you are setting USE_FAST_MATH, you won't need a realloc. Fast math puts preallocated large integers on the stack rather than allocating and reallocating memory to store the large integer.

--John

john's Website

Share

5 Reply by JC

  • JC
  • Member
  • Offline
  • Registered: 2018-08-27
  • Posts: 4

Re: [SOLVED] Unexpected ASN_NO_SIGNER_E error

Thanks John.

Sorry it's taking me a while to get back to you.
The logs I sent earlier did NOT use USE_FAST_MATH.

I'm trying to get the device running fast math, since I'm not sure our realloc() works correctly on this platform. I'm having lots of trouble, though. Runtime crashes during cert signature verification, memory allocation issues (the device has very limited RAM), stack overflows...

I'm gonna keep trying to get fast math working. Would you say that a malfunctioning realloc() along with big integer math is likely to be the root of the ASN_NO_SIGNER_E issue?

Thanks,
JC

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 140

Re: [SOLVED] Unexpected ASN_NO_SIGNER_E error

I think it might be the root of it. If it cannot use the big integer math it cannot check the signatures on the certificates. Unfortunately, public key crypto is a memory hog.

Have you tried connecting to your server with our command line client from Windows, Linux, or macOS? Sometimes I find that web servers will return different certificate chains between connecting with a browser and from the command line tool. I believe that the web servers return a redirect or a JS that triggers a new connection from a CDN that is using a slightly different certificate chain with a different root CA certificate.

john's Website

Share

7 Reply by JC

  • JC
  • Member
  • Offline
  • Registered: 2018-08-27
  • Posts: 4

Re: [SOLVED] Unexpected ASN_NO_SIGNER_E error

Hi John,

I wanted to give you an update on this issue.

I was unable to get USE_FAST_MATH to work on the device, but you did get me on the right track. Memory reallocation was not properly implemented, which caused the ASN_NO_SIGNER_E issue. I went back to big integer math, fixed the allocation scheme, and the device is now able to connect successfully.

Thanks for your support,

JC

Share