Topic: Extract information from PEM style certificate with `WOLFCRYPT_ONLY`

I am using wolfSSL for an embedded device. I have added `WOLFCRYPT_ONLY` to enable only wolfCrypt and disable the TLS/SSL layer.
Also, since there is no file system, I added the corresponding NO_FILESYSTEM.

This disables a lot of certificate file parsing functions.
I have a blob of a PEM style certificate stored in the buffer, which I need to parse and extract information from.

Which includes should I make in user_settings.h, or which functions should I use to successfully parse the certificates? Is certificate parsing allowed with `WOLFCRYPT_ONLY`?

I just need to extract the public key and the date of signing from this PEM certificate blob.

Re: Extract information from PEM style certificate with `WOLFCRYPT_ONLY`

Hi Swapnil,

Certificate parsing is available with WOLFCRYPT_ONLY. Please see this example for how to do this if you already have your certificate in DER format: https://github.com/wolfSSL/wolfssl-exam … y-decode.c. I have tested that this example works when wolfSSL is compiled with:

    ./configure --enable-cryptonly --enable-ecc --enable-ecccustcurves CFLAGS="-DWOLFSSL_TEST_CERT -DWOLFSSL_DER_TO_PEM -DHAVE_ECC_KOBLITZ"

To get the DER format from a PEM buffer please use this API: https://www.wolfssl.com/doxygen/group__CertsKeys.html

    int wc_CertPemToDer(const unsigned char* pem, int pemSz,
                        unsigned char* buff, int buffSz, int type)

To get the date from the certificate:

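    #include <wolfssl/wolfcrypt/asn.h>
    #include <wolfssl/wolfcrypt/asn_public.h>

    /* tmp holds the DER-encoded certificate, bytes is its length */
    DecodedCert cert;
    struct tm   timearg;
    const byte* date;
    byte        dateFormat;
    int         dateLength;
    int         ret;

    InitDecodedCert(&cert, tmp, (word32)bytes, NULL);

    /* NO_VERIFY: decode only, the certificate signature is not checked */
    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
    if (ret != 0) /* handle error */;

    /* cert.afterDate is the raw ASN.1 notAfter field */
    ret = wc_GetDateInfo(cert.afterDate, cert.afterDateLen, &date,
                         &dateFormat, &dateLength);
    if (ret != 0) /* handle error */;

    ret = wc_GetDateAsCalendarTime(date, dateLength, dateFormat, &timearg);
    if (ret != 0) /* handle error */;

    /* release resources held by the decoded certificate */
    FreeDecodedCert(&cert);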

After this you will have a time object populated with the expiry date of the certificate.

Sincerely
Juliusz

Re: Extract information from PEM style certificate with `WOLFCRYPT_ONLY`

Hi Juliusz,

Thanks for the quick reply.

I just had to make a single modification and it works.
I use WOLFSSL_STATIC_MEMORY and WOLFSSL_NO_MALLOC.

Since

    WOLFSSL_API int wc_CertPemToDer(const unsigned char*, int,
                                    unsigned char*, int, int);

does not give any interface to pass the static heap, I used

    WOLFSSL_API int wc_PemToDer(const unsigned char* buff, long longSz, int type,
                  DerBuffer** pDer, void* heap, EncryptedInfo* info, int* eccKey);

instead.

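An added illustration, not code from this thread or from wolfSSL: the kind of PEM-to-DER conversion discussed above, written against a caller-supplied fixed buffer so it needs neither a heap nor a file system. The names `pem_cert_to_der`, `find`, `b64_val` and `SAMPLE_PEM` are hypothetical, and the sample input is constructed.

```c
#include <string.h>

/* Constructed sample, not a real certificate: the body decodes to 30 03 02 01 05. */
const char SAMPLE_PEM[] = "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n";

/* Value of one base64 character, or -1 if it is outside the alphabet. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Offset of pat in buf[from..n), or -1; buf need not be NUL-terminated. */
static long find(const char *buf, size_t n, size_t from, const char *pat) {
    size_t m = strlen(pat), i;
    for (i = from; m <= n && i <= n - m; i++)
        if (memcmp(buf + i, pat, m) == 0) return (long)i;
    return -1;
}

/* Decode the first CERTIFICATE block of pem into caller-owned der (no heap).
 * Returns the DER length, or -1 on bad input or if der is too small. */
long pem_cert_to_der(const char *pem, size_t pemSz, unsigned char *der, size_t derSz) {
    static const char head[] = "-----BEGIN CERTIFICATE-----";
    long h = find(pem, pemSz, 0, head), f;
    size_t i, out = 0;
    unsigned int acc = 0, bits = 0, pad = 0;

    if (h < 0) return -1;
    i = (size_t)h + sizeof(head) - 1;          /* first byte after the header */
    f = find(pem, pemSz, i, "-----END CERTIFICATE-----");
    if (f < 0) return -1;
    for (; i < (size_t)f; i++) {
        unsigned char c = (unsigned char)pem[i];
        int v = b64_val(c);
        if (c == '\r' || c == '\n' || c == ' ' || c == '\t') continue;
        if (c == '=') { pad++; continue; }
        if (v < 0 || pad > 0) return -1;       /* junk, or data after padding */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= derSz) return -1;       /* never write past der[] */
            der[out++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    return (bits == 6 || pad > 2) ? -1 : (long)out;
}
```

The DER bytes and length produced this way are the kind of input that `InitDecodedCert` takes in the reply above.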