Hi Kaleb,

we upgraded WolfSSL from 3.6.8 to 3.11.0 a few weeks ago.

Hi Kaleb,

in the attachment is part of a script which generates ECC certificates [encrypted].
This script generates the CA private key/cert, the client private key and the client signing request, and signs the signing request with the CA.

1) Extract the archive to the /tmp folder and run ./ecc.sh.
2) Fill in the password for the CA; except for the FQN parameter you can enter the default values (they have to be unique), ..., and agree to sign.
3) In the /tmp folder you can find the certificates in DER format.

The main problem is decoding a certificate during the TLS handshake.

Received certificate:
https://lapo.it/asn1js/#308203C93082036 … A9D5721F92

you can see a parameter called keyUsage, but when it's decoded by wolfCrypt, the function CheckBitString has a premise that the lowest bit of the value has to be 1. I don't know why. The certificate is OK, but wolfCrypt can't parse it.

input = 03 02 05 80

static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
                          word32 maxIdx, int zeroBits, byte* unusedBits)
{
    ...
    // b is the first content octet of the BIT STRING: the number of unused
    // (padding) bits in the last octet. For input 03 02 05 80, b = 5.

    if (b >= 0x08)                                            // at most 7 unused bits are allowed
        return ASN_PARSE_E;
    if (b != 0) {                                             // b = 5
        if ((byte)(input[idx + length - 1] << (8 - b)) != 0)  // the b padding bits must all be 0
            return ASN_PARSE_E;
        if (((input[idx + length - 1] >> b) & 0x01) != 0x01)  // the last kept bit must be 1 -- PROBLEM!!!!!! input[idx + length - 1] = 0x80, (0x80 >> 5 & 1) == 0!!
            return ASN_PARSE_E;
    }

    ...
    return 0;
}

I have generated an ECC key pair signed by the CA with the openssl tool in DER format.
I tried to load the public key into an ecc_key structure, but wc_EccPublicKeyDecode() returns ASN_OBJECT_ID_E.

Here is part of the code:

#include <wolfssl/wolfcrypt/ecc.h>

// cert_der_ptr = 3082029C 30820243 A003020102 ...
// (cert_der_ptr / cert_der_size: the DER certificate loaded earlier)

word32 idx;      // wc_EccPublicKeyDecode() takes a word32 index, not an int
int ret;
ecc_key pubk;

wc_ecc_init( &pubk );

idx = 0;
ret = wc_EccPublicKeyDecode( cert_der_ptr, &idx, &pubk, cert_der_size );
// here: ret == ASN_OBJECT_ID_E

// wc_EccPublicKeyDecode() expects two sequences and an ObjectId, but the ObjectId is not at that position:
// { GetSequence, GetSequence, SkipObjectId -> GetASNObjectId { b = 0xA0, b != ASN_OBJECT_ID -> return ASN_OBJECT_ID_E; } }
// (0xA0 is the [0] EXPLICIT version tag that opens TBSCertificate, i.e. the bytes A0 03 02 01 02 above)

Here you can find the decoded ASN.1 DER certificate:

https://lapo.it/asn1js/#3082029C3082024 … 90D63DBED7

Is it a bug, an unsupported DER format, or something else wrong?
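The BIT STRING checks from the CheckBitString excerpt above, as an added stand-alone example that is not part of the original posts or of wolfSSL: it decodes a keyUsage value such as 03 02 05 80, performs the same unused-bits and zero-padding checks, and keeps the DER "last kept bit must be 1" rule behind a strict flag so the two behaviours can be compared. The constants, function name and sample bytes are my own.

```c
/* Added example, not wolfSSL code: a stand-alone DER reader for the X.509
 * keyUsage BIT STRING with the same checks as the CheckBitString excerpt. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KU_DIGITAL_SIGNATURE 0x8000 /* named bit 0, stored MSB-first */
#define KU_KEY_CERT_SIGN     0x0400 /* named bit 5 */
#define KU_DECIPHER_ONLY     0x0080 /* named bit 8, lives in the 2nd data octet */
#define KU_ERR_PARSE (-1) /* bad tag/length, unused bits > 7, or padding != 0 */
#define KU_ERR_DER   (-2) /* valid BER, but not minimal DER (strict mode only) */

/* Decode "03 <len> <unused> <data...>" and return the 16-bit keyUsage flag
 * word, or a negative KU_ERR_* code. With strict != 0 the DER rule for
 * named bit lists (X.690 11.2.2) is enforced as well: trailing zero bits must
 * have been dropped, so the last kept bit is 1. That is the test the post
 * marks "PROBLEM": 03 02 05 80 passes lenient decoding but fails strict. */
int decode_key_usage(const uint8_t *in, size_t len, int strict)
{
    size_t n;
    uint8_t unused, last;
    int flags;

    if (len < 3 || in[0] != 0x03) return KU_ERR_PARSE;       /* BIT STRING tag */
    n = in[1];                                               /* short-form length */
    if (n < 1 || n > 3 || len != 2 + n) return KU_ERR_PARSE; /* unused octet + 0..2 data */
    unused = in[2];
    if (unused >= 8) return KU_ERR_PARSE;                    /* X.690 8.6.2.2 */
    if (n == 1) return unused == 0 ? 0 : KU_ERR_PARSE;       /* empty bit string */
    last = in[1 + n];
    if (unused != 0) {
        if ((uint8_t)(last << (8 - unused)) != 0)            /* pad bits must be 0 */
            return KU_ERR_PARSE;
        if (strict && ((last >> unused) & 1) == 0)           /* DER minimality */
            return KU_ERR_DER;
    }
    flags = in[3] << 8;
    if (n == 3) flags |= in[4];
    return flags;
}

int main(void)
{
    const uint8_t ku[] = { 0x03, 0x02, 0x05, 0x80 }; /* constructed: the post's value */
    printf("lenient: 0x%04x\n", decode_key_usage(ku, sizeof ku, 0)); /* 0x8000 */
    printf("strict : %d\n", decode_key_usage(ku, sizeof ku, 1));     /* -2 */
    return 0;
}
```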