I think it may relate to the note below:

wolfSSL takes a different approach to certificate verification than OpenSSL
does. The default policy for the client is to verify the server; this means
that if you don't load CAs to verify the server you'll get a connect error,
"no signer error to confirm failure" (-188). If you want to mimic the OpenSSL
behavior of having SSL_connect succeed even if verifying the server fails,
reducing security, you can do this by calling:

    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

before calling wolfSSL_new(), though it's not recommended.

Could anyone confirm this?
If the failure relates to the note, is it possible to provide wolfSSL_X509_STORE_CTX_set_verify as well, or something like that?

Even so, it does not make sense that code that worked well stops working after changing the subject's OU in the certificate.

I have investigated the internal function wolfSSL_X509_verify_cert().

It may return ASN_NO_SIGNER_E because of the non-existence of a CA:

    /* excerpt from wolfSSL's ParseCertRelative(); the elided part is the signature check */
    int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
    {
        if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
            if (cert->ca) {
               ...
            }
            else {
                /* no signer */
                WOLFSSL_MSG("No CA signer to verify with");
                return ASN_NO_SIGNER_E;
            }
        }
    }

But I put the CA certificate into the store before calling X509_verify_cert(), as below, and I modified only the certificate.

    store = wolfSSL_X509_STORE_new();
    if (store == NULL) {
        printf(" [CACert] can not create certificate store");
    }
    ctx = wolfSSL_X509_STORE_CTX_new();
    if (ctx  == NULL) {
        printf(" [CACert] can not create certificate store container");
    }

    int ret = wolfSSL_X509_STORE_add_cert(store, mRootCert->mX509);
    if ( ret != SSL_SUCCESS) {
        mRootCert = NULL;
        char reason[100] = {0,};
        wolfSSL_ERR_error_string(ret, reason);
        printf(" Check CAcertificate availability, error code = %d, %s", ret, reason);
    } else {
        printf(" Success to add root certificate into store");
    }

I faced an error when calling wolfSSL_X509_verify_cert().

This code worked well before, but after shrinking the OU by 1 byte the function returns error -188, ASN no signer error to confirm failure.

The value of wolfSSL_X509_STORE_CTX_get_error(ctx) is zero.

    if ((ret = wolfSSL_X509_STORE_CTX_init(ctx, store, signCert, NULL)) != SSL_SUCCESS) {
        printf(" Fail to init store context");
    } else {
        printf(" Success to init store context %d", ret);
    }
    if ((ret = wolfSSL_X509_verify_cert(ctx)) < 0) {
        printf(" Fail to verify signing certificate, %d ", wolfSSL_X509_STORE_CTX_get_error(ctx)); 
        char reason[100] = {0,};
        wolfSSL_ERR_error_string(ret, reason);
        printf(" Check certificate availability, error code = %d, %s", ret, reason);
    } else {
        printf(" Success to verify signing certificate");
    }

Output:

Success to init store context
Fail to verify signing certificate, 0
Check root certificate availability, error code = -188, ASN no signer error to confirm failure

To confirm the new certificate is fine, I checked with openssl as below.

    $ openssl verify -verbose -CAfile ca2.cer CERT.pem
    CERT.pem: OK
    $ openssl verify -verbose -CAfile ca2.cer CERT_new.pem
    CERT_new.pem: OK

Please advise how to resolve this.

Thanks.

I used the wc_RsaSSL_Verify function for verifying with an RSA key (the signature's size is 256 bytes).

    word32 output_len = 1073741824; /* 2^30; signature is a 256-byte array, and an output buffer of that size (the RSA modulus) is enough */
    unsigned char *output = (unsigned char *)malloc(output_len);
    if (output == NULL) {               /* a 1 GiB malloc() can fail; memset() on NULL faults */
        printf(" Fail to allocate output buffer");
    } else {
        memset(output, 0, output_len);  /* was sizeof(output_len), which clears only 4 bytes */
        ret = wc_RsaSSL_Verify(signature, sizeof(signature), output, output_len, &RSAkey);
    }

I had increased the output buffer's size up to 2^29 (536870912), but the function still returned -131.
-131 is RSA_BUFFER_E, which means the output buffer is too small.

So I set the output buffer size to 2^30, and then the process was killed by SIGSEGV in a system library:
Process 2093085 (temp) terminated SIGSEGV code=1 fltno=11 ip=0000000100076184(/usr/lib/ldqnx-64.so.2@__memset_isr+0x0000000000000064) mapaddr=0000000000076184. ref=0000000000000000

I think 2^29 is large enough; how much is needed? Are there any precautions for using wc_RsaSSL_Verify()?

modified..

Thanks Chrisc! It works fine. I simply included options.h first in the source file that includes the wolfSSL headers.

Hi,

I faced a crash when creating an RSA key.

The code is very simple, like below:

    RsaKey key;
    wc_InitRsaKey( &key, NULL );

The crash log is below:

Process 987165 (temp) terminated SIGSEGV code=2 fltno=11 ip=000000010050f0ab(/usr/lib/libwolfssl.so.12@wc_InitRsaKey_ex+0x000000000000002f) mapaddr=00000000000180ab. ref=0000000008049800

and the gdb backtrace is below:

(gdb) bt
#0  0x000000010050f0ab in wc_InitRsaKey_ex (key=0x80475b0, heap=0x0, devId=-2) at wolfcrypt/src/rsa.c:188
#1  0x000000010050f1c0 in wc_InitRsaKey (key=0x80475b0, heap=0x0) at wolfcrypt/src/rsa.c:223
(gdb) f 0
#0  0x000000010050f0ab in wc_InitRsaKey_ex (key=0x80475b0, heap=0x0, devId=-2) at wolfcrypt/src/rsa.c:188
188         key->type = RSA_TYPE_UNKNOWN;
(gdb) l
183
184         if (key == NULL) {
185             return BAD_FUNC_ARG;
186         }
187
188         key->type = RSA_TYPE_UNKNOWN;
189         key->state = RSA_STATE_NONE;
190         key->heap = heap;
191         key->data = NULL;
192         key->dataLen = 0;
(gdb) print &(key->type)
$12 = (int *) 0x8049800

This is strange because the key variable is okay.

Could you help me fix it?
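The reply above resolves the wc_InitRsaKey crash by including options.h first, and the same include order applies to the wc_RsaSSL_Verify snippet. As an added build check that is not from the thread or the wolfSSL project, this POSIX shell script flags source files that include a wolfssl/ header before wolfssl/options.h (or user_settings.h, which wolfSSL uses when built with WOLFSSL_USER_SETTINGS); the file names it is run on are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or wolfSSL): check that every source file
# which includes a wolfSSL header includes the build configuration first.
# wolfSSL requires <wolfssl/options.h> (or user_settings.h when the library is
# built with WOLFSSL_USER_SETTINGS) before any other wolfssl/ header, so the
# application compiles against the same structure layouts the library uses.

# Line number of the first #include of any wolfssl/ header (empty if none).
first_wolfssl_include() {
    grep -n -E '^[[:space:]]*#[[:space:]]*include[[:space:]]*[<"]wolfssl/' "$1" \
        | head -n 1 | cut -d: -f1
}

# Line number of the first configuration header include (empty if none).
first_config_include() {
    grep -n -E '^[[:space:]]*#[[:space:]]*include[[:space:]]*[<"](wolfssl/options\.h|user_settings\.h)[>"]' "$1" \
        | head -n 1 | cut -d: -f1
}

# Return 0 if the file is fine, 1 if a wolfssl/ header precedes the config header.
check_file() {
    file=$1
    w=$(first_wolfssl_include "$file")
    if [ -z "$w" ]; then
        return 0                      # no wolfSSL headers: nothing to check
    fi
    c=$(first_config_include "$file")
    if [ -z "$c" ]; then
        echo "$file:$w: wolfssl header included without options.h/user_settings.h" >&2
        return 1
    fi
    if [ "$c" -gt "$w" ]; then
        echo "$file:$w: wolfssl header included before options.h (line $c)" >&2
        return 1
    fi
    return 0
}

# Check all files given as arguments; exit status 1 if any of them fails.
check_all() {
    status=0
    for f in "$@"; do
        check_file "$f" || status=1
    done
    return "$status"
}

# Usage: sh check_wolfssl_includes.sh src/*.c
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```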