1 Topic by ePaul (edited by ePaul 2018-09-07 11:07:15)

  • Registered: 2018-08-29
  • Posts: 16

Topic: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hello Everybody,

Please guide me for proper way to generate CSR (Certificate Signing Requests) containing "serialNumber" attribute (OBJECT IDENTIFIER serialNumber (2 5 4 5)[https://www.alvestrand.no/objectid/2.5.4.5.html.

I'm using current wolfSSL & wolfTPM master brach from github on PI3Bplus with raspbian 4.14.66-v7+ and SLB9670 IRIDIUM board (TPM2.0).

I only manage to do it in openssl:

openssl genrsa -out rsa.key 2048
openssl req -new -sha256 -key rsa.key -out reqcsr.csr -subj "/C=GB/ST=London/L=London/O=Global\ Security/OU=IT\ Department/CN=example.com/serialNumber=1801908070"

-----BEGIN CERTIFICATE REQUEST-----
MIIC0jCCAboCAQAwgYwxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzAN
BgNVBAcMBkxvbmRvbjEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQL
DA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNvbTETMBEGA1UEBRMK
MTgwMTkwODA3MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKfpHrGY
FprGTq5g261U/eYp2mo0aBZmlT4QN1C20Un9OGOwsitQAE0/pKdD4kqb3kAzaKmX
hrraHIpCCz9fMHdty4pTe6hgA5pS5oM1sBuQ/yDhca20Tu4kF9ka+ZegVkbpdnIe
BRYT6mTMTgJh3qOb3Jy3fk4b5WHxWlnDtkZ2GssABzAWmycm20gdw4XE7Gjny+P2
d6IVMaYM4vxzhlGMoZClKSW5GnfJ+bNbeiAJ1MvyGQkIrAzysquzxgnPbg8uDS1J
v7t+PrxhlIb6ug278xpZ7hTahUMC0JlKYqgy5UjZqJs0vz4s6DGOWgWFdqdXmlYt
qrMA2SpzmNUyN1kCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9oo0ceORqHULb
j165QlgUNGr+ry1S4k8Acb1GDN6EysL3Udj8SnMqR7lqDl77hvGs+b9cbbm9kg+y
XzKTD/c7nlKOaR3pyeUTjUfg/mruygIzU/xL9tFb3T4tZ1C7kJZY6d+Xxhr15UWW
lPdg7ijftHVLtvzQFeXywiTzNdRyuYUvA53Qk6OFp0wT4vfQsAT9KOVBNKVlRhiO
WsdEzlF1g3JGQaR0KdaPcV7ZNmFa7lfYVFMBwPK7vT05ie7Mc6b8KrgQHJcQtmRL
MyPXPTY9Wy0ubC8tfx7OLD4G7gxEeak277CHhcbBbvvF+/RFRi6yf7VuZqLyHtjl
5n06UrZb
-----END CERTIFICATE REQUEST-----

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi ePaul,

Thank you for using the wolfSSL forums! We very much appreciate hearing how and why users are evaluating/testing with wolfSSL, can you tell us a little about what you do and the current project you are working on?

We have an example of programmatically generating a CSR in wolfSSL if you look at the test application <wolfssl-root>/wolfcrypt/test/test.c

The function rsa_certgen_test is a good place to start. Then notice when we copy in the certDefaultName that if WOLFSSL_MULTI_ATTRIB is defined we provide up to 4 additional attributes that users can specify. See function "initDefaultName" which we call earlier on in the tests. In that function check the section guarded by macro WOLFSSL_TEST_CERT (also depends on WOLFSSL_MULTI_ATTRIB being defined). Then you'll see a section guarded by "#if CTC_MAX_ATTRIB > 3" These are the user-configurable attributes.

Please let me know if you have any questions while getting your extra attribute setup!

Example based on the link you sent:

         NameAttrib* n;              
                                                                  
         n = &certDefaultName.name[0];                                            
         n->id   = ASN_SERIAL_NUMBER;                                              
         n->type = CTC_PRINTABLE;                                                      
         n->sz   = sizeof("1801908070");                                       
         XMEMCPY(n->value, "1801908070", sizeof("1801908070"));

Warm Regards,

Kaleb

Kaleb J. Himes's Website

Share

3 Reply by ePaul (edited by ePaul 2018-08-30 07:23:17)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi Kaleb,

Thanks for you support.
I found in https://github.com/wolfSSL/wolfssl/blob … lic.h#L177 that for extra attributes(NameAttrib ) I need WOLFSSL_MULTI_ATTRIB to be define (as you previuosly said) so I run: 

./configure --enable-all

... => resulted in bellow ERROR

  CC       tests/tests_unit_test-api.o
  CC       tests/tests_unit_test-suites.o
  CC       tests/tests_unit_test-hash.o
tests/api.c: In function ‘test_wolfSSL_ASN1_TIME_adj’:
tests/api.c:17716:20: error: integer overflow in expression [-Werror=overflow]
     t = (time_t)85 * year + 59 * day + 9 * hour + 21 * day;
         ~~~~~~~~~~~^~~~~~
  CC       tests/tests_unit_test-srp.o
  CCLD     src/libwolfssl.la
  CCLD     wolfcrypt/benchmark/benchmark

Please advise how to solve.

Thank you,
Paul

Share

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi ePaul,

To resolve the build error in our api.c unit test you can build with the `./configure CFLAGS="-DTIME_T_NOT_LONG"` option. This uses a 32-bit time type.

For the wolfTPM question on creating a Certificate Signing Request you can find the complete example here:
https://github.com/wolfSSL/wolfTPM/blob … /csr/csr.c

Let us know if you have any other issues or questions.

Thanks,
David Garske, wolfSSL

Share

5 Reply by ePaul (edited by ePaul 2018-08-30 13:55:03)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,

Thanks, that works. So in order to have the extra NameAttrib active I should run

./configure CFLAGS="-DTIME_T_NOT_LONG" CFLAGS="-DWOLFSSL_MULTI_ATTRIB"

or 

./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptodev --enable-opensslextra=x509small CFLAGS="-DTIME_T_NOT_LONG"

Thanks a lot,
Paul

EDIT

./configure --enable-all CFLAGS="-DTIME_T_NOT_LONG"

doesn't work with CSR example.

Share

6 Reply by dgarske (edited by dgarske 2018-08-30 15:55:00)

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi ePaul,

To build you'll need to use:

./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptodev --enable-opensslextra=x509small CFLAGS="-DTIME_T_NOT_LONG  -DWOLFSSL_MULTI_ATTRIB"
make
sudo make install
sudo ldconfig

Thanks,
David Garske, wolfSSL

Share

7 Reply by ePaul (edited by ePaul 2018-08-30 20:51:28)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,

Yes, CSR work after building with my second configure example, but at first run I got error "TPM2_ReadPublic failed 395: TPM_RC_HANDLE" which disappear at second run.
Unfortunately the generated CSR seems not to be valid, when I check on https://redkestrel.co.uk/products/decoder/ I got "Decoding problem" but it shows the ASN 

Decoding Problem
Sorry, we were unable to fully decode the data provided

ASN.1 Information
  0 850: SEQUENCE {
  4 570:   SEQUENCE {
  8   1:     INTEGER 2
 11 149:     SEQUENCE {
 14  11:       SET {
 16   9:         SEQUENCE {
 18   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 23   2:           PrintableString 'US'
       :           }
       :         }
 27  15:       SET {
 29  13:         SEQUENCE {
 31   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 36   6:           UTF8String 'Oregon'
       :           }
       :         }
 44  17:       SET {
 46  15:         SEQUENCE {
 48   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 53   8:           UTF8String 'Portland'
       :           }
       :         }
 63  13:       SET {
 65  11:         SEQUENCE {
 67   3:           OBJECT IDENTIFIER surname (2 5 4 4)
 72   4:           UTF8String 'Test'
       :           }
       :         }
 78  16:       SET {
 80  14:         SEQUENCE {
 82   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 87   7:           UTF8String 'wolfSSL'
       :           }
       :         }
 96  12:       SET {
 98  10:         SEQUENCE {
100   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
105   3:           UTF8String 'RSA'
       :           }
       :         }
110  24:       SET {
112  22:         SEQUENCE {
114   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
119  15:           UTF8String 'www.wolfssl.com'
       :           }
       :         }
136  25:       SET {
138  23:         SEQUENCE {
140   3:           OBJECT IDENTIFIER objectClass (2 5 4 0)
       :             Error: Spurious EOC in definite-length item.
       :           }
       :         }
       :       }
163 290:     SEQUENCE {
167  13:       SEQUENCE {
169   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
180   0:         NULL
       :         }
182 271:       BIT STRING
       :         30 82 01 0A 02 82 01 01 00 D9 42 DE 9F 7E 25 05
       :         54 E1 E5 39 7F A7 B5 EA CE C8 ED BB C3 8C 2D 0E
       :         BC 57 2E CE 31 A7 70 AA 7C ED 30 EE CD 29 23 3C
       :         AE B4 A4 93 6D F6 66 48 44 1A 38 7F A2 4B 33 BA
       :         11 21 83 FC 4C AC E7 82 29 22 9B CA 1B E5 2F 90
       :         65 6C 58 02 76 EA 07 F0 C1 29 87 8C B7 A1 CD FB
       :         E7 83 9C 3D A3 BC 4C 04 FE AA 57 FE 67 3D 4A 24
       :         8B 93 37 01 EA BE 8D AB 2D 5F 2A 52 DF A9 51 94
       :                 [ Another 142 bytes skipped ]
       :       }
457 119:     [0] {
459 117:       SEQUENCE {
461   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
472 104:         SET {
474 102:           SEQUENCE {
476  29:             SEQUENCE {
478   3:               OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
483  22:               OCTET STRING
       :                 04 14 DD 65 12 5E 2B A5 3A 28 B1 DC 0C D6 AB E9
       :                 08 9A C1 75 81 28
       :               }
507  69:             SEQUENCE {
509   3:               OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
514  62:               OCTET STRING
       :                 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
       :                 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
       :                 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
       :                 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
578  13:   SEQUENCE {
580   9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
591   0:     NULL
       :     }
593 257:   BIT STRING
       :     1B 8A 50 FF 2E FC 76 34 20 37 BB 7B 53 20 6C 1E
       :     A9 04 A6 BC 96 27 B4 4D A2 3C 9A 77 90 B1 E1 5F
       :     F7 9B 2E E6 73 F1 19 A9 28 37 F1 D4 68 67 81 08
       :     D7 1B 3D 2A 23 2F D1 3B 42 32 9E C3 D1 9A 49 E9
       :     F1 37 FD 10 59 11 CF A9 A8 F2 87 AC 58 0B A1 92
       :     95 B4 63 05 52 75 9F FE 19 17 15 E6 8F 8C 94 B1
       :     9B D9 CC C9 F5 94 52 74 16 92 C4 E3 E6 96 B1 87
       :     D7 13 71 EF A2 F4 F2 4F B7 3B 10 1E 2E 45 D6 F9
       :             [ Another 128 bytes skipped ]
       :   }

Similar to problem in https://www.wolfssl.com/forums/post3590.html#p3590. 

root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
TPM2_ReadPublic failed 395: TPM_RC_HANDLE

TPM2_ReadPublic failed 395: TPM_RC_HANDLE
Generated/Signed Cert (DER 854, PEM 1228)
-----BEGIN CERTIFICATE REQUEST-----
MIIDUjCCAjoCAQIwgZUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEZMBcGA1UE
AAAQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANlC3p9+JQVU4eU5f6e16s7I7bvDjC0OvFcuzjGncKp87TDuzSkjPK60pJNt
9mZIRBo4f6JLM7oRIYP8TKzngikim8ob5S+QZWxYAnbqB/DBKYeMt6HN++eDnD2j
vEwE/qpX/mc9SiSLkzcB6r6Nqy1fKlLfqVGUU2Jfkacw+TmN+WPRXWSWia3CUKyQ
wC+6hKsyp8aztrJn6hjEq3JKdTw/PeUNdRWPk+P84Z2yTYsHR1WbZ1lhyFAjfnRK
cBBUactndDfBP3BwlaLi07m9u+FtnwVeQsuftHWRiJvAQJYytyDQARKWO2V0U+vl
tYk0nVZdUr6KHzYDL8XeQ9EJWzkCAwEAAaB3MHUGCSqGSIb3DQEJDjFoMGYwHQYD
VR0OBBYEFN1lEl4rpToosdwM1qvpCJrBdYEoMEUGA1UdJQQ+MDwGCCsGAQUFBwMB
BggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUH
AwkwDQYJKoZIhvcNAQELBQADggEBABuKUP8u/HY0IDe7e1MgbB6pBKa8lie0TaI8
mneQseFf95su5nPxGakoN/HUaGeBCNcbPSojL9E7QjKew9GaSenxN/0QWRHPqajy
h6xYC6GSlbRjBVJ1n/4ZFxXmj4yUsZvZzMn1lFJ0FpLE4+aWsYfXE3HvovTyT7c7
EB4uRdb5bOEqCQjikR3huTQTQVyHGRfPPu8GvJV6FMDLEkVOupNFo9BqJzClJqbD
L8Ui31h02ua4ULe1r6yZJMipmTndt7m+0xghrPlaD/q3DmiH7C/hKqS93t8wqlRe
9E14y+Mc1mX5YbAg8N79Y9SHvsZ4YKFNa1fwacpshH6300Xetgo=
-----END CERTIFICATE REQUEST-----

TPM2_ReadPublic failed 395: TPM_RC_HANDLE
Generated/Signed Cert (DER 462, PEM 696)
-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCAW8CAQIwgZUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEZMBcGA1UE
AAAQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMNK
Ya2DUKJndeA+z2K5rrD9QDZzJAtf/07nxie3iKmbx/uB51qmTL6Fz8xeZoNasJRc
Ha9FJs3c7J7vm8ufZBigdzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQWBBRldiw9
d/Dqs8fysULEWEgtr1AJQDBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYBBQUHAwIG
CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMAoGCCqGSM49
BAMCA0kAMEYCIQDstd1TkvAWopbOTG10w/eJ3dCUZIr/t+f+WRPf51iPMQIhAK3n
0FPk8yEGoqrMtP55QvAd+/aDmH1gq4kVc8ia9uA2
-----END CERTIFICATE REQUEST-----

root@raspberrypi:/home/pi/wolfTPM#
root@raspberrypi:/home/pi/wolfTPM# ls /de
debootstrap/ dev/
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 854, PEM 1228)
-----BEGIN CERTIFICATE REQUEST-----
MIIDUjCCAjoCAQIwgZUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEZMBcGA1UE
AAAQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANlC3p9+JQVU4eU5f6e16s7I7bvDjC0OvFcuzjGncKp87TDuzSkjPK60pJNt
9mZIRBo4f6JLM7oRIYP8TKzngikim8ob5S+QZWxYAnbqB/DBKYeMt6HN++eDnD2j
vEwE/qpX/mc9SiSLkzcB6r6Nqy1fKlLfqVGUU2Jfkacw+TmN+WPRXWSWia3CUKyQ
wC+6hKsyp8aztrJn6hjEq3JKdTw/PeUNdRWPk+P84Z2yTYsHR1WbZ1lhyFAjfnRK
cBBUactndDfBP3BwlaLi07m9u+FtnwVeQsuftHWRiJvAQJYytyDQARKWO2V0U+vl
tYk0nVZdUr6KHzYDL8XeQ9EJWzkCAwEAAaB3MHUGCSqGSIb3DQEJDjFoMGYwHQYD
VR0OBBYEFN1lEl4rpToosdwM1qvpCJrBdYEoMEUGA1UdJQQ+MDwGCCsGAQUFBwMB
BggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUH
AwkwDQYJKoZIhvcNAQELBQADggEBABuKUP8u/HY0IDe7e1MgbB6pBKa8lie0TaI8
mneQseFf95su5nPxGakoN/HUaGeBCNcbPSojL9E7QjKew9GaSenxN/0QWRHPqajy
h6xYC6GSlbRjBVJ1n/4ZFxXmj4yUsZvZzMn1lFJ0FpLE4+aWsYfXE3HvovTyT7c7
EB4uRdb5bOEqCQjikR3huTQTQVyHGRfPPu8GvJV6FMDLEkVOupNFo9BqJzClJqbD
L8Ui31h02ua4ULe1r6yZJMipmTndt7m+0xghrPlaD/q3DmiH7C/hKqS93t8wqlRe
9E14y+Mc1mX5YbAg8N79Y9SHvsZ4YKFNa1fwacpshH6300Xetgo=
-----END CERTIFICATE REQUEST-----

Generated/Signed Cert (DER 461, PEM 696)
-----BEGIN CERTIFICATE REQUEST-----
MIIByTCCAW8CAQIwgZUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEZMBcGA1UE
AAAQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMNK
Ya2DUKJndeA+z2K5rrD9QDZzJAtf/07nxie3iKmbx/uB51qmTL6Fz8xeZoNasJRc
Ha9FJs3c7J7vm8ufZBigdzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQWBBRldiw9
d/Dqs8fysULEWEgtr1AJQDBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYBBQUHAwIG
CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMAoGCCqGSM49
BAMCA0gAMEUCIGJ7JhEyPND2v5LoF5avebXHgbl77cD1+2pHN0ahuC87AiEA6BSh
ujYDkitYeXj/BKD5f0U4GsCRWfAwXybqRgUAi80=
-----END CERTIFICATE REQUEST-----

Thanks a lot,
Paul

Share

8 Reply by ePaul (edited by ePaul 2018-08-31 05:16:15)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,

I add to "/examples/csr/csr.c" the nameAtrib as bellow:

/* csr.c
 *
 * Copyright (C) 2006-2018 wolfSSL Inc.
 *
 * This file is part of wolfTPM.
 *
 * wolfTPM is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfTPM is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */


#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
     defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)

#include <examples/tpm_io.h>
#include <examples/csr/csr.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>

static const char gClientCertRsaFile[] = "./certs/client-rsa-cert.csr";
static const char gClientCertEccFile[] = "./certs/client-ecc-cert.csr";

/******************************************************************************/
/* --- BEGIN TPM2 CSR Example -- */
/******************************************************************************/

 static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
    const char* outputPemFile)
 {
    int rc;
    Cert req;
    static CertName myCertName = {
        .country = "US",        .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon",      .stateEnc = CTC_UTF8,        /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8,     /* locality */
        .sur = "Test",          .surEnc = CTC_UTF8,          /* sur */
        .org = "wolfSSL",       .orgEnc = CTC_UTF8,          /* org */
        .unit = "Development",  .unitEnc = CTC_UTF8,         /* unit */
        .commonName = "www.wolfssl.com",                     /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com"                          /* email */

/* serialNumber Attribute*/
    NameAttrib* n;
        n = &myCertName.name[0];
        n->id   = ASN_SERIAL_NUMBER;
        n->type = CTC_PRINTABLE;
        n->sz   = sizeof("1801908070");
        XMEMCPY(n->value, "1801908070", sizeof("1801908070"));
    };


    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));

    /* make sure each common name is unique */
    if (key_type == RSA_TYPE) {
        req.sigType = CTC_SHA256wRSA;
        XSTRNCPY(req.subject.unit, "RSA", sizeof(req.subject.unit));
    }
    else if (key_type == ECC_TYPE) {
        req.sigType = CTC_SHA256wECDSA;
        XSTRNCPY(req.subject.unit, "ECC", sizeof(req.subject.unit));
    }

#ifdef WOLFSSL_CERT_EXT
    /* add SKID from the Public Key */
    rc = wc_SetSubjectKeyIdFromPublicKey_ex(&req, key_type, wolfKey);
    if (rc != 0) goto exit;

    /* add Extended Key Usage */
    rc = wc_SetExtKeyUsage(&req, myKeyUsage);
    if (rc != 0) goto exit;
#endif

    rc = wc_MakeCertReq_ex(&req, der.buffer, sizeof(der.buffer), key_type,
        wolfKey);
    if (rc <= 0) goto exit;
    der.size = rc;

    rc = wc_SignCert_ex(req.bodySz, req.sigType, der.buffer, sizeof(der.buffer),
        key_type, wolfKey, wolfTPM2_GetRng(dev));
    if (rc <= 0) goto exit;
    der.size = rc;

#ifdef WOLFSSL_DER_TO_PEM
    /* Convert to PEM */
    XMEMSET(output.buffer, 0, sizeof(output.buffer));
    rc = wc_DerToPem(der.buffer, der.size, output.buffer, sizeof(output.buffer),
        CERTREQ_TYPE);
    if (rc <= 0) goto exit;
    output.size = rc;

    printf("Generated/Signed Cert (DER %d, PEM %d)\n", der.size, output.size);
    printf("%s\n", (char*)output.buffer);

#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
    {
        FILE* pemFile = fopen(outputPemFile, "wb");
        if (pemFile) {
            rc = (int)fwrite(output.buffer, 1, output.size, pemFile);
            fclose(pemFile);
            if (rc != output.size) {
                rc = -1; goto exit;
            }
        }
    }
#endif
#endif /* WOLFSSL_DER_TO_PEM */
    (void)outputPemFile;

    rc = 0; /* success */

exit:
    return rc;
 }

int TPM2_CSR_Example(void* userCtx)
{
    int rc;
    WOLFTPM2_DEV dev;
    WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
    WOLFTPM2_KEY rsaKey;
    RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
    WOLFTPM2_KEY eccKey;
    ecc_key wolfEccKey;
#endif
    TPMT_PUBLIC publicTemplate;
    TpmCryptoDevCtx tpmCtx;
    int tpmDevId;

    printf("TPM2 CSR Example\n");

    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != 0) return rc;

    /* Setup the wolf crypto device callback */
#ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
#endif
    rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
    if (rc != 0) goto exit;

    /* See if primary storage key already exists */
    rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
        TPM2_DEMO_STORAGE_KEY_HANDLE);
    if (rc != 0) {
        /* Create primary storage key */
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
            &publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
            TPM2_DEMO_STORAGE_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for storage key */
        storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
        XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
            storageKey.handle.auth.size);
    }

#ifndef NO_RSA
    /* Create/Load RSA key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
            TPM2_DEMO_RSA_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for RSA key */
        rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
    }

    /* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
    rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf RSA Key */
    rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
    if (rc != 0) goto exit;
#endif /* !NO_RSA */


#ifdef HAVE_ECC
    /* Create/Load ECC key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
            TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
            TPM2_DEMO_ECC_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for ECC key */
        eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
    }

    /* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
    rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf ECC Key */
    rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
    if (rc != 0) goto exit;
#endif /* HAVE_ECC */

exit:

    if (rc != 0) {
        printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
    }

#ifndef NO_RSA
    wc_FreeRsaKey(&wolfRsaKey);
    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
    wc_ecc_free(&wolfEccKey);
    wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif

    wolfTPM2_Cleanup(&dev);

    return rc;
}

/******************************************************************************/
/* --- END TPM2 CSR Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */

#ifndef NO_MAIN_DRIVER
int main(void)
{
    int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
     defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
    rc = TPM2_CSR_Example(NULL);
#else
    printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
    printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptodev\n");
#endif

    return rc;
}
#endif /* !NO_MAIN_DRIVER */

Resulting:

root@raspberrypi:/home/pi/wolfTPM# make
make -j5  all-am
make[1]: Entering directory '/home/pi/wolfTPM'
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 875, PEM 1257)
-----BEGIN CERTIFICATE REQUEST-----
MIIDZzCCAk8CAQIwgaoxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEZMBcGA1UE
AAAQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAADCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANlC3p9+JQVU4eU5f6e16s7I7bvDjC0O
vFcuzjGncKp87TDuzSkjPK60pJNt9mZIRBo4f6JLM7oRIYP8TKzngikim8ob5S+Q
ZWxYAnbqB/DBKYeMt6HN++eDnD2jvEwE/qpX/mc9SiSLkzcB6r6Nqy1fKlLfqVGU
U2Jfkacw+TmN+WPRXWSWia3CUKyQwC+6hKsyp8aztrJn6hjEq3JKdTw/PeUNdRWP
k+P84Z2yTYsHR1WbZ1lhyFAjfnRKcBBUactndDfBP3BwlaLi07m9u+FtnwVeQsuf
tHWRiJvAQJYytyDQARKWO2V0U+vltYk0nVZdUr6KHzYDL8XeQ9EJWzkCAwEAAaB3
MHUGCSqGSIb3DQEJDjFoMGYwHQYDVR0OBBYEFN1lEl4rpToosdwM1qvpCJrBdYEo
MEUGA1UdJQQ+MDwGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUF
BwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAGz6/sSh
fAu1HhwMZQDIhB/AuG80c46rbjUS5rkOFGKurx6tGKebeNmqKz8EG8FMbbzjmQpO
BXZB+DBy16ZWHFLKhMXVGwrvkwMErtRgyBBbkBdwY3JZdzW4EZqtwFScnVOVNkca
Kd+RYb/6Y5e1Y+N/VJa8BnKcufkHViwBHx5I7d83B/0qpG45IQyR8K5apdGNdp6/
jcRNR3lIzWGcGkttTUAe383DMsMvevzr/BPixGlLk91HYnzlt7HUqxDycH+RVD+g
F1swzCvNpY8zcNyNfcguurSZwL3e/UegiCd4aa6ncFs/imNneZNhqpM4642Qx4Cd
Z+Wt2ytH/8QQY+Q=
-----END CERTIFICATE REQUEST-----

which also give "Decoding Problem, Sorry, we were unable to fully decode the data provided" 

ASN.1 Information
  0 871: SEQUENCE {
  4 591:   SEQUENCE {
  8   1:     INTEGER 2
 11 170:     SEQUENCE {
 14  11:       SET {
 16   9:         SEQUENCE {
 18   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 23   2:           PrintableString 'US'
       :           }
       :         }
 27  15:       SET {
 29  13:         SEQUENCE {
 31   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 36   6:           UTF8String 'Oregon'
       :           }
       :         }
 44  17:       SET {
 46  15:         SEQUENCE {
 48   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 53   8:           UTF8String 'Portland'
       :           }
       :         }
 63  13:       SET {
 65  11:         SEQUENCE {
 67   3:           OBJECT IDENTIFIER surname (2 5 4 4)
 72   4:           UTF8String 'Test'
       :           }
       :         }
 78  16:       SET {
 80  14:         SEQUENCE {
 82   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 87   7:           UTF8String 'wolfSSL'
       :           }
       :         }
 96  12:       SET {
 98  10:         SEQUENCE {
100   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
105   3:           UTF8String 'RSA'
       :           }
       :         }
110  24:       SET {
112  22:         SEQUENCE {
114   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
119  15:           UTF8String 'www.wolfssl.com'
       :           }
       :         }
136  25:       SET {
138  23:         SEQUENCE {
140   3:           OBJECT IDENTIFIER objectClass (2 5 4 0)
       :             Error: Spurious EOC in definite-length item.
       :           }
       :         }
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
Error: Inconsistent object length, 1 byte difference.
       :       }
184 290:     SEQUENCE {
188  13:       SEQUENCE {
190   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
201   0:         NULL
       :         }
203 271:       BIT STRING
       :         30 82 01 0A 02 82 01 01 00 D9 42 DE 9F 7E 25 05
       :         54 E1 E5 39 7F A7 B5 EA CE C8 ED BB C3 8C 2D 0E
       :         BC 57 2E CE 31 A7 70 AA 7C ED 30 EE CD 29 23 3C
       :         AE B4 A4 93 6D F6 66 48 44 1A 38 7F A2 4B 33 BA
       :         11 21 83 FC 4C AC E7 82 29 22 9B CA 1B E5 2F 90
       :         65 6C 58 02 76 EA 07 F0 C1 29 87 8C B7 A1 CD FB
       :         E7 83 9C 3D A3 BC 4C 04 FE AA 57 FE 67 3D 4A 24
       :         8B 93 37 01 EA BE 8D AB 2D 5F 2A 52 DF A9 51 94
       :                 [ Another 142 bytes skipped ]
       :       }
478 119:     [0] {
480 117:       SEQUENCE {
482   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
493 104:         SET {
495 102:           SEQUENCE {
497  29:             SEQUENCE {
499   3:               OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
504  22:               OCTET STRING
       :                 04 14 DD 65 12 5E 2B A5 3A 28 B1 DC 0C D6 AB E9
       :                 08 9A C1 75 81 28
       :               }
528  69:             SEQUENCE {
530   3:               OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
535  62:               OCTET STRING
       :                 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
       :                 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
       :                 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
       :                 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
599  13:   SEQUENCE {
601   9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
612   0:     NULL
       :     }
614 257:   BIT STRING
       :     6C FA FE C4 A1 7C 0B B5 1E 1C 0C 65 00 C8 84 1F
       :     C0 B8 6F 34 73 8E AB 6E 35 12 E6 B9 0E 14 62 AE
       :     AF 1E AD 18 A7 9B 78 D9 AA 2B 3F 04 1B C1 4C 6D
       :     BC E3 99 0A 4E 05 76 41 F8 30 72 D7 A6 56 1C 52
       :     CA 84 C5 D5 1B 0A EF 93 03 04 AE D4 60 C8 10 5B
       :     90 17 70 63 72 59 77 35 B8 11 9A AD C0 54 9C 9D
       :     53 95 36 47 1A 29 DF 91 61 BF FA 63 97 B5 63 E3
       :     7F 54 96 BC 06 72 9C B9 F9 07 56 2C 01 1F 1E 48
       :             [ Another 128 bytes skipped ]
       :   }

I got an "OBJECT IDENTIFIER objectClass (2 5 4 0)" (see 140   3:) which appear also in request generated by original csr.c but I don't see it on openssl request.

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,
please tell my whats your time zone and working hours so we can synchronize on tests.

Thank you,
Paul

Share

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi ePaul,

Thanks for the bug report. I was able to reproduce your issue and identiy the cause. I've pushed a wolfSSL fix for this issue here (https://github.com/wolfSSL/wolfssl/pull/1805). It was a new issue that happened after we added some additional fields to support BusinessUnit.

I'm located in PDT (UTC -7).

Thanks,
David Garske, wolfSSL

Share

11 Reply by ePaul (edited by ePaul 2018-08-31 11:31:18)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,
should I do the same fix locally?

Thanks,
Paul

Share

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi ePaul,

You can do whichever is easier for you.

To clone the branch use:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
git fetch origin pull/1805/head:fix_csr
git checkout fix_csr

Thanks,
David Garske, wolfSSL

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,

your example from post https://www.wolfssl.com/forums/post3590.html#p3590 is OK now:

root@raspberrypi:/home/pi/wolfTPM/examples/csr# cat makecsr.c
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/asn_public.h>

#define MAX_TEMP_SIZE 1024

/* Build using:
gcc -lwolfssl -o makecsr makecsr.c
*/

int main(void)
{
    ecc_key key;
    WC_RNG rng;
    Cert req;
    byte der[MAX_TEMP_SIZE], pem[MAX_TEMP_SIZE];
    int  derSz, pemSz;

    wc_ecc_init(&key);
    wc_InitRng(&rng);

    wc_ecc_make_key_ex(&rng, 32, &key, ECC_SECP256R1);

    derSz = wc_EccKeyToDer(&key, der, sizeof(der));

    memset(pem, 0, sizeof(pem));
    pemSz = wc_DerToPem(der, derSz, pem, sizeof(pem), ECC_PRIVATEKEY_TYPE);
    printf("%s", pem);

    wc_InitCert(&req);
    strncpy(req.subject.country, "US", CTC_NAME_SIZE);
    strncpy(req.subject.state, "OR", CTC_NAME_SIZE);
    strncpy(req.subject.locality, "Portland", CTC_NAME_SIZE);
    strncpy(req.subject.org, "yaSSL", CTC_NAME_SIZE);
    strncpy(req.subject.unit, "Development", CTC_NAME_SIZE);
    strncpy(req.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE);
    strncpy(req.subject.email, "info@wolfssl.com", CTC_NAME_SIZE);
    derSz = wc_MakeCertReq(&req, der, sizeof(der), NULL, &key);

    req.sigType = CTC_SHA256wECDSA;
    derSz = wc_SignCert(req.bodySz, req.sigType, der, sizeof(der), NULL, &key, &rng);

    pemSz = wc_DerToPem(der, derSz, pem, sizeof(pem), CERTREQ_TYPE);
    printf("%s", pem);

    wc_ecc_free(&key);
    wc_FreeRng(&rng);

    return 0;
}
root@raspberrypi:/home/pi/wolfTPM/examples/csr# ./makecsr
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILf/jyepHbL1iOPrwf1v7u3cpXpxB2+hcR8WcEzMAQy8oAoGCCqGSM49
AwEHoUQDQgAESZxt3pFt+nMS2gRjEc9hNP34Lt/GeC4jjX+x4Y0QKlMJkPXvGHkI
bETPV/nFGlXNCgEmAy29Mg8YhTmHtqZEmA==
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBSzCB8QIBAjCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMREwDwYDVQQH
DAhQb3J0bGFuZDEOMAwGA1UECgwFeWFTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50
MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
d29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARJnG3ekW36cxLa
BGMRz2E0/fgu38Z4LiONf7HhjRAqUwmQ9e8YeQhsRM9X+cUaVc0KASYDLb0yDxiF
OYe2pkSYoAAwCgYIKoZIzj0EAwIDSQAwRgIhAJ2aHQ0OGLIB6c4scJfHQOTKyY0a
1diz9KfAu/OSS99mAiEAsu7Dawf05ziOYOpYBq7mnPEkF1c7dkooP7HX+NEcJEo=
-----END CERTIFICATE REQUEST-----
CSR ASN.1 Information
  0 331: SEQUENCE {
  4 241:   SEQUENCE {
  7   1:     INTEGER 2
 10 142:     SEQUENCE {
 13  11:       SET {
 15   9:         SEQUENCE {
 17   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 22   2:           PrintableString 'US'
       :           }
       :         }
 26  11:       SET {
 28   9:         SEQUENCE {
 30   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 35   2:           UTF8String 'OR'
       :           }
       :         }
 39  17:       SET {
 41  15:         SEQUENCE {
 43   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 48   8:           UTF8String 'Portland'
       :           }
       :         }
 58  14:       SET {
 60  12:         SEQUENCE {
 62   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 67   5:           UTF8String 'yaSSL'
       :           }
       :         }
 74  20:       SET {
 76  18:         SEQUENCE {
 78   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 83  11:           UTF8String 'Development'
       :           }
       :         }
 96  24:       SET {
 98  22:         SEQUENCE {
100   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
105  15:           UTF8String 'www.wolfssl.com'
       :           }
       :         }
122  31:       SET {
124  29:         SEQUENCE {
126   9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
137  16:           IA5String 'info@wolfssl.com'
       :           }
       :         }
       :       }
155  89:     SEQUENCE {
157  19:       SEQUENCE {
159   7:         OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
168   8:         OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
       :         }
178  66:       BIT STRING
       :         04 49 9C 6D DE 91 6D FA 73 12 DA 04 63 11 CF 61
       :         34 FD F8 2E DF C6 78 2E 23 8D 7F B1 E1 8D 10 2A
       :         53 09 90 F5 EF 18 79 08 6C 44 CF 57 F9 C5 1A 55
       :         CD 0A 01 26 03 2D BD 32 0F 18 85 39 87 B6 A6 44
       :         98
       :       }
246   0:     [0]
       :       Error: Object has zero length.
       :     }
248  10:   SEQUENCE {
250   8:     OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
       :     }
260  73:   BIT STRING
       :     30 46 02 21 00 9D 9A 1D 0D 0E 18 B2 01 E9 CE 2C
       :     70 97 C7 40 E4 CA C9 8D 1A D5 D8 B3 F4 A7 C0 BB
       :     F3 92 4B DF 66 02 21 00 B2 EE C3 6B 07 F4 E7 38
       :     8E 60 EA 58 06 AE E6 9C F1 24 17 57 3B 76 4A 28
       :     3F B1 D7 F8 D1 1C 24 4A
       :   }

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Also works now "./wolfTPM/examples/csr/csr":

root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 860, PEM 1236)
-----BEGIN CERTIFICATE REQUEST-----
MIIDWDCCAkACAQIwgZsxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANZhM96VDdb11zUx3Rm+HzuxORXvCEontkwddYh59T4/UW056iXd
1Pex0dAQDniftvX9p0BylCQBHRD7dM12ByvsofO8ycd+qy3+hwEe9kHHkVIINoDw
uH0gfXXxXlhqIEe4tc/rY5LbsMy8BeSwcs7DmoZ3jLf2xO3y+B4mthxSTS/uloVE
xZC/WngFzGqmX4rQgroJYVxdu4xgzoGoOr8n6DK/Ohjhdr/KrVOo00ggM7xzkHX6
0ELFfIBWHk3UWdxHCLYa19t9Oo0U+aHloIgz4OxWXnHH1ZVLaIh3MCi48F8LdINN
bE6XyDv8NPAPqdvR3Dl4lA2KZ79L/wdudBUCAwEAAaB3MHUGCSqGSIb3DQEJDjFo
MGYwHQYDVR0OBBYEFKn3EVsrhXRvGWkTXByJZDs4qaIrMEUGA1UdJQQ+MDwGCCsG
AQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYI
KwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAFT94Nqo18RTxIe1aqewRVrYS0U4
ug7xRiav9eE1TFyQM/udoQszLn+VLtXlH62O/LWVvpjpQQ9C/+NB4Cx32nFmyyW8
XO1icPTFm7Vp9HOS3w3a+7rIbG4r1kTpzDoL7gCeS7FBRKu7NoC6gzPAgrKQMP68
A/Es/3X5XmtzzXCSYPfopoAweOmFvZ4RJ0S4CZ2XV+3jj9XzoYztj1o1/OJ14MvS
5MG7itnEThgBTjHgTsNpKiCb8G2G4+cIjOwlIKzwnbAC2Xr66bAtDuYZAb1S2xiq
bHBsobMh/d1cd5mHLhm1wWO5O9WXEDDVTUTaYuIJTbS0eyldvd1eQmZOoas=
-----END CERTIFICATE REQUEST-----

TPM2_ReadPublic failed 395: TPM_RC_HANDLE
Generated/Signed Cert (DER 467, PEM 704)
-----BEGIN CERTIFICATE REQUEST-----
MIIBzzCCAXUCAQIwgZsxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABC/Scb98HLkXTJSDBGi7rRCJS0sr94F1ERXLTe0SHkNegzNoZ6s8YdaE+jLa
cmRc059hcbxU94cOUsDvM681ETagdzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQW
BBTECVkpK9F7FgNVRaobI/6aZp8SnzBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYB
BQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMAoG
CCqGSM49BAMCA0gAMEUCIBdcR6wO4FeO70MiyuUR2HUJuI6Yms6kAUwnJ8tYmVPD
AiEAu29P1m+9v2kdbuCZ+l7H9jolXNrkMwO3FIMQURKiOZ4=
-----END CERTIFICATE REQUEST-----

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,

I have tried to add "serialNumber" attribute to the csr example but the result is getting "Decoding Problem".
This is the code:

/* csr.c
 *
 * Copyright (C) 2006-2018 wolfSSL Inc.
 *
 * This file is part of wolfTPM.
 *
 * wolfTPM is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfTPM is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */


#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
     defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)

#include <examples/tpm_io.h>
#include <examples/csr/csr.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>

static const char gClientCertRsaFile[] = "./certs/client-rsa-cert.csr";
static const char gClientCertEccFile[] = "./certs/client-ecc-cert.csr";

/******************************************************************************/
/* --- BEGIN TPM2 CSR Example -- */
/******************************************************************************/

 static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
    const char* outputPemFile)
 {
    int rc;
    Cert req;
//    const CertName myCertName = {
    static CertName myCertName = {
        .country = "US",        .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon",      .stateEnc = CTC_UTF8,        /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8,     /* locality */
        .sur = "Test",          .surEnc = CTC_UTF8,          /* sur */
        .org = "wolfSSL",       .orgEnc = CTC_UTF8,          /* org */
        .unit = "Development",  .unitEnc = CTC_UTF8,         /* unit */
        .commonName = "www.wolfssl.com",                     /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com"                          /* email */
    };

/* serialNumber Attribute*/
    NameAttrib* n;

        n = &myCertName.name[0];
        n->id   = ASN_SERIAL_NUMBER;
        n->type = CTC_PRINTABLE;
        n->sz   = sizeof("1801908070");
        XMEMCPY(n->value, "1801908070", sizeof("1801908070"));
/* serialNumber Attribute*/

    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));

    /* make sure each common name is unique */
    if (key_type == RSA_TYPE) {
        req.sigType = CTC_SHA256wRSA;
        XSTRNCPY(req.subject.unit, "RSA", sizeof(req.subject.unit));
    }
    else if (key_type == ECC_TYPE) {
        req.sigType = CTC_SHA256wECDSA;
        XSTRNCPY(req.subject.unit, "ECC", sizeof(req.subject.unit));
    }

#ifdef WOLFSSL_CERT_EXT
    /* add SKID from the Public Key */
    rc = wc_SetSubjectKeyIdFromPublicKey_ex(&req, key_type, wolfKey);
    if (rc != 0) goto exit;

    /* add Extended Key Usage */
    rc = wc_SetExtKeyUsage(&req, myKeyUsage);
    if (rc != 0) goto exit;
#endif

    rc = wc_MakeCertReq_ex(&req, der.buffer, sizeof(der.buffer), key_type,
        wolfKey);
    if (rc <= 0) goto exit;
    der.size = rc;

    rc = wc_SignCert_ex(req.bodySz, req.sigType, der.buffer, sizeof(der.buffer),
        key_type, wolfKey, wolfTPM2_GetRng(dev));
    if (rc <= 0) goto exit;
    der.size = rc;

#ifdef WOLFSSL_DER_TO_PEM
    /* Convert to PEM */
    XMEMSET(output.buffer, 0, sizeof(output.buffer));
    rc = wc_DerToPem(der.buffer, der.size, output.buffer, sizeof(output.buffer),
        CERTREQ_TYPE);
    if (rc <= 0) goto exit;
    output.size = rc;

    printf("Generated/Signed Cert (DER %d, PEM %d)\n", der.size, output.size);
    printf("%s\n", (char*)output.buffer);

#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
    {
        FILE* pemFile = fopen(outputPemFile, "wb");
        if (pemFile) {
            rc = (int)fwrite(output.buffer, 1, output.size, pemFile);
            fclose(pemFile);
            if (rc != output.size) {
                rc = -1; goto exit;
            }
        }
    }
#endif
#endif /* WOLFSSL_DER_TO_PEM */
    (void)outputPemFile;

    rc = 0; /* success */

exit:
    return rc;
 }

int TPM2_CSR_Example(void* userCtx)
{
    int rc;
    WOLFTPM2_DEV dev;
    WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
    WOLFTPM2_KEY rsaKey;
    RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
    WOLFTPM2_KEY eccKey;
    ecc_key wolfEccKey;
#endif
    TPMT_PUBLIC publicTemplate;
    TpmCryptoDevCtx tpmCtx;
    int tpmDevId;

    printf("TPM2 CSR Example\n");

    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != 0) return rc;

    /* Setup the wolf crypto device callback */
#ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
#endif
    rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
    if (rc != 0) goto exit;

    /* See if primary storage key already exists */
    rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
        TPM2_DEMO_STORAGE_KEY_HANDLE);
    if (rc != 0) {
        /* Create primary storage key */
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
            &publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
            TPM2_DEMO_STORAGE_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for storage key */
        storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
        XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
            storageKey.handle.auth.size);
    }

#ifndef NO_RSA
    /* Create/Load RSA key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
            TPM2_DEMO_RSA_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for RSA key */
        rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
    }

    /* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
    rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf RSA Key */
    rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
    if (rc != 0) goto exit;
#endif /* !NO_RSA */


#ifdef HAVE_ECC
    /* Create/Load ECC key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
            TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
            TPM2_DEMO_ECC_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for ECC key */
        eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
    }

    /* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
    rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf ECC Key */
    rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
    if (rc != 0) goto exit;
#endif /* HAVE_ECC */

exit:

    if (rc != 0) {
        printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
    }

#ifndef NO_RSA
    wc_FreeRsaKey(&wolfRsaKey);
    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
    wc_ecc_free(&wolfEccKey);
    wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif

    wolfTPM2_Cleanup(&dev);

    return rc;
}

/******************************************************************************/
/* --- END TPM2 CSR Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */

#ifndef NO_MAIN_DRIVER
int main(void)
{
    int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
     defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
    rc = TPM2_CSR_Example(NULL);
#else
    printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
    printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptodev\n");
#endif

    return rc;
}
#endif /* !NO_MAIN_DRIVER */

this is the result:

root@raspberrypi:/home/pi/wolfTPM# nano /home/pi/wolfTPM/examples/csr/csr.c
root@raspberrypi:/home/pi/wolfTPM# make
make -j5  all-am
make[1]: Entering directory '/home/pi/wolfTPM'
  CC       examples/csr/csr.o
  CCLD     examples/csr/csr
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 881, PEM 1265)
-----BEGIN CERTIFICATE REQUEST-----
MIIDbTCCAlUCAQIwgbAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAADCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANZhM96VDdb11zUx3Rm+Hzux
ORXvCEontkwddYh59T4/UW056iXd1Pex0dAQDniftvX9p0BylCQBHRD7dM12Byvs
ofO8ycd+qy3+hwEe9kHHkVIINoDwuH0gfXXxXlhqIEe4tc/rY5LbsMy8BeSwcs7D
moZ3jLf2xO3y+B4mthxSTS/uloVExZC/WngFzGqmX4rQgroJYVxdu4xgzoGoOr8n
6DK/Ohjhdr/KrVOo00ggM7xzkHX60ELFfIBWHk3UWdxHCLYa19t9Oo0U+aHloIgz
4OxWXnHH1ZVLaIh3MCi48F8LdINNbE6XyDv8NPAPqdvR3Dl4lA2KZ79L/wdudBUC
AwEAAaB3MHUGCSqGSIb3DQEJDjFoMGYwHQYDVR0OBBYEFKn3EVsrhXRvGWkTXByJ
ZDs4qaIrMEUGA1UdJQQ+MDwGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG
CCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEB
AGO+M1MWAnmG6WdtTWQgum86s+p1678o4WCH0tZKZ3yBu/v9lV4wQvtCVe9kqCiK
r2+Aria4JymM9ALREivqBcf10B0lxX8eL6t1EtE85fa1YBGEM/rbaD0vkuGc8+gw
NFnSm/YVg/PjHp3fOp8oN/Q6nCRUSU0mZQgjUfS4LeVFuyLbTVVQ0dCVAFSvgY+S
NWsZzyOfprao4TYCumfxU3zEO8CerXwFn+CqGfOz4zqk67piR1BiVp+dmq2LRysp
Fxl6BDEwp8HfXqtpSzObqePRjpEOB36h+INYpA9jFqUwZUAzzM7u8wtGw9NCOU5u
wl/mVyv0DAy7l4mjpgwldsU=
-----END CERTIFICATE REQUEST-----

Generated/Signed Cert (DER 487, PEM 733)
-----BEGIN CERTIFICATE REQUEST-----
MIIB4zCCAYoCAQIwgbAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAADBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABC/Scb98HLkXTJSDBGi7rRCJS0sr94F1
ERXLTe0SHkNegzNoZ6s8YdaE+jLacmRc059hcbxU94cOUsDvM681ETagdzB1Bgkq
hkiG9w0BCQ4xaDBmMB0GA1UdDgQWBBTECVkpK9F7FgNVRaobI/6aZp8SnzBFBgNV
HSUEPjA8BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYI
KwYBBQUHAwgGCCsGAQUFBwMJMAoGCCqGSM49BAMCA0cAMEQCIFXm6SDmtGdVnsTb
VuKnR2Tm33fq24QZ1JEj2oyNVavTAiB7xK30dB0HMDGAXuX+IBp9d/JRU1IeSkna
BlLFiLrr2w==
-----END CERTIFICATE REQUEST-----

and this is verification result:
https://redkestrel.co.uk/products/decoder/

Have a look at the next lines after "151  16:           IA5String 'info@wolfssl.com'"

Decoding Problem
Sorry, we were unable to fully decode the data provided

ASN.1 Information
  0 877: SEQUENCE {
  4 597:   SEQUENCE {
  8   1:     INTEGER 2
 11 176:     SEQUENCE {
 14  11:       SET {
 16   9:         SEQUENCE {
 18   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 23   2:           PrintableString 'US'
       :           }
       :         }
 27  15:       SET {
 29  13:         SEQUENCE {
 31   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 36   6:           UTF8String 'Oregon'
       :           }
       :         }
 44  17:       SET {
 46  15:         SEQUENCE {
 48   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 53   8:           UTF8String 'Portland'
       :           }
       :         }
 63  13:       SET {
 65  11:         SEQUENCE {
 67   3:           OBJECT IDENTIFIER surname (2 5 4 4)
 72   4:           UTF8String 'Test'
       :           }
       :         }
 78  16:       SET {
 80  14:         SEQUENCE {
 82   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 87   7:           UTF8String 'wolfSSL'
       :           }
       :         }
 96  12:       SET {
 98  10:         SEQUENCE {
100   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
105   3:           UTF8String 'RSA'
       :           }
       :         }
110  24:       SET {
112  22:         SEQUENCE {
114   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
119  15:           UTF8String 'www.wolfssl.com'
       :           }
       :         }
136  31:       SET {
138  29:         SEQUENCE {
140   9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
151  16:           IA5String 'info@wolfssl.com'
       :           }
       :         }
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
Error: Inconsistent object length, 1 byte difference.
       :       }
190 290:     SEQUENCE {
194  13:       SEQUENCE {
196   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
207   0:         NULL
       :         }
209 271:       BIT STRING
       :         30 82 01 0A 02 82 01 01 00 D6 61 33 DE 95 0D D6
       :         F5 D7 35 31 DD 19 BE 1F 3B B1 39 15 EF 08 4A 27
       :         B6 4C 1D 75 88 79 F5 3E 3F 51 6D 39 EA 25 DD D4
       :         F7 B1 D1 D0 10 0E 78 9F B6 F5 FD A7 40 72 94 24
       :         01 1D 10 FB 74 CD 76 07 2B EC A1 F3 BC C9 C7 7E
       :         AB 2D FE 87 01 1E F6 41 C7 91 52 08 36 80 F0 B8
       :         7D 20 7D 75 F1 5E 58 6A 20 47 B8 B5 CF EB 63 92
       :         DB B0 CC BC 05 E4 B0 72 CE C3 9A 86 77 8C B7 F6
       :                 [ Another 142 bytes skipped ]
       :       }
484 119:     [0] {
486 117:       SEQUENCE {
488   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
499 104:         SET {
501 102:           SEQUENCE {
503  29:             SEQUENCE {
505   3:               OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
510  22:               OCTET STRING
       :                 04 14 A9 F7 11 5B 2B 85 74 6F 19 69 13 5C 1C 89
       :                 64 3B 38 A9 A2 2B
       :               }
534  69:             SEQUENCE {
536   3:               OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
541  62:               OCTET STRING
       :                 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
       :                 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
       :                 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
       :                 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
605  13:   SEQUENCE {
607   9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
618   0:     NULL
       :     }
620 257:   BIT STRING
       :     63 BE 33 53 16 02 79 86 E9 67 6D 4D 64 20 BA 6F
       :     3A B3 EA 75 EB BF 28 E1 60 87 D2 D6 4A 67 7C 81
       :     BB FB FD 95 5E 30 42 FB 42 55 EF 64 A8 28 8A AF
       :     6F 80 AE 26 B8 27 29 8C F4 02 D1 12 2B EA 05 C7
       :     F5 D0 1D 25 C5 7F 1E 2F AB 75 12 D1 3C E5 F6 B5
       :     60 11 84 33 FA DB 68 3D 2F 92 E1 9C F3 E8 30 34
       :     59 D2 9B F6 15 83 F3 E3 1E 9D DF 3A 9F 28 37 F4
       :     3A 9C 24 54 49 4D 26 65 08 23 51 F4 B8 2D E5 45
       :             [ Another 128 bytes skipped ]
       :   }

Thanks a lot,
Paul

PS. Did you read my PM?

Share

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi Paul,

The CSR should not contain a serial number. The serial number is assigned by the CA when it gets signed.

I will however take a look at your example and see if there is an issue that needs fixed around CSR gen with serial number provided.

Thanks,
David Garske, wolfSSL

Share

17 Reply by ePaul (edited by ePaul 2018-09-04 10:09:45)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi David,

please do, running this code:

    Cert req;
//    const CertName myCertName = {
    static CertName myCertName = {
        .country = "US",        .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon",      .stateEnc = CTC_UTF8,        /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8,     /* locality */
        .sur = "1801908070",          .surEnc = CTC_UTF8,          /* sur */
        .org = "wolfSSL",       .orgEnc = CTC_UTF8,          /* org */
        .unit = "Development",  .unitEnc = CTC_UTF8,         /* unit */
        .commonName = "www.wolfssl.com",                     /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com"                          /* email */
    };

/* serialNumber Attribute*/
    NameAttrib* n;

        n = &myCertName.name[0];
        n->id   = ASN_DOMAIN_COMPONENT; //ASN_SERIAL_NUMBER;
        n->type = CTC_UTF8; //CTC_PRINTABLE;
        n->sz   = sizeof("1801908070");
        XMEMCPY(n->value, "1801908070", sizeof("1801908070"));
/* serialNumber Attribute*/

    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"

produce a valid CSR:

root@raspberrypi:/home/pi/wolfTPM# make
make -j5  all-am
make[1]: Entering directory '/home/pi/wolfTPM'
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 894, PEM 1281)
-----BEGIN CERTIFICATE REQUEST-----
MIIDejCCAmICAQIwgb0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMRowGAYKCZImiZPyLGQBGQwKMTgwMTkwODA3MDEMMAoGA1UECwwDUlNB
MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
d29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWYTPe
lQ3W9dc1Md0Zvh87sTkV7whKJ7ZMHXWIefU+P1FtOeol3dT3sdHQEA54n7b1/adA
cpQkAR0Q+3TNdgcr7KHzvMnHfqst/ocBHvZBx5FSCDaA8Lh9IH118V5YaiBHuLXP
62OS27DMvAXksHLOw5qGd4y39sTt8vgeJrYcUk0v7paFRMWQv1p4Bcxqpl+K0IK6
CWFcXbuMYM6BqDq/J+gyvzoY4Xa/yq1TqNNIIDO8c5B1+tBCxXyAVh5N1FncRwi2
GtfbfTqNFPmh5aCIM+DsVl5xx9WVS2iIdzAouPBfC3SDTWxOl8g7/DTwD6nb0dw5
eJQNime/S/8HbnQVAgMBAAGgdzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQWBBSp
9xFbK4V0bxlpE1wciWQ7OKmiKzBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYBBQUH
AwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMA0GCSqG
SIb3DQEBCwUAA4IBAQAvmgWw3CDIew3drW3dSwRriq2/hEyreCjQz9cMYe90FNzc
ohk1eIyTWVL8u2P0WA2pyebNAAUnu/rlhTJDcr7ZYMevP1zp0mj4ay8tW1PXpiH1
3snW8yhiBagEcUTdi+GmPKtikVekRL57/TCdFOztZuolRe5cZQB/mfp0IKTsUWO8
ObN/nQlChZML0m/Zb5FYxkV9+UucFjI98Zsaw8sfiRCQZoB9XaVJNURNzgWYBVoI
mnIo7xTvPxthd0sOD/ogiDwtLi+M4tubz1N+I+DB9LjjjbS4QjPS4zZvWShWWK89
mSZpHlfz+1HPytQ01sBW0WhV2U/RNfdYvqb/eruV
-----END CERTIFICATE REQUEST-----

Generated/Signed Cert (DER 501, PEM 749)
-----BEGIN CERTIFICATE REQUEST-----
MIIB8TCCAZcCAQIwgb0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMRowGAYKCZImiZPyLGQBGQwKMTgwMTkwODA3MDEMMAoGA1UECwwDRUND
MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
d29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQv0nG/fBy5F0yU
gwRou60QiUtLK/eBdREVy03tEh5DXoMzaGerPGHWhPoy2nJkXNOfYXG8VPeHDlLA
7zOvNRE2oHcwdQYJKoZIhvcNAQkOMWgwZjAdBgNVHQ4EFgQUxAlZKSvRexYDVUWq
GyP+mmafEp8wRQYDVR0lBD4wPAYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcD
AwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCTAKBggqhkjOPQQDAgNIADBF
AiAyusIIptmArj4EChHu/8vgs/i74W0DaNlpPxhN/xQKwQIhAOtKjhMmIqcBjpxd
G2PgGHFk9i5MhTeRE4qRfHfacKqq
-----END CERTIFICATE REQUEST-----

CSR Summary
CSR Checks
Check    Result
Debian Weak Key    PASSED - Does not use a key on our blacklist - this is good
Key Size    PASSED (2048 bits)
Signature    PASSED - CSR has a valid signature
MD5    PASSED - Not using the MD5 algorithm
CSR Subject
emailAddress    info@wolfssl.com
Common Name (CN)    www.wolfssl.com
Organizational Unit (OU)    RSA
Domain Component (DC)    1801908070
Organization (O)    wolfSSL
SN    1801908070
Locality (L)    Portland
State (ST)    Oregon
Country (C)    US
CSR Properties
Subject    C=US, ST=Oregon, L=Portland, SN=1801908070, O=wolfSSL, DC=1801908070, OU=RSA, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Key Size    2048 bits
Key Algorithm    RSA
Sig. Algorithm    sha256WithRSAEncryption
SHA256 Fingerprint    66:2E:44:8B:89:C4:3D:D2:23:C6:38:D0:02:2F:DC:4B:11:14:AF:F5:C1:6B:AC:C5:8D:FD:61:12:01:CB:C7:F0
SHA1 Fingerprint    80:3C:02:79:95:DB:07:83:F2:63:54:67:E2:FF:66:A0:64:EE:5D:06
MD5 Fingeprint    22:01:B3:E5:C9:F6:B6:C5:40:15:F6:D2:BC:AB:33:2E
SANs    
CSR Detailed Information
Certificate Request:
    Data:
        Version: 2 (0x2)
        Subject: C=US, ST=Oregon, L=Portland, SN=1801908070, O=wolfSSL, DC=1801908070, OU=RSA, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d6:61:33:de:95:0d:d6:f5:d7:35:31:dd:19:be:
                    1f:3b:b1:39:15:ef:08:4a:27:b6:4c:1d:75:88:79:
                    f5:3e:3f:51:6d:39:ea:25:dd:d4:f7:b1:d1:d0:10:
                    0e:78:9f:b6:f5:fd:a7:40:72:94:24:01:1d:10:fb:
                    74:cd:76:07:2b:ec:a1:f3:bc:c9:c7:7e:ab:2d:fe:
                    87:01:1e:f6:41:c7:91:52:08:36:80:f0:b8:7d:20:
                    7d:75:f1:5e:58:6a:20:47:b8:b5:cf:eb:63:92:db:
                    b0:cc:bc:05:e4:b0:72:ce:c3:9a:86:77:8c:b7:f6:
                    c4:ed:f2:f8:1e:26:b6:1c:52:4d:2f:ee:96:85:44:
                    c5:90:bf:5a:78:05:cc:6a:a6:5f:8a:d0:82:ba:09:
                    61:5c:5d:bb:8c:60:ce:81:a8:3a:bf:27:e8:32:bf:
                    3a:18:e1:76:bf:ca:ad:53:a8:d3:48:20:33:bc:73:
                    90:75:fa:d0:42:c5:7c:80:56:1e:4d:d4:59:dc:47:
                    08:b6:1a:d7:db:7d:3a:8d:14:f9:a1:e5:a0:88:33:
                    e0:ec:56:5e:71:c7:d5:95:4b:68:88:77:30:28:b8:
                    f0:5f:0b:74:83:4d:6c:4e:97:c8:3b:fc:34:f0:0f:
                    a9:db:d1:dc:39:78:94:0d:8a:67:bf:4b:ff:07:6e:
                    74:15
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Key Identifier: 
                A9:F7:11:5B:2B:85:74:6F:19:69:13:5C:1C:89:64:3B:38:A9:A2:2B
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         2f:9a:05:b0:dc:20:c8:7b:0d:dd:ad:6d:dd:4b:04:6b:8a:ad:
         bf:84:4c:ab:78:28:d0:cf:d7:0c:61:ef:74:14:dc:dc:a2:19:
         35:78:8c:93:59:52:fc:bb:63:f4:58:0d:a9:c9:e6:cd:00:05:
         27:bb:fa:e5:85:32:43:72:be:d9:60:c7:af:3f:5c:e9:d2:68:
         f8:6b:2f:2d:5b:53:d7:a6:21:f5:de:c9:d6:f3:28:62:05:a8:
         04:71:44:dd:8b:e1:a6:3c:ab:62:91:57:a4:44:be:7b:fd:30:
         9d:14:ec:ed:66:ea:25:45:ee:5c:65:00:7f:99:fa:74:20:a4:
         ec:51:63:bc:39:b3:7f:9d:09:42:85:93:0b:d2:6f:d9:6f:91:
         58:c6:45:7d:f9:4b:9c:16:32:3d:f1:9b:1a:c3:cb:1f:89:10:
         90:66:80:7d:5d:a5:49:35:44:4d:ce:05:98:05:5a:08:9a:72:
         28:ef:14:ef:3f:1b:61:77:4b:0e:0f:fa:20:88:3c:2d:2e:2f:
         8c:e2:db:9b:cf:53:7e:23:e0:c1:f4:b8:e3:8d:b4:b8:42:33:
         d2:e3:36:6f:59:28:56:58:af:3d:99:26:69:1e:57:f3:fb:51:
         cf:ca:d4:34:d6:c0:56:d1:68:55:d9:4f:d1:35:f7:58:be:a6:
         ff:7a:bb:95

                       
                    
CSR ASN.1 Information
  0 890: SEQUENCE {
  4 610:   SEQUENCE {
  8   1:     INTEGER 2
 11 189:     SEQUENCE {
 14  11:       SET {
 16   9:         SEQUENCE {
 18   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 23   2:           PrintableString 'US'
       :           }
       :         }
 27  15:       SET {
 29  13:         SEQUENCE {
 31   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 36   6:           UTF8String 'Oregon'
       :           }
       :         }
 44  17:       SET {
 46  15:         SEQUENCE {
 48   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 53   8:           UTF8String 'Portland'
       :           }
       :         }
 63  19:       SET {
 65  17:         SEQUENCE {
 67   3:           OBJECT IDENTIFIER surname (2 5 4 4)
 72  10:           UTF8String '1801908070'
       :           }
       :         }
 84  16:       SET {
 86  14:         SEQUENCE {
 88   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 93   7:           UTF8String 'wolfSSL'
       :           }
       :         }
102  26:       SET {
104  24:         SEQUENCE {
106  10:           OBJECT IDENTIFIER
       :             domainComponent (0 9 2342 19200300 100 1 25)
118  10:           UTF8String '1801908070'
       :           }
       :         }
130  12:       SET {
132  10:         SEQUENCE {
134   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
139   3:           UTF8String 'RSA'
       :           }
       :         }
144  24:       SET {
146  22:         SEQUENCE {
148   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
153  15:           UTF8String 'www.wolfssl.com'
       :           }
       :         }
170  31:       SET {
172  29:         SEQUENCE {
174   9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
185  16:           IA5String 'info@wolfssl.com'
       :           }
       :         }
       :       }
203 290:     SEQUENCE {
207  13:       SEQUENCE {
209   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
220   0:         NULL
       :         }
222 271:       BIT STRING
       :         30 82 01 0A 02 82 01 01 00 D6 61 33 DE 95 0D D6
       :         F5 D7 35 31 DD 19 BE 1F 3B B1 39 15 EF 08 4A 27
       :         B6 4C 1D 75 88 79 F5 3E 3F 51 6D 39 EA 25 DD D4
       :         F7 B1 D1 D0 10 0E 78 9F B6 F5 FD A7 40 72 94 24
       :         01 1D 10 FB 74 CD 76 07 2B EC A1 F3 BC C9 C7 7E
       :         AB 2D FE 87 01 1E F6 41 C7 91 52 08 36 80 F0 B8
       :         7D 20 7D 75 F1 5E 58 6A 20 47 B8 B5 CF EB 63 92
       :         DB B0 CC BC 05 E4 B0 72 CE C3 9A 86 77 8C B7 F6
       :                 [ Another 142 bytes skipped ]
       :       }
497 119:     [0] {
499 117:       SEQUENCE {
501   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
512 104:         SET {
514 102:           SEQUENCE {
516  29:             SEQUENCE {
518   3:               OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
523  22:               OCTET STRING
       :                 04 14 A9 F7 11 5B 2B 85 74 6F 19 69 13 5C 1C 89
       :                 64 3B 38 A9 A2 2B
       :               }
547  69:             SEQUENCE {
549   3:               OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
554  62:               OCTET STRING
       :                 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
       :                 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
       :                 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
       :                 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
618  13:   SEQUENCE {
620   9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
631   0:     NULL
       :     }
633 257:   BIT STRING
       :     2F 9A 05 B0 DC 20 C8 7B 0D DD AD 6D DD 4B 04 6B
       :     8A AD BF 84 4C AB 78 28 D0 CF D7 0C 61 EF 74 14
       :     DC DC A2 19 35 78 8C 93 59 52 FC BB 63 F4 58 0D
       :     A9 C9 E6 CD 00 05 27 BB FA E5 85 32 43 72 BE D9
       :     60 C7 AF 3F 5C E9 D2 68 F8 6B 2F 2D 5B 53 D7 A6
       :     21 F5 DE C9 D6 F3 28 62 05 A8 04 71 44 DD 8B E1
       :     A6 3C AB 62 91 57 A4 44 BE 7B FD 30 9D 14 EC ED
       :     66 EA 25 45 EE 5C 65 00 7F 99 FA 74 20 A4 EC 51
       :             [ Another 128 bytes skipped ]
       :   }

so trying to use "id   = ASN_SERIAL_NUMBER" always make an invalid CSR.

Thanks a lot for your support,
Paul

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 140

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

/* serialNumber Attribute*/
    NameAttrib* n;

        n = &myCertName.name[0];
        n->id   = ASN_SERIAL_NUMBER;
        n->type = CTC_PRINTABLE;
        n->sz   = sizeof("1801908070");
        XMEMCPY(n->value, "1801908070", sizeof("1801908070"));
/* serialNumber Attribute*/

Change both sizeof to strlen. sizeof a string includes the null terminator. The null terminator on the string is getting included in your name's serial number attribute. The name building function uses memcpy() not strcpy().

David is correct that CSRs do not have a Serial Number and they are added by the CA, there is a "serialnumber" name attribute for your use.

And the "sn" attribute is the surname of the owner of the certificate, I believe it is used when you have a certificate for email signing purposes.

john's Website

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi,

using

...
/* serialNumber Attribute*/
    NameAttrib* n;

        n = &myCertName.name[0];
        n->id   = ASN_SERIAL_NUMBER;
        n->type = CTC_PRINTABLE;
        n->sz   = strlen("1801908070");
        XMEMCPY(n->value, "1801908070", strlen("1801908070"));
/* serialNumber Attribute*/

    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));
...

where I changed "sizeof" to "strlen" still produce invalid CSR.
As you can check  on https://github.com/wolfSSL/wolfTPM/blob … /csr.c#L67 "sizeof" is used with "XMEMCPY" in the example in other places.

"" result

-----BEGIN CERTIFICATE REQUEST-----
MIIDczCCAlsCAQIwgbYxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAA
AAAAADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJr2V/jfWyV4R6H9
5LN2SBavdQMW7cAP+ti7MuSIlEwDvU77otn1utzAbMKSaL53PiHasxyiEiD22MCD
o7IR1aeUvmd+7WXPvTYrmT/lVFlcD0RG0I3QkCD18tOXI6qhr6fYPbqUG3+J/q0q
zb0+N5aYIIVrXeWEzp45WK1BNRz7jbz2lTNmxo7KOxVnw23vZWmtFJbRJdjULaxF
/UBYdgzfLexoHYRi+NrTf5B4LYQLmVehoMw8Ktf7IY98ZWk62UumbJFbLatPT2RH
9KywvX9jk3s4pnSPlI52Cj4iWZ6dtgT06ZRqLy0UgipYB9ylu8g6/mVk+QitTpRo
K0sKG6cCAwEAAaB3MHUGCSqGSIb3DQEJDjFoMGYwHQYDVR0OBBYEFKp04Zy81iQg
2Y64oNzcbDMoeyd1MEUGA1UdJQQ+MDwGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEL
BQADggEBAJnyN3/9ubr0CBquIuVlXQacAW6ERnGMWWFOFfYgyFb5BwEGyWLsvMt4
k9OLkX7CqVz3xFfzOdtmqnslt3Ho80CrVhe5xTbS06mK3o3RBBoKkADPT+4QC8wn
XtVeKCHmtd3fOb5R+W4wxMHlCnR6wGQOL7y6ZgPQtvyruVvBr9lrghlZNPM4E7cH
UrhKkrPUFDUlQ+N3eAep6esAeu7AwLWjhBUVCiWJdvMOCE28Jo08sd2NY/xGwi3E
ijx82durYKSTimqPEI3c19SaMh7NLTLSy5WIBAd+ahea9ouJq3G4rqTipoNEe0b4
GySU/IVx+CET+YjBL4AygiqMiFee79g=
-----END CERTIFICATE REQUEST-----

Generated/Signed Cert (DER 494, PEM 741)
-----BEGIN CERTIFICATE REQUEST-----
MIIB6jCCAZACAQIwgbYxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAA
AAAAADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABO5NsRS06GhvzOhNOxHMhpyV
kzDTczrqp6gqxnObwGnXC4LtiG8ZpBgwwDVdwYVTQrrn6QwThgStQaKtnSDztIqg
dzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQWBBQnjtx0mDdWozjRUq8U0CHQ3eGE
0jBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEF
BQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMAoGCCqGSM49BAMCA0gAMEUCIQCZx6iH
0orLeUo53J6i5h/zs5ikmru2SroQavmywIgL2gIgHixEdr2y/tOY27HRH8QdTjwV
IMMbnrKtfdrwy3494hg=
-----END CERTIFICATE REQUEST-----

Verification result: see pos 157 "Error: Inconsistent object length, 1 byte difference."

Decoding Problem
Sorry, we were unable to fully decode the data provided

ASN.1 Information
  0 883: SEQUENCE {
  4 603:   SEQUENCE {
  8   1:     INTEGER 2
 11 182:     SEQUENCE {
 14  11:       SET {
 16   9:         SEQUENCE {
 18   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 23   2:           PrintableString 'US'
       :           }
       :         }
 27  15:       SET {
 29  13:         SEQUENCE {
 31   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 36   6:           UTF8String 'Oregon'
       :           }
       :         }
 44  17:       SET {
 46  15:         SEQUENCE {
 48   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 53   8:           UTF8String 'Portland'
       :           }
       :         }
 63  19:       SET {
 65  17:         SEQUENCE {
 67   3:           OBJECT IDENTIFIER surname (2 5 4 4)
 72  10:           UTF8String '1801908070'
       :           }
       :         }
 84  16:       SET {
 86  14:         SEQUENCE {
 88   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 93   7:           UTF8String 'wolfSSL'
       :           }
       :         }
102  12:       SET {
104  10:         SEQUENCE {
106   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
111   3:           UTF8String 'RSA'
       :           }
       :         }
116  24:       SET {
118  22:         SEQUENCE {
120   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
125  15:           UTF8String 'www.wolfssl.com'
       :           }
       :         }
142  31:       SET {
144  29:         SEQUENCE {
146   9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
157  16:           IA5String 'info@wolfssl.com'
       :           }
       :         }
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
       :         Error: Spurious EOC in definite-length item.
Error: Inconsistent object length, 1 byte difference.
       :       }
196 290:     SEQUENCE {
200  13:       SEQUENCE {
202   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
213   0:         NULL
       :         }
215 271:       BIT STRING
       :         30 82 01 0A 02 82 01 01 00 9A F6 57 F8 DF 5B 25
       :         78 47 A1 FD E4 B3 76 48 16 AF 75 03 16 ED C0 0F
       :         FA D8 BB 32 E4 88 94 4C 03 BD 4E FB A2 D9 F5 BA
       :         DC C0 6C C2 92 68 BE 77 3E 21 DA B3 1C A2 12 20
       :         F6 D8 C0 83 A3 B2 11 D5 A7 94 BE 67 7E ED 65 CF
       :         BD 36 2B 99 3F E5 54 59 5C 0F 44 46 D0 8D D0 90
       :         20 F5 F2 D3 97 23 AA A1 AF A7 D8 3D BA 94 1B 7F
       :         89 FE AD 2A CD BD 3E 37 96 98 20 85 6B 5D E5 84
       :                 [ Another 142 bytes skipped ]
       :       }
490 119:     [0] {
492 117:       SEQUENCE {
494   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
505 104:         SET {
507 102:           SEQUENCE {
509  29:             SEQUENCE {
511   3:               OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
516  22:               OCTET STRING
       :                 04 14 AA 74 E1 9C BC D6 24 20 D9 8E B8 A0 DC DC
       :                 6C 33 28 7B 27 75
       :               }
540  69:             SEQUENCE {
542   3:               OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
547  62:               OCTET STRING
       :                 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
       :                 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
       :                 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
       :                 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
611  13:   SEQUENCE {
613   9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
624   0:     NULL
       :     }
626 257:   BIT STRING
       :     99 F2 37 7F FD B9 BA F4 08 1A AE 22 E5 65 5D 06
       :     9C 01 6E 84 46 71 8C 59 61 4E 15 F6 20 C8 56 F9
       :     07 01 06 C9 62 EC BC CB 78 93 D3 8B 91 7E C2 A9
       :     5C F7 C4 57 F3 39 DB 66 AA 7B 25 B7 71 E8 F3 40
       :     AB 56 17 B9 C5 36 D2 D3 A9 8A DE 8D D1 04 1A 0A
       :     90 00 CF 4F EE 10 0B CC 27 5E D5 5E 28 21 E6 B5
       :     DD DF 39 BE 51 F9 6E 30 C4 C1 E5 0A 74 7A C0 64
       :     0E 2F BC BA 66 03 D0 B6 FC AB B9 5B C1 AF D9 6B
       :             [ Another 128 bytes skipped ]
       :   }

David is correct that CSRs do not have a Serial Number and they are added by the CA, there is a "serialnumber" name attribute for your use.

Corect, but CA requested and openssl can do, they will issue the certificate using own SerialNumber but they need in CSR the machine serial number.

I didn't find any "serialnumber" in "asn.h", can you detailed what is about?

Thanks a lot,
Paul

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi,

using this code with debug print:

/* csr.c
 *
 * Copyright (C) 2006-2018 wolfSSL Inc.
 *
 * This file is part of wolfTPM.
 *
 * wolfTPM is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfTPM is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */


#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
     defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)

#include <examples/tpm_io.h>
#include <examples/csr/csr.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>

static const char gClientCertRsaFile[] = "./certs/client-rsa-cert.csr";
static const char gClientCertEccFile[] = "./certs/client-ecc-cert.csr";

/******************************************************************************/
/* --- BEGIN TPM2 CSR Example -- */
/******************************************************************************/

 static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
    const char* outputPemFile)
 {
    int rc;
    Cert req;
//    const CertName myCertName = {
    static CertName myCertName = {
        .country = "US",        .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon",      .stateEnc = CTC_UTF8,        /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8,     /* locality */
        .sur = "1801908070",          .surEnc = CTC_UTF8,          /* sur */
        .org = "wolfSSL",       .orgEnc = CTC_UTF8,          /* org */
        .unit = "Development",  .unitEnc = CTC_UTF8,         /* unit */
        .commonName = "www.wolfssl.com",                     /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com"                          /* email */
    };

/* serialNumber Attribute*/
    NameAttrib* n;

        n = &myCertName.name[0];
        n->id   = ASN_SERIAL_NUMBER;
        n->type = CTC_PRINTABLE;
        n->sz   = strlen("1801908070");
        XMEMCPY(n->value, "1801908070", strlen("1801908070"));
/* serialNumber Attribute*/
/* serialNumber Attribute print for debug*/
    printf("\n\r\n\r id: 0x%02X ", myCertName.name[0].id);
    printf("type: 0x%02X ", myCertName.name[0].type);
    printf("sz: %02d ", myCertName.name[0].sz);
    printf("strlen: %02d ", strlen("1801908070"));
    printf("value: %s \n\r\n\r", (char*)&myCertName.name[0].value);
/* serialNumber Attribute print for debug*/
    
    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));

    /* make sure each common name is unique */
    if (key_type == RSA_TYPE) {
        req.sigType = CTC_SHA256wRSA;
        XSTRNCPY(req.subject.unit, "RSA", sizeof(req.subject.unit));
    }
    else if (key_type == ECC_TYPE) {
        req.sigType = CTC_SHA256wECDSA;
        XSTRNCPY(req.subject.unit, "ECC", sizeof(req.subject.unit));
    }

#ifdef WOLFSSL_CERT_EXT
    /* add SKID from the Public Key */
    rc = wc_SetSubjectKeyIdFromPublicKey_ex(&req, key_type, wolfKey);
    if (rc != 0) goto exit;

    /* add Extended Key Usage */
    rc = wc_SetExtKeyUsage(&req, myKeyUsage);
    if (rc != 0) goto exit;
#endif

    rc = wc_MakeCertReq_ex(&req, der.buffer, sizeof(der.buffer), key_type,
        wolfKey);
    if (rc <= 0) goto exit;
    der.size = rc;

    rc = wc_SignCert_ex(req.bodySz, req.sigType, der.buffer, sizeof(der.buffer),
        key_type, wolfKey, wolfTPM2_GetRng(dev));
    if (rc <= 0) goto exit;
    der.size = rc;

#ifdef WOLFSSL_DER_TO_PEM
    /* Convert to PEM */
    XMEMSET(output.buffer, 0, sizeof(output.buffer));
    rc = wc_DerToPem(der.buffer, der.size, output.buffer, sizeof(output.buffer),
        CERTREQ_TYPE);
    if (rc <= 0) goto exit;
    output.size = rc;

    printf("Generated/Signed Cert (DER %d, PEM %d)\n", der.size, output.size);
    printf("%s\n", (char*)output.buffer);

#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
    {
        FILE* pemFile = fopen(outputPemFile, "wb");
        if (pemFile) {
            rc = (int)fwrite(output.buffer, 1, output.size, pemFile);
            fclose(pemFile);
            if (rc != output.size) {
                rc = -1; goto exit;
            }
        }
    }
#endif
#endif /* WOLFSSL_DER_TO_PEM */
    (void)outputPemFile;

    rc = 0; /* success */

exit:
    return rc;
 }

int TPM2_CSR_Example(void* userCtx)
{
    int rc;
    WOLFTPM2_DEV dev;
    WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
    WOLFTPM2_KEY rsaKey;
    RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
    WOLFTPM2_KEY eccKey;
    ecc_key wolfEccKey;
#endif
    TPMT_PUBLIC publicTemplate;
    TpmCryptoDevCtx tpmCtx;
    int tpmDevId;

    printf("TPM2 CSR Example\n");

    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != 0) return rc;

    /* Setup the wolf crypto device callback */
#ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
#endif
    rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
    if (rc != 0) goto exit;

    /* See if primary storage key already exists */
    rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
        TPM2_DEMO_STORAGE_KEY_HANDLE);
    if (rc != 0) {
        /* Create primary storage key */
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
            &publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
            TPM2_DEMO_STORAGE_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for storage key */
        storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
        XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
            storageKey.handle.auth.size);
    }

#ifndef NO_RSA
    /* Create/Load RSA key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
            TPM2_DEMO_RSA_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for RSA key */
        rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
    }

    /* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
    rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf RSA Key */
    rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
    if (rc != 0) goto exit;
#endif /* !NO_RSA */


#ifdef HAVE_ECC
    /* Create/Load ECC key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
            TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
            TPM2_DEMO_ECC_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for ECC key */
        eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
    }

    /* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
    rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf ECC Key */
    rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
    if (rc != 0) goto exit;
#endif /* HAVE_ECC */

exit:

    if (rc != 0) {
        printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
    }

#ifndef NO_RSA
    wc_FreeRsaKey(&wolfRsaKey);
    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
    wc_ecc_free(&wolfEccKey);
    wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif

    wolfTPM2_Cleanup(&dev);

    return rc;
}

/******************************************************************************/
/* --- END TPM2 CSR Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */

#ifndef NO_MAIN_DRIVER
int main(void)
{
    int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
     defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
    rc = TPM2_CSR_Example(NULL);
#else
    printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
    printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptodev\n");
#endif

    return rc;
}
#endif /* !NO_MAIN_DRIVER */

output this:

root@raspberrypi:/home/pi/wolfTPM# make
make -j5  all-am
make[1]: Entering directory '/home/pi/wolfTPM'
  CC       examples/csr/csr.o
  CCLD     examples/csr/csr
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example


 id: 0x05 type: 0x13 sz: 10 strlen: 10 value: 1801908070

Generated/Signed Cert (DER 887, PEM 1273)
-----BEGIN CERTIFICATE REQUEST-----
MIIDczCCAlsCAQIwgbYxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAA
AAAAADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJr2V/jfWyV4R6H9
5LN2SBavdQMW7cAP+ti7MuSIlEwDvU77otn1utzAbMKSaL53PiHasxyiEiD22MCD
o7IR1aeUvmd+7WXPvTYrmT/lVFlcD0RG0I3QkCD18tOXI6qhr6fYPbqUG3+J/q0q
zb0+N5aYIIVrXeWEzp45WK1BNRz7jbz2lTNmxo7KOxVnw23vZWmtFJbRJdjULaxF
/UBYdgzfLexoHYRi+NrTf5B4LYQLmVehoMw8Ktf7IY98ZWk62UumbJFbLatPT2RH
9KywvX9jk3s4pnSPlI52Cj4iWZ6dtgT06ZRqLy0UgipYB9ylu8g6/mVk+QitTpRo
K0sKG6cCAwEAAaB3MHUGCSqGSIb3DQEJDjFoMGYwHQYDVR0OBBYEFKp04Zy81iQg
2Y64oNzcbDMoeyd1MEUGA1UdJQQ+MDwGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEL
BQADggEBAJnyN3/9ubr0CBquIuVlXQacAW6ERnGMWWFOFfYgyFb5BwEGyWLsvMt4
k9OLkX7CqVz3xFfzOdtmqnslt3Ho80CrVhe5xTbS06mK3o3RBBoKkADPT+4QC8wn
XtVeKCHmtd3fOb5R+W4wxMHlCnR6wGQOL7y6ZgPQtvyruVvBr9lrghlZNPM4E7cH
UrhKkrPUFDUlQ+N3eAep6esAeu7AwLWjhBUVCiWJdvMOCE28Jo08sd2NY/xGwi3E
ijx82durYKSTimqPEI3c19SaMh7NLTLSy5WIBAd+ahea9ouJq3G4rqTipoNEe0b4
GySU/IVx+CET+YjBL4AygiqMiFee79g=
-----END CERTIFICATE REQUEST-----



 id: 0x05 type: 0x13 sz: 10 strlen: 10 value: 1801908070

Generated/Signed Cert (DER 495, PEM 741)
-----BEGIN CERTIFICATE REQUEST-----
MIIB6zCCAZACAQIwgbYxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAA
AAAAADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABO5NsRS06GhvzOhNOxHMhpyV
kzDTczrqp6gqxnObwGnXC4LtiG8ZpBgwwDVdwYVTQrrn6QwThgStQaKtnSDztIqg
dzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQWBBQnjtx0mDdWozjRUq8U0CHQ3eGE
0jBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEF
BQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMAoGCCqGSM49BAMCA0kAMEYCIQCrvAIb
uazflUMm8vU8HP5LBVzfq1T445id20n9VeSABAIhALCSQiXv4VTGF+fbAIbE1pN9
lYjiUuWSItro5j5aUUNq
-----END CERTIFICATE REQUEST-----

so id, type, sz, values looks ok, as i set them, but CSR is still invalid.

Thanks,
Paul

Share

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi ePaul,

The code changes to use multi-attrib for serial number are not valid. In fact the serial number field is different all-together and is not encoded into a CSR.

If you'd like to have a unique identifier in the certificate typically that goes into one of the subject fields such as common name. The only valid mult-attrib fields are: ASN_ORGUNIT_NAME and ASN_DOMAIN_COMPONENT.

Example here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L8564

If you are going to use the multi-attrib fields then make sure the csr.c `CertName myCertName` is not const (I see you made it static above, which is fine).

Thanks,
David Garske, wolfSSL

Share

22 Reply by ePaul (edited by ePaul 2018-09-07 11:15:59)

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

dgarske wrote:

Hi ePaul,

The code changes to use multi-attrib for serial number are not valid. In fact the serial number field is different all-together and is not encoded into a CSR.

If you'd like to have a unique identifier in the certificate typically that goes into one of the subject fields such as common name. The only valid mult-attrib fields are: ASN_ORGUNIT_NAME and ASN_DOMAIN_COMPONENT.

Example here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L8564

If you are going to use the multi-attrib fields then make sure the csr.c `CertName myCertName` is not const (I see you made it static above, which is fine).

Thanks,
David Garske, wolfSSL

Hi David,
in first paragraph you are saying that code changes are not valid, but in last one you said it is fine that I made it static, so the code is correct?

As you can check in the link on my fist post:
https://www.alvestrand.no/objectid/2.5.4.5.html

2.5.4.5 - id-at-serialNumber
Submitted by j.onions at nexor.co.uk from host trident.nexor.co.uk (128.243.9.9) on Mon Jan 13 11:46:05 MET 1997 using a WWW entry form.
OID value: 2.5.4.5

OID description:
The Serial Number attribute type specifies an identifier, the serial number of a device.

An attribute value for Serial Number is a printable string.

serialNumber ATTRIBUTE ::= {
    WITH SYNTAX PrintableString (SIZE (1..ub-serialNumber))
    EQUALITY MATCHING RULE caseIgnoreMatch
    SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
    ID id-at-serialNumber
}

Thanks a lot,
Paul

Share

23 Reply by dgarske (edited by Kaleb J. Himes 2018-09-10 08:46:07)

  • Registered: 2015-10-07
  • Posts: 415

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi Paul,

We will look into supporting this feature. I've started an email thread with another engineer. Your code may be valid, but wolfSSL doesn't yet support the serial number as part of the multi-attrib.

Thanks,
David Garske, wolfSSL

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 298

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

There was some existing code to handle the device serial number OID, but it was missing from the structures you were attempting to use. I added serial number elements to the Cert and DecodedCert structures, and modified the internal methods to support these. You can review these changes in https://github.com/wolfSSL/wolfssl/pull/1826

Thanks,
Eric B
wolfSSL Support

embhorn's Website

Share

  • Registered: 2018-08-29
  • Posts: 16

Re: [SOLVED] How to create CSR with serialNumber using wolfSSL & wolfTPM

Hi Eric,

Thanks for the update, for the moment I can't test'it due to other tasks I must finish, but I will come back with feedback soon as possible.

Thanks,

Paul

Share