1 (edited by waigor 2019-10-06 16:57:08)

Topic: How to set subject alternative name (SAN) in WolfSSL?

Hi there,

I have difficulty with setting the subject alternative name (IP address: xxx.xxx.xxx.xxx) for the certificate in WolfSSL. I tried using the method in this post https://www.wolfssl.com/forums/topic140 … l-api.html as the code below:

    Cert myCert;
    char myAltNames[CTC_MAX_ALT_SIZE]="IP Address: 169.254.50.10";
    XMEMCPY(myCert.altNames, myAltNames, XSTRLEN(myAltNames));
    myCert.altNamesSz = XSTRLEN(myAltNames);

I also tried using the function wc_SetAltNames() with a .pem file (full details on this page: https://wolfssl.com/doxygen/group__ASN.html). Neither of them works for me; they both generate invalid certificates. In Firefox, it has this error code: SSL_ERROR_RX_RECORD_TOO_LONG.

When I open the generated certificate file in Windows, it says invalid. The source code of the certificate looks quite invalid to me too.


Without anything related to this alternative name, my code works perfectly fine and the generated certificate was "valid" (with no SAN field).


How could I solve this? All I want is to add just something like this in the subject alternative name field in the certificate file:
     
      IP Address: XXX.XXX.XXX.XXX

Thank you in advance.


2 (edited by Kaleb J. Himes 2019-10-07 08:29:50)

Re: How to set subject alternative name (SAN) in WolfSSL?

Hi waigor,

Thank you for reaching out to wolfSSL. Can you share a bit about what you are working on and end goals for your project? This helps us to better classify the inquiry for our records.

<EDIT>

Setting the SAN in CSR generation is not supported at this time. Using the method described in the other post is supported when generating an actual certificate.

Other Post: https://www.wolfssl.com/forums/topic140 … l-api.html

<END EDIT>


Warm Regards,

K

3 (edited by waigor 2019-10-07 18:20:48)

Re: How to set subject alternative name (SAN) in WolfSSL?

Hi Kaleb,

I am currently using WolfSSL to generate self-signed certificates for the offline web servers. In the SAN case, I am working on putting the IP address of the web server into the SAN field.

Here is part of the code (including the code you gave me) to generate the certificate. The code was working perfectly fine without the SAN part (even the certificate generated with your new code is still invalid):

    Cert myCert;
    unsigned char *keyPem;
    int keyPemLen = 0;
    unsigned char *keyDer;
    int keyDerLen = 0;
    int certPemLen = 0;
    int ret = -1;
    word32 idx = 0;
    int certSz = 0;
    unsigned char *certDer;
    int certDerSz;
    unsigned char *certPem;
    ecc_key privKey, pubKey;
    RNG    rng;
    FILE *f;

    wc_InitRng(&rng);
    keyPem = malloc(4096);
    keyDer = malloc(4096);
    certDer = malloc(4096);
    certPem = malloc(4096);

    wc_InitCert(&myCert);


    char myAltNames[] = {
        // SEQUENCE (2 elements)
        0x30, 0x14,
        // OBJECT IDENTIFIER: 2.5.29.17 subjectAltName
        // (X.509 extension)
        0x06, 0x03, 0x55, 0x1D, 0x11,
        // OCTET STRING (1 element)
        0x04, 0x0D, // NOTE: 0x0D = length 13, this needs to be updated based on string length
        // SEQUENCE (1 element)
        0x30, 0x0B,
        // String, value: "DNS:localhost"
        0x82, 0x09, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68,
        0x6F, 0x73, 0x74
    };
        strncpy(myCert.subject.country, "NZ", CTC_NAME_SIZE);
        strncpy(myCert.subject.state, "Auckland", CTC_NAME_SIZE);
        strncpy(myCert.subject.locality, "CBD", CTC_NAME_SIZE);
        strncpy(myCert.subject.org, "Test Ltd", CTC_NAME_SIZE);
        strncpy(myCert.subject.unit, "WEB Server", CTC_NAME_SIZE);
        XMEMCPY(myCert.altNames, myAltNames, XSTRLEN(myAltNames));              
        myCert.altNamesSz = (int) sizeof(myAltNames);    

        myCert.daysValid = 365 * 20;

         ret = wc_ecc_make_key(&rng, keyLen / 8, &privKey);
    
        if (ret != 0)
            goto error_out;
    
        ret = wc_ecc_make_key(&rng, keyLen / 8, &pubKey);
    
        if (ret != 0)
            goto error_out;
        
        myCert.sigType = CTC_SHA256wECDSA;

//        ret = wc_SetAltNames(&myCert,"a:/xxx/xxx.pem");
//        
//        if (ret != 0){
//            goto error_out;
//        }
        certSz = wc_MakeSelfCert(&myCert, certDer, 4096, &rsaKey, &rng);
        
        if(certSz <= 0)
        {
            ret = 1;
            wc_FreeRsaKey(&rsaKey);
            goto error_out;
        }
        
        certSz = wc_SignCert(myCert.bodySz, myCert.sigType, certDer, 4096, NULL, &privKey, &rng);
        
        if(certSz <= 0)
        {
            ret = 1;
            goto error_out;
        }
        
        certPemLen = wc_DerToPem(certDer, certSz, certPem, 4096, CERT_TYPE);
        
        if( certPemLen <= 0 )
        {
            ret = 1;
            goto error_out;
        }
        
        keyDerLen = wc_EccKeyToDer(&privKey, keyDer, 4096);
        
        if(keyDerLen <= 0)
        {
            ret = 1;
            goto error_out;
        }
        
        keyPemLen = wc_DerToPem(keyDer, keyDerLen, keyPem, 4096, ECC_PRIVATEKEY_TYPE);
        
        if( keyPemLen <= 0 )
        {
            ret = 1;
            goto error_out;
        }
    f = fopen("D:/xxx.crt", "wb");
    if (f)
    {
        unsigned char *ptr = certPem;
        do {
            ret = fwrite(ptr, 1, certPemLen, f);
            if( ret <= 0 )
                break;
            certPemLen -= ret;
            ptr += ret;
        } while( certPemLen > 0 );
        fclose(f);
    }
    
    f = fopen("D:/xxx.key", "wb");
    if (f)
    {
        unsigned char *ptr = keyPem;
        do {
            ret = fwrite(ptr, 1, keyPemLen, f);
            if( ret <= 0 )
                break;
            keyPemLen -= ret;
            ptr += ret;
        } while( keyPemLen > 0 );
        fclose(f);
    }

The part that uses wc_SetAltNames is commented out in the code above. Please see if I am using it correctly.

Apart from this, I also define the following at the beginning of asn_public.h to enable the SAN:

    #define WOLFSSL_ALT_NAMES

Am I putting the SAN part in the right place? Since you mention that the SAN needs to be in ASN.1 format and the Cert structure does not seem to be related to ASN.1 ....

Looking forward to your reply :)

Thanks
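
Added example, not part of the posts above and not wolfSSL code: the byte array in the post encodes a DNS name, while an IP address entry uses GeneralName tag 0x87 ([7] iPAddress) with the four raw address bytes as its value rather than text. The hypothetical helpers `put_tlv()` and `build_san_ext()` compute the nested DER lengths instead of hand-editing them; the sketch assumes, as the posted array does, that the whole encoded extension is what gets copied into `Cert.altNames`, with `altNamesSz` set to the returned length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; put_tlv() and build_san_ext() are hypothetical helpers,
 * not wolfSSL API. Short-form DER lengths only (every length < 128). */
static size_t put_tlv(uint8_t *out, uint8_t tag, const void *val, size_t len)
{
    out[0] = tag;
    out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return 2 + len;
}

/* DER-encode a subjectAltName extension with an optional dNSName and an
 * optional IPv4 iPAddress. Returns bytes written, or 0 on bad input. */
size_t build_san_ext(const char *dns, const uint8_t ip4[4],
                     uint8_t *out, size_t outSz)
{
    static const uint8_t oidSan[] = { 0x55, 0x1D, 0x11 };   /* 2.5.29.17 */
    uint8_t names[127], seq[127], ext[127];
    size_t n = 0, s, e, dnsLen = dns ? strlen(dns) : 0;

    if (dns && (dnsLen == 0 || dnsLen > 100))
        return 0;                       /* keeps all lengths below 128 */
    if (dns)
        n += put_tlv(names + n, 0x82, dns, dnsLen);  /* [2] dNSName */
    if (ip4)
        n += put_tlv(names + n, 0x87, ip4, 4);       /* [7] iPAddress, raw bytes */
    if (n == 0)
        return 0;
    s = put_tlv(seq, 0x30, names, n);                /* GeneralNames SEQUENCE */
    e = put_tlv(ext, 0x06, oidSan, sizeof oidSan);   /* extnID */
    e += put_tlv(ext + e, 0x04, seq, s);             /* extnValue OCTET STRING */
    if (e + 2 > outSz)
        return 0;
    return put_tlv(out, 0x30, ext, e);               /* Extension SEQUENCE */
}

int main(void)
{
    const uint8_t ip[4] = { 169, 254, 50, 10 };      /* address from the first post */
    uint8_t san[64];
    size_t i, len = build_san_ext(NULL, ip, san, sizeof san);
    for (i = 0; i < len; i++)
        printf("%02X ", san[i]);
    putchar('\n');
    return 0;
}
```

Called with `"localhost"` and no IP, the function reproduces the 22-byte array posted above byte for byte.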


Re: How to set subject alternative name (SAN) in WolfSSL?

Hi waigor,

I was just doing some code review for another customer and while I can confirm setting the SAN using this method does work when generating a real cert, it looks like setting the SAN in a CSR is not supported, I do apologize.

I am checking with our ASN.1 experts to see if this was ever supported for certificate requests or only with cert generation.

I'll let you know what I find out.

Warm Regards,

K

Re: How to set subject alternative name (SAN) in WolfSSL?

Hi Kaleb,

Please inform me if there's an update :)

Thanks


Re: How to set subject alternative name (SAN) in WolfSSL?

Hi waigor,

I just heard back from the team and I must apologize, I gave you some invalid advice on setting SAN in a CSR. This has never been supported. Setting the SAN using the method I described when generating an actual certificate is supported, with a certificate signing request it is not (and never has been) supported.

Is missing this feature a blocker for your project?

Warm Regards,

K

Re: How to set subject alternative name (SAN) in WolfSSL?

Hi Kaleb,

Thanks for your information.

Actually, our project was completed. However, due to the recent update in Chrome, since version 72, Chrome is defining any certificate (which was working fine with Firefox and IE for the past 5+ years) without a SAN field as "invalid", and is unable to establish TCP connections. So we are just working on updating those self-signed certificates.

Thanks


8 (edited by Kaleb J. Himes 2019-10-09 13:18:48)

Re: How to set subject alternative name (SAN) in WolfSSL?

waigor,

Gotcha, I did just run a quick test using the openSSL command line tool and it does work:

Save this to file "tmp.txt"

    [ req ]
    default_bits = 4096
    prompt = no
    encrypt_key = no
    default_md = sha256
    distinguished_name = dn
    req_extensions = req_ext

    [ dn ]
    CN = myquicktest.com
    emailAddress = kaleb@wolfssl.com
    O = wolfSSL Inc.
    OU = Support
    L = Florence
    ST = MT
    C = US

    [ req_ext ]
    subjectAltName = DNS: www.domain1.com, DNS: www.domain2.com, DNS: www.domain3.com

Run the command:

    openssl req -new -config tmp.txt -keyout myquicktest.key -out myquicktest.csr

Upload the contents of myquicktest.csr to the csr checker at https://ssltools.digicert.com/checker/v … rCheck.jsp

SANs are included. (See attached screenshot)

Not sure why the CSR checker complains about us Montanans but apparently it doesn't know what state MT is :-)

- K


Re: How to set subject alternative name (SAN) in WolfSSL?

Hi Kaleb,

Thanks for that. I already achieved that in openSSL :) Since our device is embedded and not running on Linux or Windows, and we already have WolfSSL built into the device, I just wanna see if WolfSSL can do the same job, as we expect our device to generate its own self-signed certificate.

Regards


Re: How to set subject alternative name (SAN) in WolfSSL?

waigor,

Understood. I will bring this up with the team. Would you like to formally request this as a feature addition? If this ever does become a blocker for the project, wolfSSL can accelerate feature additions anytime through our Business department.

Warm Regards,

K