Topic: swupdate PKCS7_verify failing with Musl

Hello wolfSSL community,

I am evaluating the use of wolfSSL (5.3.0) as an alternative to OpenSSL and was looking at a patch for swupdate that allows wolfSSL to fit. I have tested this patch with glibc and it works. However, switching to musl seems to allow the certificate loading when swupdate starts works but later on when the actual update is triggered failure strikes when verifying the signature. This is making use of the PKCS7 functionality to handle CMS.

With wolfSSL 5.3.0 it seems under the opinion that there is "No certificate in buffer" at least from the comment in the source.

wolfSSL error occurred, error = 162 line:9308 file:../git/src/x509.c
[ERROR] : SWUPDATE failed [0] ERROR : Signature verification failed
[ERROR] : SWUPDATE failed [0] ERROR : Compatible SW not found

These are the patches I'm using incase something is wrong with that implementation that doesn't show up on glibc.
- swupdate Patch 0/2 https://groups.google.com/g/swupdate/c/VYbam7AvMgE
- swupdate Patch 1/2 https://groups.google.com/g/swupdate/c/Q5Vie_hU190
- swupdate Patch 2/2 https://groups.google.com/g/swupdate/c/WFrWg_w1ows

Share

Re: swupdate PKCS7_verify failing with Musl

Hello avlec,

Please retry with our latest release, 5.6.0, and let me know if it helps.
If not, please enable debug logging in wolfSSL and attach a debug log here.  To enable debug logging, build wolfSSL with --enable-debug and run wolfSSL_Debugging_ON() at the start of your program.
Please also include your build config (./configure line).

Thanks,
Kareem

Share

Re: swupdate PKCS7_verify failing with Musl

Thanks for the quick reply Kareem,

I am using Yocto to build for my device and was having trouble getting it to build 5.6.0. There was an error about a missing build-time command colrm, then there appears to be some more complex problem where it generates a header file in a different directory which it then of course cannot see (options.h.in).

Anyways, I was able to try with version 5.5.4 and saw the following error

wolfSSL error occurred, error = 150 line:14287 file:../git/wolfcrypt/src/asn.c
wolfSSL error occurred, error = 162 line:10343 file:../git/src/x509.c
wolfSSL error occurred, error = 188 line:22181 file:../git/wolfcrypt/src/asn.c
[ERROR] : SWUPDATE failed [0] ERROR : Signature verification failed
[ERROR] : SWUPDATE failed [0] ERROR : Compatible SW not found

The first error indicated that the system time was before the certificates which is correct. So I fixed that and then tried updating again and it just had a repeat of the last error. What's weird is when I updated the system time then restarted swupdate it works without a hitch. Similarly if I set the date to something current earlier in the init cycle than swupdate it works.

We have an application come in a bit after swupdate starts up that manages the time, so I guess with glibc that works for some reason where with musl it doesnt?

Share

Re: swupdate PKCS7_verify failing with Musl

Hello avlec,

Yes, this is expected.  As part of certificate validation, we ensure that the current system time falls between the notBefore and notAfter dates from the certificate.  To perform this check, the system time must be set correctly before running wolfSSL.
We get the current system time using gmtime_s, gmtime_r or gmtime, depending on which is available on the system.  It's possible that glibc supports a gmtime call which musl does not, which is causing the behavior difference you are seeing.
You can run strace on your application to confirm which time call we are using, and whether it is returning a valid date.

Thanks,
Kareem

Share

Re: swupdate PKCS7_verify failing with Musl

Thanks Kareem,

That all seems to make sense!

Share

Re: swupdate PKCS7_verify failing with Musl

Hey Kareem,

Would there be anyway to refresh the time without having to restart the application (swupdate)?

Share