1 (edited by astc 2023-10-23 07:07:01)

Topic: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

I want to do an mTLS connection between a server (STM32 board) and a client (Linux) via UART.
When I was using secp224r1 on both the client and the server, everything was working fine.
If I use a hardcoded certificate in the server that I generated with openssl, I get MATCH_SUITE_ERROR on the server and FATAL_ERROR on the client.
If I generate a new certificate in the server, I get ASN_PARSE_E on the server and OUT_OF_ORDER_E on the client, but this could be my fault, related to the fact that I am sending a CSR to the client to sign it with openssl.
The server and client are using the same CA certificate.

I compiled wolfSSL on Linux with

./configure --enable-ecc --enable-debug --enable-ecccustcurves=all

and on the board I have defined

HAVE_ECC WOLFSSL_CUSTOM_CURVES HAVE_ECC_BRAINPOOL

and HAVE_ALL_CURVES.

The error seems to be in PickHashSigAlgo(): wolfSSL doesn't find an "exact match" in the CmpEccStrength() function. The signature algorithm in the certificates is ecdsa-with-SHA256.


2 (edited by astc 2023-10-20 03:56:30)

Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

I am doing some tests sending and receiving data using secp256r1 for the CA certificate and the server certificate.
These are the curves that I tested with the client:

prime256v1                 Works
brainpoolP224r1            -425
brainpoolP256r1            Sends but fails to receive -313
brainpoolP256t1            Error loading the certificate
secp224r1                  -425
brainpoolP512r1            -425
brainpoolP192r1            Error loading the certificate
wap-wsg-idm-ecid-wtls12    Error loading the certificate
c2tnb239v3                 Error loading the certificate
secp256k1                  Sends but fails to receive -313
brainpoolP320r1            -425


Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

Error 313 fails on normal_ecc_mul2add


Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

Hi astc

Welcome to the wolfSSL forums.

Are you able to run the wolfCrypt tests on your platform? It's a good idea to verify the core cryptography first to be sure there is not some underlying problem.
https://github.com/wolfSSL/wolfssl/tree … crypt/test

Thanks,
Eric - wolfSSL Support

Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

Yes, all the tests are working. I think it could be a memory error; I should try to increase the heap.


Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

Increasing the heap solved the -425 error; now I have a new one, -330. Debugging, I can see that it fails during ecc_verify_hash(), when it compares whether v == r and fails. What does this mean?


Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

That code corresponds to VERIFY_SIGN_ERROR, which indicates that the signature is invalid.

Are you using STM32 Cube IDE with the wolfSSL cube pack? What configuration are you using?

Re: [SOLVED] MATCH_SUITE_ERROR using brainpoolP224r1

Thank you for your help, I solved it using two brainpoolP256r1 certificates.
