Topic: Get Client Cert from TLS Handshake

Hi,

I want to verify that the client certificate belongs to a particular user that is logging in to a system.  Is there a way to get the client's public key or certificate from the TLS handshake so that I can cross-check it against a database that holds the user name and public key/cert, or something like that?   I am already verifying the peer with wolfSSL_CTX_set_verify.  However, I am unable to match it to the user logging in by public key/certificate, which is done at a later stage in my authentication system, because I am unable to get the public key/cert from the handshake.  For now I am sending the client certificate over the TLS link, but it does not seem to be the most appropriate solution.  Any suggestions?

Thank you for all your help.

cfarrin


Re: Get Client Cert from TLS Handshake

Hi cfarrin,

When calling wolfSSL_CTX_set_verify(), the optional third parameter allows an application to register a verify callback.  By default, this callback only gets called upon verification failure.  It can be switched to be called every time by defining WOLFSSL_ALWAYS_VERIFY_CB when compiling wolfSSL, i.e.:

cd wolfssl-3.6.6
./configure <options> C_EXTRA_FLAGS="-DWOLFSSL_ALWAYS_VERIFY_CB"
make

Inside this callback, your application can inspect the peer certificate.  You can look in <wolfssl_root>/wolfssl/test.h, myVerify() for an example.

Best Regards,
Chris

Re: Get Client Cert from TLS Handshake

Hi, thanks for the response.  However, I still have an issue.  As you mentioned, I looked at the myVerify example and tried the following:

#include <wolfssl/options.h>   /* must come before any other wolfSSL header */
#include <wolfssl/ssl.h>

#include <cyassl/openssl/ssl.h>
#include <wolfssl/test.h>      /* FOURK_BUF */

.
.
.
.

char* wolfSSL_X509_get_pubKey(WOLFSSL_X509* x509, int *outSz)
{
    WOLFSSL_ENTER("wolfSSL_X509_get_pubKey");

    if (x509 == NULL || outSz == NULL)
        return NULL;

    /* x509->pubKey is a member of the WOLFSSL_X509 struct, which the public
     * headers only forward-declare; these are the lines the compiler rejects below */
    *outSz = (int)x509->pubKey.length;
    return (char*)x509->pubKey.buffer;
}

int main(void)
{
    WOLFSSL_X509*   peerCert;
    char*           peer_pubKey;
    int             peer_pubKeySz;
    WOLFSSL*        s;
    char            buffer[1024];
    int             nbytes;

    .
    .
    .
    nbytes = wolfSSL_read(s, buffer, sizeof(buffer));
    peerCert = wolfSSL_get_peer_certificate(s);
    peer_pubKey = wolfSSL_X509_get_pubKey(peerCert, &peer_pubKeySz);

    return 0;
}

However, when I compile it I get:

SSL2CRL.c: In function ‘wolfSSL_X509_get_pubKey’:
SSL2CRL.c:147:20: error: dereferencing pointer to incomplete type
  *outSz = (int)x509->pubKey.length;
                    ^
SSL2CRL.c:148:13: error: dereferencing pointer to incomplete type
  return x509->pubKey.buffer;


For some reason the compiler is having some issues with the WOLFSSL_X509 structure.  My guess is that I need to include another library, but I do not know which one.  Thanks for the help.

cfarrin


Re: Get Client Cert from TLS Handshake

Hi, I solved it the following way:
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/asn.h>   /* DecodedCert, InitDecodedCert, ParseCert, FreeDecodedCert */
#include <wolfssl/test.h>            /* FOURK_BUF */
WOLFSSL *s;
WOLFSSL_X509 *peerCert; const unsigned char *peer_derCertCnst;
unsigned char peer_derCert[FOURK_BUF], pubKey[FOURK_BUF];
int peer_derCertSz, ret;
DecodedCert cert;
.
.
peerCert = wolfSSL_get_peer_certificate(s);
peer_derCertCnst = wolfSSL_X509_get_der(peerCert, &peer_derCertSz);
if (peer_derCertCnst != NULL && peer_derCertSz <= (int)sizeof(peer_derCert)) {
    XMEMCPY(peer_derCert, peer_derCertCnst, peer_derCertSz);  /* InitDecodedCert wants a writable copy */
    InitDecodedCert(&cert, peer_derCert, peer_derCertSz, 0);
    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
    if (ret == 0) XMEMCPY(pubKey, cert.publicKey, cert.pubKeySize);  /* DER SubjectPublicKeyInfo */
    FreeDecodedCert(&cert);
}

However, I do think a wolfSSL_X509_get_pubKey(peerCert, &peer_pubKeySz) should be added to ssl.c to make things easier.  Thanks for the help.

char* wolfSSL_X509_get_pubKey(WOLFSSL_X509* x509, int *outSz)
{
    WOLFSSL_ENTER("wolfSSL_X509_get_pubKey");
    if (x509 == NULL || outSz == NULL)
        return NULL;
    /* inside ssl.c the WOLFSSL_X509 layout is visible, so this compiles there */
    *outSz = (int)x509->pubKey.length;
    return (char*)x509->pubKey.buffer;
}


Re: Get Client Cert from TLS Handshake

Hi cfarrin,

wolfSSL does currently have a function similar to that in <wolfssl/ssl.h>:

WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509);

This will return a WOLFSSL_EVP_PKEY structure pointer (ex: mykey), from which you could get the DER formatted public key from mykey->pkey.ptr of size mykey->pkey_sz.

Best Regards,
Chris
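Added example, not code from this thread or from wolfSSL: what to do with the DER bytes once you have them, i.e. the user-binding check the original question asks about. In a real server the certificate bytes come from wolfSSL_X509_get_der() on the WOLFSSL_X509 returned by wolfSSL_get_peer_certificate() (or the SubjectPublicKeyInfo directly from the pkey.ptr/pkey_sz of wolfSSL_X509_get_pubkey()). The certificate below is a constructed, structurally valid placeholder (empty issuer/subject/validity, dummy OIDs and key bits), not a real certificate, so the block runs without wolfSSL; the DER walk mirrors the path ParseCert() takes to reach subjectPublicKeyInfo. The user table, the two placeholder keys and all function names are assumptions made for the example.

```c
/* Added example: bind a handshake-verified client certificate to a user record.
 * Run this only AFTER wolfSSL has verified the chain (wolfSSL_CTX_set_verify with
 * SSL_VERIFY_PEER); nothing here checks a signature. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parse one DER tag/length header at buf[pos]; short form and 1-2 byte long form only. */
static int der_hdr(const uint8_t *buf, size_t n, size_t pos,
                   uint8_t *tag, size_t *len, size_t *hlen)
{
    size_t i = pos;
    if (i + 2 > n) return -1;
    *tag = buf[i++];
    uint8_t b = buf[i++];
    if (b < 0x80)       { *len = b; }
    else if (b == 0x81) { if (i + 1 > n) return -1; *len = buf[i++]; }
    else if (b == 0x82) { if (i + 2 > n) return -1; *len = ((size_t)buf[i] << 8) | buf[i + 1]; i += 2; }
    else return -1;                    /* indefinite or oversized length: reject */
    *hlen = i - pos;
    if (*len > n - i) return -1;       /* element would run past the buffer */
    return 0;
}

/* Locate subjectPublicKeyInfo (header included) inside a DER Certificate. */
int find_spki(const uint8_t *cert, size_t n, const uint8_t **spki, size_t *spki_len)
{
    uint8_t tag; size_t len, hlen, pos = 0, end;
    /* tbsCertificate fields between the optional [0] version and the SPKI:
     * serialNumber INTEGER, signature SEQ, issuer SEQ, validity SEQ, subject SEQ */
    static const uint8_t before_spki[] = { 0x02, 0x30, 0x30, 0x30, 0x30 };

    if (der_hdr(cert, n, pos, &tag, &len, &hlen) || tag != 0x30) return -1;   /* Certificate */
    pos += hlen; end = pos + len;
    if (der_hdr(cert, end, pos, &tag, &len, &hlen) || tag != 0x30) return -1; /* tbsCertificate */
    pos += hlen; end = pos + len;
    if (der_hdr(cert, end, pos, &tag, &len, &hlen)) return -1;
    if (tag == 0xA0) pos += hlen + len;                                       /* [0] version, optional */
    for (size_t k = 0; k < sizeof before_spki; k++) {
        if (der_hdr(cert, end, pos, &tag, &len, &hlen) || tag != before_spki[k]) return -1;
        pos += hlen + len;
    }
    if (der_hdr(cert, end, pos, &tag, &len, &hlen) || tag != 0x30) return -1; /* subjectPublicKeyInfo */
    *spki = cert + pos; *spki_len = hlen + len;
    return 0;
}

/* Content comparison without an early exit on the first differing byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Constructed enrolled keys (SEQUENCE { AlgorithmIdentifier, BIT STRING }); placeholders, not real keys. */
static const uint8_t ALICE_SPKI[] = { 0x30,0x0c, 0x30,0x03,0x06,0x01,0x2a, 0x03,0x05,0x00,0xde,0xad,0xbe,0xef };
static const uint8_t BOB_SPKI[]   = { 0x30,0x0c, 0x30,0x03,0x06,0x01,0x2a, 0x03,0x05,0x00,0xca,0xfe,0xf0,0x0d };

struct user { const char *name; const uint8_t *spki; size_t spki_len; };
static const struct user USERS[] = {          /* stands in for the user-name/public-key database */
    { "alice", ALICE_SPKI, sizeof ALICE_SPKI },
    { "bob",   BOB_SPKI,   sizeof BOB_SPKI   },
};

/* Owner of the key in the presented certificate, or NULL if no enrolled key matches. */
const char *user_from_client_cert(const uint8_t *cert, size_t n)
{
    const uint8_t *spki; size_t spki_len;
    if (find_spki(cert, n, &spki, &spki_len)) return NULL;
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (USERS[i].spki_len == spki_len && ct_equal(USERS[i].spki, spki, spki_len))
            return USERS[i].name;
    return NULL;
}

/* The check from the original question: does the client cert belong to the user logging in? */
int cert_matches_login(const uint8_t *cert, size_t n, const char *claimed_user)
{
    const char *owner = user_from_client_cert(cert, n);
    return owner != NULL && strcmp(owner, claimed_user) == 0;
}

/* Constructed client certificate carrying ALICE_SPKI; stands in for wolfSSL_X509_get_der() output. */
const uint8_t CLIENT_CERT_DER[] = {
    0x30,0x2c,                                   /* Certificate */
      0x30,0x21,                                 /* tbsCertificate */
        0xa0,0x03,0x02,0x01,0x02,                /* [0] version v3 */
        0x02,0x01,0x01,                          /* serialNumber 1 */
        0x30,0x03,0x06,0x01,0x2a,                /* signature AlgorithmIdentifier (dummy OID) */
        0x30,0x00, 0x30,0x00, 0x30,0x00,         /* issuer, validity, subject (empty placeholders) */
        0x30,0x0c,0x30,0x03,0x06,0x01,0x2a,0x03,0x05,0x00,0xde,0xad,0xbe,0xef, /* subjectPublicKeyInfo */
      0x30,0x03,0x06,0x01,0x2a,                  /* signatureAlgorithm */
      0x03,0x02,0x00,0xff                        /* signatureValue (dummy) */
};
```

Matching the whole DER SubjectPublicKeyInfo rather than a subject name ties the login to possession of the enrolled key: a re-issued certificate for the same key still matches, a different key does not, and a certificate that merely claims a matching subject name is rejected. The comparison only makes sense on a certificate wolfSSL has already chain-verified; a self-signed certificate with a copied public key would still fail the signature check there.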