Topic: Unable to generate certificates

Hi,

I am trying to generate certificates using the code given in chapter 7 and test.c, but I'm unable to compile. During configuration, I have used --enable-certgen.

This is the piece of code I have in certificate.c:

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

#include <cyassl/ctaocrypt/asn.h>

int main()
{
    Cert myCertificate;

    // Other code as given in example
    return 0;
}

I get "Cert undeclared" error. I'm unable to figure out why this is happening. Generating RSA keys works fine, but as soon as I declare a variable to generate certificate, I get this error.

Hoping to find some assistance.

Thanks,

Nitin

Re: Unable to generate certificates

Hi Nitin,

I get "Cert undeclared" error. I'm unable to figure out why this is happening. Generating RSA keys works fine, but as soon as I declare a variable to generate certificate, I get this error.

You could be seeing this error if CYASSL_CERT_GEN is not defined.  Can you try defining -DCYASSL_CERT_GEN when building your application and see if it resolves your error?

Regards,
Chris

Re: Unable to generate certificates

Thanks Chris..it worked.. Is there any reason why I have to add this during the build process??

Re: Unable to generate certificates

Not necessarily - you could define it in your source code as well if that was your preferred way.

Re: Unable to generate certificates

OK thanks..another question..if I try to self sign the generated certificates everything is fine. But if I try to sign it with a CA private key (I set up a CA using openssl and am trying to use its private key), I get an error while trying to decode the private key..

Specifically I get an error here:

ret = RsaPrivateKeyDecode(tmp,&idx,&caKey,(word32)bytes);

Is there anything wrong in using the private key of the CA from openssl??

Re: Unable to generate certificates

Hi Nitin,

What command and parameters did you use to generate your CA key using OpenSSL?

- Chris

Re: Unable to generate certificates

Hi Chris,

Here are the commands used to generate the CA key and certificate:

$ openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extfile provenance.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem

Just as pure guess work, I tried converting this key from PEM to DER and it worked !.. But, I'm not able to use these keys with the echo client and echo server examples..

If you need more info, I can share it with you.. Currently, I have a rootCA which creates and signs a serverCA. I have done this using openssl. After this, the rootCA creates and signs client certificates and keys. The serverCA creates and signs server certificates and keys. Though I'm able to generate the keys after using DER format for the private key, I'm unable to use it with the echoclient and echoserver examples. I get a write failed and read error at the two ends.

Using openssl to generate the same client and server keys works. So I think I'm missing something while generating the keys and certificates. (Self signed certificates work seamlessly.)

Looking for your insight on this as I'm relatively new to SSL.

Nitin

Re: Unable to generate certificates

Hi Nitin,

Just as pure guess work, I tried converting this key from PEM to DER and it worked !.. But, I'm not able to use these keys with the echo client and echo server examples..

The RsaPrivateKeyDecode() function only accepts keys in DER format (raw data).  To use the example echo client and echo server with DER-formatted keys, you will need to use the SSL_FILETYPE_ASN1 format instead of the SSL_FILETYPE_PEM format.  For example, the echo server would load a private key like this (where svrKey is an RSA key in DER format):

CyaSSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_ASN1);

Here are the OpenSSL commands that we typically use to generate test CA keys and certificates and create test CA-signed certs.  To create a CA key and certificate:

1.  openssl genrsa 1024 > ca-key.pem
2.  openssl req -new -x509 -nodes -sha1 -days 1000 -key ca-key.pem > ca-cert.pem

To create a server key and CA-signed server cert:

1.  openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
2.  openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Does this help?

- Chris
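
Added example (not part of the original posts and not CyaSSL code): since RsaPrivateKeyDecode() takes DER, a traditional "RSA PRIVATE KEY" PEM file has to have its armor stripped and its body base64-decoded first. The function name pem_key_to_der, its return codes and the sample PEM are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: PEM wrapping the 5-byte DER 30 03 02 01 05 (not a real key). */
static const char SAMPLE_PEM[] =
    "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n";

static int b64val(int c)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *q = c ? strchr(tbl, c) : NULL;
    return q ? (int)(q - tbl) : -1;
}

/* Convert a NUL-terminated PEM key to DER. Returns the DER length, or
 * -1 malformed / not PEM, -2 passphrase-encrypted key, -3 output buffer too small. */
int pem_key_to_der(const char *pem, unsigned char *der, size_t cap)
{
    const char *p = strstr(pem, "-----BEGIN "), *end = strstr(pem, "-----END ");
    const char *enc = strstr(pem, "ENCRYPTED");
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    if (!p || !end || end < p) return -1;
    if (enc && enc < end) return -2;     /* body is ciphertext, not DER */
    p = strchr(p, '\n');                 /* body starts after the BEGIN line */
    if (!p || p > end) return -1;

    for (; p < end; p++) {
        int v = b64val((unsigned char)*p);
        if (*p == '=') break;            /* padding: no more data */
        if (v < 0) {
            if (*p == '\n' || *p == '\r' || *p == ' ') continue;
            return -1;
        }
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {                 /* a full byte is available */
            bits -= 8;
            if (n == cap) return -3;
            der[n++] = (unsigned char)(acc >> bits);
        }
    }
    if (n == 0 || der[0] != 0x30) return -1;   /* an RSA key is a DER SEQUENCE */
    return (int)n;
}
```

The returned buffer and length are what a DER-only decoder expects as input. A key reported as encrypted has to be decrypted first, or generated without a passphrase as the -nodes commands above do.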

Re: Unable to generate certificates

Hi Chris,

Well that didn't help much.  Using the ca-key and ca-cert, I want to generate client keys from code. Then I want to authenticate the client when it tries to connect to the server. I have included the key generation and other required code below.

Here is what I did:

1) Generate CA key and certificate as you have specified
2) Generate Server key and certificate as specified
3) Use the CA key and CA certificate in the below code to generate Client certificate and key

// Key generation

    RsaKey genkey;
    RNG    rng;
    int    ret;
    FILE*  fp;

    InitRng(&rng);
    InitRsaKey(&genkey, 0);

    ret = MakeRsaKey(&genkey, 1024, 65537, &rng);
    if (ret != 0) {
        printf("Key generation error\n");
        return ret;
    }

    byte der[4096];
    byte pem[4096];

    int derSz = RsaKeyToDer(&genkey, der, sizeof(der));
    if (derSz < 0) {
        printf("DER error\n");
        return derSz;
    }

    int pemSz = DerToPem(der, derSz, pem, sizeof(pem), PRIVATEKEY_TYPE);
    if (pemSz < 0) {
        printf("PEM error\n");
        return pemSz;
    }

    // Write only the encoded bytes (pemSz / derSz), not the whole 4096-byte buffer
    fp = fopen("client-key.pem", "wb");
    fwrite(pem, 1, pemSz, fp);
    fclose(fp);

    fp = fopen("client-key.der", "wb");
    fwrite(der, 1, derSz, fp);
    fclose(fp);

    printf("Now time for certificate..\n");

// Certificate generation and signing with the CA key

    RsaKey      caKey;
    Cert        myCert;
    byte        derCert[4096];
    byte        pemCert[4096];
    int         certSz;

    byte        tmp[2048];
    size_t      bytes;
    word32      idx = 0;

    // RsaPrivateKeyDecode() needs the CA key in DER format
    FILE* file = fopen("ca-key.der", "rb");
    if (!file)
        return -412;

    bytes = fread(tmp, 1, sizeof(tmp), file);
    fclose(file);

    InitRsaKey(&caKey, 0);
    ret = RsaPrivateKeyDecode(tmp, &idx, &caKey, (word32)bytes);
    if (ret != 0) {
        printf("Problem decoding private key\n");
        return -413;
    }

    InitCert(&myCert);

    strncpy(myCert.subject.country, "US", CTC_NAME_SIZE);
    strncpy(myCert.subject.state, "Arizona", CTC_NAME_SIZE);
    strncpy(myCert.subject.locality, "Tucson", CTC_NAME_SIZE);
    strncpy(myCert.subject.org, "Certificate Authority", CTC_NAME_SIZE);
    strncpy(myCert.subject.unit, "UA", CTC_NAME_SIZE);
    strncpy(myCert.subject.commonName, "Client", CTC_NAME_SIZE);
    strncpy(myCert.subject.email, "ca@provenance.edu", CTC_NAME_SIZE);
    myCert.selfSigned = 0;
    myCert.daysValid = 30;

    // Take the issuer name from the CA certificate
    ret = SetIssuer(&myCert, "ca-cert.pem");
    if (ret < 0)
        printf("Problem setting issuer..\n");

    // Build the certificate body around the client's public key
    certSz = MakeCert(&myCert, derCert, sizeof(derCert), &genkey, &rng);
    if (certSz < 0) {
        printf("Problem with Make cert\n");
        return -407;
    }

    // Sign it with the CA private key
    certSz = SignCert(&myCert, derCert, sizeof(derCert), &caKey, &rng);
    if (certSz < 0) {
        printf("Problem with signing certificate\n");
        return -408;
    }

    int someSz = DerToPem(derCert, certSz, pemCert, sizeof(pemCert), CERT_TYPE);
    if (someSz < 0) {
        printf("Problem in conversion from DER to PEM\n");
        return -409;
    }
    printf("Size is %d\n", someSz);

    // Write only the encoded bytes (someSz / certSz), not the whole buffers
    FILE* certfp = fopen("client-cert.pem", "wb");
    fwrite(pemCert, 1, someSz, certfp);
    fclose(certfp);

    certfp = fopen("client-cert.der", "wb");
    fwrite(derCert, 1, certSz, certfp);
    fclose(certfp);

4) In EchoClient, I add the following code block before creating socket file descriptor:

    if (CyaSSL_CTX_use_certificate_file(ctx, "./client-cert.pem",
                SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        fprintf(stderr, "Error loading ./client-cert.pem, please check the file.\n");
        exit(EXIT_FAILURE);
    }

    if (CyaSSL_CTX_use_PrivateKey_file(ctx, "./client-key.pem",
                SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        fprintf(stderr, "Error loading ./client-key.pem, please check the file.\n");
        exit(EXIT_FAILURE);
    }

    CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);

5) In EchoServer, I add the following line before the socket file descriptor:

CyaSSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);    

As soon as I type something in echo client and press Enter, I get read error -155.

If I create the client key and client certificate using openssl (i.e., the way we created server key and server certificate), everything works.

So I believe there is something wrong in my key and certificate generation code, but I'm unable to figure it out.

Nitin

Re: Unable to generate certificates

I have attached the client files from openssl and via the code above. The only difference I can see is in the start and end dates and version.

Post's attachments

certificates.tar.gz 2.65 kb, 3 downloads since 2011-12-28 

Re: Unable to generate certificates

Nitin,

You need to tell the echoserver about the CA of the client cert you've created.  The echoserver has no way to verify the client cert you've created without it, that's why you're getting failure to verify signature.

You can use CyaSSL_CTX_load_verify_locations() with the ca-cert.pem CA on the echoserver.

You should also note the echoserver changes directory upon startup.  I'd also recommend using different names for keys and certs than CyaSSL uses for its tests ones, just to keep everything clear.

-Todd

Re: Unable to generate certificates

Hi Todd,

In fact I have used CyaSSL_CTX_load_verify_locations() with ca-cert.pem on the echo server. Now I also tried using different names for keys and certs than what CyaSSL uses in the examples. But still I'm stuck with the same problem. Keys and certificates generated from code don't seem to work.

Nitin

Re: Unable to generate certificates

Nitin,

I've tested code generated keys and certs on our end and they're working fine here.

Notes:  your uploaded certs differ in another major way.  The openssl one is self-signed, look at the issuer and subject, they match.  You can look at the metadata of a certificate by adding -text to the openssl command.  The CyaSSL one is not self signed, it's issued by:

Issuer: C=US, ST=Arizona, L=Tucson, O=Root Certification Authority, OU=UA, CN=Root CA/emailAddress=ca@provenance.edu

Which is not the same as CyaSSL's test ca-cert.pem.  I have a feeling that the CA certificate you're trying to tell echoserver to load_verify with isn't the right one (either because of naming, working directory, many different iterations, etc...  It's hard to know exactly)  Can you give it another look?

-Todd

Re: Unable to generate certificates

Hi Todd,

The mismatch was due to various iterations. So I set up the CA from scratch, but I'm not able to find out where the problem is. I just feel that I'm missing something either in key generation or in the echo server/echo client examples..

I've attached the codebase I'm using for echo server and echo client. Clicert.pem and Clikey.pem are generated from openssl while new_key.pem and new_cert.pem are generated using the code I've posted earlier.

Could you please look at it and help me?

Nitin

Post's attachments

sslEg.tar.gz 22.32 kb, 4 downloads since 2011-12-29 

Re: Unable to generate certificates

Hi Nitin,

Thanks for sending the CA (rootcert) and generated certs.  CyaSSL is setting the correct issuer information but in a different order than the OpenSSL generated one.  I've never seen OpenSSL do this before (with that order that is), what version are you using?  My understanding is that the name information should go

C (Country)
ST (State)
L (Locality)
O (Organization)
OU (O Unit)
CN (Common Name)
/optional like email

In the short term I guess you'll have to use the same SSL package to do the CA and issued certificates, which is pretty common I suppose.  If we can confirm that OpenSSL is correct in varying the order of the issuer information we'll have to patch CyaSSL to copy the issuer information verbatim instead of trying to interpret it and reorder it.

Thanks for the report. 

-Todd
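
Added example (not from the thread and not CyaSSL's code): X.509 name matching compares the RDNs in order, so an issuer whose attributes are reordered relative to the CA certificate's subject does not match it. The code below lists the attribute order of a DER-encoded Name so the two can be compared; the function names and both sample Names are constructed for illustration, and the caller is assumed to have already extracted the Name bytes from each certificate.

```c
#include <stddef.h>
#include <string.h>

static const unsigned char NAME_C_O_CN[] = { 0x30,0x29,  /* constructed: C=US, O=Ex, CN=Root */
    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,'U','S',
    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x0A,0x13,0x02,'E','x',
    0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,'R','o','o','t' };
static const unsigned char NAME_C_CN_O[] = { 0x30,0x29,  /* constructed: C=US, CN=Root, O=Ex */
    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,'U','S',
    0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,'R','o','o','t',
    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x0A,0x13,0x02,'E','x' };

/* Read a DER tag and length at p[*i]; returns the tag or -1, leaves *i at the value. */
static int der_hdr(const unsigned char *p, size_t n, size_t *i, size_t *len)
{
    if (*i + 2 > n) return -1;
    int tag = p[(*i)++];
    size_t l = p[(*i)++], k = l & 0x7F;
    if (l & 0x80) {                      /* long form: k length bytes follow */
        if (k == 0 || k > 2 || *i + k > n) return -1;
        for (l = 0; k > 0; k--) l = (l << 8) | p[(*i)++];
    }
    if (l > n - *i) return -1;
    *len = l;
    return tag;
}

/* Store the last arc of each 2.5.4.x attribute OID (6=C, 10=O, 3=CN; 0 for other OIDs). */
int rdn_order(const unsigned char *name, size_t n, unsigned char *order, size_t cap)
{
    size_t i = 0, len, end, next = 0, count = 0;
    if (der_hdr(name, n, &i, &len) != 0x30) return -1;         /* Name SEQUENCE */
    for (end = i + len; i < end; i = next) {
        if (der_hdr(name, end, &i, &len) != 0x31) return -1;   /* RDN SET */
        next = i + len;
        if (der_hdr(name, next, &i, &len) != 0x30) return -1;  /* attribute SEQUENCE */
        if (der_hdr(name, next, &i, &len) != 0x06 || count == cap) return -1;
        order[count++] = (len == 3 && name[i] == 0x55 && name[i+1] == 0x04) ? name[i+2] : 0;
    }
    return (int)count;
}

/* 1 if both Names list the same attribute types in the same order, else 0. */
int same_rdn_order(const unsigned char *a, size_t na, const unsigned char *b, size_t nb)
{
    unsigned char oa[16], ob[16];
    int ca = rdn_order(a, na, oa, sizeof oa), cb = rdn_order(b, nb, ob, sizeof ob);
    return ca > 0 && ca == cb && memcmp(oa, ob, (size_t)ca) == 0;
}
```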

Re: Unable to generate certificates

Hi Todd,

Thanks for looking into it. I'm using openssl version 0.9.8. In case you do come up with a patch, please inform me. I really appreciate your support.

Thanks,

Nitin