Topic: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

Hi,
I'm developing an application that uses the embedded SSL protocol (as a client) and I have to verify the server certificate. The platform I use is a Wi-Fi module with a STM32F103 ARM microcontroller. It runs the chiBios RTOS and uses the lwip tcp/ip stack. The CyaSSL version I use is 2.4.0.

This is the code I wrote
-----------------------------------------------------------------------------------------------------------------------------------------------------

    int i;
    CYASSL_CTX* ctx;
    CYASSL* ssl;
    const unsigned char cert_thawte_root[]={0x30, 0x82, 0x04, 0x20, .... //This is the CA root certificate in DER format

    CyaSSL_Init();
   
    /* Create and initialize CYASSL_CTX structure */
    if ( (ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL){
        print("SSL_CTX_new error.\r\n");

    /* Enable server certificate verification */
    CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);

    /*Load CA certificate*/
    i=CyaSSL_CTX_load_verify_buffer(ctx, test_cert_pem, (long)sizeof(test_cert_pem), SSL_FILETYPE_ASN1);
    if(i != SSL_SUCCESS){
        print("Error %d loading buffer certificate\r\n", i);}
    ...
--------------------------------------------------------------------------------------------------------------------------------------------------

When the CyaSSL_CTX_load_verify_buffer instruction is executed it returns -146 that corresponds to the error ASN_EXPECT_0_E or "ASN expect error, not zero". Following the CyaSSL_CTX_load_verify_buffer hierarchy i found that probably the error happens when the GetAlgoId (inside ctaocrypt\src.asn.c) function is called, but I don't have an idea of the source of the error. I tried to run the program without the server certificate verification and it runs fine.
Can you help me? Thanks!

Share

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

Hi,

From your code snippet, it looks like you may be trying to load a PEM certificate, but using the SSL_FILETYPE_ASN1 type instead of the SSL_FILETYPE_PEM type with CyaSSL_CTX_load_verify_buffer().

Your call to CyaSSL_CTX_load_verify_buffer() is using a "test_cert_pem" buffer, while above, you might have meant to use the "cert_thawte_root" buffer instead?

Best Regards,
Chris

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

Hi Chris,

I made a mistake when I pasted the code. The correct code I wrote is

------------------------------------------------------------------------------------------------------------------------------

int i;
    CYASSL_CTX* ctx;
    CYASSL* ssl;
    const unsigned char cert_thawte_root[]={0x30, 0x82, 0x04, 0x20, .... //This is the CA root certificate in DER format
    CyaSSL_Init();
   
    /* Create and initialize CYASSL_CTX structure */
    if ( (ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL){
        print("SSL_CTX_new error.\r\n");
    /* Enable server certificate verification */
    CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
    /*Load CA certificate*/
    i=CyaSSL_CTX_load_verify_buffer(ctx, cert_thawte_root, (long)sizeof(cert_thawte_root), SSL_FILETYPE_ASN1);
    if(i != SSL_SUCCESS){
        print("Error %d loading buffer certificate\r\n", i);}
    ...
---------------------------------------------------------------------------------------------------------------------------------------

As I said my CA certificate is in DER format and I get an error when the certificate is being loaded.
This is what I get:
---------------------------------------------------------------------------------------------------------------------------------------
CyaSSL Entering CYASSL_CTX_new

CyaSSL Entering CyaSSL_CertManagerNew

CyaSSL Leaving CYASSL_CTX_new, return 0

CyaSSL Entering CyaSSL_CTX_set_verify

CyaSSL Entering CyaSSL_CTX_load_verify_buffer

Adding a CA

CyaSSL Entering GetExplicitVersion

CyaSSL Entering GetMyVersion

CyaSSL Entering GetAlgoId

    Parsed new CA

    Freeing Parsed CA

    Freeing der CA

        OK Freeing der CA

CyaSSL Leaving AddCA, return -146

Error loading buffer certificate error -146
----------------------------------------------------------------------------------------------------------------------------------------------

I also tried with the same CA certificate in PEM format, but when the certificate is being loaded and typed out it blocks.
This is what I get:
------------------------------------------------------------------------------------------------------------------------------------------------------

CyaSSL Entering CYASSL_CTX_new

CyaSSL Entering CyaSSL_CertManagerNew

CyaSSL Leaving CYASSL_CTX_new, return 0

CyaSSL Entering CyaSSL_CTX_set_verify

CyaSSL Entering CyaSSL_CTX_load_verify_buffer

Processing CA PEM file


----------------------------------PEM BUFFER------------------------------------

-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlma

---------------------------------------------------------------------------------------------------------------------------------------------

It doesn't finish to type the certificate.
As I said before I also tried to load the test certificate of CyaSSL, but I get an error as with my CA certificate.
I attach the CA DER certificate I'm using. To add it in the code I simply opened it with notepad++, viewed it in hex format and pasted it in the code.

I'll wait for your advices.
Best Regards

Dario

Post's attachments

Thawte_root_der.cer 1.04 kb, 6 downloads since 2014-04-04 

You don't have the permssions to download the attachments of this post.

Share

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

Hi Dario,

I tried loading both PEM and DER formats of the root certificate you attached and didn't see any problems.

I have attached the simple test app I was using.  It contains the Thawte root cert in DER format and uses CyaSSL_CTX_load_verify_buffer(), like you mentioned above.  Can you compare the attached to what you are doing on your side?

Thanks,
Chris

Post's attachments

main.c 7.18 kb, 8 downloads since 2014-04-17 

You don't have the permssions to download the attachments of this post.

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

Hi Chris,

sorry for haven't replied you since your last post, but I had other things to do and I suspended the work on the server verification with the CA certificate.
I finally succeed in loading the CA certificate, but now I have another problem: when it tries to verify the server certificate chain I get errors -155 and -210. I tried with the CA certificate in both DER and PEM format, but it behaves in same manner in both case.

This is the code I wrote:

const unsigned char certCA_MW_root_der[1028] = {0x30, 0x82, 0x04, 0x00, 0x30, ....

void sslClient(char *server_ipaddr, int server_port)
{
    int socket_fd;
    char buff_err[80];
    CYASSL_CTX* ctx;
    CYASSL* ssl;
    int i;

    /* Initialize CyaSSL */
    CyaSSL_Init();

    i=CyaSSL_Debugging_ON();

    /* Create and initialize CYASSL_CTX structure */
    if ( (ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL){
        print("SSL_CTX_new error.\r\n");
    }

    i=CyaSSL_CTX_load_verify_buffer(ctx, certCA_MW_root_der, sizeof(certCA_MW_root_der), SSL_FILETYPE_ASN1);
    if(i != SSL_SUCCESS)
    {
        print("Error loading buffer certificate error %d\r\n", i);
    }
   
    CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);

    .
    .
    .
    Create the socket socket_fd
    .
    .
    .
   
    print("Loading ctx into ssl\r\n");
    if( (ssl = CyaSSL_new(ctx)) == NULL) {
        print("Unable to create SSL Object\r\n");
    }
    else
        print("SSL object created\r\n");
   
    print("Ready to set SSL Object\r\n");   
    if (CyaSSL_set_fd(ssl, socket_fd) != SSL_SUCCESS)
        print("SSL_set Object failed\r\n");
    else
    {
        print("SSL Object SET\r\n");
    }   

    /* SSL HandShake Request */
    print("Trying to establish SSL connection\r\n");
    if ((i=CyaSSL_connect(ssl)) != SSL_SUCCESS)
    {
        i=CyaSSL_get_error(ssl, i);
        CyaSSL_ERR_error_string(i, buff_err);
        print("SSL_connect failed\r\n%s\r\n", buff_err);

    }
    else
        print("CyaSSL connection established\r\n");

-------------------------------------------------------------------------------------------------------------------------------------

The following are the debugging information from CyaSSL:

CyaSSL Entering CYASSL_CTX_new

CyaSSL Entering CyaSSL_CertManagerNew

CyaSSL Leaving CYASSL_CTX_new, return 0

CyaSSL Entering CyaSSL_CTX_load_verify_buffer

Adding a CA

CyaSSL Entering GetExplicitVersion

CyaSSL Entering GetMyVersion

CyaSSL Entering GetAlgoId

Getting Cert Name

Getting Cert Name

CyaSSL Entering GetAlgoId

CyaSSL Entering DecodeCertExtensions

        Extension type not handled, skipping

        Extension type not handled, skipping

CyaSSL Entering DecodeBasicCaConstraint

CyaSSL Entering GetAlgoId

    Parsed new CA

    Freeing Parsed CA

    Freeing der CA

        OK Freeing der CA

CyaSSL Leaving AddCA, return 0

local ip address is: 132.147.2.205
connect to servicestestext.mywellness.com, port: 443
Loading ctx into ssl
CyaSSL Entering SSL_new

CyaSSL Leaving SSL_new, return 0

SSL object created
Ready to set SSL Object
CyaSSL Entering SSL_set_fd

CyaSSL Leaving SSL_set_fd, return 1

SSL Object SET
Trying to establish SSL connection
CyaSSL Entering SSL_connect()


1. CONNECT BEGIN SEND CLIENT HELLO
SEND_FUNCTION
--------------------
Bytes Send : 52
--------------------
connect state: CLIENT_HELLO_SENT

1. CONNECT BEGIN SEND CLIENT HELLO COMPLETED

2. CLIENT HELLO SENT
RECV_FUNCTION
--------------------
Bytes received 5
growing input buffer


RECV_FUNCTION
--------------------
Bytes received 2699
received record layer msg

CyaSSL Entering DoHandShakeMsg()

CyaSSL Entering DoHandShakeMsgType

processing server hello

CyaSSL Leaving DoHandShakeMsgType(), return 0

Do Hand Shake Msg ret 0
CyaSSL Leaving DoHandShakeMsg(), return 0

More messages in record

received record layer msg

CyaSSL Entering DoHandShakeMsg()

CyaSSL Entering DoHandShakeMsgType

processing certificate

Loading peer's cert chain

    Put another cert into chain

    Put another cert into chain

CyaSSL Entering GetExplicitVersion

CyaSSL Entering GetMyVersion

CyaSSL Entering GetAlgoId

Getting Cert Name

Getting Cert Name

CyaSSL Entering GetAlgoId

CyaSSL Entering DecodeCertExtensions

        Extension type not handled, skipping

        Extension type not handled, skipping

        found optional critical flag, moving past

CyaSSL Entering DecodeBasicCaConstraint

CyaSSL Entering DecodeCrlDist

        Extension type not handled, skipping

        found optional critical flag, moving past

        Extension type not handled, skipping

CyaSSL Entering GetAlgoId

About to verify certificate signature

Failed to verify CA from chain

Veriying Peer's cert

CyaSSL Entering GetExplicitVersion

CyaSSL Entering GetMyVersion

CyaSSL Entering GetAlgoId

Getting Cert Name

Getting Cert Name

CyaSSL Entering GetAlgoId

CyaSSL Entering DecodeCertExtensions

        found optional critical flag, moving past

CyaSSL Entering DecodeBasicCaConstraint

        Extension type not handled, skipping

        found optional critical flag, moving past

        Extension type not handled, skipping

CyaSSL Entering DecodeCrlDist

        Extension type not handled, skipping

        There are more Authority Information Access records, but we only use first one.

        Extension type not handled, skipping

CyaSSL Entering DecodeAltNames

        Not DNS type

        Extension type not handled, skipping

        Extension type not handled, skipping

CyaSSL Entering GetAlgoId

About to verify certificate signature

No CA signer to verify with

Failed to verify Peer's cert

        No callback override availalbe, fatal

CyaSSL Leaving DoHandShakeMsgType(), return -155

Do Hand Shake Msg ret -155
CyaSSL Leaving DoHandShakeMsg(), return -155

CyaSSL error occured, error = -155


FATAL ERROR

CyaSSL Entering SSL_get_error

CyaSSL Leaving SSL_get_error, return -155

CyaSSL Entering ERR_error_string

SSL_connect failed
ASN sig error, confirm failure
SSL connect ok, sending GET...
CyaSSL Entering SSL_write()

handshake not complete, trying to finish
CyaSSL Entering CyaSSL_negotiate

CyaSSL Entering SSL_connect()


2. CLIENT HELLO SENT
received record layer msg

CyaSSL Entering DoHandShakeMsg()

CyaSSL error occured, error = -210


FATAL ERROR

CyaSSL Leaving CyaSSL_negotiate, return -1

CyaSSL Leaving SSL_write(), return -1

SSL_write failed
CyaSSL Entering SSL_read()

CyaSSL Entering ReceiveData()

Handshake not complete, trying to finish

CyaSSL Entering CyaSSL_negotiate

CyaSSL Entering SSL_connect()


2. CLIENT HELLO SENT
received record layer msg

CyaSSL Entering DoHandShakeMsg()

CyaSSL error occured, error = -210


FATAL ERROR

CyaSSL Leaving CyaSSL_negotiate, return -1

CyaSSL Leaving SSL_read(), return -1

CyaSSL Entering SSL_free

CTX ref count not 0 yet, no free

Shrinking input buffer


CyaSSL Leaving SSL_free, return 0

CyaSSL Entering SSL_CTX_free

CTX ref count down to 0, doing full free

CyaSSL Entering CyaSSL_CertManagerFree

CyaSSL Leaving SSL_CTX_free, return 0

CyaSSL Entering CyaSSL_Cleanup

--------------------------------------------------------------------------------------------------------

It says that it hasn't the right CA certificate to verify the server, but I'm absolutely sure that I put the right certificate in the code. I downloaded it from the site I want to connect to with Google Chrome. I took only the root CA certificate, as I read in the CyaSSL documents that only the root CA certificate is needed.
Since the previous problem were caused by a stack overflow error I also increased the stack size, but it had no effect.
I'll wait for your answer.

Best Regards

Dario

Share

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

I have also tried with CyaSSL 3.0, but it behaves in the same manner. Without the server verification it works.

Share

7 (edited by cyberrobot 2014-05-17 12:40:47)

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

volondario wrote:

I have also tried with CyaSSL 3.0, but it behaves in the same manner. Without the server verification it works.

Hi I have the same problem (on Ubuntu), I copy the Root CA from a website at PEM file format and then transform it to DER via openssl and storing it in a buffer but the authentication fails.

EDIT: Finally I found the solution to my ignorance, you have to grab the ROOT certificate of the CA signed the server (It must say self signed), for google is the Equifax_Secure_CA.pem(TLS_v1.2) / amazon.uk Verisigned (TLS_v1) and it's stored to my OS as it should be.

Both CyaSSL_CTX_load_verify_locations and CyaSSL_CTX_load_verify_buffer worked like a charm.



Example : amazon.co.uk any one of these certificates fail... (find them attached on the file).
I got them with the command:
openssl s_client -showcerts -connect amazon.co.uk:443 </dev/null


I Still can't find a solution to the next one :

Another Issue is when verification fails and I try to get some info from the call of verify callback.

e.g printf(""%s",(ctx_ob->current_cert->subjectCN));

there is nothing there.... sad

Post's attachments

amazon 7.64 kb, 2 downloads since 2014-05-17 

You don't have the permssions to download the attachments of this post.

Share

Re: Error -146 when loading CA certificate with Cyassl 2.4.0 on STM32F103

Hi cyberrobot,

If you define KEEP_PEER_CERT when compiling wolfSSL, you should be able to use the following function to get the CommonName from a CYASSL_X509*:

char*  CyaSSL_X509_get_subjectCN(CYASSL_X509* x509)

Best Regards,
Chris