How to resolve x.509 certificate parsing error in mbedtls?

I am working on porting AWS FreeRTOS to a new platform; I referred to the FreeRTOS programming guide to do that.

Now my issue is, I'm facing a certificate parsing error in mbedtls_x509_crt_parse() - MBEDTLS_ERR_X509_INVALID_FORMAT (-2108) - in a function call while performing TLS_Connect() in the iot_tls.c file. The mbed TLS version string is "mbed TLS 2.16.0".

After debugging I enabled the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION macros, but still no luck.

I have created a certificate with the one-click method from the AWS console and then used the tools/certificate_configuration/CertificateConfigurator.html tool to get a FreeRTOS-supported aws_clientcredential_keys.h file and replaced it in my code.
(Not able to attach files here)

Also, if I apply the Linux parse command with OpenSSL,

openssl x509 -in x.y.z-certificate.pem.crt -text -noout

it shows no error.

Is there anything I'm missing here?

Any guidance would be appreciated.


Hello Arjun,

Seems this is a mirror of Can you set a breakpoint to find at what point of parsing this error is occurring?

Hi @lundinc,

Thanks for the quick reply.

#define keyCLIENT_CERTIFICATE_PEM \
"-----BEGIN CERTIFICATE-----\n"\
"MIIDWjCCAkKgAwIBAgIVAJ3wzBnLSnQvYi31rNVQRAXDUO/zMA0GCSqGSIb3DQEB\n"\
"CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t\n"\
"IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yMDA3MjgxMTMz\n"\
"MTJaFw00OTEyMzEyMzU5NTlaMB4xHDAaBgNVBAMME0FXUyBJb1QgQ2VydGlmaWNh\n"\
"dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHc2tmezGoekLjkQlb\n"\
"+YOBKFyPswYR+GLq/JRVbFX2k4OrHF5js4GTfbHm1oQ733KbcnIugdejtQnRhtnr\n"\
"1HRk3pqedVhRKGRo2DFDYyuX3K1UR6xna1poJF+6WNy6vXGxIQYKi7SNS5LtzkRT\n"\
"1FCziOLBaxfcCRNgR1NBHjlcFsUWyL4evMok6h/wU7HA3/dfKEisyLdh3sMy7Yox\n"\
"Im/ldvyX+9pH7Hj0TrGGTd5f8GtX8npNuSKdkntuag95r+vAaAPp6bQVyPWm8T/G\n"\
"SUN8N7Nvc9DOcJ8ZhvB/Ubq+Fa/eoUnr3SgXInufLHhrfxJW7dyrBTlw/1kdXgYw\n"\
"YiKnAgMBAAGjYDBeMB8GA1UdIwQYMBaAFP4UzdqnzQ4l89+D7UhXC5MKWnOJMB0G\n"\
"A1UdDgQWBBSn95OHFqTn3DrE3anpNq5RoOsT+DAMBgNVHRMBAf8EAjAAMA4GA1Ud\n"\
"DwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEA2Hvrxy2N0xt3I/w/7JIyoTH4\n"\
"ixUKMaD1QXe+g6LrsQSCVVsaq0L468OpyydVzQLQONXvDDRv3rqIEel1hPAJNG0y\n"\
"dp3g+WC1dPl7E44btM+59gBf1369lFwV6FbJMwCltVBUJ4hFAjt3QTkWRHq6DlFQ\n"\
"wa896aSr5UUiVNAJjf/hLVjERlVG4wDjPN7YifQssRqlNcYDgok3UhVsBfKIGnct\n"\
"WFbisX+0ONMyNnE1Qq6bX5g4sLN7VlwFhADiz1Xp2rUtLECR1NSPutYibWyvJJ8d\n"\
"htYYV1a0FSkg7JKyvOIJ8IYKEPsKE+UYo1Z8DwkmHHcap+h0OMWAnKQgRXn6QQ==\n"\
"-----END CERTIFICATE-----"

Above is a certificate generated by the AWS CertificateConfigurator.html tool.
I performed the same with the onboard key generation method also.

It is saved in NV memory, i.e. the Trust M (we have used the HSM model), with vDevModeKeyProvisioning(), and I don't see any errors here.

After this call, it begins to communicate; in doing so it creates a socket (which is okay), then it tries to connect (socket_connect).

This call in turn calls TLS_Connect, which performs the handshake at an early stage, but before that it parses this certificate by reading it into RAM from NV memory (Trust M) using the prvReadCertificateIntoContext() call, and fails in mbedtls_x509_crt_parse() with the above-mentioned error.

On further debugging I found that the mbedtls_asn1_get_tag() function is returning MBEDTLS_ERR_ASN1_OUT_OF_DATA.

Please let me know if more info is needed.


Can you try swapping out the calls into PKCS #11, and instead directly try and parse the keyCLIENT_CERTIFICATE_PEM macro and see if that works as expected?

By trust-m, do you mean the Optiga Trust M?

I already tried that by using the function below.

#include <stdio.h>
#include "mbedtls/x509_crt.h"
#include "iot_pkcs11.h"                /* assumed header for CK_RV, CKR_OK, CKR_GENERAL_ERROR */
#include "aws_clientcredential_keys.h" /* keyCLIENT_CERTIFICATE_PEM */

CK_RV checkTLS( void )
{
	int pkret;
	mbedtls_x509_crt _cacert;
	mbedtls_x509_crt_init( &_cacert ); /* context must be initialised before parsing */
	/* sizeof() counts the terminating NUL, which mbed TLS requires for PEM input */
	pkret = mbedtls_x509_crt_parse( &_cacert, (const unsigned char *) keyCLIENT_CERTIFICATE_PEM,
	                                sizeof( keyCLIENT_CERTIFICATE_PEM ) );
	if( pkret != 0 ) printf( "\n x509 certificate parsing, error=%d", pkret );
	else printf( "\n x509 certificate parsed, pass,\n" );
	mbedtls_x509_crt_free( &_cacert );
	return ( pkret == 0 ) ? CKR_OK : CKR_GENERAL_ERROR;
}

It is returning 0, which is okay, and parsing is successful.

Yes, the Optiga Trust M is my secure element.

Thank you, it looks like this issue is the same as seen here. Linking this as it has an Infineon engineer engaged as well.

Yes, this is similar to what we are facing.
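A host-side check, added here and not taken from the thread, from FreeRTOS or from mbed TLS, that reproduces the PEM/DER dispatch of mbedtls_x509_crt_parse on a buffer such as the one prvReadCertificateIntoContext() reads back from the secure element: the PEM path is taken only when the buffer ends in a NUL byte and contains the BEGIN marker (which sizeof(keyCLIENT_CERTIFICATE_PEM) supplies, but a strlen()-sized or padded NV read may not), otherwise the bytes go to the DER parser, where a truncated outer SEQUENCE produces the ASN.1 out-of-data condition seen in the debugger. The sample DER and PEM are constructed (not a real certificate), the dispatch logic is as I read it in the mbed TLS 2.16 source, and the two error values are from its headers.

```python
import base64
import re

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
X509_INVALID_FORMAT = -0x2180   # MBEDTLS_ERR_X509_INVALID_FORMAT
ASN1_OUT_OF_DATA = -0x0060      # MBEDTLS_ERR_ASN1_OUT_OF_DATA

def asn1_get_len(buf, pos):
    """DER length at buf[pos] -> (length, pos_after), or (ASN1_OUT_OF_DATA, pos) if bytes are missing."""
    if pos >= len(buf):
        return ASN1_OUT_OF_DATA, pos
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return ASN1_OUT_OF_DATA, pos
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length > len(buf) - pos:                       # header promises more content than supplied
        return ASN1_OUT_OF_DATA, pos
    return length, pos

def check_cert_buffer(buf):
    """Return (0, 'ok') or (X509_INVALID_FORMAT, reason); mirrors mbedtls_x509_crt_parse's dispatch."""
    has_marker = PEM_BEGIN in buf
    if buf and buf[-1] == 0 and has_marker:           # PEM path needs BOTH the marker and a final NUL
        m = re.search(PEM_BEGIN + rb"(.*?)" + PEM_END, buf, re.S)
        if not m:
            return X509_INVALID_FORMAT, "BEGIN marker without matching END marker"
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            return X509_INVALID_FORMAT, "PEM body is not valid base64"
    else:
        der = buf                                     # anything else is handed to the DER parser
    if not der or der[0] != 0x30:                     # Certificate must start with a SEQUENCE tag
        why = "PEM text not NUL-terminated (wrong length or padding), parsed as DER" if has_marker else "first byte is not a SEQUENCE tag"
        return X509_INVALID_FORMAT, why
    length, _ = asn1_get_len(der, 1)
    if length == ASN1_OUT_OF_DATA:
        return X509_INVALID_FORMAT, "outer SEQUENCE length exceeds buffer: certificate truncated"
    return 0, "ok"

def make_sample():
    """Constructed stand-in for a certificate (not a real cert): a DER SEQUENCE plus its PEM wrapping."""
    body = bytes(range(256)) * 2                      # 512 bytes, so the length uses the long form
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(der)
    pem = b"\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END])
    return der, pem
```

Feed it the exact bytes and length your port passes to mbedtls_x509_crt_parse (dumped from the RAM copy after the NV read) and the reason string tells you which of the two failure modes you are in.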