How to resolve x.509 certificate parsing error in mbedtls?

Hi,
I am working on porting AWS FreeRTOS to a new platform; I referred to the FreeRTOS programming guide to do that.

Now my issue is, I'm facing a certificate parsing error in mbedtls_x509_crt_parse() - MBEDTLS_ERR_X509_INVALID_FORMAT (-2108) - in the function call while performing TLS_Connect() in the iot_tls.c file. The mbedtls version string is "mbed TLS 2.16.0".

After debugging I enabled the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION macros, but still no luck.

I have created a certificate with the one-click method from the AWS console and then used the tools/certificate_configuration/CertificateConfigurator.html tool to get the FreeRTOS-supported aws_clientcredential_keys.h file and replaced it in my code.
(Not able to attach files here)

Also, if I run the parse command with OpenSSL on Linux,

openssl x509 -in x.y.z-certificate.pem.crt -text -noout

it shows the output with no error.

Is there anything I'm missing here?

Any guidance will be appreciated.

Thanks

Hello Arjun,

Seems this is a mirror of https://github.com/aws/amazon-freertos/issues/2322. Can you set a breakpoint to find at what point of parsing this error is occurring?

Hi @lundinc,

Thanks for the quick reply.

#define keyCLIENT_CERTIFICATE_PEM \
"-----BEGIN CERTIFICATE-----\n"\
"MIIDWjCCAkKgAwIBAgIVAJ3wzBnLSnQvYi31rNVQRAXDUO/zMA0GCSqGSIb3DQEB\n"\
"CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t\n"\
"IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yMDA3MjgxMTMz\n"\
"MTJaFw00OTEyMzEyMzU5NTlaMB4xHDAaBgNVBAMME0FXUyBJb1QgQ2VydGlmaWNh\n"\
"dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHc2tmezGoekLjkQlb\n"\
"+YOBKFyPswYR+GLq/JRVbFX2k4OrHF5js4GTfbHm1oQ733KbcnIugdejtQnRhtnr\n"\
"1HRk3pqedVhRKGRo2DFDYyuX3K1UR6xna1poJF+6WNy6vXGxIQYKi7SNS5LtzkRT\n"\
"1FCziOLBaxfcCRNgR1NBHjlcFsUWyL4evMok6h/wU7HA3/dfKEisyLdh3sMy7Yox\n"\
"Im/ldvyX+9pH7Hj0TrGGTd5f8GtX8npNuSKdkntuag95r+vAaAPp6bQVyPWm8T/G\n"\
"SUN8N7Nvc9DOcJ8ZhvB/Ubq+Fa/eoUnr3SgXInufLHhrfxJW7dyrBTlw/1kdXgYw\n"\
"YiKnAgMBAAGjYDBeMB8GA1UdIwQYMBaAFP4UzdqnzQ4l89+D7UhXC5MKWnOJMB0G\n"\
"A1UdDgQWBBSn95OHFqTn3DrE3anpNq5RoOsT+DAMBgNVHRMBAf8EAjAAMA4GA1Ud\n"\
"DwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEA2Hvrxy2N0xt3I/w/7JIyoTH4\n"\
"ixUKMaD1QXe+g6LrsQSCVVsaq0L468OpyydVzQLQONXvDDRv3rqIEel1hPAJNG0y\n"\
"dp3g+WC1dPl7E44btM+59gBf1369lFwV6FbJMwCltVBUJ4hFAjt3QTkWRHq6DlFQ\n"\
"wa896aSr5UUiVNAJjf/hLVjERlVG4wDjPN7YifQssRqlNcYDgok3UhVsBfKIGnct\n"\
"WFbisX+0ONMyNnE1Qq6bX5g4sLN7VlwFhADiz1Xp2rUtLECR1NSPutYibWyvJJ8d\n"\
"htYYV1a0FSkg7JKyvOIJ8IYKEPsKE+UYo1Z8DwkmHHcap+h0OMWAnKQgRXn6QQ==\n"\
"-----END CERTIFICATE-----"

Above is a certificate generated by the AWS CertificateConfigurator.html tool.
I performed the same with the on-board key generation method also.

It is saved in NV memory, i.e. Trust M (we have used the HSM model), with vDevModeKeyProvisioning(), and I don't see any errors here.

After this call, it begins to communicate, and in doing so it creates a socket (which is okay), then it tries to connect (socket_connect).

This call in turn calls TLS_connect, where it performs handshaking at an early stage, but before that it parses this certificate by reading it into RAM from NV memory (Trust M) using the prvReadCertificateIntoContext() call, and fails in mbedtls_x509_crt_parse() with the above-mentioned error.

On further deep debugging I found that the mbedtls_asn1_get_tag() function is returning MBEDTLS_ERR_ASN1_OUT_OF_DATA.

Please let me know if more info is needed.

Thanks

Can you try swapping out the calls into PKCS #11 and instead directly try to parse the keyCLIENT_CERTIFICATE_PEM macro, and see if that works as expected?

By trust-m, do you mean the Optiga Trust M?

I already tried that using the function below:

#include <stdio.h>
#include "mbedtls/x509_crt.h"
#include "pkcs11.h"                      /* CK_RV, CKR_OK, CKR_FUNCTION_FAILED */
#include "aws_clientcredential_keys.h"   /* keyCLIENT_CERTIFICATE_PEM */

/* Parse the PEM macro directly, bypassing PKCS #11 and the secure element.
 * sizeof() includes the terminating NUL, which mbedtls requires for PEM input. */
CK_RV checkTLS( void )
{
	int pkret;
	mbedtls_x509_crt _cacert;
	mbedtls_x509_crt_init(&_cacert);
	pkret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *) keyCLIENT_CERTIFICATE_PEM,
	                           sizeof (keyCLIENT_CERTIFICATE_PEM));
	if(pkret != 0) {
		printf("\n x509 certificate parsing, error=%d", pkret);
	}
	else {
		printf("\n x509 certificate parsed, pass,\n");
	}
	mbedtls_x509_crt_free(&_cacert);
	return (pkret == 0) ? CKR_OK : CKR_FUNCTION_FAILED;
}

It is returning 0, which is okay, and parsing is successful.

Yes, Optiga Trust M is what my security element is.
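To illustrate the MBEDTLS_ERR_ASN1_OUT_OF_DATA symptom reported in this thread (an added example, not code from the thread, from AWS FreeRTOS or from mbed TLS): a DER certificate declares its own length in the outer SEQUENCE header, so if the copy read back from NV memory is shorter than that declared length, the very first tag/length decode fails, while the same PEM text handed over with sizeof() (trailing NUL included) parses fine. The decoder below is a stand-alone sketch that only mirrors mbed TLS error values; the sample blob uses the header bytes of the certificate posted above plus constructed zero padding, and the 1024-byte buffer size is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error values mirror mbed TLS 2.16 (OUT_OF_DATA = -0x60, UNEXPECTED_TAG = -0x62);
 * the decoder is a stand-alone sketch, not the library's mbedtls_asn1_get_tag(). */
#define ASN1_OUT_OF_DATA    (-0x60)
#define ASN1_UNEXPECTED_TAG (-0x62)
#define ASN1_INVALID_LENGTH (-0x64)

/* Decode one DER tag+length header: returns the header size (>0) and stores
 * the declared body length in *body, or a negative error if the tag is wrong
 * or the declared body does not fit in the len bytes actually available. */
int der_get_header(const uint8_t *buf, size_t len, uint8_t tag, size_t *body)
{
    size_t i = 0, n = 0, k, nbytes;
    if (len < 2) return ASN1_OUT_OF_DATA;
    if (buf[i++] != tag) return ASN1_UNEXPECTED_TAG;  /* e.g. '-' of a PEM line */
    if (buf[i] < 0x80) {
        n = buf[i++];                                 /* short form: one length byte */
    } else {
        nbytes = buf[i++] & 0x7f;                     /* long form: 0x8N then N bytes */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return ASN1_INVALID_LENGTH;
        if (len - i < nbytes) return ASN1_OUT_OF_DATA;
        for (k = 0; k < nbytes; k++) n = (n << 8) | buf[i++];
    }
    if (n > len - i) return ASN1_OUT_OF_DATA;         /* body runs past the buffer */
    *body = n;
    return (int)i;
}

/* 0 if the outer Certificate SEQUENCE is complete within len bytes. */
int check_outer_sequence(const uint8_t *buf, size_t len)
{
    size_t body;
    int hdr = der_get_header(buf, len, 0x30, &body);
    return hdr < 0 ? hdr : 0;
}

/* Leading bytes of the certificate posted above (base64 "MIIDWjCCAkKg"): the
 * outer SEQUENCE declares 0x035a = 858 body bytes, 862 with its header. */
static const uint8_t CERT_HEAD[] = { 0x30, 0x82, 0x03, 0x5a, 0x30, 0x82, 0x02, 0x42 };

/* Simulate reading `got` bytes back from NV memory: the real header followed
 * by constructed zero padding, then the same completeness check the parser does. */
int probe_partial_read(size_t got)
{
    uint8_t blob[1024] = { 0 };                       /* assumed buffer size */
    memcpy(blob, CERT_HEAD, sizeof CERT_HEAD);
    return check_outer_sequence(blob, got < sizeof blob ? got : sizeof blob);
}
```

A read that returns fewer than 862 bytes for this certificate, or a PEM buffer passed without its terminating NUL so that mbedtls falls back to DER parsing, both surface as a negative ASN.1 error before any extension or version check is reached.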

Thank you, it looks like this issue is the same as seen here. Linking this as it has an Infineon engineer engaged as well. https://github.com/Infineon/amazon-freertos/issues/5

Yes, this is similar to what we are facing.
Thanks