Error using mbedtls_x509_crt_parse

Hello,
I'm starting to use the mbedTLS library. I have a problem with the mbedtls_x509_crt_parse function. I use this call:
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *)mbedtls_m2mqtt_srv_crt, mbedtls_m2mqtt_srv_crt_len );

If I use this Certificate, it works:
"-----BEGIN CERTIFICATE-----"
"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT"
"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF"
"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT"
"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF"
"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu"
"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy"
"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g"
"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7"
"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE"
"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w"
"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56"
"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv"
"uCjn8pwUOkABXK8Mss90fzCfCEOtIA=="
"-----END CERTIFICATE-----"

If I use this one, which I built with OpenSSL, it doesn't:
"-----BEGIN CERTIFICATE-----"
"MIIDsTCCApkCFCuz8ECpfGrxuIrz4giPBwCpQ1RMMA0GCSqGSIb3DQEBCwUAMIGU"
"MQswCQYDVQQGEwJJVDEPMA0GA1UECAwGUGFkb3ZhMQ8wDQYDVQQHDAZQYWRvdmEx"
"EzARBgNVBAoMCkJlcnRyb25pY3MxEzARBgNVBAsMCkJlcnRyb25pY3MxEjAQBgNV"
"BAMMCU1hdHRpYS1QQzElMCMGCSqGSIb3DQEJARYWZWRkaWVtYXRAdGlzY2FsaW5l"
"dC5pdDAeFw0xODEyMDQxNzM4MTlaFw0yODEyMDExNzM4MTlaMIGUMQswCQYDVQQG"
"EwJJVDEPMA0GA1UECAwGUGFkb3ZhMQ8wDQYDVQQHDAZQYWRvdmExEzARBgNVBAoM"
"CkJlcnRyb25pY3MxEzARBgNVBAsMCkJlcnRyb25pY3MxEjAQBgNVBAMMCU1hdHRp"
"YS1QQzElMCMGCSqGSIb3DQEJARYWZWRkaWVtYXRAdGlzY2FsaW5ldC5pdDCCASIw"
"DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJrhu9/DD0UQYPI+Tnli1rOMdW5t"
"OT2pPw99s+ZcdvcNKRyc+i+RTVE8YSBSV4sEhpa8hdTJd/3Hc9jbBny1S+KyKfsr"
"B2O8hFEzkMYVnRBS5rHw4qeNozMLZhMSRnYjHhMnmMfaOoY6zKp+Eqwnbm3klQYM"
"lqYaTEHLDwo3H+fwgqxqOOgse4R55FXyN73nQFZrMRIyvmYGDYgTzWJ3y908hmP/"
"JHiid40S4MqPb0RYKo/eNjd/hkS0tVwbV2F5Dhyt0L8Y/BT/gz3ZrShpN10lhova"
"p9FDmJbQlNumWk/y3JsO5QeAvWFpTsgEvB1jt32X9o/1xokK8mmr2EHVEusCAwEA"
"ATANBgkqhkiG9w0BAQsFAAOCAQEAaiGcmT+Td0K7tYH8l9PAw/Mzc6OLOxRGqi03"
"frTJNZN2PIlu+tKTVcxXAY3ayPI/LnTbI8nqMOFv89/1O6vCsCbUN1LzkGa5tmwB"
"n37aTKnm8LtQQ4bOkxVTwGYEhbY2PhkwkZ8BM1SFHlYtiHDFGX+18E70heARQJJ1"
"BFqyVLf4q6uoVYdxIM9fQkw7S+2OCKeRFqztf4IGjJ+9M+qoIEQ56oHKBDjXA9Wp"
"c4sOhHm0RVUzDP4ScpvzuuzvanKj/wUYcGrdOIIhaGc2SqJmyqnEbSQzkkksz0Lc"
"b3BiodE9XkVWnkBuEfa0Zb9ZIeuzePz8+dWVhtuvH5zZPzrf4w=="
"-----END CERTIFICATE-----"

And I get error -9774.
Could you help me to understand why the first certificate works, and the other doesn’t?
Thank you,
Mattia

Hi @MattiaBerton
Thank you for contacting us!
The certificate whose parsing works is signed with ECDSA with SHA-256, while your generated certificate is signed with RSA with SHA-256.
If you use the utility program strerror, you would see:

./program/utils/strerror -9774
Last error was: -0x262e - X509 - Signature algorithm (oid) is unsupported : OID - OID is not found

This probably means that you are missing a configuration flag. Is MBEDTLS_RSA_C defined in your configuration file?

Regards,
Mbed TLS Team member
Ron

Thank you Ron, now it works. Not only that, I also had a very small MPI setting (48 bytes only), but now everything is OK.

However, can I ask you how you checked that difference? Did you use the OpenSSL command openssl x509 -in certificate.crt -text -noout?
Thank you,
Mattia

Hi @MattiaBerton
I could have tested with that command, but I used the Mbed TLS sample application "programs/x509/cert_app".
It would probably have failed for you, since you had a different configuration.
Regards,
Ron