Error while generating CSR from RSA keys

Mbed TLS Platform specific questions
1

Hello,

I generated RSA public and private keys in the embedded device and now I am stuck while generating CSR from the private key.
This is my code snippet to generate CSR

mbedtls_pk_context key;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_x509write_csr req;
const char *pers = “CSR”;

mbedtls_pk_init( &key );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );

if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n", -ret );
return;
}

if( ( ret = mbedtls_pk_setup( &key, mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_setup returned -0x%04x", -ret );
return;
}

if( opt.type == MBEDTLS_PK_RSA )
{
ret = mbedtls_rsa_gen_key( mbedtls_pk_rsa( key ), mbedtls_ctr_drbg_random, &ctr_drbg,
1024, 65537 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_rsa_gen_key returned -0x%04x", -ret );
return;
}
}

mbedtls_x509write_csr_init( &req );
mbedtls_x509write_csr_set_md_alg( &req, MBEDTLS_MD_SHA256 );

if( ( ret = mbedtls_x509write_csr_set_subject_name( &req, opt1.subject_name ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_x509write_csr_set_subject_name returned %d", ret );
return;
}

mbedtls_x509write_csr_set_key( &req, &key );

unsigned char output_buf[4096];

memset(output_buf, 0, 4096);

ret = mbedtls_x509write_csr_der(&req, output_buf, 4096, mbedtls_ctr_drbg_random, &ctr_drbg);
if(ret!=0){
Serial.println("Writing csr in der format failed ");
return;
}

This is the error I am getting

Screenshot%20from%202018-10-10%2006-08-38
Screenshot%20from%202018-10-10%2006-08-381304×565 20.8 KB

In the code when I reduce the output_buf size from 4096 to 1500 I get this error

Screenshot%20from%202018-10-10%2006-12-52
Screenshot%20from%202018-10-10%2006-12-521154×607 65 KB

Could anyone of you please help me how to solve this error.
Any help is appreciated

Thank You

2

Hi @esp_16,
From your description, it sounds you are encountering stack overflow.
What is the stack size you are using? I am assuming you have done that, but have you reduced the 4096 value to 1500 in all the places you are using output_buf?

Since you are using a 1024 bit key for your signature (note this is not secure!!!), you should try to define the value of MBEDTLS_MPI_MAX_SIZE to 128. (The default size os 1024, which is more than what you need for a 1024 bit key).
I suggest you look at the following articles for more information on your footprint:

Regards,
Mbed TLS Team member
Ron

3

Hi @roneld01,
I am using the stack size 163840. I changed the value to 1500 in all the places where I am using output_buf. I defined MBEDTLS_MPI_MAX_SIZE size to 128. But still the same error.

How to proceed now?

According to me, the issue is with mbedtls_x509write_csr_der() API function because when I comment this part of code
ret = mbedtls_x509write_csr_der(&req, output_buf, 4096, mbedtls_ctr_drbg_random, &ctr_drbg);
if(ret!=0){
Serial.println("Writing csr in der format failed ");
return;
}
everything runs fine. The key I am setting in the CSR context using mbedtls_x509write_csr_set_key() is in plain text format. Is it the correct format?

Any help is appreciated.

Thank you

4

Hi @esp_16
Since you are getting a crash during mbedtls_x509write_csr_der(), it is quite reasonable you are overflowing the stack. Reducing the size from 4096 to 1500 just posponed the overflow.
I suggest you use a debugger to understand better the location of crash.

The key I am setting in the CSR context using mbedtls_x509write_csr_set_key() is in plain text format. Is it the correct format?

What do you mean plaintext format? You are sending a generated key as a pk context to your function. This is the expected format. If the key format was wrong, the mbedtls_rsa_gen_key() whould have failed.
Regards,
Mbed TLS Team member
Ron