ARMmbed

Mbedtls_x509_crt_verify 2700 on embedded platform

I am trying to validate one root CA and one intermediate CA signed by the root CA.

On a Linux PC it is working fine, but on an ARM-based embedded platform the mbedtls_x509_crt_verify function returns -0x2700. What could possibly have gone wrong? Using valgrind I profiled the memory utilization and found it to be 12 kB on the heap and 16 kB on the stack.

I configured my RTOS to have even more, like 32k for each, and am still getting this error. What else could have gone wrong? Any help would be appreciated.

On the Linux platform: parsing & verification succeed.
On the embedded platform: parsing the trusted cert and the cert to verify is successful, but verification fails with error return -0x2700 and flags 512.

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include "mbedtls/x509_crt.h"

int main( void )
{
    int ret;
    uint32_t flags = 0;
    /* PEM string-literal macros defined elsewhere at preprocessor level;
     * sizeof() includes the terminating NUL that the PEM parser requires. */
    uint8_t BufDEVICECert[] = DEVICE_RSA_CERT;
    uint8_t BufCaCert[] = ROOT_CA_RSA_CERT;

    mbedtls_x509_crt CtxDEVICECert;   /* certificate to be verified */
    mbedtls_x509_crt CtxCaCert;       /* trusted root used to verify it */

    mbedtls_x509_crt_init( &CtxDEVICECert );
    mbedtls_x509_crt_init( &CtxCaCert );

    printf( "Parsing DEVICE.Cert " );
    if( ( ret = mbedtls_x509_crt_parse( &CtxDEVICECert, BufDEVICECert,
                                        sizeof( BufDEVICECert ) ) ) != 0 )
        printf( "ret-code: 0x%04x \r\n", -ret );

    printf( "Parsing Ca.Cert " );
    if( ( ret = mbedtls_x509_crt_parse( &CtxCaCert, BufCaCert,
                                        sizeof( BufCaCert ) ) ) != 0 )
        printf( "ret-code: 0x%04x \r\n", -ret );

    /* No CRL, no expected CN, no custom verify callback: chain + validity only. */
    printf( "Verify DEVICE.Cert " );
    ret = mbedtls_x509_crt_verify( &CtxDEVICECert, &CtxCaCert, NULL,
                                   NULL, &flags, NULL, NULL );
    /* On -0x2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) the flags word says why. */
    printf( "ret-code: 0x%04x flags: %u \r\n", -ret, (unsigned) flags );

    mbedtls_x509_crt_free( &CtxDEVICECert );
    mbedtls_x509_crt_free( &CtxCaCert );
    return ret;
}

Thanks,
Gopi Krishnan

Hi @gopi219
The flag 512 is 0x200, which is MBEDTLS_X509_BADCERT_FUTURE.
This probably means that the system time in your device is not set correctly.
Regards,
Mbed TLS Support
Ron

Thank you, it is working with time disabled in config.h.

Now I am writing my custom function to obtain a timestamp as a uint32_t Unix GMT value. May I have any resource on how to integrate that with the mbedtls library so that mbedtls_x509_crt_verify will use my custom-built function to get the current time for validation?

Hi @gopi219

In this article you should find an explanation of how to set your own implementation of mbedtls_time().

However, for x509 verification you will also need support for gmtime_r. Is this available in your system? If not, you should follow the instructions here for how to define mbedtls_platform_gmtime_r().

Regards
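An added illustration of the two points in this thread, written here and not taken from the thread or from Mbed TLS: first, the validity-window check that yields flag 0x200 (MBEDTLS_X509_BADCERT_FUTURE) when a board's clock still reads 1970, and second, a libc-free gmtime_r-style conversion of the kind a port must supply as mbedtls_platform_gmtime_r() when the platform has no gmtime_r. It assumes mbedtls_time_t is plain time_t (the default), that MBEDTLS_PLATFORM_GMTIME_R_ALT is the config option that makes Mbed TLS expect the user-supplied mbedtls_platform_gmtime_r(), and that MBEDTLS_X509_BADCERT_EXPIRED is 0x01; the flag macro names below are local stand-ins, and all timestamps and the validity window are constructed values.

```c
/* Added example (not from the forum thread or Mbed TLS): reproduce the
 * time-related verify flags and provide a portable gmtime_r replacement. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Local stand-ins for the flag bits of mbedtls_x509_crt_verify() (assumed
 * values as in mbedtls/x509.h; 0x0200 is the 512 seen in the thread). */
#define BADCERT_EXPIRED 0x0001u
#define BADCERT_FUTURE  0x0200u

/* Time-related verify flags for a certificate valid over [not_before,
 * not_after] when the clock says 'now'. All values are Unix seconds (UTC). */
uint32_t x509_time_flags(int64_t now, int64_t not_before, int64_t not_after)
{
    uint32_t flags = 0;
    if (now < not_before) flags |= BADCERT_FUTURE;   /* clock behind notBefore */
    if (now > not_after)  flags |= BADCERT_EXPIRED;  /* clock past notAfter */
    return flags;
}

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* Convert Unix seconds to broken-down UTC time without calling the libc.
 * Same contract as gmtime_r(): returns tm_buf on success, NULL on bad input.
 * Under MBEDTLS_PLATFORM_GMTIME_R_ALT this is the name and signature the
 * application is expected to supply (assumption: mbedtls_time_t == time_t). */
struct tm *mbedtls_platform_gmtime_r(const time_t *tt, struct tm *tm_buf)
{
    static const int cum_days[2][12] = {
        { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 },
        { 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335 } };
    int64_t t, days, z, era, doe, yoe, y, doy, mp;
    int m, d;

    if (tt == NULL || tm_buf == NULL) return NULL;
    t = (int64_t)*tt;
    days = t / 86400;
    t -= days * 86400;
    if (t < 0) { t += 86400; days -= 1; }            /* floor division before 1970 */

    memset(tm_buf, 0, sizeof *tm_buf);
    tm_buf->tm_hour = (int)(t / 3600);
    tm_buf->tm_min  = (int)(t % 3600 / 60);
    tm_buf->tm_sec  = (int)(t % 60);
    tm_buf->tm_wday = (int)((days + 4) % 7);         /* 1970-01-01 was a Thursday */
    if (tm_buf->tm_wday < 0) tm_buf->tm_wday += 7;

    /* Proleptic Gregorian days-to-civil conversion using 400-year eras. */
    z   = days + 719468;
    era = (z >= 0 ? z : z - 146096) / 146097;
    doe = z - era * 146097;                          /* day of era [0, 146096] */
    yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    y   = yoe + era * 400;
    doy = doe - (365 * yoe + yoe / 4 - yoe / 100);   /* day of year, March-based */
    mp  = (5 * doy + 2) / 153;                       /* March-based month */
    d   = (int)(doy - (153 * mp + 2) / 5 + 1);
    m   = (int)(mp < 10 ? mp + 3 : mp - 9);          /* calendar month 1..12 */
    if (m <= 2) y += 1;                              /* Jan/Feb belong to next year */

    tm_buf->tm_year = (int)(y - 1900);
    tm_buf->tm_mon  = m - 1;
    tm_buf->tm_mday = d;
    tm_buf->tm_yday = cum_days[is_leap((int)y)][m - 1] + d - 1;
    return tm_buf;
}

/* Clock source of the shape mbedtls_platform_set_time() accepts
 * (mbedtls_time_t (*)(mbedtls_time_t *)). A real port reads the RTC; this
 * one returns a constructed value so the example runs on a PC. */
time_t my_rtc_time(time_t *timer)
{
    time_t now = (time_t)1234567890;   /* constructed: 2009-02-13 23:31:30 UTC */
    if (timer != NULL) *timer = now;
    return now;
}

int main(void)
{
    struct tm tm;
    char buf[32];
    time_t now = my_rtc_time(NULL);

    mbedtls_platform_gmtime_r(&now, &tm);
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", &tm);
    printf("clock: %s UTC\n", buf);

    /* A cert valid 2015..2025 (constructed) looks "future" to a 1970 clock. */
    printf("flags with unset clock: 0x%04x\n",
           (unsigned) x509_time_flags(0, 1420070400, 1735689600));
    return 0;
}
```

The flag function is the diagnostic half: feeding it the unset-clock value 0 and any post-1970 notBefore returns exactly the 0x200 the thread reports, so an RTC that was never set is the first thing to rule out. The conversion half is what the x509 date comparison needs once a clock exists; registering it is a matter of defining MBEDTLS_PLATFORM_GMTIME_R_ALT in config.h and pointing mbedtls_platform_set_time() at a function like my_rtc_time.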