Self signed certificate generation

Prithvi_Pai · February 8, 2023, 9:48am

Hi Team,
I have a requirement to generate self signed certificate using mbedTLS programmatically.
I have EDCSA key pairs generated using OP-TEE library.
I have set the keys into the mbedtls_pk_context using mbedtls_mpi_read_binary APIs provided.
The issue I m facing is when I call “mbedtls_x509write_crt_der” function I see the error saying MBEDTLS_ERR_OID_NOT_FOUND.

The md algorithm I have set is mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA384); and fllowing is my code to init pk context

mbedtls_pk_init(&issuer_ctx);
mbedtls_pk_setup(&issuer_ctx,mbedtls_pk_info_from_type(MBEDTLS_PK_ECDSA));

Am I missing anything here ?

Prithvi_Pai · February 9, 2023, 6:00am

Complete code added. Please let me know if I making any mistake here?
I get MBEDTLS_ERR_OID_NOT_FOUND error

Code to set the key:

int setKey(mbedtls_ecp_keypair **ec_context, const uint8_t *key_X, const uint8_t *key_Y,
const uint8_t *key, size_t key_size)
{
int ret = 1;
mbedtls_ecp_keypair *ctx;

if (ec_context == NULL || key_X == NULL || key_Y == NULL) {
    return TEE_ERROR_GENERIC;
}

ctx = *ec_context;
mbedtls_ecp_group_init(&ctx->grp);
ret = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP384R1);
if (ret != 0) {
return TEE_ERROR_GENERIC;
}
ret = mbedtls_mpi_read_binary(&ctx->Q.X, key_X, key_size);
if (ret != 0) {
    return TEE_ERROR_GENERIC;
}
ret = mbedtls_mpi_read_binary(&ctx->Q.Y, key_Y, key_size);
if (ret != 0) {
    return TEE_ERROR_GENERIC;
}
ret = mbedtls_mpi_lset(&ctx->Q.Z, 1);
if (ret != 0) {
    return TEE_ERROR_GENERIC;
}
ret = mbedtls_mpi_read_binary(&ctx->d, key, key_size);
if (ret != 0) {
    return TEE_ERROR_GENERIC;
}
return TEE_SUCCESS;
}

int GenerateCertificate(const uint8_t *public_key_X, const uint8_t *public_key_X, const uint8_t *key)
{
int ret = 1;
mbedtls_pk_context issuer_ctx;

mbedtls_pk_init(&issuer_ctx);

if ((ret = mbedtls_pk_setup(&issuer_ctx,mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY))) != 0) {
    EMSG(" failed\n  !  mbedtls_pk_setup returned -0x%04x", (unsigned int) -ret);
    goto exit;
  }
mbedtls_ecp_keypair *issuer_ecp = mbedtls_pk_ec(issuer_ctx);

res =  setKey(&issuer_ecp, public_key_X, public_key_Y, private_key, 48);
if (res != TEE_SUCCESS)
{
goto exit;
}
exit:
mbedtls_pk_free(&subject_ctx);
return ret;
}

As the next step to generate a self signed certificate I’m using the following snippet.

TEE_Result TA_GenerateCert(void *loaded_issuer_key, void *loaded_subject_key, uint8_t **cert, size_t *len, uint8_t is_ca, const char *issuer_name, const char *subject_name)
{
int ret = 1;
unsigned char certificate_der[4096];
unsigned char *cert_start;
mbedtls_mpi serial;
mbedtls_x509write_cert crt;
      mbedtls_ctr_drbg_context ctr_drbg;
      mbedtls_pk_context *issuer_key = loaded_issuer_key,
                         *subject_key = loaded_subject_key;
TEE_Result res = TEE_ERROR_GENERIC;

mbedtls_x509write_crt_init(&crt);
    mbedtls_mpi_init(&serial);
    mbedtls_ctr_drbg_init(&ctr_drbg);
    mbedtls_entropy_init(&entropy);

const char *serial_number = CERT_SERIAL_NUMBER;
  if ((ret = mbedtls_mpi_read_string(&serial, 10, serial_number)) != 0) {
res = TEE_ERROR_GENERIC;
        goto exit;
     }

mbedtls_x509write_crt_set_subject_key(&crt, subject_key);
    mbedtls_x509write_crt_set_issuer_key(&crt, issuer_key);

if ((ret = mbedtls_x509write_crt_set_subject_name(&crt, subject_name)) != 0) {
res = TEE_ERROR_GENERIC;
        goto exit;
    }
    if ((ret = mbedtls_x509write_crt_set_issuer_name(&crt, issuer_name)) != 0) {
res = TEE_ERROR_GENERIC;
        goto exit;
    }

mbedtls_x509write_crt_set_version(&crt, MBEDTLS_X509_CRT_VERSION_3);
    mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA384);

ret = mbedtls_x509write_crt_set_serial(&crt, &serial);
    if (ret != 0) {
res = TEE_ERROR_GENERIC;
        goto exit;
    }

const char *validity_from = CERT_VALIDITY_FROM;
const char *validity_till = CERT_VALIDITY_TILL;
    ret = mbedtls_x509write_crt_set_validity(&crt, validity_from, validity_till);
    if (ret != 0) {
res = TEE_ERROR_GENERIC;
        goto exit;
    }

if (is_ca)
{
        ret = mbedtls_x509write_crt_set_basic_constraints(&crt, is_ca,0);
        if (ret != 0) {
res = TEE_ERROR_GENERIC;
            goto exit;
        }
}

ret = mbedtls_x509write_crt_der(&crt, certificate_der, sizeof(certificate_der), mbedtls_ctr_drbg_random, &ctr_drbg);
    if (ret != 0) {
res = TEE_ERROR_GENERIC;
        return ret;
    }

*len = ret;
    cert_start = certificate_der + 4096 - *len;
cert = TEE_Malloc(*len, TEE_MALLOC_FILL_ZERO);
TEE_MemMove(cert, cert_start, *len);
res =  TEE_SUCCESS;

exit:
    mbedtls_x509write_crt_free(&crt);
    mbedtls_mpi_free(&serial);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    return res;
}

I get an error when I call mbedtls_x509write_crt_der as it returns -46/MBEDTLS_ERR_OID_NOT_FOUND( 0xffffffd2).

Am I missing anything ?

Topic		Replies	Views
Selfsigned EC Certificate Generic mbed_tls	1	583	May 26, 2019
Key and Certificate Generation mbedTLS Mbed TLS mbed_tls	3	3852	October 27, 2019
ECDSA verify problems Crypto and SSL questions mbed_tls	8	3268	October 13, 2022
Mbedtls_pk_verify giving ECP - The signature is not valid as error Crypto and SSL questions mbed_tls	0	799	March 22, 2021
Program stops execution on the mbedtls_x509_crt_verify() call Mbed TLS mbed_tls	3	474	July 14, 2023

Self signed certificate generation

Related topics