X509 - Signature Algorithm (OID) is Unsupported in mbed TLS 2.16.2 During Azure MQTT Connection

I’m currently using mbed TLS 2.16.2 on an STM32F407G microcontroller with a SIM7600G GSM module to connect to an Azure MQTT broker over a GSM network. During the certificate parsing, I’m encountering the following error:

“X509 - Signature algorithm (oid) is unsupported : OID - OID is not found” with error code “-9774”

    • The STM32F407G is successfully initialized and connected to the GSM network via the SIM7600G.
    • The device obtains an IP address and the connection to the Azure MQTT broker is established.
    • However, when mbed TLS tries to parse the root certificate, it fails due to an unsupported or unrecognized signature algorithm in the certificate.
    • I’ve ensured that mbed TLS has the correct configuration options enabled for RSA and SHA256 support in config.h (such as #define MBEDTLS_RSA_C, #define MBEDTLS_X509_RSASSA_PKCS1_V1_5, and #define MBEDTLS_SHA256_C).
    • The broker’s certificate is from a trusted authority (DigiCert Global Root G2).
    • I’ve checked if mbed TLS supports the signature algorithm used by the certificate but haven’t had any luck resolving the issue.
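
#include <stdio.h>
#include "mbedtls/x509_crt.h"
#include "mbedtls/oid.h"
#include "mbedtls/error.h"

const char mbedtls_root_certificate[] = "-----BEGIN CERTIFICATE-----\r\n"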
                                        "MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\r\n"
                                        "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
                                        "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\r\n"
                                        "MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\r\n"
                                        "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\r\n"
                                        "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\r\n"
                                        "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\r\n"
                                        "2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\r\n"
                                        "1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\r\n"
                                        "q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\r\n"
                                        "tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\r\n"
                                        "vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\r\n"
                                        "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\r\n"
                                        "5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\r\n"
                                        "1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\r\n"
                                        "NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\r\n"
                                        "Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\r\n"
                                        "8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\r\n"
                                        "pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\r\n"
                                        "MrY=\r\n"
                                        "-----END CERTIFICATE-----\r\n";

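// Length of the certificate buffer. sizeof already counts the terminating NUL,
// which mbedtls_x509_crt_parse() requires to be included for PEM input.
const size_t mbedtls_root_certificate_len = sizeof(mbedtls_root_certificate);

    mbedtls_x509_crt cert;
    mbedtls_x509_crt_init(&cert);

    char error_buf[100];
    // Pass the exact buffer length: adding 1 would read one byte past the array.
    int ret = mbedtls_x509_crt_parse(&cert, (const unsigned char *)mbedtls_root_certificate, mbedtls_root_certificate_len);
    if (ret != 0) {
        mbedtls_strerror(ret, error_buf, sizeof(error_buf));
        printf("Failed to parse root certificate: %s\n", error_buf);
        // After a failed parse sig_oid may be empty, so start from an empty
        // string to avoid printing an uninitialized buffer.
        char oid_buf[32] = "";
        mbedtls_oid_get_numeric_string(oid_buf, sizeof(oid_buf), &cert.sig_oid);
        printf("Signature Algorithm: %s\n", oid_buf);
    } else {
        printf("Root certificate parsed successfully.\n");
    }
    // Release the certificate structure on both paths.
    mbedtls_x509_crt_free(&cert);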

Could it be this issue? "Cannot use TLSSocket without enabling MBEDTLS_SHA1_C macro" (Issue #8638, ARMmbed/mbed-os, GitHub)

The fix is to define MBEDTLS_SHA1_C globally, e.g. using the macros section in mbed_app.json or in your config header.
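
To check which signature algorithm OID the certificate in the question carries without depending on the TLS library, here is a minimal DER walker in plain C (an added example, not code from the posts above or from mbed TLS). The names `der_next`, `cert_sig_oid` and `SAMPLE_DER` are made up for this example; the sample bytes are the start of the posted PEM, base64-decoded.

```c
#include <stdio.h>
/* Read one DER header at *p: returns the tag (-1 if malformed) and sets *len. */
static int der_next(const unsigned char **p, const unsigned char *end, size_t *len) {
    if (end - *p < 2) return -1;
    int tag = *(*p)++;
    *len = *(*p)++;
    if (*len & 0x80) {                       /* long form: k length bytes follow */
        size_t k = *len & 0x7F;
        if (k == 0 || k > 4 || (size_t)(end - *p) < k) return -1;
        for (*len = 0; k > 0; k--) *len = (*len << 8) | *(*p)++;
    }   /* SEQUENCE content may be truncated (prefix input); anything else must fit */
    return (tag != 0x30 && *len > (size_t)(end - *p)) ? -1 : tag;
}

/* Render tbsCertificate.signature OID as dotted text; 0 on success, -1 on error. */
int cert_sig_oid(const unsigned char *der, size_t n, char *out, size_t outlen) {
    const unsigned char *p = der, *end = der + n;
    size_t len, used = 0;
    unsigned long v = 0;
    if (der_next(&p, end, &len) != 0x30) return -1;      /* Certificate */
    if (der_next(&p, end, &len) != 0x30) return -1;      /* tbsCertificate */
    int tag = der_next(&p, end, &len);
    if (tag == 0xA0) { p += len; tag = der_next(&p, end, &len); }  /* skip [0] version */
    if (tag != 0x02) return -1;                          /* serialNumber */
    p += len;
    if (der_next(&p, end, &len) != 0x30) return -1;      /* signature AlgorithmIdentifier */
    if (der_next(&p, end, &len) != 0x06) return -1;      /* its algorithm OID */
    for (size_t i = 0; i < len; i++) {
        v = (v << 7) | (p[i] & 0x7Fu);                   /* base-128, high bit = more */
        if (p[i] & 0x80) continue;
        unsigned long a = v < 80 ? v / 40 : 2;           /* first value packs arcs 1 and 2 */
        int w = used ? snprintf(out + used, outlen - used, ".%lu", v)
                     : snprintf(out, outlen, "%lu.%lu", a, v - 40 * a);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w; v = 0;
    }
    return used ? 0 : -1;
}

static const unsigned char SAMPLE_DER[] = {  /* first 46 bytes of the posted certificate */
    0x30,0x82,0x03,0x8E, 0x30,0x82,0x02,0x76, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x10,
    0x03,0x3A,0xF1,0xE6,0xA7,0x11,0xA9,0xA0,0xBB,0x28,0x64,0xB1,0x1D,0x09,0xFA,0xE5,
    0x30,0x0D, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, 0x05,0x00
};

int main(void) {
    char oid[64];
    if (cert_sig_oid(SAMPLE_DER, sizeof SAMPLE_DER, oid, sizeof oid)) return 1;
    return printf("signatureAlgorithm OID: %s\n", oid) < 0;
}
```

For the posted certificate this yields 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), which is the algorithm the library build on the device has to recognise.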