I’m currently using mbed TLS 2.16.2 on an STM32F407G microcontroller with a SIM7600G GSM module to connect to an Azure MQTT broker over a GSM network. During the certificate parsing, I’m encountering the following error:
“X509 - Signature algorithm (oid) is unsupported : OID - OID is not found” with error code “-9774”
-
- The STM32F407G is successfully initialized and connected to the GSM network via the SIM7600G.
-
- The device obtains an IP address and the connection to the Azure MQTT broker is established.
-
- However, when mbed TLS tries to parse the root certificate, it fails due to an unsupported or unrecognized signature algorithm in the certificate.
-
- I’ve ensured that mbed TLS has the correct configuration options enabled for RSA and SHA256 support in config.h (such as #define MBEDTLS_RSA_C, #define MBEDTLS_X509_RSASSA_PKCS1_V1_5, and #define MBEDTLS_SHA256_C).
-
- The broker’s certificate is from a trusted authority (DigiCert Global Root G2).
-
- I’ve checked if mbed TLS supports the signature algorithm used by the certificate but haven’t had any luck resolving the issue.
const char mbedtls_root_certificate[] = "-----BEGIN CERTIFICATE-----\r\n"
"MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\r\n"
"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\r\n"
"MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\r\n"
"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\r\n"
"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\r\n"
"9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\r\n"
"2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\r\n"
"1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\r\n"
"q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\r\n"
"tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\r\n"
"vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\r\n"
"BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\r\n"
"5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\r\n"
"1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\r\n"
"NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\r\n"
"Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\r\n"
"8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\r\n"
"pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\r\n"
"MrY=\r\n"
"-----END CERTIFICATE-----\r\n";
// Define the length of the certificate
const size_t mbedtls_root_certificate_len = sizeof(mbedtls_root_certificate);
mbedtls_x509_crt cert;
mbedtls_x509_crt_init(&cert);
char error_buf[100];
ret = mbedtls_x509_crt_parse(&cert, (const unsigned char *)mbedtls_root_certificate, mbedtls_root_certificate_len+1);
if (ret != 0) {
mbedtls_strerror(ret, error_buf, sizeof(error_buf));
printf("Failed to parse root certificate: %s\n", error_buf);
char oid_buf[32];
mbedtls_oid_get_numeric_string(oid_buf, sizeof(oid_buf), &cert.sig_oid);
printf("Signature Algorithm: %s\n", oid_buf);
} else {
printf("Root certificate parsed successfully.\n");
}