Using (trying / learning) WolfSSL on a limited device (pico) - needing a TLS client. I'd like to keep the build as small as feasible.
Trying to load the trusted CA
const char *cacerts = AWS_ROOT_CA1_SIGNED;
if ((ret = wolfSSL_CTX_load_verify_buffer(pCtx, (const unsigned char *)cacerts,
strlen(cacerts), SSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
displayWatermark();
printf("ERROR: failed to load CA cert. %d\n", ret);
for(;;);
}
wolfSSL_CTX_set_verify(pCtx, SSL_VERIFY_PEER, verifyCert);
Yet the root certificate is not recognized :/ I still believe I have something wrong (I noticed the root certificate may come cross-signed for some services)
In verification callback, preverify 0, error = -188, ASN no signer error to confirm failure Verify error depth 2, domain Amazon Root CA 1
My idea is using the verify callback to validate the cerificates based on their serial number or thumbprint. It should be much smaller than having a list of CA certificates or intermediaries built into the code.
In the WOLFSSL_X509_STORE_CTX object there's an array of buffers certs containing the whole chain. According to the examples, the store->cert buffers are holding the server certificate chain in the DER format.
I found that if I define OPENSSL_EXTRA_X509_SMALL, the callback store contains the current_cert attribute (containing only the root certificate), yet I'd like to keep the build without additional load if possible. And then I'm not sure if I will need to validate all the chain anyway (hostname, validity dates, ..)
QUESTIONS:
Is there a way to get attributes (signature, name, issuer's serial ..) form the DER buffer? I see that option for the parsed X509 certificates, but .. is there a function available to parse the DER format?
I am a member of the wolfSSL team.
Here is a snippet.
DecodedCert decodedCert;
byte derBuffer[MAX_BUF];
size_t bytes;
int ret;
// TODO: get the DER encoding into derBuffer and the size of the der
// encoding into bytes.
InitDecodedCert(&decodedCert, derBuffer, (word32) bytes, 0);
ret = ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL);
check_ret("ParseCert", ret);
// TODO: Inspect decodedCert for what you're interested in
FreeDecodedCert(&decodedCert);
The declaration for decoded cert struct can be found in wolfssl/wolfcrypt/asn.h