sign the auto gen cert

Discussion to talk about software related topics only.
Post Reply
RebootExpert
Posts: 37
Joined: Fri Oct 09, 2020 2:57 pm

sign the auto gen cert

Post by RebootExpert » Wed Apr 07, 2021 12:45 pm

How do I use my own CA to sign the auto gen certificate? I want to upload my own CA to the module, and every time I call the function SSL_CreateNewSelfSignedCert(), using that CA to sign the cert instead generate a new cert that has a same subject and issuer.

Right now when the device boots up, it will check the common name of the cert with the IP address. If they don't match, a new cert will generated.
This is good, but since it's a new self signed cert, I will have to install it into window certificate store in order for it to work. This is not very ideal to do for every time the IP address change. If I can use the CA to sign the cert, it will be perfect. in that case I will only need to trust the CA once.

I try to make a new function base on SSL_CreateNewSelfSignedCert(). I see there are a few functions in wolfssl library I can use, but I just don't know how to use them correctly without the instructions/comments.

referring to these functions in C:\nburn\include\crypto\wolfssl\wolfcrypt\asn_public.h

Code: Select all

WOLFSSL_API int wc_MakeCert_ex(Cert* cert, byte* derBuffer, word32 derSz,
                                int keyType, void* key, WC_RNG* rng);
WOLFSSL_API int wc_MakeCert(Cert*, byte* derBuffer, word32 derSz, RsaKey*,
                             ecc_key*, WC_RNG*);
#ifdef WOLFSSL_CERT_REQ
    WOLFSSL_API int wc_MakeCertReq_ex(Cert*, byte* derBuffer, word32 derSz,
                                       int, void*);
    WOLFSSL_API int wc_MakeCertReq(Cert*, byte* derBuffer, word32 derSz,
                                    RsaKey*, ecc_key*);
#endif
WOLFSSL_API int wc_SignCert_ex(int requestSz, int sType, byte* buffer,
                                word32 buffSz, int keyType, void* key,
                                WC_RNG* rng);
WOLFSSL_API int wc_SignCert(int requestSz, int sigType, byte* derBuffer,
                             word32 derSz, RsaKey*, ecc_key*, WC_RNG*);

User avatar
Jon
Posts: 50
Joined: Mon Feb 05, 2018 10:54 am

Re: sign the auto gen cert

Post by Jon » Thu Apr 08, 2021 4:55 pm

Hi Rebootexpert,

The easiest way to do this is to add in a compiled version of your CA in the der format. You can generate a .cpp of this file with our NNDK using the following command:

Code: Select all

compfile CA.der ca_cert ca_cert_len CaCrt.cpp
Add this to your application. Then at the top of <nndk_isntall>\libraries\crypto\NetBurner\NbCertGen.cpp add the following near the includs:

Code: Select all

    extern const unsigned long ca_cert_len ; 
    extern const unsigned char ca_cert[];
Then, down in SSL_CreateNewSelfSignedCert(), add the following right before the call to wc_MakeCert():

Code: Select all

    // Set Issuer from Compiled in CA
    ret = wc_SetIssuerBuffer(gNewCert, ca_cert, ca_cert_len);
    if( ret < 0)
    {
        SSL_DEBUG_IPRINTF("Error setting certificate issuer: %d\r\n", ret);
        CleanUpCertKeyGen();
        return CERT_GEN_RETURN_CERT_CREATE_ERROR;
    }
You can do something similar with the file system (you would likely want to incorporate our FileSystem examples), but you will use the function

Code: Select all

wc_SetIssuer()
instead. We will add some examples on how to do this later in a future release. More can be found on these functions here:

https://wolfssl.com/doxygen/group__ASN. ... 03a7114200

All this said, please be aware that we strongly recommend against having the same CA stored on multiple devices, especially if they are accessible to the outside world. As I'm sure you're aware, this presents a substantial security risk.

Kind Regards,
Jon

RebootExpert
Posts: 37
Joined: Fri Oct 09, 2020 2:57 pm

Re: sign the auto gen cert

Post by RebootExpert » Fri Apr 09, 2021 10:43 am

Thanks Jon. I tried it out, and rebuild system library. but now I can't access the webpage via https.
there's error show in the cert "This certificate has an invalid digital signature."
How does only set the issuer of the cert can replace the process of signing a cert?

RebootExpert
Posts: 37
Joined: Fri Oct 09, 2020 2:57 pm

Re: sign the auto gen cert

Post by RebootExpert » Fri Apr 09, 2021 2:53 pm

I have to generate a caKey.cpp too.

Code: Select all

compfile caKey.der ca_key ca_key_len caKey.cpp
get a caKey from it by using wc_EccPrivateKeyDecode()
and use the caKey to sign the cert.

Code: Select all

ret = wc_SignCert(gNewCert->bodySz, gNewCert->sigType, gDerBuf, derBufSz, nullptr, caKey, gRng);
Interestingly, I still have to use the wc_MakeCert() get a cert instead of wc_MakeCertReq() to get a signing request.
But somehow this work. the browser accept the certificate it auto gen and signed by my CA

User avatar
Jon
Posts: 50
Joined: Mon Feb 05, 2018 10:54 am

Re: sign the auto gen cert

Post by Jon » Mon Apr 12, 2021 4:36 pm

Hi RebootExpert,

I'm glad you were able to get it working! The other function you mentioned, wc_MakeCertReq(), is actually for creating a certificate signing request. This would then get sent to a CA to be signed and returned. Because we provide the CA here locally, we don't need to create this request, we just sign it directly. =)

Kind Regards,
Jon

Post Reply