Page 1 of 1
self generated cert has invalid signature
Posted: Thu Dec 12, 2024 5:03 pm
by RebootExpert
using 3.5.0 and NANO module.
I am doing SSH R&D, and I started with example SSH/sshServerUserAuth. It build and runs fine.
In the example it call to generate a cert and key if there isn't one available for use. So I add a dummy html and enable HTTPS web server in the project. the certificate I download from the web browser indicate the certificate that generated has an invalid digital signature.
then I build the example, SSL/SslOnboardCertGeneration/Simple without any modification. It's the same result.
- invalidcert.jpg (34.38 KiB) Viewed 1297 times
for a comparison, this is how it looks when I generate a self signed cert using OpenSSL, you're seeing the the cert is not trusted that's because I've not install the cert into the CA store yet.
- valid.jpg (37.74 KiB) Viewed 1297 times
Re: self generated cert has invalid signature
Posted: Thu Dec 12, 2024 5:15 pm
by RebootExpert
also if I add a compile server cert and key into the SSH example instead of using the onboard generated cert and key, and that cause the SshAccept function fail and return an error code 304 which is SSH_ERROR_BAD_KEY.
The cert and key are created by OpenSSL and compile into cpp file using makeserver.sh file. I doubt that's an issue of the key
Re: self generated cert has invalid signature
Posted: Thu Dec 12, 2024 5:23 pm
by RebootExpert
This reminds me when I first play with SSL a few years ago that having the same problem with 2.9.3. I forget how it get solved, but I think it has to do with subject alternate name.
same to the second problem in the post below
viewtopic.php?t=3055
Re: self generated cert has invalid signature
Posted: Fri Dec 13, 2024 3:06 pm
by RebootExpert
with further troubleshoot, I found that was caused by the signature algorithm mismatch with the public key algorithm in the certificate.
Since it's a
self signed certificate, the two algorithms in the cert need to be the same, either RSA or ECC.
If a cert was signed by a CA, the signature algorithm in the cert need to match with the CA encryption algorithm.
The fix I make to SSL_CreateNewSelfSignedCert(CertGenData & GenData) in \nburn\libraries\crypto\NetBurner\NbCertGen.cpp
Code: Select all
#if defined(SSL_KEY_ECC)
gNewCert->sigType = CTC_SHA256wECDSA;
#elif defined(SSL_KEY_RSA)
gNewCert->sigType = CTC_SHA256wRSA;
#endif
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:f4:68:e3:a2:d7:6b:6d:70:1d:32:28:ca:0a:02:66
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = CA, L = San Diego, O = NetBurner, OU = CodeDemo, CN = MyNetburner, emailAddress =
Sales@NetBurner.com
Validity
Not Before: Jul 5 15:55:31 2023 GMT
Not After : Jul 3 15:55:31 2033 GMT
Subject: C = US, ST = CA, L = San Diego, O = NetBurner, OU = CodeDemo, CN = MyNetburner, emailAddress =
Sales@NetBurner.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:fe:77:01:69:ea:08:f2:16:1a:ff:fd:1b:4d:a2:
1c:6b:53:41:27:30:f2:78:18:32:5a:9b:1c:0d:80:
86:f1:f9:1c:4d:54:c5:93:a2:a0:f6:38:07:81:df:
a3:92:7e:f4:0c:fa:ee:76:60:0d:ca:1d:1b:9b:1b:
e9:24:4c:ff:6f:cc:6d:e7:13:f4:43:c1:6e:ad:3b:
c5:a1:57:41:ec:f4:06:cf:bd:af:2a:74:ce:74:2b:
96:8c:ed:3e:84:8d:79
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.250.5.80, DNS:10.250.5.80
Signature Algorithm: sha256WithRSAEncryption
30:64:02:30:0a:0a:29:12:16:c5:be:50:ac:d2
0e:c3:d3:
2d:af:4d:d9:1c:4a:11:d6:c3:09:fd:5f:6c:40:b3:6d:79:52:
ac
d3:b2:0f:8e:4f:28:4a:6e:0a:e0:da:b6:da:01:02:30:
2e:31:65:c2:75:13:a2:51:9a:95:27:32:aa:3d:80:a4:b3:46:
76:99:f0:ba:3a:a8:4e:4d:3d
ed:01:1e:55:bb:bb:80:b9:
d3:6c:95:cc:f3:87:73:82:9e:b9:68:67
Re: self generated cert has invalid signature
Posted: Fri Dec 13, 2024 7:42 pm
by TomNB
Hello,
That is some great troubleshooting, and thank you very much for sharing the results. We have been checking the behavior and any fixes from 3.5.0 to the latest 3.5.3, and will post back to you as soon as we know more. Have a great weekend and thank you again.
Re: self generated cert has invalid signature
Posted: Tue Dec 17, 2024 2:19 pm
by Forrest
Hello,
I examined the onboard certification generation code and agree with your assessment and fix. I am working on improving the selection logic around selecting a DEFAULT_KEY_TYPE to be used, instead of relying on a plethora of defines. This should arrive with the next release. But in the short term, your solution is both valid and will be used. Any fix put in to place around selecting the key type will be backwards compatible.
I'm curious, what method did you use to set RSA as your preferred key type?
RebootExpert wrote: ↑Fri Dec 13, 2024 3:06 pm
with further troubleshoot, I found that was caused by the signature algorithm mismatch with the public key algorithm in the certificate.
Since it's a
self signed certificate, the two algorithms in the cert need to be the same, either RSA or ECC.
If a cert was signed by a CA, the signature algorithm in the cert need to match with the CA encryption algorithm.
The fix I make to SSL_CreateNewSelfSignedCert(CertGenData & GenData) in \nburn\libraries\crypto\NetBurner\NbCertGen.cpp
Code: Select all
#if defined(SSL_KEY_ECC)
gNewCert->sigType = CTC_SHA256wECDSA;
#elif defined(SSL_KEY_RSA)
gNewCert->sigType = CTC_SHA256wRSA;
#endif
Re: self generated cert has invalid signature
Posted: Tue Dec 17, 2024 3:04 pm
by RebootExpert
I use the default ECC. However there's a HAVE_ECC defined in the \nburn\libraries\include\crypto\platform\NANO54415, my guess is if you commented it out, it will default to RSA. But I didn't test with RSA
0e:c3:d3:
d3:b2:0f:8e:4f:28:4a:6e:0a:e0:da:b6:da:01:02:30:
ed:01:1e:55:bb:bb:80:b9: