mbedtls_ssl_handshake cannot properly handle multiple CA certificates. In my case I have a set of certificates built into my device, and I want to try them one by one with mbedtls_ssl_handshake to connect to my server.
System information
Mbed TLS version (number or commit id): 3.6
Operating system and version: FreeRtos
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:
Expected behavior
The first certificate, 'cdotroot.cer', cannot be verified by mbedtls, while the correct one should connect successfully.
Actual behavior
Neither the wrong nor the correct CA certificate can connect successfully.
Steps to reproduce
Here is my code sample:
```c
/* Assumed context (not shown in the original snippet): cacert[], conf[] and ssl[] are
 * per-connection mbedtls_x509_crt / mbedtls_ssl_config / mbedtls_ssl_context arrays that
 * were initialised and set up (mbedtls_ssl_setup, mbedtls_ssl_set_bio) earlier;
 * try_built_in_certificate() copies certificate `cert_index` into cert_buffer and returns
 * CERT_SUCCESS or CERT_ERR_INDEX_OUT_OF_RANGE; LOGD() is the device logger. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include "mbedtls/ssl.h"
#include "mbedtls/x509_crt.h"

static int load_and_verify_certificates(int conn_id, uint8_t *cert_buffer, size_t buffer_size) {
    int ret;
    bool connection_established = false;
    uint32_t cert_index = 0;

    while (!connection_established && cert_index < MAX_CERT_COUNT) {
        size_t cert_size = buffer_size;

        /* Start from an empty trust store for every candidate CA. */
        mbedtls_x509_crt_free(&cacert[conn_id]);
        mbedtls_x509_crt_init(&cacert[conn_id]);

        /* Fetch the next built-in certificate into cert_buffer. */
        ret = try_built_in_certificate(cert_buffer, &cert_size, cert_index);
        if (ret == CERT_ERR_INDEX_OUT_OF_RANGE) {
            break;
        }
        if (ret != CERT_SUCCESS) {
            cert_index++;
            continue;
        }

        /* PEM input must be NUL-terminated with the terminator counted in the length;
         * make sure there is room for it before writing past the certificate bytes. */
        if (cert_size >= buffer_size) {
            LOGD("Certificate index %u does not fit in the buffer\n", (unsigned) cert_index);
            cert_index++;
            continue;
        }
        cert_buffer[cert_size] = '\0';
        ret = mbedtls_x509_crt_parse(&cacert[conn_id], cert_buffer, cert_size + 1);
        if (ret < 0) {
            cert_index++;
            continue;
        }

        /* Point the config at the freshly parsed CA; ssl[conn_id] keeps a pointer to
         * conf[conn_id], so the change applies to the next handshake. */
        mbedtls_ssl_conf_ca_chain(&conf[conn_id], &cacert[conn_id], NULL);

        ret = mbedtls_ssl_handshake(&ssl[conn_id]);
        if (ret == 0) {
            uint32_t flags = mbedtls_ssl_get_verify_result(&ssl[conn_id]);
            if (flags == 0) {
                connection_established = true;
                /* Remember which built-in CA worked so later connections try it first. */
                cache_certificate(cert_buffer, cert_size, cert_index);
                break;
            }
        } else {
            LOGD("Failed to perform handshake with certificate index %u, error: -0x%x\n",
                 (unsigned) cert_index, (unsigned) -ret);
        }

        /* Reset the TLS state before the next attempt. This only clears the session and
         * handshake state; it does not touch the transport registered with
         * mbedtls_ssl_set_bio(). After a failed handshake the peer normally closes the TCP
         * connection, so the socket has to be reconnected before retrying with another CA. */
        ret = mbedtls_ssl_session_reset(&ssl[conn_id]);
        if (ret != 0) {
            LOGD("Failed to reset SSL session, error: -0x%x\n", (unsigned) -ret);
            return ret;
        }
        cert_index++;
    }
    return connection_established ? 0 : -1;
}
```
Additional information
Here are the logs:
Reading certificate 'cdotroot.cer' at address 0x08100650, size: 1348
Failed to perform handshake with certificate index 0, error: -0x2700
Reading certificate 'digicertroot.cer' at address 0x08100B94, size: 1360
Failed to perform handshake with certificate index 1, error: -0x7300
Reading certificate 'test_cert_00.cer' at address 0x081010E4, size: 1107
Failed to perform handshake with certificate index 2, error: -0x50
Reading certificate 'test_cert_01.cer' at address 0x08101537, size: 775
Failed to perform handshake with certificate index 3, error: -0x4e
Reading certificate 'test_cert_02.cer' at address 0x0810183E, size: 1107
Failed to perform handshake with certificate index 4, error: -0x4e
Reading certificate 'test_cert_03.cer' at address 0x08101C91, size: 775
Failed to perform handshake with certificate index 5, error: -0x4e
Reading certificate 'test_cert_04.cer' at address 0x08101F98, size: 1107
Failed to perform handshake with certificate index 6, error: -0x4e
Reading certificate 'test_cert_05.cer' at address 0x081023EB, size: 775
Failed to perform handshake with certificate index 7, error: -0x4e
Reading certificate 'test_cert_06.cer' at address 0x081026F2, size: 1107
Failed to perform handshake with certificate index 8, error: -0x4e
Reading certificate 'test_cert_07.cer' at address 0x08102B45, size: 775
Failed to perform handshake with certificate index 9, error: -0x4e
Reading certificate 'test_cert_08.cer' at address 0x08102E4C, size: 1107
Failed to perform handshake with certificate index 10, error: -0x4e
Reading certificate 'test_cert_09.cer' at address 0x0810329F, size: 775
Failed to perform handshake with certificate index 11, error: -0x4e
Reading certificate 'test_cert_10.cer' at address 0x081035A6, size: 1107
Failed to perform handshake with certificate index 12, error: -0x4e
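The log above can be read mechanically. This added example (not the reporter's code and not part of Mbed TLS) classifies each failed attempt by the Mbed TLS 3.6 error value it reports and checks for the pattern in which only the first attempt got as far as certificate verification while every later one died at the protocol or transport layer; the embedded sample input is the first five attempts from the log.

```c
#include <stdio.h>
#include <string.h>
#define ERR_X509_CERT_VERIFY_FAILED (-0x2700) /* server chain did not verify against this CA */
#define ERR_SSL_DECODE_ERROR        (-0x7300) /* unexpected or malformed handshake data */
#define ERR_NET_SEND_FAILED         (-0x0050) /* write on a socket the peer has closed */
#define ERR_NET_RECV_FAILED         (-0x004E) /* read on a socket the peer has closed */
typedef enum { STAGE_VERIFY, STAGE_PROTOCOL, STAGE_TRANSPORT, STAGE_OTHER } stage_t;
stage_t classify(int err) {
    switch (err) {
    case ERR_X509_CERT_VERIFY_FAILED: return STAGE_VERIFY;
    case ERR_SSL_DECODE_ERROR:        return STAGE_PROTOCOL;
    case ERR_NET_SEND_FAILED: case ERR_NET_RECV_FAILED: return STAGE_TRANSPORT;
    default:                          return STAGE_OTHER;
    }
}

/* Error code of a "Failed to perform handshake ... error: -0xHHHH" line, 0 for any other. */
int parse_failure_error(const char *line) {
    int idx; unsigned v;
    return sscanf(line, "Failed to perform handshake with certificate index %d, error: -0x%x",
                  &idx, &v) == 2 ? -(int)v : 0;
}

/* Walk a newline-separated log; counts[stage] receives the attempts that died at that stage.
 * Returns 1 when only the first attempt reached certificate verification and every later one
 * died earlier: a connection the server closed after the first failure and that was reused. */
int analyze_log(const char *log, int counts[4]) {
    int n = 0, pattern = 1;
    memset(counts, 0, 4 * sizeof counts[0]);
    for (const char *p = log; *p; ) {
        int err = parse_failure_error(p);   /* sscanf stops at the line end: no copy needed */
        if (err) {
            stage_t s = classify(err);
            counts[s]++;
            if (n++ == 0 ? s != STAGE_VERIFY : s != STAGE_PROTOCOL && s != STAGE_TRANSPORT)
                pattern = 0;
        }
        const char *nl = strchr(p, '\n');
        p = nl ? nl + 1 : p + strlen(p);
    }
    return n >= 2 && pattern;
}
/* Constructed sample: the first five attempts from the log in this issue. */
static const char SAMPLE_LOG[] =
    "Reading certificate 'cdotroot.cer' at address 0x08100650, size: 1348\n"
    "Failed to perform handshake with certificate index 0, error: -0x2700\n"
    "Failed to perform handshake with certificate index 1, error: -0x7300\n"
    "Failed to perform handshake with certificate index 2, error: -0x50\n"
    "Failed to perform handshake with certificate index 3, error: -0x4e\n"
    "Failed to perform handshake with certificate index 4, error: -0x4e\n";
```

A result of 1 from analyze_log means the later CAs were never actually tested against the server certificate, which points at the transport being reused rather than at the certificates themselves.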