Hi Team, I have a requirement to generate self signed certificate programmatically. I have raw EDCSA key pairs generated via OP-TEE APIs. I m trying to generate self signed certificate. I tried the example as shown in programs/x509/cert_write.c. This doesn't work for me as I have raw key pairs where as this expects the key pairs to be in either pem/der format. I tried the following code but it throws error "0xffffdd00" when I call mbedtls_x509write_crt_der
Code to set the raw key pairs: mbedtls_ecdh_context issuer_ctx; mbedtls_ecdh_init(&issuer_ctx);
ret = mbedtls_ecdh_setup(&issuer_ctx, MBEDTLS_ECP_DP_SECP384R1); if (ret != 0) { goto exit; } res = TA_ECSetPublicKey(&issuer_ctx, public_keyX, public_key_Y, 48); if (res != TEE_SUCCESS) { goto exit; } res = TA_ECSetPrivateKey(&issuer_ctx, private_key, 48); if (res != TEE_SUCCESS) { goto exit; } Am I doing something wrong ? Please help
It would be very helpful if some working example of generating certificate programmatically is shared for my reference
Thanks, Prithvi
Complete code added. Please let me know if I making any mistake here? I get MBEDTLS_ERR_OID_NOT_FOUND error
int setKey(mbedtls_ecp_keypair **ec_context, const uint8_t *key_X, const uint8_t *key_Y, const uint8_t *key, size_t key_size) { int ret = 1; mbedtls_ecp_keypair *ctx;
if (ec_context == NULL || key_X == NULL || key_Y == NULL) { return TEE_ERROR_GENERIC; }
ctx = *ec_context; mbedtls_ecp_group_init(&ctx->grp); ret = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP384R1); if (ret != 0) { return TEE_ERROR_GENERIC; } ret = mbedtls_mpi_read_binary(&ctx->Q.X, key_X, key_size); if (ret != 0) { return TEE_ERROR_GENERIC; } ret = mbedtls_mpi_read_binary(&ctx->Q.Y, key_Y, key_size); if (ret != 0) { return TEE_ERROR_GENERIC; } ret = mbedtls_mpi_lset(&ctx->Q.Z, 1); if (ret != 0) { return TEE_ERROR_GENERIC; } ret = mbedtls_mpi_read_binary(&ctx->d, key, key_size); if (ret != 0) { return TEE_ERROR_GENERIC; } return TEE_SUCCESS; }
int GenerateCertificate(const uint8_t *public_key_X, const uint8_t *public_key_X, const uint8_t *key) { int ret = 1; mbedtls_pk_context issuer_ctx;
mbedtls_pk_init(&issuer_ctx);
if ((ret = mbedtls_pk_setup(&issuer_ctx,mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY))) != 0) { EMSG(" failed\n ! mbedtls_pk_setup returned -0x%04x", (unsigned int) -ret); goto exit; } mbedtls_ecp_keypair *issuer_ecp = mbedtls_pk_ec(issuer_ctx);
res = setKey(&issuer_ecp, public_key_X, public_key_Y, private_key, 48); if (res != TEE_SUCCESS) { goto exit; } exit: mbedtls_pk_free(&subject_ctx); return ret; }
As the next step to generate a self signed certificate I'm using the following snippet.
TEE_Result TA_GenerateCert(void *loaded_issuer_key, void *loaded_subject_key, uint8_t **cert, size_t *len, uint8_t is_ca, const char *issuer_name, const char *subject_name) { int ret = 1; unsigned char certificate_der[4096]; unsigned char *cert_start; mbedtls_mpi serial; mbedtls_x509write_cert crt; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_pk_context *issuer_key = loaded_issuer_key, *subject_key = loaded_subject_key; TEE_Result res = TEE_ERROR_GENERIC;
mbedtls_x509write_crt_init(&crt); mbedtls_mpi_init(&serial); mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy);
const char *serial_number = CERT_SERIAL_NUMBER; if ((ret = mbedtls_mpi_read_string(&serial, 10, serial_number)) != 0) { res = TEE_ERROR_GENERIC; goto exit; }
mbedtls_x509write_crt_set_subject_key(&crt, subject_key); mbedtls_x509write_crt_set_issuer_key(&crt, issuer_key);
if ((ret = mbedtls_x509write_crt_set_subject_name(&crt, subject_name)) != 0) { res = TEE_ERROR_GENERIC; goto exit; } if ((ret = mbedtls_x509write_crt_set_issuer_name(&crt, issuer_name)) != 0) { res = TEE_ERROR_GENERIC; goto exit; }
mbedtls_x509write_crt_set_version(&crt, MBEDTLS_X509_CRT_VERSION_3); mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA384);
ret = mbedtls_x509write_crt_set_serial(&crt, &serial); if (ret != 0) { res = TEE_ERROR_GENERIC; goto exit; }
const char *validity_from = CERT_VALIDITY_FROM; const char *validity_till = CERT_VALIDITY_TILL; ret = mbedtls_x509write_crt_set_validity(&crt, validity_from, validity_till); if (ret != 0) { res = TEE_ERROR_GENERIC; goto exit; }
if (is_ca) { ret = mbedtls_x509write_crt_set_basic_constraints(&crt, is_ca,0); if (ret != 0) { res = TEE_ERROR_GENERIC; goto exit; } }
ret = mbedtls_x509write_crt_der(&crt, certificate_der, sizeof(certificate_der), mbedtls_ctr_drbg_random, &ctr_drbg); if (ret != 0) { res = TEE_ERROR_GENERIC; return ret; }
*len = ret; cert_start = certificate_der + 4096 - *len; cert = TEE_Malloc(*len, TEE_MALLOC_FILL_ZERO); TEE_MemMove(cert, cert_start, *len); res = TEE_SUCCESS;
exit: mbedtls_x509write_crt_free(&crt); mbedtls_mpi_free(&serial); mbedtls_ctr_drbg_free(&ctr_drbg); return res; }
I get an error when I call mbedtls_x509write_crt_der as it returns -46/MBEDTLS_ERR_OID_NOT_FOUND( 0xffffffd2).
Am I missing anything ? Please help me resolve this issue
mbed-tls@lists.trustedfirmware.org
-
Prithvi Pai