Summary
I am generating a self signed certificate with ECDSA SHA384 and mbedtls_x509_crt_parse_der is FAILED with ffffde1e
System information
Mbed TLS version (number or commit id): 2.28.1
Operating system and version: Ubuntu 20.04.6 LTS
Configuration (if not default, please attach mbedtls_config.h): Attached
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:
Expected behavior
mbedtls_x509_crt_parse_der is expected to return the Parsed Certificate Structure. If the function returns 0, the parsed certificate will be stored in the mbedtls_x509_crt structure that you pass to the function. You can then access various fields of the certificate through this structure, such as: Subject name, Issuer name, Validity period (not before and not after dates), Public key information, Extensions (if any)
Actual behavior
mbedtls_x509_crt_parse_der FAILED with ffffde1e der Len [-8674]
Steps to reproduce
Used the below code and got output as
///////////////output log/////////////////
mbedtls_x509write_crt_pem success !!!!!!!
mbedtls_x509_crt_parse success !!!!!!!
mbedtls_x509write_crt_der success !!!!!!!
mbedtls_x509_crt_parse_der FAILED !!!!!!! ffffde1e
der Len [-8674]
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
/////////////Code used//////////////////////////
mbedtls_x509_crt crt,crt_der;
mbedtls_pk_context key;
nfi_generate_ecc_key_pair(&key);
int ret;
mbedtls_mpi serial;
mbedtls_x509write_cert crt_writer;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "crt_gen";
const char *subject_namem = "CN=TestCN";

mbedtls_x509write_crt_init(&crt_writer);
mbedtls_mpi_init(&serial);
mbedtls_x509_crt_init(&crt);
mbedtls_x509_crt_init(&crt_der);
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);

if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers))) != 0) {
    return ret;
}
if ((ret = mbedtls_mpi_read_string(&serial, 10, "1")) != 0) {
    return ret;
}

mbedtls_x509write_crt_set_serial(&crt_writer, &serial);
nfi_set_certificate_validity(&crt_writer,365);
mbedtls_x509write_crt_set_subject_key(&crt_writer, &key);
mbedtls_x509write_crt_set_issuer_key(&crt_writer, &key);
mbedtls_x509write_crt_set_md_alg(&crt_writer, MBEDTLS_MD_SHA256);

if ((ret = mbedtls_x509write_crt_set_subject_name(&crt_writer, subject_namem)) != 0) {
    return ret;
}
if ((ret = mbedtls_x509write_crt_set_issuer_name(&crt_writer, subject_namem)) != 0) {
    return ret;
}

mbedtls_x509write_crt_set_basic_constraints(&crt_writer, 1, 0);
mbedtls_x509write_crt_set_key_usage(&crt_writer, MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
                                                 MBEDTLS_X509_KU_NON_REPUDIATION |
                                                 MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
                                                 MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
                                                 MBEDTLS_X509_KU_KEY_AGREEMENT |
                                                 MBEDTLS_X509_KU_KEY_CERT_SIGN |
                                                 MBEDTLS_X509_KU_CRL_SIGN |
                                                 MBEDTLS_X509_KU_ENCIPHER_ONLY |
                                                 MBEDTLS_X509_KU_DECIPHER_ONLY );
// add_extension(&crt_writer,"1.3.2.5.444.2.1","0123",1);

unsigned char output_buf[4096];
memset(output_buf, 0, sizeof(output_buf));
ret = mbedtls_x509write_crt_pem(&crt_writer, output_buf, sizeof(output_buf), mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret < 0) {
    printf("mbedtls_x509write_crt_pem FAILED !!!!!!!\n");
    return ret;
}
else
    printf("mbedtls_x509write_crt_pem success !!!!!!!\n");

ret = mbedtls_x509_crt_parse(&crt, output_buf, sizeof(output_buf));
if (ret < 0) {
    printf("mbedtls_x509_crt_parse FAILED !!!!!!!\n");
    return ret;
}
else
    printf("mbedtls_x509_crt_parse success !!!!!!!\n");

unsigned char output_buf_der[4096];
memset(output_buf_der, 0, sizeof(output_buf_der));
ret = mbedtls_x509write_crt_der(&crt_writer,output_buf_der, sizeof(output_buf_der), mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret < 0) {
    printf("mbedtls_x509write_crt_der FAILED !!!!!!!\n");
    return ret;
}
else
    printf("mbedtls_x509write_crt_der success !!!!!!!\n");

ret = mbedtls_x509_crt_parse_der(&crt_der, output_buf_der, sizeof(output_buf_der));
if (ret < 0) {
    printf("mbedtls_x509_crt_parse_der FAILED !!!!!!! %x\n",ret);
    // return ret;
}
else
    printf("mbedtls_x509_crt_parse_der success !!!!!!!\n");

printf("der Len [%d]\n",ret);
for (size_t i = 0; i < ret; i++)
{
    printf("%02x", output_buf[sizeof(output_buf) - ret + i]);
}
printf("\n");
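
Added example, not part of the original report and not Mbed TLS code: it splits the reported return value `ffffde1e` (-8674) into its high-level and low-level codes, and models the documented `mbedtls_x509write_crt_der` convention of placing the DER at the end of the buffer and returning its length, so the bytes at the buffer start can be compared with those at `buf + size - ret`. `split_error`, `write_seq_at_end`, `read_outer_seq` and `demo` are hypothetical helpers, and the 300-byte body is constructed filler.

```c
#include <stdio.h>
#include <string.h>

/* Values from the Mbed TLS 2.28 headers x509.h and asn1.h. */
#define X509_INVALID_FORMAT (-0x2180)
#define ASN1_UNEXPECTED_TAG (-0x0062)

/* Split a combined return value with the 0xFF80 mask mbedtls_strerror() uses. */
static void split_error(int ret, int *high, int *low) {
    *high = -((-ret) & 0xFF80);
    *low = -((-ret) & ~0xFF80);
}

/* Model only: wrap n bytes in a DER SEQUENCE at the END of buf; return total length or -1. */
static int write_seq_at_end(unsigned char *buf, size_t size,
                            const unsigned char *content, size_t n) {
    if (n > 0xFFFF || size < n + 4) return -1;
    unsigned char *c = buf + size - n;
    memcpy(c, content, n);
    if (n > 0xFF) { *--c = n & 0xFF; *--c = n >> 8; *--c = 0x82; }
    else if (n >= 0x80) { *--c = (unsigned char)n; *--c = 0x81; }
    else { *--c = (unsigned char)n; }
    *--c = 0x30; /* SEQUENCE | CONSTRUCTED */
    return (int)(buf + size - c);
}

/* First check of a forward DER reader: outer tag 0x30. Returns content length or an error. */
static int read_outer_seq(const unsigned char *p, size_t len) {
    if (len < 2 || p[0] != 0x30) return ASN1_UNEXPECTED_TAG;
    if (p[1] < 0x80) return p[1];
    if (p[1] == 0x81 && len >= 3) return p[2];
    if (p[1] == 0x82 && len >= 4) return (p[2] << 8) | p[3];
    return -1; /* unsupported or truncated length */
}

/* Write a constructed 300-byte body, then read from the buffer start or from the end. */
static int demo(int from_end) {
    unsigned char buf[4096] = {0}, body[300];
    memset(body, 0xAA, sizeof body);
    int len = write_seq_at_end(buf, sizeof buf, body, sizeof body);
    return from_end ? read_outer_seq(buf + sizeof buf - len, (size_t)len)
                    : read_outer_seq(buf, sizeof buf);
}

int main(void) {
    int hi, lo;
    split_error(-8674, &hi, &lo); /* ffffde1e as a signed 32-bit int */
    printf("high=-0x%04X low=-0x%04X start=%d end=%d\n", -hi, -lo, demo(0), demo(1));
    return 0;
}
```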