Azure/azure-c-shared-utility

Failure PEM_read_bio_X509_AUX

matsujirushi opened this issue · 4 comments

Using the ATECC608A-TNGTLS certificate in iothub_ll_client_x509_sample causes an error.

Creating IoTHub handle
Sending message 1 to IoTHub
Error: Time:Fri Aug 20 10:31:12 2021 File:/home/pi/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:31 Failure PEM_read_bio_X509_AUX
Error: Time:Fri Aug 20 10:31:13 2021 File:/home/pi/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:38   [0] error:0909006C:PEM routines:get_name:no start line

if ((x509_value = PEM_read_bio_X509_AUX(bio_cert, NULL, NULL, NULL)) == NULL)

However, I can get the certificate chain using p11tool.

pi@raspberrypi:~/azure-iot-sdk-c $ p11tool --export-chain "pkcs11:token=MCHP;object=device;type=cert"
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


pi@raspberrypi:~/azure-iot-sdk-c $ 

I don't know how to find out.
Could you give me some advice?

I wrote the x509certificate variable:

static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";


Hi @matsujirushi, thanks for the message.

Are you able to use this to help guide you using PKCS11?

Copied here is the relevant section:

// Example using PKCS#11 OpenSSL ENGINE (https://github.com/OpenSC/libp11)
// The OpenSSL ENGINE must be associated to a pkcs11 module within openssl.cnf.
static const char* opensslEngine = "pkcs11";
static const OPTION_OPENSSL_KEY_TYPE x509_key_from_engine = KEY_TYPE_ENGINE;

// Certificate can be extracted from the PKCS#11 library using pkcs11-tool from OpenSC.
static const char* x509certificate = 
"-----BEGIN CERTIFICATE-----\n"
"MIIBMTCB1wIUTu66kxJIBR5t5IkAwh7Lqm/AM+IwCgYIKoZIzj0EAwIwGzEZMBcG\n"
// [...]
"DItkq1MHqzqExB1eTrMHQVY11w62\n"
"-----END CERTIFICATE-----\n";

// The private key contains the PKCS#11 URI.
static const char* x509privatekey = "pkcs11:object=ec-privkey;type=private?pin-value=1234";

Hi @danewalton,
Thank you for your reply.

It works in my environment when x509privatekey uses pkcs11 and x509certificate is hard-coded (NOT using pkcs11).
I want to use the certificate in the ATECC608A-TNGTLS, so I made the following change. Then an error occurred.

static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";

Yes right now we only have support for loading the private key from an engine. Here is the call to make that happen:

EVP_PKEY* evp_key = ENGINE_load_private_key(engine, x509privatekey_id, NULL, NULL);

The equivalent call to ENGINE_load_public_key() is not in our code base and therefore the loading comes from

if (load_certificate_chain(ssl_ctx, x509certificate) != 0)

TLDR: we don't support that right now. I will move this to a discussion as a feature ask though.
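To make the unsupported case fail with a clear message instead of the opaque "no start line" from get_name(), a caller can classify the x509certificate string before it reaches load_certificate_chain(). The following is an added example, not SDK code; the function names, the enum and the no-percent-decoding assumption for the PKCS#11 URI parser are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: what kind of value was handed to x509certificate. */
typedef enum { CERT_SRC_PEM, CERT_SRC_PKCS11_URI, CERT_SRC_UNKNOWN } cert_source_t;

/* True if the string starts with a PEM "-----BEGIN " boundary (RFC 7468),
   skipping leading whitespace. This is the "start line" PEM_read_bio_X509_AUX
   looks for; a PKCS#11 URI does not have one, hence the SDK's error. */
bool looks_like_pem(const char *s)
{
    while (*s == ' ' || *s == '\t' || *s == '\r' || *s == '\n') s++;
    return strncmp(s, "-----BEGIN ", 11) == 0;
}

/* True if the string uses the RFC 7512 "pkcs11:" scheme. */
bool looks_like_pkcs11_uri(const char *s)
{
    return strncmp(s, "pkcs11:", 7) == 0;
}

/* Copy the value of one path attribute (e.g. "object") of a PKCS#11 URI into
   out. Path attributes are ';'-separated and stop at the '?' query part, so a
   query attribute such as pin-value is deliberately not matched here.
   Assumption: values are plain ASCII, no percent-decoding is performed. */
bool pkcs11_uri_attr(const char *uri, const char *name, char *out, size_t outlen)
{
    if (!looks_like_pkcs11_uri(uri)) return false;
    const char *p = uri + 7;
    size_t nlen = strlen(name);
    while (*p != '\0' && *p != '?') {
        const char *end = p + strcspn(p, ";?");   /* end of this attribute */
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = (size_t)(end - (p + nlen + 1));
            if (vlen >= outlen) return false;     /* refuse to truncate */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return true;
        }
        p = (*end == ';') ? end + 1 : end;
    }
    return false;
}

/* Convenience wrapper so a check can be expressed as a single boolean. */
bool pkcs11_uri_attr_is(const char *uri, const char *name, const char *expected)
{
    char buf[64];
    return pkcs11_uri_attr(uri, name, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* Classify before calling load_certificate_chain(): only CERT_SRC_PEM is
   something PEM_read_bio_X509_AUX can parse. */
cert_source_t classify_cert_source(const char *s)
{
    if (s == NULL) return CERT_SRC_UNKNOWN;
    if (looks_like_pem(s)) return CERT_SRC_PEM;
    if (looks_like_pkcs11_uri(s)) return CERT_SRC_PKCS11_URI;
    return CERT_SRC_UNKNOWN;
}
```

With the classifier in front of the SDK call, the sample above would report "certificate given as a PKCS#11 URI, but only the private key can be loaded from an engine" rather than an OpenSSL PEM error.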