wolfssl test certificate

Other Parts Discussed in Thread: EK-TM4C129EXL

I am trying to make the https example work. I got it compiled successfully. I am currently trying to figure out certificate.h file issues. My question is: if I don't want to use a client certificate, do I still need some test certificate for the https post call to work? If yes, what test certificate.h file can I use? Do I have to generate one?

  • Hello,
    Your post does not sound like a particular tools specific issue, but something related to your application. I would suggest the forum specific for your device. What device are you using?

    Thanks
    ki
  • Hello Narinder

    Is it a TM4C129x device that you are compiling WolfSSL for?

    Regards
    Amit
  • Hi Amit,

    Yes, it is a TM4C129x device. Does this board support https post calls with wolfssl libraries?

    I read that TI board EK-TM4C129EXL supports crypto accelerator.

    Do I have to change my board?

    Regards...Narinder

  • Hello Narinder

    The Crypto accelerator is available only for the EK-TM4C129EXL board. I will move the post to the TM4C forum, where a team member can answer your question better.

    Regards
    Amit
  • Hello Narinder,

    The "certificate.h" contains the public key of the Certificate Authority used by the server to which the client is trying to connect. This file is required; without it the "TLS/SSL Handshake" process will fail. The "Readme" file of the example should have steps to generate the "certificate.h" file.

    You don't require the EK-TM4C129EXL board to run the https example with software ciphers. But if you want to use the crypto hardware ciphers, then the EK-TM4C129EXL board is required.

    Sai

  • Thanks Sai,

    I highly appreciate your reply.

    Good to hear that I don't have to change my board.

    Regarding "certificate.h", I did follow the instructions from the readme file. I first tried the suggested verisign client certificate but it did not work.

    Then I tried the Godaddy client certificate because our server has a certificate from them. That also did not work.

    The app is loading the certificate but it times out trying to connect. The code is attached with masked data.

    Thanks and Regards...Narinder

    #define IP "11.11.11.11"
    //#define IP "abc.xyz.com"
    #define PORT 443
    //#define PORT 10000

    //#define HOSTNAME "11.11.11.11"
    #define HOSTNAME "abc.xyz.com"
    #define REQUEST_URI "/abc/xyz/api/v1/station/data"
    #define USER_AGENT "qlz"
    #define ACCEPT "application/json"
    #define CONTENT_TYPE "application/json"
    #define CONTENT_LENGTH "278"
    #define AUTHORIZATION "Basic ZXRyb21vabcxyzV9rZXlfMQ=="

    #define HTTPTASKSTACKSIZE 32768

    /* USER STEP: update to current time (in secs) since epoch (i.e. Jan 1, 1970) */
    #define CURRENTTIME 1435170905

    /*
     * ======== printError ========
     */
    void printError(char *errString, int code)
    {
        System_printf("Error! code = %d, desc = %s\n", code, errString);
        BIOS_exit(code);
    }

    /*
     * ======== httpsTask ========
     * Makes an HTTPS GET request
     */
    Void httpsTask(UArg arg0, UArg arg1)
    {
        bool moreFlag = false;
        char data[128]; /* buffers response data */
        int ret;
        struct sockaddr_in addr;
        char petromo_req_1[] = "{\"id\":\"11111111\",\"timestamp\":\"00083A42\",\"payload\":\"0008133200D4000101313031303931323137313830313031313131303030343235303030343435333030383037303035343333303030393F363F390301313032303931323137313830313032323131303030353030383030353533363030383130303034333530303030394636464103\"}";

        WOLFSSL_CTX *ctx;
        HTTPCli_Struct cli;
        HTTPCli_Field fields[7] = {
            { HTTPStd_FIELD_NAME_HOST, HOSTNAME },
            { HTTPStd_FIELD_NAME_USER_AGENT, USER_AGENT },
            { HTTPStd_FIELD_NAME_ACCEPT, ACCEPT },
            { HTTPStd_FIELD_NAME_CONTENT_TYPE, CONTENT_TYPE },
            { HTTPStd_FIELD_NAME_CONTENT_LENGTH, CONTENT_LENGTH },
            { HTTPStd_FIELD_NAME_AUTHORIZATION, AUTHORIZATION },
            { NULL, NULL }
        };

        //System_printf("\nGetting stock information for ticker: %s\n", TICKER);
        System_printf("\nPetromo HTTPS POST Request");
        System_flush();

        /* WolfSSL library needs time() for validating certificates. */
        Seconds_set(CURRENTTIME);

        wolfSSL_Init();

        ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
        if (ctx == NULL) {
            printError("httpsTask: cannot create wolfssl context", -1);
        } else {
            System_printf("\nhttpsTask: successfully created wolfssl context");
            System_flush();
        }

        if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert, sizeof_ca_cert,
                SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
            printError("httpsTask: error loading ca certificate", -1);
        } else {
            System_printf("\nhttpsTask: successfully loaded ca certificate");
            System_flush();
        }
        SSWolfssl_setContext(ctx);

        addr.sin_family = AF_INET;
        addr.sin_port = htons(PORT);
        inet_pton(AF_INET, IP, &addr.sin_addr);

        /* USER STEP: Comment the line if not using proxy */
        HTTPCli_setProxy((struct sockaddr *)&addr);

        HTTPCli_construct(&cli);

        HTTPCli_setRequestFields(&cli, fields);

        //System_printf("\naccept=%s", fields[2].value);
        //System_flush();
        ret = HTTPCli_connect(&cli, (struct sockaddr *)&addr, HTTPCli_TYPE_TLS, NULL);
        if (ret < 0) {
            printError("httpsTask: connect failed", ret);
        } else {
            System_printf("\nhttpsTask: connect successful");
            System_flush();
        }

  • Hello Narinder,

    The first step is to identify the Certificate Authority (CA) and the root certificate that is being used by the server. Then go to the website of the CA to download the root certificate (in .pem format). Ensure that you are downloading the correct root certificate, as a CA's website can have multiple root certificates. Then follow the remaining steps in the "Readme" file to generate the "certificate.h" file.

    In the case of the "httpsget" example, the client communicates with "yahoo.com", which uses the root certificate from "VeriSign". Hence the readme talks about using the root certificate from "Verisign".

    Before testing your own application, I would recommend that you first test the "httpsget" example that comes with TI-RTOS. Once this example works you can modify it to test a different server.

    Thanks,

    Sai
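
An added example (not from the thread or the TI-RTOS readme): a host-side Python script for the conversion described above, turning a downloaded PEM root certificate into the DER byte array that `wolfSSL_CTX_load_verify_buffer(..., SSL_FILETYPE_ASN1)` expects, and rejecting truncated or non-certificate input before it reaches the firmware. The names `ca_cert` and `sizeof_ca_cert` come from the code posted earlier; the array types, the function names and the sample bytes are assumptions, and the sample is a constructed placeholder rather than a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def check_der_envelope(der):
    """A certificate is one DER SEQUENCE whose length field covers the blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: length in one byte
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch (truncated or padded input)")

def pem_to_der_list(pem_text):
    """Return DER bytes for every CERTIFICATE block; bundles hold several."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        check_der_envelope(der)
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def der_to_header(der):
    """Emit C source; array types are an assumption, names are from the post."""
    rows = [", ".join("0x%02x" % b for b in der[i:i + 12])
            for i in range(0, len(der), 12)]
    return ("const unsigned char ca_cert[] = {\n    "
            + ",\n    ".join(rows)
            + "\n};\nconst int sizeof_ca_cert = sizeof(ca_cert);\n")

# Constructed placeholder, NOT a real certificate: a DER SEQUENCE of 256 zeros.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(der_to_header(pem_to_der_list(SAMPLE_PEM)[0]))
```

A file downloaded from a CA may hold more than one block, so pick the entry of `pem_to_der_list` that is the root of the server's chain before writing it to certificate.h.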

  • Hi Sai,

    I tried the original httpsget that communicates with "yahoo.com", but same results.

    I created the verisign certificate as instructed in the readme file.

    I get "connect failed" with error code -102.

    Obviously I am doing something wrong, need your help.

    Thanks and Regards...Narinder

  • Did you go through the code and make the necessary changes that are marked with the comment "USER STEP"?

    Did you change the labels "IP" and "Port" to point to the right information?
    Are you running the application from within a proxy environment? If not, then did you comment out the necessary lines in the code?

    Sai

  • Thanks Sai for the tips.

    It is not failing on connect now but I am still getting the following error:
    Error! code = -103, desc = httpsTask: send failed

    I did the following:

    1. Commented the proxy because I am not using any proxy.
    2. Got the IP address for "download.finance.yahoo.com" which is 206.190.61.107
    3. I kept the port as 443 because it is ssl.
    4. Set the time to current time
  • Hello Sai,

    Thanks for all the help, but I will need some more.

    I finally got my HTTPS POST working - almost. The error code -103 was related to invalid certificates. I had to download Godaddy's root certificate for it to work.

    The request is going fine to the server and is being processed correctly, I can see it in the logs, and I get good HTTP 200 status code back.

    However, there is nothing to read in the output stream. The HTTPCli_readResponseBody is returning 0 (zero).

    The corresponding HTTP POST request is working perfectly fine. I am getting the correct output in this case.

    Could this be something to do with certificate rights etc.?

    Please help.

    Thanks and regards...Narinder

  • Hello Narinder,

    I am moving this thread to TI-RTOS forum, as they are more qualified to answer these questions. Hopefully someone has already solved this issue.

    Thanks,
    Sai
  • Narinder,

    What version of TI-RTOS are you using?

    Please see this thread that discusses some certificate issues, and recent increases in wolfSSL stack requirements: e2e.ti.com/.../473219

    Does this help?

    Regards,
    Scott