Share via

[Azure RTOS Thread X version 6.1.9] _nx_secure_x509_pkcs1_rsa_private_key_parse returns NX_SECURE_PKCS1_INVALID_PRIVATE_KEY error

Grant Hatamosa 5 Reputation points
2024-08-29T03:11:35.2866667+00:00

I am using an STM32H735 board with Azure RTOS (ThreadX version 6.1.9). I am trying to connect the board to an Azure IoT Hub Device configured with x.509 self-signed authentication type.

I have created the X.509 self-signed certificate using openssl and listed the commands below:

** generate a 2048-bit RSA private key **

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

** create a Certificate Signing Request (CSR) **

openssl req -new -key private_key.pem -out request.csr

** generate the X.509 Certificate valid for 100 years **

openssl x509 -req -in request.csr -signkey private_key.pem -out certificate.pem -days 36500

** verify the Certificate **

openssl x509 -in certificate.pem -text -noout

** make sure the private key is in pkcs-1 format **

openssl rsa -in private_key.pem -traditional -out private_key_pkcs1.pem

** convert private key and certificate to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

openssl rsa -outform der -in private_key_pkcs1.pem -out private_key_pkcs1.der

** verify the DER certificate **

openssl x509 -in certificate.der -inform der -text -noout

openssl rsa -in private_key_pkcs1.der -inform der -text -noout

I then converted the file into a byte array so it can be loaded integrated into the firmware.

I observe that when _nxd_mqtt_client_secure_connect (nxd_mqtt_client.c) calls _nx_secure_x509_certificate_initialize (nx_secure_x509_certificate_initiatlize.c), a function within it (_nx_secure_x509_pkcs1_rsa_private_key_parse, nx_secure_x509_pkcs1_rsa_private_key_parse.c) returns NX_SECURE_PKCS1_INVALID_PRIVATE_KEY.

The specific location on the source code that returns this error is shown below:
if (tlv_type != NX_SECURE_ASN_TAG_INTEGER || tlv_type_class != NX_SECURE_ASN_TAG_CLASS_UNIVERSAL)

{

    return(NX_SECURE_PKCS1_INVALID_PRIVATE_KEY);

}

The reason for this is that the tlv_type is 16 while the code is expecting a value of 2 (NX_SECURE_ASN_TAG_INTEGER ).

Is there a step I am missing in my private key generation process that can make sure that thetlv_type will be 2 instead of 16?

Azure RTOS
Azure RTOS
An Azure embedded development suite including a small but powerful operating system for resource-constrained devices.
333 questions
Azure IoT Hub
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,203 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Grant Hatamosa 5 Reputation points
    2024-08-29T07:13:06.7133333+00:00

    I have resolved the problem.

    This step is not required:
    ** make sure the private key is in pkcs-1 format **

    openssl rsa -in private_key.pem -traditional -out private_key_pkcs1.pem

    What is actually required is to add -traditional when converting the .pem to .der:
    openssl rsa -outform der -in private_key_pkcs1.pem -traditional -out private_key_pkcs1.der

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.