No start line but the certificate is correctly formatted #4

Open
valentinpi opened this issue Jun 26, 2022 · 2 comments

@valentinpi

Greetings, I get this error:

                this.ctx.setCertAndKey(opts.cert, opts.key);
                         ^

Error: error:0909006C:PEM routines:get_name:no start line

Not just when using this library in my project, but also when testing the example.

$ openssl version
OpenSSL 1.1.1p  21 Jun 2022

The certificate I am using (self signed test certificate) can be obtained by:

openssl ecparam -name brainpoolP160r1 -noout -genkey -outform PEM -out private.pem
openssl req -x509 -nodes -key private.pem -out cert.pem -config cred.conf

Where cred.conf is just a standard certificate configuration file of the form:

distinguished_name      = req_distinguished_name
prompt                  = no

[ req_distinguished_name ]
C                       = ...
ST                      = ...
L                       = ...
O                       = ...
OU                      = ...
CN                      = ...
emailAddress            = ...

Let me know if I can provide more information, because I am not sure what would help. I know that the program launches if you comment out the following in context.cc:

	if (ERR_GET_LIB(err) != ERR_LIB_PEM || ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
		X509_free(ca);
		rc = 0;
		goto final;
	}
@jue89
Owner

jue89 commented Jul 13, 2022

Sorry for the late response. Can you provide an example key and cert? I'd like to reproduce the problem you are observing.

@valentinpi
Author

valentinpi commented Jul 13, 2022

Hi, we have switched to a different approach now, but I dug out some recent commits. Here is the certificate generation:

openssl ecparam -name brainpoolP160r1 -noout -genkey -outform PEM -out private.pem
openssl req -x509 -nodes -key private.pem -out cert.pem -config ../cred.conf

And here are the Client keys. The Client uses tinyDTLS:

openssl ecparam -name brainpoolP160r1 -genkey -outform DER -out private.der
openssl ec -inform DER -in private.der -outform PEM -out private.pem
openssl ec -inform DER -in private.der -pubout -outform DER -out public.der
openssl ec -inform PEM -in private.pem -pubout -outform PEM -out public.pem

To be honest, I now do believe that it is an OpenSSL issue, since the integrated OpenSSL client does not work either. Maybe one should put up an issue on that repository.

I have also looked into the FFI code and it seems that brainpoolP160r1 is not supported, but switching that inside of the code does not really help as we got some other issues, but I cannot remember right now.
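
The `no start line` reason in the error reported in this thread is what OpenSSL's PEM reader returns when it finds no `-----BEGIN ...-----` line in its input. As an added example that is not part of the original thread or the library's own code, the following Node.js sketch lists the PEM blocks in a value before it is passed as `opts.cert` or `opts.key`; the function names and sample inputs are constructed, and it assumes those options carry PEM text or buffers.

```javascript
'use strict';
// Added example; names and sample data are constructed, not taken from the library.
const PEM_BLOCK =
  /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+\/=\r\n]+?)\r?\n-----END \1-----/g;

// Return [{ label, derLength }] for every well-formed PEM block in `input`.
function listPemBlocks(input) {
  const text = Buffer.isBuffer(input) ? input.toString('latin1') : String(input);
  return [...text.matchAll(PEM_BLOCK)].map((m) => ({
    label: m[1],
    derLength: Buffer.from(m[2].replace(/[\r\n]/g, ''), 'base64').length,
  }));
}

// Report whether a PEM reader would find a start line of one of the expected kinds.
function diagnosePem(input, expectedLabels) {
  const raw = Buffer.isBuffer(input) ? input : Buffer.from(String(input), 'latin1');
  const labels = listPemBlocks(raw).map((b) => b.label);
  if (labels.some((l) => expectedLabels.includes(l))) {
    return { ok: true, reason: 'found ' + labels.join(', ') };
  }
  if (labels.length > 0) {
    return { ok: false, reason: 'only found ' + labels.join(', ') };
  }
  // 0x30 is the ASN.1 SEQUENCE tag that begins a DER-encoded certificate or key.
  if (raw.length > 0 && raw[0] === 0x30) {
    return { ok: false, reason: 'looks like DER, not PEM' };
  }
  return { ok: false, reason: 'no -----BEGIN line' };
}

// Constructed inputs: the base64 body is eight placeholder bytes, not real key material.
const BODY = 'AAECAwQFBgc=';
const pem = (label) => `-----BEGIN ${label}-----\n${BODY}\n-----END ${label}-----\n`;
const SAMPLE_CERT = pem('CERTIFICATE');
// Shape of `openssl ecparam -genkey` output when -noout is omitted: parameters, then key.
const SAMPLE_KEY = pem('EC PARAMETERS') + pem('EC PRIVATE KEY');
const SAMPLE_DER = Buffer.from([0x30, 0x82, 0x01, 0x0a]);

console.log(diagnosePem(SAMPLE_CERT, ['CERTIFICATE']));
console.log(diagnosePem(SAMPLE_KEY, ['EC PRIVATE KEY', 'PRIVATE KEY']));
console.log(diagnosePem(SAMPLE_CERT, ['EC PRIVATE KEY', 'PRIVATE KEY']));
console.log(diagnosePem(SAMPLE_DER, ['CERTIFICATE']));
```

A result of `ok: false` for the certificate or the key points at the input handed to the library (DER instead of PEM, swapped arguments, or a path instead of file contents) rather than at the curve or the OpenSSL build.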
