modem_key_mgmt: Key access refused

I'm using some code from the nrf/samples/net/https_client sample to provision certificates in the nRF9160 modem. The (slightly modified) code looks like so:

int err;
bool exists;
int mismatch;

err = modem_key_mgmt_exists(tag, cred_type_modem, &exists);
if (err) {
	LOG_ERR("Failed to check for modem credential, err %d\n", err);
	return err;
}

if (exists) {
	mismatch = modem_key_mgmt_cmp(tag, cred_type_modem, pem,
				      strlen(pem));
	if (!mismatch) {
		LOG_INF("Modem credential match\n");
		return 0;
	}

	LOG_INF("Modem credential mismatch\n");
	err = modem_key_mgmt_delete(tag, cred_type_modem);
	if (err) {
		LOG_ERR("Failed to delete existing modem credential, err %d\n", err);
	}
}

/* Provision certificate to the modem. strlen(pem) already excludes the NUL terminator. */
err = modem_key_mgmt_write(tag, cred_type_modem, pem,
			   strlen(pem));
if (err) {
	LOG_ERR("Failed to provision modem credential, err %d\n", err);
	return err;
}
LOG_INF("Successfully provisioned modem credential");

The modem_key_mgmt_cmp function is throwing a warning though:

<wrn> modem_key_mgmt: Key access refused

I've searched for this error and cannot find any other posts about it. Am I missing a config option of some sort, or otherwise doing something wrong here?

As a separate, unrelated question about the same code: is there any reason why it's using strlen(cert) for the modem_key_mgmt_cmp function (here), but sizeof(cert) - 1 for the modem_key_mgmt_write function (here)? These should return the same length, no?

  • It means you cannot read that credential. Some credentials cannot be read, they are protected.
    You can find the documentation in the manual for AT commands: nRF9160 AT Commands

    No, strlen(var) and sizeof(var) are different. One is the string length, the other is the size of the string in bytes.
    C strings have a NULL-terminator that is not accounted for in strlen, but it is accounted for by sizeof.

  • Thanks emdi. Could you point me to where in this document it states which credential types are protected and which are not? I cannot seem to find that.

    I'm aware that strlen and sizeof are different, but in the sample code I linked, it's using `strlen()` and `sizeof() - 1` (subtracting the NUL byte), which should be equivalent. Just curious why they mixed and matched the two.

  • It's in chapter: 12.8 Credential storage management %CMNG

    It says that `type` (the type of credential) may be 0 to 13 (from mfw 1.3.0 onwards).

    Further down in the Note it says:
    • Reading types 1, 2, and 3 are not supported.
    • Writing and deleting types 8, 10, and 11 are not supported.
    • Overwriting and deleting type 9 is not supported.

    `strlen` is evaluated at runtime, meaning that the processor scrolls through all the bytes in the string until it finds `\0` during program execution. sizeof instead is evaluated at compile time.
    When the string is known at compile time it is best to just put its length there rather than compute it at run time.
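
The %CMNG restrictions quoted above explain the warning: a compare has to read the stored credential, and the modem refuses reads of types 1, 2 and 3. As an added example (not part of the original thread or of Nordic's sample), the sketch below applies those rules to a constructed in-memory stand-in for the modem, so no refused read is ever issued; `provision`, `store`, the outcome names and the sample strings are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum outcome { REJECTED, KEPT, WRITTEN, UNCHANGED, REPLACED };

/* Restrictions from the %CMNG note quoted above (valid types are 0..13). */
static bool readable(int t)    { return t < 1 || t > 3; }
static bool writable(int t)    { return t != 8 && t != 10 && t != 11; }
static bool replaceable(int t) { return writable(t) && t != 9; }

/* Constructed in-memory stand-in for the modem's credential slots. */
struct slot { bool used; char data[64]; };
static struct slot store[14];
static int refused_reads; /* reads the modem would have refused */

static int slot_cmp(int t, const char *buf, size_t len)
{
	if (!readable(t)) { refused_reads++; return -1; } /* "Key access refused" */
	return strlen(store[t].data) != len || memcmp(store[t].data, buf, len) != 0;
}

static void slot_write(int t, const char *buf, size_t len)
{
	memcpy(store[t].data, buf, len);
	store[t].data[len] = '\0';
	store[t].used = true;
}

/* Provision one credential without issuing a read the modem will refuse. */
enum outcome provision(int t, const char *pem)
{
	size_t len = strlen(pem); /* pem is a pointer here, so sizeof would be wrong */
	if (t < 0 || t > 13 || !writable(t) || len >= sizeof(store[t].data))
		return REJECTED;
	if (!store[t].used) { slot_write(t, pem, len); return WRITTEN; }
	if (!replaceable(t))
		return KEPT;
	if (readable(t) && slot_cmp(t, pem, len) == 0)
		return UNCHANGED;
	slot_write(t, pem, len); /* mismatch, or unreadable so replaced blindly */
	return REPLACED;
}

int main(void)
{
	printf("outcome=%d\n", provision(2, "constructed-key"));
	return 0;
}
```

For an unreadable type the only choices are to rewrite on every run or to keep whatever is stored; this sketch rewrites.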

  • > As a separate, unrelated question

    I guess the confusion is that both variants are used in the same main.c. Maybe Nordic will consider cleaning up the examples and using only one variant, if possible.

    > sizeof instead is evaluated at compile time.

    The calculation benefit of "sizeof - 1" may quickly evaporate if people don't realize that it only works if the variable is the definition of the array itself. It doesn't work on pointers passed into functions. So, in my experience, for such rarely executed code, use "strlen" and stay on the safe side ;-).
