PSA TLS sample: RSA Certificates not supported?

The description of the Crypto PSA TLS sample mentions that RSA certificates are not supported when building a _ns firmware (CMSE enabled):

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.5.0/nrf/samples/crypto/psa_tls/README.html#certificates-when-running-with-cmse

Now I wonder why I am able to establish a TLS connection with a server using this certificate: https://www.amazontrust.com/repository/AmazonRootCA1.pem, which seems to be using RSA:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon Root CA 1
Validity
Not Before: May 26 00:00:00 2015 GMT
Not After : Jan 17 00:00:00 2038 GMT
Subject: C = US, O = Amazon, CN = Amazon Root CA 1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08
Signature Algorithm: sha256WithRSAEncryption
Signature Value:

Am I getting something wrong here?

Parents
  • Hello,

    This sample supports ECDSA by default. If CONFI_PSA_TLS_CERTIFICATE_TYPE_RSA is set to y then it can use RSA certificate also. Did you try with network stack or stack in the modem?

    because the PSA TLS only applies to native networking stack. If the modem TPC/IP stack is used instead, that has its own mbedTLS implementation, so it is not affected by PSA TLS limitations in the application processor.

    You can try with https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/net/aws_iot/README.html sample instead?

  • Hello,

     thank your for your reply. I have been using the modem stack, but currently I have to figure out how to get bigger chunks of data over an TLS connection (bigger than the 2 kB limit of the modem).

    In the example you will find this note, which sounds very general:

    "Note

    Currently, applications with CMSE enabled only support ECDSA certificates. This is automatically enforced in the configuration files for build targets with CMSE enabled (*_ns)."

    If setting CONFIG_PSA_TLS_CERTIFICATE_TYPE_RSA=y allows to use RSA certificates it might be good to modify the note slightly, in order to avoid confusion.

    Best regards

    Stefan

Reply
  • Hello,

     thank your for your reply. I have been using the modem stack, but currently I have to figure out how to get bigger chunks of data over an TLS connection (bigger than the 2 kB limit of the modem).

    In the example you will find this note, which sounds very general:

    "Note

    Currently, applications with CMSE enabled only support ECDSA certificates. This is automatically enforced in the configuration files for build targets with CMSE enabled (*_ns)."

    If setting CONFIG_PSA_TLS_CERTIFICATE_TYPE_RSA=y allows to use RSA certificates it might be good to modify the note slightly, in order to avoid confusion.

    Best regards

    Stefan

Children
  • Hello Stefan,

    Have you solved your previous issue? 

    ''I have been using the modem stack, but currently I have to figure out how to get bigger chunks of data over an TLS connection (bigger than the 2 kB limit of the modem).'' Is this the current query?

  • Hi Kazi,

     I am able to use sockets with native MBEDTLS and the offloaded modem sockets, build as _ns target (so with CMSE, as far as I understandt). Both with RSA certificates. So I have a working solution.

    Still the note in the documentation is either wrong or misleading. In both cases I would suggest to correct it.

    Thanks

    Stefan