Trouble creating a create a certificate signing request on nrf5340 for BLE Mesh Certificate based provisioning.

Hi,

the PSA Crypto example

Which sample specifically?

Also, which SDK version are you using?

Regards,
Sigurd Hellesvik

https://docs.zephyrproject.org/latest/samples/tfm_integration/psa_crypto/README.html
Link to the sample I am following 
and the SDK is 2.6,

Also, can identity key be used for asymmetric encryption?

Crypto configuration can differ a bit between the Zephyr RTOS and the nRF Connect SDK.
Can I suggest that you compare your settings to nRF Connect SDK Cryptography samples?

Also see our HTTPS sample configurations for the nRF7002DK. This is enabling crypto needed for Wi-Fi TLS, which will likely be similar to what you need.

I actually don't need TLS, I need a way to create a certificate signing request, and the only example I found that demonstrates what I want is the one I have mentioned above and it is not building

Maybe this guide can help?

https://os.mbed.com/docs/mbed-os/v6.16/porting/using-psa-enabled-mbed-tls.html#using-opaque-ecdsa-keys-to-generate-certificate-signing-requests-csrs

While searching for solutions for my problem, I came across another ticket raised on nordic dev zone for the exact problem I am facing,

https://devzone.nordicsemi.com/f/nordic-q-a/106325/mbedtls---using-keys-handled-by-psa-crypto 

but it is based on nrf Connect SDK 2.3.0 while I am working on v2.6.1.

1.The difference between the problems currently is that MBEDTLS_USE_PSA_CRYPTO was not defined in pk.h in the other case while it is defined in my case but when I build it still shows undefined function for mbedtls_pk_setup_opaque();.My guess is MBEDTLS_USE_PSA_CRYPTO is getting disabled somehow.

2.The folder nrf_security is missing in the v2.6.1 for me to make the relevant changes to define MBEDTLS_USE_PSA_CRYPTO in nrf-config.h please help me in finding the appropriate location to define the same.

3. I am attaching my files./cfs-file/__key/communityserver-discussions-components-files/4/csr-_2D00_-Copy.zip

4. There are some minor bugs that need to be fixed, sorry for the inconvenience

While searching for solutions for my problem, I came across another ticket raised on nordic dev zone for the exact problem I am facing,

https://devzone.nordicsemi.com/f/nordic-q-a/106325/mbedtls---using-keys-handled-by-psa-crypto 

but it is based on nrf Connect SDK 2.3.0 while I am working on v2.6.1.

1.The difference between the problems currently is that MBEDTLS_USE_PSA_CRYPTO was not defined in pk.h in the other case while it is defined in my case but when I build it still shows undefined function for mbedtls_pk_setup_opaque();.My guess is MBEDTLS_USE_PSA_CRYPTO is getting disabled somehow.

2.The folder nrf_security is missing in the v2.6.1 for me to make the relevant changes to define MBEDTLS_USE_PSA_CRYPTO in nrf-config.h please help me in finding the appropriate location to define the same.

3. I am attaching my files./cfs-file/__key/communityserver-discussions-components-files/4/csr-_2D00_-Copy.zip

4. There are some minor bugs that need to be fixed, sorry for the inconvenience

After looking further I have noticed that when build files are generated the nrf-config.h file does not have MBEDTLS_USE_PSA_CRYPTO defined. I have tried creating a custom header file for mbedtls but I keep getting the error that no file or directory found. I would request you to ignore the previous comment. I have defined the MBEDTLS_USE_PSA_CRYPTO in the custom header that I have created and i need help to add it to the include path. PFA the zip file

certificatesigningrequest.zip


I have been able to define MBEDTLS_USE_PSA_CRYPTO by editing legacy_crypto_config.h.template file in the directory but my question still exists on how to add custom header files to include path

Hi there,

Sigurd is currently out-of-office, but will return next week. 
He will continue supporting you when he's back,

regards

Jared

Hi Utkarsh,

Sigurd Hellesvik said:

os.mbed.com/.../using-psa-enabled-mbed-tls.html

Did you see this guide?
How did it go?

I am asking cause I just want to get the whole picture

Yes I followed this guide to write my code for generating CSR but it resulted in the following error: Implicit declaration of function : mbedtls_pk_setup_opaque. I further looked into it and found out that even after enabling CONFIG_MBEDTLS_USE_PSA_CRYPTO it was not defined in the nrf-config.h header file, so I defined it there. This led to the code building successfully but after flashing the code onto the board, the psa_generate_key() started failing with the error -134 which stands for PSA_ERROR_NOT_SUPPORTED.

I further looked into why was this happening, and I found out that this happens whenever CONFIG_MBEDTLS_LEGACY_CRYPTO_C is enabled. But without enabling this my code doesn't build. 

My problem is very similar to this and I know that there is a solution as that question was solved. Please help me in this regard

How about this?

I will try to make a CSR sample myself.
Then you can use that as a reference to check your project.
It will take some time, but I got direct access to our crypto devs so I should be able to get all potential issues I have with this figured out pretty fast.
Im guessing I will be done with such a sample next week.

How does that sound to you?