MBEDTLS time/date support with nRF Security

Is MBEDTLS date/time not supported in nRF Security?

warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_HAVE_TIME_DATE and/or look up
MBEDTLS_HAVE_TIME_DATE in the menuconfig/guiconfig interface. The Application Development Primer,
Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
helpful too.

We would like to have a certificate validity check, but are unable to enable it.

  • Hi,

    Can you provide information about your application?

    Can you provide complete build log and your project configuration?

    Best regards,
    Dejan

  • This is a generic issue with nRF SDK, not tied to an application. 

    I am using v2.7.0 SDK.

    For example, you can try building the "aws_iot_mqtt" example on nRF7002DK. See the build log for the same below.

    Building aws_iot_mqtt
    west build --build-dir /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build /home/vscode/workspaces/base-station-application/aws_iot_mqtt --pristine --board nrf7002dk/nrf5340/cpuapp/ns -- -DNCS_TOOLCHAIN_VERSION=NONE -DBOARD_ROOT=/home/vscode/workspaces/base-station-application
    
    -- west build: generating a build system
    Loading Zephyr default modules (Zephyr base).
    -- Application: /home/vscode/workspaces/base-station-application/aws_iot_mqtt
    -- CMake version: 3.30.2
    -- Found Python3: /usr/bin/python3 (found suitable version "3.10.12", minimum required is "3.8") found components: Interpreter
    -- Cache files will be written to: /home/vscode/workspaces/.cache/zephyr
    -- Zephyr version: 3.6.99 (/home/vscode/workspaces/external_dependencies/zephyr)
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf7002dk, qualifiers: nrf5340/cpuapp/ns
    -- Found host-tools: zephyr 0.16.5 (/home/vscode/workspaces/external_dependencies/zephyr-sdk)
    -- Found toolchain: zephyr 0.16.5 (/home/vscode/workspaces/external_dependencies/zephyr-sdk)
    -- Found Dtc: /usr/bin/dtc (found suitable version "1.6.1", minimum required is "1.4.6")
    -- Found BOARD.dts: /home/vscode/workspaces/external_dependencies/nrf/boards/nordic/nrf7002dk/nrf7002dk_nrf5340_cpuapp_ns.dts
    -- Generated zephyr.dts: /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build/zephyr/zephyr.dts
    -- Generated devicetree_generated.h: /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build/zephyr/include/generated/devicetree_generated.h
    -- Including generated dts.cmake file: /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build/zephyr/dts.cmake
    
    warning: MBEDTLS_MEMORY_DEBUG (defined at
    /home/vscode/workspaces/external_dependencies/nrf/subsys/nrf_security/Kconfig.tls:167,
    modules/mbedtls/Kconfig:166, modules/mbedtls/Kconfig:166) was assigned the value 'y' but got the
    value 'n'. Check these unsatisfied dependencies: ((MBEDTLS_TLS_LIBRARY && NRF_SECURITY) ||
    (MBEDTLS_BUILTIN && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS && 0)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_MEMORY_DEBUG and/or look up
    MBEDTLS_MEMORY_DEBUG in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: MBEDTLS_AES_ROM_TABLES (defined at
    /home/vscode/workspaces/external_dependencies/nrf/subsys/nrf_security/Kconfig.legacy:417,
    modules/mbedtls/Kconfig.tls-generic:261, modules/mbedtls/Kconfig.tls-generic:261) was assigned the
    value 'y' but got the value 'n'. Check these unsatisfied dependencies: ((!(OBERON_BACKEND ||
    CC3XX_BACKEND) && MBEDTLS_CIPHER_MODE_CBC && MBEDTLS_AES_C && MBEDTLS_LEGACY_CRYPTO_C &&
    NRF_SECURITY) || (MBEDTLS_CIPHER_AES_ENABLED && !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) &&
    MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS) ||
    (MBEDTLS_CIPHER_AES_ENABLED && !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) && MBEDTLS_BUILTIN &&
    MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_AES_ROM_TABLES and/or look up
    MBEDTLS_AES_ROM_TABLES in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: MBEDTLS_SSL_ALPN (defined at modules/mbedtls/Kconfig.tls-generic:44,
    modules/mbedtls/Kconfig.tls-generic:44) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: (((MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 ||
    MBEDTLS_TLS_VERSION_1_2) && MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS)
    || ((MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2) &&
    MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_SSL_ALPN and/or look up
    MBEDTLS_SSL_ALPN in the menuconfig/guiconfig interface. The Application Development Primer, Setting
    Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be helpful
    too.
    
    
    warning: MBEDTLS_PEM_CERTIFICATE_FORMAT (defined at modules/mbedtls/Kconfig.tls-generic:401,
    modules/mbedtls/Kconfig.tls-generic:401) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT and/or
    look up MBEDTLS_PEM_CERTIFICATE_FORMAT in the menuconfig/guiconfig interface. The Application
    Development Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of
    the manual might be helpful too.
    
    
    warning: MBEDTLS_SERVER_NAME_INDICATION (defined at modules/mbedtls/Kconfig.tls-generic:446,
    modules/mbedtls/Kconfig.tls-generic:446) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_SERVER_NAME_INDICATION and/or
    look up MBEDTLS_SERVER_NAME_INDICATION in the menuconfig/guiconfig interface. The Application
    Development Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of
    the manual might be helpful too.
    
    
    warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
    modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_HAVE_TIME_DATE and/or look up
    MBEDTLS_HAVE_TIME_DATE in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: MBEDTLS_SSL_MAX_CONTENT_LEN (defined at modules/mbedtls/Kconfig:73,
    modules/mbedtls/Kconfig:73) was assigned the value '16384' but got the value ''. Check these
    unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN and/or look
    up MBEDTLS_SSL_MAX_CONTENT_LEN in the menuconfig/guiconfig interface. The Application Development
    Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
    might be helpful too.
    
    
    warning: The choice symbol MBEDTLS_BUILTIN (defined at modules/mbedtls/Kconfig:30,
    modules/mbedtls/Kconfig:30) was selected (set =y), but MBEDTLS_LIBRARY_NRF_SECURITY (defined at
    /home/vscode/workspaces/external_dependencies/nrf/subsys/nrf_security/Kconfig:293) ended up as the
    choice selection. See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_BUILTIN
    and/or look up MBEDTLS_BUILTIN in the menuconfig/guiconfig interface. The Application Development
    Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
    might be helpful too.

    In the warning we can clearly see that MBEDTLS_HAVE_TIME_DATE is not being used.
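
The build above completes even though the certificate date check was dropped, so the warning is easy to miss. As an added example (not part of the original thread or of the nRF Connect SDK), this script parses Kconfig "was assigned ... but got" warnings from a build log and reports watched symbols that ended up disabled; the `WATCHLIST` contents and function names are assumptions.

```python
import re
import sys

# Constructed sample: two warnings abridged from the build log in this thread.
SAMPLE_LOG = """\
    warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
    modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).

    warning: MBEDTLS_SSL_MAX_CONTENT_LEN (defined at modules/mbedtls/Kconfig:73,
    modules/mbedtls/Kconfig:73) was assigned the value '16384' but got the value ''. Check these
    unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS && 0)) (=n).
"""

# Assumption: symbols whose silent loss weakens TLS peer verification.
WATCHLIST = frozenset({"MBEDTLS_HAVE_TIME_DATE"})

# Matches one warning after the log's line wrapping has been collapsed.
WARNING_RE = re.compile(
    r"warning: (?P<symbol>\w+) \(defined at [^)]*\) was assigned the value "
    r"'(?P<wanted>[^']*)' but got the value '(?P<got>[^']*)'\. "
    r"Check these unsatisfied dependencies: (?P<deps>.*?) \(=n\)\."
)


def dropped_symbols(log_text):
    """Return every symbol whose requested value was overridden by Kconfig."""
    flat = " ".join(log_text.split())  # undo wrapping and indentation
    return [m.groupdict() for m in WARNING_RE.finditer(flat)]


def security_regressions(log_text, watchlist=WATCHLIST):
    """Return watched symbols that were requested as 'y' but resolved to 'n'."""
    return [w for w in dropped_symbols(log_text)
            if w["symbol"] in watchlist and w["wanted"] == "y" and w["got"] == "n"]


if __name__ == "__main__":
    # Usage: python check_kconfig.py build.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = security_regressions(text)
    for hit in hits:
        print(f"{hit['symbol']} disabled; unsatisfied: {hit['deps']}")
    sys.exit(1 if hits else 0)
```
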

  • Hi,

    PSA Crypto does not support TIME_DATE. For now, legacy option must be used.

    Best regards,
    Dejan

  • Does it mean that it is not possible to check the expiry of certificates?
