MBEDTLS time/date support with nRF Security

Is MBEDTLS date/time not supported in nRF Security?

warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_HAVE_TIME_DATE and/or look up
MBEDTLS_HAVE_TIME_DATE in the menuconfig/guiconfig interface. The Application Development Primer,
Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
helpful too.

We would like to have a certificate validity check, but we are unable to enable it.

  • Hi,

    No, not yet, but I have reached out to our developers. I am aware that looking into this is taking longer than initially expected. I am sorry for any inconvenience this might cause. Although it is difficult to give any estimate on resolution at this point, I expect to get back to you again in several weeks (possibly earlier if there is any update on this). Thank you for your patience.

    Best regards,
    Dejan

  • Hi,

    We have looked further into checking the certificate expiration date. Please have a look at this PR, which enables usage of TLS DATE_TIME in the config system. It should work for both legacy APIs and PSA APIs.

    To enable DATE/TIME checking, try to enable these Kconfig options:

    CONFIG_DATE_TIME=y
    CONFIG_MBEDTLS_HAVE_TIME_DATE=y

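    and set the date/time in the code:

    #include <time.h>
    #include "date_time.h"

    ...

    // Setting year to 2035, which is past certificate expiration date -> SSL alert number 45
    struct tm new_date_time = {
        .tm_mday = 1,    // day of the month, 1-31
        .tm_mon = 0,     // months since January, 0-11
        .tm_year = 135,  // years since 1900 -> 2035
    };
    (void) date_time_set(&new_date_time);

    ...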

    The changes were tested using the crypto psa_tls sample in sdk-nrf. struct tm can be found in this reference.

    Best regards,
    Dejan
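
An added example, not code from this thread, mbedTLS or the nRF Connect SDK: a stand-alone C model of a certificate validity-window check against the device clock, showing where the 2035 test date from the reply above falls. Every type and function name here is hypothetical, and the 2020 to 2030 validity window is constructed.

```c
#include <time.h>

/* Hypothetical names for this example; not mbedTLS or nRF Connect SDK APIs. */
enum validity { CERT_TIME_OK, CERT_NOT_YET_VALID, CERT_EXPIRED };

/* Calendar timestamp as carried in a certificate's notBefore/notAfter (UTC). */
struct cert_time { int year, mon, day, hour, min, sec; };

/* struct tm counts years from 1900 and months from 0; normalise both. */
static struct cert_time from_tm(const struct tm *t)
{
    struct cert_time c = { t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
                           t->tm_hour, t->tm_min, t->tm_sec };
    return c;
}

/* Most significant field first: <0 if a is earlier, 0 if equal, >0 if later. */
static int cert_time_cmp(const struct cert_time *a, const struct cert_time *b)
{
    const int fa[] = { a->year, a->mon, a->day, a->hour, a->min, a->sec };
    const int fb[] = { b->year, b->mon, b->day, b->hour, b->min, b->sec };
    for (int i = 0; i < 6; i++) {
        if (fa[i] != fb[i]) return fa[i] < fb[i] ? -1 : 1;
    }
    return 0;
}

/* Classify the device clock against the certificate's validity window. */
enum validity check_validity(const struct tm *now,
                             const struct cert_time *not_before,
                             const struct cert_time *not_after)
{
    struct cert_time n = from_tm(now);
    if (cert_time_cmp(&n, not_before) < 0) return CERT_NOT_YET_VALID;
    if (cert_time_cmp(&n, not_after) > 0) return CERT_EXPIRED;
    return CERT_TIME_OK;
}

/* Constructed sample: window 2020-01-01 .. 2030-01-01 (assumed values),
 * device clock at 1 January of year (tm_year + 1900), 00:00:00. */
enum validity demo(int tm_year)
{
    const struct cert_time nb = { 2020, 1, 1, 0, 0, 0 };
    const struct cert_time na = { 2030, 1, 1, 0, 0, 0 };
    struct tm now = { .tm_mday = 1, .tm_mon = 0, .tm_year = tm_year };
    return check_validity(&now, &nb, &na);
}
```

demo(135) is the 2035 date used in the reply and returns CERT_EXPIRED; demo(70), a clock reading 1970, returns CERT_NOT_YET_VALID, so a device whose clock is wrong in either direction rejects an otherwise good certificate.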
