TLS Credential: cannot make Amazon root CA 2 and 4 to work

Hello,

We are working on an NRF5340/NRF7002 based project with NCS 2.7.0 SDK.
We have been able to get Amazon Root CA 1 and 3 working with the following .conf:

# Wifi is nrf7002 based
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
CONFIG_NRF700X_P2P_MODE=n
CONFIG_NRF700X_MAX_TX_PENDING_QLEN=12
CONFIG_NRF_WIFI_IF_AUTO_START=n
CONFIG_NRF_WIFI_LOW_POWER=y
CONFIG_NRF_WIFI_RPU_RECOVERY=y

# WPA supplicant
CONFIG_WPA_SUPP=y
CONFIG_WPA_SUPP_CRYPTO_WEP=n
CONFIG_WPA_SUPP_NO_DEBUG=y

# Networking
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONFIG_SETTINGS=n
# CONFIG_NET_CONFIG_INIT_TIMEOUT=0
# CONFIG_NET_CONFIG_AUTO_INIT=n

CONFIG_NET_NATIVE=y
CONFIG_DNS_RESOLVER=y

# Need 16 FDs for WiFi
CONFIG_POSIX_MAX_FDS=16

# Net Management
CONFIG_NET_L2_ETHERNET=y # This is mandatory even for WIFI 
CONFIG_NET_L2_WIFI_MGMT=y
CONFIG_NET_MAX_CONTEXTS=4
CONFIG_NET_SOCKETS_OFFLOAD=n

# HTTP
CONFIG_HTTP_CLIENT=y
CONFIG_NET_TCP_KEEPALIVE=y
CONFIG_JSON_LIBRARY=y
CONFIG_BASE64=y
CONFIG_OHTTP_SIGNATURE=y
CONFIG_TINYCRYPT_SHA256_HMAC=y

# TLS
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_TLS_CREDENTIALS=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y

CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=61440
CONFIG_MBEDTLS_DEBUG=n
CONFIG_MBEDTLS_DEBUG_C=n

Now with this config, when I replace Amazon Root CA 1 and 3 with 2 and 4, I always get a -22 error on the socket opening.

The examples I found in the DevAcademy use Amazon Root CA 1, and I did not find any document explaining how to make it work with certificates using "sha384WithRSAEncryption" like Amazon Root CA 2 and "ecdsa-with-SHA384" like Amazon Root CA 4.


I have tried playing with different settings in the .conf with no success...
Is there any Kconfig combination that is recommended, an example or a documentation that could help us with this issue?

For information, credentials are added using "tls_credential_add"; certificates are converted from .pem to const uint8_t *, see attached files

8244.certificates.h


  • Hi again

    I don't know the specific differences between Amazon's root certificates, so the first step here would be to find what the differences between these are, and then we can try finding out what configs are necessary to change here.

    Best regards,

    Simon

  • Hello,

    Using openssl I found the following result:

    Amazon Root CA 1 : "sha256WithRSAEncryption" and 2048 bit public key 

    Amazon Root CA 2 : "sha384WithRSAEncryption" and a 4096 bit public key 

    Amazon Root CA 3 : "ecdsa-with-SHA256" and a 256 bit public key 

    Amazon Root CA 4 : "ecdsa-with-SHA384" and a 384 bit public key 

    I have tried enabling some configs related to SHA-384, a 4096-bit public key and ECDSA in addition to those described in the first post, but without success:

    CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
    # SHA3-384 (Keccak); sha384WithRSAEncryption and ecdsa-with-SHA384 use SHA-384 from the SHA-2 family
    CONFIG_PSA_WANT_ALG_SHA3_384=y
    
    # ECC
    CONFIG_PSA_WANT_ALG_ECDH=y
    CONFIG_PSA_WANT_ALG_ECDSA=y
    CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
    
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
    CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
    
    # ECC curves
    CONFIG_PSA_WANT_ECC_MONTGOMERY_255=y
    CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
    CONFIG_PSA_WANT_ECC_SECP_R1_224=y
    CONFIG_PSA_WANT_ECC_SECP_R1_256=y
    CONFIG_PSA_WANT_ECC_SECP_R1_384=y


    I dived deeper into the code to see where the error comes from: the -22 error is thrown by "tls_mbedtls_set_credentials".

    Hope this helps, please tell me if you need more information.

    Best regards,
    Charles 
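
An added host-side check (this editor's code, not from the thread or from Nordic): it turns the signature algorithm and key size that openssl reports for a CA, as listed above, into the CONFIG_PSA_WANT_* symbols the Mbed TLS PSA backend would need to verify that CA, and diffs them against the generated build/zephyr/.config rather than prj.conf, since defaults and selects fill in symbols that prj.conf never names. The symbol mapping is an assumption to verify against the nrf_security Kconfig of the NCS release in use; the openssl and .config excerpts are constructed, and whether a missing symbol is the cause of the -22 is not established in this thread.

```python
import re

# Constructed inputs: the `openssl x509 -noout -text` lines that matter,
# with the algorithm/key-size figures reported in the thread.
RSA_4096_SHA384 = """\
    Signature Algorithm: sha384WithRSAEncryption
            Public-Key: (4096 bit)
"""
EC_384_SHA384 = """\
    Signature Algorithm: ecdsa-with-SHA384
            Public-Key: (384 bit)
            ASN1 OID: secp384r1
"""
# Constructed excerpt of a generated build/zephyr/.config: the effective
# configuration after defaults and selects, which prj.conf alone is not.
DOT_CONFIG = """\
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
# CONFIG_PSA_WANT_ALG_SHA_384 is not set
CONFIG_PSA_WANT_ALG_SHA3_384=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_ECC_SECP_R1_384=y
"""
CURVES = {"prime256v1": "SECP_R1_256", "secp384r1": "SECP_R1_384"}  # openssl name -> PSA suffix (P-curves only)

def required_symbols(openssl_text):
    """CONFIG_PSA_WANT_* symbols implied by the CA's signature and key (assumed mapping)."""
    sig = re.search(r"Signature Algorithm: (\S+)", openssl_text).group(1)
    bits = re.search(r"Public-Key: \((\d+) bit\)", openssl_text).group(1)
    digest = re.search(r"sha(\d+)", sig, re.I).group(1)
    need = {f"CONFIG_PSA_WANT_ALG_SHA_{digest}"}  # SHA-2 family, not SHA3_*
    if sig.endswith("WithRSAEncryption"):
        need |= {"CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY",
                 "CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN",
                 f"CONFIG_PSA_WANT_RSA_KEY_SIZE_{bits}"}
    elif sig.startswith("ecdsa-with-"):
        curve = re.search(r"ASN1 OID: (\S+)", openssl_text).group(1)
        need |= {"CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY",
                 "CONFIG_PSA_WANT_ALG_ECDSA",
                 f"CONFIG_PSA_WANT_ECC_{CURVES[curve]}"}
    else:
        raise ValueError(f"unsupported signature algorithm: {sig}")
    return need

def missing_symbols(dot_config, needed):
    """Symbols in `needed` that the generated .config does not set to y."""
    enabled = set(re.findall(r"^(CONFIG_\w+)=y$", dot_config, re.M))
    return needed - enabled
```

Run it as `missing_symbols(DOT_CONFIG, required_symbols(RSA_4096_SHA384))`; with the excerpt above, both the RSA-4096/SHA-384 and the P-384/SHA-384 cases come back with only CONFIG_PSA_WANT_ALG_SHA_384 missing, which is the SHA3 versus SHA-2 mix-up rather than a key-size or curve gap.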
