TLS Credential: cannot make Amazon root CA 2 and 4 to work

Hello,

We are working on an nRF5340/nRF7002-based project with the NCS 2.7.0 SDK.
We have been able to get Amazon Root CA 1 and 3 working with the following .conf:

# Wifi is nrf7002 based
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
CONFIG_NRF700X_P2P_MODE=n
CONFIG_NRF700X_MAX_TX_PENDING_QLEN=12
CONFIG_NRF_WIFI_IF_AUTO_START=n
CONFIG_NRF_WIFI_LOW_POWER=y
CONFIG_NRF_WIFI_RPU_RECOVERY=y

# WPA supplicant
CONFIG_WPA_SUPP=y
CONFIG_WPA_SUPP_CRYPTO_WEP=n
CONFIG_WPA_SUPP_NO_DEBUG=y

# Networking
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONFIG_SETTINGS=n
# CONFIG_NET_CONFIG_INIT_TIMEOUT=0
# CONFIG_NET_CONFIG_AUTO_INIT=n

CONFIG_NET_NATIVE=y
CONFIG_DNS_RESOLVER=y

# Need 16 FDs for WiFi
CONFIG_POSIX_MAX_FDS=16

# Net Management
# This is mandatory even for WIFI
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_L2_WIFI_MGMT=y
CONFIG_NET_MAX_CONTEXTS=4
CONFIG_NET_SOCKETS_OFFLOAD=n

# HTTP (Kconfig fragments use '#' for comments, not '//')
CONFIG_HTTP_CLIENT=y
CONFIG_NET_TCP_KEEPALIVE=y
CONFIG_JSON_LIBRARY=y
CONFIG_BASE64=y
CONFIG_OHTTP_SIGNATURE=y
CONFIG_TINYCRYPT_SHA256_HMAC=y

# TLS
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_TLS_CREDENTIALS=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y

CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=61440
CONFIG_MBEDTLS_DEBUG=n
CONFIG_MBEDTLS_DEBUG_C=n

Now, with this config, when I replace Amazon Root CA 1 and 3 with 2 and 4, I always get a -22 error when opening the socket.

The examples I found in the DevAcademy use Amazon Root CA 1, and I did not find any document explaining how to make it work with certificates using "sha384WithRSAEncryption" like Amazon Root CA 2 and "ecdsa-with-SHA384" like Amazon Root CA 4.


I have tried playing with different settings in the .conf with no success...
Is there any Kconfig combination that is recommended, an example or documentation that could help us with this issue?

For information, credentials are added using "tls_credential_add", and certificates are converted from .pem to const uint8_t * (see attached files).

 8244.certificates.h

  • Ah, okay, so the SHA384 is the "main" difference then. Sorry I missed that initially. We don't have a specific sample project for using the SHA384 hash, but it should be supported. However, note that it's not supported by the Cryptocell (3xx) driver, so you will need to use the nrf-oberon driver instead. https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/crypto/drivers.html#crypto-drivers-oberon 

    Best regards,

    Simon

  • Hello,

    I finally managed to make Amazon Root CA 2 work, but I still have some trouble with Root CA 4.
    However, I have a few questions about the Kconfig options that I had to enable/modify.
    Here is the list I had to add; note that I'm now using NCS 3.0.2.

    CONFIG_MBEDTLS_HEAP_SIZE=85000
    
    # Another way to set this?
    CONFIG_MBEDTLS_MPI_MAX_SIZE=1024
    
    # new
    CONFIG_NRF_SECURITY=y
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
    CONFIG_PSA_WANT_ALG_SHA_384=y
    CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
    
    # Required RSA and SHA algorithms
    CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
    CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
    CONFIG_PSA_WANT_ALG_RSA_PSS=y
    CONFIG_PSA_WANT_ALG_RSA_PSS_ANY_SALT=y
    CONFIG_PSA_WANT_ALG_SHA_256=y
    
    # ECDSA
    CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
    CONFIG_PSA_WANT_ALG_ECDSA=y
    CONFIG_PSA_WANT_ALG_ECDSA_ANY=y
    CONFIG_PSA_WANT_ECC_SECP_R1_256=y


    • I figured that I had to increase CONFIG_MBEDTLS_MPI_MAX_SIZE to 1024, otherwise the default value of 256 is not enough for mbedTLS to parse the certificate. Is this the proper way of doing this? Is there another config that I should use instead of this one, which is never mentioned in example code?
    • I had to increase CONFIG_MBEDTLS_HEAP_SIZE from ~60k to 85k. Is there a way to be sure about this value other than trial and error?
    • Also, since we use many features from NCS, our program is pretty RAM-hungry, so I had to decrease CONFIG_NRF_WIFI_DATA_HEAP_SIZE to 90k, cf.:

    # Memory
    CONFIG_HEAP_MEM_POOL_SIZE=40144
    CONFIG_NRF_WIFI_CTRL_HEAP_SIZE=20000
    CONFIG_NRF_WIFI_DATA_HEAP_SIZE=90000


    Is there a minimum value to ensure that the Wi-Fi stack will be working properly?

    Thank you for your time.

    Best regards,

    Charles
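Added example, not code from the thread or from Nordic: a stand-alone Python checker that walks a certificate's DER to its signature-algorithm OID and reports which of the PSA Kconfig symbols posted above that algorithm needs, then emits the NUL-terminated C array that the question's .pem conversion has to produce for tls_credential_add. The OID-to-Kconfig table, the helper names and the minimal constructed DER (used in place of a real Amazon root certificate) are this example's own assumptions; the RSA key size behind CONFIG_MBEDTLS_MPI_MAX_SIZE and the EC curve behind CONFIG_PSA_WANT_ECC_SECP_R1_* live in the SubjectPublicKeyInfo, which this checker does not parse.

```python
import base64

# PSA Kconfig from this thread keyed by signature OID (standard PKIX OIDs); SHA-384 needs the Oberon driver (no CC3xx SHA-384)
RSA = ["CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY", "CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN"]
ECC = ["CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY", "CONFIG_PSA_WANT_ALG_ECDSA"]
SHA384 = ["CONFIG_PSA_WANT_ALG_SHA_384", "CONFIG_PSA_CRYPTO_DRIVER_OBERON"]
SIG_ALG = {
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", RSA + ["CONFIG_PSA_WANT_ALG_SHA_256"]),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", RSA + SHA384),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", ECC + ["CONFIG_PSA_WANT_ALG_SHA_256"]),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", ECC + SHA384),
}

def pem_to_der(pem):
    """Strip the PEM armour and strictly base64-decode the body (stray characters raise)."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()), validate=True)
def tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on every octet but the last of each arc
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, pos, _ = tlv(der, 0)
    _, _, pos = tlv(der, pos)  # skip tbsCertificate
    _, pos, _ = tlv(der, pos)  # enter signatureAlgorithm ::= SEQUENCE { OID, parameters }
    tag, start, end = tlv(der, pos)
    return decode_oid(der[start:end]) if tag == 0x06 else "not-an-oid"
def required_kconfig(pem):
    """(name, Kconfig list) for the signature; RSA size / EC curve live in the SPKI, not parsed here."""
    return SIG_ALG.get(signature_oid(pem_to_der(pem)), ("unknown", []))
def to_c_array(pem, name):
    """C array for tls_credential_add(); mbedTLS wants the trailing NUL and a length that includes it."""
    body = pem.strip().encode() + b"\0"
    return "static const unsigned char %s[] = {%s};" % (name, ", ".join("0x%02x" % b for b in body))

# Constructed stand-in for a real certificate: empty tbsCertificate, sha384WithRSAEncryption, empty signature.
SAMPLE_DER = bytes.fromhex("30 14 30 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 03 01 00")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

Running required_kconfig on the real Amazon root PEM files shows at a glance which PSA symbols each root needs; sizeof(the emitted array) is the length to pass to tls_credential_add.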

    1. Yes, it should be fine to manually set CONFIG_MBEDTLS_MPI_MAX_SIZE, as it only has 256 and 384 as defaults if the CC310/312 backends are set.
    2. mbedtls will only provide a runtime error if not enough memory is allocated, so trial and error is the way to go.
    3. 8000 should be sufficient if the application only does scanning, but other than that there aren't really any recommended minimum values here. If you'd like I can ask the developers, but could you share what Wi-Fi features you're using, as generic numbers will vary a lot depending on what features are used exactly.

    Best regards,

    Simon

  • Hello,

    Thank you for your answers.

    Indeed, I would like to know more about the recommendation for our use case, we use scan mode and station mode with WPA2, WPA2_256 and WPA3 security supported, also if relevant we use any link mode from WiFi4 to WiFi6.

    Best regards,

    Charles

  • Hi Charles,

    I spoke to the developer today, and the main dependency for WIFI_DATA_HEAP_SIZE is the throughput requirements of your application, so can you share some details on what throughput numbers you need/would like to see in your application, and we can come back with some suggestions for HEAP_SIZE.
