• State Not Answered
  • Replies 6 replies
  • Subscribers 86 subscribers
  • Views 553 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 351974
Options

MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

pcspets

Hello

There has been an interesting braking change between SDK v3.1.0 -> v3.1.1. When using PSA (CONFIG_MBEDTLS_USE_PSA_CRYPTO=y) and a server with signature algorithm SHA384withECDSA, MbedTLS successfully connects to the server with v3.1.0. But when compiling exactly the same project with SDK v3.1.1, it doesn't, with the error message:

<err> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7959: mbedtls_x509_crt_parse_der() returned -14848 (-0x3a00)

Which is:

/** Elliptic curve is unsupported (only NIST curves are supported). */
#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00

The only difference between those two builds is that, when building with v3.1.1, CONFIG_MBEDTLS_RSA_C=y is automatically turned on. When turning it off in prj.conf (CONFIG_MBEDTLS_RSA_C=n), it works again.

Am I missing something or there is a bug in PSA MbedTLS? As fas as I understand, adding RSA support (without taking anything away from elliptic curve), should be able to use both, no?

Regards
Lauri

Parents
  • 0

    Hi,

    I would expect you should be able to use both yes, and I have not been able to find any references to this issue from before (though I must admit I have also not come across SHA384withECDSA before).

    Is it so that you see the same issue in 3.1.0 and 3.1.1 where it does not work with CONFIG_MBEDTLS_RSA_C=y in the build, and it works in both cases with it not in the build? Can you share the generated .config for your project both with and without it?

  • 0 in reply to Einar Thorsrud

    Unfortunately I cannot turn CONFIG_MBEDTLS_RSA_C on when usind SDK v3.1.0, because I'm using PSA crypto:

    CONFIG_MBEDTLS_RSA_C was assigned the value y, but got the value n. Missing dependencies:
    OPENTHREAD || (!MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_LEGACY_CRYPTO_C && NRF_SECURITY) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" && MBEDTLS && 0)

    So, I attached two config files. One with v3.1.0 (RSA off) and one with v.3.1.1 (RSA on by default). The latter doesn't work with ECDSA certificates but it can be fixed by CONFIG_MBEDTLS_RSA_C=n.

    config_files.zip

  • 0 in reply to pcspets

    Hi,

    I see. But you can turn it off with 3.1.1? In 3.1.0 and before you had a dependency on !MBEDTLS_USE_PSA_CRYPTO for MBEDTLS_RSA_C here, but this was removed in 3.1.1. I will look more into this.

Reply Children
Related
Terms of service