nRF91 How is it possible to generate EC 256 key pair and a self-signed X.509 certificate?

I this link useful? I don't know too much about this, but I can do some more investigation and ask internally if the link didn't help.

Best regards,

Simon

Hi Simon,

thank your for your reply, but my question is how to generate all of this ON the nRF9160. Because if that would be possible

than the private key should not leave the device ensuring a higher security level compared to generating these keys outside of the device and transmitting over some channel.

Could you please ask for that? It would be good, if the key generation could happen on the device.

With kind regards,

Árpád

Hi Simon,

thank your for your reply, but my question is how to generate all of this ON the nRF9160. Because if that would be possible

than the private key should not leave the device ensuring a higher security level compared to generating these keys outside of the device and transmitting over some channel.

Could you please ask for that? It would be good, if the key generation could happen on the device.

With kind regards,

Árpád

I'm sorry for the delay, somehow I left this ticket behind and forgot to do further investigation. I have asked some developers internally and currently waiting for an answer.

Best regards,

Simon

I got an answer on how to go about this:

"DER is just a binary encoded PEM.  they can use base64_decode(), passing in the base64 text from the PEM (data between the BEGIN/END lines). 

Best regards,
Simon

Hi Simon,

that is partially answer to my question. Thank you.

The rest of the question is:

is it possible -and if yes how- to generate elliptic curve keys and an x509 certificate needed by Google Cloud IoT on the nRF9160?

The generation with openssl on a desktop machine is described here:

I want to know whether it's possible to do the same - of course not with openssl- on the device itself.

Probably with the nrf_oberon crypto library?

For example I found ocrypto_ecdsa_p256_public_key in the nrf_oberon lib, but how to make an X509 certificate?

With kind regards,

Árpád

Hi Árpád,

I would assume that you could do this using the X.509 module in mbed TLS. It has support for building X509 certificates. I have not tested this myself though, and cannot provide any more details.

Einar

Hi Einar,

thank you for your reply. Unfortunately

CONFIG_MBEDTLS_X509_LIBRARY=y

depends on

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"

get_target_property() called with non-existent target "platform_cc310".

I build for nrf9160dk_nrf9160ns. 

How can I setup prj.conf to get the mbedTLS X509 module?

Why does the mbedTLS depends on CONFIG_NORDIC_SECURITY_BACKEND?

mbedTLS is a standalone lib, why is this dependency?

Here are my mbed config settings:

# Generate keys
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ENTROPY_ENABLED=y
# Create certificate
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
CONFIG_NORDIC_SECURITY_BACKEND=y
# Why this depends on CONFIG_NORDIC_SECURITY_BACKEND??
CONFIG_MBEDTLS_X509_LIBRARY=y

Best regards,

Árpád