Hi,
I want to connect to Google Cloud IoT and for that I would like to generate the needed credentials on the nRF9160.
PEM is needed by the modem and DER is used by jwt_sign.
With kind regards,
Árpád
I this link useful? I don't know too much about this, but I can do some more investigation and ask internally if the link didn't help.
Best regards,
Simon
Hi Simon,
thank your for your reply, but my question is how to generate all of this ON the nRF9160. Because if that would be possible
than the private key should not leave the device ensuring a higher security level compared to generating these keys outside of the device and transmitting over some channel.
Could you please ask for that? It would be good, if the key generation could happen on the device.
With kind regards,
Árpád
I got an answer on how to go about this:
"DER is just a binary encoded PEM. they can use base64_decode(), passing in the base64 text from the PEM (data between the BEGIN/END lines).
Best regards,
Simon
Hi Simon,
that is partially answer to my question. Thank you.
The rest of the question is:
is it possible -and if yes how- to generate elliptic curve keys and an x509 certificate needed by Google Cloud IoT on the nRF9160?
The generation with openssl on a desktop machine is described here:
I want to know whether it's possible to do the same - of course not with openssl- on the device itself.
Probably with the nrf_oberon crypto library?
For example I found ocrypto_ecdsa_p256_public_key in the nrf_oberon lib, but how to make an X509 certificate?
With kind regards,
Árpád
Hi Árpád,
I would assume that you could do this using the X.509 module in mbed TLS. It has support for building X509 certificates. I have not tested this myself though, and cannot provide any more details.
Einar
Hi Einar,
thank you for your reply. Unfortunately
CONFIG_MBEDTLS_X509_LIBRARY=y
depends on
CONFIG_NORDIC_SECURITY_BACKEND=y CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
get_target_property() called with non-existent target "platform_cc310".
I build for nrf9160dk_nrf9160ns.
How can I setup prj.conf to get the mbedTLS X509 module?
Why does the mbedTLS depends on CONFIG_NORDIC_SECURITY_BACKEND?
mbedTLS is a standalone lib, why is this dependency?
Here are my mbed config settings:
# Generate keys CONFIG_MBEDTLS=y CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y CONFIG_MBEDTLS_ENTROPY_ENABLED=y # Create certificate CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h" CONFIG_NORDIC_SECURITY_BACKEND=y # Why this depends on CONFIG_NORDIC_SECURITY_BACKEND?? CONFIG_MBEDTLS_X509_LIBRARY=y
Best regards,
Árpád
Hi Árpád,
This is not straightforward.
PopradiArpad said:
Why does the mbedTLS depends on CONFIG_NORDIC_SECURITY_BACKEND?
mbedTLS is a standalone lib, why is this dependency?
You need an entropy source in order to generate random numbers, and the only entropy source available to the application on the nRF9160 is the TRNG within the CC310 peripheral. The API for the CC310 in the nRF Connect SDK is mbed TLS, via the nordic security backend. This is still ongoing work, though. We do not have a proper solution ready at the moment.
It might be better to find some other way to generate the X509 certificate in pure SW, but in that case, it would only be for experimentation, as you will not have a usable secure solution without a proper entropy source.
Einar
Hi Árpád,
This is not straightforward.
PopradiArpad said:
Why does the mbedTLS depends on CONFIG_NORDIC_SECURITY_BACKEND?
mbedTLS is a standalone lib, why is this dependency?
You need an entropy source in order to generate random numbers, and the only entropy source available to the application on the nRF9160 is the TRNG within the CC310 peripheral. The API for the CC310 in the nRF Connect SDK is mbed TLS, via the nordic security backend. This is still ongoing work, though. We do not have a proper solution ready at the moment.
It might be better to find some other way to generate the X509 certificate in pure SW, but in that case, it would only be for experimentation, as you will not have a usable secure solution without a proper entropy source.
Einar
Hi Einar,
thank you for your fast answer. I understand ongoing work :)
Approximately when do you have a proper solution?
Best regards,
Árpád
Hi Árpád,
I cannot comment on when new features will be available, unfortunately. However, I see I was a bit too pessimistic in my previous reply. You can in fact make your own solution, and use the RNG support in the CC310 via the Secure Partition Manager, which has the spm_request_random_number() function. See Secure services. This just gives you entropy, and then you can use a pure SW library of your preference for the rest.
Einar
Hi Einar,
thanks for the hint. By trying to follow it, I get trapped by secure service causing a crash.
And I have other problem too: I want to print out the created keys to the console with
mbedtls_pk_write_pubkey_pem and mbedtls_pk_write_key_pem but they need
MBEDTLS_PK_WRITE_C to be defined, which needs a specialized mbedtls config file.
(At least I have not found a Zephyr Kconfig macro to accomplish this.)
How can I create and use such a config file without messing up Nordic's mbedtls configuration?
Best regards,
Árpád
Hi Árpád,
PopradiArpad said:thanks for the hint. By trying to follow it, I get trapped by secure service causing a crash.
I see. Have you applied the workaround?
PopradiArpad said:How can I create and use such a config file without messing up Nordic's mbedtls configuration?
I have not had a chance to test this myself, but I would not expect setting MBEDTLS_PK_WRITE_C in the mbedTLS config header file would mess up anything? In what way does it cause problems?
Einar
Hi Einar,
thank you for your answer!
to mbedTLS configuration:
It's really much easier to configure mbedTLS directly by an mbedTLS config file then through the predefined Zephyr config symbols. The only tricky part was having that file within my project.
But this prj.conf snippets does it:
# Generate credentials CONFIG_MBEDTLS=y # Configure mbedTLS directly with its configuration file instead through Zephyr config symbols # Relative from ncs/modules/crypto/mbedtls/configs/config-tls-generic.h CONFIG_MBEDTLS_CFG_FILE="../../../../MY-PROJECT/config-tls.h"
Writing the config file is easy: all the missing mbedTLS config definitions are checked by mbedTLS itself
during compilation or in case of a link error it's easy to find by the guard macro name.
to the secure service causing crash:
later.
Best regards,
Árpád