Is this link useful? I don't know too much about this, but I can do some more investigation and ask internally if the link didn't help.
Best regards,
Simon
Hi Simon,
thank you for your reply, but my question is how to generate all of this ON the nRF9160. Because if that would be possible,
then the private key should not leave the device, ensuring a higher security level compared to generating these keys outside of the device and transmitting them over some channel.
Could you please ask for that? It would be good, if the key generation could happen on the device.
With kind regards,
Árpád
Hi Einar,
thank you for your fast answer. I understand ongoing work :)
Approximately when do you have a proper solution?
Best regards,
Árpád
Hi Árpád,
I cannot comment on when new features will be available, unfortunately. However, I see I was a bit too pessimistic in my previous reply. You can in fact make your own solution, and use the RNG support in the CC310 via the Secure Partition Manager, which has the spm_request_random_number() function. See Secure services. This just gives you entropy, and then you can use a pure SW library of your preference for the rest.
Einar
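The glue Einar describes, as an added example that is not from the thread or from Nordic's code: a callback with the mbedTLS entropy-source signature that pulls bytes from spm_request_random_number() so mbedTLS can seed its DRBG from the CC310. It assumes the SPM declaration from secure_services.h; the host stand-in under #ifndef __ZEPHYR__ is constructed test scaffolding and is not random.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Secure service provided by the Secure Partition Manager on the nRF9160
 * (declared in nrf/include/secure_services.h); declared here so the file
 * also builds on a host. */
int spm_request_random_number(uint8_t *output, size_t len, size_t *olen);

/* Value of MBEDTLS_ERR_ENTROPY_SOURCE_FAILED from mbedtls/entropy.h. */
#define ERR_ENTROPY_SOURCE_FAILED (-0x003C)

/* Matches mbedtls_entropy_f_source_ptr, so it can be registered with
 *   mbedtls_entropy_add_source(&entropy, cc310_entropy_source, NULL,
 *                              32, MBEDTLS_ENTROPY_SOURCE_STRONG);
 * before mbedtls_ctr_drbg_seed(). Short reads from the secure service are
 * looped over; any failure zeroes the buffer and reports an error rather than
 * handing mbedTLS a partially filled buffer as entropy. */
int cc310_entropy_source(void *data, unsigned char *output, size_t len, size_t *olen)
{
    (void)data;
    size_t got = 0;
    *olen = 0;
    while (got < len) {
        size_t n = 0;
        int rc = spm_request_random_number(output + got, len - got, &n);
        if (rc != 0 || n == 0 || n > len - got) {
            memset(output, 0, len);
            return ERR_ENTROPY_SOURCE_FAILED;
        }
        got += n;
    }
    *olen = got;
    return 0;
}

#ifndef __ZEPHYR__
/* Constructed host stand-in: deterministic pattern in 16-byte chunks, or a
 * failure when g_spm_fail is set. Only for exercising the adapter off-target. */
int g_spm_fail = 0;
int spm_request_random_number(uint8_t *output, size_t len, size_t *olen)
{
    if (g_spm_fail) return -1;
    size_t n = len < 16 ? len : 16;
    for (size_t i = 0; i < n; i++) output[i] = (uint8_t)(0xA5 ^ i);
    *olen = n;
    return 0;
}
#endif
```

With the DRBG seeded this way, mbedtls_ecp_gen_key() or mbedtls_rsa_gen_key() can run on the device, and the key never has to leave it; dumping it with mbedtls_pk_write_key_pem() is only for inspection.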
Hi Einar,
thanks for the hint. By trying to follow it, I get trapped by secure service causing a crash.
And I have other problem too: I want to print out the created keys to the console with
mbedtls_pk_write_pubkey_pem and mbedtls_pk_write_key_pem but they need
MBEDTLS_PK_WRITE_C to be defined, which needs a specialized mbedtls config file.
(At least I have not found a Zephyr Kconfig macro to accomplish this.)
How can I create and use such a config file without messing up Nordic's mbedtls configuration?
Best regards,
Árpád
Hi Árpád,
PopradiArpad said: thanks for the hint. By trying to follow it, I get trapped by secure service causing a crash.
I see. Have you applied the workaround?
PopradiArpad said: How can I create and use such a config file without messing up Nordic's mbedtls configuration?
I have not had a chance to test this myself, but I would not expect setting MBEDTLS_PK_WRITE_C in the mbedTLS config header file would mess up anything? In what way does it cause problems?
Einar
Hi Einar,
thank you for your answer!
to mbedTLS configuration:
It's really much easier to configure mbedTLS directly by an mbedTLS config file than through the predefined Zephyr config symbols. The only tricky part was having that file within my project.
But this prj.conf snippet does it:
# Generate credentials
CONFIG_MBEDTLS=y
# Configure mbedTLS directly with its configuration file instead of through Zephyr config symbols
# Relative from ncs/modules/crypto/mbedtls/configs/config-tls-generic.h
CONFIG_MBEDTLS_CFG_FILE="../../../../MY-PROJECT/config-tls.h"
Writing the config file is easy: all the missing mbedTLS config definitions are checked by mbedTLS itself
during compilation or in case of a link error it's easy to find by the guard macro name.
to the secure service causing crash:
later.
Best regards,
Árpád