
Cannot read full CA certificate

Hello,

I want to read the CA certificate stored inside the modem; unfortunately the modem_key_mgmt_read function cannot read a certificate bigger than 2 kB, even if CONFIG_AT_CMD_RESPONSE_MAX_LEN is set to 4 kB (way more than needed). It does not return any error, just an incomplete certificate.

The modem_key_mgmt_write seems to work because I can get the TLS connection.

I have prepared sample code to reproduce the problem; please see the attached file. The relevant code is inside the reproduce_bug function.

NCS 1.3.1

Modem fw 1.2.1

Is there any configuration that I have to do in order to be able to read the full certificate?

Best regards,

Vlad

1018.mqtt_simple.zip

  • Hi,

    Where does the certificate come from?

    I have seen a similar case before, and then the issue was with the certificate itself.

    I also see the same behavior, but when I enable more logging, particularly in the at_cmd library, I see that the full certificate is read out of the modem:

    [00:07:01.415,954] <dbg> at_cmd.at_write: Sending command at%cmng=2,0,0
    [00:07:01.431,762] <dbg> at_cmd.at_write: Awaiting response for at%cmng=2,0,0
    [00:07:01.439,605] <dbg> at_cmd.socket_thread_fn: at_cmd_rx 2242 bytes, %CMNG: 0,0,"0000000000000000000000000000000000000000000000000000000000000000","-----BEGIN CERTIFICATE-----
    MIIGCzCCA/OgAwIBAgIUU72NL4Kzf1mkLA4CItvWJhRVA8UwDQYJKoZIhvcNAQEL
    BQAwgZQxCzAJBgNVBAYTAlJPMRwwGgYDVQQKDBNSYXB0b3IgVGVjaG5vbG9naWVz
    MT4wPAYDVQQLDDVSYXB0b3IgVGVjaG5vbG9naWVzIFNlbGYgU2lnbmVkIENlcnRp
    ZmljYXRlIEF1dGhvcml0eTEnMCUGA1UEAwwed2lyZXBhcy5yYXB0b3ItdGVjaG5v
    bG9naWVzLnJvMB4XDTIwMTAyMDA3MTQ0MVoXDTIxMTAyMDA3MTQ0MVowgZQxCzAJ
    BgNVBAYTAlJPMRwwGgYDVQQKDBNSYXB0b3IgVGVjaG5vbG9naWVzMT4wPAYDVQQL
    DDVSYXB0b3IgVGVjaG5vbG9naWVzIFNlbGYgU2lnbmVkIENlcnRpZmljYXRlIEF1
    dGhvcml0eTEnMCUGA1UEAwwed2lyZXBhcy5yYXB0b3ItdGVjaG5vbG9naWVzLnJv
    MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5okWs/YG5k63dukkeJdS
    NnO9hIgKFg+5CrU2bl0guIsPBHJDp2+2EwSt0vxtoHg4TW/UiZWNE1DpUCu9sGHq
    MxCK8SNdU0egEPBZXEQzycNBZlRCi97Sj0ka4hNxoV77sH9bwb52xatq9rLQ5hIW
    TU4pmBcgzhpJ2htrjLVCmiuv+y3DHRxd8yqrEaRdRzKj058aumJAUDOX0+TaQe1A
    v2cbu5gcg4Hqe8tbflC5jaDhgze3NTuB7O75e6nBjQkcYS9lTG6HTG+9N+uc4++x
    duMVLHjoSYWZP0sXOiKReSJDcNoClERKXr8L3ERZZl+ABPLkyYq3hesLFDeAgwgB
    YcwJmjWzfXcZXyLKLr+MoArJsrDk3S0cM1GSTyt0qtRh9b98yV06DxYCirXuuhiD
    xTiIqJJbPkD/pnZcsWPApEEQwnZ06kcOs9A8PRQIsDvIgEm1JU0SYl/ZKkdg4Hdv
    sqIaQ+gQtE75Yd003aVIWYT5FZHap57JDgaRgbYPHx8IFf0Z7FOVNn/zZHg5wG8x
    L4TFFI4ggUuz6tH42JNC8s4l4dDRRnd4Fkd1FV51D3gnGLW14UFGhgRn53pxDmjU
    mWFtXOYTIF0/YCwvNcmBB1PfK43E19BKI9B9ORcxGgDhJQz3g1gQWcb/e8O5ktOb
    EvuDsepZXjyNTZFTU5GkiQkCAwEAAaNTMFEwHQYDVR0OBBYEFPiZU2VhNbfFdy8Q
    DhwFcN1+VLK5MB8GA1UdIwQYMBaAFPiZU2VhNbfFdy8QDhwFcN1+VLK5MA8GA1Ud
    EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK0ZjZ8bTfZGPIkw+h9lh2Gl
    pruDECnnxtCZnYaGqLyG2jzEdi+yEWv1Z5smduNmRlcxzt2Ypo0364Xqyegl0MFb
    jlzMLGb93e/eURlqFcTOnNEEVDwjItzy1n62V5Pqpa8/S0A5iqaLegI4n6/VFtbU
    RFy1OTZZtl6e9j5GO5hOOfTU0JqOQv6LPrnwedsCslRaMaEG5Ac/k/fquJICM0Yu
    447Zu1gcdfFFCl/vC2HmeD8weDkrQTelr4frlC5iYX70yrUaOlE8A3vcS2WWUNsM
    0n42bXzSni5UNUPfFw/40rETv0GU/FJC+izLAtUkd/rrnk7uq4+kuDj0EqjgseCk
    UfnvpEopRUJI2zfQ+wtuywDn/GWE4yNFnYw5+9U3/IGU+WmV2C/IJtYsn00EWbzr
    TGjEHRWhNMwkQBxsPIcev6ytUeHduAP69MSy8N/BrDaQQu7naMXTXts1LHlDQv1s
    9387Eiy1FBblJcrnzVa/9EpekX9Xb1Suekm/fDACmSd0cn3I3hOKgtjIVRtqOx5s
    yWVhJ5UALBvmvg1LgKgU1KH71sOqQAWuRokHUI2p7f8DHyNXUoNcDUY8Nj+JbX4H
    BpxnMBPeBxzaBqxUE1Ol2pwyS9ZyZf6SZD0jxl3FJg3SDI86Z2Rh6EzJ1sQN0B6J
    T9dqRC46h+0ShzkwxGIP
    -----END CERTIFICATE-----
    "
    OK
    

    But, for some reason, the full certificate is not forwarded to the modem_key_mgmt library. The same behavior is also seen in the AT host library.

    I will continue to investigate why the full certificate is not forwarded to the modem_key_mgmt library.

    Best regards,

    Didrik

  • Hi Didrik,

    Thank you for your help.

    It's a self-signed certificate generated by openssl. It's just a regular X.509 certificate, nothing fancy about it.

    I took a deeper look at at_cmd file and it seems that the parser confuses the certificate string with the AT "OK" string. The certificate stops right before the "OK" characters. What happens is as follows:

    - The modem returns the full certificate (at_cmd.c line 146)

    - at_cmd calculates the payload_len with get_return_code (at_cmd.c 177)

    - get_return_code calculates the length based on the position of the "OK" or "ERROR" response

    - get_return_code miscalculates the length of the response because strstr finds the wrong "OK" (at_cmd.c 73)

    get_return_code should try to find the last "OK" or "ERROR" not the first.

    Best regards,

    Vlad

  • Yes, that certainly sounds plausible. I'll inform our developers about your findings.
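The parsing mistake Vlad describes above, shown next to a result-code search anchored to the end of the response. This is an added, constructed C example and is not code from nRF Connect SDK's at_cmd.c; it assumes the modem terminates every response with the result code on its own line ("\r\nOK\r\n" or "\r\nERROR\r\n"), and the single base64 line in the sample is copied from the certificate in the log above, where it contains the substring "hOKg".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not nRF Connect SDK code. An AT response is modelled
 * as "<payload>\r\n<RESULT>\r\n" where RESULT is OK or ERROR (line-ending
 * format assumed). Two ways of locating RESULT are contrasted.
 */

/* Naive: take the FIRST "OK" or "ERROR" found anywhere in the buffer, the
 * way a plain strstr() search does. Returns the payload length, or -1 if
 * neither string is present. Any "OK" inside the payload truncates it. */
long payload_len_first_match(const char *resp)
{
    const char *ok = strstr(resp, "OK");
    const char *err = strstr(resp, "ERROR");
    const char *end;

    if (ok && err) {
        end = (ok < err) ? ok : err;
    } else {
        end = ok ? ok : err;
    }
    if (!end) {
        return -1;
    }
    return (long)(end - resp);
}

/* Robust: the result code is a complete line at the END of the response.
 * Strip trailing CR/LF, isolate the last line, and compare it as a whole
 * token, so payload bytes can never be mistaken for the terminator.
 * Returns the payload length (without the CR/LF that precedes the result
 * line) and sets *is_ok; returns -1 if the last line is not a result code. */
long payload_len_last_line(const char *resp, size_t len, int *is_ok)
{
    size_t end = len;
    size_t start;
    size_t plen;

    while (end > 0 && (resp[end - 1] == '\r' || resp[end - 1] == '\n')) {
        end--;
    }
    start = end;
    while (start > 0 && resp[start - 1] != '\n') {
        start--;
    }
    if (end - start == 2 && memcmp(resp + start, "OK", 2) == 0) {
        *is_ok = 1;
    } else if (end - start == 5 && memcmp(resp + start, "ERROR", 5) == 0) {
        *is_ok = 0;
    } else {
        return -1;
    }
    plen = start;
    while (plen > 0 && (resp[plen - 1] == '\r' || resp[plen - 1] == '\n')) {
        plen--;
    }
    return (long)plen;
}

/* Constructed %CMNG read response. The base64 line is copied from the
 * certificate in the log above; it contains "hOKg". */
const char sample_resp[] =
    "%CMNG: 0,0,\"00\",\"-----BEGIN CERTIFICATE-----\n"
    "9387Eiy1FBblJcrnzVa/9EpekX9Xb1Suekm/fDACmSd0cn3I3hOKgtjIVRtqOx5s\n"
    "-----END CERTIFICATE-----\n\"\r\nOK\r\n";

/* Constructed error response with no payload at all. */
const char error_resp[] = "\r\nERROR\r\n";

int main(void)
{
    int ok = 0;
    long naive = payload_len_first_match(sample_resp);
    long robust = payload_len_last_line(sample_resp, sizeof(sample_resp) - 1, &ok);

    printf("naive payload length : %ld (stops inside the base64 line)\n", naive);
    printf("naive payload        : \"%.*s\"\n", (int)naive, sample_resp);
    printf("robust payload length: %ld, result %s\n", robust, ok ? "OK" : "ERROR");
    return 0;
}
```

With the sample above the first-match search stops at offset 95, in the middle of the base64 line, while the end-anchored search returns the complete 137-byte payload and reports OK. The general rule the example illustrates: a sentinel that terminates a message must be matched as a whole line at the end of the buffer, never as a substring of data the remote side controls, because base64 will eventually contain any two-letter token.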
