https://devzone.nordicsemi.com/f/nordic-q-a/67412/cannot-read-full-ca-certificateHello, I want to read the CA certificate stored inside the modem, unfortunately the modem_key_mgmt_read function cannot read a certificate bigger than 2kb even if CONFIG_AT_CMD_RESPONSE_MAX_LEN is set to 4kb(way more than needed). It does not returnen-USTelligent Community 13Tue, 20 Oct 2020 15:12:04 GMThttps://devzone.nordicsemi.com/thread/275994?ContentTypeID=1Tue, 20 Oct 2020 15:12:04 GMT137ad170-7792-4731-bb38-c0d22fbe4515:e5820674-45bf-40cc-906e-4b42012ffcbcDidrik Rokhaug<p>Yes, that certainly sounds plausible. I&#39;ll inform our developers about your findings.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/275968?ContentTypeID=1Tue, 20 Oct 2020 14:06:10 GMT137ad170-7792-4731-bb38-c0d22fbe4515:894f7b96-cadb-4061-b526-39f19c4711e9Vlad T<p>Hi Didrik,</p> <p></p> <p>Thank you for your help.</p> <p>It&#39;s a self signed certificate generated by openssl. It&#39;s just a regular x509 certificate, nothing fancy about it.</p> <p>I took a deeper look at at_cmd file and it seems that the parser confuses the certificate string with the AT &quot;OK&quot; string. The certificate stops right before the &quot;OK&quot; characters. What happens is as follows:</p> <p>- The modem returns the full certificate (at_cmd.c line 146)</p> <p>- at_cmd calculates the payload_len with get_return_code (at_cmd.c 177)</p> <p>- get_return_code calculates the length based on the position of the &quot;OK&quot; or &quot;ERROR&quot; response</p> <p>- get_return_code miscalculates the length of the response because strstr finds the wrongs &quot;OK&quot; (at_cmd.c 73)</p> <p>get_return_code should try to find the last &quot;OK&quot; or &quot;ERROR&quot; not the first.</p> <p></p> <p>Best regards,</p> <p>Vlad</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/275956?ContentTypeID=1Tue, 20 Oct 2020 13:37:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0f8550f6-f815-41bb-86bb-85893c80081cDidrik Rokhaug<p>Hi,</p> <p>Where does the certificate come from?</p> <p>I have seen a similar case before, and then the issue was with the certificate itself.</p> <p>I also see the same behavior, but when I enable more logging, particularly in the at_cmd library, I see that the full certificate is read out of the modem:</p> <p><pre class="ui-code" data-mode="text">[00:07:01.415,954] [1B][0m&lt;dbg&gt; at_cmd.at_write: Sending command at%cmng=2,0,0[1B][0m [00:07:01.431,762] [1B][0m&lt;dbg&gt; at_cmd.at_write: Awaiting response for at%cmng=2,0,0[1B][0m [00:07:01.439,605] [1B][0m&lt;dbg&gt; at_cmd.socket_thread_fn: at_cmd_rx 2242 bytes, %CMNG: 0,0,&quot;0000000000000000000000000000000000000000000000000000000000000000&quot;,&quot;-----BEGIN CERTIFICATE----- MIIGCzCCA/OgAwIBAgIUU72NL4Kzf1mkLA4CItvWJhRVA8UwDQYJKoZIhvcNAQEL BQAwgZQxCzAJBgNVBAYTAlJPMRwwGgYDVQQKDBNSYXB0b3IgVGVjaG5vbG9naWVz MT4wPAYDVQQLDDVSYXB0b3IgVGVjaG5vbG9naWVzIFNlbGYgU2lnbmVkIENlcnRp ZmljYXRlIEF1dGhvcml0eTEnMCUGA1UEAwwed2lyZXBhcy5yYXB0b3ItdGVjaG5v bG9naWVzLnJvMB4XDTIwMTAyMDA3MTQ0MVoXDTIxMTAyMDA3MTQ0MVowgZQxCzAJ BgNVBAYTAlJPMRwwGgYDVQQKDBNSYXB0b3IgVGVjaG5vbG9naWVzMT4wPAYDVQQL DDVSYXB0b3IgVGVjaG5vbG9naWVzIFNlbGYgU2lnbmVkIENlcnRpZmljYXRlIEF1 dGhvcml0eTEnMCUGA1UEAwwed2lyZXBhcy5yYXB0b3ItdGVjaG5vbG9naWVzLnJv MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5okWs/YG5k63dukkeJdS NnO9hIgKFg+5CrU2bl0guIsPBHJDp2+2EwSt0vxtoHg4TW/UiZWNE1DpUCu9sGHq MxCK8SNdU0egEPBZXEQzycNBZlRCi97Sj0ka4hNxoV77sH9bwb52xatq9rLQ5hIW TU4pmBcgzhpJ2htrjLVCmiuv+y3DHRxd8yqrEaRdRzKj058aumJAUDOX0+TaQe1A v2cbu5gcg4Hqe8tbflC5jaDhgze3NTuB7O75e6nBjQkcYS9lTG6HTG+9N+uc4++x duMVLHjoSYWZP0sXOiKReSJDcNoClERKXr8L3ERZZl+ABPLkyYq3hesLFDeAgwgB YcwJmjWzfXcZXyLKLr+MoArJsrDk3S0cM1GSTyt0qtRh9b98yV06DxYCirXuuhiD xTiIqJJbPkD/pnZcsWPApEEQwnZ06kcOs9A8PRQIsDvIgEm1JU0SYl/ZKkdg4Hdv sqIaQ+gQtE75Yd003aVIWYT5FZHap57JDgaRgbYPHx8IFf0Z7FOVNn/zZHg5wG8x L4TFFI4ggUuz6tH42JNC8s4l4dDRRnd4Fkd1FV51D3gnGLW14UFGhgRn53pxDmjU mWFtXOYTIF0/YCwvNcmBB1PfK43E19BKI9B9ORcxGgDhJQz3g1gQWcb/e8O5ktOb EvuDsepZXjyNTZFTU5GkiQkCAwEAAaNTMFEwHQYDVR0OBBYEFPiZU2VhNbfFdy8Q DhwFcN1+VLK5MB8GA1UdIwQYMBaAFPiZU2VhNbfFdy8QDhwFcN1+VLK5MA8GA1Ud EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK0ZjZ8bTfZGPIkw+h9lh2Gl pruDECnnxtCZnYaGqLyG2jzEdi+yEWv1Z5smduNmRlcxzt2Ypo0364Xqyegl0MFb jlzMLGb93e/eURlqFcTOnNEEVDwjItzy1n62V5Pqpa8/S0A5iqaLegI4n6/VFtbU RFy1OTZZtl6e9j5GO5hOOfTU0JqOQv6LPrnwedsCslRaMaEG5Ac/k/fquJICM0Yu 447Zu1gcdfFFCl/vC2HmeD8weDkrQTelr4frlC5iYX70yrUaOlE8A3vcS2WWUNsM 0n42bXzSni5UNUPfFw/40rETv0GU/FJC+izLAtUkd/rrnk7uq4+kuDj0EqjgseCk UfnvpEopRUJI2zfQ+wtuywDn/GWE4yNFnYw5+9U3/IGU+WmV2C/IJtYsn00EWbzr TGjEHRWhNMwkQBxsPIcev6ytUeHduAP69MSy8N/BrDaQQu7naMXTXts1LHlDQv1s 9387Eiy1FBblJcrnzVa/9EpekX9Xb1Suekm/fDACmSd0cn3I3hOKgtjIVRtqOx5s yWVhJ5UALBvmvg1LgKgU1KH71sOqQAWuRokHUI2p7f8DHyNXUoNcDUY8Nj+JbX4H BpxnMBPeBxzaBqxUE1Ol2pwyS9ZyZf6SZD0jxl3FJg3SDI86Z2Rh6EzJ1sQN0B6J T9dqRC46h+0ShzkwxGIP -----END CERTIFICATE----- &quot; OK </pre></p> <p>But, for some reason, the full certificate is not forwarded to the modem_key_mgmt library. The same behavior is also seen in the AT host library.</p> <p>I will continue to investigate why the full certificate is not forwarded to the modem_key_mgmt library.</p> <p>Best regards,</p> <p>Didrik</p><div style="clear:both;"></div>