• State Verified Answer
  • Replies 4 replies
  • Subscribers 74 subscribers
  • Views 1848 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 294024
Options

Understanding provision of CA certificates for TLS encryption

Sebastian Stein

Dear Nordic Support Team,

I would like my nRF9160 DK to connect to multiple servers using TLS. Among others, I have read the following documentation: nRF9160: Simple MQTT, Zephyr MQTT, TLS/DTLS configuration, Modem key management, and Zephyr BSD Sockets. I am confident that I am able to use Nordic's and Zephyr's libraries to set everything up from a programming perspective. However, there are some things I would like to clarify regarding the provision of certificates.

Since each certificate does occupy a non-neglectable amount of flash and/or RAM memory, my goal is to maximize the amount of servers I can connect to while keeping the set of certificates need as small as possible. Hence my first question: Is it sufficient to provide a few root CA (certificate authority) certificates to Nordic's modem and Zephyr's BSD Sockets library, so that they validate the chain of trust starting with the server's certificate and ending with one of the root CA certificates?

Lets consider nRF9160: Simple MQTT for example.

In the sample, the certificate "Let’s Encrypt R3" is provided to both Nordic's modem and Zephyr's BSD Socket library. However, "Let’s Encrypt R3" is signed by the certificate "Internet Security Research Group ISRG Root X1", which is one of the two root CA certificates of the Internet Security Research Group. Would the MQTT sample work if instead of "Let’s Encrypt R3"  "Internet Security Research Group ISRG Root X1" would be provided?

Since the MQTT sample uses Zephyr's MQTT library, why is the certificate provided to Nordic's modem and not only provided to Zephyr's BSD Sockets library (see function certificates_provision())?

I understand that Nordic's modem does store certificates in persistent storage (function modem_key_mgmt_write()). Do you know if Zephyr's BSD Sockets library stores certificates only in RAM? If so, does Zephyr copy the provided certificate or do one needs to keep the buffer, with which the certificate was provided (function tls_credential_add()), in memory? (Sorry for asking you questions about Zephyr, but the documentation seems inconclusive about this point and since Nordic's MQTT sample uses Zephyr's BSD Sockets library, I thought you might know more than I.)

Thank you allot for your help!

Cheers,
Sebastian

Parents
  • +1

    Hi,

    Since the MQTT sample uses Zephyr's MQTT library, why is the certificate provided to Nordic's modem and not only provided to Zephyr's BSD Sockets library (see function certificates_provision())?

    Because we use offloaded sockets, we don't use Zephyr's TLS/TCP/IP stack. Instead, the entire stack resides in the modem, and we only use Zephyr's API together with some glue code to make it work with our modem_lib and modem.

    So unless you change the configuration, you are not really using Zephyr's sockets.

    Do you know if Zephyr's BSD Sockets library stores certificates only in RAM? If so, does Zephyr copy the provided certificate or do one needs to keep the buffer, with which the certificate was provided (function tls_credential_add()), in memory?

    As explained above, this is not really relevant.

    However, for completeness: Yes, I believe tls_credential_add loads the credentials into RAM. And no, the credentials are not copied, so the buffer needs to be valid for the duration of the connection.

    Since each certificate does occupy a non-neglectable amount of flash and/or RAM memory, my goal is to maximize the amount of servers I can connect to while keeping the set of certificates need as small as possible. Hence my first question: Is it sufficient to provide a few root CA (certificate authority) certificates to Nordic's modem and Zephyr's BSD Sockets library, so that they validate the chain of trust starting with the server's certificate and ending with one of the root CA certificates?

    Yes, that should be okay.

    Best regards,

    Didrik

  • 0 in reply to Didrik Rokhaug

    Hi Didrik,

    thank you allot for your answers! I would like to make sure that I have understood everything.

    Didrik Rokhaug said:
    Because we use offloaded sockets, we don't use Zephyr's TLS/TCP/IP stack. Instead, the entire stack resides in the modem, and we only use Zephyr's API together with some glue code to make it work with our modem_lib and modem.

    I understand that when using this feature, providing all certificates via modem_key_mgmt_write() is sufficient in case of the nRF9160, and no calls to tls_credential_add() are ever needed. Is that correct?

    If the aforementioned statement is correct, I understand that one would not need to keep any certificates in RAM and/or flash memory since Nordic's modem uses some dedicated persistent memory for storing a number of certificates. One would only need to provision (or update) the certificates at one point in time. Is that correct?

    How many certificates can Nordic's modem hold?

    Didrik Rokhaug said:
    So unless you change the configuration, you are not really using Zephyr's sockets.

    I understand that one has to set the following two and only the following two configuration option to enable the offloading of Zephyr's TLS/TCP/IP stack. Is that correct?

    CONFIG_NET_NATIVE=n
CONFIG_NET_SOCKETS_OFFLOAD=y

    Again, thank you allot for your help!

    Best regards,
    Sebastian

  • 0 in reply to Sebastian Stein
    Sebastian Stein said:
    I understand that when using this feature, providing all certificates via modem_key_mgmt_write() is sufficient in case of the nRF9160, and no calls to tls_credential_add() are ever needed. Is that correct?

    Yes.

    Sebastian Stein said:
    If the aforementioned statement is correct, I understand that one would not need to keep any certificates in RAM and/or flash memory since Nordic's modem uses some dedicated persistent memory for storing a number of certificates. One would only need to provision (or update) the certificates at one point in time. Is that correct?

    Yes, the certificates stored and used in the modem does not use application core flash or RAM.

    Sebastian Stein said:
    How many certificates can Nordic's modem hold?

    From the modem FW release notes:

    "Absolute maximum number of supported credentials is 32. The actual amount depends on size of
    credentials as memory area reserved for credentials may be a limiting factor as well."

    Sebastian Stein said:
    I understand that one has to set the following two and only the following two configuration option to enable the offloading of Zephyr's TLS/TCP/IP stack. Is that correct?

    You should also add CONFIG_NRF_MODEM_LIB=y (the library the sockets are offloaded to) and CONFIG_HEAP_MEM_POOL_SIZE (needed for the modem_lib), and CONFIG_NET_SOCKETS=y to eanble Zephyr's socket API.

    You probably also want CONFIG_NET_SOCKETS_POSIX_NAMES=y to use the "normal" socket calls, and not having to add zephyr_ in front of all the calls.

  • 0 in reply to Didrik Rokhaug

    Everything is clear to me now. Thank you allot for your help!

Reply Children
No Data
Related
Terms of service