Verifying Public and Private Certificates

Hi all,

This is for nrf9160 with firmware version 1.3.1.

I'm trying to read back the certificates and compare them with a known CRC.

modem_key_mgmt_read is able to read the CA_CHAIN cert, but cannot read the Public_Cert and the Private_Cert (returns FFs, length = 0).

Is it for obvious security reasons that you wouldn't be able to read those certs?

If so, is there a way of getting a length or a checksum of each of the fields, to verify that the contents in NV memory are valid?

I have used modem_key_mgmt_cmp after writing new values to confirm the values are the same as those written, and that works for all three of the above certificates.

Best regards,

  • Actually, a correction to the above: modem_key_mgmt_cmp and modem_key_mgmt_read cannot read the keys MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT and MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT.

    I tested the following and it works successfully in comparing and reading MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN.

    The AT command behind the scenes is

    AT%CMNG=2,?,?

  • Hi,

    You will have to upgrade the modem firmware to the newest version, v1.3.2, and then list these certificates to do your comparison.

    MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT and MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT can't be read, but they can be listed. Listing them will include the <sha>, which you can use for your comparison. See chapter 12.8 here: https://infocenter.nordicsemi.com/pdf/nrf91_at_commands_v2.1.pdf

    Unfortunately, the sha hash is only listed correctly in v1.3.2, so an upgrade will be necessary.

    Best regards,

    Raoul

  • Hi,

    I came across this thread because I was trying to ensure that the creds we generate (externally) are making it into the device properly.
    In doing so, I found myself unable to generate (from the files I downloaded) a matching hash for the cert installed onto the device. (Specifically, I expect to generate a hash to match what was written into slot 100, type 1.)

    To my surprise, I noted that the hash I was able to generate for the ROOT_CA_CERT MATCHES one of the (auto-installed?) type 10 credentials in the (default?) sec_slot.

    So, in summary, how do I generate the SHA key that the device returns on an AT%CMNG=1, so I can verify the same key exists?

    Any other information about what the autogenerated tags mean would also be illustrative.
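The comparison Raoul describes (list with AT%CMNG=1 and compare the <sha>) and the question above about reproducing that digest, as an added example that is not code from the thread or from Nordic: it parses a constructed %CMNG listing and checks the slot's <sha> against SHA-256 over the PEM text, the PEM text without its trailing newline, and the decoded DER body. Which of those forms the modem actually hashes is an assumption here, to be confirmed against chapter 12.8; the sample PEM and listing are constructed, and the names parse_cmng_list, candidate_digests and verify_slot are mine.

```python
import base64
import hashlib
import re
import textwrap

# Constructed placeholder bytes, NOT a real DER certificate, wrapped into the
# PEM form a credential is written in with AT%CMNG=0.
SAMPLE_DER = b"constructed placeholder bytes, not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

# One entry of an AT%CMNG=1 listing: %CMNG: <sec_tag>,<type>,"<sha>"
CMNG_LINE = re.compile(r'^%CMNG:\s*(\d+),(\d+),"([0-9A-Fa-f]{64})"')

def candidate_digests(pem: str) -> dict:
    """SHA-256 hex digests over the forms the modem could be hashing.
    Which form it actually uses is an assumption to confirm against chapter
    12.8 of the AT command reference, so all three are computed."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return {
        "pem": hashlib.sha256(pem.encode()).hexdigest().upper(),
        "pem_stripped": hashlib.sha256(pem.strip().encode()).hexdigest().upper(),
        "der": hashlib.sha256(base64.b64decode(body)).hexdigest().upper(),
    }

def parse_cmng_list(response: str) -> dict:
    """Map (sec_tag, type) -> <sha> for every entry of an AT%CMNG=1 response."""
    entries = {}
    for line in response.splitlines():
        m = CMNG_LINE.match(line.strip())
        if m:
            entries[(int(m.group(1)), int(m.group(2)))] = m.group(3).upper()
    return entries

def verify_slot(response: str, sec_tag: int, cred_type: int, pem: str):
    """Name of the digest form matching the listed <sha>, or None.
    None also covers a slot/type missing from the listing, i.e. the
    credential never made it into the modem."""
    listed = parse_cmng_list(response).get((sec_tag, cred_type))
    if listed is None:
        return None
    return next((n for n, d in candidate_digests(pem).items() if d == listed), None)

# Constructed listing: slot 100/type 1 holds SAMPLE_PEM (by construction hashed
# as PEM text), plus an unrelated entry with a dummy digest.
SAMPLE_RESPONSE = (f'%CMNG: 100,1,"{candidate_digests(SAMPLE_PEM)["pem"]}"\r\n'
                   f'%CMNG: 42,0,"{"0" * 64}"\r\n'
                   "OK\r\n")
```

Feed the real AT%CMNG=1 output and the PEM file you wrote to the slot into verify_slot; a result of None for a slot that is present means none of the three forms matches and the file on disk is not what the modem holds.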
