• State Not Answered
  • Replies 4 replies
  • Subscribers 70 subscribers
  • Views 756 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 301756
Options

How to validate SHA256 response from %CMNG=1

ParasAtMotive

We are writing certificates to our device correctly and they are functioning.  However, on the assembly line we can't test the certificates right away.  What I want to do is verify that the certs were written as expected before a device leaves the factory.  (Understood that we can't check the private key but we should be able to hash our public certificate and root CA and check them)

I am using the AT%CMNG=1 to list out the certificates written.  https://infocenter.nordicsemi.com/index.jsp?topic=%2Fref_at_commands%2FREF%2Fat_commands%2Fsecurity%2Fcmng.html

And it spits out a response like this:

AT%CMNG=1,12345678, 0
%CMNG: 12345678, 0, "978C...02C4"
OK

From this ticket  SHA-256 digest on %CMNG list credentials command looks strange see the response is a SHA-256 hash.

I ran a SHA-256 digest on the Root CA in PEM format written to the device and the hash did not match the hash returned.

What exactly is getting hashed for the yellow highlighted response?  Is there a better way to validate that certificates were written correctly?

Parents
  • 0

    Hello, 

    What modem FW are you running on your device? From the output, that you have marked in yellow, it does look like you are using modem FW v1.3.2 or higher?

    Is this tested with the AT client sample or have integrated AT client in your application? If so, what version of nRF Connect SDK are you working on?

    I ran a SHA-256 digest on the Root CA in PEM format written to the device and the hash did not match the hash returned.

    Can you provide more information on what you did in this step? 

    Thanks.

    Kind regards,
    Øyvind

  • 0 in reply to Øyvind

    Currently we are running the v1.3.2 and will be upgrading to 1.3.3 shortly.  We are currently using SDK version 2.0.2 and are in the process of upgrading it to 2.1.0.

    We have an AT client integrated in our application for debugging.

    As far as the SHA256 hash, I just took the Root CA that I wrote to the device, dumped out it's contents:

    cat RootCA.crt

    And copy pasted the output into https://emn178.github.io/online-tools/sha256.html the contents are in PEM format.

    I then looked at the result and compared it to what I got from AT%CMNG.

    My main questions are: In the response from AT%CMNG=1 we get something that looks like a SHA256 digest for each slot in the security module.

    1. Is it a SHA256 digest?
    2. What is the input data for the digest?  (IE: Is it hashing the contents of the slot in PEM format, DER format, is any other data included?)
Reply
  • 0 in reply to Øyvind

    Currently we are running the v1.3.2 and will be upgrading to 1.3.3 shortly.  We are currently using SDK version 2.0.2 and are in the process of upgrading it to 2.1.0.

    We have an AT client integrated in our application for debugging.

    As far as the SHA256 hash, I just took the Root CA that I wrote to the device, dumped out it's contents:

    cat RootCA.crt

    And copy pasted the output into https://emn178.github.io/online-tools/sha256.html the contents are in PEM format.

    I then looked at the result and compared it to what I got from AT%CMNG.

    My main questions are: In the response from AT%CMNG=1 we get something that looks like a SHA256 digest for each slot in the security module.

    1. Is it a SHA256 digest?
    2. What is the input data for the digest?  (IE: Is it hashing the contents of the slot in PEM format, DER format, is any other data included?)
Children
  • 0 in reply to ParasAtMotive

    Thanks for clarifying. 

    One of my colleagues had a similar question, here is his answer:

    The modem (and openssl for that matter) creates a checksum based on the input data, meaning that you're calculating on a byte-by-byte, ie. the integrity of the file as a whole.

    If your line-endings are unix (\n), you'll get one sha256sum, and if its windows style line-endings, you'll get another one.

    Here's my inputted Digicert Global RootCA at sec_tag=42:

    And here's the pure "sha256sum" (alternative cmd: openssl sha256 <file>):

    sha256sum DigiCertGlobalRootCA.crt.pem
39fdcf28aeffe08d03251fccaf645e3c5de19fa4ebbafc89b4ede2a422148bab DigiCertGlobalRootCA.crt.pem

    This is the checksum of the unaltered file directly downloaded from DigiCert: https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt.pem

    Kind regards,
    Øyvind

  • 0 in reply to Øyvind

    Hi Øyvind,

    Thanks for this post as it helped me tremendously, but the DigiCert link sent me in circles when my calculated SHA didn't correspond with yours. 

    It is because the DigiCert link corresponds with the DigiCertAssuredIDRootCA.crt.pem, not the DigiCertGlobalRootCA.crt.pem which is in your code snippet.  I've updated the link below which corresponds with your SHA

    Corrected link: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

    Output:

    sha256sum DigiCertGlobalRootCA.crt.pem
39fdcf28aeffe08d03251fccaf645e3c5de19fa4ebbafc89b4ede2a422148bab DigiCertGlobalRootCA.crt.pem

    Appreciate your help on understanding this.

    Chris

Related