How to validate SHA256 response from %CMNG=1

RE: How to validate SHA256 response from %CMNG=1

chris_h — Sat, 26 Aug 2023 17:07:29 GMT

Hi Øyvind,

Thanks for this post as it helped me tremendously, but the DigiCert link sent me in circles when my calculated SHA didn't correspond with yours.

It is because the DigiCert link corresponds with the DigiCertAssuredIDRootCA.crt.pem, not the DigiCertGlobalRootCA.crt.pem which is in your code snippet. I've updated the link below which corresponds with your SHA

Corrected link: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

Output:

sha256sum DigiCertGlobalRootCA.crt.pem
39fdcf28aeffe08d03251fccaf645e3c5de19fa4ebbafc89b4ede2a422148bab DigiCertGlobalRootCA.crt.pem

Appreciate your help on understanding this.

Chris

RE: How to validate SHA256 response from %CMNG=1

Øyvind — Tue, 24 Jan 2023 13:21:21 GMT

Thanks for clarifying.

One of my colleagues had a similar question, here is his answer:

The modem (and openssl for that matter) creates a checksum based on the input data, meaning that you're calculating on a byte-by-byte, ie. the integrity of the file as a whole.

If your line-endings are unix (\n), you'll get one sha256sum, and if its windows style line-endings, you'll get another one.

Here's my inputted Digicert Global RootCA at sec_tag=42:

And here's the pure "sha256sum" (alternative cmd: openssl sha256 <file>):
sha256sum DigiCertGlobalRootCA.crt.pem
39fdcf28aeffe08d03251fccaf645e3c5de19fa4ebbafc89b4ede2a422148bab DigiCertGlobalRootCA.crt.pem
This is the checksum of the unaltered file directly downloaded from DigiCert: https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt.pem

Kind regards,
Øyvind

RE: How to validate SHA256 response from %CMNG=1

ParasAtMotive — Tue, 24 Jan 2023 12:03:22 GMT

Currently we are running the v1.3.2 and will be upgrading to 1.3.3 shortly. We are currently using SDK version 2.0.2 and are in the process of upgrading it to 2.1.0.

We have an AT client integrated in our application for debugging.

As far as the SHA256 hash, I just took the Root CA that I wrote to the device, dumped out it's contents:

cat RootCA.crt

And copy pasted the output into https://emn178.github.io/online-tools/sha256.html the contents are in PEM format.

I then looked at the result and compared it to what I got from AT%CMNG.

My main questions are: In the response from AT%CMNG=1 we get something that looks like a SHA256 digest for each slot in the security module.

Is it a SHA256 digest?
What is the input data for the digest? (IE: Is it hashing the contents of the slot in PEM format, DER format, is any other data included?)

RE: How to validate SHA256 response from %CMNG=1

Øyvind — Tue, 24 Jan 2023 08:37:12 GMT

Hello,

What modem FW are you running on your device? From the output, that you have marked in yellow, it does look like you are using modem FW v1.3.2 or higher?

Is this tested with the AT client sample or have integrated AT client in your application? If so, what version of nRF Connect SDK are you working on?

[quote user=""]I ran a SHA-256 digest on the Root CA in PEM format written to the device and the hash did not match the hash returned.[/quote]

Can you provide more information on what you did in this step?

Thanks.

Kind regards,
Øyvind