- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- Identification and Security
- :
- Secure Authentication
- :
- Invalid contents when downloading pre-provisioned certificate on SE050
Invalid contents when downloading pre-provisioned certificate on SE050
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to download one of the pre-loaded certificates using just API calls. The cloud examples all show how to download these using VCOM and ssscli external software, and I've done that to verify, but I want to do it without the external tools.
There is an example that shows how to do this in simw-top/demos/se05x/se05x_GetCertificate, something along these lines:
sss_status_t status;
sss_object_t obj;
uint8_t key[1024] = {0};
size_t keyByteLen = sizeof(key);
size_t keyBitLen = keyByteLen * 8;
status = sss_key_object_init(&obj, &pex_sss_demo_boot_ctx->ks);
status = sss_key_object_get_handle(&obj, keyId);
status = sss_key_store_get_key(&pex_sss_demo_boot_ctx->ks, &obj, key, &keyByteLen, &keyBitLen);
mbedtls_x509_crt certificate;
mbedtls_x509_crt_init(&certificate);
mbedtls_x509_crt_parse(&certificate, (const unsigned char *)key, keyByteLen);
// Convert to PEM text format
std::vector< unsigned char > bufPEM( 2048, 0 );
size_t sizePEM = 0;
mbedtls_pem_write_buffer( "-----BEGIN CERTIFICATE-----\n", "-----END CERTIFICATE-----\n", key, keyByteLen, bufPEM.data(), bufPEM.size(), &sizePEM );However, the output PEM contains a few extra base64 encoded bytes before the ---END CERTIFICATE--- footer. These extra bytes invalidate the certificate, as in when I try to register it in AWS I get an error saying the certificate is invalid.
When I extract the certificate using ssscli, the result is:
-----BEGIN CERTIFICATE-----
MIIB0DCCAXegAwIBAgIUBABQAdqb3mAVSoUEZTLaD2iAAAAwCgYIKoZIzj0EAwIw
VjEXMBUGA1UECwwOUGx1ZyBhbmQgVHJ1c3QxDDAKBgNVBAoMA05YUDEtMCsGA1UE
AwwkTlhQIEludGVybWVkaWF0ZS1Db25uZWN0aXZpdHlDQXZFMjA2MB4XDTE5MTAx
MTAwMDAwMFoXDTMxMTAwODAwMDAwMFowXzEXMBUGA1UECwwOUGx1ZyBhbmQgVHJ1
c3QxDDAKBgNVBAoMA05YUDE2MDQGA1UEAwwtRGV2Q29ubjAtMDQwMDUwMDFEQTlC
REU2MDE1NEE4NTA0NjUzMkRBMEY2ODgwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEPs71H5esMxmP1AKyo4zUVww8LlrURX49r6mgpyvgFGMjq/Bq8J4CSrlTLs1n
AOKGOE9dZI4Zlw1uGtbVBq68iqMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4Aw
CgYIKoZIzj0EAwIDRwAwRAIgWW8X76lG72S2nhZ2nDlFk29cVsflGGwL8wy/dALP
w8UCIADxTz0IT6Ehb/KLb9WqPqp0zRXrzU4E350G8XiR2sRb
-----END CERTIFICATE-----
But using the code above, I get (note the extra AAA= at the end):
-----BEGIN CERTIFICATE-----
MIIB0DCCAXegAwIBAgIUBABQAdqb3mAVSoUEZTLaD2iAAAAwCgYIKoZIzj0EAwIw
VjEXMBUGA1UECwwOUGx1ZyBhbmQgVHJ1c3QxDDAKBgNVBAoMA05YUDEtMCsGA1UE
AwwkTlhQIEludGVybWVkaWF0ZS1Db25uZWN0aXZpdHlDQXZFMjA2MB4XDTE5MTAx
MTAwMDAwMFoXDTMxMTAwODAwMDAwMFowXzEXMBUGA1UECwwOUGx1ZyBhbmQgVHJ1
c3QxDDAKBgNVBAoMA05YUDE2MDQGA1UEAwwtRGV2Q29ubjAtMDQwMDUwMDFEQTlC
REU2MDE1NEE4NTA0NjUzMkRBMEY2ODgwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEPs71H5esMxmP1AKyo4zUVww8LlrURX49r6mgpyvgFGMjq/Bq8J4CSrlTLs1n
AOKGOE9dZI4Zlw1uGtbVBq68iqMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4Aw
CgYIKoZIzj0EAwIDRwAwRAIgWW8X76lG72S2nhZ2nDlFk29cVsflGGwL8wy/dALP
w8UCIADxTz0IT6Ehb/KLb9WqPqp0zRXrzU4E350G8XiR2sRbAAA=
-----END CERTIFICATE-----
The first certificate can be successfully registered in AWS, but not the second. I'd appreciate any help in getting the certificates correctly from the chip. Thanks
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found the bug.
The line that generates the PEM should read the parsed certificate, instead of the raw key data. Note, the original code in the example has the same bug, in addition to using a custom PEM genration routine that does not add line breaks and generates non standard PEM files.
Anyway, for others stumbling on this thread, the fixed line should be
mbedtls_pem_write_buffer( "-----BEGIN CERTIFICATE-----\n", "-----END CERTIFICATE-----\n", certificate.raw.p, certificate.raw.len, bufPEM.data(), bufPEM.size(), &sizePEM );- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found the bug.
The line that generates the PEM should read the parsed certificate, instead of the raw key data. Note, the original code in the example has the same bug, in addition to using a custom PEM genration routine that does not add line breaks and generates non standard PEM files.
Anyway, for others stumbling on this thread, the fixed line should be
mbedtls_pem_write_buffer( "-----BEGIN CERTIFICATE-----\n", "-----END CERTIFICATE-----\n", certificate.raw.p, certificate.raw.len, bufPEM.data(), bufPEM.size(), &sizePEM );