A1006 client certificate is not usable

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

A1006 client certificate is not usable

2,122 Views
yokonav
Contributor III

I want to validate and extract public key from the client certificate stored in Rapid IOT's A1006 authenticator secure element. In fact, I am not able to parse it. 

My workflow:

  1. Read certificate from the A1006 chip  (using ATMO_MK64F_Auth_GetCert) 
  2. Convert it to base64 (using RPK_Base64_Encode)
  3. Debug print on the serial console (using ATMO_PLATFORM_DebugPrint)

I am printing the certificate character by character using ATMO_PLATFORM_DebugPrint since the function seems not supporting string longer than 64 characters.

The base64 encoded certificate:

TlhQIFN5c3RlbVJhcGlkIElvVCAgIASSc/L4Ufmi2AJELjQ/6c1dBLaoSwDRko7jrmtOvJkqe+rUIVAe44X4xTA8Ahx8Y9Usm48QYQfCNVYFL2z8v2IyYjxNya3BXw2+AhxvnILvfKv8UYHx3/pHymAfGkOuDjFHNoo85FbiAAA=

I stored the certificate to a file (cert.pem) and made it PEM format:

-----BEGIN CERTIFICATE-----

TlhQIFN5c3RlbVJhcGlkIElvVCAgIASSc/L4Ufmi2AJELjQ/6c1dBLaoSwDRko7j

rmtOvJkqe+rUIVAe44X4xTA8Ahx8Y9Usm48QYQfCNVYFL2z8v2IyYjxNya3BXw2+

AhxvnILvfKv8UYHx3/pHymAfGkOuDjFHNoo85FbiAAA=

-----END CERTIFICATE-----

When I tried to parse:

$ openssl x509 -in cert.pem  -text  -noout

unable to load certificate

4618929600:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130:

4618929600:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=X509

4618929600:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:

I also tried to Debug print the certificate in base16 hex:

4E58502053797374656D526170696420496F54202020049273F2F851F9A2D802442E343FE9CD5D04B6A84B00D1928EE3AE6B4EBC992A7BEAD421501EE385F8C5303C021C7C63D52C9B8F106107C23556052F6CFCBF6232623C4DC9ADC15F0DBE021C6F9C82EF7CABFC5181F1DFFA47CA601F1A43AE0E3147368A3CE456E20000

I can confirm the content of the certificate (hex base16) above is same as the value of the BLE characteristic aa386522826cc0cdaccf40096d5876de which also read the certificate ( I checked the  OOB example code in MCUXpresso).

 I assume the format is x509 DER format stored in the A1006. Is the certificate further encrypted or corrupted?

Labels (1)
Tags (1)
0 Kudos
5 Replies

1,717 Views
estephania_mart
NXP TechSupport
NXP TechSupport

Hello, 

By any chance, do you have the same behavior by using the A1006_Get_Cert(uint8_t *cert) API? 

Regards

0 Kudos

1,717 Views
yokonav
Contributor III

Hi,

The  ATMO_MK64F_Auth_GetCert  is a wrapper of A1006_Get_Cert. The A1006_Get_Cert did not work directly.

The ATMO_MK64F_Auth_GetUid is returning the UID correctly and the ATMO_MK64F_Auth_GetCert returns

correct size response but for some reason it is not parsable. My task is simple: get cert from A1006 which should

be valid/parsable. Can’t you reproduce it at your end? By the way I am one of the contestants of the Rapid IOT

at Hackster.io and this is a blocking issue for my project.

Thank you in advance,

Naveen

0 Kudos

1,717 Views
estephania_mart
NXP TechSupport
NXP TechSupport

Hello, 

I believe this might help you, the X.509 cert is a compressed certificate and needs to be decompressed before being parsed so in order to use it as you want you you will need to decompress it. 

I would strongly recommend you to register in Docstore and check for the Host Library for the A1006 as you will find some examples and functions to achieve what you are trying to do. 

Please check this videos on the Docstore registration

Docstore tutorial part 1: User Registration|NXP  

Docstore tutorial part 2: portal usage|NXP  

And once you get access to the library you might useful the a1006_decompressCert function, so check for it and its usage. 

Regards, 

Estephania 

0 Kudos

1,717 Views
yokonav
Contributor III

Hi, 

I tried to register in Docstore using the same email registered with NXP community but it was rejected due to non-company email. I again tried with my company email but I was asked to provide NDA between my company and NXP.  My company has nothing to do with Hackster.io contest so they are not going to help me in NDA. Is there any other way to access the library you mentioned in the last reply?

Thanks,

Naveen

0 Kudos

1,717 Views
estephania_mart
NXP TechSupport
NXP TechSupport

Hello,

Sorry for the inconvenience this might cause you. But you need to sign the NDA and that you will need also to register with a company email.

You can also ask in the for one of the distributors available in the following link Distributor Network | NXP   . 


Regards, 
Estephania 

0 Kudos