I have compiled Onboard_demo as per Development Kit user guide document 80-YA121-140 Rev. D Section 5. I am using binary certificate array in cert_buf.h. On board bootup, aws iot thing private key and cert storage gets successful but CA cert store gets failed. Following is my CA key code.
Certificate copy fails in Onboard_demo
Posted: Wed, 2020-02-12 14:01
/* @brief This buffer should contain the CAList cert
*
* This can be generated using SharkSSLParseCAList <certfile>
* where certfile is downloaded for AWS Thing
*/
uint8_t aws_calist[] =
{
0x00, 0x00, 0x00, 0x01, 0x41, 0x6D, 0x61, 0x7A,
0x6F, 0x6E, 0x20, 0x52, 0x00, 0x00, 0x00, 0x10,
0x30, 0x82, 0x01, 0xB6, 0x30, 0x82, 0x01, 0x5B,
0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x13, 0x06,
0x6C, 0x9F, 0xD5, 0x74, 0x97, 0x36, 0x66, 0x3F,
0x3B, 0x0B, 0x9A, 0xD9, 0xE8, 0x9E, 0x76, 0x03,
0xF2, 0x4A, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86,
0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x39,
0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0F, 0x30,
0x0D, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x06,
0x41, 0x6D, 0x61, 0x7A, 0x6F, 0x6E, 0x31, 0x19,
0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
0x10, 0x41, 0x6D, 0x61, 0x7A, 0x6F, 0x6E, 0x20,
0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x41, 0x20,
0x33, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30,
0x35, 0x32, 0x36, 0x30, 0x30, 0x30, 0x30, 0x30,
0x30, 0x5A, 0x17, 0x0D, 0x34, 0x30, 0x30, 0x35,
0x32, 0x36, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
0x5A, 0x30, 0x39, 0x31, 0x0B, 0x30, 0x09, 0x06,
0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04,
0x0A, 0x13, 0x06, 0x41, 0x6D, 0x61, 0x7A, 0x6F,
0x6E, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x10, 0x41, 0x6D, 0x61, 0x7A,
0x6F, 0x6E, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20,
0x43, 0x41, 0x20, 0x33, 0x30, 0x59, 0x30, 0x13,
0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D,
0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x29,
0x97, 0xA7, 0xC6, 0x41, 0x7F, 0xC0, 0x0D, 0x9B,
0xE8, 0x01, 0x1B, 0x56, 0xC6, 0xF2, 0x52, 0xA5,
0xBA, 0x2D, 0xB2, 0x12, 0xE8, 0xD2, 0x2E, 0xD7,
0xFA, 0xC9, 0xC5, 0xD8, 0xAA, 0x6D, 0x1F, 0x73,
0x81, 0x3B, 0x3B, 0x98, 0x6B, 0x39, 0x7C, 0x33,
0xA5, 0xC5, 0x4E, 0x86, 0x8E, 0x80, 0x17, 0x68,
0x62, 0x45, 0x57, 0x7D, 0x44, 0x58, 0x1D, 0xB3,
0x37, 0xE5, 0x67, 0x08, 0xEB, 0x66, 0xDE, 0xA3,
0x42, 0x30, 0x40, 0x30, 0x0F, 0x06, 0x03, 0x55,
0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30,
0x03, 0x01, 0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03,
0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04,
0x03, 0x02, 0x01, 0x86, 0x30, 0x1D, 0x06, 0x03,
0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xAB,
0xB6, 0xDB, 0xD7, 0x06, 0x9E, 0x37, 0xAC, 0x30,
0x86, 0x07, 0x91, 0x70, 0xC7, 0x9C, 0xC4, 0x19,
0xB1, 0x78, 0xC0, 0x30, 0x0A, 0x06, 0x08, 0x2A,
0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03,
0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0xE0,
0x85, 0x92, 0xA3, 0x17, 0xB7, 0x8D, 0xF9, 0x2B,
0x06, 0xA5, 0x93, 0xAC, 0x1A, 0x98, 0x68, 0x61,
0x72, 0xFA, 0xE1, 0xA1, 0xD0, 0xFB, 0x1C, 0x78,
0x60, 0xA6, 0x43, 0x99, 0xC5, 0xB8, 0xC4, 0x02,
0x21, 0x00, 0x9C, 0x02, 0xEF, 0xF1, 0x94, 0x9C,
0xB3, 0x96, 0xF9, 0xEB, 0xC6, 0x2A, 0xF8, 0xB6,
0x2C, 0xFE, 0x3A, 0x90, 0x14, 0x16, 0xD7, 0x8C,
0x63, 0x24, 0x48, 0x1C, 0xDF, 0x30, 0x7D, 0xD5,
0x68, 0x3B
};
Now in aws_run.c file, following code fails:
cert_buf = aws_calist;
cert_buf_size = sizeof(aws_calist);
memset(&cert_info, 0, sizeof(cert_info));
cert_info.cert_Type = QAPI_NET_SSL_BIN_CA_LIST_E;
ca_info.ca_Buf = cert_buf;
ca_info.ca_Size = cert_buf_size;
cert_info.info.pem_CA_List.ca_Cnt = 1;
cert_info.info.pem_CA_List.ca_Info[0] = &ca_info;
status = qapi_Net_SSL_Cert_Store(&cert_info, AWS_CALIST_LOC);
if (QAPI_OK != status)
{
IOT_INFO("Certificate store is failed %d %d\n", status, __LINE__);
return FAILURE;
}
else
{
IOT_INFO("certificate store is success ......................\n");
}
When this code runs, it prints Certificate store failed. And after that it prints AWS THREAD EXITED !!!
I have make sure that code section and data section are set properly in linker script as per explanation in document.
What is happening wrong here? Please let me know.
Since you are using BIN_CA_LIST, kinldy use bin_CA_List instead of pem_CA_List. I am providing sample code for your referance:
589 static void init_root_ca_cert(void) {
590 static unsigned char crt[] = {
591 0x00, 0x00, 0x00, 0x01, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x00, 0x00, 0x00, 0x10,
592 0x30, 0x82, 0x03, 0xAF, 0x30, 0x82, 0x02, 0x97, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x08,
593 0x3B, 0xE0,
************
655 0x95, 0x6D, 0xDE
750 };
751
752 write_ca_to_tee(QAPI_NET_SSL_BIN_CA_LIST_E, crt, sizeof(crt));
753 }
754
755 static int write_ca_to_tee(qapi_Net_SSL_Cert_Type_t certType, uint8_t *ca_file_buf, uint32_t ca_cert_size) {
756 qapi_Status_t status;
757 qapi_CA_Info_t ca_info;
758 qapi_Net_SSL_Cert_Info_t cert_info = {0};
759
760 switch ((qapi_Net_SSL_Cert_Type_t)certType) {
761 case QAPI_NET_SSL_PEM_CA_LIST_E: {
762 ca_info.ca_Buf = ca_file_buf;
763 ca_info.ca_Size = ca_cert_size;
764 cert_info.cert_Type = QAPI_NET_SSL_PEM_CA_LIST_E;
765 cert_info.info.pem_CA_List.ca_Cnt = 1;
766 cert_info.info.pem_CA_List.ca_Info[0] = &ca_info;
767 break;
768 }
769 case QAPI_NET_SSL_BIN_CA_LIST_E: {
770 cert_info.cert_Type = QAPI_NET_SSL_BIN_CA_LIST_E;
771 cert_info.info.bin_CA_List.ca_List_Buf = ca_file_buf;
772 cert_info.info.bin_CA_List.ca_List_Size = ca_cert_size;
773 break;
774 }
775 default:
776 IOT_INFO("Unknown certificate/CA type %d\n", certType);
777 break;
778 }
779
780 status = qapi_Net_SSL_Cert_Store(&cert_info, AWS_CALIST_LOC);
781 IOT_INFO("CA storing: %d\n", status);
782 if (QAPI_OK != status) {
783 IOT_INFO("CA storing failed: %d\n", status);
784 }
785 return status;
786 }
With PEM certificate also its giving error. Tried with following:
Why above code is failing?
The reason for the failure is you have specifed cert_type as BIN and passing the arguments to pem_CA_List.
In case of cert_info.cert_Type = QAPI_NET_SSL_BIN_CA_LIST_E, use below params:
ca_info.ca_Buf = cert_buf;
ca_info.ca_Size = cert_buf_size;
cert_info.info.bin_CA_List.ca_List_Buf = ca_file_buf;
cert_info.info.bin_CA_List.ca_List_Size = ca_cert_size;
I have tried above code now with correct enum of PEM type certificate. Still it fails. Is it because of aws_calist array definition? Anything wrong in that?
Kindly try copying contents of aws_calist[] under a single line statement as described under Prerequisites to build onboard AWS demo in QCA402x (CDB2x) Development Kit User Guide.
Example:
uint8_t aws_calist[] =
{-----BEGIN CERTIFICATE-----MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5-----END CERTIFICATE-----};
Tried putting everything in one line as per documentation, but its not working, so I tried putting CR LF at end of each line as suggested in funciton comment of qapi_Net_SSL_Cert_Store. You can try it and you will see its not working.
I have tried locally using the same and no issues were seen :
include\cert_buf.h
uint8_t aws_calist[] =
{"-----BEGIN CERTIFICATE-----MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5-----END CERTIFICATE-----"};
Serial Console:
Onboard: AWS IoT SDK Version 3.0.1-
Onboard: Stack rc=100a0474 ret=100a0480
Onboard: Malloc mqttClient=100a04d8
Onboard: AWS shadow_init done
Onboard: Hostname:a2********-ats.iot.us-west-2.amazonaws.com
Onboard: Client crt file name:cert
Onboard: Client Thing name:QCA4020
Onboard: bytes_written num = 1
Onboard: Enable WLAN numVDEV:2Wlan enable_success
Onboard: Thread creation return value
Onboard: Waiting for Onboard events ...
Onboard: Mac Addr = 02:03:7f:99:92:14
Onboard: Monitor Thread is runnning ----------------------
Onboard: waiting on Monitor thread
Onboard: Current operation mode:0
Onboard: CONNECTING to SSID:QCA4020_9214, pwd:123456789
Onboard: setting to ap mode
Onboard:
Onboard: Setting SSID to QCA4020_9214
Onboard:
Onboard: certificate store is success ......................
Onboard: certificate store is success ......................
Onboard: WLANCB: dID:0, cbID:0, val:1
Onboard: Connect event on devId:0 val:1
Onboard: devid - 0 1 CONNECTED MAC addr 02:03:7f:99:92:14
Onboard: Server started.........
Onboard: Waiting on accept ...........................
Kindly share us your folder to verify the issue .
For now I have used binary certificate array and certificate load error has gone. Now it throws error in shadow connection. Following are the logs.
Kindly make sure your network is not blocking any AWS connection.
Check if there are any check blocking new devices for connection.
Restart QCA4020 to confirm if the behaviour is consistent.
However, can you also confirm if the same issue is seen with hotspot or non-corporate network ?
I checked with mobile hotspot and non-corporate network as well. Issue still remains the same. Actually QCA4020 does not send Client Hello packet for initial SSL connection. Blocking in network comes later. Seems like issue with SDK. Please let me know if you need further information.