aws / amazon-freertos

DEPRECATED - See README.md
https://aws.amazon.com/freertos/
MIT License

Add support to use a device certificate without a registered CA #3033

Open cmbpereira opened 3 years ago

cmbpereira commented 3 years ago

I am using the module ESP32-WROOM-32SE and I have registered a client certificate without a registered CA, using only the device certificate of the secure element. The first problem is that the template id of my certificate in the secure element is id 3, and in FreeRTOS I only found support for template id 1 and id 2. The second problem is that in iotls.c I don't have a way to disable the "Add a Just-in-Time Registration (JITR) device issuer certificate" step, and this routine makes the certificate read from the secure element invalid.

Thank you!

lundinc2 commented 3 years ago

Hi @cmbpereira,

I have added modifying the JITP/JITR logic to our backlog. For now, can you comment out the loading of this certificate?

Can you outline the difficulties for the certificate template id? I am not familiar with this parameter, and would like more details so we can consider this task.

Thanks,

Carl

cmbpereira commented 3 years ago

Hi @lundinc2

Thanks for taking care of this situation.

The template id is related to the secure element from Microchip (ATECC608A). In this file, amazon-freertos/libraries/abstractions/pkcs11/ecc608a/core_pkcs11_secureelement.c, when we select to use the Device certificate, the certificate template that gets loaded is the one with id 2.

    if( !strncmp( pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS, ( char * ) pLabel->pValue, pLabel->ulValueLen ) )
    {
        /* Slot 10 - Device Cert for Slot 0 */
        pkcs11_config_init_cert( pObject, pLabel->pValue, pLabel->ulValueLen );
        pObject->slot = 10;
        pObject->class_type = CK_CERTIFICATE_CATEGORY_TOKEN_USER;
        pObject->size = g_cert_def_2_device.cert_template_size;
        pObject->data = &g_cert_def_2_device;
        #ifdef FREERTOS_ENABLE_UNIT_TESTS
            pObject->flags = PKCS11_OBJECT_FLAG_DESTROYABLE;
        #endif
    }

And the templates are defined in this file, amazon-freertos/libraries/abstractions/pkcs11/ecc608a/atca_certchain.c, but the certificate template with id 3 isn't defined, so I have to use the template defined here: https://github.com/espressif/esp-cryptoauthlib/blob/c3d3a69021cfec3236ca2c0b63be4048ec6643a4/cryptoauthlib/app/tng/tngtls_cert_def_3_device.c

Thanks, Carlos
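The snippet quoted in the thread hard-wires the "Device Cert" label to slot 10 and to template id 2, which is exactly why a certificate written with template id 3 comes back undecodable. The following is an added example (not FreeRTOS, cryptoauthlib or the issue author's code) of the same label-to-template lookup written as a table-driven registry: the caller states which template id the device certificate was provisioned with, the lookup refuses an id that is not compiled in instead of silently using template 2, and the label comparison checks the full length rather than a strncmp prefix. All type and symbol names (label_attr_t, cert_def_t, g_registered_templates, resolve_slot, the template sizes) are hypothetical stand-ins for the PKCS#11 attribute, the atcacert_def_t template and the PKCS#11 object of the real code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a PKCS#11 CKA_LABEL attribute: the value is a
 * byte buffer with an explicit length, not a NUL-terminated C string. */
typedef struct {
    const void *pValue;
    size_t      ulValueLen;
} label_attr_t;

/* Hypothetical stand-in for an ATECC608A certificate template; the real
 * atcacert_def_t carries far more, only the fields used here are modelled. */
typedef struct {
    uint8_t template_id;
    size_t  cert_template_size;
} cert_def_t;

/* Resolved object, mirroring the slot/size/data fields set in the thread. */
typedef struct {
    uint8_t           slot;
    size_t            size;
    const cert_def_t *data;
} cert_object_t;

/* Constructed templates: ids 1 and 2 as the thread describes, plus the
 * board-specific id 3 that the reporter needs. Sizes are made-up values. */
static const cert_def_t g_cert_def_1_signer = { 1, 512 };
static const cert_def_t g_cert_def_2_device = { 2, 448 };
static const cert_def_t g_cert_def_3_device = { 3, 480 };

/* Registry of every template compiled into this build. */
static const cert_def_t *const g_registered_templates[] = {
    &g_cert_def_1_signer, &g_cert_def_2_device, &g_cert_def_3_device,
};

#define LABEL_DEVICE_CERT "Device Cert"
#define LABEL_SIGNER_CERT "Signer Cert"
#define SLOT_DEVICE_CERT  10
#define SLOT_SIGNER_CERT  11

/* Exact-length comparison: strncmp(label, pValue, ulValueLen) alone would also
 * accept a shorter caller-supplied prefix such as "Device" for "Device Cert". */
static bool label_equals(const label_attr_t *attr, const char *label)
{
    size_t n = strlen(label);
    return attr->ulValueLen == n && memcmp(attr->pValue, label, n) == 0;
}

/* Return the registered template with this id, or NULL if none is compiled in. */
const cert_def_t *find_template(uint8_t template_id)
{
    size_t count = sizeof g_registered_templates / sizeof g_registered_templates[0];
    for (size_t i = 0; i < count; i++) {
        if (g_registered_templates[i]->template_id == template_id)
            return g_registered_templates[i];
    }
    return NULL;
}

/* Resolve a label to slot + template. Returns 0 on success, -1 for an unknown
 * label and -2 for a template id that is not registered, so a provisioning
 * mismatch is reported instead of producing an unparsable certificate. */
int resolve_cert_object(const label_attr_t *attr, uint8_t device_template_id,
                        cert_object_t *out)
{
    uint8_t slot, wanted_id;
    if (label_equals(attr, LABEL_DEVICE_CERT)) {
        slot = SLOT_DEVICE_CERT;
        wanted_id = device_template_id;   /* configured, not hard-coded to 2 */
    } else if (label_equals(attr, LABEL_SIGNER_CERT)) {
        slot = SLOT_SIGNER_CERT;
        wanted_id = 1;
    } else {
        return -1;
    }
    const cert_def_t *def = find_template(wanted_id);
    if (def == NULL)
        return -2;
    out->slot = slot;
    out->size = def->cert_template_size;
    out->data = def;
    return 0;
}

/* Convenience wrapper: returns the resolved slot, or the negative error code. */
int resolve_slot(const char *label, size_t label_len, uint8_t device_template_id)
{
    label_attr_t attr = { label, label_len };
    cert_object_t obj;
    int rc = resolve_cert_object(&attr, device_template_id, &obj);
    return rc == 0 ? (int) obj.slot : rc;
}

int main(void)
{
    printf("device cert, template 3 -> slot %d\n", resolve_slot("Device Cert", 11, 3));
    printf("device cert, template 7 -> rc %d\n",   resolve_slot("Device Cert", 11, 7));
    printf("prefix label 'Device'   -> rc %d\n",   resolve_slot("Device", 6, 2));
    return 0;
}
```

With the template id supplied by configuration (for instance a build-time define next to pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS), adding a board's template is a one-line registry entry, and a board provisioned with an id the firmware does not know fails loudly at object lookup rather than later inside the TLS handshake.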