5 Replies Latest reply on Oct 3, 2018 1:01 AM by AxLi_1746341

    EAP-TLS: How to set private key password?

    AxLi_1746341

      Hi,

      When testing EAP-TLS with an Ubuntu laptop I can upload a "Private key" and set a "Private key password".

      reference: https://4.bp.blogspot.com/-Ro85GO_wEtE/WaFyB_BUXEI/AAAAAAAAPPA/x0NLjrcozAIyI7FY757kEg2Y8ZgmAO4QwCPcBGAYYCw/s1600/2013-12-31-supplicant1.png


      When testing with WICED devices, I don't find the "private key password" setting when using the join_ent command.

      Anything I missed?


        • 1. Re: EAP-TLS: How to set private key password?
          GauravS_31

          Did you try setting the password in mbedtls_pk_parse_key()? It is called in tls_load_certificate_key(). It is set to NULL by default.

          • 2. Re: EAP-TLS: How to set private key password?
            AxLi_1746341

            grsr wrote:


            Did you try setting the password in mbedtls_pk_parse_key()? It is called in tls_load_certificate_key(). It is set to NULL by default.

            It's not set to NULL by default, it is hard-coded to NULL, so there is no way to pass the password to tls_load_certificate_key.

            This is a bug in the join_ent & wiced_tls_init_identity/tls_load_certificate_key APIs: they just cannot support a password-protected private key.

            • 3. Re: EAP-TLS: How to set private key password?
              GauravS_31

              But the low level mbedTLS API mbedtls_pk_parse_key( &credential->private_key, (const unsigned char *) private_key, key_length, NULL, 0 ) can support private key password. You can change the last two arguments in the function for the password. You can customize the higher level APIs or join_ent command to support private key password argument so that the argument would be passed to mbedtls_pk_parse_key(). If you check the call hierarchy of mbedtls_pk_parse_key(), you will find that it is called by join_ent()->besl_supplicant_init()->wiced_tls_init_identity()->tls_load_certificate_key()->mbedtls_pk_parse_key(). So you can customize to pass the password across the call hierarchy.

              • 4. Re: EAP-TLS: How to set private key password?
                AxLi_1746341

                I know the low level mbedTLS API can set private key password.

                The point is "the problem is in high-level WICED API" which does not allow passing private key password.

                If Cypress doesn't want to fix the WICED API, it means you have to ask every user that needs a private key password to HACK your API.

                Is this encouraged? (I won't call that change "customizing the higher level APIs".)

                In addition, it means Cypress does not test a private key with a password at all.

                From my point of view, this is a bug report to help improve your SDK.

                • 5. Re: EAP-TLS: How to set private key password?
                  AxLi_1746341

                  BTW, I just found that a key with the format below cannot be loaded:

                  -----BEGIN ENCRYPTED PRIVATE KEY-----

                  ...

                  -----END ENCRYPTED PRIVATE KEY-----
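The two technical points in this thread, the hard-coded NULL password passed to mbedtls_pk_parse_key() in reply 3 and the PKCS#8 "ENCRYPTED PRIVATE KEY" blob that fails to load in reply 5, come down to the same thing: the caller never tells the parser whether the key is encrypted. The following C is an added example, not WICED SDK or mbedTLS code. It classifies a PEM private key by its armour and headers so that firmware can refuse early, with a clear reason, when a key needs a password but none was supplied. The `load_private_key()` wrapper is hypothetical and only compiled when `HAVE_MBEDTLS` is defined; it assumes the mbedTLS 2.x five-argument `mbedtls_pk_parse_key()` signature quoted in the thread and that, for PEM input, the length passed includes the terminating NUL. Whether mbedTLS can then actually decrypt a PKCS#8 key depends on the library build (PKCS#5/PKCS#12 support being enabled), which is an assumption about configuration rather than something the thread establishes. The sample PEM blobs are constructed and their bodies are placeholders, not real keys.

```c
#include <stdio.h>
#include <string.h>

/* Classification of a PEM private key by its armour and headers. */
typedef enum {
    KEY_PLAINTEXT,   /* unencrypted key: pwd = NULL, pwdlen = 0 is fine */
    KEY_ENC_PKCS1,   /* traditional OpenSSL format, "Proc-Type: 4,ENCRYPTED" header */
    KEY_ENC_PKCS8,   /* "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8 EncryptedPrivateKeyInfo) */
    KEY_UNKNOWN      /* no recognisable private-key PEM armour */
} key_kind_t;

key_kind_t classify_pem_key(const char *pem)
{
    if (pem == NULL)
        return KEY_UNKNOWN;
    /* PKCS#8 encrypted keys signal encryption in the armour, not in a header. */
    if (strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----") != NULL)
        return KEY_ENC_PKCS8;
    /* Anything else must at least look like "-----BEGIN ... PRIVATE KEY-----". */
    if (strstr(pem, "-----BEGIN ") == NULL || strstr(pem, "PRIVATE KEY-----") == NULL)
        return KEY_UNKNOWN;
    /* Traditional (PKCS#1 RSA / SEC1 EC) keys flag encryption via PEM headers. */
    if (strstr(pem, "Proc-Type: 4,ENCRYPTED") != NULL)
        return KEY_ENC_PKCS1;
    return KEY_PLAINTEXT;
}

/* 1 if a password is required to parse this key, 0 otherwise. */
int key_needs_password(const char *pem)
{
    key_kind_t k = classify_pem_key(pem);
    return k == KEY_ENC_PKCS1 || k == KEY_ENC_PKCS8;
}

#ifdef HAVE_MBEDTLS
#include "mbedtls/pk.h"
/* Hypothetical replacement for the hard-coded NULL in tls_load_certificate_key():
 * the password is threaded through to the five-argument mbedTLS call (assumed
 * mbedTLS 2.x signature). For PEM input the length includes the terminating NUL. */
int load_private_key(mbedtls_pk_context *ctx, const char *pem, const char *pwd)
{
    if (key_needs_password(pem) && (pwd == NULL || pwd[0] == '\0'))
        return -1;  /* fail early with a clear reason instead of a generic parse error */
    return mbedtls_pk_parse_key(ctx,
                                (const unsigned char *)pem, strlen(pem) + 1,
                                (const unsigned char *)pwd, pwd ? strlen(pwd) : 0);
}
#endif

/* Constructed sample PEM blobs: the bodies are placeholders, not real keys. */
static const char SAMPLE_PLAIN[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "...placeholder body...\n"
    "-----END RSA PRIVATE KEY-----\n";

static const char SAMPLE_ENC_PKCS1[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"   /* constructed IV */
    "\n"
    "...placeholder body...\n"
    "-----END RSA PRIVATE KEY-----\n";

static const char SAMPLE_ENC_PKCS8[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "...placeholder body...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";

int main(void)
{
    const char *names[] = { "plain", "pkcs1-encrypted", "pkcs8-encrypted" };
    const char *blobs[] = { SAMPLE_PLAIN, SAMPLE_ENC_PKCS1, SAMPLE_ENC_PKCS8 };
    for (int i = 0; i < 3; i++)
        printf("%-16s needs password: %s\n", names[i],
               key_needs_password(blobs[i]) ? "yes" : "no");
    return 0;
}
```

The check costs nothing at runtime and turns "join failed" into "this key is encrypted and no password was given", which is what the original poster was missing. Keep in mind what the password buys on an embedded target: if both the encrypted key and its password are compiled into the same firmware image, the encryption protects the key during provisioning and storage outside the device, not against someone who can read the image.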