5 Replies Latest reply on Jan 24, 2019 2:47 PM by joMa_1809706

    DCT - Adding a field for a root certificate

    joMa_1809706

      I'm using studio 4.1.1. Is there an easy way to add a new field in the DCT to support root certificate downloads similar to what is currently done with the private certificate and the private key?

      I tried adding it after the DCT_MISC_SECTION section per the comments in the platform_dct.h file but the dct_write function doesn't even seem to handle the DCT_MISC_SECTION correctly along with any sections after it (bytes_to_copy calculates a negative number in reference to the version info).

       

      Since I'm not using OTA2, I also tried just adding the new field to the platform_dct_security_t struct and adding code to read/write the new field where the other fields are handled.. But that causes other problems.

      typedef struct
      {
          char    private_key[ PRIVATE_KEY_SIZE ];
          char    certificate[ CERTIFICATE_SIZE ];
          uint8_t cooee_key  [ COOEE_KEY_SIZE ];
          char    root_cert  [ CERTIFICATE_SIZE ]; //added
      } platform_dct_security_t;

        • 1. Re: DCT - Adding a field for a root certificate
          RaktimR_11

          I just added a field in the platform_dct_misc_config_t structure like this.

          typedef struct
          {
              uint32_t                wifi_flags;             /* Wi-Fi Misc Flags  */
              char                    root_cert[ CERTIFICATE_SIZE ];
          } platform_dct_misc_config_t;

          I modified the snip.dct_read_write application like this and I was able to add the certificate:

              platform_dct_misc_config_t* misc_dct = NULL;

              /* lock the misc section for reading; WICED_TRUE makes the pointer writable */
              wiced_dct_read_lock( (void**) &misc_dct, WICED_TRUE, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

              /* Print original mesh value and root certificate */
              WPRINT_APP_INFO( ( "Original\r\n" ) );
              WPRINT_APP_INFO( ( "wifi flags: 0x%lx\r\n", misc_dct->wifi_flags ) );
              WPRINT_APP_INFO( ( "certificate: %s\r\n", misc_dct->root_cert ) );
              WPRINT_APP_INFO( ( "      mesh: %ld\r\n", misc_dct->wifi_flags & WIFI_FLAG_MESH ) );

              /* Modify mesh value and load the root certificate */
              misc_dct->wifi_flags ^= WIFI_FLAG_MESH;
              /* httpbin_root_ca_certificate (a PEM string compiled into the app) must fit in
               * CERTIFICATE_SIZE including its terminating NUL, otherwise this overruns root_cert */
              strcpy( misc_dct->root_cert, httpbin_root_ca_certificate );

              /* write it out */
              wiced_dct_write( (const void*) misc_dct, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

              /* unlock & lock again (re-reads dct) */
              WPRINT_APP_INFO( ( "Changed wifi_flag WIFI_FLAG_MESH \r\n" ) );
              wiced_dct_read_unlock( misc_dct, WICED_TRUE );
              wiced_dct_read_lock( (void**) &misc_dct, WICED_TRUE, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

              /* Print changed mesh value and the certificate read back from flash */
              WPRINT_APP_INFO( ( "wifi flags: 0x%lx\r\n", misc_dct->wifi_flags ) );
              WPRINT_APP_INFO( ( "certificate: %s\r\n", misc_dct->root_cert ) );
              WPRINT_APP_INFO( ( "mesh: %ld\r\n", misc_dct->wifi_flags & WIFI_FLAG_MESH ) );

              /* restore original mesh value */
              misc_dct->wifi_flags ^= WIFI_FLAG_MESH;

              /* write it out */
              wiced_dct_write( (const void*) misc_dct, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

              /* unlock & lock again (re-reads dct) */
              wiced_dct_read_unlock( misc_dct, WICED_TRUE );
              wiced_dct_read_lock( (void**) &misc_dct, WICED_TRUE, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

              /* Print restored mesh value */
              WPRINT_APP_INFO( ( "Restored wifi_flag WIFI_FLAG_MESH \r\n" ) );
              WPRINT_APP_INFO( ( "wifi flags: 0x%lx\r\n", misc_dct->wifi_flags ) );
              WPRINT_APP_INFO( ( "      mesh: %ld\r\n", misc_dct->wifi_flags & WIFI_FLAG_MESH ) );

              /* release the read lock */
              wiced_dct_read_unlock( misc_dct, WICED_TRUE );

          Could you please tell me what you are doing differently and what the corresponding error log is?

          • 2. Re: DCT - Adding a field for a root certificate
            joMa_1809706

            Have you accounted for the fact that LARGEST_DCT_SUB_STRUCTURE_SIZE is 4k and that CERTIFICATE_SIZE is also 4k? This makes the data stored in the misc section larger than the buffer used to move it around.

            Also, the comment in platform_dct_data_t says to add it AFTER the misc section, not in it: /* If you need to add anything to the DCT, add it here, in a new structure */

            Furthermore, as mentioned in my original post, the dct write function says /* Calculate how many bytes need to be written after the end of the header to the start of the dct_version structure */, and the misc section is after the version, not before, so we get a negative bytes_to_copy.

            I'm just trying to get the root cert downloadable without breaking everything. I would prefer to just add it to the security_credentials structure.

            • 3. Re: DCT - Adding a field for a root certificate
              joMa_1809706

              I'm not sure where the problem actually is; I'm just pointing to things that are causing problems when trying to add in or below the misc section.

              When I add the root_cert storage location to this structure, the AWS connection will no longer work even when I don't load anything into this location and just use the compiled-in default root cert. The connection is closed by the server. Removing this storage location, AWS works fine. When I use this storage location for an MQTT secure connection to an MQTT broker, the connection works fine.

              typedef struct
              {
                  char    private_key[ PRIVATE_KEY_SIZE ];
                  char    certificate[ CERTIFICATE_SIZE ];
                  uint8_t cooee_key  [ COOEE_KEY_SIZE ];
                  char    root_cert  [ CERTIFICATE_SIZE ]; //added
              } platform_dct_security_t;

              So basically, what causes the AWS connection to fail by just increasing the memory used for the DCT storage?

              What error log are you referring to?

              The only thing I know is that I get an ERROR 4 when I try to open the connection to AWS, caused by an ERROR_QUEUE_INIT from a wiced_tcp_start_tls error.

              • 4. Re: DCT - Adding a field for a root certificate
                joMa_1809706

                So far, anything I do to put any storage into the DCT causes the compiled-in default root certificate to give me an error 5035 when I try to connect to AWS.

                    RESULT_ENUM( prefix, UNTRUSTED_CERTIFICATE,               5035 ),   /**<   */ \

                Note: I am not using the storage location to hold anything at this point. I take my working code, add a buffer that will be used to eventually store a root cert, and AWS gives me this error. I remove the buffer and AWS is happy. If I add all the stuff I need to actually use the buffer and download certs and keys for an MQTT server, this also works.

                On another, entirely different front: if I take my working AWS code and try to use the new AWSCA1 root cert with "-ats" added to my endpoint, I also get a 5035 error. No extra buffer; the new cert is compiled in, replacing the old Symantec cert.

                • 5. Re: DCT - Adding a field for a root certificate
                  joMa_1809706

                  Got it working. Had to reduce CERTIFICATE_SIZE from 4K to 3K.

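The two constraints that bit in this thread, a sub-structure larger than the buffer the write path moves sections through and a section placed after the version structure, as an added C example; this is not code from the thread or from the WICED SDK. The constants (the 4K LARGEST_DCT_SUB_STRUCTURE_SIZE, the 3K CERTIFICATE_SIZE from the final reply), the misc struct layout and the bytes_to_copy arithmetic are assumptions modelled on what the posts describe, and the PEM string is constructed, not a real certificate; check them against your SDK's platform_dct.h and wiced_dct_write() before relying on them.

```c
/* Constructed model of the DCT sizing problem discussed in this thread.
 * Constants, layout and the bytes_to_copy arithmetic are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KB(n)                          ((size_t)(n) * 1024u)
#define LARGEST_DCT_SUB_STRUCTURE_SIZE KB(4)   /* 4K, as stated in reply 2 */
#define CERTIFICATE_SIZE               KB(3)   /* reduced from 4K, as in reply 5 */

/* The misc section as extended in reply 1 (layout assumed). */
typedef struct {
    uint32_t wifi_flags;
    char     root_cert[CERTIFICATE_SIZE];
} platform_dct_misc_config_t;

/* Fail the build, not the device, if a sub-structure outgrows the buffer
 * used to shuttle sections through the write path. With a 4K certificate
 * field this struct is 4100 bytes and the assert fires. */
_Static_assert(sizeof(platform_dct_misc_config_t) <= LARGEST_DCT_SUB_STRUCTURE_SIZE,
               "platform_dct_misc_config_t exceeds LARGEST_DCT_SUB_STRUCTURE_SIZE");

/* Same check as a run-time predicate so both certificate sizes can be tried. */
int misc_section_fits(size_t certificate_size)
{
    size_t misc_size = sizeof(uint32_t) + certificate_size;  /* no padding for a char array */
    return misc_size <= LARGEST_DCT_SUB_STRUCTURE_SIZE;
}

/* Model of the write-path arithmetic reply 2 quotes: bytes from the end of the
 * section being written to the start of the dct_version structure. A section
 * that lies after the version structure gives a negative count (or, with
 * unsigned arithmetic, a huge wrapped one). Returns -1 in that case so the
 * caller can refuse the write instead of copying garbage. */
long bytes_to_copy_before_version(size_t section_offset, size_t section_size,
                                  size_t version_offset)
{
    ptrdiff_t diff = (ptrdiff_t)version_offset - (ptrdiff_t)(section_offset + section_size);
    return diff < 0 ? -1 : (long)diff;
}

/* Bounded replacement for the strcpy() in reply 1: store a PEM string in a
 * fixed-size DCT field only if it fits together with its terminating NUL.
 * Returns 0 on success, -1 if the PEM is too long for the field. */
int dct_store_pem(char *field, size_t field_size, const char *pem)
{
    size_t len = strlen(pem);
    if (len + 1 > field_size) {
        return -1;
    }
    memset(field, 0, field_size);   /* no stale bytes left after the NUL */
    memcpy(field, pem, len + 1);
    return 0;
}

/* Sanity check for a field read back from the DCT before it is handed to
 * the TLS stack: NUL-terminated inside the field and framed like a PEM cert. */
int dct_pem_is_plausible(const char *field, size_t field_size)
{
    const char *nul = memchr(field, '\0', field_size);
    if (nul == NULL) {
        return 0;
    }
    return strstr(field, "-----BEGIN CERTIFICATE-----") != NULL &&
           strstr(field, "-----END CERTIFICATE-----") != NULL;
}

/* Constructed placeholder, not a real certificate. */
static const char sample_root_ca[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPLACEHOLDERnotArealCertificateBody\n"
    "-----END CERTIFICATE-----\n";

int main(void)
{
    platform_dct_misc_config_t misc = { 0 };

    printf("misc fits with 4K cert: %d, with 3K cert: %d\n",
           misc_section_fits(KB(4)), misc_section_fits(KB(3)));
    printf("section before version: %ld bytes, section after version: %ld\n",
           bytes_to_copy_before_version(64, 256, 8192),
           bytes_to_copy_before_version(8192, 256, 4096));

    if (dct_store_pem(misc.root_cert, sizeof misc.root_cert, sample_root_ca) == 0 &&
        dct_pem_is_plausible(misc.root_cert, sizeof misc.root_cert)) {
        printf("stored %zu-byte PEM in root_cert\n", strlen(misc.root_cert));
    }
    return 0;
}
```

The _Static_assert is the cheap version of the check reply 2 did by hand: with CERTIFICATE_SIZE back at 4K the misc struct is four bytes over the 4K buffer and the build stops. dct_store_pem is what the strcpy() in reply 1 should be, since a PEM one byte longer than the field would silently overrun whatever follows root_cert in the section.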