OTA integration test certificate issue

I’m working on an OTA port and trying to get the tests to pass. I am using the FreeRTOS/FreeRTOS-Libraries-Integration-Tests/blob/main/src/ota/test_files/ecdsa-sha256-signer.crt.pem.test. To provision the certificate I’m using xProvisionCertificate from FreeRTOS/FreeRTOS-Libraries-Integration-Tests/blob/main/src/pkcs11/dev_mode_key_provisioning/dev_mode_key_provisioning.c). otaPal_CloseFile is expected to validate the signature using the certificate provisioned earlier. When the certificate is loaded by mbedtls it returns MBEDTLS_ERR_ASN1_UNEXPECTED_TAG from mbedtls_asn1_get_tag. Does anyone know what could be causing this?

OTA does not appear under “optional tags”. It may be worth adding.

@renesas.bg I’ve forwarded this topic to one of my colleagues who can investigate further.

To assist them in this, can you re-build with logging enabled and include any useful information generated at runtime?

If you are using corePKCS11 or another software token, you might also try to dump the flash in which the certificate is stored to ensure that it has been written correctly.

You might also try importing a certificate containing an RSA key to see if the issue is related to ECDSA key handling. If this works, please check that your mbedtls configuration has ECDSA and the relevant curve enabled.

Update:
My colleague suggested that you can extract the public key from the certificate using the following openssl command:

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

and then import it using the xProvisionPublicKey function from aws_dev_mode_key_provisioning.c.

This of course depends on you OTA PAL implementation and whether or not it expects to use the public key or a certificate for the verification operation.

Hi @renesas.bg,
Sometimes I need to extract the public key from certificate and then import the public key into the device to verify the signature. Depend on your implementation.

I used cli.c to provision public key into the device.
And the content of pucKey is in PEM format, for example:

-----BEGIN PUBLIC KEY-----\n
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyza/tGLVbVxhL41iYtC8D6tGEvAH\n
u498gNtqDtPsKaoR3t5xQx+6zdWiCi32fgFT2vkeVAmX3pf/Gl8nIP48Zg==\n
-----END PUBLIC KEY-----\n

Command to extract public key from certificate:

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

Please give it a try and let me know if you need more help.

Thanks.

Extracting and using the public key did work for signature verification. I’m still concerned about the certificate parsing though, shouldn’t that work?

Hi @renesas.bg,
Thanks for your feedback.
In my opinion, we can use both certificate/public key to verify signatures.
The only difference is if we need to extract public key from certificate before verifying.
And that depends on platform implementation on OTA PAL layer.

Reference: digital_signature
verify-signature

Thanks.