vDevModeKeyProvisioning() with ATECC608A chip

Hi,

I am currently using an ESP32 DevKitC with an external ATECC608A chip connected. From what I understood, this function either stores the certificates in NVS flash or provisions them to the ECCx08 chip. Is this correct, and if so, what exactly is the process or flow of operations? The goal is to be able to store the certificate and the private key (AWS-generated credentials for TLS) in the chip. Is it possible, using the vDevModeKeyProvisioning() function, to do all of this, and are there any requirements?

Hi @MrMelon,

The ATECC608A is distributed with Microchip’s Cryptoauthlib library. This library handles all the communication with the device for you. Included with it is a PKCS #11 implementation. My recommendation is for you to use PKCS #11 for all your operations with that chip.

It really depends on your use case, but I recommend that you follow the flow outlined in Amazon FreeRTOS. An alternative approach is to use the flow found in the SESIP example project, in which the device creates a CSR and a trusted device on the serial port sends it to IoT Core.

Note that you should avoid importing a private key into the ATECC608A. It is much more secure to use one that was generated on the device, to avoid leaking any data.

This whitepaper is also very helpful for understanding some approaches to provisioning.

Thanks,

Carl

Hi @lundic,

Thank you for your response on this situation; it is much appreciated. I am aware of the Cryptoauthlib library you speak of and its functionality. I’ve also seen the Amazon FreeRTOS example you mentioned. From what I understood from it, after generating certificates and registering them with AWS, modification of the file aws_clientcredential_keys.h is required so that the function vDevModeKeyProvisioning() provisions the secure element. In my case, I just want to store the certificate I already generated by another method into the secure element using vDevModeKeyProvisioning(). What specifically is required to be modified in the aws_clientcredential_keys.h file so that this can occur?

Hey @MrMelon,

I think the cleanest way may be to expose a helper function that takes a buffer, its size, and a label for it. This function is a little lengthy, but it contains all the bits and pieces you would need for importing a certificate.

If this is the certificate that you want to use for connecting to AWS then the pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS would be the correct label.

Am I understanding your use case correctly? I am happy to walk you through using a separate slot for the certificate if needed.

Thanks,

Carl

Here is a demo outlining how to import a certificate object with PKCS #11: aws-iot-device-sdk-embedded-C/pkcs11_demo_objects.c at abb462794c2c1c8f8505ff73d92c7836087509ff (aws/aws-iot-device-sdk-embedded-C on GitHub).

Hi @lundinc,

I tried running the Amazon example project and I keep getting errors when trying to run the ca_create_signer.py script.
Here is the error:

Traceback (most recent call last):
  File "ca_create_signer.py", line 150, in <module>
    create_intermediate_cert(args.code, args.vcert, args.cert, args.key, args.root, args.rootkey)
  File "ca_create_signer.py", line 104, in create_intermediate_cert
    x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski),
  File "/home/freertos/vendors/microchip/secure_elements/app/example_trust_chain_tool/env/lib/python3.8/site-packages/cryptography/x509/extensions.py", line 222, in from_issuer_subject_key_identifier
    key_identifier=ski.digest,
AttributeError: 'Extension' object has no attribute 'digest'

Is there any reason for this to happen?

Hi @MrMelon,

This is an issue with the Cryptography dependency. Please make sure that it is on major version 2, instead of 3.

You can modify the requirements.txt to the following:

    cryptography <= 2.9

Thanks,

Carl

Hi @lundinc,

I have tried your suggestion and it worked! Thanks for the help!
If there is anything else I’ll let you know.

@MrMelon great to hear! I’ll keep an eye on this thread!

Thanks,

Carl

Hi @lundinc,

Looks like I get this error when trying to run this command: python ca_create_device.py --sn <thing-name> --cert signer-ca.crt --key signer-ca.key --file public_key.pem. This runs the script that creates the device certificate.

Here is the error:

Traceback (most recent call last):
  File "ca_create_device.py", line 10, in <module>
    from cryptoauthlib import *
  File "/home/julien/freertos_robco_project/freertos/vendors/microchip/secure_elements/app/example_trust_chain_tool/env/lib/python3.8/site-packages/cryptoauthlib/__init__.py", line 18, in <module>
    load_cryptoauthlib()
  File "/home/julien/freertos_robco_project/freertos/vendors/microchip/secure_elements/app/example_trust_chain_tool/env/lib/python3.8/site-packages/cryptoauthlib/library.py", line 85, in load_cryptoauthlib
    _CRYPTO_LIB = cdll.LoadLibrary(os.path.join(curr_path, "libcryptoauth.so"))
  File "/usr/lib/python3.8/ctypes/__init__.py", line 451, in LoadLibrary
    return self._dlltype(name)
  File "/usr/lib/python3.8/ctypes/__init__.py", line 373, in __init__
    self._handle = _dlopen(self._name, mode)
OSError: /home/julien/freertos_robco_project/freertos/vendors/microchip/secure_elements/app/example_trust_chain_tool/env/lib/python3.8/site-packages/cryptoauthlib/libcryptoauth.so: undefined symbol: hid_open

Hmm, this did not crop up for me, testing with Python v3.9.2. Can you try downgrading the cryptoauthlib that was installed?

This seems particularly relevant:

    pip uninstall cryptoauthlib
    pip install cryptoauthlib==20190517 --no-cache-dir

Hi @lundinc,

Your suggestion works. But I’ve realized that this example is to perform JITR, whereas I am more interested in JITP. I have followed this guide and was successful with JITP using mosquitto. Now I am trying to implement this feature with the ESP32 and am having a few roadblocks and questions. One of the errors I am getting when trying to provision to the secure element is the following:
ERROR: Failed to provision device certificate. 5. I am certain that my formatting is correct; could there possibly be another mistake?
This is my formatting:

    "-----BEGIN CERTIFICATE-----\n"\
    "...base64 data...\n"\
    "-----END CERTIFICATE-----\n"

  1. I replaced keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM from NULL to the root CA I downloaded from Amazon, put the device private key, $DEVICE.key, into keyCLIENT_PRIVATE_KEY_PEM and lastly put the device certificate, $DEVICE.crt, generated as follows, into keyCLIENT_CERTIFICATE_PEM. N.B. This looks wrong. It’s 2 separate PEM certificates stuck together. Is this correct?

  2. When trying to establish the MQTT connection, the client certificate and private key must be specified in the parameters of the IotNetworkCredentials_t structure, notably .pClientCert and .pPrivateKey. Since I want the device to use the certificate it will obtain from the AWS cloud with JITP, what should these parameters be set to?
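An added example, not part of this thread and not code from Amazon FreeRTOS: a host-side C check for the kind of PEM string literal that goes into aws_clientcredential_keys.h. It answers the two things the post above is unsure about before anything reaches the chip: whether keyCLIENT_CERTIFICATE_PEM is one certificate or two stuck together, and whether the literal is syntactically valid PEM (each END label matching its BEGIN label, a line break after the header as RFC 7468 requires, a base64-only body). If the 5 in "Failed to provision device certificate. 5" is the PKCS #11 return code, it is CKR_GENERAL_ERROR, which says only that the import failed, so a check like this narrows things down. The function and constant names (pem_scan, pem_count_certificates, pem_is_single_certificate, SAMPLE_*) are mine, and the base64 bodies are constructed placeholders, not real certificates.

```c
/* Added example, not code from this thread or from Amazon FreeRTOS: a checker for PEM
 * buffers assembled from C string literals the way aws_clientcredential_keys.h expects
 * them. It counts BEGIN/END blocks and checks that each END label matches its BEGIN
 * label, that the header line ends in a line break (RFC 7468) and that the body is
 * base64. The sample bodies below are constructed placeholders, not real DER. */
#include <stdbool.h>
#include <string.h>

typedef struct {
    int certificates;  /* blocks labelled CERTIFICATE */
    int private_keys;  /* blocks whose label ends in PRIVATE KEY */
    int other;         /* any other label */
    int malformed;     /* label mismatch, missing line break, bad base64, truncated */
} pem_summary_t;

static const char BEGIN_TAG[] = "-----BEGIN ";
static const char END_TAG[]   = "-----END ";
static const char DASHES[]    = "-----";

static bool is_base64_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
}

/* Walk a NUL-terminated PEM buffer and fill *s. True when every block is well formed. */
bool pem_scan(const char *pem, pem_summary_t *s)
{
    const char *p = pem;
    memset(s, 0, sizeof *s);
    for (;;) {
        const char *begin = strstr(p, BEGIN_TAG);
        if (begin == NULL) break;
        const char *label = begin + strlen(BEGIN_TAG);
        const char *label_end = strstr(label, DASHES);
        if (label_end == NULL) { s->malformed++; break; }  /* truncated header */
        size_t label_len = (size_t)(label_end - label);

        /* RFC 7468: the header line ends before the base64 body starts. A "\n"
         * dropped from the string literal is exactly what this catches. */
        const char *body = label_end + strlen(DASHES);
        while (*body == ' ' || *body == '\t') body++;
        bool newline_ok = (*body == '\n' || *body == '\r');

        const char *end = strstr(body, END_TAG);
        if (end == NULL) { s->malformed++; break; }        /* footer missing */

        /* The END label must be identical to the BEGIN label. */
        const char *end_label = end + strlen(END_TAG);
        bool label_ok = strncmp(end_label, label, label_len) == 0 &&
                        strncmp(end_label + label_len, DASHES, strlen(DASHES)) == 0;

        /* Body: base64 alphabet and whitespace only, and not empty. */
        size_t b64_chars = 0;
        bool body_ok = true;
        for (const char *c = body; c < end; c++) {
            if (*c == '\n' || *c == '\r' || *c == ' ' || *c == '\t') continue;
            if (!is_base64_char(*c)) { body_ok = false; break; }
            b64_chars++;
        }

        if (!newline_ok || !label_ok || !body_ok || b64_chars == 0)
            s->malformed++;
        else if (label_len == 11 && strncmp(label, "CERTIFICATE", 11) == 0)
            s->certificates++;
        else if (label_len >= 11 && strncmp(label_end - 11, "PRIVATE KEY", 11) == 0)
            s->private_keys++;
        else
            s->other++;
        /* Resume scanning after this footer. */
        p = label_ok ? end_label + label_len + strlen(DASHES) : end + strlen(END_TAG);
    }
    return s->malformed == 0;
}

/* Number of CERTIFICATE blocks, or -1 if anything in the buffer is malformed. */
int pem_count_certificates(const char *pem)
{
    pem_summary_t s;
    return pem_scan(pem, &s) ? s.certificates : -1;
}

/* True only for exactly one well-formed certificate and nothing else: what a single
 * device-certificate slot expects. */
bool pem_is_single_certificate(const char *pem)
{
    pem_summary_t s;
    return pem_scan(pem, &s) && s.certificates == 1 && s.private_keys == 0 && s.other == 0;
}

/* Constructed samples (placeholder base64, not real certificates). */
static const char SAMPLE_SINGLE_CERT[] =
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n";

/* Two certificates back to back: valid PEM, but a chain, not one certificate. */
static const char SAMPLE_CHAIN[] =
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3A=\n"
    "-----END CERTIFICATE-----\n";
```

Compile this on the host and point pem_scan() at the exact macro values from aws_clientcredential_keys.h: keyCLIENT_CERTIFICATE_PEM should come back as a single certificate, keyCLIENT_PRIVATE_KEY_PEM as one private key, and a literal that lost its "\n" after the header is reported as malformed rather than silently failing on the device. The check deliberately stops at PEM syntax; it does not decode the DER, so a certificate that is well-formed PEM but unusable by the chip still passes.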

@MrMelon in your application, src/main.c, you can create another function like vDevModeKeyProvisioning (amazon-freertos/aws_dev_mode_key_provisioning.c at master, aws/amazon-freertos on GitHub)

and change the keys here:

    xParams.pucJITPCertificate = ( uint8_t * ) keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM;
    xParams.pucClientPrivateKey = ( uint8_t * ) keyCLIENT_PRIVATE_KEY_PEM;
    xParams.pucClientCertificate = ( uint8_t * ) keyCLIENT_CERTIFICATE_PEM;

when your application restarts, your keys (private key and certificate) will be picked up, so to send the certificates and private keys you would use a custom GATT service over Bluetooth:

https://docs.aws.amazon.com/freertos/latest/userguide/ble-demo.html

It works too. @lundinc, what do you think?

Hi @luk4z_7,

I am aware of how the function works and what parameters it looks for when provisioning certificates. I am also using MQTT over Wi-Fi and not Bluetooth. As discussed in this forum post, I got this error when trying to provision the chip, "ERROR: Failed to provision device certificate. 5", and was wondering what could go wrong.

The Bluetooth is a tip only, because it is one of the ways to send data to the microcontroller, but I understood. So try to search for the message in the source code and debug the logic behind it; I never got this error "Failed to provision device certificate".

Apologies for the delay,

Are you comfortable sending me a ZIP file of your certificates? I am not certain if the forum supports this, but you can email them to me at (my forum name)@amazon.com.

No worries if not. I will work on reproducing this in a day or two, and post back here afterwards.

Thanks,

Carl

No worries!
I’ve sent you an email regarding the certificates.

Hmm it seems your email was filtered out.

I suppose another approach is a DM with the certificates?

I did not go through the flow myself, but I think I see what may be the issue here.

I looked at the device certificate, and it seems to have been created in the “Create device certificates and perform JITP” step of Set up JITP with AWS IoT Core.

Instead of following those steps, take the CA you created and follow the steps we discussed earlier for provisioning an ATECC608A.

The certificate you create with said Python scripts should work; right now the device is returning an error due to the contents of the certificate. (Note that I would need to dig deep to see what the difference is; for now it is a black box to me.)

Another thing of note is that you may want to only use EC certificates, but I don’t think that matters for the JITP certificate.

For fun, here are some sample instructions for creating EC certs and keys: amazon-freertos/readme.md at master (aws/amazon-freertos on GitHub).

Let me know if you run into further issues.

So if I understand this well, I would create a signing CA from my root CA, then use the signing CA to create my device certificate and finally provision it to the secure element. Would the signing CA also need to have the JITP template attached to it? And would the signing CA also need to be provisioned to the device?