Upload own certificates
21.03.15 21:24
Hello all,

I am trying to build a TLS-secured Web Socket and want to use my own certificates. But I don't know how to upload these files :/ I only found a solution for using the files if they are already on the device. Could anyone help me?

Thank you,
Mario
0 (0 votes)
24.03.15 10:22 in reply to Mario Schillmüller.
OK, it should work with the Unicast tool from Texas Instruments, but I can't connect to the device... Now I've written my certificate in a char array and uploaded it with the functions of fs.c. The file should now be stored in the SFlash, if I understand it right. I hope that works :)
0 (0 votes)
07.04.15 06:40 in reply to Mario Schillmüller.
Hello Mario,


apologies for the late reply.

The doxygen documentation currently does not include the filesystem API for the Wlan radio. However, as you have discovered, establishing a TLS connection requires storing the certificate on the flash of the Wlan radio.

Please open up this file in XDK Workbench: lib\wifi\TI\simplelink\include\fs.h

It outlines how to use the filesystem API and enables you to upload the files in question. The way to go in fact is to write a small program that will upload the certificate. XDK currently does not support the desktop tools supplied by TI.

In case you have any more questions, please do not hesitate to ask here.

Regards,

Bastian
0 (0 votes)
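A host-side helper for the approach discussed in the posts above, where the certificate is compiled into a small upload program as a char array. This is an added example, not code from the thread or the XDK SDK: it converts a PEM certificate to DER, refuses input that is truncated or is not a certificate, and prints the array. The array name and the sample bytes are assumptions; the device-side write through the fs.h API is not shown.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block and check its DER framing."""
    m = PEM_RE.search(pem_text)
    if not m:
        # A PRIVATE KEY block does not match, so it is refused here as well.
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, body = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("length mismatch: header says %d bytes, input has %d"
                         % (header + body, len(der)))
    return der

def der_to_c_array(der, name):
    """Render DER bytes as a const array plus length for the upload program."""
    hexed = ", ".join("0x%02x" % b for b in der)
    rows = textwrap.fill(hexed, width=76, initial_indent="    ",
                         subsequent_indent="    ")
    return ("static const unsigned char %s[] = {\n%s\n};\n"
            "static const unsigned int %s_len = %du;\n"
            % (name, rows, name, len(der)))

def make_pem(der):
    """Wrap DER bytes in PEM armor (used here only to build the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in: valid DER framing around zero bytes, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

if __name__ == "__main__":
    print(der_to_c_array(pem_to_der(make_pem(SAMPLE_DER)), "ca_cert_der"))
```

A certificate that arrives on the flash a few bytes short fails TLS verification with an error that is hard to trace back to the upload, so the length check is worth running before the array is compiled in.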
07.04.15 08:04 in reply to Wolf-Bastian Pöttner.
Thank you for your reply. The upload of my own files works fine. But I need a TLS cipher suite for my project which is not supported :(
0 (0 votes)
07.04.15 08:12 in reply to Mario Schillmüller.
Hi Mario,


what ciphersuite do you need exactly?

With XDK Workbench, we have included the cyaSSL library into XDK. Support is still experimental, but you could give it a try. It allows HTTPS Server and Client connections as well as plain TLS connections.

Since this is still experimental, you are outside of supported terrain here - however, have a look at this file: xdk110\PAL_XDK\cyassl_adapt\CyaSslAdapter.h. In there, you will find the following functions:
  • Tcp_SecureClient_initialize
  • Tcp_SecureClient_credentials

Afterwards, you can establish an encrypted TCP connection.

Please provide feedback on how you liked the functionality.


Regards

Bastian


 
0 (0 votes)
07.04.15 08:21 in reply to Wolf-Bastian Pöttner.
Thank you very much. But I need TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256. The hardware can't support that, as I heard.
0 (0 votes)
07.04.15 08:35 in reply to Mario Schillmüller.
Hi Mario,


as said, you are outside of the supported area now. However, based on a quick check, cyaSSL supports the ciphersuite that you require. cyaSSL will not use hardware acceleration, all crypto-related calculations will be done in software.

So, in case you really require this cipher, feel free to give cyaSSL a try.


Regards

Bastian
0 (0 votes)
07.04.15 08:39 in reply to Wolf-Bastian Pöttner.
aaaahhhh... OK, I will try it :)
0 (0 votes)
07.04.15 13:00 in reply to Mario Schillmüller.
There are some things that I need, for example the aes or sha256. But I don't know what I have to do to include this in my project... I've tried several things but every time I get the message "no such file or directory". Could you help me again?
0 (0 votes)
14.04.15 15:24 in reply to Mario Schillmüller.
Hi Mario,


sorry for letting you wait so long, but I am currently on a business trip. Officially, XDK does not support TLS connections with this ciphersuite. The reason is that we do not have an official interface for TLS connections. However, the crypto library that we are using (cyaSSL) supports said ciphersuite in the configuration we are using. However, you have to be aware that you are moving outside of supported terrain when going down this path. Furthermore, I have to say that we have never actually tested the combination which I will outline in the following. Therefore, using it, especially in a production environment, is at your own risk.

For starters, you can try looking here: xdk110\PAL_XDK\cyassl_adapt\CyaSslAdapter.c.

In there, you will find the following functions:
  • retcode_t Tcp_SecureClient_initialize(void);
  • retcode_t Tcp_connectSecure(Ip_Address_T *ipAddr_ptr, Ip_Port_T ..., Callable_T *callback_ptr, Tcp_Socket_T *socket_ptr)
  • retcode_t Tcp_receive(Tcp_Socket_T socket, CommBuff_T *rcvdData_ptr)
  • retcode_t Tcp_send(Tcp_Socket_T socket, CommBuff_T data, Callable_T *callback_ptr)
  • ...

Some documentation can be found in this file: lib\ServalStack\pal\Serval_Tcp.h

You may also have to modify this file to give the necessary credentials (key material) for the TLS connection: xdk110\PAL_XDK\cyassl_adapt\CyaSslCredentials.c.

In case you are inside the Bosch network, you can furthermore access the following three documents that may help you:
  • http://rb-bios-com4t.bosch.com/serval/doc/Serval_Dev_Guide_P01_Getting_Started.pdf
  • http://rb-bios-com4t.bosch.com/serval/doc/Serval_Dev_Guide_P02_Advanced.pdf
  • http://rb-bios-com4t.bosch.com/serval/api/current/

Regards,

Bastian
0 (0 votes)
15.04.15 06:47 in reply to Wolf-Bastian Pöttner.
Hi Bastian,

I've already found the files but I don't know what I have to do to use them in my source code... If I just #include "aes.h" for example, I get the message "no such file or directory".
Same behavior in case of "SDK/lib/cyassl/cyassl/ctaocrypt/aes.h". I'm sorry for this low-level question but I haven't worked with embedded systems to this extent before. Do I have to write anything in the makefile?

Thank you
0 (0 votes)
15.04.15 07:19 in reply to Mario Schillmüller.
Hi Mario,


you can find the include path configuration in the following file: xdk110\make\application.mk

If you want to work with the cyaSSL files directly, then you should add the following lines to the include directories in the file application.mk:
-I $(CYASSL_LIB_PATH) \

Then, you should be able to use the following include statement in your own code:
#include "cyassl/ctaocrypt/aes.h"

BUT: As said, before trying this, I would rather go for the PAL-internal functions for TLS connections, because they already abstract much of the complexity away. Only if this path does not work out (as said, untested and unsupported) you should try to manually interact with cyaSSL.

Please keep in mind, that usually crypto-related problems are the hardest to find and even harder to debug. Therefore, you may have a rocky road ahead.


Regards

Bastian
 
0 (0 votes)
15.04.15 07:41 in reply to Wolf-Bastian Pöttner.
Thank you very, very much. This is exactly what I'm searching for :) Just one more thing... The ssl.h tries to include <sys/ui.h> but can't find the file. Could you give me the file?

Thank You,

Regards

Mario
0 (0 votes)
15.04.15 17:48 in reply to Mario Schillmüller.
Hi Mario,


thank you very much for making me aware of this problem. There is actually a configuration problem which we will fix in the May release of XDK.

Until then, you can add the following to the makefile of your application:
CYASSL_FEATURES_CONFIG = \
    -DSINGLE_THREADED \
    -DCYASSL_USER_IO \
    -DNO_WRITEV \
    -DFREERTOS \
    -DUSER_TICKS \
    -DUSER_TIME \
    -DXMALLOC_USER \
    -DNO_SESSION_CACHE \
    -DTFM_TIMING_RESISTANT \
    -DNO_ERROR_STRINGS \
    -DNO_MD4 \
    -DNO_RABBIT \
    -DNO_PWDBASED \
    -DNO_RC4 \
    -DNO_DES \
    -DNO_DES3 \
    -DFP_MAX_BITS=512 \
    -DCYASSL_DTLS \
    -DHAVE_THREAD_LS \
    -DHAVE_ECC \
    -DNO_DSA \
    -DNO_PWDBASED \
    -DNO_HC128 \
    -DNO_FILESYSTEM \
    -DUSE_FAST_MATH \
    -DCYASSL_LPC43xx \
    -DDEBUG_CYASSL \
    -DCYASSL_SMALL_STACK \
    -DTFM_ECC256 \
    -DECC_SHAMIR \
    -DNO_DH \
    -DHAVE_HASHDRBG

Then, please change the following line
override CFLAGS += $(CFLAGS_APP)
to
override CFLAGS += $(CFLAGS_APP) $(CYASSL_FEATURES_CONFIG)

Now you should be able to compile your project.

Please let me know if you have any more issues.


Regards,

Bastian

 
0 (0 votes)
15.04.15 23:14 in reply to Wolf-Bastian Pöttner.
Thank you,
the next failure I received is "*** missing separator.  Stop." at line "-DSINGLE_THREADED \" in the makefile

Regards 

Mario
0 (0 votes)
16.04.15 02:33 in reply to Mario Schillmüller.
Hi Mario,


that is a common problem in Makefiles (you will find it dozens of times on Google). Oftentimes this is related to the indentation or misplaced whitespaces. However, this is not XDK specific but rather a general property (not to say problem) of Makefiles. I recommend one of those sites to track down the problem:
  • http://stackoverflow.com/questions/16931770/makefile4-missing-separator-stop
  • http://stackoverflow.com/questions/18936337/makefile1-missing-separator-stop

Regards

Bastian
0 (0 votes)
16.04.15 02:34 in reply to Wolf-Bastian Pöttner.
Hi Mario,


I have just verified: If you copy the code from above into Eclipse, you will have spaces (instead of tabs) in front of each line. Please replace the 4 spaces with a tab and you should be fine.


Regards

Bastian
0 (0 votes)
16.04.15 06:51 in reply to Wolf-Bastian Pöttner.
Yeah, you're right... First the whitespaces instead of tabs and second the whitespace after every comment... Bad behavior of the makefile :D

Thanks,

Regards

Mario
0 (0 votes)
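An added check, not part of the thread or the XDK SDK, for whitespace after a line-ending backslash in the flag block discussed above. make continues a line only when the backslash is the last character, so a blank after it ends the assignment and the next line is parsed as a new statement. The sample fragment is a constructed, shortened copy of the flag list; the function names are assumptions.

```python
import re

def broken_continuations(text):
    """Lines where blanks follow the final backslash. make continues a line
    only if the backslash is the last character, so these end the statement."""
    return [n for n, line in enumerate(text.split("\n"), 1)
            if re.search(r"\\[ \t]+$", line)]

def logical_lines(text):
    """Join physical lines the way make does before parsing them."""
    out, buf = [], ""
    for line in text.split("\n"):
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])

def flags_assigned(text, var):
    """-D tokens that really end up in `var` once continuations are resolved."""
    pattern = re.compile(r"\s*%s\s*[:+?]?=(.*)$" % re.escape(var))
    for line in logical_lines(text):
        m = pattern.match(line)
        if m:
            return [t for t in m.group(1).split() if t.startswith("-D")]
    return []

def duplicate_flags(flags):
    """Flags listed more than once (harmless, but a sign of a hand-merged list)."""
    return sorted({f for f in flags if flags.count(f) > 1})

def repair(text):
    """Drop blanks after a line-ending backslash; nothing else is changed."""
    return re.sub(r"\\[ \t]+$", lambda m: "\\", text, flags=re.M)

# Constructed sample: a shortened copy of the flag block from the thread with
# one blank after the first backslash, as left behind by copy and paste.
SAMPLE_MK = (
    "CYASSL_FEATURES_CONFIG = \\ \n"
    "    -DSINGLE_THREADED \\\n"
    "    -DNO_RC4 \\\n"
    "    -DNO_PWDBASED \\\n"
    "    -DNO_FILESYSTEM \\\n"
    "    -DNO_PWDBASED \\\n"
    "    -DHAVE_ECC\n"
    "override CFLAGS += $(CFLAGS_APP) $(CYASSL_FEATURES_CONFIG)\n"
)
```

Comparing `flags_assigned` before and after `repair` shows whether feature switches such as `-DNO_RC4` or `-DNO_FILESYSTEM` actually reach the compiler.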
19.04.15 08:35 in reply to Mario Schillmüller.
Hi Bastian,

All the cryptographic methods are working very well. Now I am trying to solve the TLS problem again. But there are a couple of problems... I know that this is unsupported area but maybe you already know the solution.

If I try to include "CyaSslAdapter.h" I get the failure "No such file or directory". So maybe one more problem in the makefile...

If I try to use "ssl.h" instead of "CyaSslAdapter.h" the include works but some methods from ssl.h are not found. For example, "CyaSSL_CTX_use_certificate_file()" throws this failure: "undefined reference to `CyaSSL_CTX_use_certificate_file'". I've already taken a look in ssl.h and found the methods. ôO

And the last failure... If you just use the "CyaSSL_CTX_new()" method, it will compile without any problems, but when you call the method in your program you get the following failure:  asserted at Filename D:/Programme/XDK/SDK/lib/FreeRTOS/source/queue.c , line no  1176

Do you know anything about these errors?
Thank you

Regards
Mario
0 (0 votes)
29.04.15 09:13 in reply to Mario Schillmüller.
Hi Mario,

again, sorry for the delay. Your questions required quite some effort to investigate and I have to remind you again that this is not an officially supported feature of XDK.

Question 1: This is a standard property of include path settings. Include paths are configured in the makefile. You can simply add a line to include the directory in which CyaSslAdapter.h sits and then your include will work:
-I $(BCDS_XDK110_DIR)/PAL_XDK/cyassl_adapt \
(watch out to get the whitespaces correct)

Question 2: The header file ssl.h contains conditional compilation via preprocessor statements (prefixed with #). In particular, it is checking whether the system has a filesystem. Since XDK is not a POSIX system, we are not offering a standard filesystem API, which is why we are compiling cyaSSL *without* support for reading files from the filesystem. This is the reason why the function is not available on XDK. I see, however, that XDK Workbench is highlighting the source code in the wrong way and we will improve this for the next release of XDK Workbench.

Question 3: I would assume that this function has certain preconditions that may not be met by your code. I cannot disclose any documentation here, but cyaSSL is in fact open source code. Feel free to find the source code online to dig into the code and find the culprit.

I hope I could give you pointers in the right direction so that you are able to solve your problem.

Best regards

Bastian
0 (0 votes)