Issue in script "python reprov_helper.py"

Sachin_Patel · ‎Aug 02, 2022

Hi @AlenAn14 currently i am running the AWS_OTA using the MQTT example in that I run the "reprov_helper.py" script and found the below issue.

key: {'crv': 'P-256', 'kty': 'EC', 'use': 'sig', 'kid': '1', 'x': 'UR9hgEqcFo14PbkuvIgSpJA0pncbktCZGInvjo0bgbk', 'y': 'Tm3vNOIh8dRBmaj_VS4UyWRfuwf4Whs9CTOqarcczuI'} Device public key has been read successfully. Device certificate generated successfully. 2022-08-02 15:46:56,158 : C : WARN : There is gap between regions 269926400:270254080 and 270303232:270336000 (49152 bytes) 2022-08-02 15:46:56,158 : C : WARN : Policy validation finished with warnings Traceback (most recent call last): File "reprov_helper.py", line 305, in <module> main(sys.argv[1:]) File "reprov_helper.py", line 297, in main create_provisioning_packet() File "reprov_helper.py", line 166, in create_provisioning_packet cytools.create_provisioning_packet() File "C:\Users\Engibrains\ModusToolbox\tools_2.4\python\lib\site-packages\cysecuretools\main.py", line 250, in create_provisioning_packet image_cert=image_cert, dev_cert=dev_certs) File "C:\Users\Engibrains\ModusToolbox\tools_2.4\python\lib\site-packages\cysecuretools\core\strategy_context\prov_packet_strategy_ctx.py", line 54, in create return self._strategy.create(**kwargs) File "C:\Users\Engibrains\ModusToolbox\tools_2.4\python\lib\site-packages\cysecuretools\execute\provisioning_packet_mxs40v1.py", line 176, in create complete=True) File "C:\Users\Engibrains\ModusToolbox\tools_2.4\python\lib\site-packages\cysecuretools\execute\provisioning_lib\cyprov_hsm.py", line 57, in pack_provision_cmd x509.load_pem_x509_certificate(barr, default_backend()) File "C:\Users\Engibrains\ModusToolbox\tools_2.4\python\lib\site-packages\cryptography\x509\base.py", line 514, in load_pem_x509_certificate return rust_x509.load_pem_x509_certificate(data) TypeError: argument 'data': 'bytearray' object cannot be converted to 'PyBytes'

Thanks.

LeoMathews · ‎Sep 22, 2022

Hi @Sachin_Patel

Please install cysecuretools 3.1.0 using the following command

pip install cysecuretools

Before running the command

python reprov_helper.py

Please verify whether the cysecuretools version installed is 3.1.0

Thanks and Regards
Leo

View solution in original post

ninad_w · ‎Aug 02, 2022

Hi @Sachin_Patel ,

Could you please tell us which PSoC 6 board you are using in this example code?

Also please share the example code link or send the example project file.

Thank you!

Best regards,

Ninad

Sachin_Patel · ‎Aug 03, 2022

Hi @ninad_w ,

I am using "CY8CKIT-064S0S2-4343W" EVK.

Please find example code in below link.

https://github.com/Infineon/mtb-example-aws-iot-ota-mqtt

Thanks.

AlenAn14 · ‎Aug 03, 2022

HI @Sachin_Patel ,

Can you please let me know if you are running the "reprov_helper.py" script manually or are you using some cysecure tools commands?

Can you also let me know if you made any modifications in the policy file in the project as well?

Warm Regards
Alen

Sachin_Patel · ‎Aug 03, 2022

Hi @AlenAn14,

I ran it in Modus-shell1.3.0 at this project folder "mtb_shared\trusted-firmware-m\release-v1.3.3\security".

yes, I did some changes as per provisioning steps by readme. md , You can see below are provisioning steps in readme.md

Open a CLI terminal.

On Linux and macOS, you can use any terminal application. On Windows, open the "modus-shell" app from the Start menu.
Navigate the terminal to the <mtb_shared>/trusted-firmware-m/<tag>/security folder.

Run the following command.

cysecuretools --target CY8CKIT-064S0S2-4343W init

In the same directory create a folder called certificates and navigate the terminal to the new directory.
```
mkdir certificates
cd certificates
```
Create a root CA key pair.
```
openssl genrsa -out rootCA.key 2048 
```
Create a root CA certificate. When you run the following command you will be asked to enter some fields, fill them. You can leave the Common Name and Email Address fields empty.
```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```
Download the Amazon Root CA certificate and place it in the certificates directory. Keep the file name as AmazonRootCA1.pem.
Open the file <mtb_shared>/trusted-firmware-m/<tag>/security/policy/policy_multi_CM0_CM4_tfm_dev_certs.json in a text editor.
Edit the value of set_img_ok key to false.
Edit the value of chain_of_trust key to ["../certificates/device_cert.pem", "../certificates/AmazonRootCA1.pem"]. Save the file and close it.
If you already have a provisined kit, skip to step 13.

Run the following commands in the modus-shell from <mtb_shared>/trusted-firmware-m/<tag>/security directory.

cysecuretools -t CY8CKIT-064S0S2-4343W -p policy/policy_multi_CM0_CM4_tfm.json create-keys
cysecuretools -t CY8CKIT-064S0S2-4343W -p policy/policy_multi_CM0_CM4_tfm.json provision-device

Run the following command in the modus-shell from <mtb_shared>/trusted-firmware-m/<tag>/security directory, to re-provision the device. Select yes for all the questions asked.
```
python reprov_helper.py
```
Note that this step generates a device_cert.pem certificate file in the certificates folder that you created in step 4. This is a self-signed device certificate. This certificate should be attached to the AWS IoT Thing when it is created; do not let AWS create ceritficates for you.

The device_cert.pem file will be regenerated every time you run the reprov_helper.py python file. Take care to update the new device certificate to the AWS IoT Thing.

LeoMathews · ‎Sep 22, 2022

Hi @Sachin_Patel

Please install cysecuretools 3.1.0 using the following command

pip install cysecuretools

Before running the command

python reprov_helper.py

Please verify whether the cysecuretools version installed is 3.1.0

Thanks and Regards
Leo