DCT - Adding a field for a root certificate


joMa_1809706
Level 4

I'm using studio 4.1.1. Is there an easy way to add a new field in the DCT to support root certificate downloads similar to what is currently done with the private certificate and the private key?

I tried adding it after the DCT_MISC_SECTION section per the comments in the platform_dct.h file but the dct_write function doesn't even seem to handle the DCT_MISC_SECTION correctly along with any sections after it (bytes_to_copy calculates a negative number in reference to the version info).

Since I'm not using OTA2, I also tried just adding the new field to the platform_dct_security_t struct and adding code to read/write the new field where the other fields are handled. But that causes other problems.

typedef struct
{
    char    private_key[ PRIVATE_KEY_SIZE ];
    char    certificate[ CERTIFICATE_SIZE ];
    uint8_t cooee_key  [ COOEE_KEY_SIZE ];
    char    root_cert  [ CERTIFICATE_SIZE ]; /* added */
} platform_dct_security_t;

RaktimR_11
Moderator

I just added a field to the platform_dct_misc_config_t structure like this.

typedef struct
{
    uint32_t                wifi_flags;             /* Wi-Fi Misc Flags  */
    char                    root_cert[ CERTIFICATE_SIZE ];
} platform_dct_misc_config_t;

I modified the snip.dct_read_write application like this and I was able to add the certificate:

    /* Print original mesh value */
    WPRINT_APP_INFO( ( "Original\r\n" ) );
    WPRINT_APP_INFO( ( "wifi flags: 0x%lx\r\n", misc_dct->wifi_flags ) );
    WPRINT_APP_INFO( ( "certificate: %s\r\n", misc_dct->root_cert ) );
    WPRINT_APP_INFO( ( "      mesh: %ld\r\n", misc_dct->wifi_flags & WIFI_FLAG_MESH ) );

    /* Modify mesh value */
    misc_dct->wifi_flags ^= WIFI_FLAG_MESH;
    strcpy( (misc_dct->root_cert), httpbin_root_ca_certificate );

    /* write it out */
    wiced_dct_write( (const void*) misc_dct, DCT_MISC_SECTION, 0, sizeof(*misc_dct) );

    /* unlock & lock again  (re-reads dct) */
    WPRINT_APP_INFO( ( "Changed wifi_flag WIFI_FLAG_MESH \r\n" ) );
    wiced_dct_read_unlock( misc_dct, WICED_TRUE );
    wiced_dct_read_lock( (void**) &misc_dct, WICED_TRUE, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

    /* Print changed mesh value */
    WPRINT_APP_INFO( ( "wifi flags: 0x%lx\r\n", misc_dct->wifi_flags ) );
    WPRINT_APP_INFO( ( "certificate: %s\r\n", misc_dct->root_cert ) );
    WPRINT_APP_INFO( ( "mesh: %ld\r\n", misc_dct->wifi_flags & WIFI_FLAG_MESH ) );

    /* restore original */
    /* Modify mesh value */
    misc_dct->wifi_flags ^= WIFI_FLAG_MESH;

    /* write it out */
    wiced_dct_write( (const void*) misc_dct, DCT_MISC_SECTION, 0, sizeof(*misc_dct) );

    /* unlock & lock again (re-reads dct) */
    wiced_dct_read_unlock( misc_dct, WICED_TRUE );
    wiced_dct_read_lock( (void**) &misc_dct, WICED_TRUE, DCT_MISC_SECTION, 0, sizeof( *misc_dct ) );

    /* Print restored mesh value */
    WPRINT_APP_INFO( ( "Restored wifi_flag WIFI_FLAG_MESH \r\n" ) );
    WPRINT_APP_INFO( ( "wifi flags: 0x%lx\r\n", misc_dct->wifi_flags ) );
    WPRINT_APP_INFO( ( "      mesh: %ld\r\n", misc_dct->wifi_flags & WIFI_FLAG_MESH ) );

    /* release the read lock */
    wiced_dct_read_unlock( misc_dct, WICED_TRUE );

Could you please tell what are the things that you are doing differently and what is the error log corresponding to that?

Have you accounted for the fact that LARGEST_DCT_SUB_STRUCTURE_SIZE is 4k and that CERTIFICATE_SIZE is also 4k? This makes the data stored in the misc section larger than the buffer used to move it around.

Also, the comment in platform_dct_data_t says to add it AFTER the misc section, not in it: /* If you need to add anything to the DCT, add it here, in a new structure */

Furthermore, as mentioned in my original post, the dct write function says /* Calculate how many bytes need to be written after the end of the header to the start of the dct_version structure */, and the misc section is after the version, not before, so we get a negative bytes_to_copy.

I'm just trying to get the root cert downloadable without breaking everything. I would prefer to just add it to the security_credentials structure.

I’m not sure where the problem actually is, I’m just pointing to things that are causing problems when trying to add in or below the misc section.

When I add the root_cert storage location to this structure the AWS connection will no longer work, even when I don't load anything into this location and just use the compiled-in default root cert. The connection is closed by the server. If I remove this storage location, AWS works fine. When I use this storage location for an MQTT secure connection to an MQTT broker the connection works fine.

typedef struct
{
    char    private_key[ PRIVATE_KEY_SIZE ];
    char    certificate[ CERTIFICATE_SIZE ];
    uint8_t cooee_key  [ COOEE_KEY_SIZE ];
    char    root_cert  [ CERTIFICATE_SIZE ]; /* added */
} platform_dct_security_t;

So basically, what causes the AWS connection to fail by just increasing the memory used for the DCT storage?

What error log are you referring to?

The only thing I know is that I get an ERROR 4 when I try to open the connection to AWS, caused by an ERROR_QUEUE_INIT from a wiced_tcp_start_tls error.

0 Likes
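Two things raised in this thread can be checked in plain C: whether a misc section that embeds a 4K CERTIFICATE_SIZE still fits inside a 4K LARGEST_DCT_SUB_STRUCTURE_SIZE buffer (it does not, which is what the 3K reduction fixes), and how to copy a PEM blob into the fixed root_cert field without the unbounded strcpy() used in the snip above. This is an added example, not code from the thread or from the WICED SDK; the byte sizes and the two struct layouts are assumptions mirroring the names used in the posts, and copy_root_cert() is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the thread only states that both constants are 4K. */
#define LARGEST_DCT_SUB_STRUCTURE_SIZE  (4 * 1024)
#define CERTIFICATE_SIZE_4K             (4 * 1024)
#define CERTIFICATE_SIZE_3K             (3 * 1024)

/* Misc-config layout from the moderator's reply, with the cert at 4K
 * (the failing case) and at 3K (the accepted solution). Hypothetical names. */
typedef struct {
    uint32_t wifi_flags;
    char     root_cert[CERTIFICATE_SIZE_4K];
} misc_config_4k_t;

typedef struct {
    uint32_t wifi_flags;
    char     root_cert[CERTIFICATE_SIZE_3K];
} misc_config_3k_t;

/* Returns 1 if a DCT sub-structure of section_size bytes fits the scratch
 * buffer the DCT code uses to move sections around, 0 if it overflows it. */
int dct_section_fits(size_t section_size)
{
    return section_size <= LARGEST_DCT_SUB_STRUCTURE_SIZE;
}

/* Bounded replacement for strcpy(misc_dct->root_cert, pem): refuses a PEM
 * string that would not fit together with its terminating NUL, and never
 * reads or writes past dst_size. Returns 0 on success, -1 if too long. */
int copy_root_cert(char *dst, size_t dst_size, const char *pem)
{
    size_t n = 0;
    while (n < dst_size && pem[n] != '\0') {   /* scan no further than dst_size */
        n++;
    }
    if (n == dst_size) {
        return -1;                             /* no room for the NUL: reject */
    }
    memcpy(dst, pem, n + 1);                   /* copy including the NUL */
    return 0;
}

int main(void)
{
    printf("misc section with 4K cert: %zu bytes, fits buffer: %d\n",
           sizeof(misc_config_4k_t), dct_section_fits(sizeof(misc_config_4k_t)));
    printf("misc section with 3K cert: %zu bytes, fits buffer: %d\n",
           sizeof(misc_config_3k_t), dct_section_fits(sizeof(misc_config_3k_t)));

    /* Constructed sample: a short stand-in for a PEM certificate. */
    misc_config_3k_t misc = { 0 };
    const char *sample_pem = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n";
    int rc = copy_root_cert(misc.root_cert, sizeof(misc.root_cert), sample_pem);
    printf("copy_root_cert: %d\n", rc);
    return 0;
}
```

The 4K-cert layout comes out at 4100 bytes (4 bytes of wifi_flags plus the 4096-byte cert), which is why it cannot be moved through a 4096-byte buffer, while the 3K layout is 3076 bytes and fits. The copy helper also covers the case the thread hints at: a downloaded root certificate is attacker-influenced input, so its length must be checked against the DCT field before it is written.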

So far anything I do to put any storage into the dct causes the compiled in default root certificate to give me an error 5035 when I try to connect to AWS.

    RESULT_ENUM( prefix, UNTRUSTED_CERTIFICATE,               5035 ),   /**<   */ \

Note: I am not using the storage location to hold anything at this point. I take my working code, add a buffer that will be used to eventually store a root cert, and AWS gives me this error. I remove the buffer and AWS is happy. If I add all the stuff I need to actually use the buffer and download certs and keys for an MQTT server, this also works.

On another entirely different front if I take my working AWS code and try to use the new AWSCA1 root cert with a "-ats" added to my endpoint I also get a 5035 error. No extra buffer, new cert is compiled in replacing the old Symantec cert.

0 Likes

got it working. Had to reduce the CERTIFICATE_SIZE from 4K to 3K.