Authenticate a self-signed certificate for mbedtls on Zephyr

I am struggling with mbedtls on Zephyr. I am trying to authenticate a self-signed certificate in PEM format with a local server. I am able to add and store the certificate to TLS and flash. But somehow connect() returns -113. Also, I am unable to enable debug logs for mbedtls even though I have added the configuration in prj.conf. Any guidance on this would help as I am pretty new to Zephyr. I have also created a post in Zephyr’s Discord: Zephyr Discord Deeplink

Certificate-based authentication requires certificates on both sides. For client authentication, the client requires the certificate and the corresponding private key. The server then requires either that certificate in its truststore, or the CA certificate which was used to sign the client certificate. Though you use a “self-signed certificate”, you still need to put that in the server’s truststore; with this approach the only CA is that certificate itself.
And the same applies for the server. The server also requires a certificate and corresponding private key, and the client requires that certificate or one of the CA certificates in its truststore.
Hope that helps.

Update: I have had some progress. I was able to authenticate with a hard-coded certificate in my code. I had added ‘\n’ at the end of each line in this hard-coded array. I have created a shell command which takes the certificate as an argument line by line. I append a newline character after each line, thus emulating my array. To my surprise, this doesn’t work and connect() returns -22. I also noticed that the size of the array I passed was 1307, compared to 1306 for the actual certificate. Since the connect call itself fails, mbedTLS logs are not triggered, so debugging isn’t easy. When I pass the hard-coded array, the TLS handshake happens and I can see the mbedTLS logs.

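The update above describes assembling a PEM certificate line by line and seeing a one-byte difference between the text length and the array length. The following C program is an added example, not code from the thread or from Zephyr; it shows a line-by-line builder that keeps the buffer NUL-terminated, reports the length a PEM parser expects (the text plus its terminating NUL, which is what mbedtls_x509_crt_parse() documents for PEM input and what Zephyr samples get by passing sizeof() of a string literal), and a sanity check a defender can run before registering the credential. The `SAMPLE_LINES` array is a constructed stand-in shaped like a certificate, not a real one, and the `pem_builder` and `pem_is_wellformed` names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_BUF_SIZE 2048

/* Constructed stand-in for the lines a shell command would receive one at a
 * time. It is shaped like a PEM certificate but is NOT a real certificate. */
static const char *const SAMPLE_LINES[] = {
    "-----BEGIN CERTIFICATE-----",
    "MIIBszCCAVmgAwIBAgIUEXAMPLE",
    "-----END CERTIFICATE-----",
};
#define SAMPLE_LINE_COUNT (sizeof(SAMPLE_LINES) / sizeof(SAMPLE_LINES[0]))

/* Accumulates a PEM blob line by line, always keeping it NUL-terminated. */
struct pem_builder {
    char buf[PEM_BUF_SIZE];
    size_t len;  /* bytes of text written, excluding the terminating NUL */
};

static void pem_builder_init(struct pem_builder *b)
{
    b->len = 0;
    b->buf[0] = '\0';
}

/* Append one line followed by '\n'. Returns false instead of overflowing,
 * always reserving one byte for the terminating NUL. */
static bool pem_builder_add_line(struct pem_builder *b, const char *line)
{
    size_t n = strlen(line);

    if (b->len + n + 1 /* '\n' */ + 1 /* NUL */ > PEM_BUF_SIZE) {
        return false;
    }
    memcpy(b->buf + b->len, line, n);
    b->len += n;
    b->buf[b->len++] = '\n';
    b->buf[b->len] = '\0';
    return true;
}

/* Length to register for PEM input: the text plus its terminating NUL
 * (mbedtls_x509_crt_parse() documents that the PEM length includes it). */
static size_t pem_builder_credlen(const struct pem_builder *b)
{
    return b->len + 1;
}

/* Sanity check before handing the blob to the TLS stack: NUL-terminated with
 * the NUL counted, no embedded NUL or stray '\r', BEGIN/END armour present,
 * and a newline after the END line. */
static bool pem_is_wellformed(const char *buf, size_t credlen)
{
    size_t text;

    if (buf == NULL || credlen == 0 || buf[credlen - 1] != '\0') {
        return false;  /* length does not cover a terminating NUL */
    }
    text = strlen(buf);
    if (text != credlen - 1) {
        return false;  /* embedded NUL: the parser would stop early */
    }
    if (strncmp(buf, "-----BEGIN ", 11) != 0 || strstr(buf, "-----END ") == NULL) {
        return false;
    }
    if (memchr(buf, '\r', text) != NULL) {
        return false;  /* CRLF line endings pasted from another editor */
    }
    return text >= 6 && strcmp(buf + text - 6, "-----\n") == 0;
}

static struct pem_builder g_sample;

/* Build the constructed sample; returns the length to register (0 on overflow). */
static size_t sample_build(void)
{
    pem_builder_init(&g_sample);
    for (size_t i = 0; i < SAMPLE_LINE_COUNT; i++) {
        if (!pem_builder_add_line(&g_sample, SAMPLE_LINES[i])) {
            return 0;
        }
    }
    return pem_builder_credlen(&g_sample);
}

/* Same blob checked with the NUL counted (correct) and with text length only. */
static bool sample_check_with_nul(void)
{
    return pem_is_wellformed(g_sample.buf, sample_build());
}

static bool sample_check_without_nul(void)
{
    sample_build();
    return pem_is_wellformed(g_sample.buf, g_sample.len);
}

int main(void)
{
    size_t credlen = sample_build();

    printf("text bytes: %zu, length to register: %zu\n", g_sample.len, credlen);
    printf("well-formed with NUL counted: %s\n", sample_check_with_nul() ? "yes" : "no");
    printf("well-formed with text length only: %s\n", sample_check_without_nul() ? "yes" : "no");
    return 0;
}
```

Running the check with the text length alone fails, while the same bytes pass once the terminating NUL is counted; on a device, running this kind of check on the assembled buffer before calling the credential-registration API gives a concrete error to log in the place where the TLS stack itself stays silent.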

Hi @hrm2519.

We find it’s easier and more reliable to use a file transfer protocol to get certificates on the device, rather than implementing a piecemeal console command. You can take a look at our own certificate provisioning example to see one way of doing it using mcumgr and a filesystem.

Best,
Sam

The issue has been resolved now. I wanted to pass the certificate as a shell command for demo purposes only. In the end it won’t be that way. Does your example provide certificate expiry check? Do you know if there are Zephyr APIs for checking this?