TM4C129ENCPDT: Certificate date issue

Part Number: TM4C129ENCPDT

Hi All,
I am using TI RTOS and tm4c129encpdt with CCS with Ethernet.
I am using httpcli library for MQTT and HTTPS

My MQTT is based on AWS IoT. There I am using the certificate/key pair whose date is -

For MQTT certificate used in the device (created from AWS IoT)

Create date: September 12, 2020, 01:04:42 (UTC+0530)
Effective date: September 12, 2020, 01:02:42 (UTC+0530)
Expiration date: January 01, 2050, 05:29:59 (UTC+0530)

FOR HTTPS certificate used in the device

Expiration date is 20 Dec. 2021

When I set the date to 1600422026 (18 Sep, 2020),
MQTT works fine and HTTPS works fine too.

But when I set the date to 1631946773 (18 Sept, 2021),
HTTPS works fine but MQTT fails and gives error ASN_AFTER_DATE_E (-151) (checked from the wolfssl logs).

Why is it so? For MQTT and HTTPS, I have a date which lies between the activation date and the expiration date. But if I set the date to a later one, MQTT fails and HTTPS works. Why is it so?

Thanks

  • I suspect it is in the interpretation of the epoch. From https://github.com/wolfSSL/wolfssl/issues/367 a comment from "cconlon"

    "An ASN_AFTER_DATE_E error means that when wolfSSL was validating a certificate, the certificate's "Not Valid After" date was invalid. If you are on an embedded device, you should check to make sure your device clock is set correctly. By default wolfSSL uses time() to get seconds since the Unix epoch."

    By default, the TI compiler does not use the POSIX epoch of Jan 1, 1970, rather Jan 1, 1900. That difference may make your MQTT certificate appear to expire. See: https://processors.wiki.ti.com/index.php/Time_and_clock_RTS_Functions

     

  • Hi Bob, 

    The issue was in the intermediate certificate. One of the certificate expiry dates was 20 April, 2021 and my device time was set to March, 2021. That's why I was getting this issue.

    As I am setting the device time statically like this-

    Seconds_set(currentTimeSecs); // epoch time // 1600695606
    g_microSecsFromEpoch = ((uint64_t)currentTimeSecs)*1000000ULL - getTimeInMicroSecsFromStart();

    /* Conversion to time_t as localtime() expects a time_t* */
    time_t epoch_time_as_time_t = g_microSecsFromEpoch/1000000ULL; // - 28800 for GMT to PST
    struct tm * timeinfo = localtime(&epoch_time_as_time_t);
    g_microSecsFromZeroHour = ((uint64_t)((timeinfo->tm_hour*60+timeinfo->tm_min)*60 + timeinfo->tm_sec))*1000000ULL;

    This won't change with time. I saw an article on SNTP. As I am using the httpcli library for all communication, is there a way to use SNTP here so that I can update my time after a specific time period?

    I never worked on SNTP. If you can give me some example on SNTP client and what SNTP servers are and how to set them up,  I can work on that accordingly.

    Also, in one of the posts (e2e.ti.com/.../350577), I saw that you people were integrating SNTP with the Time() apis. Any update on that?

    Thanks
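The failure diagnosed above, reproduced as an added stand-alone example (not code from this thread, TI, or wolfSSL): the date check has to pass for every certificate in the chain, so an expired intermediate fails the handshake even when the leaf is valid until 2050. The leaf dates are the first post's converted to UTC; the intermediate's start date and time of day, and all type and function names, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>

enum chain_status { CHAIN_OK = 0, CHAIN_NOT_YET_VALID, CHAIN_EXPIRED };

/* Validity window of one certificate, in Unix seconds (UTC). */
struct cert_window { const char *name; int64_t not_before, not_after; };

/* Days since 1970-01-01 for a Gregorian date (standard civil-date algorithm). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = y / 400;                 /* y is positive for any X.509 date */
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* UTC calendar time to Unix seconds, independent of the target's time() epoch. */
static int64_t utc(int y, int mo, int d, int h, int mi, int s)
{
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + s;
}

/* Check every certificate in the chain; report the first one outside its window. */
enum chain_status check_chain(const struct cert_window *chain, size_t n,
                              int64_t now, const char **culprit)
{
    for (size_t i = 0; i < n; i++) {
        if (now < chain[i].not_before || now > chain[i].not_after) {
            *culprit = chain[i].name;
            return now > chain[i].not_after ? CHAIN_EXPIRED : CHAIN_NOT_YET_VALID;
        }
    }
    *culprit = NULL;
    return CHAIN_OK;
}

/* Chain modelled on the thread. Intermediate: expiry date from the post above;
 * its not_before and time of day are constructed values. */
enum chain_status check_thread_chain(int64_t now, const char **culprit)
{
    const struct cert_window chain[] = {
        { "leaf",         utc(2020, 9, 11, 19, 32, 42), utc(2049, 12, 31, 23, 59, 59) },
        { "intermediate", utc(2015, 1, 1, 0, 0, 0),     utc(2021, 4, 20, 23, 59, 59) },
    };
    return check_chain(chain, 2, now, culprit);
}
```

With the thread's two clock values this returns CHAIN_OK for 1600422026 and CHAIN_EXPIRED naming the intermediate for 1631946773, the case wolfSSL reported as ASN_AFTER_DATE_E. A clock read 2208988800 s too high (a 1900-based count taken as Unix time) would instead flag the leaf at both values.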

  • Glad to hear you resolved the certificate issue. I am going to send your question about SNTP to a colleague. 

  • Hi,

      Can you reference the below code? Note that for this example, I adjusted the time to the US Central time zone where I work. You will adjust to your timezone. But a few hours of difference will not matter to the certificate date checking by Wolfssl. 

    #include <string.h>
    #include <time.h>
    
    /* XDCtools Header files */
    #include <xdc/runtime/Error.h>
    #include <xdc/runtime/System.h>
    
    /* TI-RTOS Header files */
    #include <ti/sysbios/BIOS.h>
    #include <ti/sysbios/hal/Seconds.h>
    #include <ti/sysbios/knl/Task.h>
    #include <ti/sysbios/knl/Semaphore.h>
    #include <ti/drivers/GPIO.h>
    #include <ti/net/http/httpcli.h>
    #include <ti/net/sntp/sntp.h>
    
    /* Example/Board Header file */
    #include "Board.h"
    
    #include <sys/socket.h>
    
    
    #define NTP_HOSTNAME "north-america.pool.ntp.org"
    #define NTP_PORT         "123"
    #define NTP_SERVERS      3
    #define NTP_SERVERS_SIZE (NTP_SERVERS * sizeof(struct sockaddr_in))
    #define HTTPTASKSTACKSIZE 32768
    
    
    unsigned char ntpServers[NTP_SERVERS_SIZE];
    static Semaphore_Handle semHandle = NULL;
    
    /*
     *  ======== printError ========
     */
    void printError(char *errString, int code)
    {
        System_printf("Error! code = %d, desc = %s\n", code, errString);
        BIOS_exit(code);
    }
    
    /*
     *  ======== timeUpdateHook ========
     *  Called after NTP time sync
     */
    void timeUpdateHook(void *p)
    {
        Semaphore_post(semHandle);
    }
    
    /*
     *  ======== startNTP ========
     */
    void startNTP(void)
    {
        int ret;
        int currPos;
        time_t ts;
        struct sockaddr_in ntpAddr;
        struct addrinfo hints;
        struct addrinfo *addrs;
        struct addrinfo *currAddr;
        Semaphore_Params semParams;
    
        memset(&hints, 0, sizeof(struct addrinfo));
        hints.ai_family = AF_INET;
        hints.ai_socktype = SOCK_DGRAM;
    
    
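        /* Pass the hints so only IPv4/UDP results come back; the loop below
         * casts each ai_addr to struct sockaddr_in. */
        ret = getaddrinfo(NTP_HOSTNAME, NTP_PORT, &hints, &addrs);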
        if (ret != 0) {
            printError("startNTP: NTP host cannot be resolved!", ret);
        }
    
        currPos = 0;
    
    
        for (currAddr = addrs; currAddr != NULL; currAddr = currAddr->ai_next) {
            if (currPos < NTP_SERVERS_SIZE) {
                ntpAddr = *(struct sockaddr_in *)(currAddr->ai_addr);
                memcpy(ntpServers + currPos, &ntpAddr, sizeof(struct sockaddr_in));
                currPos += sizeof(struct sockaddr_in);
            }
            else {
                break;
            }
        }
    
        freeaddrinfo(addrs);
    
        ret = SNTP_start(Seconds_get, Seconds_set, timeUpdateHook,
                (struct sockaddr *)&ntpServers, NTP_SERVERS, 0);
        if (ret == 0) {
            printError("startNTP: SNTP cannot be started!", -1);
        }
    
        Semaphore_Params_init(&semParams);
        semParams.mode = Semaphore_Mode_BINARY;
        semHandle = Semaphore_create(0, &semParams, NULL);
        if (semHandle == NULL) {
            printError("startNTP: Cannot create semaphore!", -1);
        }
    
        SNTP_forceTimeSync();
        Semaphore_pend(semHandle, BIOS_WAIT_FOREVER);
    
        /* Adjust the time zone by 5 hours as the Seconds_get() is 5 hours ahead of Houston time */
        Seconds_set(Seconds_get()-5*60*60);
        ts = time(NULL);
    
        System_printf("Current time: %s\n", ctime(&ts));
        System_flush();
    
    }
    
    /*
     *  ======== netIPAddrHook ========
     *  This function is called when IP Addr is added/deleted
     */
    void netIPAddrHook(unsigned int IPAddr, unsigned int IfIdx, unsigned int fAdd)
    {
        static Task_Handle taskHandle;
        Task_Params taskParams;
        Error_Block eb;
    
        /* Create a HTTP task when the IP address is added */
        if (fAdd && !taskHandle) {
            Error_init(&eb);
    
            Task_Params_init(&taskParams);
            taskParams.stackSize = HTTPTASKSTACKSIZE;
            taskParams.priority = 1;
            taskHandle = Task_create((Task_FuncPtr)startNTP, &taskParams, &eb);
            if (taskHandle == NULL) {
                printError("netIPAddrHook: Failed to create HTTP Task\n", -1);
            }
        }
    }
    
    /*
     *  ======== main ========
     */
    int main(void)
    {
        /* Call board init functions */
        Board_initGeneral();
        Board_initGPIO();
        Board_initEMAC();
    
        /* Turn on user LED */
        GPIO_write(Board_LED0, Board_LED_ON);
    
        System_printf("Starting the SNTP example\nSystem provider is set to "
                "SysMin. Halt the target to view any SysMin contents in ROV.\n");
        /* SysMin will only print to the console when you call flush or exit */
        System_flush();
    
        /* Start BIOS */
        BIOS_start();
    
        return (0);
    }
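Because the clock set by SNTP decides whether certificates pass their date check, a client should sanity-check a reply before applying it. The following is an added stand-alone example of the RFC 4330 reply checks plus a minimum-time floor; it is not TI's SNTP module or code from this thread, and the function names, return codes and the floor parameter are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NTP_UNIX_OFFSET 2208988800U  /* seconds from 1900-01-01 to 1970-01-01 */
#define NTP_PACKET_LEN  48

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate a server reply and convert its transmit timestamp to Unix seconds.
 * req_tx: the 8-byte transmit timestamp sent in our request.
 * floor_unix: earliest plausible time, e.g. the firmware build date (assumption).
 * Returns 0 on success, a negative code on rejection. */
int sntp_accept(const uint8_t *pkt, size_t len, const uint8_t req_tx[8],
                uint32_t floor_unix, uint32_t *unix_secs)
{
    if (len < NTP_PACKET_LEN)             return -1; /* truncated packet */
    if ((pkt[0] & 0x07) != 4)             return -2; /* mode must be 4 (server) */
    if ((pkt[0] >> 6) == 3)               return -3; /* LI=3: server not synchronised */
    if (pkt[1] == 0 || pkt[1] > 15)       return -4; /* stratum 0 (kiss-o'-death) or invalid */
    if (memcmp(pkt + 24, req_tx, 8) != 0) return -5; /* originate != our request: stale or spoofed */

    uint32_t secs = be32(pkt + 40);                  /* transmit time, seconds since 1900 */
    if (secs < NTP_UNIX_OFFSET)           return -6; /* zero or pre-1970 timestamp */
    /* A rolled-back clock makes expired certificates look valid again. */
    if (secs - NTP_UNIX_OFFSET < floor_unix) return -7;

    *unix_secs = secs - NTP_UNIX_OFFSET;
    return 0;
}

/* Constructed sample reply: LI=0, VN=4, mode=4, stratum 2, given transmit time. */
void sntp_sample_reply(uint8_t pkt[NTP_PACKET_LEN], const uint8_t req_tx[8],
                       uint32_t unix_secs)
{
    uint32_t s = unix_secs + NTP_UNIX_OFFSET;
    memset(pkt, 0, NTP_PACKET_LEN);
    pkt[0] = (uint8_t)((4 << 3) | 4);
    pkt[1] = 2;
    memcpy(pkt + 24, req_tx, 8);
    pkt[40] = (uint8_t)(s >> 24); pkt[41] = (uint8_t)(s >> 16);
    pkt[42] = (uint8_t)(s >> 8);  pkt[43] = (uint8_t)s;
}
```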

  • hi Charles,

    Thanks for this. I am able to run this code and it is working fine.

    Though I have not created the task for this, as by default, the task is created for the sntp with priority 1.

    Also, I have to include these in my .cfg file before start.

    var Sntp = xdc.useModule('ti.net.sntp.Sntp');
    Sntp.networkStack = Sntp.NDK;

    I just created the function startSNTP() and called it in order to run it. I have one doubt. As I can see from ROV, the task syncTime is created upon calling this and after this, it is shown as blocked on Event: 0x20000648.

    I want to know what event is this and when it will be unblocked again? 

    Thanks

  • Hi,

      Please see below description. 

    snip....

    SNTP_forceTimeSync();
    Semaphore_pend(semHandle, BIOS_WAIT_FOREVER);

    snip....

    /*
     *  ======== timeUpdateHook ========
     *  Called after NTP time sync
     */
    void timeUpdateHook(void *p)
    {
        Semaphore_post(semHandle);
    }