• State Resolved
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 140 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3220MODA: period of certificate validity SLNETERR_ESEC_DATE_ERROR

Roman Jordan
Expert 1770 points
Part Number: CC3220MODA

Hello all,

I want to check the behavior of the HTTP connection process releated to the period of validity of the certificates using the TI SDK functions HTTPClient_connect2 and HTTPClient_connect.
But I can*t find any information about the time setting used for comparsion.

I assume that the network processor will verify the time period of the certificate against it's RTC.
That time, the NWP internal RTC, is set with the function sl_DeviceSet( SL_DEVICE_GENERAL, SL_DEVICE_GENERAL_DATE_TIME, sizeof(SlDateTime_t), (_u8*)( &st_DateTime ) ).

I am right?

Best regards and many thanks,
Roman

  • 0
    TI__Genius 9475 points

    Hello Roman,

    I wanted to confirm if  the error code was -461L /*connected with certificate date verification error*/ as I found the error named SL_ERROR_BSD_ESECDATEERROR however, it should be the same.

    You are correct, to set the CC3220 date and time I would used the DeviceSet function (sec. 3.7)

    For more information regarding certificates and security on the CC3220 I recommend reading section 2 of Built in Security Features

    and the Simplelink Wifi Certificates Handling guide.

    Hope this helps,

    Rogelio

  • 0 in reply to RogelioD
    Expert 1770 points

    Hello RogelioD,

    thanks for your answer and the links.

    I analyzed the behavior by setting the controller's time outside the time window of the test server's certificate.
    I didn't activated the Trusted Root-Certificate Catalog.
    I use the function HTTPClient_connect that in turn uses HTTPClient_connect2.


    I set the NWP time to three points  and connected to server: one lower, one inside and one higher then the time window of the crtificate. I always get the same result code of -468 SLNETERR_ESEC_UNKNOWN_ROOT_CA.

    So I assume that the following sentence in the TI documentation Built-in Security Features section 2.2.3.7 Validating the Date of the Server means, that the Root CA has to validated first. After this the date and the time are checked.

    Every certificate has an expiration date. When connecting to a server in client mode, the server time validation
occurs if the root CA was set. If the time validation fails, the sl_connect command returns an error
SL_ERROR_BSD_ESECDATEERROR, “connected with time and date validation error.” The user can set the
time and date of the device, and this is used in the certificate time and date validation. The date and time are
kept in hibernate mode.

    Other words: If the Trusted Root-Certificate Catalog is not used, it not possible to validate the date and time settings of a HTTP server certificate.
    Maybe it is because of the data and time check of the certificate is done only after the certificate itself is verified.
    I am right?

    Best regards and thanks for reading this,
    Roman

  • 0 in reply to Roman Jordan
    TI__Genius 9475 points

    Hello Roman,

    Since you're trying to connect using TLS you will need to use the correct Root CA. The following code can be found in the httpclient.c which can hopefully give you a better understanding on how the cert is validated.

            if ((intFlags & ISSECURED) || getCliState(cli, ISSECURED_STATE))
            {
                ret = SlNetSock_startSec(cli->ssock, secAttribs,
                                         SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY |
                                         SLNETSOCK_SEC_BIND_CONTEXT_ONLY);
                /*
                 *  Each of these specific return values indicate that the
                 *  connection was successful, but with a caveat
                 */
                if ((ret >= 0) ||
                    (ret == SLNETERR_ESEC_UNKNOWN_ROOT_CA)      ||
                    (ret == SLNETERR_ESEC_CERTIFICATE_REVOKED)  ||
                    (ret == SLNETERR_ESEC_DATE_ERROR)           ||
                    (ret == SLNETERR_ESEC_SNO_VERIFY))
                {
                    if (secureRetVal)
                    {
                        *secureRetVal = ret;
                    }
                }
                else
                {
                    /* Exit, as the secure connection could not be established */
                    return (ret);
                }
    Once an error is from SlNetSock_StartSec it returned it will not establish the connection and the httpclient_connect2 function will then in turn return the error. TLDR: If you want to test the validity of the certificate date and time you would need to use the correct Root Certificate for the server.
     
    Kind Regards,
    Rogelio
  • 0 in reply to RogelioD
    Expert 1770 points

    Hello RogelioD,

    yes i know about it. If no certificate file is specified, the function SlNetSock_startSec returns  SLNETERR_ESEC_SNO_VERIFY.

    Given the valid root CA certificate file, the function retuns SLNETERR_ESEC_UNKNOWN_ROOT_CA, regardless of the time settings in the NWP.

    My question: Can I check the validity period of a certificate when the Trusted Root Catalog is disabled, or does the NWP only check the validity period of the certificate after the ROOT CA has been compared to the Trusted Root Catalog?

    Best regards,
    Roman

  • 0 in reply to Roman Jordan
    TI__Genius 9475 points

    Hello Roman,

    I just want to confirm you did disable the Trusted Root Certificate Catalog. You can do it with the following code found in Sec 7.5.4 of the NWP User Guide 

    _u32 dummyVal;
_i16 status;
status = sl_SetSockOpt(SockID,SL_SOL_SOCKET, SL_SO_SECURE_DISABLE_CERTIFICATE_STORE,

&dummyVal,sizeof(dummyVal));

    If it was disabled the SLNETERR_ESEC_UNKNOWN_ROOT_CA error should not appear when using a certificate outside of the trusted catalog, however, the certificates date would still be validated and if its not correct would return SLNETERR_ESEC_DATE_ERROR.

    -Rogelio

  • 0 in reply to RogelioD
    Expert 1770 points

    Hello Rogelio,

    no, I didn't disable the Trusted Root Catalog.

    my solution is to use the ROOTCA certificate in the file system and the SDK function HTTPClient_connect. The error code SLNETERR_ESEC_UNKNOWN_ROOT_CA comes only if a ROOTCA certificate is given. This code is mapped to zero (as shown in the listing at the start of this thread). For now I do not need more details.
    But now I know what to do if it is needed.

    Thank you very much.

    Best regards,
    Roman