CC3235SF: Code signature file size exceeds 256 bytes

Part Number: CC3235SF
Other Parts Discussed in Thread: UNIFLASH

Hi,

We have an application with an OTA mechanism implemented. Since our current code signing certificate is about to expire, we have requested a new one.

Our certificate authority does not support the SHA 256 key size anymore and supplied a new 512 key size.

This new key throws an error in our OTA application; we tracked this down to the sl_FsClose function.

When using our new key the function returns -10290

#define SL_ERROR_FS_WRONG_SIGNATURE_OR_CERTIFIC_NAME_LENGTH             (-10290L)

If we check the SimpleLink Wi-Fi Network Processor user guide, on page 138, chapter 8.4.7, it is noted that the device supports up to 512 certificate chain verification type.

https://www.ti.com/lit/ug/swru455m/swru455m.pdf?ts=1665048047843

Another test we did is that we flashed the device with an image, signed with the old certificate, containing the necessary files to support the new certificate. But we are still getting the sl_FsClose error after performing an OTA.

When we try to flash the device using Uniflash we get the error below:  

We tested both ways (OTA and Uniflash) with sp_4.8.0.8_3.7.0.1_3.1.0.26, and sp_4.13.0.2_3.7.0.1_3.1.0.26

  • The uniflash (i.e. programming) would fail since the ROM bootloader doesn't support the longer keys. 

    It requires installing SP to get the 512B support.

    The OTA should work assuming the certificate used for verification was updated (and the SP is installed).

  • We did a new test to use our new code signing certificate following the steps below:

    1) Made a new image, signed with the old certificate.  This image contains all the new cert files.

    2) We flashed this image to the device using uniflash.

    3) On boot the device prints out the files it contains, just to check if all necessary files are in place:

    application_cert
    ALLOCATEDBLOCKS:     1
    MaxSize(bytes):  3656
    Flags: File safe,
    
    
    /sys/mcubootinfo.bin
    ALLOCATEDBLOCKS:     2
    MaxSize(bytes):  3656
    Flags: Secure, File safe, System, Public write ,
    
    
    digicert assured id root ca
    ALLOCATEDBLOCKS:     2
    MaxSize(bytes):  3656
    No Flags for file
    
    
    digicert sha2 assured id code signing ca
    ALLOCATEDBLOCKS:     2
    MaxSize(bytes):  3656
    No Flags for file
    
    
    fp-bootstrap-certificate
    ALLOCATEDBLOCKS:     2
    MaxSize(bytes):  3656
    No Flags for file
    
    
    application_cert_20241216
    ALLOCATEDBLOCKS:     1
    MaxSize(bytes):  3656
    Flags: File safe,
    

    Our old certificate is the application_cert, and our new ones are the "application_cert_2024_12_16", "digicert assured id root ca" and "digicert sha2 assured id code signing ca".

    4) Also the version of the installed SP is printed out to check if we have the most recent version running:

    5) When the device was running and connected, we sent out an OTA, signed with the new certificate.

    6) When the new image file is received, the file is checked, and here the device fails:

    The error message is: "Error (1:0xffd7ce) closing OTA file."

    If we follow this message in the source we find it fails on the fs_Close() function:

    /* Close the specified file. This will also authenticate the file if it is marked as secure. */

    OTA_Err_t prvPAL_CloseFile( OTA_FileContext_t *C )
    {
        DEFINE_OTA_METHOD_NAME("prvPAL_CloseFile");

        int32_t lResult;
        OTA_Err_t xReturnCode = kOTA_Err_Uninitialized;

        /* Let SimpleLink API handle error checks so we get an error code for free. */
        OTA_LOG_L1( "[%s] Authenticating and closing file.\r\n", OTA_METHOD_NAME );
        lResult = ( int32_t ) sl_FsClose( ( _i32 ) ( C->lFileHandle ), C->pucCertFilepath, C->pxSignature->ucData, ( _u32 ) ( C->pxSignature->usSize ) );

        switch ( lResult )
        {
            case 0L:
            {
                xReturnCode = kOTA_Err_None;
                break;
            }

            case SL_ERROR_FS_WRONG_SIGNATURE_SECURITY_ALERT:
            case SL_ERROR_FS_WRONG_SIGNATURE_OR_CERTIFIC_NAME_LENGTH:
            case SL_ERROR_FS_CERT_IN_THE_CHAIN_REVOKED_SECURITY_ALERT:
            case SL_ERROR_FS_INIT_CERTIFICATE_STORE:
            case SL_ERROR_FS_ROOT_CA_IS_UNKOWN:
            case SL_ERROR_FS_CERT_CHAIN_ERROR_SECURITY_ALERT:
            case SL_ERROR_FS_FILE_NOT_EXISTS:
            case SL_ERROR_FS_ILLEGAL_SIGNATURE:
            case SL_ERROR_FS_WRONG_CERTIFICATE_FILE_NAME:
            case SL_ERROR_FS_NO_CERTIFICATE_STORE:
            {
                xReturnCode = ( uint32_t ) kOTA_Err_SignatureCheckFailed | ( ( ( uint32_t ) lResult ) & ( uint32_t ) kOTA_PAL_ErrMask );   /*lint !e571 intentionally cast lResult to larger composite error code. */
                break;
            }

            default:    /*lint -e788 Keep lint quiet about the obvious unused states we're catching here. */
            {
                xReturnCode = ( uint32_t ) kOTA_Err_FileClose | ( ( ( uint32_t ) lResult ) & ( uint32_t ) kOTA_PAL_ErrMask );   /*lint !e571 intentionally cast lResult to larger composite error code. */
                break;
            }
        }
        return xReturnCode;
    }

    In our case the function returns the value -10290. If we look this value up in the "Errors.h" file we find this:

    #define SL_ERROR_FS_WRONG_SIGNATURE_OR_CERTIFIC_NAME_LENGTH             (-10290L)

    Any more suggestions what we can do?

  • It should work; let me consult internally about a possible root cause. It may take a couple of days.

    Can you provide the NWP log? (see chapter 20 of https://www.ti.com/lit/swru455)

    Meanwhile, I suggest that you double check your settings.

  • Hi Kobi,

    We did the same test as above, but this time we captured the NWP logs from boot, over OTA until it failed. I embedded the log below:


    Below the UART output when the OTA failed:

    Agent T] [prvIngestDataBlock] Received file block 345, size 888
    1586 155928 [OTA Agent T] [prvIngestDataBlock] Received final expected block of file.
    1587 155936 [OTA Agent T] [prvStopRequestTimer] Stopping request timer.
    1588 155936 [OTA Agent T] [prvPAL_CloseFile] Authenticating and closing file.
    1589 155937 [OTA Agent T] [prvIngestDataBlock] Error (1:0xffd7ce) closing OTA file.
    1590 155959 [OTA Agent T] [prvStopRequestTimer] Stopping request timer.
    1591 155959 [OTA Agent T] [prvProcessDataMessage] Aborting due to IngestResult_t error -2
    1592 156538 [OTA Agent T] [prvPAL_SetPlatformImageState] Image was rejected and bundle files rolled back.
    1593 156538 [OTA Agent T] [prvPublishStatusMessage] Msg: {"status":"FAILED","statusDetails":{"reason":"0x01ffd7ce: 0xfffffffe"}}
    1594 156539 [OTA Agent T] [INFO ][MQTT][156539] (MQTT connection 2000da88) MQTT PUBLISH operation queued.
    1595 156540 [OTA Agent T] [INFO ][MQTT][156539] (MQTT connection 2000da88, PUBLISH operation 2000dcc0) Waiting for operation completion.
    1596 156703 [OTA Agent T] [INFO ][MQTT][156701] (MQTT connection 2000da88, PUBLISH operation 2000dcc0) Wait complete with result SUCCESS.
    1597 156704 [OTA Agent T] [prvPublishStatusMessage] 'FAILED' to $aws/things/NS_4c2498d6726f/jobs/AFR_OTA-1_4_3_cert2024-1665736938191/update

    To point out that the error we get (-10290) is not from our certificate name length: we tried to shorten our cert name from application_cert_20221216 to app_cert, but this did not help either.

    We would like to point out another issue we are going to have if we can solve this issue with the OTA. Since we need to program each device at first using the Uniflash tool, we cannot program our devices after the 15th of December this year, since our old certificate is then expired and our new certificate is not supported by the Uniflash tool. Is there any update of the software to be released before our certificate expiry date to tackle this problem?
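
The composite error in the UART log above can be decoded back to the sl_FsClose() return value. This is an added Python example, not code from the thread or from the TI/AWS sources; it assumes kOTA_PAL_ErrMask covers the low 24 bits of the OTA_Err_t and the OTA error class sits in the top byte (consistent with the "(1:0xffd7ce)" split printed by the OTA agent), and its name table holds only the error value quoted in the thread.

```python
"""Decode the composite OTA error printed in the log above.

prvPAL_CloseFile() ORs the sl_FsClose() result (masked with kOTA_PAL_ErrMask)
into an OTA agent error class, so "Error (1:0xffd7ce)" and the job status
reason "0x01ffd7ce: 0xfffffffe" still carry the SimpleLink code in their low
bits. Assumed (consistent with the 1:0xffd7ce split, not stated on the page):
the mask covers the low 24 bits and the class is the top byte.
"""
from dataclasses import dataclass

OTA_PAL_ERR_MASK = 0x00FFFFFF   # assumed value of kOTA_PAL_ErrMask
OTA_MAIN_ERR_SHIFT = 24         # assumed kOTA_MainErrShiftDownBits

# Only the value quoted in the thread; extend from your SDK's errors.h.
SL_ERRORS = {
    -10290: "SL_ERROR_FS_WRONG_SIGNATURE_OR_CERTIFIC_NAME_LENGTH",
}


def sign_extend(value: int, bits: int) -> int:
    """Interpret the low `bits` bits of `value` as a two's-complement integer."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


@dataclass(frozen=True)
class DecodedOtaError:
    ota_class: int   # top byte of the OTA_Err_t (the "1" in the log line)
    sl_error: int    # sl_FsClose() return value, sign-extended
    sl_name: str     # symbolic name from errors.h, if known


def decode_ota_error(composite: int) -> DecodedOtaError:
    """Split a composite OTA_Err_t into its OTA class and the SimpleLink code.

    The PAL masks a negative int32 down to 24 bits, so the sign must be
    restored from bit 23 before the value can be looked up: 0xffd7ce -> -10290.
    """
    ota_class = (composite >> OTA_MAIN_ERR_SHIFT) & 0xFF
    sl_error = sign_extend(composite & OTA_PAL_ERR_MASK, OTA_MAIN_ERR_SHIFT)
    return DecodedOtaError(ota_class, sl_error,
                           SL_ERRORS.get(sl_error, "unknown SimpleLink error"))


def decode_status_reason(reason: str):
    """Parse the "reason" field of the FAILED status, e.g. "0x01ffd7ce: 0xfffffffe".

    Returns (DecodedOtaError, ingest_result); the second value is the
    IngestResult_t sign-extended from 32 bits (-2 in the log above).
    """
    ota_hex, ingest_hex = (part.strip() for part in reason.split(":"))
    return decode_ota_error(int(ota_hex, 16)), sign_extend(int(ingest_hex, 16), 32)


if __name__ == "__main__":
    # Constructed from the log lines quoted in the thread.
    err, ingest = decode_status_reason("0x01ffd7ce: 0xfffffffe")
    print(f"OTA class {err.ota_class}: sl_FsClose() returned {err.sl_error} "
          f"({err.sl_name}); IngestResult_t = {ingest}")
```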

  • Did you add the log as an "image/video/file" attachment? For some reason I can't download it. Please try to add it again.

    Can you also send the entire certificate chain for review? 

  • I added the code below as a "code snippet" in plain text format:


    Below the certificate chain:


  • Can you put the log in some file server (google drive?) and send me a link to it?

    I can't download the one you uploaded. I'm not sure what the problem is (you should insert it as a file).

  • Something is wrong with the format of the file.

    Note that it should be a binary file and not a txt.

  • Kobi,

    The data before was just copied from the screen terminal in MAC.

    The log below is the raw log file from putty.exe, as described in the datasheet. Hope this works now.

      CC3235SF_OTA_20221020_141535.log

  • This one is ok. Thanks.

    What I just learned is that the secure file signature can't be more than 256B. The support of 512B is for the chain itself. So you can use a chain that internally includes 512B signatures, but when you generate your own private key and CSR it should use a shorter key so the image signature will be up to 256B.

  • Hey Kobi. Can this be supported via a service pack update or is this a hardware limitation? We use a code signing certificate from DigiCert and they have changed their policy about code signing certificates. As of the end of May, DigiCert will no longer allow you to generate code signing certificates smaller than 3072 key size. https://knowledge.digicert.com/alerts/code-signing-new-minimum-rsa-keysize.html
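
A check a practitioner can run on a new certificate before building an image, following Kobi's explanation that only the image signature (not the chain) is capped at 256 bytes: this added Python example, not TI's or DigiCert's code, reads the RSA modulus size out of a PEM/DER RSAPublicKey, SubjectPublicKeyInfo or X.509 certificate with a minimal DER reader and derives the signature length, so a 3072-bit leaf key shows up as a 384-byte signature that exceeds the limit. The sample key is a constructed dummy modulus, and the 256-byte default is the figure stated in the thread.

```python
"""Check a code-signing key against the CC3235 256-byte image-signature limit.

Only the leaf signing key matters: an RSA signature is one modulus long, so
RSA-2048 -> 256 B fits and RSA-3072 (DigiCert's new minimum) -> 384 B does not.
Accepts an RSAPublicKey, a SubjectPublicKeyInfo or an X.509 Certificate (DER).
"""
import base64


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at `pos`; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq: bytes):
    pos = 0  # yields (tag, content, raw TLV bytes) for each element of a SEQUENCE
    while pos < len(seq):
        tag, content, end = _tlv(seq, pos)
        yield tag, content, seq[pos:end]
        pos = end


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour lines and base64-decode the body."""
    lines = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus size in bits of the RSA key inside `der` (key, SPKI or certificate)."""
    tag, body, _ = _tlv(der)
    items = list(_children(body)) if tag == 0x30 else []
    tags = [t for t, _, _ in items[:2]]
    if tags == [0x02, 0x02]:                       # RSAPublicKey ::= SEQUENCE { n, e }
        n = items[0][1].lstrip(b"\x00")            # drop the INTEGER sign-padding byte
        return (len(n) - 1) * 8 + n[0].bit_length()
    if tags == [0x30, 0x03]:                       # SubjectPublicKeyInfo { alg, BIT STRING }
        return rsa_modulus_bits(items[1][1][1:])   # skip the BIT STRING unused-bits byte
    if tags == [0x30, 0x30]:                       # Certificate { tbsCertificate, sigAlg, sig }
        tbs = [raw for t, _, raw in _children(items[0][1]) if t != 0xA0]  # drop [0] version
        return rsa_modulus_bits(tbs[5])            # serial, sigAlg, issuer, validity, subject, SPKI
    raise ValueError("not an RSA key, SubjectPublicKeyInfo or certificate")


def signature_bytes(modulus_bits: int) -> int:
    """A PKCS#1 RSA signature is exactly one modulus long, rounded up to whole bytes."""
    return (modulus_bits + 7) // 8


def fits_signature_limit(der: bytes, limit: int = 256) -> bool:
    """True if images signed with this key pass the 256 B secure-file signature check."""
    return signature_bytes(rsa_modulus_bits(der)) <= limit


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used here only to build constructed sample inputs."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_rsa_public_key(bits: int) -> bytes:
    """Constructed RSAPublicKey DER with a dummy `bits`-bit modulus; NOT a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # top bit set -> exact size
    return der_encode(0x30, der_encode(0x02, b"\x00" + n) + der_encode(0x02, b"\x01\x00\x01"))
```

Run `fits_signature_limit(pem_to_der(open("signing_cert.pem").read()))` on the actual leaf certificate (file name is a placeholder) to see whether the image signature will pass sl_FsClose().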

  • Theoretically this can be fixed by a service pack. I'll need to double check if there are any limitations there.

    The hardware limits using keys > 2048b in production (i.e. before the first SP is loaded), and since this was the main issue for our customers we recommended that they program their own catalog (see https://www.ti.com/lit/pdf/swru547) and use self-signed keys.

    Since a service pack can (theoretically) solve your use-case, I'll raise the requirement for the next SDK release.

    I'll update here when I have more info.

  • BTW, what is the reason you need to create a new certificate? Can't you just use your old certificate for that?

    (during the code signature verification we are not checking date validity). 

  • We are using the same certificate to initially flash the devices and to perform OTAs. We are still in the process of rolling out new devices. If I remember correctly, the expiry date of the certificate is validated when flashing the device with Uniflash. That is the reason we need to update/replace our certificate.

  • The expiration date is not checked for code signature verification (only during TLS).

    You can use your existing certificate.

  • Hi Kobi,

    Since we use the AWS system to deploy our OTA updates we cannot use the certificate after the expiration date.

    We tried the path of using a self signed certificate.  To use our self signed certificate we need to update the certificate catalog in the OTP memory.  

    This works fine when using Uniflash, but we cannot do this for the devices already deployed.  

    For the deployed devices we need to provide the certificate catalog through an OTA. The documentation mentions creating an OTA file to update the OTP, but this works only with the OTA libraries from TI and cannot be used with the AWS OTA we're using now.

    Is there a workaround that we can write the OTP from the device itself? 

    Our idea is hard coding the certificate catalog in our firmware, sending the new firmware through an OTA to our devices and then using the flash write functions to write the catalog into the OTP memory. Is there any documentation available for writing and reading the OTP?

  • There is no way to write to OTP with an OTA. Only using uniflash.

    However, I don't think there is a problem that prevents using specific certificate when using the AWS OTA.

    As far as I remember they support a method that accepts an already signed image (providing the signature with the image), so this enables you to use whatever certificate you have.