CC3220: Question about code signing certs

Part Number: CC3220
Other Parts Discussed in Thread: UNIFLASH, SHA-256

Hello,

I am trying to decide whether to purchase an RSA or ECDSA code signing certificate for the CC3220SF.  

After reading SWRU455E,

"Using the private key, the file digital signature is generated. The signature is a standard digital
signature; the algorithm first calculates the SHA of the file content and then the SHA result is encrypted
using the private key. The supported signature types are: PKCS#1, RSA 256 or 128 bytes, SHA_1 (the
signature length is 256 or 128 bytes). The signature for the file can be created by standard tools, or by
the UniFlash Image Creator tool (using the private key)."

In the OTA example, you use an ECDSA certificate to validate the package, but for programming the SFLASH you use an RSA certificate. Could you answer the following questions?

  1. Is it possible to use ECDSA to create signatures for files stored on the SFLASH?
  2. Is SHA-1 the only supported hash for file signatures on the SFLASH?  SHA-256 is not supported?
  3. All certificates in the chain of trust must be RSA?  ECDSA in the cert chain is not supported?
  4. It seems there are only two supported signature types for secure files in SFLASH. Is this correct?
    1. RSA-128 of a SHA1 hash with PKCS#1 padding
    2. RSA-256 of a SHA1 hash with PKCS#1 padding
  5. The OTA ECDSA signature verification is completely separate from file system signature verification and we do not need to include the certificate chain for the OTA ECDSA certificate on the file system?

Thank you.

  • Hi Ironman,

    1. No, that is not possible.
    2. SHA-128 and SHA-256 are supported.
    3. Yes, all of the certificates in the chain of trust must be RSA.
    4. Yes, that is correct.
    5. The OTA signature verification uses a different mechanism from the file system signature verification system, but you do need to include the public certificate corresponding to the private key used to sign the OTA package on the file system. This public cert can be part of a cert chain, but it is not required to include the chain as the device will not check the root of the chain against the cert store.

    More information on the certificate handling of the CC3220 can be found in this appnote:
    www.ti.com/.../swpu332.pdf

    Let me know if you have other questions.

    Regards,
    Michael
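
The signing step quoted from SWRU455E and the RSA-only chain rule from the reply, sketched as an added example that is not part of the thread and is not TI's tooling. OpenSSL stands in for the "standard tools"; the function names, file arguments and the SHA-1 default are assumptions of this example.

```shell
#!/bin/sh
# Added example: OpenSSL used as the "standard tool"; all names are hypothetical.

# Sign FILE with an RSA private KEY: hash the content, then RSA PKCS#1 v1.5.
# DIGEST defaults to sha1, the type named in the SWRU455E excerpt.
sign_file() {  # sign_file KEY FILE SIG [DIGEST]
    openssl dgst "-${4:-sha1}" -sign "$1" -out "$3" "$2"
}

# Verify SIG over FILE with the public key taken from CERT.
verify_file() {  # verify_file CERT FILE SIG [DIGEST]
    pub=$(mktemp) || return 1
    rc=0
    { openssl x509 -in "$1" -noout -pubkey > "$pub" &&
      openssl dgst "-${4:-sha1}" -verify "$pub" -signature "$3" "$2" >/dev/null
    } || rc=$?
    rm -f "$pub"
    return "$rc"
}

# Signature length in bytes; the excerpt lists 256 or 128
# (a 2048-bit or 1024-bit RSA key respectively).
sig_len() { wc -c < "$1" | tr -d ' '; }

# Succeed only if every certificate in a PEM bundle carries an RSA public key.
chain_all_rsa() {  # chain_all_rsa CHAIN.pem
    algs=$(openssl crl2pkcs7 -nocrl -certfile "$1" |
           openssl pkcs7 -print_certs -text -noout |
           sed -n 's/^ *Public Key Algorithm: *//p')
    [ -n "$algs" ] || return 1
    for a in $algs; do
        [ "$a" = "rsaEncryption" ] || { echo "non-RSA key in chain: $a" >&2; return 1; }
    done
}
```

Running `chain_all_rsa` over the full bundle a CA issues (leaf, intermediates, root) before purchase shows whether any link uses an EC key.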