CC3220MOD: CC3220MOD and AT Command Demo

Part Number: CC3220MOD
Other Parts Discussed in Thread: UNIFLASH

Hi

Still having some issues with the file system commands via AT Command Demo.

I'm trying to transfer a root certificate file, in PEM format, to /sys/cert/ca.der

I first use the file open, and it returns the fileID and a token. (For some reason last week it did not return a token, but now it does?)

Then I do a file write, using the fileID.

When I close the file, I get error 10370 (SL_ERROR_FS_FILE_IS_OPEN_FOR_WRITE)

Does this mean I need to do an "at+filectl=COMMIT,-142064371,/sys/cert/ca.der," before closing the file? Also, if I do, what is the returned new secure token used for?

Another question. The AT Command Demo has a receive buffer limited to 1024 bytes, but all my certificates are around 1.6k. Would extending the AT buffer to 2048 bytes have any negative knock-on effect elsewhere in the project?

Below are the actual strings I'm sending and receiving.

at+test

OK

at+filedel=/sys/cert/ca.der,

OK

at+fileopen=/sys/cert/ca.der,CREATE,57

+fileopen:382982955,-142064371

OK

at+filewrite=382982955,0,0,57,-----BEGIN CERTIF  (Data truncated)

+filewrite:57

OK


at+fileclose=382982955,/sys/cert/ca.der,

ERROR: process command,-10370

  • Extra question. Using AT+FileCtl=RESTORE,,,
    Does this set the file storage back to default, and how long does this command take to complete?
  • Hi Nick,

    You are trying to provide (in the fileclose) a certificate although the file was opened as non-secure (i.e. without the CREATE_SECURE flag). It should be kept empty.
    The main problem is that the certificate file you've provided is the current file (which is already opened for write, so the device fails to read it).
    When you want to add a certificate, you should use one of the following:
    1. Add it as non-secure (as in this case) without any signature and/or certificate file to verify the content.
    2. Add it as a secure file (|CREATE_SECURE), and close it with a different certificate (which already exists on the file system) and signature (signed by the key correlated to the 2nd certificate).

    The commit can be done only after the file is closed (and only if it is opened as FAILSAFE).

    The restore to factory default restores the original image (if it was created with a factory image, in the Uniflash settings). The time it will take depends on the image size.

    Br,
    Kobi
  • Hi Kobi

    Sorry, yes there was a mistake in my close, and have amended below. I don't want to sign my certificate, I just want it present to use for my Enterprise connection.

    In your reply you state under 1. add it as non secure.

    But below it is responding with SL_ERROR_FS_WRONG_CERTIFICATE_FILE_NAME... I re-flashed the CC3220MOD with Uniflash, and it always had the same error. I created the empty /sys/cert folder in Uniflash.

    Why does file open return a secure token? I'm not using CREATE_SECURE.


    at+test

    OK

    at+filedel=/sys/cert/ca.der,

    OK

    at+fileopen=/sys/cert/ca.der,CREATE,57

    +fileopen:1794088747,-1413969520

    OK

    at+filewrite=1794088747,0,0,57,-----BEGIN CERTI

    +filewrite:57

    OK

    at+fileclose=1794088747,,

    ERROR: process command,-10372    [SL_ERROR_FS_WRONG_CERTIFICATE_FILE_NAME]

  • Looking into this further... I changed the file name from ca.der to cows.txt. Now, I get no token on open and the file close is successful. Does this mean the system is determining I'm uploading a certificate, and it needs to be a CREATE_SECURE?

    Regards

    Nick


    at+test

    OK

    at+filedel=/sys/cert/cows.txt,

    ERROR: process command,-10341  [file does not exist, continue]

    at+fileopen=/sys/cert/cows.txt,CREATE,57

    +fileopen:1794053386,0

    OK

    at+filewrite=1794053386,0,0,57,-----BEGIN CERTI

    +filewrite:57

    OK

    at+fileclose=1794053386, ,

    OK

  • No, the ATCMD app doesn't know about the content of the file.
    It may indicate an issue with the command input (especially in regards to the "SL_ERROR_FS_WRONG_CERTIFICATE_FILE_NAME"): it looks like the parser identified a certificate name although your input is empty.
    I'll check the parser code, although I couldn't reproduce the issue.

    Br,
    Kobi
  • I will wait for your response Kobi. Hopefully you can let me know soon, as I have a demo to present to a customer. Regards Nick

  • Hi Nick,

    I'm not able to recreate this currently (see log below), so your help will expedite this debug.

    It can be helpful if you check the value of params->certFilename in ATCmdFile_closeParse (in atcmd_file.c) when the error occurs (by printing or setting a breakpoint, e.g. in line 365 before the ATCmd_errorResult call).

    Also please check the content (string) pointed by the "arg" input in this case.

    Br,

    Kobi

    Enter AT Command:

    at+fileopen=/sys/cert/c1.txt

    ERROR: number of parameters,0

    at+fileopen=/sys/cert/c1.txt,CREATE,10

    +fileopen:879454731,0

    OK

    at+filewrite=879454731,0,0,10,1234567890

    +filewrite:19

    OK

    at+fileclose=879454731,,

    OK

    at+fileopen=/sys/cert/c2.txt,CREATE,10

    +fileopen:842637069,0

    OK

    at+filewrite=842637069,0,0,10,1234567890

    +filewrite:10

    OK

    at+fileclose=842637069,,

    OK

    at+fileopen=/sys/cert/c3.txt,CREATE,57

    +fileopen:339912485,0

    OK

    at+filewrite=339912485,0,0,57,000001111122222333334444455555666667777788888999990000012

    +filewrite:57

    OK

    at+fileclose=339912485,,

    OK

    at+fileopen=/sys/cert/c4.txt,CREATE,57

    +fileopen:1159090233,0

    OK

    at+filewrite=1159090233,0,0,57,000001111122222333334444455555666667777788888999990000012

    +filewrite:57

    OK

    at+fileclose=1159090233, ,

    OK

  • Hi Kobi
    You have not tested with the "ca.der" file name. Mine always works with the *.txt filename; it only failed when I have the ca.der.

    Because the module is installed on the product, I don't have JTAG access on the product. I do have a dev board, but this is running different software. Can you please test again with the different file name?
    Regards
    Nick
  • Hi Nick,

    I can see this now. It is true only when you use the entire path "/sys/cert/ca.der". In such a case the file will be considered secure (even if you don't set the flags) and you'll need to use the certificate and signature (and to maintain the token).
    This is a reserved file for enterprise network certificates.
    You can set the "ca.der" file in other paths (e.g. just "ca.der") with no problem.

    Br,
    Kobi
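
The two close failures diagnosed in this thread, as an added example that is not part of any post: a host-side Python check that replays an AT Command Demo log and explains each failed at+fileclose. It assumes, from the logs above, that a non-zero second value in +fileopen means the file is being treated as secure; `diagnose` and `SAMPLE` are names made up for this example.

```python
import re
# Error names as quoted in the thread.
ERRORS = {-10370: "SL_ERROR_FS_FILE_IS_OPEN_FOR_WRITE",
          -10372: "SL_ERROR_FS_WRONG_CERTIFICATE_FILE_NAME"}

# Condensed from the sessions posted in the thread (write and some OK lines omitted).
SAMPLE = """\
at+fileopen=/sys/cert/ca.der,CREATE,57
+fileopen:382982955,-142064371
at+fileclose=382982955,/sys/cert/ca.der,
ERROR: process command,-10370
at+fileopen=/sys/cert/ca.der,CREATE,57
+fileopen:1794088747,-1413969520
at+fileclose=1794088747,,
ERROR: process command,-10372
at+fileopen=/sys/cert/cows.txt,CREATE,57
+fileopen:1794053386,0
at+fileclose=1794053386, ,
OK
"""

def diagnose(transcript):
    """Explain each failed at+fileclose in an AT Command Demo session."""
    opened, path, close, findings = {}, None, None, []
    for line in filter(None, map(str.strip, transcript.splitlines())):
        low = line.lower()
        if low.startswith("at+fileopen="):
            path = line.split("=", 1)[1].split(",")[0]
        elif low.startswith("+fileopen:") and path:
            file_id, token = map(int, line.split(":", 1)[1].split(","))
            opened[file_id] = (path, token)  # token 0: opened as non-secure
        elif low.startswith("at+fileclose="):
            f = [x.strip() for x in line.split("=", 1)[1].split(",")] + ["", ""]
            close = (int(f[0]), f[1], f[2])  # fileID, certificate, signature
        elif low.startswith("error") and close:
            code = int(re.search(r"-\d+", line).group())
            name, token = opened.get(close[0], ("?", 0))
            why = "unclassified"
            if close[1] == name:
                why = "close names the file being written as its certificate"
            elif token and not (close[1] and close[2]):
                why = "file treated as secure; close needs certificate and signature"
            findings.append((name, ERRORS.get(code, str(code)), why))
            close = None
        elif low == "ok":
            close = None  # last close succeeded, nothing to explain
    return findings

if __name__ == "__main__":
    print(*diagnose(SAMPLE), sep="\n")
```
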
  • Hi Kobi

    I can't change the folder or file name, as this is a fixed path for the enterprise connection details to work.

    I'm not sure how the signing works. Can I use the Dummy-Cert details used when creating the basic image in Uniflash?

    Do you have an example?

    Regards

    Nick

  • Hi Nick,

    If you need it for Enterprise connection, then this is the right place for the file.

    As for the signature, you'll need to have a valid key and certificate pair (the certificate should be signed by a root CA that appears in our Certificate Catalog). You'll have to sign the file with your private key, and when closing the file you should add the signature and the public certificate that is paired with the key.

    You can use dummy "Playground" certificates and keys for development (with the Playground certificate catalog), but for production, you'll have to use a valid certificate.

    See detailed instructions in the certificate handling guide ( ) and in the file system training ( ).

    BTW, if you open the file with the PUBLIC_WRITE flag, you will not need to maintain the master token if it is re-written (the token will still be needed if you want to delete the file).

    br,

    Kobi

  • Hi Kobi.

    I've looked at the documents suggested, but it is still not clear to me.

    Can you give me a little guidance?

    I have generated the certs below, using the following link: http://processors.wiki.ti.com/index.php/CC3120_%26_CC3220_Generate_Certificate

    So, when using the AT Commands, I need to put the cert.pem and the privkey.pem in the root of the image, then reference this certificate when transferring my EAP-TLS certificate?

    Regards

    Nick

  • Please refer to the certificate handling document (see link above) for more info about the TLS requirements.
    For EAP-TLS you need the Server's root CA certificate and the Client's certificate and private key.
    For enterprise connection they should be located in the following paths:
    • Server's Root CA – sys/cert/ca.der
    • Client certificate – sys/cert/client.der
    • Client's Private key – sys/cert/private.key

    Br,
    Kobi