LAUNCHCC3220MODASF: SLImageCreator fails with Error: list index out of range

Part Number: LAUNCHCC3220MODASF

Hi,

I have tried to create an OTP file following https://www.ti.com/lit/ug/swru547a/swru547a.pdf?ts=1612165357917&ref_url=https%253A%252F%252Fwww.google.com%252F, chapter 7.

Certificate chain:

* ca_ste.key is my self-created private CA key (vendor_root_ca_key)
* ca_ste.pem is my self-created vendor_root_ca public certificate, signed by ca_ste.key
* ste.pem is my self-created vendor-root public certificate, signed by ca_ste.key
* ste_key is my self-created vendor-root private key.

The step in 7.1.1, Creating the Certificate Catalog, succeeded, using ca_ste.der in the folder.

The step in 7.1.2, Signing the Certificate Catalog, succeeded; in this step I used my private vendor key (ste_key).

The step in 7.2.1, Creating the OTP Metadata File, fails.

I have tried the following call:

SLImageCreator.exe tools meta --cert "D:\certificate_chain\MySSLChain\input_certs\ste.pem" --out_file "D:\certificate_chain\vendor_otp.meta" --mac "000000000000" --usechain

Command fails with:

Error: list index out of range

I don't know why.

Do I have to use my root CA certificate as PEM (ca_ste.pem, which contains only the certificate)? Or do I have to use ste.pem?

It is not clear to me whether the cert has to contain the private key and the public certificate or not.

BR,

Arnaud

  • You need to create the metadata with a root CA (e.g. --cert ".../ste_ca.pem").

    The root CA (within the OTP) will be used to verify the catalog signature (so it can't be based on the content of the catalog).

    Br,

    Kobi

  • Hi Kobi,

    Thank you, I will give it a try and will report back whether it solved my problem.

    BR,

    Arnaud

  • Hi Kobi,

    I gave it another shot. Here is what I am doing, but it won't succeed, and I don't know why:

    ## Generate Private Key

    openssl genrsa -des3 -out ca.key 4096

    ## OpenSSL verify Private Key content (optional)

    openssl rsa -noout -text -in ca.key

    ## Create Certificate Authority Certificate

    openssl req -new -x509 -days 8096 -key ca.key -out ca.cert.pem

    ## OpenSSL verify CA certificate (optional)

    openssl x509 -noout -text -in ca.cert.pem

    ## Generate a server key and request for signing (CSR)

    ### Generate key

    openssl genrsa -des3 -out vendor.key 4096

    ### Generate request for signing

    openssl req -new -key vendor.key -out vendor.csr

    ### Verify CSR (optional)

    openssl req -noout -text -in vendor.csr

    ### Sign a certificate with CA

    openssl x509 -req -days 8096 -in vendor.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out vendor.crt

    ### OpenSSL verify server certificate (optional)

    ## Following the guide from swru547a.pdf

    ### Convert pem from ca cert to der

    openssl x509 -in ca.cert.pem -out ca.cert.der -outform DER

    ### Creating the Certificate Catalog

    SLImageCreator.exe tools make_cert_catalog --cert_folder "D:\opensslchain\otp\ExampleknownCA" --out_file "D:\opensslchain\otp\Certs\certificate_Catalog.lst"

    ### Signing the Certificate Catalog

    #### Create pem file from key file:

    openssl rsa -in vendor.key -out vendor.key.pem -outform PEM

    Using this file for signing the catalogue.

    SLImageCreator.exe tools sign --file "D:\opensslchain\otp\Certs\certificate_Catalog.lst" --priv "D:\opensslchain\vendor.key.pem" --out_file "D:\opensslchain\otp\Certs\certificate_Catalog.lst.signed.bin" --fmt "BINARY_SHA1"

    ### Creating the OTP Metadata File

    1st try, following your answer:

    PS D:\opensslchain> SLImageCreator.exe tools meta --cert "D:\opensslchain\vendor.key.pem" --out_file "D:\opensslchain\otp\vendor_otp.meta" --mac "000000000000" --usechain

    Error: 'long' object has no attribute '__getitem__'

    Failed because of the reason above.

    2nd try with key file:

    SLImageCreator.exe tools meta --cert "D:\opensslchain\vendor.key" --out_file "D:\opensslchain\otp\vendor_otp.meta" --mac "000000000000" --usechain

    Error: Incorrect padding

    So I am confused; what am I doing wrong?

  • You can't store the private key in the OTP metadata. You need to store the root CA certificate that will serve as the root of trust for the device.

    In your example it will be: --cert "ca.cert.pem"

    And you should sign the catalog and the metadata (signature 1) with your private key ("ca.key").

    You will then need to keep your private key safe (and use it only when you update the catalog).

    Br,

    Kobi

  • Hi Kobi,

    OK, I was a little bit confused by the documentation. I will give it a try.

    BR,

    Arnaud

  • Hi Kobi,

    That worked for me. In addition I had to change my key length from openssl genrsa -des3 -out ca.key 4096 to openssl genrsa -des3 -out ca.key 2048, and from openssl genrsa -des3 -out vendor.key 4096 to openssl genrsa -des3 -out vendor.key 2048.

    Now I am facing new problems while adding my own certificate chain to UniFlash.

    Attached you will see my properties in UniFlash. Because I don't know better, I have used ca.cert.der as the file for UniFlash, because the playground files also follow that naming (dummy-root-ca-cert), which suggests to me that it is the root CA.

    BR,

    Arnaud

  • The device (Hardware) only supports RSA keys up to 2048b.

    This means that in the initial programming (by Uniflash) process, you can only use keys up to 2048b.

    After a new SP is installed, the firmware will be able to support 4096B keys (so an RSA 4096 certificate can be used when the SW writes a secure file, e.g. in an OTA update).

    See the programmers guide (https://www.ti.com/lit/pdf/swru455) for more details (e.g. section 8.4.7).

    Br,

    Kobi

  • Hi Kobi,

    Yeah, that's right, but I have changed it to 2048. See openssl genrsa -des3 -out ca.key 4096 to openssl genrsa -des3 -out ca.key 2048.

    And then I ran through the whole process again. But the failure with UniFlash is still there. The source of the problem seems to be the file certificate_Catalog.lst.signed.bin, which in my case is 512 bytes in size. Your files provided from the playground are 256 bytes in size.

    But I don't know what the problem is. I have no option to change what comes out of SLImageCreator.exe.

    Here again is my complete new chain based on 2048 Bytes keys:

    ## Generate Private Key

    openssl genrsa -des3 -out ca.key 2048

    ## OpenSSL verify Private Key content (optional)

    openssl rsa -noout -text -in ca.key

    ## Create Certificate Authority Certificate

    openssl req -new -x509 -days 8096 -key ca.key -out ca.cert.pem

    ## OpenSSL verify CA certificate (optional)

    openssl x509 -noout -text -in ca.cert.pem

    ## Generate a server key and request for signing (CSR)

    ### Generate key

    openssl genrsa -des3 -out vendor.key 2048

    ### Generate request for signing

    openssl req -new -key vendor.key -out vendor.csr

    ### Verify CSR (optional)

    openssl req -noout -text -in vendor.csr

    ### Sign a certificate with CA

    openssl x509 -req -days 8096 -in vendor.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out vendor.crt

    ### OpenSSL verify server certificate (optional)

    ## Following the guide from swru547a.pdf

    ### Convert pem from ca cert to der

    openssl x509 -in ca.cert.pem -out ca.cert.der -outform DER

    ### Creating the Certificate Catalog

    SLImageCreator.exe tools make_cert_catalog --cert_folder "D:\openssl_chain_2048\otp\ExampleKnownCA" --out_file "D:\openssl_chain_2048\otp\Certs\certificate_Catalog.lst"

    ### Signing the Certificate Catalog

    #### Create pem file from key file:

    openssl rsa -in vendor.key -out vendor.key.pem -outform PEM

    Using this file for signing the catalogue.

    SLImageCreator.exe tools sign --file "D:\openssl_chain_2048\otp\Certs\certificate_Catalog.lst" --priv "D:\opensslchain\vendor.key.pem" --out_file "D:\openssl_chain_2048\otp\Certs\certificate_Catalog.lst.signed.bin" --fmt "BINARY_SHA1"

    ### Creating the OTP Metadata File

    SLImageCreator.exe tools meta --cert "D:\openssl_chain_2048\ca.cert.pem" --out_file "D:\openssl_chain_2048\otp\vendor_otp.meta" --mac "000000000000" --usechain

    ### Signing the OTP Metadata File

    SLImageCreator.exe tools sign --file "D:\openssl_chain_2048\otp\vendor_otp.meta" --priv "D:\openssl_chain_2048\vendor.key.pem" --out_file "D:\openssl_chain_2048\otp\vendor_otp.meta.sig" --fmt "BINARY_SHA2"

    ### Create the OTP Information File

    SLImageCreator.exe tools inf --algo 2 --sign1 "D:\openssl_chain_2048\otp\vendor_otp.meta.sig" --sign2 "D:\openssl_chain_2048\otp\vendor_otp.meta.sig" --meta "D:\openssl_chain_2048\otp\vendor_otp.meta" --out_file "D:\openssl_chain_2048\otp\vendor_otp.inf"

    So please give me a hint about what's going wrong. I have provided my whole certificate chain for you. It is only an example and will never be used in production.

    Password for ca.key is test

    Password for vendor.key is test2

    BR,

    Arnaud

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/968/openssl_5F00_chain_5F00_2048.7z
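A pre-flight check for the three pitfalls this thread runs into, as an added example (not TI's tooling and not code from either poster): a private key handed to --cert instead of the root CA certificate, a still-passphrase-protected key handed to --priv, and a signature whose size does not match the key, as with the 512-byte certificate_Catalog.lst.signed.bin above (note that the sign command in the last post still takes --priv from D:\opensslchain\, the folder of the earlier 4096-bit key). It assumes PKCS#1 "RSA PRIVATE KEY" PEM files, which is what openssl genrsa and openssl rsa write, and that the .signed.bin output holds the raw RSA signature, so its size equals the modulus size; the sample key builder only produces a structural shell for testing, not a real key.

```python
import base64
import re

MAX_RSA_BITS = 2048  # hardware limit for initial programming through Uniflash (per the reply above)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def inspect_pem(text):
    """Classify a PEM file: ('certificate' | 'rsa-private-key' | 'encrypted-private-key' | 'unknown', bits)."""
    for label, body in PEM_RE.findall(text):
        if "Proc-Type: 4,ENCRYPTED" in body:  # header written by `openssl genrsa -des3`
            return "encrypted-private-key", None
        if label == "CERTIFICATE":
            return "certificate", None
        if label == "RSA PRIVATE KEY":  # PKCS#1: SEQUENCE { version, n, e, d, p, q, dp, dq, qinv }
            _, seq, _ = der_tlv(base64.b64decode("".join(body.split())))
            _, _, pos = der_tlv(seq)  # skip the version INTEGER
            _, n, _ = der_tlv(seq, pos)  # the modulus INTEGER (may carry a leading 0x00)
            return "rsa-private-key", int.from_bytes(n, "big").bit_length()
    return "unknown", None

def preflight(cert_pem, priv_pem, signed_size=None):
    """Return the problems found; an empty list means the inputs follow the rules given in the thread."""
    problems = []
    kind, _ = inspect_pem(cert_pem)
    if kind != "certificate":
        problems.append(f"--cert must be the root CA certificate (got {kind})")
    kind, bits = inspect_pem(priv_pem)
    if kind != "rsa-private-key":
        problems.append(f"--priv must be an unencrypted RSA key, see `openssl rsa -in key -out key.pem` (got {kind})")
    elif bits > MAX_RSA_BITS:
        problems.append(f"{bits}-bit key exceeds the {MAX_RSA_BITS}-bit limit for initial programming")
    elif signed_size is not None and signed_size != bits // 8:
        problems.append(f"signature is {signed_size} bytes but a {bits}-bit key gives {bits // 8}: signed with another key?")
    return problems

def sample_rsa_key_pem(bits):
    """CONSTRUCTED sample, not a usable key: a PKCS#1 shell whose dummy modulus has exactly `bits` bits."""
    def der(tag, val):  # DER TLV with a short or two-byte long-form length
        return bytes([tag]) + (bytes([len(val)]) if len(val) < 0x80 else b"\x82" + len(val).to_bytes(2, "big")) + val
    n = b"\x00" + (1 << (bits - 1)).to_bytes(bits // 8, "big")  # leading 0x00 keeps the INTEGER positive
    body = b"".join(der(0x02, v) for v in [b"\x00", n] + [b"\x01"] * 7)  # version, n, then 7 dummy INTEGERs
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % base64.b64encode(der(0x30, body)).decode()
```

Run preflight(open("ca.cert.pem").read(), open("vendor.key.pem").read(), os.path.getsize("certificate_Catalog.lst.signed.bin")) on the real files; a 512-byte signature next to a 2048-bit key is reported as a key mismatch rather than a tool problem.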