CC3220: Question about code signing certs with OTA

Part Number: CC3220
Other Parts Discussed in Thread: UNIFLASH

Hi,

We're trying to move to production with the CC3220S and I am having trouble with the OTA key and certificate I created according to these instructions from the TI Resource Explorer article about Wi-Fi OTA. dev.ti.com/.../

Generate the private key

openssl ecparam -name prime256v1 -genkey -out ota_vendor_key.pem

Generate the public certificate

openssl req -new -x509 -key ota_vendor_key.pem -out ota_vendor_cert.pem -days 730

I have created these files as shown. Note that they are .pem files. Uniflash does accept the private key as a .pem. I remember reading that the CC3220 works with .pem files although I don't remember where I saw that. I have tried this with the cert changed to a der file, but that didn't help. I could not determine how to convert the key file to a der file, and maybe that would fix this. 

I modified the OtaArchive.c file of the ota source as shown:

#define BUNDLE_CMD_FILE_NAME "ota.cmd"
#define BUNDLE_CMD_SIGNATURE_FILE_NAME "ota.sign"
#define OTA_CERTIFICATE_NAME "ota_vizco_cert.pem"
// #define OTA_CERTIFICATE_NAME "dummy_ota_vendor_cert.der"
#define BUNDLE_CMD_MAX_OBJECT_SIZE (1000)

Note that I changed the OTA_CERTIFICATE_NAME to ota_vizco_cert.pem which was generated by the (modified) openssl command above.

By the way, the OTA process works well with Dropbox when I use the "dummy" key and cert, but it fails to verify the file signature when I try to use the certs I have generated.

This shows a snippet of the debug trace from the ota library. 

[_BundleCmdFile_Parse] bundle cmd file=/sys/servicepack.ucf, sig_len=256, SHA_256_Digets=5c842c3139ecda90f0c15723f920a392b8d4d19f03281ee226359308f758f06e, cert=, secured=1, bundle=1
Signal Event 10-CONTINUE
Provisioning: State = OTA_RUN, Event=CONTINUE, Next State=OTA_RUN
OtaArchive_RunParseTar: parsing archive file header
OtaArchive_RunParseTar: skip block align RecvBufLen=863, SkipAlignSize=463
Signal Event 10-CONTINUE
Provisioning: State = OTA_RUN, Event=CONTINUE, Next State=OTA_RUN
OtaArchive_RunParseTar: parsing archive file header
OtaArchive_RunParseTar: FileType=0, FileName=ota.sign, FileSize=70
Signal Event 10-CONTINUE
Provisioning: State = OTA_RUN, Event=CONTINUE, Next State=OTA_RUN
[verifySignature] cert name=ota_vizco_cert.pem
[_BundleCmdSignatureFile_Parse] signature verification failed!
OtaArchive_RunParseTar: ERROR in _BundleCmdSignatureFile_Parse, Status=-12291
OTA_run: ERROR OtaArchive_RunParse, Status=-12291

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=2/5, return only WARNNING

I made sure that I was compiling the ota library and I rebuilt the application and verified it was using the new ota.a library file.

I'm out of ideas to try. Could you help me with this?

Thanks,

Chuck

  • Hi Chuck,

    The certificate should appear in DER format.
    Please use the following command to convert it to "ota_vendor_key.der":
    -> openssl x509 -outform der -in ota_vendor_cert.pem -out ota_vendor_cert.der

    So, after you generate the key and public certificate - convert the latter to DER format (then install it to the file system and update the "OTA_CERTIFICATE_NAME" definition).
    The image itself can be signed using either the PEM (or DER) key.

    Br,
    Kobi
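
A pre-flight check for the steps discussed in this thread, added here as an example (it is not code from the thread or from TI): it confirms the certificate file is DER-encoded, that it carries the public half of the signing key, and that a signature made with the key verifies against that certificate. The function names, the `-subj` value and the ota.cmd contents are constructed, and ECDSA over SHA-256 is an assumption about the signature format.

```shell
#!/bin/sh
# Added example (not TI code). File names follow the thread; ota.cmd is constructed.

# Print PEM, DER or UNKNOWN for a certificate file.
cert_encoding() {
    if head -c 11 "$1" | grep -q -- '-----BEGIN'; then echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then echo DER
    else echo UNKNOWN; fi
}

# True only if the DER certificate holds the public half of the EC private key.
cert_matches_key() {   # $1 = DER certificate, $2 = PEM EC private key
    from_cert=$(openssl x509 -inform der -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl ec -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Sign $1 with the private key, then verify using only the DER certificate.
sign_and_verify() {    # $1 = file, $2 = PEM key, $3 = DER certificate
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1" || return 1
    openssl x509 -inform der -in "$3" -noout -pubkey > "$1.pub" || return 1
    openssl dgst -sha256 -verify "$1.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Build a throwaway key, certificate (PEM and DER) and sample file; print the directory.
make_sample() {
    d=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -out "$d/ota_vendor_key.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/ota_vendor_key.pem" -out "$d/ota_vendor_cert.pem" \
        -days 730 -subj "/CN=example-ota-vendor" 2>/dev/null   # subject is a placeholder
    openssl x509 -outform der -in "$d/ota_vendor_cert.pem" -out "$d/ota_vendor_cert.der"
    printf 'constructed sample ota.cmd\n' > "$d/ota.cmd"
    echo "$d"
}

# Run every check against the sample material.
preflight() {
    d=$(make_sample) || return 1
    [ "$(cert_encoding "$d/ota_vendor_cert.der")" = DER ] || { echo "cert is not DER"; return 1; }
    cert_matches_key "$d/ota_vendor_cert.der" "$d/ota_vendor_key.pem" || { echo "cert/key mismatch"; return 1; }
    sign_and_verify "$d/ota.cmd" "$d/ota_vendor_key.pem" "$d/ota_vendor_cert.der" || { echo "verify failed"; return 1; }
    echo "pre-flight OK"
}

preflight
```

To check real material, call the three check functions on your own key, DER certificate and command file instead of the output of `make_sample`.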