CC3220: 10289 SL_ERROR_FS_WRONG_SIGNATURE_SECURITY_ALERT when closing file with certificate

Cedric Gerber

Part Number: CC3220

Hi,

I'm trying to update the file mcuflashimg.bin on the cc3220modasf and am getting an error 10289 SL_ERROR_FS_WRONG_SIGNATURE_SECURITY_ALERT when closing the file. Here are the steps I am following:

I'm flashing once with Uniflash, using the catalog certcatalogPlayGround20160911.lst (It gets renamed to certcatalogPlayGround.lst when I upload the FW file to uniflash, I guess it still points to the correct one... )

I leave the dummy-root-ca-cert as certificate for the file. All three files of the certificate chain are present on the file system (dummy-root-ca-cert, dummy-trusted-ca-cert, dummy-trusted-cert)

I then program the device with uniflash.

Then I use the tools/"sign file" of Uniflash to sign the exact same binary using the dummy-root-ca-cert-key. I send both the binary and the signature to the device using our own library and try to write the file which always fails on close with the error: -10289 SL_ERROR_FS_WRONG_SIGNATURE_SECURITY_ALERT.

I close it with the command sl_FsClose(FileHandle, "dummy-root-ca-cert", &buff, 256);

I have tried the same thing using the dummy-trusted-cert and its key, I get the same error.

Note: I'm disabling the cert store in slnetsock using SLNETSOCK_SEC_ATTRIB_DISABLE_CERT_STORE to use our self signed certificate for HTTPS communication. I suppose this shall have no influence on the file system certificates.

Any idea what can be the issue?

over 7 years ago

0 made4engineering over 7 years ago

TI__Mastermind 27605 points

Hi Cedric,

Please see the app note here: http://www.ti.com/lit/swpu332

-Aaron

0 Cedric Gerber over 7 years ago in reply to made4engineering

Expert 2310 points

Hi Aaron,

Thanks I did not know this app note. But I already apply what is explain in it.

When I generate the OTA package, in the ota.cmd file I see the following:

"digest":"2293604760f0175dcebe7aba0f20f1ea2b5bfc04290e9d2a64c84e1ee70fc41a",
"certificate":"dummy-root-ca-cert",
"signature_base64":"huNIeH0DVN/jB7s2mnVxZ5uxKu4LklCygAoX9buia2nNj/JC4EqQvAQ3aQ9KOSMeaZbp8bJuiPy+/CZXPhFTRs2uvXksIy5FSLX/Zn53qm99UtY7onPbum1s+mJV5cBbyOfmkYlIhzSb3SsWpWYkxvbTzsEVMAafGMU1tYp6ZBdafFmk4z9G/wNrIk5J+9jDD47YDgBZB8kMI9GF9XvFTLIYaY8wOt1/vhBmjcIe3jWGmH/GA5JyZc0v1GrUsHbOWkiZgmdaOYoidOqJ8VAxyD2/o0qoImmFlxzMMBR/YcIdrcKgOhr1JiEoXCmOK8dRy5UK0XWTRzOZgMXgYa2i0g==",
"secured":1,
"bundle":1,
"filename":"/sys/mcuflashimg.bin"

But when generating the signature for the same file with uniflash and the dummy-root-ca-cert-key I get the following which does not match the one from the OTA.

b4zBdBiUXLYjM5GNN+sIT9oOHoIOgYBAg2JipwLcZ2cNjKLxacEMCY8RMovmgjfcL7RqwXdkMpTbWCCStzs096O4fwcRQTqar9RMRktnzpp+JCPFOvVKHEq1DOqkxTGDHla6z5vFiP61k49tYDe9jRYECyEdWXZE0bKoMK86Ml4ZYgmcCTjsp8osOY5XpDW1VxkKLY/Pz5AzCytaPKDn6VgQz5XlCp9aR7NjWaQVs5sM6VwAYOsCMC/WGVn7HkfY3gA8twCx0Gyt5bufsUU7doH1GU/oj8JNUFkbJU1ZKrqlsogqq96/EA3kVhuOAnCmKFwqng6INChm7lZAaFcJNA==

I suppose they should match?

So I've tried to follow this tutorial.

http://dev.ti.com/tirex/content/simplelink_academy_cc32xxsdk_1_13_00_29/modules/wifi_secure_file_system/wifi_secure_file_system.html

And when generating the signature with the command "openssl dgst -hex -c -sha1 -keyform DER -sign dummy-trusted-cert-key -out origin.hex.sign mcuflashimg.bin" the file now closes correctly but the CC3220 does not restart, I get nothing out of the console anymore.

0 Cedric Gerber over 7 years ago in reply to Cedric Gerber

Expert 2310 points

Thanks to the link below I discovered that Uniflash modifies the binary before flashing. So now I import the file in uniflash, export it, generate its signature and send it to the device. This works fine ;)

https://e2e.ti.com/support/wireless_connectivity/f/968/t/705658?tisearch=e2e-sitesearch&keymatch=firmware%20binary%20(mcuflashimg.bin)%20is%20stored%20at

Wi-Fi

Wi-Fi forum

CC3220: 10289 SL_ERROR_FS_WRONG_SIGNATURE_SECURITY_ALERT when closing file with certificate