CCS/CC3220SF: Production Certificates

Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH

Tool/software: Code Composer Studio


My project now has a code signing certificate signed by DigiCert. The delivery consisted of three files:

Filename          Issued To
==========================================================
TrustedRoot.crt   DigiCert Assured ID Root CA
DigiCertCA.crt    DigiCert SHA2 Assured ID Code Signing CA
mycompany.crt     My Company Name, LLC

The TrustedRoot is issued to "DigiCert Assured ID Root CA" and issued by "DigiCert Assured ID Root CA" which is listed in the certificate catalog, certcatalog20181112.lst.

These files correspond very well to the TI provided certificate playground files:

dummy-root-ca-cert
dummy-trusted-ca-cert
dummy-trusted-cert

The playground uses DER files so the CRT certificates were converted to DER with OpenSSL. The DER read correctly from Windows.

So I changed out the filename and certificate names, from the playground settings to the production settings. The image built without errors but bootloading a board resulted in error -677705143.

What is that error -677705143?

In SWPU332, SimpleLink™ Wi-Fi® Certificates Handling, section 2.2 "Installing the Certificates" it says:

"When installing a DER-formatted certificate chain, the filename of the root and intermediate
certificates (that is, all but the vendor certificate) should match exactly the value of the certificate’s “Issued
To” field. The “Issued To” value makes a full path that is relative to the file system’s root folder (unless the
field value contains subfolders, the certificates should be located in the root folder). The vendor (identity)
certificate can have any path or name as long as the full path is referenced when it is used in the
application code or in Uniflash."

Since the vendor certificate name can change, I tried again and removed the comma from its name. Error -677705143.

As an experiment, I went back to the playground build, added a file called "mytest.txt" but named it "Test File Name" with initial capital letters. When the CC3220SF file list is checked, it returns "test file name" without capitals and therefore the name does not match exactly.

Question: Does the TI toolchain support certificates with upper case letters?

  • The root cause was that the SLImageCreator --cert argument was set to the certificate filename rather than the actual name of the certificate.  In the playground these are identical so the playground settings worked fine.  In the general case these can be different.

    By the way, initial caps still get mapped to all lower case but that did not prevent the code from loading.  I found no documentation for the -677705143 return value.

    My mkimage batch file has been updated.  This is added to the Properties, Build, Steps, Post-build to automate the UCF image creation.

    Updated Image Creator Batch File:

    @ECHO OFF
    REM Version 1.2
    REM 03/27/2019
    REM mkimage <projname> <mcuimage.bin>
    REM This creates a UCF file with the patches and certificates.
    REM Set PRODUCTION to '0' for playground certs or '1' for production certs.
    
    
    set PRODUCTION='1'
    
    IF NOT "%~2"=="" IF "%~3"=="" GOTO ARGS_OK
    ECHO This script requires two parameters:
    ECHO - PROJECT_NAME
    ECHO - PROJECT_BIN
    GOTO :EOF
    
    :ARGS_OK
    
    
    set PROJECT_NAME=%1
    set PROJECT_IMAGE=%2
    set PROJECT_PATH=C:\ti\project_images\%PROJECT_NAME%\projects
    
    REM The QUIET parameter can be nothing or -q
    set QUIET=-q
    
    REM SDK 2.4
    set SERVICEPACK=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\servicepack-cc3x20\sp_3.10.0.5_2.0.0.0_2.2.0.6.bin
    
    IF NOT %PRODUCTION%=='1' GOTO ENDPRODUCTION
    
    set CERTS_LST=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\certificate-catalog\certcatalog20181112.lst
    set CERTS_BIN=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\certificate-catalog\certcatalog20181112.lst.signed_3220.bin
    set CERTS_PATH=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\certificate-catalog\MyCompany
    
    set ROOTCA_CERT=TrustedRoot.der
    set ROOTCA_NAME="digicert assured id root ca"
    set TRUSTCA_CERT=DigiCertCA.der
    set TRUSTCA_NAME="digicert sha2 assured id code signing ca"
    set CODESIGN_CERT=MyCompanyLLC.der
    set CODESIGN_NAME="my company llc"
    set CODESIGN_KEY=MyCompanyLLC.key
    
    
    :ENDPRODUCTION
    
    IF %PRODUCTION%=='1' GOTO ENDPLAYGROUND
    
    set CERTS_LST=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\certificate-playground\certcatalogPlayGround20160911.lst
    set CERTS_BIN=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\certificate-playground\certcatalogPlayGround20160911.lst.signed_3220.bin
    set CERTS_PATH=C:\ti\simplelink_cc32xx_sdk_2_40_00_05\tools\cc32xx_tools\certificate-playground
    
    set ROOTCA_CERT=dummy-root-ca-cert
    set ROOTCA_NAME=dummy-root-ca-cert
    set TRUSTCA_CERT=dummy-trusted-ca-cert
    set TRUSTCA_NAME=dummy-trusted-ca-cert
    set CODESIGN_CERT=dummy-trusted-cert
    set CODESIGN_NAME=dummy-trusted-cert
    set CODESIGN_KEY=dummy-trusted-cert-key
    
    :ENDPLAYGROUND
    
    
    REM ### Delete the previous version of the project if it exists.
    @rmdir %PROJECT_PATH% /s /q
    @mkdir %PROJECT_PATH%
    @copy %PROJECT_IMAGE% %PROJECT_PATH%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @where /q SLImageCreator.exe
    @IF ERRORLEVEL 1 (
        SET "PATH=%PATH%;c:\ti\uniflash_4.5.0\simplelink\imagecreator\bin"
    )
    
    @ECHO ON
    
    @echo.
    @echo ### New Project. (6.1.8)
    call SLImageCreator.exe %QUIET% project new --name %PROJECT_NAME% --project_path %PROJECT_PATH% --overwrite --device CC3220SF
    @echo New Project Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @echo.
    @echo ### Set Trusted Root-Certificate Catalog.  (6.1.4)
    call SLImageCreator.exe %QUIET% project set_certstore --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %CERTS_LST% --sign %CERTS_BIN%
    @echo Set Certificate Store Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @echo.
    @echo ### Set Service Pack. (6.1.2)
    call SLImageCreator.exe %QUIET% project set_sp --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %SERVICEPACK%
    @echo Set Service Pack Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    REM ### Add filesystem files.
    
    @echo.
    @echo ### Add the Root Certificate Authority file.
    call SLImageCreator.exe %QUIET% project add_file --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %CERTS_PATH%\%ROOTCA_CERT% --fs_path %ROOTCA_NAME% --flags nofailsafe,nopublicwrite
    @echo Set Add Root Certificate Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @echo.
    @echo ### Add the Trusted Certificate Authority file.
    call SLImageCreator.exe %QUIET% project add_file --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %CERTS_PATH%\%TRUSTCA_CERT% --fs_path %TRUSTCA_NAME% --flags nofailsafe,nopublicwrite
    @echo Add Trusted Certificate Authority Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @echo.
    @echo ### Add the Trusted Certificate file.
    call SLImageCreator.exe %QUIET% project add_file --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %CERTS_PATH%\%CODESIGN_CERT% --fs_path %CODESIGN_NAME% --flags nofailsafe,nopublicwrite
    @echo Add Trusted Certificate Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    rem Start Test Code
    @echo.
    @echo ### Add a test file.
    call SLImageCreator.exe %QUIET% project add_file --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %CERTS_PATH%\mytest.txt --fs_path "Test File Name" --flags nofailsafe,nopublicwrite
    @echo Add Test File Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    rem End Test Code
    
    @echo.
    @echo ### Add the MCU Image.
    call SLImageCreator.exe %QUIET% project add_file --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file %PROJECT_PATH%\%PROJECT_IMAGE% --mcu --flags failsafe,secure,publicwrite --cert %CODESIGN_NAME% --priv %CERTS_PATH%\%CODESIGN_KEY%
    @echo Add MCU Image Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @echo.
    @echo ### Complete project configuration.
    call SLImageCreator.exe %QUIET% project reconfig --name %PROJECT_NAME% --project_path %PROJECT_PATH% --file C:\ti\project_images\SimpleLink_Station_USA.json
    @echo Add Project Configuration Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @echo.
    @echo ### Create the image.
    call SLImageCreator.exe %QUIET% project create_image --name %PROJECT_NAME% --project_path %PROJECT_PATH% --ucf_file %PROJECT_PATH%\%PROJECT_NAME%.ucf
    @echo Create Image Error=%ERRORLEVEL%
    @IF NOT '%ERRORLEVEL%'=='0' GOTO :FAILURE
    
    @ECHO.
    @ECHO ++++ SUCCESS ++++
    @ECHO.
    @ECHO Image Path:
    @DIR /S /B %PROJECT_PATH%\%1.ucf
    @ECHO.
    @EXIT /B
    
    :FAILURE
    @ECHO.
    @ECHO ---- FAILURE ----
    @ECHO.
    @EXIT /B
    

  • Hi Mark,

    The file-system is not case sensitive - it converts every file name to lower case. So if you try to open a "Test File Name" it will open the existing "test file name".

    I'm not sure where you got this error. What do you mean by "bootloading a board"? Are you referring to the image creator programming?

    The company certificate name can have any name (even "mycompany.crt").

    The DigiCert Assured ID Root CA should be named: "DigiCert Assured ID Root CA" (the file should be in the file-system root folder).

    The DigiCert SHA2 Assured ID Code Signing CA should be named: "DigiCert SHA2 Assured ID Code Signing CA" (the file should be in the file-system root folder).

    Make sure that you set the right certificate catalog (under "Trusted Root-Certificate Catalog").

    Make sure the MCU image (and any secure and signed file) is signed with your company private name and is associated with your company certificate.

    Please attach screenshots of your image creator configuration if you still face issues.

    Br,

    Kobi
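
The naming rules discussed in this thread can be checked before an image is built. The following is an added example, not code from the thread or from TI: it lints expanded `project add_file` command lines for the two conditions described above (each CA certificate stored under its "Issued To" name, compared in lower case, and `--cert` naming a file in the image rather than a host file). The rule for `--cert` is inferred from the fix reported in the thread; the project name and the `C:\work` and `C:\certs` paths in the sample are constructed placeholders.

```python
import shlex

# "Issued To" values of the two CA certificates, from the table in the question.
CA_ISSUED_TO = ["DigiCert Assured ID Root CA",
                "DigiCert SHA2 Assured ID Code Signing CA"]

def device_name(name):
    """File name as stored on the device: the thread reports names are lower-cased."""
    return name.lower()

def tokens(line):
    """Split a cmd.exe-style line; posix=False keeps backslashes in Windows paths."""
    return [t.strip('"') for t in shlex.split(line, posix=False)]

def option(argv, flag):
    """Value that follows `flag`, or None when the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else None

def lint(command_lines, ca_issued_to=CA_ISSUED_TO):
    """Check expanded `project add_file` commands; return a list of problems."""
    on_device, cert_refs = set(), []
    for argv in map(tokens, command_lines):
        if "add_file" not in argv:
            continue
        fs_path, cert = option(argv, "--fs_path"), option(argv, "--cert")
        if fs_path is not None:
            on_device.add(device_name(fs_path))
        if cert is not None:
            cert_refs.append(cert)
    problems = [f'no file stored as "{cn}"' for cn in ca_issued_to
                if device_name(cn) not in on_device]
    # Assumption taken from the fix in the thread: --cert names a file in the
    # image (its --fs_path), not the .der file on the build machine.
    problems += [f'--cert "{c}" is not a file in the image' for c in cert_refs
                 if device_name(c) not in on_device]
    return problems

# Constructed sample: paths and project name are placeholders, not from the thread.
PREFIX = r"SLImageCreator.exe -q project add_file --name demo --project_path C:\work\demo "

def sample(cert_arg):
    return [
        PREFIX + r'--file C:\certs\TrustedRoot.der --fs_path "digicert assured id root ca"',
        PREFIX + r'--file C:\certs\DigiCertCA.der --fs_path "digicert sha2 assured id code signing ca"',
        PREFIX + r'--file C:\certs\MyCompanyLLC.der --fs_path "my company llc"',
        PREFIX + r"--file C:\work\demo\app.bin --mcu --cert " + cert_arg
               + r" --priv C:\certs\MyCompanyLLC.key",
    ]
```

`lint(sample('MyCompanyLLC.der'))` reports the `--cert` mismatch that corresponds to the root cause described in the thread, while `lint(sample('"my company llc"'))` returns an empty list.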