• State Resolved
  • Locked Locked
  • Replies 5 replies
  • Subscribers 40 subscribers
  • Views 284 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

BOOSTXL-CC3135: CC3135 EAP-TLS

Gasper Korinsek37
Prodigy 240 points
Part Number: BOOSTXL-CC3135
Other Parts Discussed in Thread: CC3135, CC3100, UNIFLASH

Hi,

We're trying to establish the EAP connection from CC3135 via FreeRADIUS to our TCP test server (CC3135 is the TCP client).

The FreeRADIUS TLS mode was tested with an alternative WiFi module so the configuration seems to be correct (using our custom ca.pem, client.pem, and client.key certificates).

We can also connect to the TCP test server when using SL_WLAN_ENT_EAP_METHOD_PEAP0_MSCHAPv2 with disabled server authentication (SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH) using the CC3135 module.

If we try to use SL_WLAN_ENT_EAP_METHOD_TLS, we get an error SL_WLAN_DISCONNECT_MISSING_CERT.

We're uploading the certificates to the file system on the CC3135 using the code below that was adopted from CC3100 (where this mechanism was working):

static const char* cc3135_cert_name[VP_CERT_TYPE_END] = {
[VP_CERT_TYPE_PRIVATE_KEY] = "/sys/cert/private.key",
[VP_CERT_TYPE_PUBLIC_KEY] = "/sys/cert/client.pem",
[VP_CERT_TYPE_CA] = "/sys/cert/ca.pem",
};

#define FLASH_CHUNK_LEN        1024

static uint32_t cc3135_load_certificate(enum vp_cert_type type, uint8_t *data, uint32_t length)
{
        int32_t retVal;
        uint32_t movingOffset, chunkLen;

        if ((type >= VP_CERT_TYPE_END) || (NULL == cc3135_cert_name[type]))
        {
                return -1;
        }

        int32_t fileHandle = sl_FsOpen((const _u8*)cc3135_cert_name[type],
                                SL_FS_CREATE_MAX_SIZE(length) | SL_FS_CREATE | SL_FS_OVERWRITE | SL_FS_CREATE_PUBLIC_READ,
                                NULL);
        if (fileHandle < 0)
        {
                return -1;
        }

        movingOffset = 0;

        do
        {
                chunkLen = (_u32)find_min(FLASH_CHUNK_LEN, length);
                retVal = sl_FsWrite(fileHandle, movingOffset, (_u8 *)&data[movingOffset], chunkLen);
                if (retVal < 0)
                {
                        return -1;
                }

                length -= chunkLen;
                movingOffset += chunkLen;

        } while (chunkLen > 0);

        retVal = sl_FsClose(fileHandle, NULL, NULL, 0);
        if (retVal < 0)
        {
                return -1;
        }

        return 0;
}

According to the User guide  chapter Enterprise security 4.6.2 the "Client Authentication" states:

– Private Key – Station (client) RSA private key file in PEM format
– Client Certificate – Certificate of the client, given by the authenticating network (has the public key
matches to the private key) in PEM format

On the other hand, the user guide describes that certificates should be in DER format in chapter 8.4.3.2 Forced creation flags, table 8-4, which contradicts chapter 4.6.2.

Questions:

1. Is the upper code for writing the EAP-TLS certificates correct (especially the file creation flags)?

2. Is it mandatory to use certificates in DER format for EAP-TLS as specified in chapter 8.4.3.2?

 

chrome
chrome
  • 0
    TI__Guru 61516 points

    The certificates should be in DER format.

    You must use the path and names exactly as defined in the programmers guide.

    Br,

    Kobi

  • 0 in reply to Kobi Leibovitch
    Prodigy 240 points

    Dear Kobi,

    Thank you for clearly explaining question 2.

    What about question 1, is it possible to obtain an example code?

    chrome
    chrome
  • 0 in reply to Gasper Korinsek37
    TI__Guru 61516 points

    I briefly looked at your code and it seems ok (you can also write the certificate files as a user file with uniflash).

    We don't have a sample app for this, but the programmers guide has some reference code.

  • 0 in reply to Kobi Leibovitch
    Prodigy 240 points

    Dear Kobi,

    Thank you for clarification, I'll try with DER format on Monday and let you know of the results. 

    Have a nice weekend.

    Best,

    Gašper

    chrome
    chrome
  • 0 in reply to Gasper Korinsek37
    Prodigy 240 points

    I have found that the code below is working (I can write and overwrite certificate files). 

    I have also found that .key and .der endings seem to be a formality only (even if I load PEM file under DER or KEY name it will still work. It looks as if the CC3135 actually determines the file type by its content and not by the filename extension).

    static const char* cc3135_cert_name[VP_CERT_TYPE_END] = {
        [VP_CERT_TYPE_PRIVATE_KEY] = "/sys/cert/private.key",
        [VP_CERT_TYPE_PUBLIC_KEY] = "/sys/cert/client.der",
        [VP_CERT_TYPE_CA] = "/sys/cert/ca.der",
};

static uint32_t cc3135_load_certificate(enum vp_cert_type type, uint8_t *data, uint32_t length)
{
        int32_t retVal;

        int32_t fileHandle = sl_FsOpen((const _u8*)cc3135_cert_name[type],
                                SL_FS_CREATE_MAX_SIZE(length) | SL_FS_CREATE | SL_FS_CREATE_SECURE | 
                                SL_FS_OVERWRITE | SL_FS_CREATE_NOSIGNATURE, NULL);
        if (fileHandle < 0)
        {
                return -1;
        }

        retVal = sl_FsWrite(fileHandle, 0, data, length);
        if (retVal < 0)
        {
                sl_FsClose(fileHandle, NULL, NULL, 0);
                return -1;
        }

        retVal = sl_FsClose(fileHandle, NULL, NULL, 0);
        if (retVal < 0)
        {
                return -1;
        }

        return 0;
}

    chrome
    chrome
    chrome
    chrome