
Generate CSR and store new certificate #11

Open
tadejg opened this issue Mar 24, 2023 · 14 comments
@tadejg

tadejg commented Mar 24, 2023

Is it possible to use the stored private key to generate a CSR and store a newly signed certificate in the esp_secure_cert partition?

@AdityaHPatwardhan
Collaborator

AdityaHPatwardhan commented Mar 24, 2023

Hi @tadejg,
Yes, it is possible to store the newly signed certificate in the esp_secure_cert partition. It can be done externally through the Python script. The newly signed certificate can be provided as the device certificate to the script.

python configure_esp_secure_cert.py --device-cert newly_signed_certificate.pem

@AdityaHPatwardhan AdityaHPatwardhan self-assigned this Mar 24, 2023
@AdityaHPatwardhan AdityaHPatwardhan added the question Further information is requested label Mar 24, 2023
@tadejg
Author

tadejg commented Mar 24, 2023

@AdityaHPatwardhan Yes, I know you can use the python script. Maybe I wasn't specific enough in my initial question. I want the device to be able to renew its certificate while deployed in the wild. So I'm looking for a way to do this on the device, in firmware.

@AdityaHPatwardhan
Collaborator

Ah, okay.
As of now we have not supported the ability to write into the esp_secure_cert partition.
But internal discussion is ongoing about this.
I will update about this.

@tadejg
Author

tadejg commented Mar 24, 2023

Understood, thanks. In that case, should I leave the issue open?

@zafeer-birde

@AdityaHPatwardhan any update on this?

@AdityaHPatwardhan
Collaborator

Hi @tadejg @zafeer-birde, we have started development for this feature; this should be available in a few days.

@zafeer-birde

@AdityaHPatwardhan to confirm, is this complete now?
Do we have an example to try this out?

@AdityaHPatwardhan
Collaborator

Hi @zafeer-birde, sorry, this is still in progress. It should be converged by the end of the week or mid next week.
Sorry for the delay.

@zafeer-birde

Hi @zafeer-birde Sorry, this is still in progress. Should be converged by end of the week or mid next week. Sorry for the delay.

@AdityaHPatwardhan any update?

@AdityaHPatwardhan
Collaborator

Hi @zafeer-birde, the MR is in the review stage and should be merged by next week.
Sorry for the delay.

@zafeer-birde

zafeer-birde commented May 12, 2023

@AdityaHPatwardhan can we have some definite timelines for this? We are waiting to implement a feature on cert regeneration, which is currently blocked.

@AdityaHPatwardhan
Collaborator

AdityaHPatwardhan commented May 18, 2023

Hi @zafeer-birde, I am sharing this patch with you; it contains support for appending to the esp_secure_cert partition. Please check if it solves your blocker.
support_writing.patch.zip

Additionally, I wanted to understand the reason for this to be a blocker. There are other secure storage implementations as well (e.g. NVS); were they not suitable for your application?

@jimmyw

jimmyw commented Oct 31, 2023

@AdityaHPatwardhan Do you know if it's possible to generate a CSR at runtime, signed with the private key in the DS store, that I can send to a server for signing?

The example code you wrote is to write down the cert you get back.

I have looked at the mbedTLS code, and the code path for generating a CSR is bound to having a private key in a PEM file you store, not to accessing it from DS storage. I don't think there should be any limitations on that; I just think it's not supported yet, or at least not that I know of.

The use case for this is to allow signing a new certificate from a new service with the key stored in the ESP in the factory, without replacing the device key.

@AdityaHPatwardhan
Collaborator

@jimmyw I see no reason for generating a CSR at runtime using the DS peripheral to be prohibited.
Technically the private key is only required to sign the TBS content of the CSR. The DS peripheral supports the signing operation through the key, so it should be supported.

If it helps you to fix your issue, I would like to suggest the following:

  1. Have you tried generating a pk context for the private key with the mbedtls_pk_setup_rsa_alt API? (We do something similar in the esp-tls component when we are using an RSA key from the DS instead of a plaintext key: https://github.com/espressif/esp-idf/blob/b4268c874a4cf8fcf7c0c4153cffb76ad2ddda4e/components/esp-tls/esp_tls_mbedtls.c#L1093.)
     I think it should be possible to provide this pk context for the key to the CSR generation API.

If the above suggestion does not help, I think it is better to take this discussion to https://github.com/Mbed-TLS/mbedtls/issues, which is the appropriate place for mbedTLS-specific questions.
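The thread covers the device side (a CSR whose TBS content is signed by the factory key held in the DS peripheral, and the returned certificate written back to esp_secure_cert). The other half of a field renewal is the server that receives that CSR: it should only issue a new certificate when the CSR proves possession of the key the device was provisioned with and keeps the same identity, otherwise a renewal endpoint becomes a way to obtain certificates for arbitrary keys. The following is an added example, not code from this issue or from esp_secure_cert_mgr/esp-tls. It assumes the Python `cryptography` package, simulates the factory key, the device certificate and the CA entirely in software (on a real ESP32 the private key never leaves the DS peripheral and only the signing step runs on-device, as suggested above via an mbedtls alt pk context), and all names and identities in it are constructed.

```python
"""Server-side validation of a device-generated certificate renewal CSR.

Constructed demo: the factory-provisioned device key, its certificate and the
issuing CA are all generated here in software. Function and subject names are
hypothetical and not taken from esp_secure_cert_mgr.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _rsa_key():
    # RSA because the ESP DS peripheral holds RSA keys.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(ca_key, ca_name, subject, public_key, days=365):
    """CA side: issue a certificate for an already-validated public key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(ca_key, hashes.SHA256())
    )


def build_renewal_csr(device_key, cn):
    """Device side: the private key is needed only for the final signing step
    over the CertificationRequestInfo (TBS) bytes."""
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(_name(cn))
        .sign(device_key, hashes.SHA256())
    )


def signature_covers_tbs(csr):
    """Check by hand that the CSR signature is over exactly the TBS bytes; this is
    the operation a DS-backed signer has to perform on the device."""
    csr.public_key().verify(
        csr.signature, csr.tbs_certrequest_bytes,
        padding.PKCS1v15(), csr.signature_hash_algorithm,
    )
    return True  # verify() raises InvalidSignature on mismatch


def verify_renewal_csr(csr, current_cert):
    """Server side: accept a renewal CSR only if it is bound to the key and
    identity the device was provisioned with."""
    if not csr.is_signature_valid:          # proof of possession of the CSR key
        return False
    if csr.public_key().public_numbers() != current_cert.public_key().public_numbers():
        return False                        # must be the factory key, not a new one
    if csr.subject != current_cert.subject:
        return False                        # renewal must not change identity
    return True


def demo():
    """Run the full flow and report each outcome (constructed data throughout)."""
    ca_key, ca_name = _rsa_key(), _name("demo-ca")
    factory_key = _rsa_key()
    current_cert = issue_cert(ca_key, ca_name, _name("device-0001"), factory_key.public_key())

    good_csr = build_renewal_csr(factory_key, "device-0001")      # legitimate renewal
    foreign_csr = build_renewal_csr(_rsa_key(), "device-0001")   # different key, same CN
    renamed_csr = build_renewal_csr(factory_key, "device-0002")  # factory key, new identity

    results = {
        "tbs_is_what_gets_signed": signature_covers_tbs(good_csr),
        "factory_key_accepted": verify_renewal_csr(good_csr, current_cert),
        "foreign_key_rejected": not verify_renewal_csr(foreign_csr, current_cert),
        "renamed_rejected": not verify_renewal_csr(renamed_csr, current_cert),
    }
    if results["factory_key_accepted"]:
        new_cert = issue_cert(ca_key, ca_name, good_csr.subject, good_csr.public_key())
        results["renewed_key_unchanged"] = (
            new_cert.public_key().public_numbers() == current_cert.public_key().public_numbers()
        )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The public-key comparison in `verify_renewal_csr` is what ties the renewal to the factory key: the device can only pass it if the CSR was signed by the key in the DS peripheral, which is exactly the property the DS-backed pk context gives you on the device. A real server would additionally authenticate the request over mTLS with the current certificate and check revocation state before issuing.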
