WINC1500 set certificates from host

Hi all

We use a WINC1500 on a custom board which also supports an SD-card.

We want to be able to use certificates placed on the SD-card with the WINC1500 / TLS.

Specifically, we need to be able to set the root certificate, such that the WINC1500 can validate the server certificate (signed by the rootCA) when using TLS. Also, we need to be able to set the client certificate when connecting to a server using mutual authentication (such that the server can verify that the WINC1500 is allowed to connect).

Most WINC1500 documentation describes how to set the certificates using a PC (over UART) or HTTP provisioning in AP mode. As explained above, we want to set the certificates from the host MCU over SPI. We found the "programmers_apis", which includes a few functions which seem to support setting certificates over SPI:

http://asf.atmel.com/docs/latest...

However, the documentation is very sparse. Do any of you know of any documentation on this, examples, or have experience using these functions?

Any help you can provide is highly appreciated.

Thanks

Br

Christian

I am also having a similar problem. Please provide some documentation about how to update the WINC1500 firmware and certificate using the SAME54 evaluation board.

Hello, have you found a solution for this? I want to pass the certificates by USB to the micro and then have the micro program the WINC3400... but I haven't found too much info on how to do this... :(

Certificates can be loaded by a host CPU. However, this feature requires the use of a newer version of the host driver from ASF. If your project contains a folder named <root_cert>, then your host driver is only capable of decoding very limited types of certificates. I don't know exactly when the improvement was made, but you need to look for the version of ASF that has a folder named <root_tls_cert>. The API for programming a root CA cert is:

/**********************************************************************
*    @fn            int WriteRootCertificate
*    @brief         Write a given Root Certificate on the WINC1500 FLASH Root certificate Store.
*    @param[in]     pu8RootCert
*                    Buffer holding the root certificate (Both DER and PEM formats are valid).
*
*    @param[in]     u32RootCertSz
*                    Size of the root certificate buffer
*
*    @return        writing status
**********************************************************************/
int WriteRootCertificate(uint8 *pu8RootCert, uint32 u32RootCertSz)
{
	/* Body omitted in the post. */
}

Make sure the WINC's firmware is up to date. The host driver's version can't be higher than WINC's firmware version.

Last Edited: Wed. Apr 24, 2019 - 02:24 PM

Thank you very much acpie360, I found an example "ATWINC15X0 Certificates Update from Host via OTA", it contains the folder that you said and I used that to try with my Winc3400 but, over my base application, I'm out of memory with my samd21 for 7500 bytes :( ... I'm planning to migrate to a samd51.

Bye.

jgaete - Don't thank me yet. I haven't been able to get this to work. It seems the SPI Flash image loaded by the API is different from the image loaded from the batch command over an identical set of root CA certs.

[Update]

The SHA1 digests generated by the API when uploading root certs from a host CPU are different from the digests generated by the PC batch processing over the same set of root certificates. I am waiting for Atmel to confirm the bug.

/*!
@struct
	tstrRootCertEntryHeader

@brief
	Header of a root certificate entry in flash.
*/
typedef struct{
	uint8				au8SHA1NameHash[CRYPTO_SHA1_DIGEST_SIZE];
	tstrSystemTime			strStartDate;
	tstrSystemTime			strExpDate;
	tstrRootCertPubKeyInfo	strPubKey;
}tstrRootCertEntryHeader;

au8SHA1NameHash is the SHA1 digest over a certificate's issuer field. For example, if a certificate has the following issuer info:

CN = Amazon Root CA 1
O = Amazon
C = US

Then "USAmazonAmazon Root CA 1" will be fed into the SHA1 computation function. The expected 20-byte digest should be A8-66-80-C4-56-27-2E-AF-E3-A7-CE-2E-49-D1-31-DC-65-BB-B1-ED. However, the API seems to produce the wrong digest.

[Update]

It turns out I need to #undef BIG_ENDIAN in nm_common.h

#undef BIG_ENDIAN

#ifndef BIG_ENDIAN
#define BYTE_0(word)    ((uint8)(((word) >> 0)  & 0x000000FFUL))
#define BYTE_1(word)    ((uint8)(((word) >> 8)  & 0x000000FFUL))
#define BYTE_2(word)    ((uint8)(((word) >> 16) & 0x000000FFUL))
#define BYTE_3(word)    ((uint8)(((word) >> 24) & 0x000000FFUL))
#else
#define BYTE_0(word)    ((uint8)(((word) >> 24) & 0x000000FFUL))
#define BYTE_1(word)    ((uint8)(((word) >> 16) & 0x000000FFUL))
#define BYTE_2(word)    ((uint8)(((word) >> 8)  & 0x000000FFUL))
#define BYTE_3(word)    ((uint8)(((word) >> 0)  & 0x000000FFUL))
#endif

Last Edited: Mon. Apr 29, 2019 - 11:22 PM

Hi all, I am new here (very) but I also want to do this if possible.