
Adding STSAFE with mbedTLS client for IoT work

KBhon.1
Associate III

Hello all,

I am working on creating a secure IoT device. The device is configured as an MQTT client which will be sending sensor data to the server over MQTT. I have implemented encryption using mbed-TLS, where I confirm the server's authenticity with the server CA certificate.

Now I wish to implement two-way authentication, where I need to send the client certificate to the server so the server can verify the client's authenticity.

I see it is possible with the help of mbed-TLS, but we need to provide the client's private key to mbedTLS, which is not possible since we cannot extract the private key out of STSAFE.

I have been searching on this for almost a month and I have not been able to find a direct example of implementing this.

Also, the STSAFE examples are not clear about implementing this with mbedTLS.

I am in search of something that links STSAFE with mbedTLS for client authentication.

Can anyone please guide me on how to implement this?


Hi @KBhon.1,

As the private key inside the STSAFE-A is not accessible, you can't use the mbedtls_pk_check_pair function.

 

The only way to check that the public key is related to the STSAFE-A private key is either to check that the public key value from the certificate matches the public key you put in your CSR.

For that, you need to save the public key on your side (you can use a memory region of the STSAFE-A to store it).

Or ask the STSAFE-A for a signature and use the public key in the certificate to verify the generated signature.

If the signature is verified, then the public key belongs to the private key.

 

Best Regards,

 

Benjamin