2023-01-03 5:06 AM
Hello all,
I am working on creating a secure IoT device. The device is configured as MQTT client which will be sending sensors data to the sever over MQTT. I have implemented encryption using mbed-TLS where I confirm server's authenticity with server CA certificate.
Now I wish to implement 2 way authentication where I need to send client certificate to the server for verifying client authenticity by server.
I see it is possible with the help of mbed-TLS but we need to provide private key of the client to mbedTLS which is not possible since we cannot extract private key out of STSAFE.
I have been searching on this from almost a month and I have not been able to find a direct example on implementing this.
Also, the STSAFE examples are not clear about implementing this with mbedTLS.
I am in search of something that links stsfae with mbedTLS for client authentication.
Can anyone please guide me how to implement this?
2023-12-11 5:50 AM
Hi @KBhon.1,
As the private key inside the STSAFE-A is not accessible, you can't use the mbedtls_pk_check_pair function.
The only way to check that the public key is related to the STSAFE-A private key is to either check the public key value from the certificate match the public key you have put in your CSR.
For that, you need to same the public key on your side (you can use a memory region of the STSAFE-A to store it)
Or as a signature request to the STSAFE-A and use the public key in the certificate to verify the generated signature.
If the signature is verified then the public key belong to the private key.
Best Regards,
Benjamin
2024-12-10 12:09 PM
I've tried to use the example code that you have so kindly provided here in this topic with mbedTLS version , but I think that unfortunately there is a small issue with this version. This is that the pk_wrap.h file, where the precious definition of the struct mbedtls_pk_info_t is included, is not any longer available to be included at the include directory. Therefore we can't declare our custom mbedtls_pk_info_t structures.
Are you aware of a workaround for this challenge?
2024-12-11 8:35 AM
Hi @naNEQ ,
In your MbedTLS config, did you enable MBEDTLS_ALLOW_PRIVATE_ACCESS ?
This will allow you to update the mbedtls_pk_context structure to use your own mbedtls_pk_info_t.
Best Regards,
Benjamin
2024-12-17 5:51 AM
I did enable MBEDTLS_ALLOW_PRIVATE_ACCESS, yes, but the problem is that the file pk_wrap.h is not accessible. In the example you have attached here you also want to include this, and it is indeed necessary, because otherwise several things don't work, but the file is not in any include directory.
It only works if I copy that pk_wrap.h file from the mbedtls library and put it in the same directory as the main file (or the mbedtls_example.c one). Perhaps this is the solution? That the pk_wrap.h is replicated to the application include directory?
Best regards,
Nikos
2024-12-17 6:30 AM
Hi @naNEQ ,
You have to add to your includes the directory mbedtls/library.
In that case, you will not have to copy the pk_wrap.h file.
I'm working in that way with mbedtls 3.5.0
Best Regards,
Benjamin
