NetxDuo - STSAFE A110 TLS

I_C
Associate

Hello.

I'm working with STM32H573.

I have a question related to the use of the STSAFE-A110 for TLS. I also have to authenticate the client.

I've succeeded in establishing TLS mutual authentication with an HTTPS server and a TCP server (different applications, not related) using these NetX Duo functions with the correct data and test certificates:

/* TCP Server */
nx_secure_tls_session_create();        /* bind the cipher table and crypto metadata to the session */
nx_secure_tls_ecc_initialize();        /* register the supported ECC groups and curve methods */

memset(&certificate, 0, sizeof(certificate));   /* server local (identity) certificate */
nx_secure_x509_certificate_initialize();        /* DER certificate plus private key, key type given by NX_SECURE_X509_KEY_TYPE_* */
memset(&certificate_, 0, sizeof(certificate_)); /* client certificate, used as the trust anchor for the peer */
nx_secure_x509_certificate_initialize();

nx_secure_tls_local_certificate_add();    /* identity presented to the peer */
nx_secure_tls_trusted_certificate_add();  /* the peer certificate must chain to this */

nx_secure_tls_session_start();

/* HTTPS */
memset(&certificate, 0, sizeof(certificate));   /* server local (identity) certificate */
nx_secure_x509_certificate_initialize();
memset(&certificate_, 0, sizeof(certificate_)); /* client certificate */
nx_secure_x509_certificate_initialize();
nx_web_http_server_secure_configure(&HTTPServer, &nx_crypto_tls_ciphers,
                                    crypto_metadata_server, sizeof(crypto_metadata_server),
                                    tls_packet_buffer, sizeof(tls_packet_buffer),
                                    &certificate,                    /* identity certificate */
                                    &ca_list[0], 1,                  /* trusted certificates */
                                    &remote_issuer[0], 1,            /* remote certificate slots */
                                    remote_cert_buffer, sizeof(remote_cert_buffer));
nx_web_http_server_start(&HTTPServer);

What I want to achieve is the same functionality, but instead of using my own certificate as the local certificate, use the one stored in the STSAFE-A110, which I cannot access.

I understand that I have to use the option NX_SECURE_X509_KEY_TYPE_HARDWARE when adding the certs, but I don't know whether there is a 'direct' way of using the STSAFE-A110 API to achieve it.


Note: I have tested the STSAFE-A110 with the examples and it works fine.

Thank you.

I_C
Associate

I have tried approaching it in several ways:

  • The STSAFE-A110 does not have an RSA key but an ECDSA key, so I configured the HTTPS server and generated new keys to have a server running with TLS1.3. It works correctly.

  • The configuration changes a bit:

/* Server: identity certificate with an EC private key in DER form */
memset(&certificate, 0, sizeof(certificate));
nx_secure_x509_certificate_initialize(&certificate,
                                      server_ec_cert_der, (USHORT)server_ec_cert_der_len,
                                      NX_NULL, 0,
                                      server_ec_key_der, (USHORT)server_ec_key_der_len,
                                      NX_SECURE_X509_KEY_TYPE_EC_DER);

/* Client: certificate only, used as the trust anchor (no private key) */
memset(&trusted_certificate, 0, sizeof(trusted_certificate));
nx_secure_x509_certificate_initialize(&trusted_certificate,
                                      client_ec_cert_der, (USHORT)client_ec_cert_der_len,
                                      NX_NULL, 0,
                                      NX_NULL, 0,
                                      NX_SECURE_X509_KEY_TYPE_NONE);

/* Server Config */
nx_web_http_server_secure_configure(&HTTPServer,
                                    &nx_crypto_tls_ciphers_ecc, /* ECC table */
                                    crypto_metadata_server, sizeof(crypto_metadata_server),
                                    tls_packet_buffer, sizeof(tls_packet_buffer),
                                    &certificate,
                                    &ca_list[0], 1,
                                    &remote_issuer[0], 1,
                                    remote_cert_buffer, sizeof(remote_cert_buffer));

nx_web_http_server_secure_ecc_configure(&HTTPServer,
                                        nx_crypto_ecc_supported_groups,
                                        (USHORT)nx_crypto_ecc_supported_groups_size,
                                        nx_crypto_ecc_curves);
  • I found a comment (https://github.com/eclipse-threadx/netxduo/issues/152) that said someone managed to use the NX_SECURE_X509_KEY_TYPE_HARDWARE option, but it didn't work with a TLS1.2 server or a TLS1.3 client; it only worked with a TLS1.2 client.
  • I successfully obtained the certificate from the STSAFE-A110 to pass it to the function nx_secure_x509_certificate_initialize().
  • I have tried creating my own crypto_method and replacing it both in the cryptographic methods table and the certificates table, but they were never called (I’m not sure if it's because it doesn’t have an added private key).
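The thread above ends without a working hardware-key path, so the following is an added example and not code from the original post, from ST, or from NetX Duo. It isolates the one piece of glue any hardware-backed ECDSA signing method has to get right regardless of how NetX Duo dispatches to it: TLS (and NetX Duo's own software ECDSA method) carries ECDSA signatures as DER ECDSA-Sig-Value, i.e. SEQUENCE { INTEGER r, INTEGER s }, whereas a secure element returns r and s as raw fixed-width buffers. The `hw_key_ref` handle, the `se_sign_stub` secure-element stand-in and its fixed byte values are all constructed for this example; a real port would replace the stub with the STSAFE-A110 middleware signing call for the chosen key slot and keep everything else. The encoder also handles the two edge cases that produce interoperability failures in practice (a leading zero that must be stripped, and a set top bit that needs a 0x00 pad) and the long-form SEQUENCE length that P-521 signatures need.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Opaque reference to a private key that lives inside the secure element.
   Assumption for this example: a "hardware" key type carries a handle like this
   instead of DER key material, so the firmware never holds the private scalar. */
typedef struct {
    uint8_t slot;   /* key slot number inside the secure element */
} hw_key_ref;

/* Encode an unsigned big-endian integer as a DER INTEGER.
   Strips redundant leading zeros and adds a 0x00 pad when the top bit is set so the
   value is not misread as negative. Returns bytes written, 0 on error or overflow. */
static size_t der_encode_uint(const uint8_t *v, size_t len, uint8_t *out, size_t out_len)
{
    if (len == 0) return 0;
    while (len > 1 && v[0] == 0x00) { v++; len--; }
    size_t pad = (v[0] & 0x80) ? 1 : 0;
    size_t content = len + pad;
    /* short-form length is enough: a P-521 coordinate is at most 66 + 1 bytes */
    if (content > 127 || out_len < 2 + content) return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)content;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, len);
    return 2 + content;
}

/* Convert raw (r, s) into ECDSA-Sig-Value: SEQUENCE { INTEGER r, INTEGER s }.
   Uses the long-form SEQUENCE length when the body exceeds 127 bytes (P-521).
   Returns the total DER length, 0 on error. */
size_t ecdsa_raw_to_der(const uint8_t *r, size_t r_len, const uint8_t *s, size_t s_len,
                        uint8_t *out, size_t out_len)
{
    uint8_t body[2 * (2 + 1 + 66)];   /* worst case: two P-521 integers with pad and header */
    size_t n = der_encode_uint(r, r_len, body, sizeof body);
    if (n == 0) return 0;
    size_t m = der_encode_uint(s, s_len, body + n, sizeof body - n);
    if (m == 0) return 0;
    size_t body_len = n + m;
    size_t hdr = (body_len > 127) ? 3 : 2;
    if (out_len < hdr + body_len) return 0;
    out[0] = 0x30;
    if (hdr == 3) { out[1] = 0x81; out[2] = (uint8_t)body_len; }
    else          { out[1] = (uint8_t)body_len; }
    memcpy(out + hdr, body, body_len);
    return hdr + body_len;
}

/* Stand-in for the vendor signing call (constructed for this example). A real port
   would call the STSAFE-A110 middleware here with the key slot and the 32-byte
   transcript hash and copy its R and S outputs. The bytes below are fixed values
   chosen to exercise the encoder's edge cases; they are not a real signature. */
static int se_sign_stub(const hw_key_ref *key, const uint8_t *hash, size_t hash_len,
                        uint8_t r[32], uint8_t s[32])
{
    if (key == NULL || hash == NULL || key->slot > 1 || hash_len != 32) return -1;
    memset(r, 0xA5, 32); r[0] = 0x9C;                 /* top bit set: needs a 0x00 pad */
    memset(s, 0x3C, 32); s[0] = 0x00; s[1] = 0x5A;    /* leading zero: must be stripped */
    return 0;
}

/* What a hardware-backed ECDSA "sign" callback does for TLS CertificateVerify:
   hand the hash and the key handle to the secure element, then DER-encode the
   raw (r, s) it returns. Returns the DER signature length, 0 on failure. */
size_t hardware_ecdsa_sign(const hw_key_ref *key, const uint8_t *hash, size_t hash_len,
                           uint8_t *der_out, size_t der_len)
{
    uint8_t r[32], s[32];
    if (se_sign_stub(key, hash, hash_len, r, s) != 0) return 0;
    return ecdsa_raw_to_der(r, sizeof r, s, sizeof s, der_out, der_len);
}
```

For P-256 the DER output is between 70 and 72 bytes depending on the pad bytes, so the caller's signature buffer must be sized for 72, not for the 64 bytes the secure element hands back. The same encoder is what a custom NX_CRYPTO_METHOD's authenticate operation would need to write into its output buffer before returning to the TLS stack.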