BGS2 AT^SBNW=is_cert,1 command fails - Cinterion Transport Layer Security for Client TCP/IP Services documentation not detailed enough | Telit Cinterion IoT Developer Community
September 24, 2014 - 6:43pm, 16004 views
I am involved in developing a tracking system using Cinterion BGS2 M2M modems and I am having problems loading TLS certificates using the Java tools provided, and it has also failed when using the AT^SBNW=is_cert,1 command. I get the following error:

AT^SBNW=is_cert,1
CONNECT
SECURE CMD READY: SEND COMMAND ...
SECURE CMD TOO MANY DATA ERROR
OK

I am having problems understanding the details of the AT^SBNW=is_cert,1 command in the TLS documentation:

Transport Layer Security for Client TCP/IP Services
Application Note 62
Version: 04
DocId: wm01_wm02_an62_tls_v04

This document describes the formats but is not specific about message lengths: are they word counts or byte counts? It would also be useful for it to show an example HEX dump of a valid certificate AT^SBNW=is_cert,1 upload message. If anybody knows the answer to these questions please let me know.

Jeff White
email@example.com
Did you have any luck on this Jeff? I'm having the same problem - the docs are very sparse on the actual structure to be loaded.
Are the javatools open-source? Is there any chance we could see how they construct the binary structure?
The suggested approach is to use the javatools, but these are not always possible. I've tried using the javatools with emulated COM ports to try and capture the tools output but have not been successful in this approach either
The code is not attached unfortunately. Using the java tools is recommended. However the data structure is also described in the document - but I agree that there could be some examples.
Can you give any reason why the java tools are not sufficient for you? On the other hand it should be possible to use some COM port tracer to see what is really transferred.
I can't use the javatools as I only have a programmer for the PIC, no direct communication with the modem. This is a prototype (obviously) and I just need to get a signed cert + key on the board so I can test the full buildout with the new AWS service.
I've followed your suggestion of capturing port output and gathered a dump of the full binary output from ip_cmdcertmgr, this was fine and I used the info here to fix a few issues in the code. However the modem still simply replies "SECURE CMD ERROR" (even with verbose) and no cert is set at index 0.
Do you have any suggestions on how to debug this issue. As far as I can tell, the certificate & private key are correct.
Since this is a low level mechanism, there are no custom ways to debug this. The general assumption is that customers will use the provided tool chain. It is possible to create your own tools, but since it requires expert knowledge and is for very limited use cases, Gemalto does not provide anything additional to implement it.
I would suggest following what Bartek recommended. If you were able to trace a successful cmdcertmanager communication, you should start by sending exactly the same data from your uP to the module. If this succeeds, then you may try introducing a small delta between your implementation and the traced binary. It should lead you to the point where you will see where the issue is.
Thanks for the reply Michal
To answer the original question (if anyone cares): all IDs and lengths are uint16s and lengths are byte counts. The count includes the bytes used for the length & ParamID.
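As an added illustration (this is not code from the original post, from the Cinterion Java tools, or from AN62), here is a small Python encoder/decoder for the parameter layout the post describes: a uint16 ParamID, a uint16 Length that is a byte count including its own 4-byte header, then the value bytes. Two things are assumptions rather than facts from the thread: the byte order (big-endian is used here) and the ParamID values (placeholders named PARAM_CERT_INDEX and PARAM_CERTIFICATE; the real IDs must be read from chapter 6 of AN62). The certificate bytes are a constructed placeholder, not a real DER certificate. The decoder also shows what goes wrong when Length is computed over the value only, the mistake the post is warning about.

```python
import struct

# Assumed wire layout (from the post only; not verified against AN62):
#   uint16 ParamID | uint16 Length | value bytes
# Length is a byte count that INCLUDES these four header bytes.
# Byte order is not stated in the thread: big-endian is an assumption here.
HEADER = struct.Struct(">HH")
HEADER_LEN = HEADER.size  # 4 bytes

# Hypothetical ParamIDs for illustration only; real values come from AN62.
PARAM_CERT_INDEX = 0x0001
PARAM_CERTIFICATE = 0x0002

# Constructed placeholder standing in for a DER certificate (not a real cert).
FAKE_CERT = bytes(range(0x30, 0x40))


def encode_param(param_id: int, value: bytes) -> bytes:
    """Serialize one parameter; Length counts header + value, as the post states."""
    length = HEADER_LEN + len(value)
    if not 0 <= param_id <= 0xFFFF or length > 0xFFFF:
        raise ValueError("ParamID or Length does not fit in a uint16")
    return HEADER.pack(param_id, length) + value


def encode_param_value_only(param_id: int, value: bytes) -> bytes:
    """The common mistake: Length counts only the value bytes. Kept for comparison."""
    return HEADER.pack(param_id, len(value)) + value


def encode_params(params) -> bytes:
    """Concatenate a list of (ParamID, value) pairs into one blob."""
    return b"".join(encode_param(pid, val) for pid, val in params)


def decode_params(blob: bytes):
    """Walk the blob and return [(ParamID, value), ...], rejecting malformed lengths."""
    out = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < HEADER_LEN:
            raise ValueError(f"truncated header at offset {pos}")
        pid, length = HEADER.unpack_from(blob, pos)
        if length < HEADER_LEN:
            # A Length below 4 cannot include its own header: value-only counting.
            raise ValueError(f"Length {length} at offset {pos} is smaller than the header")
        end = pos + length
        if end > len(blob):
            raise ValueError(f"ParamID 0x{pid:04x} at offset {pos} claims {length} bytes, "
                             f"only {len(blob) - pos} remain")
        out.append((pid, bytes(blob[pos + HEADER_LEN:end])))
        pos = end
    return out


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset-prefixed hex dump, the kind of listing the original poster asked for."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:04x}  {chunk.hex(' ')}")
    return "\n".join(lines)


if __name__ == "__main__":
    good = encode_params([(PARAM_CERT_INDEX, b"\x00"), (PARAM_CERTIFICATE, FAKE_CERT)])
    print(hexdump(good))
    print(decode_params(good))
    bad = encode_param_value_only(PARAM_CERT_INDEX, b"\x00")
    try:
        decode_params(bad)
    except ValueError as exc:
        print("value-only Length rejected:", exc)
```

When comparing against a COM-port trace of cmd_IpCertMgr, as suggested earlier in the thread, dump both the captured bytes and your own encoder's output with hexdump() and diff them; a header whose Length field is 4 smaller than the traced one is the value-only mistake above.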
Unfortunately, even with using the javatools we are unable to load the client cert on the modem.
The modem we are using is the BGS2-W (V2). There is some discrepancy between the application note and the cmd_IpCertMgr syntax: when following the app note verbatim the -writeCert command will complain of a missing keyfile argument. I am assuming the keyfile should be the private key, although the command needing private key, public key and keystore seems a bit redundant.
The commands we are using are exactly as below:
keytool -genkeypair -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -sigalg SHA1withRSA -keyalg RSA
keytool -exportcert -v -keystore client.ks -storepass pwdclient -alias client01 -file client01_pub.der
java -jar keystoretools\getPrivateKey.jar -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
java -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM3 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 123456789012354 -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
Does this look right to you? Is the assumption that keyfile is the private key correct? Any particular suggestions on what else I could look into?
I understand you are going to set the certificate on the module. Some time ago I created a command line script to do so. Please check if this will be useful for your scenario:
Did anyone find any further documentation on the AT commands used by the java scripts?
This is an embedded module, and I find it hard to believe that we have to rely on java and command line scripts.
I already have certificates, so don't want to use keystore.
Please see chapter 6 "Secure Commands" of AN62. You will find the data structure for the AT^SBNW command there.
Thank you very much. I will try to post some examples once I get it working.