February 24, 2022
Question

How to put my TLS certificate from Azure to my software

  • February 24, 2022
  • 2 replies
  • 1889 views

Hello everyone,

I have a custom board based on X-CUBE-AZURE, connecting and sending data to our own Azure server. When connecting a device, we get security alerts from Azure telling us that we do not use TLS certificate validation. I have found where to put the certificate in my software, but I have to generate it as a .pem file from Azure.

Do you have any idea or any documentation about how to do that? Thanks in advance.

    This topic has been closed for replies.

    2 replies

    ST Employee
    February 24, 2022

    Hello

    Which certificate are you talking about? Is it a device certificate, or the Azure IoT server root certificate?

    The Azure root certificates are available in https://github.com/Azure/azure-iot-sdk-c/blob/main/certs/certs.c

    NCatt.1 (Author)
    Explorer
    February 25, 2022

    Hello Guillaume and thank you for your answer.

    As I have no experience in IoT security I do not really know; the alert message I received is: IoT devices running C-SDK + OpenSSL/WolfSSL perform no validation of the remote TLS server certificate.

    After some research I have found that there is a certificate in the file iot_flash_config.c, in the function CaptureAndFlashPem(). Originally it requests the user to give a string array, but in my case the string array is hardcoded in the function instead of requesting it. Let me specify that this part has not been made by me. I have discussed it with the person in charge of this and he told me he got this certificate from ST.

    int CaptureAndFlashPem(char *pem_name, char const *flash_addr, bool restricted_area)
    {
      /* In this build the PEM bundle is hardcoded instead of being captured from the
       * user, so pem_name and restricted_area are unused. The bundle holds two root CA
       * certificates: USERTrust RSA Certification Authority, then Baltimore CyberTrust
       * Root. Because it is a string literal, the buffer must never be freed. */
      char * key_read_buffer = NULL;
      int ret = 0;

      key_read_buffer = "-----BEGIN CERTIFICATE-----\nMIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB\n"
                        "iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\ncnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV\n"
                        "BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw\nMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV\n"
                        "BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU\naGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy\n"
                        "dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\nAoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B\n"
                        "3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY\ntJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/\n"
                        "Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2\nVN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT\n"
                        "79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6\nc0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT\n"
                        "Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l\nc6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee\n"
                        "UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE\nHg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd\n"
                        "BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G\nA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF\n"
                        "Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO\nVWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3\n"
                        "ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs\n8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR\n"
                        "iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze\nSf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ\n"
                        "XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/\nqS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB\n"
                        "VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB\nL6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG\n"
                        "jjxDah2nGN59PRbxYvnKkKj9\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n"
                        "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\nRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n"
                        "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\nDTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n"
                        "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\nVHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n"
                        "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\nIZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n"
                        "mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\nXmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n"
                        "dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\njl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n"
                        "BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\nDQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n"
                        "9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\njkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n"
                        "Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\nksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n"
                        "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n-----END CERTIFICATE-----\n\0";

      /* Write to Flash: strlen() + 1 also copies the terminating NUL. */
      TRACE_FLASH("writing to %lx\n", flash_addr);
      ret = FLASH_update((uint32_t)flash_addr, key_read_buffer, strlen(key_read_buffer) + 1);

      //free(key_read_buffer);   /* intentionally disabled: the buffer is a string literal */

      return ret;
    }

    So, I have a certificate on Azure App Service:

    I would like to know how to add it to my code. It seems I have to download it in .pem format, but I do not know how to do it.

    Thank you

    ST Employee
    February 25, 2022

    This is confusing. The purpose of X-CUBE-AZURE is to connect an IoT device to an Azure IoT Hub.

    You are talking about an Azure App Service certificate, so it is not the same thing.

    Going back to the original problem, what is the exact warning message from Azure? ("When connecting a device we get security alerts from Azure, telling that we do not use a TLS certificate validation.")

    Is it written exactly like this?

    I know the root CA certificates from Azure will change soon. Is it this specific problem?

    https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes

    https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169

    NCatt.1 (Author)
    Explorer
    February 28, 2022

    Sorry for being confusing, maybe I am going too fast.

    The original alert message received from Azure is:

    Issue

    IoT devices running C-SDK + OpenSSL/WolfSSL perform no validation of the remote TLS server certificate. The security advisory is present both in our GitHub Repo as well as CVE-2020-17002.

    Affected versions:

    <2020-12-09, <LTS_07_2020_Ref02, <LTS_02_2020_Ref02, Public-Preview <1.6.0

    Patched versions:

    2020-12-09, LTS_07_2020_Ref02, LTS_02_2020_Ref02, Public-Preview 1.6.0

    Recommended actions:

    Update all impacted devices to patched versions.

    Security reminder:

    Continuously monitor Azure IoT CVEs for other Azure IoT security related issues

    ST Employee
    February 28, 2022

    As far as I understand the problem is not with the certificate itself. It's the software used for TLS communication that doesn't use the certificate.

    The security article mentions WolfSSL and OpenSSL, but X-CUBE-AZURE uses mbedTLS. So are you using a modified X-CUBE-AZURE or an entirely different software?
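Two things in this thread point at the same maintenance question for whoever owns this firmware: the hardcoded bundle in CaptureAndFlashPem() decides which roots the device will trust, and the ST employee's remark that the Azure root CAs are changing means the bundle has a shelf life. The script below is an added example, not code from this thread or from X-CUBE-AZURE. It takes a PEM bundle in the same format the firmware writes to flash, decodes each certificate with a minimal DER reader (standard library only), and reports subject CN, serial number and validity window, flagging roots that are expired or about to expire. The function names (pem_to_der, describe, audit_bundle, ...) are my own; the sample input is the Baltimore CyberTrust Root copied from the second certificate of the posted bundle.

```python
"""Audit the CA bundle an IoT firmware image embeds for TLS server verification.
Added example (not code from the post or from X-CUBE-AZURE): parse a PEM bundle like the
one CaptureAndFlashPem() writes to flash and report what each root is and when it expires."""
import base64
import re
from datetime import datetime, timezone

# Constructed sample input: the Baltimore CyberTrust Root, copied verbatim from the
# second certificate in the bundle shown in the post above.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"  # DER body of OID 2.5.4.3 (id-at-commonName)

def pem_to_der(bundle):
    """Split a concatenated PEM bundle into a list of DER-encoded certificates."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(bundle)]

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Decode every TLV contained in a constructed (SEQUENCE / SET) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """X.509 Time: UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def common_name(name):
    """Find CN in an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (oid_tag, oid), (_, value) = children(atv)[:2]
            if oid_tag == 0x06 and oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return "<no CN>"

def describe(der):
    """Pull subject CN, serial number and validity window out of one DER certificate."""
    _, cert, _ = read_tlv(der)              # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = read_tlv(cert)              # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sig_alg, _issuer, validity, subject = fields[:5]
    (nb_tag, nb), (na_tag, na) = children(validity[1])
    return {"subject_cn": common_name(subject[1]),
            "serial": int.from_bytes(serial[1], "big", signed=True),  # DER INTEGER is two's complement
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}

def audit_bundle(bundle, now_iso=None, warn_days=365):
    """Describe each certificate and mark it ok / expiring / expired relative to now_iso (YYYY-MM-DD)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc) if now_iso else datetime.now(timezone.utc)
    report = []
    for der in pem_to_der(bundle):
        info = describe(der)
        left = (info["not_after"] - now).days
        info["status"] = "expired" if left < 0 else "expiring" if left <= warn_days else "ok"
        report.append(info)
    return report

if __name__ == "__main__":
    for e in audit_bundle(SAMPLE_BUNDLE):
        print(f'{e["status"]:9}{e["subject_cn"]}  serial 0x{e["serial"]:x}  '
              f'valid {e["not_before"]:%Y-%m-%d} .. {e["not_after"]:%Y-%m-%d}')
```

Run against the full two-certificate bundle from the post, the report shows the same thing the Azure links above warn about: the Baltimore CyberTrust Root in this firmware is valid only until 2025-05-12, so a device shipped with this bundle and no way to update it will stop being able to verify Azure endpoints that chain to the new roots. The audit is only half the picture, though. As the ST employee's last reply points out, an embedded trust store is useless unless the TLS stack is actually told to verify against it; in mbedTLS that is the mbedtls_ssl_conf_authmode() setting, which has to be MBEDTLS_SSL_VERIFY_REQUIRED rather than MBEDTLS_SSL_VERIFY_NONE or MBEDTLS_SSL_VERIFY_OPTIONAL for the server certificate check the advisory refers to.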