Hi. Today I will be giving a brief presentation on the integration of a CA certificate store into Zephyr RTOS. To start: hi, my name is Jared Bowman. I work for T-Mobile USA. We had a particular interest in implementing a CA certificate store into Zephyr to help simplify some applications, as with our DevEdge IoT platform. We very quickly realized the weaknesses of Zephyr's current way of handling certificates, which doesn't have any native way of pulling a certificate from flash storage and instead relies on it either being preloaded into the application itself or on the user implementing their own solution. We thought it would be wise to add our own custom interface and try to propose something similar for Zephyr itself.

So, to start with a little bit of background: what value does this actually provide? RTOS-based applications often require CA certificates for validation, of course. Currently, though, in Zephyr any required certificate must be loaded manually, which is to say that if you wanted to load a certificate from flash, you'd have to manually open the file, pull it into RAM, etc. But also, and we'll mention this a little bit later, if we want to dynamically load certificates based on what a website requires, we have no good way of doing that either. An integrated cert store allows for many certs to be preloaded, presumably into flash, for use at any time. This could even support automatic selection, as previously stated, which could massively improve the convenience for a novice user who may or may not know the correct certificates to load for whatever service they're using.

So let's talk a little bit about the current state of affairs. Of course, there is no current certificate store in Zephyr RTOS. Certs are supposed to be manually loaded when needed. Generally, certs are part of the program itself because that is the simplest way to implement it, though there is no real restriction that says this has to be the case; any other kind of implementation would have to be completely custom. Storing certs in the flash filesystem is possible. What is not possible, though, is automatic cert selection unless all certs are loaded into memory in one chain for mbedTLS. This is doable for a small number of certificates, at around 2K apiece; in some embedded scenarios you can get away with, let's say, five. But once you get above a couple, bottlenecks can easily arise, especially if you have a use case like a full CA certificate set: these can easily be in excess of 150 kilobytes by themselves, and on most embedded platforms that is an amount that is unreasonable to use for one static blob.

So let's talk a little bit about the design. Our proposed solution really just implements a very basic interface. It has three user-code functions: a store function, a load function, and a delete function, which are about as self-explanatory as can be. To start, the store function takes a certificate and stores it in the flash-based certificate store. You basically just provide the store information for the certificate store you want the certificate to be stored in, as well as the certificate and its size. The second function is the delete function, where you again provide the same certificate store information for the store you want to edit, but also provide the fingerprint to identify the certificate by. The code will then go out and delete the certificate from storage, all handled automatically. The final function is load. Similar to delete, you provide a fingerprint; you also provide an output buffer for it to be loaded into memory and the size of the buffer, and it will write out how large the loaded certificate was into the cert size pointer. All very self-explanatory; nothing super exotic here.

Of course, this is very basic, but it's a framework to be expanded upon. A very obvious thing we want to work on next with this is implementing automatic certificate selection. This could easily be expanded to automatically load the certificates necessary for CA validation, and it can already be done with mbedTLS. There is a built-in callback that's not currently used in Zephyr but could easily be added: it has a certificate validation callback which provides the certificate received from the server. From that we can get the signatures and just verify that against the certificate store automatically, and remove a lot of burden from the user in developing TLS applications, as they won't really have to worry about what certificates need to be loaded. We can completely remove the expectation of manual certificate management. Better yet, if we were to do something like this, we could also have just a trusted set of CAs premade. Possibly we could base it off something that already exists, like the common CA database, or we could do something different. Regardless, the whole point of this is to provide a framework to simplify development of user code.

As you can see here, this is our PR. Of course, it is a placeholder since we are still working on finalizing all the details, but do expect the code to be up soon. Thank you for watching.
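The store/delete/load interface described in the talk, as an added illustration that is not the speaker's code or the Zephyr PR's code. It assumes a RAM array standing in for the flash filesystem, struct and function names of my own choosing (`struct cert_store`, `cert_store_store`, `cert_store_delete`, `cert_store_load`), and a labelled placeholder fingerprint function in place of the SHA-256 digest a real store would use. It goes slightly beyond the talk by showing the failure modes a caller has to handle: duplicate certificate, full store, and an output buffer that is too small, in which case the cert size is still reported so the caller can retry with a correctly sized buffer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CERT_STORE_SLOTS 8      /* capacity of the simulated flash region */
#define CERT_MAX_SIZE    2048   /* ~2 KiB per cert, the figure quoted in the talk */
#define FP_LEN           32     /* fingerprint length, sized like a SHA-256 digest */

/* One flash slot. In a real port each slot would be a file in the flash
 * filesystem; here it is a RAM array standing in for flash so the example
 * runs on a desktop. */
struct cert_slot {
    uint8_t  in_use;
    uint8_t  fp[FP_LEN];
    uint16_t len;
    uint8_t  der[CERT_MAX_SIZE];
};

/* Hypothetical "certificate store information" handle (name is mine, not Zephyr's). */
struct cert_store {
    struct cert_slot slots[CERT_STORE_SLOTS];
};

/* PLACEHOLDER fingerprint: four FNV-1a 64-bit passes packed into 32 bytes.
 * It gives the example a stable lookup key without a crypto library. A real
 * store must fingerprint the DER with SHA-256 (e.g. mbedtls_sha256()) so a
 * crafted certificate cannot collide with a trusted one. */
static void cert_fingerprint(const uint8_t *der, size_t len, uint8_t out[FP_LEN])
{
    for (int pass = 0; pass < 4; pass++) {
        uint64_t h = 0xcbf29ce484222325ULL ^ (uint64_t)pass;
        for (size_t i = 0; i < len; i++) {
            h ^= der[i];
            h *= 0x100000001b3ULL;
        }
        memcpy(out + pass * 8, &h, 8);
    }
}

static struct cert_slot *find_slot(struct cert_store *cs, const uint8_t fp[FP_LEN])
{
    for (int i = 0; i < CERT_STORE_SLOTS; i++)
        if (cs->slots[i].in_use && memcmp(cs->slots[i].fp, fp, FP_LEN) == 0)
            return &cs->slots[i];
    return NULL;
}

void cert_store_init(struct cert_store *cs) { memset(cs, 0, sizeof(*cs)); }

/* store(): write a certificate into the store, rejecting oversized blobs,
 * duplicates (same fingerprint) and a full store. */
int cert_store_store(struct cert_store *cs, const uint8_t *der, size_t len)
{
    uint8_t fp[FP_LEN];
    if (!cs || !der || len == 0 || len > CERT_MAX_SIZE) return -EINVAL;
    cert_fingerprint(der, len, fp);
    if (find_slot(cs, fp)) return -EEXIST;
    for (int i = 0; i < CERT_STORE_SLOTS; i++) {
        struct cert_slot *s = &cs->slots[i];
        if (!s->in_use) {
            memcpy(s->fp, fp, FP_LEN);
            memcpy(s->der, der, len);
            s->len = (uint16_t)len;
            s->in_use = 1;
            return 0;
        }
    }
    return -ENOSPC;
}

/* delete(): remove the certificate identified by fingerprint and wipe the
 * slot so stale DER does not linger in "flash". */
int cert_store_delete(struct cert_store *cs, const uint8_t fp[FP_LEN])
{
    struct cert_slot *s = cs ? find_slot(cs, fp) : NULL;
    if (!s) return -ENOENT;
    memset(s, 0, sizeof(*s));
    return 0;
}

/* load(): copy the certificate identified by fingerprint into out_buf.
 * *cert_len is set whenever the cert exists, so a caller whose buffer was
 * too small (-ENOMEM) learns the size it needs for the retry. */
int cert_store_load(struct cert_store *cs, const uint8_t fp[FP_LEN],
                    uint8_t *out_buf, size_t out_len, size_t *cert_len)
{
    struct cert_slot *s = cs ? find_slot(cs, fp) : NULL;
    if (!s) return -ENOENT;
    if (cert_len) *cert_len = s->len;
    if (!out_buf || out_len < s->len) return -ENOMEM;
    memcpy(out_buf, s->der, s->len);
    return 0;
}

/* Round trip on a constructed fake DER blob; returns 0 when every step behaves as expected. */
int cert_store_demo(void)
{
    static const uint8_t fake_der[] = { 0x30, 0x82, 0x01, 0x0a, 'd', 'e', 'm', 'o' }; /* constructed */
    struct cert_store cs;
    uint8_t fp[FP_LEN], buf[CERT_MAX_SIZE], small[4];
    size_t got = 0;

    cert_store_init(&cs);
    cert_fingerprint(fake_der, sizeof fake_der, fp);
    if (cert_store_store(&cs, fake_der, sizeof fake_der) != 0) return 1;
    if (cert_store_store(&cs, fake_der, sizeof fake_der) != -EEXIST) return 2;
    if (cert_store_load(&cs, fp, small, sizeof small, &got) != -ENOMEM || got != sizeof fake_der) return 3;
    if (cert_store_load(&cs, fp, buf, sizeof buf, &got) != 0 || memcmp(buf, fake_der, got) != 0) return 4;
    if (cert_store_delete(&cs, fp) != 0) return 5;
    if (cert_store_load(&cs, fp, buf, sizeof buf, &got) != -ENOENT) return 6;
    return 0;
}

int main(void)
{
    printf("cert store demo: %s\n", cert_store_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The automatic-selection step the talk sketches would sit on top of this: an mbedTLS verify callback computes the fingerprint of the certificate presented by the server and calls the load function with it, so only the matching CA is ever pulled out of flash rather than the whole chain being resident in RAM.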