
aws-iot-zero-touch-secure-provisioning-kit's Introduction

Microchip Zero Touch Secure Provisioning Kit for AWS IoT

This package contains all the files to run the Microchip Zero Touch Secure Provisioning Kit for AWS IoT.

Latest product information can be found at http://www.microchip.com/developmenttools/productdetails.aspx?partno=at88ckecc-aws-xstk-b

The full user guide can be found at http://microchipdeveloper.com/iot:ztpk

Quick Setup

This section serves as a quick reference for the setup required. The full user manual referenced above will give more detailed instructions.

Software Setup

  1. Clone or download the AWS IoT Zero-Touch Secure Provisioning Kit software.

    Note: CryptoAuthLib is a submodule and is not included automatically. Either clone the repository recursively or download CryptoAuthLib separately from the kit software. If downloaded separately, place the files in the firmware\SAMG55\AWS_IoT_Zero_Touch_SAMG55\src\cryptoauthlib folder.

  2. Install AWS CLI. Used to configure AWS credentials for the python scripts.

  3. Install serial terminal emulator, like PuTTY. Used to view status/debug information from the SAMG55.

  4. Install Python 3. Make sure to include pip and tcl/tk. PC side work is all done from python scripts.

  5. Install the Python packages (pip install -r requirements.txt) required for the kit Python scripts.

  6. Optionally install Visual C++ 2017 Build Tools. Microsoft Visual C++ Build Tools 14.0 may be required for the hidapi Python package. This is a large download and install, and it is not needed if the previous step completed without error.

AWS Setup

Automated Setup

See AWS CloudFormation templates and documentation in the cloud-formation-templates folder.

Manual Setup

  1. Log into the AWS Console for your account and select the region you want to run the kit from.

  2. Create an IAM user to demo/run the kit from:

    • User name: ZTUser
    • Enable Programmatic access and AWS Management Console access
    • Add AWS managed policies AWSIoTFullAccess and AWSLambdaFullAccess
    • Run aws configure from the command line on your PC to configure the AWS credentials for the ZTUser account. Make sure to enter the same region as selected in the previous step.
  3. Create JITR Lambda Function Policy

    • Name: ZTLambdaJITRPolicy

    • Policy Document:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iot:UpdateCertificate",
                      "iot:CreatePolicy",
                      "iot:AttachPrincipalPolicy",
                      "iot:CreateThing",
                      "iot:CreateThingType",
                      "iot:DescribeCertificate",
                      "iot:DescribeCaCertificate",
                      "iot:DescribeThing",
                      "iot:DescribeThingType",
                      "iot:GetPolicy"
                  ],
                  "Resource": "*"
              }
          ]
      }
  4. Create JITR Lambda Function Role

    • Role type: AWS Service Role > AWS Lambda
    • Name: ZTLambdaJITRRole
    • Add policies AWSLambdaBasicExecutionRole, AWSXrayWriteOnlyAccess, and ZTLambdaJITRPolicy.

AWS Configuration

  1. Once AWS has been configured successfully, run aws configure from the command line (part of the AWS CLI download).
  2. Enter the AWS Access Key ID from AWS and press enter.
  3. Enter the Secret Access Key from AWS and press enter.
  4. Ensure that the default region name matches the AWS account.
  5. Press enter for the Default output format[None]: prompt.

Hardware Setup

The central hub of the kit is the SAMG55 Xplained Pro board.

  1. Plug WINC1500 Xplained Pro into EXT1 on the SAMG55 Xplained Pro.
  2. Plug OLED1 Xplained Pro into EXT3 on the SAMG55 Xplained Pro.
  3. Plug CryptoAuth Xplained Pro into EXT4 on the SAMG55 Xplained Pro. Please note, depending on when you purchased your kit, your kit may have come with CryptoAuth Xplained Pro Rev A boards or Rev B boards. Rev B boards have an ATECC608A device attached and do not come pre-configured. Extra steps need to be followed to initialize the ATECC CryptoAuthentication device on the board. Begin the initialization process by running the firmware without the WINC1500 Xplained Pro board attached. The firmware will automatically guide you through this process with instructions from EDBG serial port output messages.
  4. Plug USB cable from PC into Target USB port on the SAMG55 Xplained Pro. Once the firmware is loaded, the board communicates with the scripts on the PC via this port as an HID device.
  5. Plug USB cable from PC into EDBG USB port on the SAMG55 Xplained Pro. This port is how the firmware is loaded/updated and also exposes a serial port (COM port) that outputs debug/status information (115200 baud).

Firmware Setup

While the revision B kit comes with the appropriate firmware loaded, the original (rev A) kit will need firmware updates to work. Additionally, new firmware updates may be released.

  1. Update the WINC1500 firmware to 19.5.2. Use Atmel Studio to create a new ASF Example Project for the WINC1500 Firmware Update Project (v19.5.2) - SAMG55 Xplained Pro. Run the samg55_xplained_pro_firmware_update.bat batch script from the src folder to update.
  2. Update the SAMG55 firmware to the latest version in the firmware folder of this package.
  3. Once the firmware has been successfully downloaded, open a serial terminal and press the reset button on the SAMG55. There should be instructions on how to proceed.

Quick Demo

This section serves as a quick reference for the steps required. The full user manual referenced above will give more detailed instructions.

Configure AWS for Just In Time Registration (JITR)

These steps will be performed from the IAM user, ZTUser, created for demonstrating this kit.

Note - If the AWS CloudFormation template was used these two steps can be skipped.

  1. Create the Just In Time Registration (JITR) Lambda Function

    • Name: ZTLambdaJITR
    • Runtime: Python 3.6
    • Copy and paste the code found in ZTLambdaJITR/lambda_function.py into the code entry area.
    • Existing Role: ZTLambdaJITRRole
  2. Create IoT Rules Engine Rule for triggering the JITR lambda function.

    • Name: ZeroTouchJustInTimeRegistration
    • SQL version: 2016-03-23
    • Rule query statement: SELECT * FROM '$aws/events/certificates/registered/#'
    • Add action to invoke the ZTLambdaJITR lambda function.

Create and Register the Certificate Authorities (CAs)

  1. Run python ca_create_root.py to create a root CA.
  2. Run python ca_create_signer_csr.py to create a CSR for a signer.
  3. Run python ca_create_signer.py to sign the signer CSR with the root CA.
  4. Run python aws_register_signer.py to register the signer with AWS IoT.

Provision the ATECCx08A on the kit

  1. Run python kit_set_wifi.py --ssid wifi-name --password wifi-password to configure wifi settings on the board. This network must have internet access with ports 123 (UDP, time server) and 8883 (TCP, secure MQTT) open.

  2. Run python kit_provision.py to provision the ATECCx08A on the board for AWS IoT. After this command, the board will automatically attempt to connect to AWS IoT.

Interact with the Board via AWS

  1. Run python aws_interact_gui.py to interact with the board and toggle LEDs. Pressing the buttons on the board will also update their state in the GUI.

Releases

2019-06-21

  • Updated firmware to v2.2.5
  • Updated CryptoAuthLib to 20190517
  • Updated ASF to 3.40.0
  • Minor bug fixes around USB communication and date handling

2018-03-19

  • Updated aws_register_signer.py to account for new datetime fields from AWS

2017-12-19

  • Updated CA scripts to use fixed set of extensions for CSR and certificate
  • Set fixed version of pyasn1_modules as new version broke cert2certdef.py

2017-11-17

  • Updated firmware to v2.2.4 to bring in ATECC608A support with CryptoAuthLib release 3.
  • Firmware now supports automatic pre-configuration of new ATECC508A and ATECC608A devices.
  • Fixed a memory leak in the JSON parsing.

2017-9-26

  • Updated firmware to v2.2.2 to resolve DNS lookup issue

2017-9-18

  • Initial release of software and firmware v2.2.1

aws-iot-zero-touch-secure-provisioning-kit's People

Contributors

benudall-microchip, c41187, danielharris-microchip


aws-iot-zero-touch-secure-provisioning-kit's Issues

WiFi state machine race conditions

It appears there are callbacks in aws_wifi_state.c which are executed from ISRs and modify the state machine state without any synchronization methods. I believe this will cause race conditions if the state machine thread is about to modify the state and a callback occurs which also modifies the state.

e.g. The callback could handle a disconnect scenario and change the state to start the disconnect process, and then the thread could immediately change it back to a connected state if it was in the process of updating the state. This would likely cause the state machine to fall apart.

Shouldn't there be a synchronization between the callback and threads such that the state is updated in the thread and not in the callback?

cert2certdef.py can not generate code with some certificates

  1. I created 3 device certificates using AWS and used these certs to generate a certdef, but only 1 cert succeeded and 2 failed. The error looks like this:

    File "E:\ATECC608A.NB\cert\CSR_0123B0E84AD32E1FEE\cert2certdef.py", line 656, in <module>
      main()
    File "E:\ATECC608A.NB\cert\CSR_0123B0E84AD32E1FEE\cert2certdef.py", line 44, in main
      print(gen_cert_def_c_device(cert_der))
    File "E:\ATECC608A.NB\cert\CSR_0123B0E84AD32E1FEE\cert2certdef.py", line 122, in gen_cert_def_c_device
      raise ValueError('Invalid certificate SN length (no more than 20 bytes).')
    ValueError: Invalid certificate SN length (no more than 20 bytes).

This is the cert that generated successfully:
These are the certs that failed to generate:
  2. The generated certdef includes a None value in the STDCERT_SIGNER_ID parameter. What is the value of None?

    { // STDCERT_SIGNER_ID
        .offset = None,
        .count = 4
    },

kit_provision.py error

I have followed all the steps as per the guide http://microchipdeveloper.com/iot:ztpk

But kit_provision.py gives me the following error:

Opening AWS Zero-touch Kit Device
Traceback (most recent call last):
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\kit_provision.py", line 147, in <module>
    main()
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\kit_provision.py", line 27, in main
    device.open()
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\mchp_aws_zt_kit.py", line 24, in open
    return self.device.open(vendor_id, product_id)
  File "hid.pyx", line 66, in hid.device.open
OSError: open failed

I am getting the driver detected with the following VID & PID, so I updated them in 'mchp_aws_zt_kit.py'.
DEVICE_HID_VID = 0x03eb
DEVICE_HID_PID = 0x2111
After updating, I am getting the error below.

Opening AWS Zero-touch Kit Device

Initializing Kit
Traceback (most recent call last):
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\kit_provision.py", line 147, in <module>
    main()
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\kit_provision.py", line 30, in main
    resp = device.init()
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\mchp_aws_zt_kit.py", line 102, in init
    resp = self.kit_read_app_no_error(id)
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\mchp_aws_zt_kit.py", line 94, in kit_read_app_no_error
    resp = self.kit_read_app(id)
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\mchp_aws_zt_kit.py", line 81, in kit_read_app
    kit_resp = self.parse_kit_reply(data)
  File "D:\Projects\Liquitech\AtmelAWS\Software\aws-iot-zero-touch-secure-provisioning-kit-master\mchp_aws_zt_kit.py", line 74, in parse_kit_reply
    raise ValueError('Unable to parse kit protocol reply: %s' % data)
ValueError: Unable to parse kit protocol reply: ÿ  ♠♫

What is the issue in my case?

Generating certificate definition template during factory provision at a mass production level

I am reviewing the cert_def_1_signer.c source and I see the variable "g_cert_template_1_signer" which is a hex template generated by cert2certdef.py. It looks like these hex template files are generated from the .pem certificate.

  1. Are these templates (i.e. g_cert_template_XXX) always different for each new certificate?
  2. Are these templates really required to read the compressed certificate?
  3. If this is the case this means that for every device built we need to upload a new template to the device which matches the compressed certificate on the ATECC coprocessor?

provisioning_get_hostname bug

In provisoning_task.c, function provisioning_get_hostname(), line 1096, hostname_length is incorrectly set to the ssid_size of the metadata. This doesn't cause any issues since hostname is treated as a NULL terminated string, but it is a bug nevertheless.

Possible Problem when using 19.6.1 WINC1500 Firmware

I think I am seeing a problem when using the 19.6.1 firmware, but I did not have time to investigate further. I had two setups of the hardware. I believe one has the 19.5.4 WINC1500 firmware and the other has the 19.6.1 firmware (it was only by chance that I had two different versions). I was only able to get the setup with the 19.5.4 firmware to connect and work. The 19.6.1 would connect to Wi-Fi (console indicates "AWS Zero Touch Demo: Connected to AWS IoT.") and then stop reporting any messages on the console port. The 19.5.4 worked fine.

SAMG55 firmware update Build errors

Building the firmware AWS_IoT_Zero_Touch_SAMG55.atsln project with Atmel Studio 7 fails with some errors.
e.g. atcacert/atcacert_client.h: No such file or directory

CryptoAuthLib missing?

TypeError running ca_create_root.py

I'm using the master version of this repo in a Ubuntu 16.04 VM, which has Python 3.5.2 installed and ran pip3 install -r requirements.txt to get the dependencies.

$ python3 ca_create_root.py 

Loading root CA key
    No key file found, generating new key
    Saving to root-ca.key

Generating self-signed root CA certificate
Traceback (most recent call last):
  File "ca_create_root.py", line 51, in <module>
    main()
  File "ca_create_root.py", line 27, in main
    builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc))
  File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 441, in not_valid_before
    if time <= _UNIX_EPOCH:
TypeError: can't compare offset-naive and offset-aware datetimes

Hello, glad the latest version worked. Some of the AWS API responses changed and broke one of the original scripts. As you discovered, the latest version in the repo fixed that issue. I'll get the older copy you found updated to the latest version.

I tried cloning the repo and could not even get past running ca_create_signer_csr.py anymore.

PS C:\Users\Joema\OneDrive\Desktop\zt_master_clone\aws-iot-zero-touch-secure-provisioning-kit> python ca_create_signer_csr.py

Loading signer CA key
No key file found, generating new key
Saving to signer-ca.key

Generating signer CA CSR
Traceback (most recent call last):
File "ca_create_signer_csr.py", line 78, in
ca_create_signer_csr()
File "ca_create_signer_csr.py", line 21, in ca_create_signer_csr
public_key=signer_ca_priv_key.public_key())
File "ca_create_signer_csr.py", line 70, in add_signer_extensions
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(subj_key_id_ext.value),
File "C:\Users\Joema\AppData\Local\Programs\Python\Python37\lib\site-packages\cryptography\x509\extensions.py", line 192, in from_issuer_subject_key_identifier
key_identifier=ski.value.digest,
AttributeError: 'SubjectKeyIdentifier' object has no attribute 'value'
PS C:\Users\Joema\OneDrive\Desktop\zt_master_clone\aws-iot-zero-touch-secure-provisioning-kit>

In the earlier version of the kit, this didn't have any issue. Ben, could you kindly verify the functionality of the current code in the kit? This would be very helpful. Thanks for the effort.

Misleading Status Message on WAP Connect

The message "AWS Zero Touch Demo: Connected to AWS IoT." is very misleading. That message is displayed when the radio connects to the WAP but BEFORE the MQTT connection is opened. So the kit has not connected with AWS at the point of the message.

cert2certdef.py does not work with serial numbers prefixed with 00

The serial number for my certificate which was signed by AWS IoT is:

F8:3A:AC:49:2E:E7:52:F2:83:8C:60:F3:C2:AA:6A:BF:9E:2A:CD:DD

However, in the .pem file it is stored as 00:F8:3A:AC:49:2E:E7:52:F2:83:8C:60:F3:C2:AA:6A:BF:9E:2A:CD:DD - the length is 21 instead of 20. I think the extra 00 prefix byte was added to the serial number because it starts with 0xf8, which is a negative number.
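
Added example, not part of the issue report and not code from the kit's scripts: a minimal DER reader showing how the 20-byte serial quoted above occupies 21 content bytes once encoded as an ASN.1 INTEGER, and one way to strip the sign byte before applying a 20-byte limit. The helper names and the truncated sample structure are assumptions made for illustration; only the serial value and the 20-byte limit come from this page.

```python
# Added example, not code from the kit: how DER encodes a certificate serial.
PAGE_SERIAL = "F8:3A:AC:49:2E:E7:52:F2:83:8C:60:F3:C2:AA:6A:BF:9E:2A:CD:DD"
MAX_SERIAL_BYTES = 20  # limit named in the cert2certdef.py error on this page


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past the end of the buffer")
    return tag, buf[pos:end], end


def encode_tlv(tag, value):
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def encode_integer(n):
    """DER INTEGER is minimal two's complement, so a non-negative value whose
    top bit is set gets a 0x00 byte in front to keep it positive."""
    if n < 0:
        raise ValueError("serial numbers must be non-negative")
    return encode_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def serial_content(cert_der):
    """Return the raw INTEGER content bytes of tbsCertificate.serialNumber."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] EXPLICIT version comes before the serial
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return value


def serial_magnitude(content):
    """Drop the DER sign byte, then apply the 20-byte limit to the value."""
    if not content or content[0] & 0x80:
        raise ValueError("empty or negative serial number")
    if len(content) > 1 and content[0] == 0x00 and content[1] & 0x80:
        content = content[1:]
    if len(content) > MAX_SERIAL_BYTES:
        raise ValueError("serial number longer than 20 bytes")
    return content


def build_sample(serial_int):
    """Constructed input: only the first two tbsCertificate fields (version and
    serialNumber), which is all the parser above reads. Not a full certificate."""
    version = encode_tlv(0xA0, encode_integer(2))  # v3
    tbs = encode_tlv(0x30, version + encode_integer(serial_int))
    return encode_tlv(0x30, tbs)


if __name__ == "__main__":
    serial = int(PAGE_SERIAL.replace(":", ""), 16)
    content = serial_content(build_sample(serial))
    print("content bytes:", len(content), content.hex())
    print("value bytes:  ", len(serial_magnitude(content)))
```

A length check applied to the raw INTEGER content rejects any serial whose first value byte is 0x80 or higher; checking the length after the sign byte is stripped does not.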

OTA Support

Is this FreeRTOS support over the air update feature provided by Amazon?

Can't build firmware due to cryptoauthlib changes

The required version of cryptoauthlib (commit b31ed52daf) is not api-compatible with the current version. Ideally this project would be updated to use the new version of cryptoauthlib, and if not instructions for using the correct commit should be added to the firmware readme.md.

Sample python gui shadow can cost lots of AWS IoT $ charges if you leave it running

The line of code:

self.after(500, self.on_update)

in the file "aws_interact_gui.py" causes 2 messages per second to the AWS IoT network.

I highly recommend that users change the 500ms to something higher and then check their usage.
Unfortunately, raising the timer will also delay the update of the GUI button status display, as this is all one polling loop.

One good way to check usage is to turn on AWS IoT Cloudwatch.

Intermediate CA

Hi,
I added an intermediate CA in the certificate chain. The flow is root-CA->IntermediateCA->CA->Signer-CA->Device_certificate. I copied and modified the ca_create_signer_csr.py and ca_create_signer.py to generate intermediate CA.
During provisioning it fails with error message "The AWS IoT Demo failed to save the Signer certificate."

Creating device CSR, how to get the certificate definition i.e atcacert_def_t

I am trying to create the CSR for the device so I can create the device certificate. In order to create the CSR I need to create the CSR template (i.e. atcacert_def_t). To create the CSR template I am looking at the Python script cert2certdef.py, which takes a CSR using --device-csr.

The CSR I feed the script is a CSR that I generate using OpenSSL with specific certificate elements such as origination name, etc. The CSR is not the correct one for the device because the key pair used to create it is wrong. But the common elements would be correct. (I assume so)

I then plan to use the CSR template definition (atcacert_def_t) with atcacert_create_csr() method to create the device CSR.

Is this the correct way to achieve this?

how to communicate with ATECC508A in Linux via i2c directly?

Hello,
I am developing an IoT device using your ATECC508A and AWS IoT service. I have the chip connected via I2C to a Chip pro board based on Debian.

Although there is some documentation here using the SAMG55 Xplained Pro board to make a JITR with AWS, I don't have many clues to use the ATECC508A connected directly to a Debian board using I2C without use in between the MCU ATSAMG55-XPRO. I am also using Python and Boto3 library to manage AWS services from the Chip pro Debian board and develop the board firmware.

Thank you in advance!

the security token included in the request is invalid

Hi,

just followed the ztpk guide, but hit a snag when running the aws_register_signer.py command. The error is:
Getting CA registration code from AWS IoT
Traceback (most recent call last):
File "C:\Users\Jelle\Zign\tls-gedoe\aws-iot-zero-touch-kit-20170926\aws_register_signer.py", line 119, in
main()
File "C:\Users\Jelle\Zign\tls-gedoe\aws-iot-zero-touch-kit-20170926\aws_register_signer.py", line 64, in main
reg_code = aws_iot.get_registration_code()['registrationCode']
File "C:\Program Files (x86)\Python36-32\lib\site-packages\botocore\client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "C:\Program Files (x86)\Python36-32\lib\site-packages\botocore\client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the GetRegistrationCode operation: The security token included in the request is invalid.

that was the initial error..: after trying again but this time in powershell (instead of cmd.exe), the script gets further, but fails at save_kit_info:
Getting AWS IoT device endpoint
Hostname: a10nbthkpnvvpf.iot.eu-central-1.amazonaws.com
Traceback (most recent call last):
File "C:\users\Jelle\Zign\tls-gedoe\aws-iot-zero-touch-kit-20170926\aws_register_signer.py", line 119, in
main()
File "C:\users\Jelle\Zign\tls-gedoe\aws-iot-zero-touch-kit-20170926\aws_register_signer.py", line 114, in main
save_kit_info(kit_info)
File "C:\users\Jelle\Zign\tls-gedoe\aws-iot-zero-touch-kit-20170926\aws_kit_common.py", line 42, in save_kit_info
f.write(json.dumps(kit_info, indent=4, sort_keys=True))
File "C:\Program Files (x86)\Python36-32\lib\json\__init__.py", line 238, in dumps
**kw).encode(obj)
File "C:\Program Files (x86)\Python36-32\lib\json\encoder.py", line 201, in encode
chunks = list(chunks)
File "C:\Program Files (x86)\Python36-32\lib\json\encoder.py", line 430, in _iterencode
yield from _iterencode_dict(o, _current_indent_level)
File "C:\Program Files (x86)\Python36-32\lib\json\encoder.py", line 404, in _iterencode_dict
yield from chunks
File "C:\Program Files (x86)\Python36-32\lib\json\encoder.py", line 404, in _iterencode_dict
yield from chunks
File "C:\Program Files (x86)\Python36-32\lib\json\encoder.py", line 437, in _iterencode
o = _default(o)
File "C:\Program Files (x86)\Python36-32\lib\json\encoder.py", line 180, in default
o.__class__.__name__)
TypeError: Object of type 'datetime' is not JSON serializable

this probably writes something incorrectly to file, as subsequent runs of the command get an error in File "C:\users\Jelle\Zign\tls-gedoe\aws-iot-zero-touch-kit-20170926\aws_register_signer.py", line 27, in main
kit_info = read_kit_info()
