device_credentials_installer: add nrf_cloud_cred_shell cmd type#87
Open
PavelVPV wants to merge 2 commits into
Open
device_credentials_installer: add nrf_cloud_cred_shell cmd type#87PavelVPV wants to merge 2 commits into
PavelVPV wants to merge 2 commits into
Conversation
Add a new --cmd-type 'nrf_cloud_cred_shell' that uses the NrfCloudCredShellInterface to generate the device private key and CSR on-device via the 'nrf_cloud_cred' shell commands. The CSR returned by this interface is plain Base64-encoded DER (not the modem's body.cose format), so get_csr() decodes it with load_der_x509_csr(). As with tls_cred_shell, a random device id is used when none is provided. The private key stays in PSA on the device; only CA and device certificates are written via the TLS Credentials Shell. Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
For the nrf_cloud_cred_shell command type, the private key is held in PSA and cannot be hashed, so verify it by comparing the device public key against the public key in the installed device certificate. Also reject --local-cert / --local-cert-file with nrf_cloud_cred_shell, since the key and CSR are generated on-device and a host-generated key would be a mistake. Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
PavelVPV
changed the title
simonduq
reviewed
Jun 24, 2026
| csr = x509.load_der_x509_csr(base64.b64decode(csr_blob)) | ||
| else: | ||
| csr_bytes, _, _, _ = modem_credentials_parser.parse_keygen_output(csr_blob) | ||
| csr = x509.load_pem_x509_csr(csr_bytes) |
There was a problem hiding this comment.
csr = x509.load_pem_x509_csr() is common to both branches, consider moving to after if/else statement
simonduq
reviewed
Jun 24, 2026
| if args.cmd_type == CMD_TYPE_NRF_CLOUD_CRED_SHELL and (args.local_cert or args.local_cert_file): | ||
| # The key and CSR are generated on-device; generating a key on the host | ||
| # would defeat the purpose and is almost certainly a mistake. | ||
| logger.error(f"cmd_type '{CMD_TYPE_NRF_CLOUD_CRED_SHELL}' generates the key on-device; " |
There was a problem hiding this comment.
we could probably use parser.error() here
simonduq
approved these changes
Jun 24, 2026
erikberces
approved these changes
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a new --cmd-type 'nrf_cloud_cred_shell' that uses the NrfCloudCredShellInterface to generate the device private key and CSR on-device via the 'nrf_cloud_cred' shell commands.
The CSR returned by this interface is plain Base64-encoded DER (not the modem's body.cose format), so get_csr() decodes it with load_der_x509_csr(). As with tls_cred_shell, a random device id is used when none is provided. The private key stays in PSA on the device; only CA and device certificates are written via the TLS Credentials Shell.