TLS Credentials Shell
The TLS Credentials shell provides a command-line interface for managing installed TLS credentials.
Commands
Buffer Credential (buf)
Buffer data incrementally into the credential buffer so that it can be added using the Add Credential (add) command.
Alternatively, clear the credential buffer.
Usage
To append <DATA> to the credential buffer, use:
cred buf <DATA>
Use this as many times as needed to load the full credential into the credential buffer, then use the Add Credential (add) command to store it.
To clear the credential buffer, use:
cred buf clear
Arguments
Argument |
Description |
|---|---|
|
Text data to be appended to credential buffer. It can be either text, or base64-encoded binary. See Add Credential (add) and Storage/Retrieval Formats for details. |
Add Credential (add)
Add a TLS credential to the TLS Credential store.
Credential contents can be provided in-line with the call to cred add, or will otherwise be sourced from the credential buffer.
Usage
To add a TLS credential using the data from the credential buffer, use:
cred add <SECTAG> <TYPE> <BACKEND> <FORMAT>
To add a TLS credential using data provided with the same command, use:
cred add <SECTAG> <TYPE> <BACKEND> <FORMAT> <DATA>
Arguments
Argument |
Description |
|---|---|
|
The sectag to use for the new credential. Can be any non-negative integer. |
|
The type of credential to add. See Credential Types for valid values. |
|
Reserved. Must always be |
|
Specifies the storage format of the provided credential. See Storage/Retrieval Formats for valid values. |
|
If provided, this argument will be used as the credential data, instead of any data in the credential buffer. Can be either text, or base64-encoded binary. |
Delete Credential (del)
Delete a specified credential from the credential store.
Usage
To delete a credential matching a specified sectag and credential type (if it exists), use:
cred del <SECTAG> <TYPE>
Arguments
Argument |
Description |
|---|---|
|
The sectag of the credential to delete. Can be any non-negative integer. |
|
The type of credential to delete. See Credential Types for valid values. |
Get Credential Contents (get)
Retrieve and print the contents of a specified credential.
Usage
To retrieve and print a credential matching a specified sectag and credential type (if it exists), use:
cred get <SECTAG> <TYPE> <FORMAT>
Arguments
Argument |
Description |
|---|---|
|
The sectag of the credential to get. Can be any non-negative integer. |
|
The type of credential to get. See Credential Types for valid values. |
|
Specifies the retrieval format for the provided credential. See Storage/Retrieval Formats for valid values. |
List Credentials (list)
List TLS credentials in the credential store.
Usage
To list all available credentials, use:
cred list
To list all credentials with a specified sectag, use:
cred list <SECTAG>
To list all credentials with a specified credential type, use:
cred list any <TYPE>
To list all credentials with a specified credential type and sectag, use:
cred list <SECTAG> <TYPE>
Arguments
Argument |
Description |
|---|---|
|
Optional. If provided, only list credentials with this sectag. Pass |
|
Optional. If provided, only list credentials with this credential type. Pass |
Output
The command outputs all matching credentials in the following (CSV-compliant) format:
<SECTAG>,<TYPE>,<DIGEST>,<STATUS>
Where:
Symbol |
Value |
|---|---|
|
The sectag of the listed credential. A non-negative integer. |
|
Credential type short-code (see Credential Types for details) of the listed credential. |
|
A string digest representing the credential contents. The exact nature of this digest may vary depending on credentials storage backend, but currently for all backends this is a base64 encoded SHA256 hash of the raw credential contents (so different storage formats for essentially identical credentials will have different digests). |
|
Status code indicating success or failure with generating a digest of the listed credential. 0 if successful, negative error code specific to the storage backend otherwise. Lines for which status is not zero will be printed with error formatting. |
After the list is printed, a final summary of the found credentials will be printed in the form:
<N> credentials found.
Where <N> is the number of credentials found, and is zero if none are found.
Credential Types
The following keywords (case-insensitive) may be used to specify a credential type:
Keyword(s) |
Meaning |
|---|---|
|
A trusted CA certificate. |
|
Self or server certificate. |
|
A private key. |
|
A pre-shared key. |
|
ID for pre-shared key. |
Storage/Retrieval Formats
The tls_credentials module treats stored credentials as arbitrary binary buffers.
For convenience, the TLS credentials shell offers four formats for providing and later retrieving these buffers using the shell.
These formats and their (case-insensitive) keywords are as follows:
Keyword |
Meaning |
Behavior during storage ( |
Behavior during retrieval ( |
|---|---|---|---|
|
Credential is handled by shell as base64 and stored without NULL termination. |
Data entered into shell will be decoded from base64 into raw binary before storage. No terminator will be appended. |
Stored data will be encoded into base64 before being printed. |
|
Credential is handled by shell as base64 and stored with NULL termination. |
Data entered into shell will be decoded from base64 into raw binary and a NULL terminator will be appended before storage. |
NULL terminator will be truncated from stored data before said data is encoded into base64 and then printed. |
|
Credential is handled by shell as literal string and stored without NULL termination. |
Text data entered into shell will be passed into storage as-written, without a NULL terminator. |
Stored data will be printed as text. Non-printable characters will be printed as |
|
Credential is handled by shell as literal string and stored with NULL-termination. |
Text data entered into shell will be passed into storage as-written, with a NULL terminator. |
NULL terminator will be truncated from stored data before said data is printed as text. Non-printable characters will be printed as |
The BIN format can be used to install credentials of any type, since base64 can be used to encode any concievable binary buffer.
The remaining three formats are provided for convenience in special use-cases.
For example:
To install printable pre-shared-keys, use
STRto enter the PSK without first encoding it. This ensures it is stored without a NULL terminator.To install DER-formatted X.509 certificates (or other raw-binary credentials, such as non-printable PSKs) base64-encode the binary and use the
BINformat.To install PEM-formatted X.509 certificates or certificate chains, base64 encode the full PEM string (including new-lines and
----BEGIN X ----/----END X----markers), and then use theBINTformat to make sure the stored string is NULL-terminated. This is required because Zephyr does not support multi-line strings in the shell. Otherwise, theSTRTformat could be used for this purpose without base64 encoding. It is possible to useBINinstead if you manually encode a NULL terminator into the base64.