topic Re: PKCS#11 not working on SE050 in Secure Authentication

PKCS#11 not working on SE050

msalvinik — Thu, 26 Oct 2023 07:44:09 GMT

Hi all,

I'm testing PKCS#11 on SE050 chip using a OM-SE050ARD board (SE050C chip mounted on it) connected through I2C to a i.MX8MN custom SoM. I'm using the Plug & Trust MW v04.03.01 with OpenSC 0.22 (PKCS#11 v.2.40).

I'm following the documentation contained in the middleware package (simw-top/doc/plugins/pkcs11.html, "8.8. PKCS#11 Standalone Library").

When I try to sign a file with SHA256-RSA-PKCS (as reported in documentation) I get the error

error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Here are the commands executed:

# chip reset
ssscli connect se05x t1oi2c /dev/i2c-2
ssscli se05x reset
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
ssscli disconnect
# example file creation
echo Hello > myfile
# needed exports
export EX_SSS_BOOT_SSS_PORT=/dev/i2c-2
export PKCS11_MODULE=/usr/lib/libsss_pkcs11.so
# keypair generation
pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Key pair generated:
Private Key Object; RSA
label: sss:20202020
ID: 20202020
Usage: decrypt, sign
Access: sensitive, always sensitive
Allowed mechanisms: RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP
Public Key Object; RSA 1024 bits
label: sss:20202020
ID: 20202020
Usage: none
Access: none
# signing
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20202020 -m SHA256-RSA-PKCS --slot 1 -i myfile -o myfile.sig
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using signature algorithm SHA256-RSA-PKCS
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

Attached the cmake configuration used to build the middleware.

How can I solve this issue?

Thanks in advance

Mauro

Re: PKCS#11 not working on SE050

msalvinik — Thu, 26 Oct 2023 10:07:47 GMT

I found this thread https://community.nxp.com/t5/Secure-Authentication/Broken-pkcs11-sign-and-verify-in-SDK-SE05x-MW-v04-03-00/m-p/1613443 where @vishwanchandapu got the same error.

As @Kan_Li stated, hash+encrypt in one step is not supported at the moment. Then I split the hash and encryption steps separately, as @Kan_Li suggested, and commands worked properly. I suggest to update the documentation.

Symmetrically I suppose that also verification does not work and should be done in two steps: signature decryption and resulting hash comparison with original one.

But trying to decrypt the signature using RSA-PCKS results in the following error:

pkcs11-tool --module $PKCS11_MODULE --decrypt --label sss:20202020 -m RSA-PKCS -i myfile.signature -o myfile.decrypted
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using decrypt algorithm RSA-PKCS
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7026 Function:sss_se05x_TXn
PKCS11:ERROR:sss_asymmetric_decrypt failed
error: PKCS11 function C_Decrypt failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.

Any suggestions?

Re: PKCS#11 not working on SE050

Kan_Li — Fri, 27 Oct 2023 08:45:30 GMT

Hi @msalvinik ,

Your question has been submitted to our expert team for analyzation. Thanks for your patience!

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: PKCS#11 not working on SE050

marcocavallini — Sat, 04 Nov 2023 10:36:33 GMT

Hello,

We are looking forward to receiving a response.

Thank you

Marco Cavallini | KOAN sas
Bergamo - Italia
embedded software engineering
https://KoanSoftware.com

Re: PKCS#11 not working on SE050

Kan_Li — Mon, 06 Nov 2023 08:56:23 GMT

Hi @marcocavallini @msalvinik ,

This is confirmed as an issue in PKCS11 library, and we are working on to fix it, but not sure if it meets your timeline, for a quick solution, maybe you can use some older MW version instead, in our tests MW version 04.01.01 is working.

Have a great day,
Kan