https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1905259#M1635 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/59276">@Kan_Li</a>&nbsp;: I am writing on behalf of&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/221468">@CristianeBP</a>&nbsp;and Lorenzo Verniani (they got problems to access this thread):</P> <P><EM><SPAN class="uiOutputText">Good morning Kan Li,</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">&nbsp;thank you very much for your reply.</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">&nbsp;Your answer is about my 2nd test, and ok, it is a limitation and we need to wait some updates.</SPAN></EM></P> <P><STRONG><SPAN class="uiOutputText">RGs:<SPAN>&nbsp;</SPAN></SPAN><SPAN class="cuf-entityLinkId forceChatterEntityLink entityLinkHover" data-id="0052p00000D4vDIAAZ" data-hashtag="" data-mention="0052p00000D4vDIAAZ"><A id="247:7404;a" class="cuf-entityLink cuf-mention" href="https://nxp.lightning.force.com/lightning/r/0052p00000D4vDIAAZ/view" data-sfdc-wired-mouseover="" data-sfdc-wired-mouseout="" data-sfdc-wired-focus="" data-sfdc-wired-blur="" data-proxy-id="aura-pos-lib-1" target="_blank"><SPAN class="uiOutputText">@Lorenzo Verniani</SPAN></A><SPAN class="cuf-entityAdditionalLabel uiOutputText"><SPAN>&nbsp;</SPAN>(Customer)</SPAN></SPAN><SPAN class="uiOutputText">​&nbsp;let us know how severe this limitation is for ABB.</SPAN></STRONG></P> <P><SPAN class="uiOutputText">&nbsp;</SPAN></P> <P><EM><SPAN class="uiOutputText">But in the 3rd test, I generated both key pair using SETool, not using OPENSSL, and the verification fails equally. How can you explain that?</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">&nbsp;Thanks again,</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">Cristiane Bellenzier Piaia</SPAN></EM></P> <P>&nbsp;</P> <P><STRONG><SPAN class="uiOutputText">RGs: I repeat 3rd test here:</SPAN></STRONG></P> <P>3 -both key pairs generated inside the SE using seTool:</P> <P>#seTool genRSA 2048 0x00000003 127.0.0.1:8040</P> <P># seTool getRSARef 0x00000003 a.pem 127.0.0.1:804<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer<BR />sssprov-flw: Get random data from SE05x<BR />sssprov-flw: Performing RSA sign using SE05x</P> <P>#seTool genRSA 2048 0x00000020 127.0.0.1:8040</P> <P># seTool getRSARef 0x00000020 b.pem 127.0.0.1:8040</P> <P># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr<BR />sssprov-flw: Performing RSA sign using SE05x<BR /># openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem<BR />Certificate request self-signature ok<BR />subject=CN = NXP_SE050_TLS_CLIENT_RSA<BR /># openssl verify -partial_chain -trusted a.cer b.cer<BR />CN = NXP_SE050_TLS_CLIENT_RSA<BR />error 7 at 0 depth lookup: certificate signature failure<BR /><STRONG>error b.cer: verification failed</STRONG><BR />2090F276:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:<BR />2090F276:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:<BR />2090F276:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:<BR />2090F276:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:</P> <P>&nbsp;</P> Wed, 10 Jul 2024 10:48:58 GMT rodolfoveltrigo 2024-07-10T10:48:58Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1898491#M1626 <P>Hi,</P><P>I have some problem to use SE (version B) +&nbsp;libsssProvider + openssl 3.0.13.</P><P>I generate a key pair using SETool, but when I tried to access my key to generate a certificate signing request I facing some problem, because my csr is not generate and the command exiting is 1.</P><P>I also tried to access my key using the SE index (-key nxp:0x00000020 and&nbsp;-inkey nxp:0x00000020), but also without success.</P><P>[root@ABB-ea-a6-d2-59-47-62 cert]# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key nxp:0x00000020 -out server.csr -config csr.conf<BR />[root@ABB-ea-a6-d2-59-47-62 cert]# echo $?<BR />1</P><P>[root@ABB-ea-a6-d2-59-47-62 cert]# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key $SERVER.key -out $SERVER.csr -config csr.conf<BR />[root@ABB-ea-a6-d2-59-47-62 cert]# echo $?<BR />1<BR />[root@ABB-ea-a6-d2-59-47-62 cert]# cat server.key<BR />-----BEGIN PRIVATE KEY-----<BR />MIIBPQIBADANBgkqhkiG9w0BAQEFAASCAScwggEjAgEAAoIBAQCoWVZ3r3KbD9Ms<BR />2DmJQL2Zt7B+4J9YhlAlavk3k2FcDyRr268W9OTk3xa1Z97IcnSmFyiYatNOCBGa<BR />DmmzRpRvFuoHfgS4aHIGiLesp/APgwioclLsHadmNOen3fBWlZ0y02G2bW7YtBJa<BR />6d5kKyI83CQUl2zapFnylpZWZEB81Cz3Cbyy/N6v6o1cEDYD8f8Pq2UltD0LGnjp<BR />jZqN1Tyy4QIXT9niKXJYCklordJe55+VVth8qedi40Xq7RSnGu0ujIIrcwnnX7GF<BR />qExtw80UMHwKnJnOpJthmQ4VIPBXH8bokPDwr6g9DE9UP2gUezcUFor6U5j4uHaf<BR />iece/VIBAgMBAAECAQECAQECASACAQECAQECBQClprW2<BR />-----END PRIVATE KEY-----</P><P>I use the accessManager (executed with plain option) to access my SE.</P><P>Yocto version: kirkstone.</P><P>Thanks in advance,</P><P>Cristiane Bellenzier Piaia</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Jul 2024 15:57:56 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1898491#M1626 CristianeBP 2024-07-03T15:57:56Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899289#M1627 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/221468">@CristianeBP</a>&nbsp;,</P> <P>&nbsp;</P> <P>Would you please share more details regarding the SE and the platform? also how did you create the key with SeTool? I may try to reproduce this issue here.</P> <P>&nbsp;</P> <P>Thanks for your patience!</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Kan</P> Thu, 04 Jul 2024 07:46:13 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899289#M1627 Kan_Li 2024-07-04T07:46:13Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899319#M1628 <P>Good morning Kan,</P><P>thanks for your reply.</P><P>SE version: B</P><P>Middleware version: 04.05.03</P><P>Linux:&nbsp; Kernel: Linux 5.15.71-5.15.71-2.2.0+g3313732e9984+p5<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Architecture: arm</P><P>seTool command:# seTool getRSARef 0x00000020 server.key $EX_SSS_BOOT_SSS_PORT<BR />App :INFO :PlugAndTrust_v04.05.03_20240502<BR />App :INFO :Running seTool<BR />App :INFO :Using PortName='127.0.0.1:8040' (CLI)<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR />App :INFO :ex_sss Finished<BR /># cat server.key<BR />-----BEGIN PRIVATE KEY-----<BR />MIIBPQIBADANBgkqhkiG9w0BAQEFAASCAScwggEjAgEAAoIBAQDLnqjJfGZVgcGq<BR />zcztezdSbIFYRVQFI4nOJuDgprlvzX/T7K73UAeZvwAiIy5Juyer9/vufpgG7Q56<BR />lmgiEYAyHlIcgetskarxV3JpSG/P+vzYQtFqpbSrHOS+eSF7JS/7pQQVY0sqMiaj<BR />3FrrPfubPfRalS7ztGPq9Ch0YacX70yntDzm+MnIncmOitcPo/+Exr6g8maO8bOI<BR />XzfKMY05klnkDiup5jTY0AGJknuDNLc77u0WVTf+pP3A0xkjZ6yDACWpPuk/6xVd<BR />CUp+ABAfY8BQqncfNGRxihOQ1roqGLvHn9LypON84b+VUQKSxkJabSojCrL/oFTs<BR />mIMiBWwlAgMBAAECAQECAQECASACAQECAQECBQClprW2<BR />-----END PRIVATE KEY-----<BR /><BR /></P><P># echo $EX_SSS_BOOT_SSS_PORT<BR />127.0.0.1:8040</P><P># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key server.key -out server.csr -config csr.conf<BR />App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR /># echo $?<BR />1</P><P># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key nxp:0x00000020 -out server.csr -config csr.conf<BR />App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR /># echo $?<BR />1</P><P>Thanks,</P><P>Cristiane Bellenzier Piaia</P> Thu, 04 Jul 2024 08:18:33 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899319#M1628 CristianeBP 2024-07-04T08:18:33Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899342#M1629 <P>Kan,</P><P>just for your knowledge.</P><P>The same happens when I generate the keypair using openssl:<BR /># openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 1024<BR />App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR />Warning: generating random key material may take a long time<BR />if the system has a poor entropy source<BR />sssprov-flw: Generate RSA key inside SE05x</P><P># cat tls_client_key_ref_0xEF000011.pem<BR />-----BEGIN PRIVATE KEY-----<BR />MIHSAgEAMA0GCSqGSIb3DQEBAQUABIG9MIG6AgEBAoGAbchhCXBMjOV4xS+6dBjt<BR />4wyjZf3AespjZ37m/DOUxOh41rH6wBDXlGYlpjsHZWBEHAxMV9e9qvqzxcD5+kKY<BR />bShdSA3vl6ZQpzpDvtk0qMXRkLr54QwXUvlbB38eS/TUYhbmeEFJ66CnR2K5/8AY<BR />EJ9DqmVQ0twc7TATgsRS45UCAwEAAQIBAAIBAQIFAO8AABECAQACAQACBQClprW2<BR />MBMwEQIFAO8AABECAQACBQClprW2<BR />-----END PRIVATE KEY-----<BR /><BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr<BR />App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR /># echo $?<BR />1<BR />Thanks,</P><P>Cristiane Bellenzier Piaia</P> Thu, 04 Jul 2024 08:32:40 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899342#M1629 CristianeBP 2024-07-04T08:32:40Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899957#M1630 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/221468">@CristianeBP</a>&nbsp;，</P> <P>&nbsp;</P> <P><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Please give it a try with the github version:&nbsp;<A href="https://github.com/NXPPlugNTrust/se05x-openssl-provider" target="_blank">https://github.com/NXPPlugNTrust/se05x-openssl-provider</A>&nbsp;,&nbsp;<SPAN>Most of the features are updated over there.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"><SPAN>Please kindly have my test result with the&nbsp;libsssProvider.so generated from above.</SPAN></SPAN></P> <P><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"><SPAN>ubuntu@ubuntu:~/provider_test/rsa_test$ openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 1024<BR />App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.<BR />sss :INFO :atr (Len=35)<BR />01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00<BR />01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31<BR />00 00 00<BR />sss :INFO :Newer version of Applet Found<BR />sss :INFO :Compiled for 0x30100. Got newer 0x60000<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR />Warning: generating random key material may take a long time<BR />if the system has a poor entropy source<BR />sssprov-flw: Generate RSA key inside SE05x<BR />ubuntu@ubuntu:~/provider_test/rsa_test$ cat tls_client_key_ref_0xEF000011.pem<BR />-----BEGIN PRIVATE KEY-----<BR />MIG+AgEAMA0GCSqGSIb3DQEBAQUABIGpMIGmAgEAAoGBAMOMHJoKSm4V6tDRehUx<BR />Hk81c0u18eL85piCFFzfygUP1qz0aGb4dYn7R/gk6pITJnBF1uoF9L5fLp6cbqTX<BR />YyS3q90W69IRzDRZMWye1/QYer6MNImbqe+Xfj8av64JVsSE634rsUN4iMZCQGbr<BR />JAFQxjUsVFH6gvy2OybL+KQBAgMBAAECAQACAQECBQDvAAARAgEAAgEAAgUApaa1<BR />tg==<BR />-----END PRIVATE KEY-----<BR />ubuntu@ubuntu:~/provider_test/rsa_test$ openssl req -new --provider /usr/local/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr<BR />App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.<BR />sss :INFO :atr (Len=35)<BR />01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00<BR />01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31<BR />00 00 00<BR />sss :INFO :Newer version of Applet Found<BR />sss :INFO :Compiled for 0x30100. Got newer 0x60000<BR />sss :WARN :Communication channel is Plain.<BR />sss :WARN :!!!Not recommended for production use.!!!<BR />sssprov-flw: Performing RSA sign using SE05x<BR />ubuntu@ubuntu:~/provider_test/rsa_test$ ls<BR />tls_client.csr tls_client_key_ref_0xEF000011.pem<BR />ubuntu@ubuntu:~/provider_test/rsa_test$ cat tls_client.csr<BR />-----BEGIN CERTIFICATE REQUEST-----<BR />MIIBYjCBzAIBADAjMSEwHwYDVQQDDBhOWFBfU0UwNTBfVExTX0NMSUVOVF9SU0Ew<BR />gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOMHJoKSm4V6tDRehUxHk81c0u1<BR />8eL85piCFFzfygUP1qz0aGb4dYn7R/gk6pITJnBF1uoF9L5fLp6cbqTXYyS3q90W<BR />69IRzDRZMWye1/QYer6MNImbqe+Xfj8av64JVsSE634rsUN4iMZCQGbrJAFQxjUs<BR />VFH6gvy2OybL+KQBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBxEFr13fnb07Ve<BR />6wTqzUHmb9xAOd2yc0gcm2+JXPweUxw++UV6Sxqp26A7R5yvU2OFtR21G/lJ0Vye<BR />kbtp5YffeDnP/A3z4qCAjD+6y2BjXSbLloDWtS4jRG/mniIBn4KW15GY8rOKS0vP<BR />X1SSXAjHwbgkKiuzSWM84qiv1Cus2w==<BR />-----END CERTIFICATE REQUEST-----<BR /><A href="mailto:ubuntu@ubuntu:~/provider_test/rsa_test$" target="_blank">ubuntu@ubuntu:~/provider_test/rsa_test$</A><BR /></SPAN></SPAN></P> <P>&nbsp;</P> <P>Have a great day,<BR />Kan</P> <P><BR />-------------------------------------------------------------------------------<BR />Note:<BR />- If this post answers your question, please click the "Mark Correct" button. Thank you!<BR />- We are following threads for 7 weeks after the last post, later replies are ignored<BR />Please open a new thread and refer to the closed one, if you have a related question at a later point in time.<BR />-------------------------------------------------------------------------------</P> Fri, 05 Jul 2024 06:11:07 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1899957#M1630 Kan_Li 2024-07-05T06:11:07Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1904032#M1633 <P>Good morning,</P><P>I just finished my tests but I think I found another problem.</P><P>The certificate signing fails when both key pairs are generated inside the SE.</P><P>My tests are:</P><P>1 -&nbsp; generates 1 key pair inside and 1 outside:</P><P># openssl genrsa -out a.pem 1024<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer<BR />sssprov-flw: Not a ref key<BR />sssprov-flw: Get random data from SE05x<BR />sssprov-flw: Not a key in secure element. Performing RSA sign operation using host software<BR />sssprov-flw: Get random data from SE05x<BR /># openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out b.pem 1024<BR />Warning: generating random key material may take a long time<BR />if the system has a poor entropy source<BR />sssprov-flw: Generate RSA key inside SE05x<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr<BR />sssprov-flw: Performing RSA sign using SE05x<BR />[root@ABB-f6-4e-b6-68-0b-a1 ~]# openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem<BR />Certificate request self-signature ok<BR />subject=CN = NXP_SE050_TLS_CLIENT_RSA<BR /># openssl verify -partial_chain -trusted a.cer b.cer<BR /><STRONG>b.cer: OK</STRONG></P><P>2 -both key pairs generated inside the SE using openssl:</P><P># openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out a.pem 1024<BR />Warning: generating random key material may take a long time<BR />if the system has a poor entropy source<BR />sssprov-flw: Generate RSA key inside SE05x<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer<BR />sssprov-flw: Get random data from SE05x<BR />sssprov-flw: Performing RSA sign using SE05x<BR /># openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out b.pem 1024<BR />Warning: generating random key material may take a long time<BR />if the system has a poor entropy source<BR />sssprov-flw: Generate RSA key inside SE05x<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr<BR />sssprov-flw: Performing RSA sign using SE05x<BR /># openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem<BR />Certificate request self-signature ok<BR />subject=CN = NXP_SE050_TLS_CLIENT_RSA<BR /># openssl verify -partial_chain -trusted a.cer b.cer<BR />CN = NXP_SE050_TLS_CLIENT_RSA<BR />error 7 at 0 depth lookup: certificate signature failure<BR /><STRONG>error b.cer: verification failed</STRONG><BR />2020F576:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:<BR />2020F576:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:<BR />2020F576:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:<BR />2020F576:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:</P><P>3 -both key pairs generated inside the SE using seTool:</P><P>#seTool genRSA 2048 0x00000003 127.0.0.1:8040</P><P># seTool getRSARef 0x00000003 a.pem 127.0.0.1:804<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer<BR />sssprov-flw: Get random data from SE05x<BR />sssprov-flw: Performing RSA sign using SE05x</P><P>#seTool genRSA 2048 0x00000020 127.0.0.1:8040</P><P># seTool getRSARef 0x00000020 b.pem 127.0.0.1:8040</P><P># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr<BR />sssprov-flw: Performing RSA sign using SE05x<BR /># openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem<BR />Certificate request self-signature ok<BR />subject=CN = NXP_SE050_TLS_CLIENT_RSA<BR /># openssl verify -partial_chain -trusted a.cer b.cer<BR />CN = NXP_SE050_TLS_CLIENT_RSA<BR />error 7 at 0 depth lookup: certificate signature failure<BR /><STRONG>error b.cer: verification failed</STRONG><BR />2090F276:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:<BR />2090F276:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:<BR />2090F276:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:<BR />2090F276:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:</P><P>Thanks,</P><P>Cristiane Bellenzier Piaia</P><P>&nbsp;</P> Tue, 09 Jul 2024 09:29:36 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1904032#M1633 CristianeBP 2024-07-09T09:29:36Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1905031#M1634 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/221468">@CristianeBP</a>&nbsp;,</P> <P>&nbsp;</P> <P>The openssl command has some limitation for rsa generation, which doesn't have a "-name" option as ecc generation, so that the current provider implementation uses a default key ID hard coded in the source file , so in your case, only one RSA ref key was generated inside the SE indeed. We have to wait for openssl updated to some version which allows to specify the rsa key name.&nbsp;</P> <P>&nbsp;</P> <P>Sorry for the inconvenience that might cause.</P> <P>&nbsp;</P> <P>Have a great day,<BR />Kan</P> <P><BR />-------------------------------------------------------------------------------<BR />Note:<BR />- If this post answers your question, please click the "Mark Correct" button. Thank you!<BR />- We are following threads for 7 weeks after the last post, later replies are ignored<BR />Please open a new thread and refer to the closed one, if you have a related question at a later point in time.<BR />-------------------------------------------------------------------------------</P> Wed, 10 Jul 2024 03:25:56 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1905031#M1634 Kan_Li 2024-07-10T03:25:56Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1905259#M1635 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/59276">@Kan_Li</a>&nbsp;: I am writing on behalf of&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/221468">@CristianeBP</a>&nbsp;and Lorenzo Verniani (they got problems to access this thread):</P> <P><EM><SPAN class="uiOutputText">Good morning Kan Li,</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">&nbsp;thank you very much for your reply.</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">&nbsp;Your answer is about my 2nd test, and ok, it is a limitation and we need to wait some updates.</SPAN></EM></P> <P><STRONG><SPAN class="uiOutputText">RGs:<SPAN>&nbsp;</SPAN></SPAN><SPAN class="cuf-entityLinkId forceChatterEntityLink entityLinkHover" data-id="0052p00000D4vDIAAZ" data-hashtag="" data-mention="0052p00000D4vDIAAZ"><A id="247:7404;a" class="cuf-entityLink cuf-mention" href="https://nxp.lightning.force.com/lightning/r/0052p00000D4vDIAAZ/view" data-sfdc-wired-mouseover="" data-sfdc-wired-mouseout="" data-sfdc-wired-focus="" data-sfdc-wired-blur="" data-proxy-id="aura-pos-lib-1" target="_blank"><SPAN class="uiOutputText">@Lorenzo Verniani</SPAN></A><SPAN class="cuf-entityAdditionalLabel uiOutputText"><SPAN>&nbsp;</SPAN>(Customer)</SPAN></SPAN><SPAN class="uiOutputText">​&nbsp;let us know how severe this limitation is for ABB.</SPAN></STRONG></P> <P><SPAN class="uiOutputText">&nbsp;</SPAN></P> <P><EM><SPAN class="uiOutputText">But in the 3rd test, I generated both key pair using SETool, not using OPENSSL, and the verification fails equally. How can you explain that?</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">&nbsp;Thanks again,</SPAN></EM></P> <P><EM><SPAN class="uiOutputText">Cristiane Bellenzier Piaia</SPAN></EM></P> <P>&nbsp;</P> <P><STRONG><SPAN class="uiOutputText">RGs: I repeat 3rd test here:</SPAN></STRONG></P> <P>3 -both key pairs generated inside the SE using seTool:</P> <P>#seTool genRSA 2048 0x00000003 127.0.0.1:8040</P> <P># seTool getRSARef 0x00000003 a.pem 127.0.0.1:804<BR /># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer<BR />sssprov-flw: Get random data from SE05x<BR />sssprov-flw: Performing RSA sign using SE05x</P> <P>#seTool genRSA 2048 0x00000020 127.0.0.1:8040</P> <P># seTool getRSARef 0x00000020 b.pem 127.0.0.1:8040</P> <P># openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr<BR />sssprov-flw: Performing RSA sign using SE05x<BR /># openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem<BR />Certificate request self-signature ok<BR />subject=CN = NXP_SE050_TLS_CLIENT_RSA<BR /># openssl verify -partial_chain -trusted a.cer b.cer<BR />CN = NXP_SE050_TLS_CLIENT_RSA<BR />error 7 at 0 depth lookup: certificate signature failure<BR /><STRONG>error b.cer: verification failed</STRONG><BR />2090F276:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:<BR />2090F276:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:<BR />2090F276:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:<BR />2090F276:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:</P> <P>&nbsp;</P> Wed, 10 Jul 2024 10:48:58 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1905259#M1635 rodolfoveltrigo 2024-07-10T10:48:58Z https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1906252#M1636 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/221468">@CristianeBP</a>&nbsp;,</P> <P>&nbsp;</P> <P>For the 3rd case,&nbsp;<SPAN>As you are using RSA ref key as the rootCA key it is mandatory to load sssProvider at first because the&nbsp;</SPAN><SPAN>default provider cannot recognize the reference key format.<BR /><BR />So the command to generate the certificate is:<BR />#openssl x509 -req –provider /usr/local/lib/libsssProvider.so –provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please kindly refer to the following for more details.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Kan_Li_0-1720695122931.png" style="width: 706px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/288134iA1B52CE579DA22C8/image-dimensions/706x96?v=v2" width="706" height="96" role="button" title="Kan_Li_0-1720695122931.png" alt="Kan_Li_0-1720695122931.png" /></span></P> <P>&nbsp;</P> <P>Have a great day,<BR />Kan</P> <P><BR />-------------------------------------------------------------------------------<BR />Note:<BR />- If this post answers your question, please click the "Mark Correct" button. Thank you!<BR />- We are following threads for 7 weeks after the last post, later replies are ignored<BR />Please open a new thread and refer to the closed one, if you have a related question at a later point in time.<BR />-------------------------------------------------------------------------------</P> <P>&nbsp;</P> Thu, 11 Jul 2024 10:53:58 GMT https://community.nxp.com/t5/Secure-Authentication/Error-to-access-SE-through-libsssProvider-openssl/m-p/1906252#M1636 Kan_Li 2024-07-11T10:53:58Z