Secure AuthenticationのトピックRe: openssl provier error when generate key

openssl provier error when generate key

chanyoung — Wed, 06 Nov 2024 16:10:35 GMT

hello.

An error occurred while running the test example.

The environment is raspberry pi + OM-SE050ARD0-F + openssl3 + provider

While creating a key pair in se050, the following error occurred and ended.

Could I ask for some advice?

mw version : 4.5.1

PTMW_APPLET : SE050_C

$ openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 2048 App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1) App :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt) sss :INFO :atr (Len=35) 00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08 01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41 54 50 4F App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1) App :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt) sss :INFO :atr (Len=35) 00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08 01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41 54 50 4F sssprov-flw: Generate RSA key inside SE05x sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7837 Function:sss_se05x_TXn sss :WARN :nxEnsure:'status == SM_OK' failed. At Line:4063 Function:sss_se05x_key_store_generate_key App :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:471 Function:sss_keymgmt_rsa_gen genrsa: Error generating RSA key

Re: openssl provier error when generate key

Kan_Li — Thu, 07 Nov 2024 06:33:33 GMT

Hi @chanyoung ,

The openssl provider generates RSA in plain mode by default, which is not supported on SE050F, if you want to use provider to generates RSA CRT instead, just change the following kSSS_CipherType_RSA to kSSS_CipherType_RSA_CRT in sssProvider_main.h .

please also note RSA key length <2048 bits is not supported on SE050F either.

BTW, as provider doesn't support Key ID as a parameter, the default key ID is set as "0xEF000011", but you may modify it in sssProvider_key_mgmt_rsa.c. Alternatively you may use SETool instead to generate RSA key pairs in SE050F.

Please refer to se05x_mw_v04.05.01/simw-top/doc/demos/se05x/seTool/Readme.html for more details.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: openssl provier error when generate key

chanyoung — Thu, 07 Nov 2024 09:57:19 GMT

thank you for your reply
I modified it according to the advice and confirmed that it was created normally.

But there's one more problem
During the process of creating a CSR by calling the created key pair, the program ends without being created.

Is it impossible to create it with RSA? Or I would like to know if there is another way

Additionally, here is the full script of the example I am referring to.

TLS client example using RSA keys

# Create Root CA key pair and certificate
openssl genrsa -out tls_rootca_key.pem 2048
openssl req -x509 -new -nodes -key tls_rootca_key.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out tls_rootca.cer

# Create client key inside secure element
openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 2048

# Create Client key CSR. Use the provider to access the client key created in the previous file.
openssl req -new --provider /usr/local/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr

# Create Client certificate
openssl x509 -req --provider default -in tls_client.csr -CAcreateserial -out tls_client.cer -days 5000 -CA tls_rootca.cer -CAkey tls_rootca_key.pem

# Create Server key pair and certificate
openssl genrsa -out tls_server_key.pem 2048
openssl req -new -key tls_server_key.pem -subj "/CN=NXP_SE050_TLS_SERVER_RSA" -out tls_server.csr
openssl x509 -req -sha256 -days 4380 -in tls_server.csr -CAcreateserial -CA tls_rootca.cer -CAkey tls_rootca_key.pem -out tls_server.cer

Re: openssl provier error when generate key

Kan_Li — Mon, 11 Nov 2024 02:52:53 GMT

Hi @chanyoung ,

Yes, it is possible to use RSA in TLS client demo, but if you use ref key instead, you'd better use the access Manager together with the openssl provider. Please kindly refer to simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html for more details.

Have a great day,
Kan