<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic OpenSSL Provider with SE052F for RNG in Secure Authentication</title>
    <link>https://community.nxp.com/t5/Secure-Authentication/OpenSSL-Provider-with-SE052F-for-RNG/m-p/2365478#M2074</link>
    <description>&lt;P&gt;We have a requirement to use the SE052F as a FIPS compliant source for random number generation. We require OpenSSL to use the SE052F, and in turn, all applications that use the openssl libraries to use the SE052F for RNG.&lt;/P&gt;&lt;P&gt;I understand we must use the NXP MW accessManager and the OpenSSL Provider.&lt;BR /&gt;I am using: SE-PLUG-TRUST-MW_04.07.01&lt;BR /&gt;I have followed the instructions in:&lt;BR /&gt;AN14028.pdf&lt;BR /&gt;SE-PLUG-TRUST-MW_04.07.01/simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html&lt;BR /&gt;and the README info here (but not using this repo): &lt;A href="https://github.com/NXPPlugNTrust/se05x-openssl-provider" target="_blank"&gt;https://github.com/NXPPlugNTrust/se05x-openssl-provider&lt;/A&gt;&lt;/P&gt;&lt;P&gt;accessManager built with the following cmake options:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;NXP_SE_MW_CONF_OPTS += -DWithSharedLIB=OFF -DPTMW_Host=Raspbian -DPTMW_SMCOM=T1oI2C -DPTMW_Applet=SE05X_C \
	-DPTMW_FIPS=None -DPTMW_SE05X_Ver=07_02 -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS -DSE05X_EN_PIN=582 -DSE_RESET_LOGIC=0 \
	-DPAHO_BUILD_SHARED=FALSE -DPAHO_BUILD_STATIC=TRUE&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;OpenSSL Provider built with the following cmake options:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;NXP_SE_MW2_CONF_OPTS += -DWithSharedLIB=ON -DPTMW_HostCrypto=OPENSSL -DPTMW_Host=Raspbian -DPTMW_SMCOM=JRCP_V1_AM -DPTMW_SE05X_Auth=None&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl.cnf modified as follows:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[provider_sect]
nxp_prov = nxp_sect
default = default_sect

[nxp_sect]
identity = nxp_prov
module = /usr/lib/libsssProvider.so
activate = 1

[default_sect]
activate = 1&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The accessManager starts:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Starting accessManager (Rev.1.1).
  Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;RNG using openssl from the command line seems to work OK:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# openssl rand -hex 64
sssprov-dbg: Enter - OSSL_provider_init 
App   :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
DUMMY_ATR=0x01.A0.00.00.03.96.04.03.E8.00.FE.02.0B.03.E8.00.01.00.00.00.00.64.13.88.0A.00.65.53.45.30.35.31.00.00.00.
Replacing *_ATR by default (pre-cooked) ATR.
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
SM_EstablishPlatformSCP03Am (Entry)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
SE051 connected.
SM_EstablishPlatformSCP03Am (Exit); Status = 0x9000
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x70216
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_enable_locking 
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_get_ctx_params 
sssprov-dbg: Enter - sss_rand_generate 
sssprov-flw: Get random data from SE05x 
Command 0x01 from client 5
SM_SendAPDUAm: smStatus = 0x9000
5f0f4d63e4ec771b8cfd46dd50c497b7e4e56e203ad5bc6eca9f8c28d23f39aa2d4a807915e3c60cf2e6a833794cb1208554f3e635811354eadd7b2c911c60da
sssprov-dbg: Enter - sss_rand_freectx 
sssprov-dbg: Enter - sss_rand_freectx 
sssprov-dbg: Enter - sss_teardown 
Received 0 byte from client 5 (Message Header Phase) .&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But, starting the ssh daemon fails:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# /usr/sbin/sshd &amp;amp;
sssprov-dbg: Enter - OSSL_provider_init 
App   :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
Pre-cooked response (rspAppletSelect)
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x70216
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_enable_locking 
sssprov-dbg: Enter - sss_rand_get_ctx_params 
PRNG is not seeded
Received 0 byte from client 5 (Message Header Phase) .
[2]+  Done(255)                  /usr/sbin/sshd&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'd be very grateful for any help,&lt;/P&gt;&lt;P&gt;Sam&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 14 May 2026 10:42:53 GMT</pubDate>
    <dc:creator>sam123</dc:creator>
    <dc:date>2026-05-14T10:42:53Z</dc:date>
    <item>
      <title>OpenSSL Provider with SE052F for RNG</title>
      <link>https://community.nxp.com/t5/Secure-Authentication/OpenSSL-Provider-with-SE052F-for-RNG/m-p/2365478#M2074</link>
      <pubDate>Thu, 14 May 2026 10:42:53 GMT</pubDate>
      <guid>https://community.nxp.com/t5/Secure-Authentication/OpenSSL-Provider-with-SE052F-for-RNG/m-p/2365478#M2074</guid>
      <dc:creator>sam123</dc:creator>
      <dc:date>2026-05-14T10:42:53Z</dc:date>
    </item>
  </channel>
</rss>

